A collection of fuzzers in a harness for testing the SpiderMonkey JavaScript engine.


MozillaSecurity/funfuzz


This repository contains several JavaScript-based fuzzers. jsfunfuzz tests JavaScript engines and can run in a JavaScript shell, compareJIT compares the output of SpiderMonkey run with different flags, while randorderfuzz throws random tests from the mozilla-central directory into generated jsfunfuzz output.

Most of the code other than testcase generation is written in Python: restarting the program when it exits or crashes, noticing evidence of new bugs in the program's output, reducing testcases, and identifying when regressions were introduced.
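The following is an added example, not code from funfuzz, showing the skeleton of a harness loop of the kind the paragraph above describes: it starts a fresh target process per testcase under a timeout, classifies the outcome from the exit status and output (crash signal, sanitizer report, assertion failure, hang, clean exit) and, in the spirit of compareJIT, runs the same testcase under several flag sets and reports when their normalized outputs disagree. It is written for Python 3, whereas funfuzz itself recommends 2.7; the INTERESTING patterns are assumptions modelled on typical SpiderMonkey and ASan output, and the demo uses the Python interpreter as a stand-in engine because its -O flag changes observable behaviour.

```python
"""Added example, not code from funfuzz: skeleton of a fuzzing harness
loop.  Runs a target once per testcase under a timeout, classifies the
result, restarts for the next run and compares outputs across flag
sets (differential testing, as compareJIT does for SpiderMonkey).
Written for Python 3.  INTERESTING is an assumption, not funfuzz's list.
"""
import re
import subprocess
import sys

# Assumed output markers of a new bug (modelled on SpiderMonkey/ASan output).
INTERESTING = (
    (re.compile(r"Assertion failure:"), "assertion"),
    (re.compile(r"Assertion `.*' failed"), "assertion"),
    (re.compile(r"ERROR: AddressSanitizer:"), "asan"),
)

# Stand-in "engine" for the demo: the running Python interpreter.
PYTHON = sys.executable


def classify(returncode, output, timed_out=False):
    """Map one run's exit status and combined stdout/stderr to a verdict."""
    if timed_out:
        return "timeout"
    for pattern, verdict in INTERESTING:
        if pattern.search(output):
            return verdict
    if returncode is not None and returncode < 0:
        # POSIX subprocess: a negative code is the signal that killed the child.
        return "crash(signal %d)" % -returncode
    return "normal"


def run_once(cmd, timeout=10):
    """Start a fresh process for cmd and return (verdict, output).

    The target is never reused between testcases: a crashed or hung
    process is discarded and the next testcase gets a new one."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        partial = exc.output.decode("utf-8", "replace") if exc.output else ""
        return classify(None, partial, timed_out=True), partial
    output = proc.stdout.decode("utf-8", "replace")
    return classify(proc.returncode, output), output


def normalize(output):
    """Drop details that legitimately differ between configurations
    (heap addresses) so only semantic differences count as a mismatch."""
    return re.sub(r"0x[0-9a-fA-F]+", "0xADDR", output).strip()


def differential(target, flag_sets, testcase_args):
    """Run testcase_args under every flag set.  Returns a dict of verdicts
    keyed by flag set and whether the normalized outputs disagree."""
    verdicts, outputs = {}, set()
    for flags in flag_sets:
        verdict, output = run_once([target] + list(flags) + list(testcase_args))
        verdicts[tuple(flags)] = verdict
        outputs.add(normalize(output))
    return verdicts, len(outputs) > 1


if __name__ == "__main__":
    # Constructed demo: -O flips __debug__, so the two configurations disagree.
    print(differential(PYTHON, [[], ["-O"]], ["-c", "print(__debug__)"]))
```

In a real harness the flag sets would be the JIT option combinations under test and the testcase a generated .js file; the point of the skeleton is that every run gets a new process, a hang is a verdict of its own rather than a stalled loop, and output is normalized before two configurations are declared to differ.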

Setup

Install the required pip packages using pip install -r requirements.txt.

Some parts of the fuzzer will only activate if the Python scripts can find your mozilla-central tree:

mkdir -p ~/trees/
hg clone https://hg.mozilla.org/mozilla-central/ ~/trees/mozilla-central/

Some parts of the harness assume a clean Mercurial clone of the mozilla trees. There is insufficient testing with Git for now; please file an issue if you hit problems with Git repositories of mozilla trees.

If you want to use these scripts to compile SpiderMonkey or Firefox, install the usual prerequisites for building Firefox or building SpiderMonkey. There are additional requirements for building with Address Sanitizer.

Since the addition of FuzzManager support, you will also need to install the pip packages listed in the requirements.txt of FuzzManager.

Here's a guide to pip and virtualenv.

Windows (only 64-bit supported)

  1. Install MozillaBuild (using compileShell for SpiderMonkey requires at least version 2.2.0) to get an msys shell.
  2. Install Git for Windows in order to clone these funfuzz repositories. (32-bit works best for now.)
  3. Install Debugging Tools for Windows to get cdb.exe and thus stacks from crashes.
  4. Make sure you install at least Microsoft Visual Studio 2015 (Community Edition is recommended) as per the build instructions above in the Setup section.
  5. Run start-shell-msvc2015.bat to get an MSYS shell. Do not use the MSYS shell that comes with Git for Windows. You can use Git by calling its absolute path, e.g. /c/Program\ Files\ \(x86\)/Git/bin/git.exe.
    1. Run the batch file with administrator privileges to get gflags analysis working correctly.

Mac

  1. On Mac OS X 10.9, you must first install a newer version of unzip than the one that comes with the OS. (Old versions hit an error on large zip files, such as the "mac64.tests.zip" file that downloadBuild.py grabs.)

brew install homebrew/dupes/unzip
brew link --force unzip

  2. If you encounter problems accessing the compiler, try re-running this command:

xcode-select --install

especially after updating major/minor OS versions. This sometimes manifests after Mac OS X Combo updates.

  3. Install LLVM via Homebrew, to get the llvm-symbolizer needed for symbolizing ASan crash stacks.

brew install llvm

Linux

  1. To ensure your core dumps don't get mixed up when multiple instances crash at the same time, run:

echo -n 1 | sudo tee /proc/sys/kernel/core_uses_pid

  2. Install 32-bit libraries to compile 32-bit binaries:
  • Debian/Ubuntu: sudo apt-get install lib32z1 gcc-multilib g++-multilib
  • Fedora: (Fedora is known to work, however the exact library names are unknown for now.) Note that parts of the code which contain if isLinux and float(platform.linux_distribution()[1]) > 15.04 might fail on Fedora, as they assume Ubuntu's versioning scheme. Patches welcome.
  3. Install gdb:
  • Debian/Ubuntu: sudo apt-get install gdb
  • Fedora: Please ensure that all development packages are installed (see rpm -qa "*devel"), and run yum install gdb
  4. Install clang for clang/ASan builds:
  • Debian/Ubuntu: sudo apt-get install clang

Running funfuzz

To run only the js fuzzers, which compile a shell with a random configuration every 8 hours and then test it:

python -u funfuzz/loopBot.py -b "--random" -t "js" --target-time 28800 | tee ~/log-loopBotPy.txt

To test a patch (assuming the patch is in ~/patch.diff) against a specific branch (assuming a Mercurial clone of mozilla-inbound is in ~/trees/mozilla-inbound), using a debug 64-bit deterministic shell configuration, every 8 hours:

python -u funfuzz/loopBot.py -b "--enable-debug --enable-more-deterministic -R ~/trees/mozilla-inbound -P ~/patch.diff" -t "js" --target-time 28800 | tee ~/log-loopBotPy.txt

In js mode, loopBot.py makes use of:

The parameters in -b get passed into compileShell and autoBisect.

FuzzManager support has landed, so you will also need to create a ~/.fuzzmanagerconf file, similar to:

[Main]
serverhost = <your hostname>
serverport = <your port>
serverproto = https
serverauthtoken = <if any>
sigdir = /Users/<your username>/sigcache/
tool = jsfunfuzz

Replace anything between "<" and ">" with your desired parameters.
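A check worth running before starting a long fuzzing run, added here as an example and not part of funfuzz or FuzzManager: parse the [Main] section described above with Python's configparser, refuse any "<...>" placeholder that was not replaced, and flag a serverproto other than https, since serverauthtoken accompanies every crash submission to the server. The key names are the ones the template lists; the checks themselves and the sample values are assumptions constructed for the example.

```python
"""Added example, not FuzzManager or funfuzz code: sanity-check a
.fuzzmanagerconf before a long run.  Key names come from the template
above; the rules and sample values are this example's own assumptions.
"""
import configparser

# Keys the template above shows as always present (serverauthtoken is "if any").
REQUIRED = ("serverhost", "serverport", "serverproto", "sigdir", "tool")


def check_fuzzmanagerconf(text):
    """Return a list of problems found in the config text (empty means OK)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("Main"):
        return ["missing [Main] section"]
    main = cp["Main"]
    problems = []
    for key in REQUIRED:
        if key not in main or not main[key].strip():
            problems.append("missing %s" % key)
    for key, value in main.items():
        # A value still wrapped in <...> is a template placeholder left unfilled.
        if "<" in value and ">" in value:
            problems.append("%s still holds placeholder %s" % (key, value))
    proto = main.get("serverproto", "").strip().lower()
    if proto and proto != "https":
        problems.append("serverproto is %s; use https so serverauthtoken "
                        "is not sent in the clear" % proto)
    port = main.get("serverport", "").strip()
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("serverport %r is not a valid TCP port" % port)
    return problems


# Constructed sample: the template filled in with plausible values.
GOOD = """
[Main]
serverhost = fuzzmanager.example.org
serverport = 443
serverproto = https
serverauthtoken = 0123456789abcdef
sigdir = /home/fuzzer/sigcache/
tool = jsfunfuzz
"""

# Constructed sample: placeholder left in place and plain http chosen.
BAD = """
[Main]
serverhost = <your hostname>
serverport = 8080
serverproto = http
sigdir = /home/fuzzer/sigcache/
tool = jsfunfuzz
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_fuzzmanagerconf(text) or "ok")
```

Run it against the real file with check_fuzzmanagerconf(open(os.path.expanduser("~/.fuzzmanagerconf")).read()) before launching loopBot.py; a left-over placeholder or an http serverproto is cheaper to catch here than after hours of fuzzing whose crash reports never reached the server.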

FAQ:

Q: What platforms does funfuzz run on?

A: compileShell has been tested on:

  • Windows 10, 7 and Windows Server 2012 R2, with MozillaBuild 2.2.0. It should also work with MozillaBuild 3.0.
  • Mac OS X 10.12
  • Ubuntu 16.04 LTS and later

Fedora Linux has not been tested extensively and there may be a few bugs along the way.

The following operating systems are old/less common and while they may still work, be prepared to expect issues along the way:

  • Windows Vista / Windows 8 / Windows 8.1
  • Mac OS X 10.10 / 10.11
  • Ubuntu Linux 14.04 LTS, 15.10 and prior
  • Ubuntu (and variants) on ARM ODROID boards

Support for the following operating systems has been removed:

  • Windows XP
  • Mac OS X 10.6 through 10.9

Q: What version of Python does funfuzz require?

A: We recommend the Python 2.7.x series. There is no support for Python 3 yet, although there is work happening for the move to Python 3.
