Result: Fuzzing JavaScript JIT compilers with a high-quality differential test oracle.

Title:
Fuzzing JavaScript JIT compilers with a high-quality differential test oracle.
Authors:
Li, Jizhe (ljz77@nudt.edu.cn); Xu, Haoran (xuhaoran12@nudt.edu.cn); Wang, Yongjun (wangyongjun@nudt.edu.cn); Jiang, Zhiyuan (jzy@nudt.edu.cn); Chun, Huang (chunhuang@nudt.edu.cn); Xie, Peidai (xpd2002@126.com); Chen, Yongxin (yongxinchen_cx@nudt.edu.cn); Xia, Tian (xiatian19@nudt.edu.cn)
Source:
Computers & Security. Dec2025, Vol. 159, pN.PAG-N.PAG. 1p.
Database:
Business Source Premier


Modern JavaScript engines use Just-In-Time (JIT) compilers to convert frequently executed code into machine instructions, boosting performance for web applications and cross-platform systems. However, the optimizations in JIT compilers often introduce vulnerabilities while enhancing speed, especially optimization bugs, which are difficult to detect. Despite progress in detecting these bugs with differential testing oracles, existing methods are limited by high false positive rates and inefficiency. This paper proposes AccuOracle, a test oracle for detecting JIT optimization bugs. We use an input template-based test oracle that collects differential results from a single execution, enabling efficient fuzzing. To address the high false positive challenge, AccuOracle employs a four-layer progressive filtering architecture: the dynamism elimination and environment isolation layers address root causes, while the pre-check and differential arbitration layers assess JIT-induced divergences. Experiments on engines including V8, SpiderMonkey, and JavaScriptCore show that AccuOracle effectively eliminates false positives while maintaining high operational efficiency. It provides a high-accuracy, high-efficiency solution for JIT defect detection by integrating high-quality input templates with systematic false positive elimination. Notably, AccuOracle has uncovered eight new bugs (two of which have been assigned CVEs), five of which Mozilla has confirmed and fixed. [ABSTRACT FROM AUTHOR]

Copyright of Computers & Security is the property of Pergamon Press - An Imprint of Elsevier Science and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)