OptFuzz: Optimization Path Guided Fuzzing for JavaScript JIT Compilers
USENIX Security 2024
Jiming Wang, Yan Kang, Chenggang Wu, Yuhao Hu, Yue Sun, Jikai Ren, Yuanming Lai, Mengyao Xie, Charles Zhang, Tao Li, Zhe Wang.
Abstract
The Just-In-Time (JIT) compiler is a core component of JavaScript engines: it takes a snippet of JavaScript code as input, applies a series of optimization passes to it, and then transforms it into machine code. The optimization passes often make assumptions (e.g., about variable types) about the target JavaScript code, and therefore yield vulnerabilities when those assumptions do not hold. To discover such bugs, it is essential to thoroughly test the different optimization passes, but previous work failed to do so and mainly focused on exploring code coverage. In this paper, we present the first optimization path guided fuzzing solution for JavaScript JIT compilers, namely OptFuzz, which focuses on exploring optimization path coverage. Specifically, we utilize an optimization trunk path metric to approximate the optimization path coverage, and use it as feedback to guide seed preservation and seed scheduling in the fuzzing process. We have implemented a prototype of OptFuzz and evaluated it on 4 mainstream JavaScript engines. On earlier versions of these JavaScript engines, OptFuzz found several times more bugs than the baseline solutions. On the latest JavaScript engines, OptFuzz discovered 36 unknown bugs, while the baseline solutions found none.
