
[jsfunfuzz] Make testMathyFunction call itself or turn it recursive

Open nth10sd opened this issue 8 years ago • 2 comments

testMathyFunction:

  • Present in lots of unreduced fuzzing testcases
    • Esp. if they involve Math.* functions
  • Is also effective at finding range boundary or other JIT issues

Potential improvement:

  • Make testMathyFunction call itself, or turn it recursive.
    • This could be in makeMathyFunAndTest or otherwise

Sidenote:

  • gen-math.js is more of its own thing. It creates its own function with lots of Math in it and returns the result, operates on 2 arguments, and there are 2 or 3 ways to call the function.
  • Generally used by compareJIT: a list of interesting inputs is generated, the results are hashed and then compared. gen-grammar.js also gets to call gen-math.js.

nth10sd, Feb 10 '17 01:02
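To make the idea concrete, here is an added illustration that is not part of funfuzz or this issue: a small two-argument "mathy function" generator in the spirit of gen-math.js, a self-calling wrapper with an explicit recursion budget (so a recursive testMathyFunction stays bounded rather than running until the timeout), and a compareJIT-style pass that runs the function over a list of interesting inputs and hashes the results into a fingerprint. In a real harness that fingerprint would be compared across engine configurations; here it only shows the shape of the pipeline. All names (makeRng, genExpr, makeMathyFun, interestingInputs, fingerprint) and the input list are assumptions invented for this example.

```javascript
// Added example, not funfuzz's own code. Names and the input list are invented.

// Deterministic PRNG so a generated function can be reproduced from its seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return function () {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

const UNARY = ["Math.abs", "Math.floor", "Math.ceil", "Math.round", "Math.sqrt", "Math.sign", "Math.fround"];
const BINARY_OPS = ["+", "-", "*", "/", "%"];
const BINARY_FUNS = ["Math.max", "Math.min", "Math.pow", "Math.atan2", "Math.imul"];
const LEAVES = ["x", "y", "0", "-0", "1", "2147483647", "-2147483648", "4294967295", "NaN", "Infinity", "0.5"];

function pick(rng, arr) { return arr[Math.floor(rng() * arr.length)]; }

// Generates the *source* of an expression in x and y. `depth` is the remaining
// nesting budget; at zero only leaves are emitted, which keeps generation finite.
function genExpr(rng, depth) {
  if (depth <= 0 || rng() < 0.2) return pick(rng, LEAVES);
  const r = rng();
  if (r < 0.35) return `${pick(rng, UNARY)}(${genExpr(rng, depth - 1)})`;
  if (r < 0.7) return `(${genExpr(rng, depth - 1)} ${pick(rng, BINARY_OPS)} ${genExpr(rng, depth - 1)})`;
  return `${pick(rng, BINARY_FUNS)}(${genExpr(rng, depth - 1)}, ${genExpr(rng, depth - 1)})`;
}

// Builds a two-argument function (as gen-math.js does) plus a self-calling wrapper
// that feeds its own result back in and recurses at most `maxDepth` times.
// `stats.innerCalls` counts how often the generated function actually ran.
function makeMathyFun(seed, exprDepth, maxDepth) {
  const source = genExpr(makeRng(seed), exprDepth);
  const f = new Function("x", "y", "return " + source + ";");
  const stats = { innerCalls: 0 };
  function rec(x, y, depth) {
    stats.innerCalls++;
    const v = f(x, y);
    if (depth >= maxDepth) return v;        // recursion budget exhausted
    return rec(v, x, depth + 1);            // result becomes the next input
  }
  return { source, stats, fn: (x, y) => rec(x, y, 0) };
}

// Constructed list of boundary values: signed zero, int32/uint32 edges, huge
// doubles, NaN and both infinities.
const interestingInputs = [0, -0, 1, -1, 0.5, 2147483647, -2147483648, 4294967295,
                           1e308, -1e308, NaN, Infinity, -Infinity];

// Canonical string for a result so -0, NaN and Infinity survive the hash distinctly.
function canon(v) { return Object.is(v, -0) ? "-0" : String(v); }

// FNV-1a over every (x, y) result, standing in for the hash compareJIT compares.
function fingerprint(fn) {
  let h = 0x811c9dc5;
  for (const x of interestingInputs) {
    for (const y of interestingInputs) {
      let out;
      try { out = canon(fn(x, y)); } catch (e) { out = "throw:" + e.name; }
      for (const ch of out) {
        h ^= ch.charCodeAt(0);
        h = Math.imul(h, 0x01000193) >>> 0;
      }
    }
  }
  return h.toString(16);
}

// Usage: same seed and budgets give the same source and the same fingerprint.
const sample = makeMathyFun(42, 4, 3);
console.log(sample.source, fingerprint(sample.fn));
```

Two design points carry over to the real fuzzer: the recursion budget is a parameter rather than unbounded self-reference, so the cost of a test case is predictable, and results are canonicalised before hashing so that -0 versus 0 or NaN versus a number, exactly the range-boundary differences the issue is interested in, are not lost in the comparison.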

I have made testMathyFunction recursive. While profiling we noticed that for each average case loop went from 10s to a range of 10-100 (our timeout). However within minutes we find bugs related to 1357149. Is it worth the dramatic increase and variation in each test case?

twahlfeld, May 08 '17 19:05

Hmmm, I don't think so, especially since unhandlable OOMs like bug 1357149 might be intended. (Let's wait for Jon Coppeard to comment there first.) This was an idea; not sure how practical it is. Might you create a PR and we'll see what happens next?

nth10sd, May 08 '17 21:05