Tobias Wienand (Ruhr-Universität Bochum), Lukas Bernhard (Ruhr-Universität Bochum), Flavio Toffalini (Ruhr-Universität Bochum)

JavaScript (JS) engines apply heavy optimizations to the executed JS code through Just-in-Time (JIT) compilation. Incorrectly handling JS types during JIT compilation can lead to exploitable bugs in the engine. Current fuzzing techniques for JS engines rely on code coverage as the dominant feedback mechanism. However, code coverage primarily captures control-flow diversity rather than data-flow diversity. This limitation matters for JS engines, where runtime type information drives the JIT compiler's optimization decisions: the same code path can be compiled very differently depending on the types observed at it.

In this work, we investigate whether type coverage can improve bug-finding effectiveness over traditional code coverage in JS engines. Our prototype, TYPEFUZZ, tracks heap object types at optimization-sensitive locations during JIT compilation and directs fuzzing exploration toward under-tested type locations. We have implemented TYPEFUZZ on top of Fuzzilli and instrumented V8's Maglev and TurboFan compilers to track 463 type-sensitive locations. Our preliminary evaluation demonstrates that type coverage increases data-flow diversity during JIT compilation by 37.5% compared to code coverage alone, exploring substantially more type-sensitive compiler states. In our preliminary campaign, we discovered four bugs in non-experimental features of V8. All four bugs were discoverable with both metrics in this preliminary evaluation, yet the substantial increase in type-diverse states explored suggests potential for discovering type-specific bugs with extended campaigns, enhanced bug oracles (e.g., differential testing), and cross-engine evaluation on JavaScriptCore.
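The following is an added illustration of the distinction the abstract draws; it is not code from the TYPEFUZZ paper, from Fuzzilli or from V8. It hand-instruments one toy JS function with two feedback signals, branch (control-flow) coverage and a "type state" recorded at a type-sensitive site (the `+` whose lowering depends on operand types), and shows that a corpus can saturate the former while exercising a single type state. The shape keys, the instrumented function and both corpora are constructed for this example; the coarse `shapeOf()` classification only approximates what a real JIT's type feedback distinguishes.

```javascript
// Added illustration, not TYPEFUZZ/Fuzzilli/V8 code. Contrasts branch coverage
// with type coverage at one constructed type-sensitive site.

// Coarse shape key approximating the distinctions a JIT's type feedback makes
// (small integer vs. heap number, string, object layout by property names, ...).
function shapeOf(v) {
  if (typeof v === "number") {
    return Number.isInteger(v) && Math.abs(v) < 2 ** 30 ? "smi" : "double";
  }
  if (v === null) return "null";
  if (Array.isArray(v)) return "array";
  if (typeof v === "object") return "obj{" + Object.keys(v).join(",") + "}";
  return typeof v; // "string", "boolean", "undefined", "function", ...
}

function makeTracker() {
  return { branches: new Set(), typeStates: new Set() };
}

// Function under test, hand-instrumented. One branch site (B0/B1) and one
// type-sensitive site S0: the `+` whose compiled form depends on operand types.
function addInstrumented(a, b, t) {
  if (a === undefined || b === undefined) {
    t.branches.add("B0:missing-operand");
    return 0;
  }
  t.branches.add("B1:add");
  t.typeStates.add("S0:" + shapeOf(a) + "+" + shapeOf(b));
  return a + b;
}

// Run a corpus of argument pairs and return both coverage counts.
function measure(corpus) {
  const t = makeTracker();
  for (const [a, b] of corpus) addInstrumented(a, b, t);
  return { branches: t.branches.size, typeStates: t.typeStates.size };
}

// Type-coverage feedback: keep only candidates that reach a type state not yet
// seen. This is the selection rule a type-coverage-guided fuzzer applies to
// steer exploration toward under-tested type states.
function selectByTypeFeedback(seen, candidates) {
  const kept = [];
  for (const [a, b] of candidates) {
    const t = makeTracker();
    addInstrumented(a, b, t);
    let isNew = false;
    for (const s of t.typeStates) {
      if (!seen.has(s)) {
        seen.add(s);
        isNew = true;
      }
    }
    if (isNew) kept.push([a, b]);
  }
  return kept;
}

// Constructed corpora. Both hit B0 and B1 (full branch coverage); only the
// second exercises several operand-type combinations at S0.
const CORPUS_SMI_ONLY = [[1, 2], [3, 4], [undefined, 1]];
const CORPUS_TYPED = [
  [1, 2], [1.5, 2], ["a", 1], [{ x: 1 }, 2], [{ y: 1 }, 2], [[1], 1], [undefined, 1],
];

function demo() {
  return { smiOnly: measure(CORPUS_SMI_ONLY), typed: measure(CORPUS_TYPED) };
}

console.log(demo());
```

Under code coverage alone the two corpora are indistinguishable (both report two branches), so a coverage-guided fuzzer has no reason to keep the inputs that bring a new operand shape to the `+`; the type-state signal is what makes those inputs interesting, which is the feedback TYPEFUZZ adds at the instrumented locations inside Maglev and TurboFan.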
