Exposing Bugs in JavaScript Engines through Test Transplantation and Differential Testing

Lima, Igor; Silva, Jefferson Lins da; Miranda, Breno; Pinto, Gustavo; d’Amorim, Marcelo

doi:10.48550/arxiv.2012.03759

Cited by 2 publications

(3 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, test generation has been explored in the case of native extensions for the JVM (i.e., JNI) [13]. Similar work appeared recently for JavaScript engines, applying differential testing with test transplantation [18] and compiler fuzzing [23,33]. Although we share with these approaches the goal of automatic test generation, these explore a more coarse test generation using and usually think of the VM as a black-box.…”

Section: Related Workmentioning

confidence: 95%

Interpreter-guided differential JIT compiler unit testing

Polito

Tesone

Ducasse

2022

Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Modern language implementations using Virtual Machines feature diverse execution engines such as byte-code interpreters and machine-code dynamic translators, a.k.a. JIT compilers. Validating such engines requires not only validating each in isolation, but also that they are functionally equivalent. Tests should be duplicated for each execution engine exercising the same execution paths on each of them.In this paper we present a novel automated testing approach for virtual machines featuring byte-code interpreters. Our solution uses concolic meta-interpretation: it applies concolic testing to a byte-code interpreter to explore all possible execution interpreter paths and obtain a list of concrete values that explore such paths. We then use such values to apply differential testing on the VM interpreter and JIT compiler. This solution is based on two insights: (1) both the interpreter and compiler implement the same language semantics and (2) interpreters are simple executable specifications of those semantics and thus promising targets to (meta-) interpretation using concolic testing. We validated it on 4 different compilers of the open-source Pharo Virtual Machine and found 468 differences between them, produced by 91 different causes, organized in 6 different categories.

show abstract

Section: Related Workmentioning

confidence: 95%

Interpreter-guided differential JIT compiler unit testing

Polito

Tesone

Ducasse

2022

Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

show abstract

“…Recent work explores cross-version comparison among a single JVM [38]. Similar work appeared recently for JavaScript engines using test transplantation [21] and compiler fuzzing [23], [36]. Although we share with these approaches the goal of automatic test generation, these explore JIT compiler testing and treat VMs as black boxes.…”

Section: B Automated Virtual Machine Testingmentioning

confidence: 96%

“…Existing fuzzing techniques applied to virtual machines (VM) are aimed at testing (just in time) JIT compiler engines and propose generally the use of template programs that are mutated [6], [7], [17], [21], [23], [24], [36]. We argue however that such approaches, although shown suitable to find compilation errors, are not the most efficient at finding garbage collection bugs.…”

Section: Introductionmentioning

confidence: 99%

Heap Fuzzing: Automatic Garbage Collection Testing with Expert-Guided Random Events

Polito

Tesone

Privat

et al. 2023

2023 IEEE Conference on Software Testing, Verification and Validation (ICST)

View full text Add to dashboard Cite

Producing robust memory manager implementations is a challenging task. Defects in garbage collection algorithms produce subtle effects that are revealed later in program execution as memory corruptions. This problem is exacerbated by the fact that garbage collection algorithms deal with low-level implementation details to be efficient. Finding, reproducing, and debugging such bugs is complex and time-consuming.In this article, we propose to fuzz heaps by generating large sequences of random heap events guided by virtual machine experts. Randomly generated events exercise the garbage collection algorithm with the objective of crashing the virtual machine and finding bugs. Once a bug is found, we use a test case reduction algorithm to find the smaller subset of events that reproduces the issue.We implemented our approach on top of the virtual machine simulator of the Pharo Virtual Machine, to test its sequential stopthe-world generational scavenger. Experts guided our fuzzing toward the ephemeron finalization mechanism, corner allocation cases, and the heap compaction algorithm. Our prototype found 6 bugs: 3 in Pharo's ephemeron implementation which is not yet in production, 2 bugs in the default compactor which has been in production for 8 years, and 1 bug in the VM simulator used daily by VM developers. We show how such test cases were automatically reduced to trivial sequences that were easy to debug.Index Terms-garbage collection, testing, fuzzing, virtual machines• The first implementation, to the best of our knowledge, of a heap fuzzer that tests memory managers and garbage

show abstract

Exposing Bugs in JavaScript Engines through Test Transplantation and Differential Testing

Cited by 2 publications

References 22 publications

Interpreter-guided differential JIT compiler unit testing

Interpreter-guided differential JIT compiler unit testing

Heap Fuzzing: Automatic Garbage Collection Testing with Expert-Guided Random Events

Contact Info

Product

Resources

About