
Bugs found by jsfunfuzz - luu
https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz
======
castell
For anyone interested it's called _fuzz testing_ :
[http://en.wikipedia.org/wiki/Fuzz_testing](http://en.wikipedia.org/wiki/Fuzz_testing)

------
wldlyinaccurate
This is really interesting, and a great approach to testing. I wonder if other
JS engines like V8 are using this or something similar?

~~~
amelius
Indeed interesting. I wonder if there is a tool for generating input in a way
that guarantees that all locations in the program are actually covered (in
other words, that all reachable code has been reached).

Of course, this is no guarantee that the program actually works, but it would
make me sleep better :)

~~~
SloopJon
An instrumented fuzzer like AFL purports to do this:

[http://lcamtuf.coredump.cx/afl/](http://lcamtuf.coredump.cx/afl/)

This blog post is a fascinating description of its potential:

[http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html](http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html)

I haven't had as much success with it, but it's so interesting that I'll keep
trying. I'm also interested in KLEE, which I found in a similar HN story, but
it has very specific build requirements:

[https://klee.github.io](https://klee.github.io)

[Edit: bhouston posted the exact same links minutes before I did. Anyway, cool
stuff.]

~~~
ainsej
KLEE is pretty cool. To compensate for the atrocious build instructions
there's a Docker image which contains KLEE built and ready to use
([https://registry.hub.docker.com/u/kleeweb/klee/](https://registry.hub.docker.com/u/kleeweb/klee/)).

There's also a web interface to just play around with KLEE without having to
download and install anything, which a few other people and I worked on,
available at
[http://klee.doc.ic.ac.uk:55080/](http://klee.doc.ic.ac.uk:55080/), and which we
open-sourced at [https://github.com/klee-web/klee-web](https://github.com/klee-web/klee-web).

