Fuzzing JavaScript JIT compilers with a high-quality differential test oracle
Authors: Jizhe Li, Haoran Xu, Yongjun Wang, Zhiyuan Jiang, Huang Chun, Peidai Xie, Yongxin Chen, Tian Xia
Journal: Computers & Security, volume 159, Article 104660 (JCR Q1, Computer Science, Information Systems)
DOI: 10.1016/j.cose.2025.104660
Publication date: 2025-09-13 (journal article; not open access)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003499
Modern JavaScript engines use Just-In-Time (JIT) compilers to convert frequently executed code into machine instructions, boosting performance for web applications and cross-platform systems. However, the optimizations in JIT compilers often introduce vulnerabilities while enhancing speed, especially optimization bugs, which are difficult to detect. Despite progress in detecting these bugs with differential testing oracles, existing methods are limited by high false-positive rates and poor efficiency.
This paper proposes AccuOracle, a test oracle for detecting JIT optimization bugs. We use an input-template-based test oracle that collects differential results from a single execution, enabling efficient fuzzing. To address the high false-positive challenge, AccuOracle employs a four-layer progressive filtering architecture: the dynamism elimination and environment isolation layers address root causes, while the pre-check and differential arbitration layers assess JIT-induced divergences. Experiments on V8, SpiderMonkey, and JavaScriptCore show that AccuOracle effectively eliminates false positives while maintaining high operational efficiency. It provides a high-accuracy, high-efficiency solution for JIT defect detection by integrating high-quality input templates with systematic false-positive elimination. Notably, AccuOracle has uncovered eight new bugs (two of which have been assigned CVEs), five of which Mozilla has confirmed and fixed.
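The single-execution differential oracle the abstract describes, sketched as an added example that is not AccuOracle's code and not taken from the paper: a template function is run while the engine still interprets it, hot-looped until the JIT compiles it, and run once more; a change in the canonical result is a candidate optimization bug. The four filter stages are this example's own assumptions about what each layer could do (a seeded PRNG and a fixed clock stand in for dynamism elimination and environment isolation, a second interpreted run is the pre-check, and the interpreted-versus-compiled comparison is the arbitration step). The three template functions are constructed inputs, not from the paper's corpus, and the iteration count is a guess at what pushes a function through the JIT tiers.

```javascript
// Added example, not AccuOracle's implementation. Names and thresholds are
// this example's assumptions.

// Canonical serialization: JSON.stringify hides -0, NaN and exceptions,
// which are classic symptoms of dropped JIT checks, so build our own.
function canonicalize(value) {
  if (value instanceof Error) return `throw:${value.constructor.name}`;
  if (typeof value === 'number') {
    if (Number.isNaN(value)) return 'num:NaN';
    if (Object.is(value, -0)) return 'num:-0';
    return `num:${value}`;
  }
  if (typeof value === 'bigint') return `bigint:${value}`;
  if (typeof value === 'string') return `str:${JSON.stringify(value)}`;
  if (value === null || typeof value !== 'object') return `${typeof value}:${String(value)}`;
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  const keys = Object.keys(value).sort();
  return `{${keys.map(k => `${JSON.stringify(k)}:${canonicalize(value[k])}`).join(',')}}`;
}

// Run a template and turn a thrown exception into a value, so that
// "throws when interpreted, returns when compiled" is still comparable.
function runTemplate(template, input) {
  try {
    return template(input);
  } catch (e) {
    return e instanceof Error ? e : new Error(String(e));
  }
}

// Dynamism elimination / environment isolation (assumed form): swap the
// engine's nondeterminism sources for a reseedable PRNG and a fixed clock.
function installDeterministicEnvironment() {
  const saved = { random: Math.random, now: Date.now };
  let seed = 0;
  const reset = () => { seed = 0x2545F491; };   // same sequence for every observed run
  reset();
  Math.random = () => {                         // xorshift32
    seed ^= seed << 13; seed ^= seed >>> 17; seed ^= seed << 5;
    return (seed >>> 0) / 0x100000000;
  };
  Date.now = () => 1700000000000;
  return { reset, restore: () => { Math.random = saved.random; Date.now = saved.now; } };
}

// Pre-check: two interpreted runs that already disagree mean the template
// itself is nondeterministic (closure state, I/O, ...), so a later divergence
// cannot be blamed on the JIT. Differential arbitration: compare the
// interpreted result with the result after the hot loop.
function differentialOracle(template, input, { warmupIterations = 20000, isolate = true } = {}) {
  const env = isolate ? installDeterministicEnvironment() : { reset() {}, restore() {} };
  try {
    env.reset();
    const cold = canonicalize(runTemplate(template, input));
    env.reset();
    const coldAgain = canonicalize(runTemplate(template, input));
    if (cold !== coldAgain) return { verdict: 'nondeterministic', cold, other: coldAgain };
    for (let i = 0; i < warmupIterations; i++) runTemplate(template, input); // drive JIT tier-up
    env.reset();
    const hot = canonicalize(runTemplate(template, input));
    return { verdict: hot === cold ? 'consistent' : 'divergence', cold, hot };
  } finally {
    env.restore();
  }
}

// Constructed templates (not from the paper). Mixed int32/double arithmetic
// with -0 is where optimizers tend to drop checks.
function arithmeticTemplate(x) {
  let acc = 0;
  for (let i = 0; i < 10; i++) acc = (acc + x * i) | 0;
  return [acc, -0 * x, Math.max(x, -0), 0x7fffffff + x];
}
// Nondeterministic under the real Math.random, deterministic once isolated.
function randomTemplate(x) {
  return Math.floor(Math.random() * 1000) + x;
}
// Closure state: every call differs, so the pre-check must reject it.
let callCount = 0;
function statefulTemplate(x) { return x + callCount++; }

for (const [name, template, input] of [
  ['arithmetic', arithmeticTemplate, 1],
  ['random', randomTemplate, 7],
  ['stateful', statefulTemplate, 0],
]) {
  const r = differentialOracle(template, input);
  console.log(`${name}: ${r.verdict} cold=${r.cold}${r.hot ? ' hot=' + r.hot : ''}`);
}
```

Whether 20000 calls actually reach the optimizing tier depends on the engine's heuristics; when fuzzing a real engine shell one would instead force tiering with engine flags (for example V8's `--allow-natives-syntax` with `%OptimizeFunctionOnNextCall(f)`, or SpiderMonkey's `--ion-eager`), which is what makes a single execution yield both the interpreted and the compiled result.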
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.