
Research On Type-Inference-based JavaScript Engine Fuzzing Test

Posted on: 2021-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: S Cao
Full Text: PDF
GTID: 2428330611481931
Subject: Software engineering

Abstract/Summary:
JavaScript is a prototype-based, dynamically and weakly typed scripting language. Because it is weakly typed, the type of a variable cannot be declared in a JavaScript program, and its executor, the JavaScript engine, can only determine a variable's type when the corresponding statement is executed. Many type anomalies that would be caught in a strongly typed language therefore stay hidden and are hard to find. When testing a JavaScript engine, efficiently generating test cases with high code coverage and finding the engine's hidden defects more quickly are problems that still need to be solved. This thesis therefore proposes a fuzzing method for JavaScript engines based on type inference. The specific research contents are as follows:

(1) To prevent an exception early in a test file from terminating the program prematurely, and to improve code coverage and the utilization of the original corpus, the code in the original corpus is split into JavaScript functions, called pre-test cases.

(2) To call these functions effectively and further improve the code coverage of the pre-test cases, a parameter type inference method is proposed. First, for each parameter of a function, the function body is traversed, the number of type inference factors for each data type is counted, and the data type with the highest score is presumed to be the parameter's data type. Then actual parameters and function call expressions are generated accordingly, yielding test cases that achieve high code coverage and efficiently trigger crash defects in JavaScript engines. Finally, based on the type inference results, the test cases are mutated in a guided and targeted way, which increases the chance of further raising code coverage and of triggering more JavaScript engine defects by meeting boundary conditions.

(3) To verify the effectiveness of the above methods, this thesis implements the prototype system JSTIFuzz and uses it to conduct three experiments: an evaluation of the parameter type inference, an evaluation of the code coverage improvement, and an evaluation of the fuzzing effectiveness. Experimental results show that when JSTIFuzz infers the parameter types of functions, the type accuracy rate is up to 10.8 times higher than that of random parameter passing. JSTIFuzz can also increase the code coverage of test cases by up to 30.33% and the code coverage of JavaScript engines by up to 8.81%. With the same original corpus as input and under the same time and environment, JSTIFuzz triggers more crash defects on the test set than other fuzzing tools. Finally, in a 100-hour fuzz test on the latest version of each JavaScript engine, a total of 6 crash defects were found and submitted in 4 JavaScript engines (Rhino, JerryScript, QuickJS and Hermes), of which 2 have been confirmed.
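The following is an added illustration of the parameter type inference and type-guided call generation described in item (2); it is not code from the thesis or from JSTIFuzz. It takes the source of one "pre-test case" function, counts syntactic uses of each parameter as votes for a data type, picks the highest-scoring type, builds a matching call expression, and then produces boundary-value mutants one parameter at a time. The factor patterns, the sample and boundary values, and the `pad` function are all assumptions constructed for this example; a real implementation would walk an AST rather than match regexes on source text.

```javascript
// Added example (not JSTIFuzz's code): toy parameter type inference by vote
// counting over a function body, followed by type-guided call generation.
// Every pattern, weight and sample value here is an assumption.

// Types we vote over; "unknown" is the fallback when no factor matches.
const TYPES = ["number", "string", "array", "function", "object"];

// Escape a parameter name so it can be embedded in a regex (e.g. "$a").
function esc(name) {
  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// "Type inference factors": uses of a parameter that hint at its data type.
// Each match adds one vote to the factor's type. `.length` is ambiguous, so
// it votes once for string and once for array.
function factorsFor(name) {
  const n = esc(name);
  const r = (p) => new RegExp(p, "g");
  return [
    { type: "number",   re: r(`\\b${n}\\s*[-*/%]`) },                   // width * 2
    { type: "number",   re: r(`[-*/%]\\s*${n}\\b`) },                   // 2 * width
    { type: "number",   re: r(`(\\+\\+|--)\\s*${n}\\b|\\b${n}\\s*(\\+\\+|--)`) },
    { type: "number",   re: r(`\\.length\\s*[<>=!]=?\\s*${n}\\b`) },    // x.length < width
    { type: "number",   re: r(`\\b${n}\\s*[<>]=?\\s*\\d`) },            // width > 0
    { type: "string",   re: r(`\\b${n}\\.(charAt|charCodeAt|indexOf|split|substring|trim|toUpperCase|toLowerCase)\\b`) },
    { type: "string",   re: r(`\\b${n}\\s*\\+\\s*["'\`]`) },            // s + " "
    { type: "string",   re: r(`\\b${n}\\.length\\b`) },
    { type: "array",    re: r(`\\b${n}\\.length\\b`) },
    { type: "array",    re: r(`\\b${n}\\s*\\[`) },                      // a[i]
    { type: "array",    re: r(`\\b${n}\\.(push|pop|shift|map|forEach|filter|slice|join)\\b`) },
    { type: "function", re: r(`\\b${n}\\s*\\(`) },                      // cb(...)
    { type: "function", re: r(`\\b${n}\\.(call|apply|bind)\\b`) },
  ];
}

// Count factor matches for one parameter and return the best type together
// with the full vote table, so the decision can be audited.
function inferParamType(body, name) {
  const scores = Object.fromEntries(TYPES.map((t) => [t, 0]));
  for (const f of factorsFor(name)) {
    const hits = body.match(f.re);
    if (hits) scores[f.type] += hits.length;
  }
  let best = "unknown", bestScore = 0;
  for (const t of TYPES) {
    if (scores[t] > bestScore) { best = t; bestScore = scores[t]; }
  }
  return { type: best, scores };
}

// Extract name, parameter list and body from a single `function f(a, b) {...}`
// declaration (assumption: no default values or destructuring in the list).
function parseFunction(src) {
  const m = /function\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{([\s\S]*)\}\s*$/.exec(src.trim());
  if (!m) throw new Error("expected a single function declaration");
  const params = m[2].split(",").map((p) => p.trim()).filter(Boolean);
  return { name: m[1], params, body: m[3] };
}

// A well-formed value per inferred type for the base call, and boundary values
// that the type-guided mutation substitutes one parameter at a time.
const SAMPLE = {
  number: "3", string: '"ab"', array: "[1, 2, 3]", function: "(x) => x",
  object: "{}", unknown: "undefined",
};
const BOUNDARY = {
  number: ["0", "-1", "2147483648", "NaN", "Infinity"],
  string: ['""', '"\\u0000"', '"x".repeat(1 << 16)'],
  array: ["[]", "[,]", "new Array(1 << 20)"],
  function: ['() => { throw new Error("boom"); }', "Object"],
  object: ["null", "Object.create(null)"],
  unknown: ["null", "undefined"],
};

// Infer every parameter, emit the base call expression and its mutants.
function generateCalls(src) {
  const { name, params, body } = parseFunction(src);
  const inferred = params.map((p) => ({ name: p, ...inferParamType(body, p) }));
  const baseArgs = inferred.map((p) => SAMPLE[p.type]);
  const base = `${name}(${baseArgs.join(", ")});`;
  const mutants = [];
  inferred.forEach((p, i) => {
    for (const b of BOUNDARY[p.type]) {
      const args = baseArgs.slice();
      args[i] = b;
      mutants.push(`${name}(${args.join(", ")});`);
    }
  });
  return { inferred, base, mutants };
}

// Constructed sample pre-test case: one function split out of a corpus file.
const SAMPLE_FUNCTION = `
function pad(s, width) {
  while (s.length < width) s = s + " ";
  return s.toUpperCase();
}`;

const demo = generateCalls(SAMPLE_FUNCTION);
console.log(demo.inferred);                 // s -> string (3 votes), width -> number (1 vote)
console.log(demo.base);                     // pad("ab", 3);
console.log(demo.mutants.join("\n"));       // 3 string mutants + 5 number mutants
```

For `pad`, the `.length`, `+ " "` and `.toUpperCase` uses give `s` three string votes against one array vote, and the `s.length < width` comparison gives `width` a single number vote, so the base call is `pad("ab", 3);` and the eight mutants each replace one argument with a boundary value of that argument's inferred type. The vote table is returned alongside the decision so that a mis-inference (for example a parameter that is really an array but only has `.length` used) can be spotted when triaging coverage results.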
Keywords/Search Tags: JavaScript engine, Type inference, Code coverage, Fuzz testing