My DOM fuzzer can now find bugs where the layout of a DOM tree depends on its history. In this example, forcing a re-layout swapped a “1” and “3” on the screen. My fuzzer ...
https://www.squarefree.com/2012/03/03/fuzzing-for-consistent-rendering/
In 2008 I wrote about generating random JavaScript to find differences between optimization modes and differences between JavaScript engines (rough list of bugs). How do you do this kind of testi...
https://www.squarefree.com/2010/11/03/gcc-correctness-fuzzing/
I gave my new fuzzer a break from testing TraceMonkey by asking it to look for differences between SpiderMonkey and JavaScriptCore. I have listed them below, with SpiderMonkey output above JavaSc...
Making JavaScript faster is important for the future of computer security. Faster scripts will allow computationally intensive applications to move to the Web. As messy as the Web's security mode...
Fuzz-testing is usually only used to find crashes and assertion failures, but my JavaScript engine fuzzer goes beyond catastrophic failures when it tests the decompiler. It checks the decompiled ...
https://www.squarefree.com/2007/08/02/fuzzing-for-correctness/