Activate your free membership today | Log-in

Wednesday, December 24th, 2008

Playing with a fuzzy monkey; Helping JITs improve

Category: JavaScript

PLAIN TEXT
JAVASCRIPT:
  1.  
  2. for (var i = 0; i <0x02000000; ++i) {
  3.   d = 0x55555555;
  4.   d++; d++; d++; d++; d++;
  5. }
  6.  

This code runs 250 times faster when the JIT is enabled in a Firefox with TraceMonkey available.

This is just one minor thing that Jesse Ruderman has been able to find as he helps out the TraceMonkey team with his jsfunfuzz JavaScript fuzzer.

He has found many bugs, and those that would have been hard to track down:

Andreas Gal commented that each fuzz-generated testcase saved him nearly a day of debugging: otherwise, he'd probably have to tease a testcase out of a misbehaving complex web page. Encouraged by his comment, I looked for additional ways to help the TraceMonkey team.

He then put his fuzzer to work to find differences between Spidermonkey and JavaScriptCore. Interesting stuff.

Related Content:

Posted by Dion Almaer at 5:29 am
1 Comment

++++-
4 rating from 5 votes

1 Comment »

Comments feed TrackBack URI

Fine work Jesse, keep at it!

Comment by oopstudios — December 27, 2008

Leave a comment

You must be logged in to post a comment.