Extraction and Mutation at a High Level: Template-Based Fuzzing for JavaScript Engines

Wai Kin WONG; Dongwei XIAO; Cheuk Tung LAI; Yiteng PENG; Daoyuan WU; Shuai WANG

doi:10.1145/3763154

Extraction and Mutation at a High Level: Template-Based Fuzzing for JavaScript Engines

Wai Kin WONG
, Dongwei XIAO
, Cheuk Tung LAI
, Yiteng PENG
, Daoyuan WU
, Shuai WANG^*

^*Corresponding author for this work

Lingnan University

Research output: Journal Publications › Journal Article (refereed) › peer-review

Abstract

JavaScript (JS) engines implement complex language semantics and optimization strategies to support the dynamic nature of JS, making them difficult to test thoroughly and prone to subtle, security-critical bugs. Existing fuzzers often struggle to generate diverse and valid test cases. They either rely on syntax-level mutations that lack semantic awareness or perform limited, local mutations on concrete code, thus failing to explore deeper, more complex program behaviors. This paper presents TemuJs, a novel fuzzing framework that performs extraction and mutation at a high level, operating on abstract templates derived from real-world JS programs. These templates capture coarse-grained program structures with semantic placeholders, enabling semantics-aware mutations that preserve the high-level intent of the original code while diversifying its behavior. By decoupling mutation from concrete syntax and leveraging a structured intermediate representation for the templates, TemuJs explores a broader and more meaningful space of program behaviors. Evaluated on three major JS engines, namely, V8, SpiderMonkey, and JavaScriptCore, TemuJs discovers 44 bugs and achieves a 10.3% increase in edge coverage compared to state-of-the-art fuzzers on average. Our results demonstrate the efficacy of high-level, template-mutation fuzzing in testing JS engines.

Original language	English
Article number	376
Pages (from-to)	2898-2926
Number of pages	29
Journal	Proceedings of the ACM on Programming Languages
Volume	9
Issue number	OOPSLA2
DOIs	https://doi.org/10.1145/3763154
Publication status	Published - 9 Oct 2025

Bibliographical note

We also thank Prof. Zhendong Su at ETH Zurich for his valuable discussions with Dongwei Xiao regarding the ideas presented in this paper, which took place during Dongwei Xiao's visit. We additionally thank Samuel Groß and Carl Smith at Google for their valuable feedback during the initial stages of this work.

Publisher Copyright:
© 2025 Owner/Author.

Funding

The HKUST authors are supported in part by a RGC GRF grant under the contract 16214723.

Keywords

JavaScript engine
Just-in-time compilation
fuzzing
security

Access to Document

10.1145/3763154Licence: CC BY

Cite this

@article{57696e0fca31425786f494c1227ac4b9,

title = "Extraction and Mutation at a High Level: Template-Based Fuzzing for JavaScript Engines",

abstract = "JavaScript (JS) engines implement complex language semantics and optimization strategies to support the dynamic nature of JS, making them difficult to test thoroughly and prone to subtle, security-critical bugs. Existing fuzzers often struggle to generate diverse and valid test cases. They either rely on syntax-level mutations that lack semantic awareness or perform limited, local mutations on concrete code, thus failing to explore deeper, more complex program behaviors. This paper presents TemuJs, a novel fuzzing framework that performs extraction and mutation at a high level, operating on abstract templates derived from real-world JS programs. These templates capture coarse-grained program structures with semantic placeholders, enabling semantics-aware mutations that preserve the high-level intent of the original code while diversifying its behavior. By decoupling mutation from concrete syntax and leveraging a structured intermediate representation for the templates, TemuJs explores a broader and more meaningful space of program behaviors. Evaluated on three major JS engines, namely, V8, SpiderMonkey, and JavaScriptCore, TemuJs discovers 44 bugs and achieves a 10.3\% increase in edge coverage compared to state-of-the-art fuzzers on average. Our results demonstrate the efficacy of high-level, template-mutation fuzzing in testing JS engines.",

keywords = "JavaScript engine, Just-in-time compilation, fuzzing, security",

author = "WONG, \{Wai Kin\} and Dongwei XIAO and LAI, \{Cheuk Tung\} and Yiteng PENG and Daoyuan WU and Shuai WANG",

note = "We also thank Prof. Zhendong Su at ETH Zurich for his valuable discussions with Dongwei Xiao regarding the ideas presented in this paper, which took place during Dongwei Xiao's visit. We additionally thank Samuel Gro{\ss} and Carl Smith at Google for their valuable feedback during the initial stages of this work. Publisher Copyright: {\textcopyright} 2025 Owner/Author.",

year = "2025",

month = oct,

day = "9",

doi = "10.1145/3763154",

language = "English",

volume = "9",

pages = "2898--2926",

journal = "Proceedings of the ACM on Programming Languages",

issn = "2475-1421",

publisher = "Association for Computing Machinery, Inc",

number = "OOPSLA2",

}

TY - JOUR

T1 - Extraction and Mutation at a High Level: Template-Based Fuzzing for JavaScript Engines

AU - WONG, Wai Kin

AU - XIAO, Dongwei

AU - LAI, Cheuk Tung

AU - PENG, Yiteng

AU - WU, Daoyuan

AU - WANG, Shuai

N1 - We also thank Prof. Zhendong Su at ETH Zurich for his valuable discussions with Dongwei Xiao regarding the ideas presented in this paper, which took place during Dongwei Xiao's visit. We additionally thank Samuel Groß and Carl Smith at Google for their valuable feedback during the initial stages of this work. Publisher Copyright: © 2025 Owner/Author.

PY - 2025/10/9

Y1 - 2025/10/9

N2 - JavaScript (JS) engines implement complex language semantics and optimization strategies to support the dynamic nature of JS, making them difficult to test thoroughly and prone to subtle, security-critical bugs. Existing fuzzers often struggle to generate diverse and valid test cases. They either rely on syntax-level mutations that lack semantic awareness or perform limited, local mutations on concrete code, thus failing to explore deeper, more complex program behaviors. This paper presents TemuJs, a novel fuzzing framework that performs extraction and mutation at a high level, operating on abstract templates derived from real-world JS programs. These templates capture coarse-grained program structures with semantic placeholders, enabling semantics-aware mutations that preserve the high-level intent of the original code while diversifying its behavior. By decoupling mutation from concrete syntax and leveraging a structured intermediate representation for the templates, TemuJs explores a broader and more meaningful space of program behaviors. Evaluated on three major JS engines, namely, V8, SpiderMonkey, and JavaScriptCore, TemuJs discovers 44 bugs and achieves a 10.3% increase in edge coverage compared to state-of-the-art fuzzers on average. Our results demonstrate the efficacy of high-level, template-mutation fuzzing in testing JS engines.

AB - JavaScript (JS) engines implement complex language semantics and optimization strategies to support the dynamic nature of JS, making them difficult to test thoroughly and prone to subtle, security-critical bugs. Existing fuzzers often struggle to generate diverse and valid test cases. They either rely on syntax-level mutations that lack semantic awareness or perform limited, local mutations on concrete code, thus failing to explore deeper, more complex program behaviors. This paper presents TemuJs, a novel fuzzing framework that performs extraction and mutation at a high level, operating on abstract templates derived from real-world JS programs. These templates capture coarse-grained program structures with semantic placeholders, enabling semantics-aware mutations that preserve the high-level intent of the original code while diversifying its behavior. By decoupling mutation from concrete syntax and leveraging a structured intermediate representation for the templates, TemuJs explores a broader and more meaningful space of program behaviors. Evaluated on three major JS engines, namely, V8, SpiderMonkey, and JavaScriptCore, TemuJs discovers 44 bugs and achieves a 10.3% increase in edge coverage compared to state-of-the-art fuzzers on average. Our results demonstrate the efficacy of high-level, template-mutation fuzzing in testing JS engines.

KW - JavaScript engine

KW - Just-in-time compilation

KW - fuzzing

KW - security

UR - https://www.scopus.com/pages/publications/105018669527

U2 - 10.1145/3763154

DO - 10.1145/3763154

M3 - Journal Article (refereed)

SN - 2475-1421

VL - 9

SP - 2898

EP - 2926

JO - Proceedings of the ACM on Programming Languages

JF - Proceedings of the ACM on Programming Languages

IS - OOPSLA2

M1 - 376

ER -

Extraction and Mutation at a High Level: Template-Based Fuzzing for JavaScript Engines

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this