Flavio Toffalini receives funding from the Google Research Scholar Program
In his project “Detecting Semantic Bugs in JavaScript Engines,” he is developing new methods for identifying semantic errors
Every time you visit a website, your browser executes the JavaScript code on that page using a JavaScript engine (JS engine). Modern JS engines use just-in-time compilation (JIT) to generate optimized machine code at runtime, which makes web applications run significantly faster. At the same time, this optimization step poses a security risk: if the engine contains semantic errors, i.e. cases in which it executes a program differently from what the JavaScript language semantics prescribe, attackers can use them, for example, to manipulate the engine's execution. This lets them bypass the browser's security mechanisms and can even give them access to sensitive local data belonging to the user.
Although fuzzing techniques help to automatically detect software errors, they reach their limits with JIT compilers. The complex dynamic behavior of compilers is difficult to model, making testing JIT optimizations and detecting corresponding vulnerabilities particularly challenging.
This challenge is tackled by Flavio Toffalini and his team in their project. The aim of the project is to further develop fuzzing techniques for detecting semantic errors in JS engines. For this purpose, new strategies for testing JIT code optimizations are being investigated, and novel methods for improving how semantic errors are detected are being explored.
The project, which has already been launched, is scheduled to run for two years and is being funded by the Google Research Scholar Program. Preliminary results are to be presented at a conference shortly. Toffalini is also supervising a master’s thesis on the topic and plans to hire additional research staff to advance the project.
The idea for the current project arose from an earlier research project, also led by Flavio Toffalini, called “Dumpling: Fine-Grained Differential JavaScript Engine Fuzzing.” The accompanying paper won a Distinguished Paper Award at the Network and Distributed System Security Symposium (NDSS) 2025 in San Diego and attracted the attention of Google. The fuzzer “Dumpling”, developed as part of the project, was integrated into Google’s own products and laid the foundation for further cooperation.
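The differential idea named in Dumpling's title, and the reason semantic bugs are hard for ordinary fuzzers (they produce wrong results rather than crashes, so a crash-based oracle never sees them), can be illustrated with a small harness. The following is an added example written for this page; it is not code from the project or from Google, and the function names, the warm-up count and the "simulated miscompile" stand-in are assumptions made here. It runs a fresh copy of a function cold (few calls, so the engine still interprets it) and a second fresh copy hot (after enough calls for tiering JITs to optimize it), and reports every input on which the two disagree.

```javascript
// Added example (not code from the page or from the Dumpling project): a minimal
// differential oracle for semantic bugs in a JIT-compiled JavaScript engine.
// Assumption: the engine's interpreter and its JIT must agree on every input,
// so a fresh copy of a function run "cold" (few calls, still interpreted) and a
// second fresh copy run "hot" (after enough calls for tiering JITs to optimize
// it) must produce identical results. Any divergence is a semantic bug.
// Run with: node differential.js

// Canonicalize a result so that values === would conflate stay distinct.
// JIT miscompilations often surface exactly here (-0 vs 0, NaN, int overflow),
// so the oracle must not paper over them.
function canonicalize(value) {
  if (typeof value === "number") {
    if (Number.isNaN(value)) return "number:NaN";
    if (Object.is(value, -0)) return "number:-0";
    return "number:" + value;
  }
  if (typeof value === "bigint") return "bigint:" + value.toString();
  if (value === undefined) return "undefined";
  if (value === null) return "null";
  if (typeof value === "object") return "object:" + JSON.stringify(value);
  return typeof value + ":" + String(value);
}

// Record normal completion and thrown exceptions alike as comparable strings:
// "interpreter throws, JIT returns" is a divergence too.
function observe(fn, input) {
  try {
    return "ret:" + canonicalize(fn(input));
  } catch (e) {
    return "throw:" + (e instanceof Error ? e.constructor.name : String(e));
  }
}

// factory() must return a new function object each call, so the cold copy
// carries no type feedback or optimized code from the hot copy.
function runDifferential(factory, inputs, warmupIterations = 200000) {
  const cold = factory();
  const coldResults = inputs.map((x) => observe(cold, x));

  const hot = factory();
  for (let i = 0; i < warmupIterations; i++) {
    observe(hot, inputs[i % inputs.length]); // swallow throws during warm-up
  }
  const hotResults = inputs.map((x) => observe(hot, x));

  const divergences = [];
  for (let i = 0; i < inputs.length; i++) {
    if (coldResults[i] !== hotResults[i]) {
      divergences.push({ input: inputs[i], cold: coldResults[i], hot: hotResults[i] });
    }
  }
  return divergences;
}

// Constructed sample inputs spanning the type transitions that speculative
// optimizations care about: small ints, int32 edge, doubles, -0, NaN, strings,
// null/undefined, objects.
const SAMPLE_INPUTS = [0, -0, 1, 2 ** 31 - 1, 2 ** 53, -1.5, NaN, Infinity,
  "7", "abc", null, undefined, {}, [3]];

// A well-behaved candidate mixing int/double/string arithmetic with a bitwise
// op; a correct engine's JIT agrees with its interpreter on every input.
function makeCandidate() {
  return function f(x) {
    const y = x * 2 + 1;
    return (y | 0) === y ? y - 1 : y / 3;
  };
}

// Constructed stand-in for a miscompiled function: after "optimization" (many
// calls) it loses the sign of zero. This only simulates the bug class so the
// oracle has something to report; it is not a real engine bug.
function makeSimulatedMiscompile() {
  let calls = 0;
  return function g(x) {
    calls++;
    if (calls > 1000 && Object.is(x, -0)) return 0;
    return x;
  };
}

console.log("sane candidate divergences:", runDifferential(makeCandidate, SAMPLE_INPUTS));
console.log("simulated miscompile divergences:", runDifferential(makeSimulatedMiscompile, SAMPLE_INPUTS));
```

The point of the canonicalization step is that the oracle, not the engine, decides what counts as "the same": a comparison that treats -0 and 0 or two NaNs as equal would silently discard exactly the results in which JIT bugs tend to appear. A real engine fuzzer additionally generates the candidate programs and varies which optimization tiers run; this harness only shows the comparison that turns a wrong-but-silent result into a finding.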
About the Google Research Scholar Program
The Google Research Scholar Program supports early-career professors with unrestricted gifts in research areas that are particularly relevant to Google, such as natural language processing, machine learning, and privacy, safety, and security.