googleprojectzero

googleprojectzero/fuzzilli

Swift Apache-2.0 Security

A JavaScript Engine Fuzzer

2.3k stars
363 forks
active
GitHub +55 / week

2.3k

Stars

363

Forks

74

Open issues

30

Contributors

v0.9.3 03 Feb 2023

AI Analysis

Fuzzilli is a coverage-guided fuzzer for JavaScript engines that uses a custom intermediate language (FuzzIL) to generate semantically valid test cases. It is purpose-built for security researchers and engine developers to find bugs in JIT compilers and interpreter cores, not suitable for general-purpose JavaScript testing or application fuzzing.

Security Security Tool Discovery value: 6/10
Documentation 8/10
Activity 9/10
Community 7/10
Code quality 6/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

fuzzing security-research javascript-engines coverage-guided compiler-testing
Actively maintained Well documented Niche/specialized use case Popular Production ready
Deep Analysis · Based on README and public signals
2d ago

Specialized JavaScript engine fuzzer from Project Zero, used for finding JIT compiler bugs

Fuzzilli is a coverage-guided fuzzer specifically designed for JavaScript engines, built by Google Project Zero. It uses a custom intermediate language (FuzzIL) to generate semantically valid test programs that can uncover deep bugs in JIT compilers and interpreter implementations. The tool has verified adoption within security research and bug-hunting communities, with documented CVE discoveries. It targets a narrow but critical use case: finding correctness bugs in dynamic language interpreters rather than general API fuzzing.

Origin

Created in March 2019 by Project Zero, Fuzzilli emerged from the need for a better approach to fuzzing JavaScript engines where semantic correctness of generated code matters. The FuzzIL intermediate language design reflects lessons from targeting JIT compiler bugs where most generic fuzzing approaches fail to generate meaningful test cases.

Growth

The project has maintained steady, modest growth: 2,215 stars over 7 years with 1 star gained in the last week, indicating stable niche adoption rather than accelerating growth. Recent activity shows continued maintenance (last push 2026-07-02), but growth trajectory suggests the project has reached equilibrium in its target community rather than expanding into new domains.

In production

Adoption verified within security research and vulnerability disclosure contexts. README explicitly invites researchers to report vulnerabilities found via Fuzzilli and includes a bug showcase section suggesting documented real-world discoveries. However, quantitative metrics on production usage are not provided. Adoption appears concentrated among security researchers, vulnerability assessors, and JavaScript engine developers rather than mainstream software developers.

Code analysis
Architecture

Fuzzilli appears to be built in Swift with C components for coverage measurement and socket interactions. The architecture centers on a MutationFuzzer engine that applies semantic-preserving mutations to FuzzIL programs, executes them against target JavaScript engines, and evaluates coverage feedback. Multiple mutator types (InputMutator, CodeGenMutator, CombineMutator, OperationMutator) handle different aspects of program mutation. The design prioritizes maintaining semantic validity of generated programs—a core constraint for JIT fuzzing.

Tests

Not documented in README. No test coverage metrics or testing strategy is mentioned in the provided README excerpt.

Maintenance

Active maintenance detected: last commit 2026-07-02 (6 days before analysis date), indicating recent work. Project has maintained patches and support for multiple JavaScript engines (V8, SpiderMonkey, JavaScriptCore, etc.), with documented README and contribution guidelines. This pattern indicates sustained maintenance rather than abandonment, though the slow star growth suggests a mature project with stable rather than expanding user base.

Honest verdict

ADOPT IF: you are a security researcher, JavaScript engine developer, or vulnerability researcher needing to find JIT compiler bugs or semantic correctness issues in JavaScript engines. AVOID IF: you need a general-purpose fuzzer, are fuzzing JavaScript applications (not the engine itself), or require extensive commercial support and documentation. MONITOR IF: you are building a comprehensive fuzzing platform and considering whether to integrate specialized language-specific fuzzers, or if you work on dynamic language implementations where semantic correctness of generated tests is critical.

Independent dimensions

Mainstream potential

3/10

Technical importance

8/10

Adoption evidence

5/10

Risks
  • Adoption appears limited to specialized security research domain; may not expand beyond that niche given the problem specificity.
  • Swift as implementation language may limit contributor base compared to C++/Python alternatives; Swift ecosystem smaller for systems tooling.
  • Requires deep knowledge of target JavaScript engine internals and patching to set up; high friction for new users compared to black-box fuzzers.
  • Semantic validity constraints, while technically sound, make it unsuitable for generic API fuzzing or testing JavaScript application code.
  • No public evidence of adoption outside security research community; enterprise usage patterns not documented.
Prediction

Fuzzilli likely remains a stable, specialist tool for JavaScript engine developers and security researchers. Expect continued maintenance and modest adoption growth, but unlikely to achieve mainstream visibility beyond its niche. May see increased adoption if JavaScript engine security becomes a higher industry priority, but core use case limits mainstream expansion.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Swift
96.1%
JavaScript
1.5%
C
1.2%
Python
0.6%
Shell
0.5%
Dockerfile
0.1%

Information

Language
Swift
License
Apache-2.0
Last updated
22h ago
Created
89mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

CodeIntelligenceTesting

CodeIntelligenceTesting/jazzer

Jazzer is a coverage-guided, in-process fuzzer for the JVM that brings...

1.2k Java Security
google

google/fuzztest

FuzzTest is a C++ testing framework that enables property-based fuzzing tests...

googleprojectzero

googleprojectzero/Jackalope

Jackalope is a coverage-guided fuzzer for binary security testing on Windows,...

1.4k C++ Security
google

google/clusterfuzz

ClusterFuzz is a scalable fuzzing infrastructure used by Google to find...

5.6k Python Security
xmendez

xmendez/wfuzz

Wfuzz is a specialized web application fuzzer designed for security assessments...

6.5k Python Security
vs. alternatives
Google ClusterFuzz (5,576 stars)

ClusterFuzz is a distributed fuzzing platform covering many targets; Fuzzilli is specialized for JavaScript semantics. ClusterFuzz handles orchestration and corpus management at scale; Fuzzilli focuses on semantic mutation. Not direct competitors—Fuzzilli could be integrated into ClusterFuzz infrastructure.

Google FuzzTest (1,023 stars)

FuzzTest targets C++ property-based testing; Fuzzilli targets dynamic language JIT bugs. Different problem domains and languages. FuzzTest is more about testing user code; Fuzzilli is about testing interpreter correctness.

CodeIntelligence Jazzer (1,239 stars)

Jazzer is a coverage-guided fuzzer for Java with similar goals to Fuzzilli but different target language. Both use intermediate language approaches; Fuzzilli's semantic validity constraint is more specific to JIT compilation problems.

Google Jackalope (1,373 stars)

Jackalope is a general-purpose coverage-guided fuzzer; Fuzzilli is JavaScript-specific with semantic constraints. Different scope and target application.

wfuzz / xmendez (6,535 stars)

wfuzz is a web application fuzzer for API and parameter fuzzing. Fuzzilli targets language interpreter implementation bugs. Entirely different problem class and user base.