A JavaScript Engine Fuzzer
2.3k
Stars
363
Forks
74
Open issues
30
Contributors
AI Analysis
Fuzzilli is a coverage-guided fuzzer for JavaScript engines that uses a custom intermediate language (FuzzIL) to generate semantically valid test cases. It is purpose-built for security researchers and engine developers to find bugs in JIT compilers and interpreter cores, not suitable for general-purpose JavaScript testing or application fuzzing.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Specialized JavaScript engine fuzzer from Project Zero, used for finding JIT compiler bugs
Fuzzilli is a coverage-guided fuzzer specifically designed for JavaScript engines, built by Google Project Zero. It uses a custom intermediate language (FuzzIL) to generate semantically valid test programs that can uncover deep bugs in JIT compilers and interpreter implementations. The tool has verified adoption within security research and bug-hunting communities, with documented CVE discoveries. It targets a narrow but critical use case: finding correctness bugs in dynamic language interpreters rather than general API fuzzing.
Created in March 2019 by Project Zero, Fuzzilli emerged from the need for a better approach to fuzzing JavaScript engines where semantic correctness of generated code matters. The FuzzIL intermediate language design reflects lessons from targeting JIT compiler bugs where most generic fuzzing approaches fail to generate meaningful test cases.
The project has maintained steady, modest growth: 2,215 stars over 7 years with 1 star gained in the last week, indicating stable niche adoption rather than accelerating growth. Recent activity shows continued maintenance (last push 2026-07-02), but growth trajectory suggests the project has reached equilibrium in its target community rather than expanding into new domains.
Adoption verified within security research and vulnerability disclosure contexts. README explicitly invites researchers to report vulnerabilities found via Fuzzilli and includes a bug showcase section suggesting documented real-world discoveries. However, quantitative metrics on production usage are not provided. Adoption appears concentrated among security researchers, vulnerability assessors, and JavaScript engine developers rather than mainstream software developers.
Fuzzilli appears to be built in Swift with C components for coverage measurement and socket interactions. The architecture centers on a MutationFuzzer engine that applies semantic-preserving mutations to FuzzIL programs, executes them against target JavaScript engines, and evaluates coverage feedback. Multiple mutator types (InputMutator, CodeGenMutator, CombineMutator, OperationMutator) handle different aspects of program mutation. The design prioritizes maintaining semantic validity of generated programs—a core constraint for JIT fuzzing.
Not documented in README. No test coverage metrics or testing strategy is mentioned in the provided README excerpt.
Active maintenance detected: last commit 2026-07-02 (6 days before analysis date), indicating recent work. Project has maintained patches and support for multiple JavaScript engines (V8, SpiderMonkey, JavaScriptCore, etc.), with documented README and contribution guidelines. This pattern indicates sustained maintenance rather than abandonment, though the slow star growth suggests a mature project with stable rather than expanding user base.
ADOPT IF: you are a security researcher, JavaScript engine developer, or vulnerability researcher needing to find JIT compiler bugs or semantic correctness issues in JavaScript engines. AVOID IF: you need a general-purpose fuzzer, are fuzzing JavaScript applications (not the engine itself), or require extensive commercial support and documentation. MONITOR IF: you are building a comprehensive fuzzing platform and considering whether to integrate specialized language-specific fuzzers, or if you work on dynamic language implementations where semantic correctness of generated tests is critical.
Independent dimensions
Mainstream potential
3/10
Technical importance
8/10
Adoption evidence
5/10
- Adoption appears limited to specialized security research domain; may not expand beyond that niche given the problem specificity.
- Swift as implementation language may limit contributor base compared to C++/Python alternatives; Swift ecosystem smaller for systems tooling.
- Requires deep knowledge of target JavaScript engine internals and patching to set up; high friction for new users compared to black-box fuzzers.
- Semantic validity constraints, while technically sound, make it unsuitable for generic API fuzzing or testing JavaScript application code.
- No public evidence of adoption outside security research community; enterprise usage patterns not documented.
Fuzzilli likely remains a stable, specialist tool for JavaScript engine developers and security researchers. Expect continued maintenance and modest adoption growth, but unlikely to achieve mainstream visibility beyond its niche. May see increased adoption if JavaScript engine security becomes a higher industry priority, but core use case limits mainstream expansion.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Swift
- License
- Apache-2.0
- Last updated
- 22h ago
- Created
- 89mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Crash
fuzzying 2M+ consistent crash with this same instruction
Fatal error: Unknown frame type in `DiffOracle.parseFrameType` during differential execution (DumplingDiffOracle)
Assertion failure in scheduleCorpusImport with --jobs>=2
NJS Fuzz BUILD
Top contributors
Similar repos
CodeIntelligenceTesting/jazzer
Jazzer is a coverage-guided, in-process fuzzer for the JVM that brings...
googleprojectzero/Jackalope
Jackalope is a coverage-guided fuzzer for binary security testing on Windows,...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.3k | +55 | Swift | 8/10 | 22h ago |
|
|
1.2k | — | Java | 8/10 | 3d ago |
|
|
1k | — | C++ | 8/10 | 11h ago |
|
|
1.4k | — | C++ | 8/10 | 7d ago |
|
|
5.6k | — | Python | 8/10 | 19h ago |
|
|
6.5k | — | Python | 7/10 | 6mo ago |
ClusterFuzz is a distributed fuzzing platform covering many targets; Fuzzilli is specialized for JavaScript semantics. ClusterFuzz handles orchestration and corpus management at scale; Fuzzilli focuses on semantic mutation. Not direct competitors—Fuzzilli could be integrated into ClusterFuzz infrastructure.
FuzzTest targets C++ property-based testing; Fuzzilli targets dynamic language JIT bugs. Different problem domains and languages. FuzzTest is more about testing user code; Fuzzilli is about testing interpreter correctness.
Jazzer is a coverage-guided fuzzer for Java with similar goals to Fuzzilli but different target language. Both use intermediate language approaches; Fuzzilli's semantic validity constraint is more specific to JIT compilation problems.
Jackalope is a general-purpose coverage-guided fuzzer; Fuzzilli is JavaScript-specific with semantic constraints. Different scope and target application.
wfuzz is a web application fuzzer for API and parameter fuzzing. Fuzzilli targets language interpreter implementation bugs. Entirely different problem class and user base.