
DUMPLING demonstrates a more precise way to expose JIT‑related bugs, strengthening browser security and reducing attack surfaces for web‑based exploits. Its success signals that existing fuzzing techniques may still leave critical vulnerabilities undiscovered.
Web browsers rely on JavaScript engines that dynamically compile hot code paths using just‑in‑time (JIT) techniques. JIT compilation boosts performance, but the optimizations it applies rest on assumptions about the program (for example, about the types and shapes of the values a function sees) that can diverge from the interpreter's behavior, creating fertile ground for subtle security flaws: when the compiled code and the interpreter disagree on the result of the same operation, the engine's safety checks have been undermined without anything visibly breaking. Traditional fuzzers look for crashes or assertion failures, so such logic‑level inconsistencies go unchecked. As browsers become the primary platform for interactive applications, ensuring the correctness of both interpreted and compiled execution paths is essential for protecting users from remote code execution attacks.
DUMPLING tackles this challenge by shifting the instrumentation focus from the JavaScript payload to the engine itself. It periodically extracts "frame dumps," snapshots of the full execution state, including registers, stack frames, and variable values, while the engine runs both interpreted and JIT‑compiled code, and compares the two. This fine‑grained visibility lets the fuzzer detect divergences at a much higher resolution than prior differential approaches, which relied on ad‑hoc JavaScript probes and could only compare the values a test program chose to observe. By operating at the engine level, DUMPLING avoids the need to modify test inputs, preserving natural execution patterns and allowing inspection of optimized code paths that were previously opaque to fuzzers.
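To make the contrast concrete, here is the shape of the probe‑based differential check that earlier approaches relied on, written for Node.js (V8). This is an added example for this page, not code from the DUMPLING paper or from V8: the helper names, the warm‑up count used to stand in for "hot enough to be compiled", and the target function are all illustrative assumptions. It records a function's observable results on a cold call and again after a warm‑up loop, and compares them with a comparator that does not paper over JIT‑relevant distinctions such as -0 versus 0, NaN, or holey versus packed arrays.

```javascript
// Added example: a conventional, probe-based differential harness of the kind
// DUMPLING improves on. Names and the warm-up threshold are illustrative
// assumptions, not V8 or DUMPLING internals.

// Value comparison that keeps the distinctions a JIT bug might touch:
// -0 vs 0, NaN, array holes vs undefined, and typeof changes (1 vs "1").
function sameValue(a, b) {
  if (typeof a !== typeof b) return false;
  if (typeof a !== 'object' || a === null || b === null) return Object.is(a, b);
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  if (Array.isArray(a)) {
    if (a.length !== b.length) return false;
    for (let i = 0; i < a.length; i++) {
      if ((i in a) !== (i in b)) return false;   // holey vs packed element
      if (!sameValue(a[i], b[i])) return false;
    }
    return true;
  }
  const ka = Object.keys(a);
  const kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every((k) => Object.prototype.hasOwnProperty.call(b, k) && sameValue(a[k], b[k]));
}

// Run fn on every argument set once "cold" (first call, interpreted), then
// repeat the calls `warmup` times so the engine is likely to tier up to
// compiled code, then run once more "hot" and report the first mismatch.
// Only observable return values are compared: any intermediate register or
// stack state inside fn is invisible to this style of probe.
function differentialRun(fn, argSets, warmup = 10000) {
  const cold = argSets.map((args) => fn(...args));
  for (let i = 0; i < warmup; i++) {
    for (const args of argSets) fn(...args);
  }
  const hot = argSets.map((args) => fn(...args));
  for (let i = 0; i < argSets.length; i++) {
    if (!sameValue(cold[i], hot[i])) {
      return { divergent: true, index: i, args: argSets[i], cold: cold[i], hot: hot[i] };
    }
  }
  return { divergent: false, checked: argSets.length };
}

// Constructed target: mixes int32 and double arithmetic, array holes and
// typeof checks, the kinds of operations a speculative optimizer specializes.
function target(x, arr) {
  let acc = x | 0;
  for (let i = 0; i < arr.length; i++) {
    acc += typeof arr[i] === 'number' ? arr[i] : 0;
  }
  return [acc, acc / 2, typeof acc, arr.length > 2 ? arr[2] : undefined];
}

// Constructed inputs chosen to cross representation boundaries.
const SAMPLE_ARGS = [
  [1, [1, 2, 3]],
  [2 ** 31 - 1, [1]],        // int32 sum overflows into a double
  [-0, []],                  // negative zero input
  [0.5, [1, , 3]],           // holey array
];

function runSample() {
  return differentialRun(target, SAMPLE_ARGS);
}

console.log(JSON.stringify(runSample()));
```

On a correct engine the harness reports no divergence for these inputs; what it cannot do is tell you whether the compiled code reached that answer through the same intermediate state as the interpreter, which is exactly the gap an engine‑level frame dump closes.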
The practical impact of DUMPLING is evident: it identified eight new bugs in the heavily scrutinized V8 engine, bugs that earlier differential fuzzers failed to surface. Google’s acknowledgment of these findings with an $11,000 reward underscores the real‑world relevance of the approach. Beyond V8, the methodology can be adapted to other JIT‑enabled runtimes, offering a scalable path toward more robust browser security. As the web continues to evolve, tools like DUMPLING will be critical for closing the testing gap between high‑performance engine optimizations and the safety guarantees users expect.