JavaScript is the backbone of the modern web, and browsers rely on highly optimized engines such as V8, SpiderMonkey, and JavaScriptCore. These engines use Just-In-Time (JIT) compilers to reach native-like performance, but the JIT tiers also create a vast attack surface, and silent JIT miscomputations are a major concern: they are logic flaws that evade conventional security oracles such as crashes and sanitizer reports, and they can be turned into remote code execution. Securing JIT engines is hard because traditional testing is largely blind to semantic correctness, and conventional fuzzing strategies fall short because of silent failures, sanitizer blindness, and cross-engine noise.

JIT-Picking addresses this with a precision-focused differential fuzzing architecture that turns a JavaScript engine against itself: the same JavaScript input is executed once in interpreter-only mode and once with the JIT enabled, probes injected into the program capture the values of local variables during execution, and the probed values are hashed so that any divergence between the two runs exposes a miscomputation. Because both runs come from the same engine, the comparison avoids the noise that arises when different engines are compared against each other.

In a 10-month evaluation against production-grade engines, JIT-Picking found 32 bugs, 27 of them JIT-specific, and proved particularly effective at detecting bugs in loop optimizations. The approach excels at catching transient miscomputations, intermediate wrong values that never reach the program's visible output and that traditional fuzzers therefore miss. The future of browser security lies in semantic-aware testing that treats logic correctness as a first-class security boundary, and automated differential testing may become mandatory in browser CI/CD pipelines to ensure secure browsers.
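As an added illustration of the probe-and-hash oracle described above (example code written for this page, not JIT-Picking's own instrumentation or a real engine bug), the block below folds every probed local-variable value into a running digest and compares two executions of the same program. A single script cannot switch its own engine between interpreter-only and JIT mode, so the two tiers are simulated as two plain functions: `referenceTier` has the intended semantics and `buggyTier` is a constructed stand-in for a loop optimization that miscomputes an intermediate value but still returns the right final result. All function names, the hash choice and the sample input are assumptions.

```javascript
// Added example (not from the JIT-Picking paper or its tooling): a minimal
// probe-and-hash differential oracle. Two "tiers" are simulated as plain
// JavaScript functions; the buggy tier is a constructed stand-in for a JIT
// miscomputation, not a real engine defect.

// 32-bit FNV-1a over a string; cheap and deterministic, enough for an oracle.
function fnv1a32(str, seed = 0x811c9dc5) {
  let h = seed >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Serialise a probed value so that type and numeric edge cases are visible to
// the hash: 1 vs "1", -0 vs 0, NaN, undefined vs null all get distinct tags.
function tagValue(v) {
  if (typeof v === 'number') {
    if (Number.isNaN(v)) return 'num:NaN';
    if (Object.is(v, -0)) return 'num:-0';
    return 'num:' + v;
  }
  if (v === null) return 'null';
  if (v === undefined) return 'undefined';
  if (typeof v === 'object') {
    try { return 'obj:' + JSON.stringify(v); } catch { return 'obj:<cyclic>'; }
  }
  return typeof v + ':' + String(v);
}

// Accumulates every probe into a running hash. The final digest is the
// oracle's view of the whole execution, not just the program's return value.
class ProbeTrace {
  constructor() { this.hash = 0x811c9dc5; this.count = 0; }
  probe(name, value) {
    this.hash = fnv1a32(`${name}=${tagValue(value)};`, this.hash);
    this.count++;
    return value; // pass-through, so a probe can wrap an expression in place
  }
}

// Run one tier with a fresh trace and return result, digest and probe count.
function runWithProbes(tier, input) {
  const trace = new ProbeTrace();
  const result = tier(input, (name, v) => trace.probe(name, v));
  return { result, digest: trace.hash, probes: trace.count };
}

// Differential verdict for the same program under two tiers. outputMismatch is
// what an output-only fuzzer sees; probeMismatch compares the trace digests.
function differentialCheck(referenceTier, candidateTier, input) {
  const ref = runWithProbes(referenceTier, input);
  const cand = runWithProbes(candidateTier, input);
  return {
    outputMismatch: tagValue(ref.result) !== tagValue(cand.result),
    probeMismatch: ref.digest !== cand.digest,
  };
}

// Test program: a running sum clamped to 100 inside the loop.
function referenceTier(values, probe) {
  let acc = 0;
  for (let i = 0; i < values.length; i++) {
    acc = probe('acc', Math.min(acc + values[i], 100));
  }
  return acc;
}

// Constructed "buggy JIT" tier: pretend a loop optimisation hoisted the clamp
// out of the loop and only applies it at the exit. The final value equals the
// reference, so the miscomputation is transient and invisible to an
// output-only oracle, but the probes record the out-of-range intermediates.
function buggyTier(values, probe) {
  let acc = 0;
  for (let i = 0; i < values.length; i++) {
    acc = probe('acc', acc + values[i]);
  }
  return Math.min(acc, 100);
}

const SAMPLE = [40, 40, 40, 40]; // constructed input

console.log(differentialCheck(referenceTier, buggyTier, SAMPLE));
// -> { outputMismatch: false, probeMismatch: true }
```

On the sample input both tiers return 100, so an oracle that only compares outputs reports agreement, while the probe digests differ at the third iteration (100 versus 120). The `tagValue` helper deliberately separates -0, NaN and numeric strings, because speculative type specialisation in a JIT is exactly where such representations can be confused; a hash that coerced them together would hide the miscomputation it is meant to expose.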
dev.to
