# Motivation
The repository is for solving the following problem encountered in reproducing CVE-2020-9802 in the AFL crash exploring mode of fuzzing process.
1. The `jsc` interpreter(Commit ID: `17218d1485b0f5d98d2aad116d4fdb2bad6aee2d`), whose version just before patching CVE-2020-9802, unexpected crash when receiving input don't conform to JavaScript language syntax.
2. The heap allocator of JavaScriptCore is probabilistic, which lead to unstable crash in reproducing CVE-2020-9802 in JavaScriptCore. AFL even doesn't accept the PoC as seed as it doesn't produce crash in `perform_dry_run()`.

# Solution
1. JavaScriptCore was updated into the latest compilable version `Safari-614.1.9`. It won't crash when receiving input don't conform to JavaScript language syntax.
2. The heap allocator of JavaScriptCore is modified to be deterministic.

# Reproduction
```bash
export WEBKIT_PATH="WEBKIT_PATH" # Modify this to your WebKit directory path
export AFL_PATH="AFL_PATH" # Modify this to your AFL directory path

# Git Clone
git clone https://github.com/WebKit/WebKit.git

# Switch version and patch
git checkout Safari-614.1.9
patch -p1 -i CVE-2020-9802-Safari-614.1.9.patch

# Static linking of JavaScriptCore
# Build for tracing
WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputTrace/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"
# Build for fuzzing
CC=$AFL_PATH/afl-gcc CXX=$AFL_PATH/afl-g++ WEBKIT_OUTPUTDIR=$WEBKIT_PATH/OutputFuzz/ Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DUSE_THIN_ARCHIVES=OFF"

# Deterministic Reproduction
./jsc --useConcurrentJIT=false PoC.js
```