Model-based deterministic fuzzer that reads Flutter Engine source, formalizes its rendering pipeline as a state machine,
and explores interleavings and event combinations across UI/Raster/IO threads.
Detects phase re-entry, scheduling, and frame pipeline violations automatically under a reproducible harness.
Includes Shrinker, Diff-fuzz, and Coverage metrics for regression-proof engine validation.

Flutter Engine runs a multi-threaded rendering pipeline (UI / Raster / IO) with asynchronous scheduling.
Tiny shifts in timing or overlapping events can trigger subtle, hard-to-reproduce bugs — for example,
flutter/flutter#104798,
where an unexpected scheduling overlap between frame submission and layout invalidation caused inconsistent rendering.
Traditional parameter fuzzing cannot reveal these phase-level violations,
because they depend on interleavings and event ordering, not value ranges.
We built a deterministic, model-based fuzzer that systematically explores this interaction space —
verifying the engine’s phase safety, scheduling invariants, and frame pipeline correctness directly from source code.
- Source-based state model from engine internals (SchedulerBinding, PipelineOwner, Rasterizer)
- Deterministic harness: fake clock, per-thread queue control, replayable events
- Model-based fuzzing: explore valid phase transitions systematically
- Multi-layer oracles: phase guards, consistency, performance checks
- Diff-fuzz & Shrinker: detect regressions and auto-minimize reproductions
/engine-model → SPEC.md / SPEC.json (state machine & invariants)
/harness → det_harness.dart (time/thread/input control)
/fuzzer → model_fuzzer.dart, shrinker.py, diff_runner.dart
/oracles → phase_guard.dart, consistency_checks.dart
/coverage → coverage_counters.dart, CoverageReport.md
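
How schedule exploration, a phase-guard oracle and a shrinker fit together, as an added toy example that is not this project's code. The event names, phases and the invariant ("layout must not be invalidated between layout and submit") are assumptions made for illustration and are not taken from the Flutter Engine or from SPEC.json.

```python
# Toy model (constructed): events, phases and the invariant are assumptions,
# not taken from the Flutter Engine. The IO event is assumed to invalidate layout.
QUEUES = {"ui": ["begin_frame", "layout", "paint", "submit"],
          "raster": ["rasterize"], "io": ["image_decoded"]}
# event -> (phase it requires, phase it leads to)
TRANSITIONS = {
    "begin_frame": ("idle", "building"),
    "layout": ("building", "laid_out"),
    "paint": ("laid_out", "painted"),
    "submit": ("painted", "submitted"),
    "rasterize": ("submitted", "idle"),
}

def interleavings(queues):
    """Yield every schedule that keeps each thread's own event order."""
    if not any(queues.values()):
        yield []
        return
    for name in sorted(queues):  # sorted: same exploration order on every run
        if queues[name]:
            rest = {**queues, name: queues[name][1:]}
            for tail in interleavings(rest):
                yield [(name, queues[name][0])] + tail

def check(schedule):
    """Phase-guard oracle: return a violation message, or None if clean."""
    phase = "idle"
    for _thread, event in schedule:
        if event == "image_decoded":
            if phase in ("laid_out", "painted"):
                return f"layout invalidated in phase {phase!r}"
        elif phase == TRANSITIONS[event][0]:  # not-enabled events are no-ops here
            phase = TRANSITIONS[event][1]
    return None

def shrink(schedule):
    """Greedy minimizer: drop one event at a time while the oracle still fires."""
    i = 0
    while i < len(schedule):
        candidate = schedule[:i] + schedule[i + 1:]
        if check(candidate):
            schedule = candidate
        else:
            i += 1
    return schedule

def fuzz(queues=QUEUES):
    return [s for s in interleavings(queues) if check(s)]
```

With these queues the explorer visits 30 schedules, and every violating one shrinks to the same three-event reproduction.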