Script-language runtimes such as Python, Lua, and JavaScript are widely deployed in security-sensitive contexts, yet they remain difficult to test because valid inputs must satisfy syntax, dynamic type constraints, and object-level semantics. Existing grammar-based and reflection-based fuzzers improve syntactic validity and interface reachability, but they rarely model the override hooks, dynamic rebinding, and attribute-resolution behavior that can redirect built-in operations across the script-native boundary and trigger use-after-free or type-confusion bugs. We present OverrideFuzz, a two-phase, semantic-aware grammar fuzzer for script-language runtimes. Its declaration phase constructs objects with overriding methods, while its execution phase generates operations that route through those hooks. Active reflection tracks runtime types, and passive reflection learns from error messages to remove invalid operation shapes, allowing generation to approach semantic correctness without manual API specification. We evaluate OverrideFuzz on CPython, Lua, and QuickJS. All three targets show consistent coverage growth, with rapid early expansion followed by slower incremental gains, and Lua benefits most from its pervasive metamethod dispatch mechanism. Although OverrideFuzz did not discover novel vulnerabilities during the bounded evaluation period, corpus analysis shows that it reconstructs inputs matching known vulnerability patterns, which suggests that semantic-aware generation reaches the intended script-native boundary behaviors.
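The two-phase design and the two reflection modes described above, condensed into a runnable sketch. This is an added illustration written for this page, not OverrideFuzz's own code: the hook set (`HOOK_BODIES`), the operation shapes (`OP_SHAPES`), the function names `build_class`, `declare_object` and `fuzz`, and the choice of Python dunder methods as the "overriding methods" are all assumptions made for the example. The declaration phase builds classes that override a random subset of hooks; the execution phase emits operations (including one that rebinds a hook at runtime) that dispatch through them; active reflection keys each operation shape by the runtime types of its operands, and passive reflection drops a shape from future generation once the interpreter rejects it.

```python
import random

# Hook bodies the declaration phase may install on a generated class (assumed set).
# Each returns a value of the kind the interpreter expects from that hook.
HOOK_BODIES = {
    "__add__": lambda self, other: "added",
    "__len__": lambda self: 2,
    "__index__": lambda self: 1,
    "__getattr__": lambda self, name: name.upper(),
    "__iter__": lambda self: iter((1, 2)),
    "__bool__": lambda self: False,
}

# Operation shapes the execution phase can emit (assumed set). Every shape takes two
# operands; unary shapes ignore the second. "rebind" mutates a hook at runtime, which is
# the dynamic-rebinding behaviour the abstract singles out.
OP_SHAPES = {
    "add": lambda a, b: a + b,
    "len": lambda a, b: len(a),
    "subscript": lambda a, b: [10, 20, 30][a],        # routes through __index__
    "getattr": lambda a, b: getattr(a, "dynamic_name"),  # routes through __getattr__
    "unpack": lambda a, b: list(a),                     # routes through __iter__
    "truth": lambda a, b: bool(a),                      # routes through __bool__/__len__
    "rebind": lambda a, b: setattr(type(a), "__len__", lambda self: 0),
}

# Native operands mixed into the pool so hooks meet built-in types at the boundary.
PRIMITIVES = [3, "s", [1, 2], None]


def build_class(name, hooks):
    """Build one class that overrides exactly the named hooks."""
    return type(name, (object,), {h: HOOK_BODIES[h] for h in hooks})


def declare_object(rng, name):
    """Declaration phase: instantiate a class overriding a random non-empty hook subset."""
    hooks = sorted(rng.sample(list(HOOK_BODIES), k=rng.randint(1, len(HOOK_BODIES))))
    return build_class(name, hooks)()


def shape_of(op, a, b):
    """Active reflection: identify an operation by the runtime types it was applied to."""
    return (op, type(a).__name__, type(b).__name__)


def fuzz(seed=0, n_objects=3, n_ops=200):
    """Execution phase driven by a seeded RNG so a run is reproducible."""
    rng = random.Random(seed)
    pool = [declare_object(rng, f"Gen{i}") for i in range(n_objects)] + PRIMITIVES
    pruned = set()   # passive reflection: shapes the interpreter rejected
    executed = skipped = 0
    result_types = set()
    for _ in range(n_ops):
        op = rng.choice(list(OP_SHAPES))
        a, b = rng.choice(pool), rng.choice(pool)
        shape = shape_of(op, a, b)
        if shape in pruned:          # learned to be invalid: do not regenerate it
            skipped += 1
            continue
        try:
            result = OP_SHAPES[op](a, b)
        except (TypeError, IndexError, AttributeError):
            pruned.add(shape)        # learn from the error, prune the shape
            continue
        executed += 1
        result_types.add(type(result).__name__)
    return {
        "executed": executed,
        "skipped": skipped,
        "pruned": sorted(pruned),
        "result_types": sorted(result_types),
    }


if __name__ == "__main__":
    summary = fuzz(seed=3)
    print(summary["executed"], "executed;", len(summary["pruned"]), "shapes pruned")
    for shape in summary["pruned"]:
        print("pruned:", shape)
```

Because pruning is keyed on static type names, a shape rejected before a `rebind` op installs the missing hook stays pruned even though it would now succeed; a full implementation would re-key shapes on the hook set actually present at run time, which is what tracking runtime types in the active reflection step is for.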