Timestamp:
Jul 17, 2014, 9:34:16 PM (11 years ago)
Author:
[email protected]
Message:

Need ability to fuzz exception throwing
https://bugs.webkit.org/show_bug.cgi?id=134945
<rdar://problem/17722027>

Reviewed by Sam Weinig.

Source/JavaScriptCore:
Adds the ability to instrument exception checks, and to force some random
exception check to artificially throw an exception. Also adds new tests that
are suitable for testing this. Note that this is closely tied to the Tools
directory changes that are also part of this changeset.

This also fixes an activation tear-off bug that arises if we ever throw an
exception from operationOptimize, or if due to some other bug it's only due
to the operationOptimize exception check that we realize that there is an
exception to be thrown.

  • dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::fastExceptionCheck):

  • ftl/FTLIntrinsicRepository.h:
  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::callCheck):

  • interpreter/Interpreter.cpp:

(JSC::unwindCallFrame):

  • jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitExceptionCheck): Deleted.

  • jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_enter):

  • jit/JITOperations.cpp:

(JSC::numberOfExceptionFuzzChecks):

  • jit/JITOperations.h:
  • jsc.cpp:

(jscmain):

  • runtime/Options.h:
  • runtime/TestRunnerUtils.h:
  • tests/exceptionFuzz.yaml: Added.
  • tests/exceptionFuzz: Added.
  • tests/exceptionFuzz/3d-cube.js: Added.
  • tests/exceptionFuzz/date-format-xparb.js: Added.
  • tests/exceptionFuzz/earley-boyer.js: Added.

Tools:
Adds a new script, js-exception-fuzz, which will run some jsc command-line using
exception fuzzing. This means that we will force exceptions to be thrown in random
places to see how the engine reacts. This is now integrated with the various test
drivers, so run-javascriptcore-tests will run some exception fuzzing tests by
default.

  • Scripts/jsc-stress-test-helpers/js-exception-fuzz: Added.

(fail):

  • Scripts/run-javascriptcore-tests:
  • Scripts/run-jsc-stress-tests:
Location:
trunk/Source/JavaScriptCore/interpreter
Files:
2 edited

  • trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

    r170147 r171213  
    458458#endif
    459459        activation = callFrame->uncheckedActivation();
    460         if (activation)
    461             jsCast<JSActivation*>(activation)->tearOff(*scope->vm());
     460        // Protect against the activation not being created, or the variable still being
     461        // initialized to Undefined inside op_enter.
     462        if (activation && activation.isCell()) {
     463            JSActivation* activationObject = jsCast<JSActivation*>(activation);
     464            // Protect against throwing exceptions after tear-off.
     465            if (!activationObject->isTornOff())
     466                activationObject->tearOff(*scope->vm());
     467        }
    462468    }
    463469
    464470    if (codeBlock->codeType() == FunctionCode && codeBlock->usesArguments()) {
    465471        if (Arguments* arguments = visitor->existingArguments()) {
    466             if (activation)
     472            if (activation && activation.isCell())
    467473                arguments->didTearOffActivation(callFrame, jsCast<JSActivation*>(activation));
    468474#if ENABLE(DFG_JIT)
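Review bot: the `activation && activation.isCell()` guard and the `jsCast<JSActivation*>(activation)` cast now appear twice in this hunk (new lines 462 and 472), so the two conditions can drift apart on a later edit; hoisting `JSActivation* activationObject = nullptr;` above the first block and reusing it in the `arguments->didTearOffActivation(callFrame, activationObject)` call would give one check for both tear-off and the arguments notification. Minor: the `isTornOff()` guard on line 465 silently skips the second tear-off, which is the intended fix for the double-throw path described in the message, but an `ASSERT` or comment stating when a frame can already be torn off at this point would make that expectation checkable rather than implicit.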
  • trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp

    r164032 r171213  
    279279   
    280280    JSValue result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue();
    281     if (!result)
     281    if (!result || !result.isCell()) // Protect against Undefined in case we throw in op_enter.
    282282        return 0;
    283283    return jsCast<Arguments*>(result);
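Review bot: the comment on new line 281 explains the `!result.isCell()` half of the condition but not why `!result` is kept in front of it; a reader may take the first test as redundant. Suggest extending the comment to say which case each test covers, for example "empty register (never written) or Undefined written by op_enter before the exception", so the two tests are kept together deliberately and not collapsed in a later cleanup. The `jsCast<Arguments*>` on line 283 still relies on the register holding only an Arguments cell or one of those two values, which is consistent with the matching `isCell()` check added in Interpreter.cpp in this changeset.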