Timestamp:
Jul 17, 2014, 9:34:16 PM
Author:
[email protected]
Message:

Need ability to fuzz exception throwing
https://bugs.webkit.org/show_bug.cgi?id=134945
<rdar://problem/17722027>

Reviewed by Sam Weinig.

Source/JavaScriptCore:
Adds the ability to instrument exception checks, and to force some random
exception check to artificially throw an exception. Also adds new tests that
are suitable for testing this. Note that this is closely tied to the Tools
directory changes that are also part of this changeset.

This also fixes an activation tear-off bug that arises if we ever throw an
exception from operationOptimize, or if, due to some other bug, it's only due
to the operationOptimize exception check that we realize that there is an
exception to be thrown.

  • dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::fastExceptionCheck):

  • ftl/FTLIntrinsicRepository.h:
  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::callCheck):

  • interpreter/Interpreter.cpp:

(JSC::unwindCallFrame):

  • jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitExceptionCheck): Deleted.

  • jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_enter):

  • jit/JITOperations.cpp:

(JSC::numberOfExceptionFuzzChecks):

  • jit/JITOperations.h:
  • jsc.cpp:

(jscmain):

  • runtime/Options.h:
  • runtime/TestRunnerUtils.h:
  • tests/exceptionFuzz.yaml: Added.
  • tests/exceptionFuzz: Added.
  • tests/exceptionFuzz/3d-cube.js: Added.
  • tests/exceptionFuzz/date-format-xparb.js: Added.
  • tests/exceptionFuzz/earley-boyer.js: Added.

Tools:
Adds a new script, js-exception-fuzz, which will run some jsc command-line using
exception fuzzing. This means that we will force exceptions to be thrown in random
places to see how the engine reacts. This is now integrated with the various test
drivers, so run-javascriptcore-tests will run some exception fuzzing tests by
default.

  • Scripts/jsc-stress-test-helpers/js-exception-fuzz: Added.

(fail):

  • Scripts/run-javascriptcore-tests:
  • Scripts/run-jsc-stress-tests:
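The mechanism the commit message describes, a counter on every exception check plus a target index at which one check is forced to report an exception, is small enough to show in isolation. The following is an added example, not WebKit code: a toy evaluator with a C++ `exceptionCheck()` hook standing in for the JIT's emitted check, a `fuzzExceptionChecks()` driver that does a dry run to count the checks and then re-runs the workload once per check index with the exception forced there, and a deliberately buggy unwinding path (`tearOffOnThrow = false`) that leaks the activation frame, which is the class of bug the message says this kind of fuzzing caught. All names and the 3-operation, depth-4 workload are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Fuzzing state shared by every exception check in the toy engine. Stands in for the
// check counter and the VM's exception slot; the field names are ours, not JSC's.
struct FuzzState {
    uint64_t checksSeen = 0;
    uint64_t targetCheck = 0;       // 0 disables fuzzing; N forces a throw at the Nth check
    bool exceptionPending = false;  // plays the role of the VM's pending-exception slot
};

// Every place the engine would test the exception slot goes through here, so the
// Nth check can be made to report an exception regardless of what the code did.
bool exceptionCheck(FuzzState& s) {
    ++s.checksSeen;
    if (s.targetCheck != 0 && s.checksSeen == s.targetCheck)
        s.exceptionPending = true;  // artificially injected exception
    return s.exceptionPending;
}

// Toy activation bookkeeping: each call pushes a frame id and must pop it on every exit.
// tearOffOnThrow == false models a tear-off bug: the frame is leaked on the throwing path.
static void runCall(FuzzState& s, std::vector<int>& frames, int depth, bool tearOffOnThrow) {
    frames.push_back(depth);
    for (int op = 0; op < 3; ++op) {
        if (exceptionCheck(s)) {             // each "operation" may throw
            if (tearOffOnThrow) frames.pop_back();
            return;
        }
        if (depth < 3) {
            runCall(s, frames, depth + 1, tearOffOnThrow);
            if (exceptionCheck(s)) {         // check after the callee returns
                if (tearOffOnThrow) frames.pop_back();
                return;
            }
        }
    }
    frames.pop_back();                       // normal return path
}

struct FuzzResult {
    uint64_t totalChecks;  // exception checks observed in the unfuzzed dry run
    uint64_t badRuns;      // fuzz runs that did not throw or left frames live
};

// Dry run to learn how many checks the workload performs, then one run per check index
// with the exception forced at that check; every run must throw and unwind to zero frames.
FuzzResult fuzzExceptionChecks(bool tearOffOnThrow) {
    FuzzState dry;
    std::vector<int> frames;
    runCall(dry, frames, 0, tearOffOnThrow);
    FuzzResult result{dry.checksSeen, 0};
    for (uint64_t target = 1; target <= result.totalChecks; ++target) {
        FuzzState s;
        s.targetCheck = target;
        frames.clear();
        runCall(s, frames, 0, tearOffOnThrow);
        if (!s.exceptionPending || !frames.empty())
            ++result.badRuns;
    }
    return result;
}

int main() {
    FuzzResult fixed = fuzzExceptionChecks(true);
    FuzzResult buggy = fuzzExceptionChecks(false);
    std::printf("checks=%llu fixed-bad=%llu buggy-bad=%llu\n",
                (unsigned long long)fixed.totalChecks,
                (unsigned long long)fixed.badRuns,
                (unsigned long long)buggy.badRuns);
    return fixed.badRuns == 0 ? 0 : 1;
}
```

The dry run is what makes the scheme deterministic: the workload performs the same sequence of checks every time, so iterating the target over 1..totalChecks exercises every throwing path exactly once, and a leaked frame shows up as a non-empty frame list at the end of that run rather than as a crash somewhere later.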
File:
1 edited

  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

    r168776 r171213  
    482482#endif
    483483   
     484    void callExceptionFuzz();
     485   
    484486    enum ExceptionCheckKind { NormalExceptionCheck, InvertedExceptionCheck };
    485     Jump emitExceptionCheck(ExceptionCheckKind kind = NormalExceptionCheck)
    486     {
    487 #if USE(JSVALUE64)
    488         return branchTest64(kind == NormalExceptionCheck ? NonZero : Zero, AbsoluteAddress(vm()->addressOfException()));
    489 #elif USE(JSVALUE32_64)
    490         return branch32(kind == NormalExceptionCheck ? NotEqual : Equal, AbsoluteAddress(reinterpret_cast<char*>(vm()->addressOfException()) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
    491 #endif
    492     }
     487    Jump emitExceptionCheck(ExceptionCheckKind kind = NormalExceptionCheck);
    493488
    494489#if ENABLE(SAMPLING_COUNTERS)
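Review bot: the new `void callExceptionFuzz();` declaration (line 484) carries no comment, and since `emitExceptionCheck` is moved out of line in the same hunk (line 487), the header no longer tells a reader what relationship the two have; a one-line comment stating that the fuzz hook is emitted before the exception slot is tested, and only when the fuzzing option is on, would save a trip to AssemblyHelpers.cpp. With the inline body gone, the header also no longer shows the `USE(JSVALUE64)` / `USE(JSVALUE32_64)` branches that implemented `InvertedExceptionCheck` as `NonZero`/`Zero` and `NotEqual`/`Equal` respectively; worth confirming the out-of-line version preserves both sense inversions for both value layouts.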