Timestamp:
Jul 8, 2020, 9:42:54 AM
Author:
[email protected]
Message:

Add a way to return early from detected infinite loops to aid the fuzzer
https://bugs.webkit.org/show_bug.cgi?id=214067

Reviewed by Yusuke Suzuki.

It's useful for the fuzzer to not get stuck in infinite loops so its
test cases can make forward progress trying to find bugs. This patch
adds a new mechanism where we can early return if we've exceeded a total
execution count for a static loop in bytecode. Note: this is not on a
per-frame basis, but it's a way to implement this in a non-invasive way
which is also practical for the fuzzer to use.

  • b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:

(JSC::B3::Air::GenerateAndAllocateRegisters::generate):

  • b3/air/AirCode.cpp:

(JSC::B3::Air::Code::emitEpilogue):

  • b3/air/AirCode.h:
  • b3/air/AirGenerate.cpp:

(JSC::B3::Air::generateWithAlreadyAllocatedRegisters):

  • bytecode/BytecodeList.rb:
  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):

  • dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):

  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_loop_hint):

  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

  • llint/LowLevelInterpreter32_64.asm:
  • llint/LowLevelInterpreter64.asm:
  • offlineasm/mips.rb:
  • runtime/OptionsList.h:
  • runtime/VM.cpp:

(JSC::VM::addLoopHintExecutionCounter):
(JSC::VM::getLoopHintExecutionCounter):
(JSC::VM::removeLoopHintExecutionCounter):

  • runtime/VM.h:
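The commit message describes a budget that is attached to the static loop (the loop_hint in bytecode) rather than to a particular frame. The following is an added illustration written for this page in Ruby, the language of the file changed below; it is not JavaScriptCore code. `LoopHintCounters`, `run_loop` and the offset value `7` are assumptions made for the example.

```ruby
# Added illustration, not JavaScriptCore code: a toy model of the loop-hint
# execution counter described in the commit message. Counts are keyed by the
# static loop (modelled as the bytecode offset of its loop_hint) and shared by
# every activation of the function, so the budget is not per frame.
class LoopHintCounters
  def initialize(limit)
    @limit = limit            # total executions allowed per static loop
    @counts = Hash.new(0)     # loop_hint bytecode offset => executions so far
  end

  # Called each time a loop_hint executes; true once the budget is exhausted.
  def exceeded?(offset)
    @counts[offset] += 1
    @counts[offset] > @limit
  end

  def count(offset)
    @counts[offset]
  end
end

# Assumed bytecode offset of the single loop_hint in the toy function below.
LOOP_HINT_OFFSET = 7

# Toy function with one loop: run `iterations` iterations, then call itself
# `depth` more times. Returns [iterations completed across all frames, status]
# where status is :ok or :early_return.
def run_loop(counters, iterations, depth, done = 0)
  iterations.times do
    # Every frame, including recursive ones, bumps the same static counter.
    return [done, :early_return] if counters.exceeded?(LOOP_HINT_OFFSET)
    done += 1
  end
  return [done, :ok] if depth.zero?
  run_loop(counters, iterations, depth - 1, done)
end

if __FILE__ == $PROGRAM_NAME
  # Three frames x 10 iterations = 30 loop_hint executions against a budget of 25.
  counters = LoopHintCounters.new(25)
  p run_loop(counters, 10, 2)          # => [25, :early_return]
  p counters.count(LOOP_HINT_OFFSET)   # => 26 (the check that tripped is counted too)
end
```

The point of the recursion in `run_loop` is that the inner frames never get a fresh budget: once the shared count crosses the limit, the innermost frame returns early and the result propagates out, which is the non-per-frame behaviour the message calls out.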
  • trunk/Source/JavaScriptCore/offlineasm/mips.rb

    r260310 r264105  
    685685            # and we should name it properly.
    686686            # https://bugs.webkit.org/show_bug.cgi?id=208236
    687             if node.name =~ /^.*_return_location(?:_(?:wide16|wide32))?$/ or node.name.start_with?("_checkpoint_osr_exit_from_inlined_call_trampoline")
     687            if node.name =~ /^.*_return_location(?:_(?:wide16|wide32))?$/ or node.name.start_with?("_checkpoint_osr_exit_from_inlined_call_trampoline") or node.name.start_with?("_fuzzer_return_early_from_loop_hint")
    688688                # We need to have a special case for return location labels because they are always
    689689                # reached from a `ret` instruction. In this case, we need to proper reconfigure `$gp`
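Review bot: the comment right below the changed condition still only justifies the special case for return-location labels ("always reached from a `ret` instruction", hence the `$gp` reconfiguration), so a reader meets `_fuzzer_return_early_from_loop_hint` in the condition without being told why it needs the same treatment; if that label is likewise entered via `ret`, say so in the comment alongside the existing bug link. The condition is also now three disjuncts on one line, and the two `start_with?` checks are prefix matches rather than the anchored pattern used for `_return_location`, so any longer label sharing the prefix will match too; consider hoisting the prefixes into a list, e.g. `%w[_checkpoint_osr_exit_from_inlined_call_trampoline _fuzzer_return_early_from_loop_hint].any? { |p| node.name.start_with?(p) }`, which keeps the intent readable and makes the next addition a one-token change.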