Ignore:
Timestamp:
Jun 2, 2021, 9:26:00 AM (4 years ago)
Author:
[email protected]
Message:

Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279

Source/JavaScriptCore:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::numberOfDFGCompiles):

  • jit/ExecutableAllocationFuzz.cpp:

(JSC::doExecutableAllocationFuzzing):

  • jsc.cpp:

(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

  • Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
  • Scripts/run-jsc-stress-tests:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r278351 r278356  
     12021-06-02  Keith Miller  <[email protected]>
     2
     3        Convert small JIT pool tests into executable fuzzing
     4        https://bugs.webkit.org/show_bug.cgi?id=226279
     5
     6        Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
     7        actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
     8        Instead of testing such a small pool we should just fuzz each executable allocation that says it
     9        can fail.
     10
     11        The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
     12        fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
     13        by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
     14        flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
     15
     16        Reviewed by Michael Saboff.
     17
     18        * bytecode/CodeBlock.cpp:
     19        (JSC::CodeBlock::numberOfDFGCompiles):
     20        * jit/ExecutableAllocationFuzz.cpp:
     21        (JSC::doExecutableAllocationFuzzing):
     22        * jsc.cpp:
     23        (runJSC):
     24
    1252021-06-02  Chris Dumez  <[email protected]>
    226
Note: See TracChangeset for help on using the changeset viewer.