Changeset 278356 in webkit for trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

Timestamp:

Jun 2, 2021, 9:26:00 AM (4 years ago)

Author:

[email protected]

Message:

Convert small JIT pool tests into executable fuzzing
​https://bugs.webkit.org/show_bug.cgi?id=226279

Source/JavaScriptCore:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::numberOfDFGCompiles):

• jit/ExecutableAllocationFuzz.cpp:

(JSC::doExecutableAllocationFuzzing):

• jsc.cpp:

(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

• Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
• Scripts/run-jsc-stress-tests:

File:

• trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

@@ -30 +30 @@
 #include <wtf/Atomics.h>
 #include <wtf/DataLog.h>
+#include <wtf/WeakRandom.h>
 
 namespace JSC {
@@ -41 +42 @@
 ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
 {
+    static WeakRandom random(Options::seedOfVMRandomForFuzzer() ? Options::seedOfVMRandomForFuzzer() : cryptographicallyRandomNumber());
+
     ASSERT(Options::useExecutableAllocationFuzz());
     
-    unsigned oldValue;
-    unsigned newValue;
-    do {
-        oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
-        newValue = oldValue + 1;
-    } while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
-    
-    if (newValue == Options::fireExecutableAllocationFuzzAt()) {
+    unsigned numChecks = s_numberOfExecutableAllocationFuzzChecks.value++;
+
+    if (numChecks == Options::fireExecutableAllocationFuzzAt()) {
         if (Options::verboseExecutableAllocationFuzz()) {
             dataLog("Will pretend to fail executable allocation.\n");
@@ -57 +55 @@
         return PretendToFailExecutableAllocation;
     }
-    
+
     if (Options::fireExecutableAllocationFuzzAtOrAfter()
-        && newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
+        && numChecks >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
         if (Options::verboseExecutableAllocationFuzz()) {
             dataLog("Will pretend to fail executable allocation.\n");
@@ -65 +63 @@
         }
         return PretendToFailExecutableAllocation;
-    }
+    } else if (!Options::fireExecutableAllocationFuzzAt() && random.getUint32() < UINT_MAX * Options::randomIntegrityAuditRate())
+        return PretendToFailExecutableAllocation;
     
     return AllowNormalExecutableAllocation;