Timestamp:
Jun 22, 2021, 10:48:42 AM (4 years ago)
Author:
[email protected]
Message:

jitCompileAndSetHeuristics shouldn't return true when we fail to compile
https://bugs.webkit.org/show_bug.cgi?id=227155

Reviewed by Tadeu Zagallo.

JSTests:

  • microbenchmarks/interpreter-wasm.js:
  • microbenchmarks/memcpy-wasm-large.js:
  • microbenchmarks/memcpy-wasm-medium.js:
  • microbenchmarks/memcpy-wasm-small.js:
  • microbenchmarks/memcpy-wasm.js:
  • stress/wasm-error-message-cross-threads.js:

Source/JavaScriptCore:

jitCompileAndSetHeuristics should only return true when we've successfully
compiled a baseline JIT CodeBlock. However, with the rewrite to using a
unified JIT worklist, the code was changed to returning true when a
compilation finished, regardless of it being successful or not. This patch
fixes that error.

This bug was found by our existing executable allocation fuzzer, but at a low
hit rate. That fuzzer only ran a single test case. This patch also introduces
a new form of the executable fuzzer where we fail to allocate JIT code
randomly, and the crash manifests more reliably. And this patch also hooks
the new fuzzer into more JSC stress tests.

  • dfg/DFGLICMPhase.cpp:
    (JSC::DFG::LICMPhase::run):
  • jit/ExecutableAllocationFuzz.cpp:
    (JSC::doExecutableAllocationFuzzing):
  • jsc.cpp:
    (runJSC):
  • llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::jitCompileAndSetHeuristics):
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
  • runtime/OptionsList.h:

Source/WTF:

  • wtf/WeakRandom.h:

Tools:

  • Scripts/run-jsc-stress-tests:
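The two ideas in the commit message, a compile step whose "finished" status was being reported as success, and a fuzzer that makes executable allocation fail at random so the failure path is actually exercised, can be shown in a small self-contained model. The example below is added here and is not WebKit's code: `CodeBlock`, `compileBaseline`, `dispatch`, `countCrashes` and the `FuzzRandom` generator standing in for `WTF::WeakRandom` are all assumptions made for illustration. It contrasts the buggy return-value shape with the fixed one under a seeded random-failure allocator.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <optional>

// Minimal stand-in for a compiled CodeBlock (assumption, not JSC's type).
struct CodeBlock { int tier; };

// Hypothetical allocator hook: returns false when executable memory is "unavailable".
using Allocator = std::function<bool()>;
using CompileFn = bool (*)(Allocator&, std::optional<CodeBlock>&);

// Small seeded xorshift64 generator standing in for WTF::WeakRandom (assumption:
// an explicit seed is taken so a random fuzz run can be replayed).
struct FuzzRandom {
    uint64_t state;
    explicit FuzzRandom(uint64_t seed) : state(seed ? seed : 0x9E3779B97F4A7C15ULL) {}
    uint64_t next() { state ^= state << 13; state ^= state >> 7; state ^= state << 17; return state; }
    // True with probability approximately p, for p in [0, 1].
    bool returnTrueWithProbability(double p) {
        double u = static_cast<double>(next() >> 11) * (1.0 / 9007199254740992.0); // uniform in [0, 1)
        return u < p;
    }
};

// Model compile step: a CodeBlock exists only if the allocator succeeded.
std::optional<CodeBlock> compileBaseline(Allocator& allocateExecutable) {
    if (!allocateExecutable())
        return std::nullopt;
    return CodeBlock { 1 };
}

// Buggy shape: reports "compilation finished" as success, even when it failed.
bool jitCompileAndSetHeuristicsBuggy(Allocator& alloc, std::optional<CodeBlock>& out) {
    out = compileBaseline(alloc);
    bool finished = true; // the worklist is done in both outcomes
    return finished;
}

// Fixed shape: success means a baseline CodeBlock actually exists.
bool jitCompileAndSetHeuristicsFixed(Allocator& alloc, std::optional<CodeBlock>& out) {
    out = compileBaseline(alloc);
    return out.has_value();
}

// Caller pattern: on true, enter the JIT code; on false, stay in the interpreter.
// Returns the executed tier, -1 for "stayed in the interpreter", or -2 for
// "entered non-existent JIT code" (a crash in a real engine).
int dispatch(CompileFn compile, Allocator& alloc) {
    std::optional<CodeBlock> codeBlock;
    if (compile(alloc, codeBlock)) {
        if (!codeBlock)
            return -2;
        return codeBlock->tier;
    }
    return -1;
}

// Runs `iterations` dispatches with allocation failing at probability `failProb`
// (driven by the seeded generator) and returns how many would have crashed.
int countCrashes(CompileFn compile, double failProb, uint64_t seed, int iterations) {
    FuzzRandom rng(seed);
    Allocator alloc = [&]() { return !rng.returnTrueWithProbability(failProb); };
    int crashes = 0;
    for (int i = 0; i < iterations; ++i) {
        if (dispatch(compile, alloc) == -2)
            ++crashes;
    }
    return crashes;
}

int main() {
    std::printf("buggy, 30%% allocation failures: %d crashes\n",
                countCrashes(jitCompileAndSetHeuristicsBuggy, 0.3, 1, 1000));
    std::printf("fixed, 30%% allocation failures: %d crashes\n",
                countCrashes(jitCompileAndSetHeuristicsFixed, 0.3, 1, 1000));
    return 0;
}
```

The point of the seed parameter is the one a fuzzing harness needs in practice: a crash found by probabilistic allocation failure is only useful if the same sequence of decisions can be replayed, so the generator is seeded explicitly rather than from an unrecorded default.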
File:
1 edited

  • trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

    r278425 r279126  
    3030#include <wtf/Atomics.h>
    3131#include <wtf/DataLog.h>
     32#include <wtf/WeakRandom.h>
    3233
    3334namespace JSC {
     
    4243{
    4344    ASSERT(Options::useExecutableAllocationFuzz());
     45
     46    if (Options::fireExecutableAllocationFuzzRandomly()) {
     47        static LazyNeverDestroyed<WeakRandom> random;
     48        static std::once_flag once;
     49        std::call_once(once, [] () {
     50            random.construct();
     51        });
     52
     53        static Lock fuzzingLock;
     54        Locker locker { fuzzingLock };
     55       
     56        if (random->returnTrueWithProbability(Options::fireExecutableAllocationFuzzRandomlyProbability()))
     57            return PretendToFailExecutableAllocation;
     58
     59        return AllowNormalExecutableAllocation;
     60    }
    4461   
    4562    unsigned oldValue;
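Review bot: the random-failure mode is not reproducible from a test run: `random.construct();` on line 50 builds the WeakRandom with its default seed and nothing in this hunk records or logs that seed, so a crash surfaced under `fireExecutableAllocationFuzzRandomly` cannot be replayed with the same sequence of decisions. Consider taking the seed from an option (or logging it at construction) so a failing stress test can be re-run deterministically. Also, because both branches inside the `if` return, the counter-based path below (`oldValue`) never runs when the randomly option is set; a one-line comment stating that the two modes are mutually exclusive would make that intent explicit. Minor: the added blank line 55 carries trailing whitespace.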