Ignore:
Timestamp:
Jul 14, 2021, 12:58:16 PM (4 years ago)
Author:
[email protected]
Message:

Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279

Source/JavaScriptCore:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::numberOfDFGCompiles):

  • jit/ExecutableAllocationFuzz.cpp:

(JSC::doExecutableAllocationFuzzing):

  • jsc.cpp:

(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

  • Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
  • Scripts/run-jsc-stress-tests:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

    r279126 r279916  
    4242ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
    4343{
     44    static WeakRandom random(Options::seedOfVMRandomForFuzzer() ? Options::seedOfVMRandomForFuzzer() : cryptographicallyRandomNumber());
     45
    4446    ASSERT(Options::useExecutableAllocationFuzz());
    4547
     
    6062    }
    6163   
    62     unsigned oldValue;
    63     unsigned newValue;
    64     do {
    65         oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
    66         newValue = oldValue + 1;
    67     } while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
    68    
    69     if (newValue == Options::fireExecutableAllocationFuzzAt()) {
     64    unsigned numChecks = s_numberOfExecutableAllocationFuzzChecks.value++;
     65
     66    if (numChecks == Options::fireExecutableAllocationFuzzAt()) {
    7067        if (Options::verboseExecutableAllocationFuzz()) {
    7168            dataLog("Will pretend to fail executable allocation.\n");
     
    7471        return PretendToFailExecutableAllocation;
    7572    }
    76    
     73
    7774    if (Options::fireExecutableAllocationFuzzAtOrAfter()
    78         && newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
     75        && numChecks >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
    7976        if (Options::verboseExecutableAllocationFuzz()) {
    8077            dataLog("Will pretend to fail executable allocation.\n");
     
    8279        }
    8380        return PretendToFailExecutableAllocation;
    84     }
     81    } else if (!Options::fireExecutableAllocationFuzzAt() && random.getUint32() < UINT_MAX * Options::randomIntegrityAuditRate())
     82        return PretendToFailExecutableAllocation;
    8583   
    8684    return AllowNormalExecutableAllocation;
Note: See TracChangeset for help on using the changeset viewer.