Changeset 278356 in webkit

Timestamp:

Jun 2, 2021, 9:26:00 AM (4 years ago)

Author:

[email protected]

Message:

Convert small JIT pool tests into executable fuzzing
​https://bugs.webkit.org/show_bug.cgi?id=226279

Source/JavaScriptCore:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::numberOfDFGCompiles):

• jit/ExecutableAllocationFuzz.cpp:

(JSC::doExecutableAllocationFuzzing):

• jsc.cpp:

(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

• Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
• Scripts/run-jsc-stress-tests:

Location:

trunk

Files:

• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz (modified) (1 diff)
• Tools/Scripts/run-jsc-stress-tests (modified) (6 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-06-02  Keith Miller  <[email protected]>
+
+        Convert small JIT pool tests into executable fuzzing
+        https://bugs.webkit.org/show_bug.cgi?id=226279
+
+        Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
+        actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
+        Instead of testing such a small pool we should just fuzz each executable allocation that says it
+        can fail.
+
+        The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
+        fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
+        by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
+        flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
+
+        Reviewed by Michael Saboff.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::numberOfDFGCompiles):
+        * jit/ExecutableAllocationFuzz.cpp:
+        (JSC::doExecutableAllocationFuzzing):
+        * jsc.cpp:
+        (runJSC):
+
 2021-06-02  Chris Dumez  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -2482 +2482 @@
 {
     ASSERT(JITCode::isBaselineCode(jitType()));
+
+    // FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276
+    if (Options::useExecutableAllocationFuzz())
+        return 1000000;
     if (Options::testTheFTL()) {
         if (m_didFailFTLCompilation)

trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

@@ -30 +30 @@
 #include <wtf/Atomics.h>
 #include <wtf/DataLog.h>
+#include <wtf/WeakRandom.h>
 
 namespace JSC {
@@ -41 +42 @@
 ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
 {
+    static WeakRandom random(Options::seedOfVMRandomForFuzzer() ? Options::seedOfVMRandomForFuzzer() : cryptographicallyRandomNumber());
+
     ASSERT(Options::useExecutableAllocationFuzz());
     
-    unsigned oldValue;
-    unsigned newValue;
-    do {
-        oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
-        newValue = oldValue + 1;
-    } while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
-    
-    if (newValue == Options::fireExecutableAllocationFuzzAt()) {
+    unsigned numChecks = s_numberOfExecutableAllocationFuzzChecks.value++;
+
+    if (numChecks == Options::fireExecutableAllocationFuzzAt()) {
         if (Options::verboseExecutableAllocationFuzz()) {
             dataLog("Will pretend to fail executable allocation.\n");
@@ -57 +55 @@
         return PretendToFailExecutableAllocation;
     }
-    
+
     if (Options::fireExecutableAllocationFuzzAtOrAfter()
-        && newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
+        && numChecks >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
         if (Options::verboseExecutableAllocationFuzz()) {
             dataLog("Will pretend to fail executable allocation.\n");
@@ -65 +63 @@
         }
         return PretendToFailExecutableAllocation;
-    }
+    } else if (!Options::fireExecutableAllocationFuzzAt() && random.getUint32() < UINT_MAX * Options::randomIntegrityAuditRate())
+        return PretendToFailExecutableAllocation;
     
     return AllowNormalExecutableAllocation;

trunk/Source/JavaScriptCore/jsc.cpp

@@ -3490 +3490 @@
         if (Options::useExceptionFuzz())
             printf("JSC EXCEPTION FUZZ: encountered %u checks.\n", numberOfExceptionFuzzChecks());
-        bool fireAtEnabled =
-        Options::fireExecutableAllocationFuzzAt() || Options::fireExecutableAllocationFuzzAtOrAfter();
-        if (Options::useExecutableAllocationFuzz() && (!fireAtEnabled || Options::verboseExecutableAllocationFuzz()))
+        if (Options::useExecutableAllocationFuzz() && Options::verboseExecutableAllocationFuzz())
             printf("JSC EXECUTABLE ALLOCATION FUZZ: encountered %u checks.\n", numberOfExecutableAllocationFuzzChecks());
         if (Options::useOSRExitFuzz() && Options::verboseOSRExitFuzz()) {

trunk/Tools/ChangeLog

@@ +1 @@
+2021-06-02  Keith Miller  <[email protected]>
+
+        Convert small JIT pool tests into executable fuzzing
+        https://bugs.webkit.org/show_bug.cgi?id=226279
+
+        Reviewed by Michael Saboff.
+
+        Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
+        actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
+        Instead of testing such a small pool we should just fuzz each executable allocation that says it
+        can fail.
+
+        The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
+        fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
+        by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
+        flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
+
+        * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
+        * Scripts/run-jsc-stress-tests:
+
 2021-06-02  Jonathan Bedard  <[email protected]>
 

trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz

@@ -70 +70 @@
 }
 
-open (my $testInput, "$commandString --useExecutableAllocationFuzz=true |") or fail("Cannot execute initial command when getting check count");
+open (my $testInput, "$commandString --useExecutableAllocationFuzz=true --verboseExecutableAllocationFuzz=true |") or fail("Cannot execute initial command when getting check count");
 while (my $inputLine = <$testInput>) {
     chomp($inputLine);

trunk/Tools/Scripts/run-jsc-stress-tests

@@ -190 +190 @@
     puts "                            no-cjit-validate-phases, no-cjit-collect-continuously, dfg-eager"
     puts "                            and for FTL platforms: no-ftl, ftl-eager-no-cjit and"
-    puts "                            ftl-no-cjit-small-pool."
+    puts "                            ftl-no-cjit-fuzz."
     exit 1
 end
@@ -852 +852 @@
 end
 
-def runFTLNoCJITSmallPool(*optionalTestSpecificOptions)
-    run("ftl-no-cjit-small-pool", "--jitMemoryReservationSize=102400", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
+def runFTLNoCJITFuzz(*optionalTestSpecificOptions)
+    run("ftl-no-cjit-fuzz", "--useExecutableAllocationFuzz=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
 end
 
@@ -898 +898 @@
             runFTLEager
             runFTLEagerNoCJITValidate
-            runFTLNoCJITSmallPool
+            runFTLNoCJITFuzz
 
             return if $mode == "basic"
@@ -929 +929 @@
             runNoFTL
             runFTLNoCJITValidate
-            runFTLNoCJITSmallPool
+            runFTLNoCJITFuzz
 
             return if $mode == "basic"
@@ -1009 +1009 @@
         runFTLEager
         runFTLEagerNoCJITValidate
-        runFTLNoCJITSmallPool
+        runFTLNoCJITFuzz
     end
 end
@@ -1161 +1161 @@
     run("ftl-eager-modules", "-m", *(FTL_OPTIONS + EAGER_OPTIONS))
     run("ftl-eager-no-cjit-modules", "-m", "--validateGraph=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS))
-    run("ftl-no-cjit-small-pool-modules", "-m", "--jitMemoryReservationSize=102400", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
+    run("ftl-no-cjit-fuzz-modules", "-m", "--useExecutableAllocationFuzz=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
 end