
Commit e091065

Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279

Source/JavaScriptCore:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::numberOfDFGCompiles):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
* Scripts/run-jsc-stress-tests:

Canonical link: https://commits.webkit.org/239665@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279916 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 8dbae6a commit e091065

6 files changed

Lines changed: 65 additions & 19 deletions


Source/JavaScriptCore/ChangeLog

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,27 @@
1+
2021-07-14 Keith Miller <keith_miller@apple.com>
2+
3+
Convert small JIT pool tests into executable fuzzing
4+
https://bugs.webkit.org/show_bug.cgi?id=226279
5+
6+
Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
7+
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
8+
Instead of testing such a small pool we should just fuzz each executable allocation that says it
9+
can fail.
10+
11+
The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
12+
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
13+
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
14+
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
15+
16+
Reviewed by Michael Saboff.
17+
18+
* bytecode/CodeBlock.cpp:
19+
(JSC::CodeBlock::numberOfDFGCompiles):
20+
* jit/ExecutableAllocationFuzz.cpp:
21+
(JSC::doExecutableAllocationFuzzing):
22+
* jsc.cpp:
23+
(runJSC):
24+
125
2021-07-14 Mark Lam <mark.lam@apple.com>
226

327
Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().

Source/JavaScriptCore/bytecode/CodeBlock.cpp

Lines changed: 4 additions & 0 deletions
@@ -2481,6 +2481,10 @@ void CodeBlock::countReoptimization()
24812481
unsigned CodeBlock::numberOfDFGCompiles()
24822482
{
24832483
ASSERT(JITCode::isBaselineCode(jitType()));
2484+
2485+
// FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276
2486+
if (Options::useExecutableAllocationFuzz())
2487+
return 1000000;
24842488
if (Options::testTheFTL()) {
24852489
if (m_didFailFTLCompilation)
24862490
return 1000000;
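Review bot: the new early return at lines 2486-2487 hard-codes 1000000, the same sentinel the existing `testTheFTL()` path returns two lines further down; a named constant shared by both returns would make the intent (an effectively unbounded compile budget) explicit. The FIXME should also spell out the consequence visible here: once the fuzzer is enabled every caller of numberOfDFGCompiles() gets the sentinel immediately, so tests that loop until a DFG compile count is reached stop exercising the engine under fuzzing, which is what the commit message means by "those tests will just exit early".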

Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

Lines changed: 9 additions & 11 deletions
@@ -41,6 +41,8 @@ unsigned numberOfExecutableAllocationFuzzChecks()
4141

4242
ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
4343
{
44+
static WeakRandom random(Options::seedOfVMRandomForFuzzer() ? Options::seedOfVMRandomForFuzzer() : cryptographicallyRandomNumber());
45+
4446
ASSERT(Options::useExecutableAllocationFuzz());
4547

4648
if (Options::fireExecutableAllocationFuzzRandomly()) {
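Review bot: the seed picked at line 44 is never reported in this hunk. When seedOfVMRandomForFuzzer() is 0 the function-local static is seeded from cryptographicallyRandomNumber() on the first call, so a crash reached through the random path cannot be replayed unless the effective seed is printed somewhere else (the ChangeLog lists jsc.cpp/runJSC, but that file is not part of the diff shown here). Suggest a dataLog of the seed actually used, under verboseExecutableAllocationFuzz(), or a comment next to this line pointing at where it is logged, so the repro command the commit message describes can be reconstructed from bot output.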
@@ -59,29 +61,25 @@ ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
5961
return AllowNormalExecutableAllocation;
6062
}
6163

62-
unsigned oldValue;
63-
unsigned newValue;
64-
do {
65-
oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
66-
newValue = oldValue + 1;
67-
} while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
68-
69-
if (newValue == Options::fireExecutableAllocationFuzzAt()) {
64+
unsigned numChecks = s_numberOfExecutableAllocationFuzzChecks.value++;
65+
66+
if (numChecks == Options::fireExecutableAllocationFuzzAt()) {
7067
if (Options::verboseExecutableAllocationFuzz()) {
7168
dataLog("Will pretend to fail executable allocation.\n");
7269
WTFReportBacktrace();
7370
}
7471
return PretendToFailExecutableAllocation;
7572
}
76-
73+
7774
if (Options::fireExecutableAllocationFuzzAtOrAfter()
78-
&& newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
75+
&& numChecks >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
7976
if (Options::verboseExecutableAllocationFuzz()) {
8077
dataLog("Will pretend to fail executable allocation.\n");
8178
WTFReportBacktrace();
8279
}
8380
return PretendToFailExecutableAllocation;
84-
}
81+
} else if (!Options::fireExecutableAllocationFuzzAt() && random.getUint32() < UINT_MAX * Options::randomIntegrityAuditRate())
82+
return PretendToFailExecutableAllocation;
8583

8684
return AllowNormalExecutableAllocation;
8785
}
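Review bot: line 64 replaces the compareExchangeWeak loop with `s_numberOfExecutableAllocationFuzzChecks.value++`, a plain read-modify-write on the Atomic's underlying storage rather than an atomic increment; the CAS loop existed because the counter is shared, so concurrent checks can now lose counts and the check numbers the harness records from a verbose run may not match the ones it replays. Prefer an atomic fetch-add here (WTF::Atomic::exchangeAdd). Separately, the old code compared `newValue` (the count after the increment, so the first check is 1) whereas `numChecks` is the value before the increment (the first check is 0), so `--fireExecutableAllocationFuzzAt=N` now fires one check later than it used to; if that is intended the js-executable-allocation-fuzz harness must agree, otherwise use `exchangeAdd(1) + 1`. Finally, the new `else if` at line 81 keys the random failure rate off `randomIntegrityAuditRate()`, an option named for a different feature, and it hangs off the `fireExecutableAllocationFuzzAtOrAfter()` branch, so the random path is also taken when that threshold is configured but not yet reached; a dedicated rate option and a standalone `if` would make the intended precedence clearer.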

Tools/ChangeLog

Lines changed: 20 additions & 0 deletions
@@ -1,3 +1,23 @@
1+
2021-07-14 Keith Miller <keith_miller@apple.com>
2+
3+
Convert small JIT pool tests into executable fuzzing
4+
https://bugs.webkit.org/show_bug.cgi?id=226279
5+
6+
Reviewed by Michael Saboff.
7+
8+
Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
9+
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
10+
Instead of testing such a small pool we should just fuzz each executable allocation that says it
11+
can fail.
12+
13+
The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
14+
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
15+
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
16+
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
17+
18+
* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
19+
* Scripts/run-jsc-stress-tests:
20+
121
2021-07-14 Aakash Jain <aakash_jain@apple.com>
222

323
Add step name and description to InstallBuiltProduct build step

Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz

Lines changed: 1 addition & 1 deletion
@@ -69,7 +69,7 @@ if (shift @ARGV) {
6969
die "Ignoring garbage arguments; only the first non-option argument is used as the command string.";
7070
}
7171

72-
open (my $testInput, "$commandString --useExecutableAllocationFuzz=true |") or fail("Cannot execute initial command when getting check count");
72+
open (my $testInput, "$commandString --useExecutableAllocationFuzz=true --verboseExecutableAllocationFuzz=true |") or fail("Cannot execute initial command when getting check count");
7373
while (my $inputLine = <$testInput>) {
7474
chomp($inputLine);
7575
my $handled = 0;
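Review bot: adding --verboseExecutableAllocationFuzz=true to the counting run at line 72 means the stream parsed by the loop below now also carries the "Will pretend to fail executable allocation." lines and the WTFReportBacktrace() output emitted from ExecutableAllocationFuzz.cpp; the loop tracks `$handled`, so confirm those extra lines either match a handler or fall through silently rather than being reported as unexpected output, and that the backtrace volume does not noticeably slow the check-count pass on large tests.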

Tools/Scripts/run-jsc-stress-tests

Lines changed: 7 additions & 7 deletions
@@ -189,7 +189,7 @@ def usage
189189
puts "--basic Run with default and these additional modes: no-llint,"
190190
puts " no-cjit-validate-phases, no-cjit-collect-continuously, dfg-eager"
191191
puts " and for FTL platforms: no-ftl, ftl-eager-no-cjit and"
192-
puts " ftl-no-cjit-small-pool."
192+
puts " ftl-no-cjit-fuzz."
193193
exit 1
194194
end
195195

@@ -852,8 +852,8 @@ def runFTLNoCJITNoAccessInlining(*optionalTestSpecificOptions)
852852
run("ftl-no-cjit-no-access-inlining", "--useAccessInlining=false", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
853853
end
854854

855-
def runFTLNoCJITSmallPool(*optionalTestSpecificOptions)
856-
run("ftl-no-cjit-small-pool", "--jitMemoryReservationSize=102400", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
855+
def runFTLNoCJITFuzz(*optionalTestSpecificOptions)
856+
run("ftl-no-cjit-fuzz", "--useExecutableAllocationFuzz=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
857857
end
858858

859859
def runNoCJIT(*optionalTestSpecificOptions)
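Review bot: runFTLNoCJITFuzz at lines 855-856 passes only --useExecutableAllocationFuzz=true, so every run on the bots uses whatever seed the engine picks; the commit message says a seed can be passed in when flakiness appears, so consider letting this helper (and the ftl-no-cjit-fuzz-modules variant) accept an optional seed and forward it as --seedOfVMRandomForFuzzer, so it lands in the recorded command without a further script change.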
@@ -898,7 +898,7 @@ def defaultRun
898898
runNoFTL
899899
runFTLEager
900900
runFTLEagerNoCJITValidate
901-
runFTLNoCJITSmallPool
901+
runFTLNoCJITFuzz
902902

903903
return if $mode == "basic"
904904

@@ -929,7 +929,7 @@ def defaultNoNoLLIntRun
929929

930930
runNoFTL
931931
runFTLNoCJITValidate
932-
runFTLNoCJITSmallPool
932+
runFTLNoCJITFuzz
933933

934934
return if $mode == "basic"
935935

@@ -1009,7 +1009,7 @@ def defaultNoSamplingProfilerRun
10091009
runFTLNoCJITNoInlineValidate
10101010
runFTLEager
10111011
runFTLEagerNoCJITValidate
1012-
runFTLNoCJITSmallPool
1012+
runFTLNoCJITFuzz
10131013
end
10141014
end
10151015

@@ -1161,7 +1161,7 @@ def defaultRunModules(noLLInt: true)
11611161
run("ftl-no-cjit-no-inline-validate-modules", "-m", "--validateGraph=true", "--maximumInliningDepth=1", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
11621162
run("ftl-eager-modules", "-m", *(FTL_OPTIONS + EAGER_OPTIONS))
11631163
run("ftl-eager-no-cjit-modules", "-m", "--validateGraph=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS))
1164-
run("ftl-no-cjit-small-pool-modules", "-m", "--jitMemoryReservationSize=102400", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
1164+
run("ftl-no-cjit-fuzz-modules", "-m", "--useExecutableAllocationFuzz=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
11651165
end
11661166

11671167
def noNoLLIntRunModules
