[JSC] Pass CodeOrigin to FuzzerAgent
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 18:53:08 +0000 (18:53 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Apr 2019 18:53:08 +0000 (18:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196590

Reviewed by Saam Barati.

Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
but DFGByteCodeParser should only see predictions that can actually be produced by bytecode execution.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
* runtime/FuzzerAgent.cpp:
(JSC::FuzzerAgent::getPrediction):
* runtime/FuzzerAgent.h:
* runtime/RandomizingFuzzerAgent.cpp:
(JSC::RandomizingFuzzerAgent::getPrediction):
* runtime/RandomizingFuzzerAgent.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243885 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/runtime/FuzzerAgent.cpp
Source/JavaScriptCore/runtime/FuzzerAgent.h
Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp
Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.h

index 33fc8d6..3eae3a8 100644 (file)
@@ -1,3 +1,23 @@
+2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Pass CodeOrigin to FuzzerAgent
+        https://bugs.webkit.org/show_bug.cgi?id=196590
+
+        Reviewed by Saam Barati.
+
+        Pass CodeOrigin instead of bytecodeIndex. CodeOrigin includes richer information (InlineCallFrame*).
+        We also mask prediction with SpecBytecodeTop in DFGByteCodeParser. The fuzzer can produce any SpeculatedTypes,
+        but DFGByteCodeParser should only see predictions that can be actually produced from the bytecode execution.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+        * runtime/FuzzerAgent.cpp:
+        (JSC::FuzzerAgent::getPrediction):
+        * runtime/FuzzerAgent.h:
+        * runtime/RandomizingFuzzerAgent.cpp:
+        (JSC::RandomizingFuzzerAgent::getPrediction):
+        * runtime/RandomizingFuzzerAgent.h:
+
 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
 
         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
index 3e5c4b6..0626e79 100644 (file)
@@ -832,20 +832,20 @@ private:
     
     SpeculatedType getPredictionWithoutOSRExit(unsigned bytecodeIndex)
     {
-        auto getValueProfilePredictionFromForCodeBlockAndBytecodeOffset = [&] (CodeBlock* codeBlock, int bytecodeIndex)
+        auto getValueProfilePredictionFromForCodeBlockAndBytecodeOffset = [&] (CodeBlock* codeBlock, const CodeOrigin& codeOrigin)
         {
             SpeculatedType prediction;
             {
                 ConcurrentJSLocker locker(codeBlock->m_lock);
-                prediction = codeBlock->valueProfilePredictionForBytecodeOffset(locker, bytecodeIndex);
+                prediction = codeBlock->valueProfilePredictionForBytecodeOffset(locker, codeOrigin.bytecodeIndex());
             }
             auto* fuzzerAgent = m_vm->fuzzerAgent();
             if (UNLIKELY(fuzzerAgent))
-                return fuzzerAgent->getPrediction(codeBlock, bytecodeIndex, prediction);
+                return fuzzerAgent->getPrediction(codeBlock, codeOrigin, prediction) & SpecBytecodeTop;
             return prediction;
         };
 
-        SpeculatedType prediction = getValueProfilePredictionFromForCodeBlockAndBytecodeOffset(m_inlineStackTop->m_profiledBlock, bytecodeIndex);
+        SpeculatedType prediction = getValueProfilePredictionFromForCodeBlockAndBytecodeOffset(m_inlineStackTop->m_profiledBlock, CodeOrigin(bytecodeIndex, inlineCallFrame()));
         if (prediction != SpecNone)
             return prediction;
 
@@ -879,7 +879,7 @@ private:
             while (stack->m_inlineCallFrame != codeOrigin->inlineCallFrame())
                 stack = stack->m_caller;
 
-            return getValueProfilePredictionFromForCodeBlockAndBytecodeOffset(stack->m_profiledBlock, codeOrigin->bytecodeIndex());
+            return getValueProfilePredictionFromForCodeBlockAndBytecodeOffset(stack->m_profiledBlock, *codeOrigin);
         }
 
         default:
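Review bot: The `& SpecBytecodeTop` mask on the fuzzer agent's return value is the one non-obvious line in the lambda and carries no comment, so a later maintainer could read it as redundant and drop it. I would add above that return: `// The agent may hand back any SpeculatedType bits; the parser must only see types that bytecode execution can actually produce.` Note also that a fuzzed value whose bits all lie outside SpecBytecodeTop masks to SpecNone, which the `prediction != SpecNone` check below then treats as "no prediction" and falls through to the rest of the function rather than as a fuzzed prediction; if that is intended, the comment should say so. The lambda is also still named `getValueProfilePredictionFromForCodeBlockAndBytecodeOffset` although it now takes a CodeOrigin, so renaming it to `getValueProfilePredictionForCodeBlockAndCodeOrigin` would keep the name honest. The enclosing getPredictionWithoutOSRExit continues outside both hunks.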
index 8aa7322..df708f7 100644 (file)
@@ -32,7 +32,7 @@ FuzzerAgent::~FuzzerAgent()
 {
 }
 
-SpeculatedType FuzzerAgent::getPrediction(CodeBlock*, int, SpeculatedType result)
+SpeculatedType FuzzerAgent::getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType result)
 {
     return result;
 }
index 999e7e3..06032db 100644 (file)
@@ -25,8 +25,8 @@
 
 #pragma once
 
+#include "CodeOrigin.h"
 #include "SpeculatedType.h"
-#include <wtf/Locker.h>
 
 namespace JSC {
 
@@ -36,7 +36,7 @@ class FuzzerAgent {
 public:
     JS_EXPORT_PRIVATE virtual ~FuzzerAgent();
 
-    JS_EXPORT_PRIVATE virtual SpeculatedType getPrediction(CodeBlock*, int bytecodeOffset, SpeculatedType);
+    JS_EXPORT_PRIVATE virtual SpeculatedType getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType);
 };
 
 } // namespace JSC
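Review bot: The virtual getPrediction has no documentation, and the new CodeOrigin parameter makes its contract less self-describing than the old `int bytecodeOffset` was. I would add a comment above the declaration along the lines of: `// Called by the DFG parser whenever it reads a value profile; returns the SpeculatedType the parser should use in place of the profiled one. The default implementation returns the profiled type unchanged; the caller masks the result with SpecBytecodeTop.` Separately, as far as these hunks show, the header now includes CodeOrigin.h only to name `const CodeOrigin&` in this one declaration; a `class CodeOrigin;` forward declaration would keep FuzzerAgent.h lighter, with the .cpp files that call `bytecodeIndex()` including CodeOrigin.h themselves, provided nothing else in the header needs the full definition.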
index cfda10b..3d22595 100644 (file)
@@ -27,6 +27,7 @@
 #include "RandomizingFuzzerAgent.h"
 
 #include "CodeBlock.h"
+#include <wtf/Locker.h>
 
 namespace JSC {
 
@@ -35,14 +36,14 @@ RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
 {
 }
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, int bytecodeIndex, SpeculatedType original)
+SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
 {
     auto locker = holdLock(m_lock);
     uint32_t high = m_random.getUint32();
     uint32_t low = m_random.getUint32();
     SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
     if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", bytecodeIndex, "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
+        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
     return generated;
 }
 
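Review bot: The dump line still prints only `codeOrigin.bytecodeIndex()`, so the InlineCallFrame* that motivated passing a CodeOrigin is invisible in the `dumpRandomizingFuzzerAgentPredictions` output, and two predictions for the same bytecode index in different inlined frames of the same profiled block cannot be told apart when reproducing a fuzzer finding from the log. If CodeOrigin is printable through dataLogLn, replace the `"),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:("` fields with `"),codeOrigin:(", codeOrigin, "),original:("`; otherwise print `codeOrigin.inlineCallFrame()` next to the index. The generate-then-mask-with-SpecFullTop flow is unchanged by this commit and reads fine.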
index 75523d5..472277a 100644 (file)
@@ -37,7 +37,7 @@ class RandomizingFuzzerAgent final : public FuzzerAgent {
 public:
     RandomizingFuzzerAgent(VM&);
 
-    SpeculatedType getPrediction(CodeBlock*, int bytecodeOffset, SpeculatedType) override;
+    SpeculatedType getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType) override;
 
 private:
     WeakRandom m_random;