Title: [186605] trunk/Source/_javascript_Core
Revision
186605
Author
fpi...@apple.com
Date
2015-07-09 12:43:28 -0700 (Thu, 09 Jul 2015)

Log Message

OSR exit fuzzing should allow us to select a static exit site
https://bugs.webkit.org/show_bug.cgi?id=146601

Reviewed by Geoffrey Garen.
        
The original implementation of the fuzzer allows us to trigger an exit based on its index
in the dynamic sequence of exit sites encountered. But there are usually millions of
dynamically encountered exit sites, even if the program only has thousands of static exit
sites. That means that we would at best be able to do a random sampling of exits, and
those would be biased to the hottest exit sites.
        
This change allows us to also select exit sites based on their index in the static
sequence of exit sites that the compiler compiled. Then, once that static exit site is
selected, we can select which dynamic exit at that exit site we should trigger. Since the
number of static exit sites is usually smallish (it's bounded by program size), we can do
an exhaustive search over all exit sites in most programs.

* dfg/DFGOSRExitFuzz.cpp:
(JSC::numberOfStaticOSRExitFuzzChecks):
(JSC::numberOfOSRExitFuzzChecks):
* dfg/DFGOSRExitFuzz.h:
(JSC::DFG::doOSRExitFuzzing):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:


Modified: trunk/Source/_javascript_Core/ChangeLog (186604 => 186605)


--- trunk/Source/_javascript_Core/ChangeLog	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-07-09 19:43:28 UTC (rev 186605)
@@ -1,3 +1,36 @@
+2015-07-03  Filip Pizlo  <fpi...@apple.com>
+
+        OSR exit fuzzing should allow us to select a static exit site
+        https://bugs.webkit.org/show_bug.cgi?id=146601
+
+        Reviewed by Geoffrey Garen.
+        
+        The original implementation of the fuzzer allows us to trigger an exit based on its index
+        in the dynamic sequence of exit sites encountered. But there are usually millions of
+        dynamically encountered exit sites, even if the program only has thousands of static exit
+        sites. That means that we would at best be able to do a random sampling of exits, and
+        those would be biased to the hottest exit sites.
+        
+        This change allows us to also select exit sites based on their index in the static
+        sequence of exit sites that the compiler compiled. Then, once that static exit site is
+        selected, we can select which dynamic exit at that exit site we should trigger. Since the
+        number of static exit sites is usually smallish (it's bounded by program size), we can do
+        an exhaustive search over all exit sites in most programs.
+
+        * dfg/DFGOSRExitFuzz.cpp:
+        (JSC::numberOfStaticOSRExitFuzzChecks):
+        (JSC::numberOfOSRExitFuzzChecks):
+        * dfg/DFGOSRExitFuzz.h:
+        (JSC::DFG::doOSRExitFuzzing):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
+        * jsc.cpp:
+        (jscmain):
+        * runtime/Options.h:
+        * runtime/TestRunnerUtils.h:
+
 2015-07-08  Joseph Pecoraro  <pecor...@apple.com>
 
         Fix grammar issue in TypeError attempting to change an unconfigurable property

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.cpp (186604 => 186605)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.cpp	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.cpp	2015-07-09 19:43:28 UTC (rev 186605)
@@ -30,10 +30,16 @@
 
 namespace JSC { namespace DFG {
 
+unsigned g_numberOfStaticOSRExitFuzzChecks;
 unsigned g_numberOfOSRExitFuzzChecks;
 
 } // namespace DFG
 
+unsigned numberOfStaticOSRExitFuzzChecks()
+{
+    return DFG::g_numberOfStaticOSRExitFuzzChecks;
+}
+
 unsigned numberOfOSRExitFuzzChecks()
 {
     return DFG::g_numberOfOSRExitFuzzChecks;

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.h (186604 => 186605)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.h	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitFuzz.h	2015-07-09 19:43:28 UTC (rev 186605)
@@ -26,8 +26,24 @@
 #ifndef DFGOSRExitFuzz_h
 #define DFGOSRExitFuzz_h
 
+#include "Options.h"
+
 namespace JSC { namespace DFG {
 
+extern unsigned g_numberOfStaticOSRExitFuzzChecks;
+
+inline bool doOSRExitFuzzing()
+{
+    if (!Options::enableOSRExitFuzz())
+        return false;
+    
+    g_numberOfStaticOSRExitFuzzChecks++;
+    if (unsigned atStatic = Options::fireOSRExitFuzzAtStatic())
+        return atStatic == g_numberOfStaticOSRExitFuzzChecks;
+    
+    return true;
+}
+
 // DFG- and FTL-generated code will query this on every speculation.
 extern unsigned g_numberOfOSRExitFuzzChecks;
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (186604 => 186605)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2015-07-09 19:43:28 UTC (rev 186605)
@@ -159,7 +159,7 @@
 
 MacroAssembler::Jump SpeculativeJIT::emitOSRExitFuzzCheck()
 {
-    if (!Options::enableOSRExitFuzz())
+    if (!doOSRExitFuzzing())
         return MacroAssembler::Jump();
     
     MacroAssembler::Jump result;

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (186604 => 186605)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2015-07-09 19:43:28 UTC (rev 186605)
@@ -8167,7 +8167,7 @@
                 dataLog("        Available recoveries: ", listDump(m_availableRecoveries), "\n");
         }
         
-        if (Options::enableOSRExitFuzz()) {
+        if (doOSRExitFuzzing()) {
             LValue numberOfFuzzChecks = m_out.add(
                 m_out.load32(m_out.absolute(&g_numberOfOSRExitFuzzChecks)),
                 m_out.int32One);

Modified: trunk/Source/_javascript_Core/jsc.cpp (186604 => 186605)


--- trunk/Source/_javascript_Core/jsc.cpp	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/jsc.cpp	2015-07-09 19:43:28 UTC (rev 186605)
@@ -1551,8 +1551,10 @@
             Options::fireExecutableAllocationFuzzAt() || Options::fireExecutableAllocationFuzzAtOrAfter();
         if (Options::enableExecutableAllocationFuzz() && (!fireAtEnabled || Options::verboseExecutableAllocationFuzz()))
             printf("JSC EXECUTABLE ALLOCATION FUZZ: encountered %u checks.\n", numberOfExecutableAllocationFuzzChecks());
-        if (Options::enableOSRExitFuzz())
-            printf("JSC OSR EXIT FUZZ: encountered %u checks.\n", numberOfOSRExitFuzzChecks());
+        if (Options::enableOSRExitFuzz()) {
+            printf("JSC OSR EXIT FUZZ: encountered %u static checks.\n", numberOfStaticOSRExitFuzzChecks());
+            printf("JSC OSR EXIT FUZZ: encountered %u dynamic checks.\n", numberOfOSRExitFuzzChecks());
+        }
 #endif
     }
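Review bot: The two new OSR exit fuzz summary lines print whenever the fuzzer is enabled, while the executable-allocation summary two lines above is suppressed once a fire point is selected unless its verbose option is set; with fireOSRExitFuzzAtStatic turning multi-run sweeps into the normal workflow, the same gating would keep harness output quiet on every non-counting run. If the harness does not depend on the counts being printed during the sweep, I would guard the block with a check that none of fireOSRExitFuzzAtStatic, fireOSRExitFuzzAt or fireOSRExitFuzzAtOrAfter is set, mirroring the `fireAtEnabled` pattern above. The enclosing function continues outside the hunk.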
     

Modified: trunk/Source/_javascript_Core/runtime/Options.h (186604 => 186605)


--- trunk/Source/_javascript_Core/runtime/Options.h	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/runtime/Options.h	2015-07-09 19:43:28 UTC (rev 186605)
@@ -310,6 +310,7 @@
     v(bool, verboseExecutableAllocationFuzz, false, nullptr) \
     \
     v(bool, enableOSRExitFuzz, false, nullptr) \
+    v(unsigned, fireOSRExitFuzzAtStatic, 0, nullptr) \
     v(unsigned, fireOSRExitFuzzAt, 0, nullptr) \
     v(unsigned, fireOSRExitFuzzAtOrAfter, 0, nullptr) \
     \

Modified: trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h (186604 => 186605)


--- trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h	2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h	2015-07-09 19:43:28 UTC (rev 186605)
@@ -46,6 +46,7 @@
 
 JS_EXPORT_PRIVATE unsigned numberOfExceptionFuzzChecks();
 JS_EXPORT_PRIVATE unsigned numberOfExecutableAllocationFuzzChecks();
+JS_EXPORT_PRIVATE unsigned numberOfStaticOSRExitFuzzChecks();
 JS_EXPORT_PRIVATE unsigned numberOfOSRExitFuzzChecks();
 
 } // namespace JSC