Title: [264133] trunk/Source/_javascript_Core
Revision
264133
Author
sbar...@apple.com
Date
2020-07-08 14:33:54 -0700 (Wed, 08 Jul 2020)

Log Message

Add a fuzzing toggle for LICM
https://bugs.webkit.org/show_bug.cgi?id=214093

Reviewed by Yusuke Suzuki.

We have an AI based safety checker for LICM, to determine if it's safe to
hoist nodes. Historically, we've had bugs here, where we allow unsafe
hoisting. In practice, we've been saved by safety checks also being hoisted
at the same time as the operation they're protecting, so even if we
have bugs in AI-based safeToExecute, things usually just work. Since
we've had security bugs here before, where the safety checks don't get hoisted,
leading to issues, it's helpful if we can fuzz this area. This patch implements
a way to say we won't hoist a node based on some probability, allowing us to play
with what does and doesn't get hoisted.

* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* runtime/OptionsList.h:
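As an added illustration of the mechanism this commit introduces (this is not code from the commit or from WebKit), the following stand-alone C++ shows how a hoisting probability is mapped onto a 32-bit random threshold, and what happens at the edges of that mapping. `ToyWeakRandom` is a hypothetical xorshift64* stand-in for JSC's `WeakRandom`, seeded deterministically so that a fuzzing run can be replayed from its seed; `shouldAttemptHoist` and `observedHoistFraction` are names chosen here. It goes one step beyond the patch by clamping the probability before the threshold is computed: with a value above 1.0, `(1.0 - p)` is negative, and converting a negative double to an unsigned integer is undefined behaviour in C++; with a value of exactly 0.0, the threshold is `UINT32_MAX`, so a hoist is still attempted whenever the generator happens to return that value.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for JSC's WeakRandom: a small xorshift64* generator.
// Seeding it with a fixed value makes a fuzzing run reproducible from the seed.
class ToyWeakRandom {
public:
    explicit ToyWeakRandom(uint64_t seed)
        : m_state(seed ? seed : 0x9E3779B97F4A7C15ULL) // xorshift state must be non-zero
    {
    }

    uint32_t getUint32()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        // Return the high 32 bits of the multiplied state (the better-mixed half).
        return static_cast<uint32_t>((m_state * 0x2545F4914F6CDD1DULL) >> 32);
    }

private:
    uint64_t m_state;
};

// Decide whether to attempt a hoist, given allowHoistingProbability in [0, 1].
// The endpoints are handled explicitly so 0.0 really means "never" and 1.0
// really means "always"; values outside [0, 1] (and NaN) are clamped instead of
// being fed into the double-to-unsigned conversion.
bool shouldAttemptHoist(double allowHoistingProbability, ToyWeakRandom& random)
{
    double p = allowHoistingProbability;
    if (!(p > 0.0)) // also rejects NaN, since comparisons with NaN are false
        return false;
    if (p >= 1.0)
        return true;

    // A uniformly random uint32 is >= threshold with probability roughly p.
    constexpr double range = static_cast<double>(std::numeric_limits<uint32_t>::max());
    uint32_t threshold = static_cast<uint32_t>((1.0 - p) * range);
    return random.getUint32() >= threshold;
}

// Sample the decision repeatedly from a fixed seed and return the fraction of
// attempted hoists, so the threshold mapping can be checked against p.
double observedHoistFraction(double allowHoistingProbability, uint64_t seed, unsigned trials)
{
    ToyWeakRandom random { seed };
    unsigned hoisted = 0;
    for (unsigned i = 0; i < trials; ++i) {
        if (shouldAttemptHoist(allowHoistingProbability, random))
            ++hoisted;
    }
    return static_cast<double>(hoisted) / trials;
}

int main()
{
    // 424242 mirrors the default seed the commit gives seedForLICMFuzzer.
    const double probabilities[] = { 0.0, 0.25, 0.5, 1.0, 1.5 };
    for (double p : probabilities)
        std::printf("p=%.2f -> observed hoist fraction %.4f\n", p, observedHoistFraction(p, 424242, 100000));
    return 0;
}
```

Running the program prints a fraction close to each requested probability for values inside [0, 1], exactly 0 and 1 at the endpoints, and 1 for the out-of-range 1.5, which the unclamped arithmetic would instead turn into undefined behaviour.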

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (264132 => 264133)


--- trunk/Source/_javascript_Core/ChangeLog	2020-07-08 21:13:55 UTC (rev 264132)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-08 21:33:54 UTC (rev 264133)
@@ -1,5 +1,26 @@
 2020-07-08  Saam Barati  <sbar...@apple.com>
 
+        Add a fuzzing toggle for LICM
+        https://bugs.webkit.org/show_bug.cgi?id=214093
+
+        Reviewed by Yusuke Suzuki.
+
+        We have an AI based safety checker for LICM, to determine if it's safe to
+        hoist nodes. Historically, we've had bugs here, where we allow unsafe
+        hoisting. In practice, we've been saved by safety checks also being hoisted
+        at the same time as the operation they're protecting, so even if we
+        have bugs in AI-based safeToExecute, things usually just work. Since
+        we've had security bugs here before, where the safety checks don't get hoisted,
+        leading to issues, it's helpful if we can fuzz this area.  This patch implements
+        a way to says we won't hoist a node based on some probability, allowing us to play
+        with what does and doesn't get hoisted.
+
+        * dfg/DFGLICMPhase.cpp:
+        (JSC::DFG::LICMPhase::run):
+        * runtime/OptionsList.h:
+
+2020-07-08  Saam Barati  <sbar...@apple.com>
+
         Add a way to return early from detected infinite loops to aid the fuzzer
         https://bugs.webkit.org/show_bug.cgi?id=214067
 

Modified: trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp (264132 => 264133)


--- trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp	2020-07-08 21:13:55 UTC (rev 264132)
+++ trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp	2020-07-08 21:33:54 UTC (rev 264133)
@@ -181,6 +181,9 @@
         // tend to hoist dominators before dominatees.
         Vector<const NaturalLoop*> loopStack;
         bool changed = false;
+
+        WeakRandom random { Options::seedForLICMFuzzer() };
+
         for (BasicBlock* block : m_graph.blocksInPreOrder()) {
             if (!block->cfaHasVisited)
                 continue;
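Review bot: `WeakRandom random { Options::seedForLICMFuzzer() }` is constructed locally in `run()` on every invocation of the phase, including when `useLICMFuzzing` is off, and because the seed is a fixed option every function compiled in the same process restarts the same random sequence. That is fine for reproducibility, but it means the hoist/skip pattern is identical across functions rather than varying per compilation; a short comment stating that this is intended (or deriving the seed per compilation if more diversity is wanted) would help the next reader, and moving the construction under the `useLICMFuzzing` check would make it obvious the generator is only consulted while fuzzing.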
@@ -213,8 +216,17 @@
                 Node*& nodeRef = block->at(nodeIndex);
                 if (nodeRef->op() == ForceOSRExit)
                     break;
-                for (unsigned stackIndex = loopStack.size(); stackIndex--;)
+                for (unsigned stackIndex = loopStack.size(); stackIndex--;) {
+                    if (UNLIKELY(Options::useLICMFuzzing())) {
+                        constexpr double range = static_cast<double>(std::numeric_limits<uint32_t>::max());
+                        uint32_t floor = static_cast<unsigned>((1.0 - Options::allowHoistingLICMProbability()) * range);
+                        bool shouldAttemptHoist = random.getUint32() >= floor;
+                        if (!shouldAttemptHoist)
+                            continue;
+                    }
+
                     changed |= attemptHoist(block, nodeRef, loopStack[stackIndex]);
+                }
             }
         }
 
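Review bot: `allowHoistingLICMProbability()` is used without range validation. For a value above 1.0, `(1.0 - p) * range` is negative and converting a negative double to `unsigned` is undefined behaviour; for exactly 0.0, `floor` becomes `UINT32_MAX`, so a hoist is still attempted whenever `random.getUint32()` returns that value, which is not quite "never". Suggest clamping to [0, 1] and returning early at the endpoints, e.g. `if (p <= 0.0) continue;` and `if (p >= 1.0) { /* always hoist */ }` before computing the threshold. The local named `floor` also shadows the C library `floor` function; `threshold` would read better and avoid `-Wshadow` noise.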

Modified: trunk/Source/_javascript_Core/runtime/OptionsList.h (264132 => 264133)


--- trunk/Source/_javascript_Core/runtime/OptionsList.h	2020-07-08 21:13:55 UTC (rev 264132)
+++ trunk/Source/_javascript_Core/runtime/OptionsList.h	2020-07-08 21:33:54 UTC (rev 264133)
@@ -512,6 +512,9 @@
     v(Bool, usePrivateClassFields, false, Normal, "If true, the parser will understand private data fields inside classes.") \
     v(Bool, returnEarlyFromInfiniteLoopsForFuzzing, false, Normal, nullptr) \
     v(Size, earlyReturnFromInfiniteLoopsLimit, 1300000000, Normal, "When returnEarlyFromInfiniteLoopsForFuzzing is true, this determines the number of executions a loop can run for before just returning. This is helpful for the fuzzer so it doesn't get stuck in infinite loops.") \
+    v(Bool, useLICMFuzzing, false, Normal, nullptr) \
+    v(Unsigned, seedForLICMFuzzer, 424242, Normal, nullptr) \
+    v(Double, allowHoistingLICMProbability, 0.5, Normal, nullptr) \
 
 enum OptionEquivalence {
     SameOption,
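Review bot: all three new options pass `nullptr` as their description, while the neighbouring `earlyReturnFromInfiniteLoopsLimit` documents its purpose. Since `allowHoistingLICMProbability` has an implicit valid range of [0, 1] and `seedForLICMFuzzer` exists to make runs reproducible, short description strings stating those facts (and that the latter two only take effect when `useLICMFuzzing` is true) would save whoever runs the fuzzer from having to read DFGLICMPhase.cpp to find out.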