<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186605] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186605">186605</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-07-09 12:43:28 -0700 (Thu, 09 Jul 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>OSR exit fuzzing should allow us to select a static exit site
https://bugs.webkit.org/show_bug.cgi?id=146601

Reviewed by Geoffrey Garen.
        
The original implementation of the fuzzer allows us to trigger an exit based on its index
in the dynamic sequence of exit sites encountered. But there are usually millions of
dynamically encountered exit sites, even if the program only has thousands of static exit
sites. That means that we would at best be able to do a random sampling of exits, and
those would be biased to the hottest exit sites.
        
This change allows us to also select exit sites based on their index in the static
sequence of exit sites that the compiler compiled. Then, once that static exit site is
selected, we can select which dynamic exit at that exit site we should trigger. Since the
number of static exit sites is usually smallish (it's bounded by program size), we can do
an exhaustive search over all exit sites in most programs.

* dfg/DFGOSRExitFuzz.cpp:
(JSC::numberOfStaticOSRExitFuzzChecks):
(JSC::numberOfOSRExitFuzzChecks):
* dfg/DFGOSRExitFuzz.h:
(JSC::DFG::doOSRExitFuzzing):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:</pre>
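The log message above describes a two-level selection: a process-wide static counter, bumped once per exit site the compiler visits, picks which site gets a fuzz check emitted, and a dynamic counter, bumped each time an emitted check runs, picks which execution of that site actually exits. The following is an added model of that scheme, not WebKit code and not part of this revision. Option and counter names mirror the patch; the exact comparison that fireOSRExitFuzzAt and fireOSRExitFuzzAtOrAfter perform against the dynamic counter is not shown on this page and is assumed here (fire on exactly the Nth check, or on the Nth and every later check). The execution trace is constructed.

```cpp
// Added example, not WebKit code: a small model of the two-level exit-site
// selection described in the log message. Option and counter names mirror the
// patch; the firing rules for the dynamic counter are assumptions (see below).
#include <cstddef>
#include <cstdio>
#include <vector>

// Mirrors the four options used in Options.h. 0 means "not set".
struct FuzzOptions {
    bool enableOSRExitFuzz;
    unsigned fireOSRExitFuzzAtStatic;  // 1-based index of the static exit site to arm; 0 = arm all
    unsigned fireOSRExitFuzzAt;        // fire on exactly the Nth dynamic check (assumed semantics)
    unsigned fireOSRExitFuzzAtOrAfter; // fire on the Nth and every later dynamic check (assumed)
};

FuzzOptions makeOptions(unsigned atStatic, unsigned at, unsigned atOrAfter)
{
    FuzzOptions options = { true, atStatic, at, atOrAfter };
    return options;
}

// Stand-ins for the two process-wide counters in DFGOSRExitFuzz.h/.cpp.
struct FuzzState {
    unsigned numberOfStaticChecks = 0;  // g_numberOfStaticOSRExitFuzzChecks
    unsigned numberOfDynamicChecks = 0; // g_numberOfOSRExitFuzzChecks
};

// Compile-time decision, same shape as doOSRExitFuzzing() in the patch: every
// static exit site the compiler visits bumps the static counter, and once a
// static index is selected only that one site gets a fuzz check emitted.
bool doOSRExitFuzzing(const FuzzOptions& options, FuzzState& state)
{
    if (!options.enableOSRExitFuzz)
        return false;
    state.numberOfStaticChecks++;
    if (unsigned atStatic = options.fireOSRExitFuzzAtStatic)
        return atStatic == state.numberOfStaticChecks;
    return true;
}

// Run-time decision for a site whose check was emitted. ASSUMPTION: the "At"
// option fires on exactly that check and "AtOrAfter" from that check onwards;
// the page names these options but does not show their comparisons.
bool fuzzCheckFires(const FuzzOptions& options, FuzzState& state)
{
    state.numberOfDynamicChecks++;
    if (options.fireOSRExitFuzzAt && state.numberOfDynamicChecks == options.fireOSRExitFuzzAt)
        return true;
    if (options.fireOSRExitFuzzAtOrAfter && state.numberOfDynamicChecks >= options.fireOSRExitFuzzAtOrAfter)
        return true;
    return false;
}

// Toy program: numberOfStaticSites exit sites compiled in order, then a trace
// naming the 0-based static site executed at each step. Returns the trace
// positions at which a fuzzed exit fires.
std::vector<size_t> simulate(const FuzzOptions& options, unsigned numberOfStaticSites,
                             const std::vector<unsigned>& trace)
{
    FuzzState state;
    std::vector<bool> armed(numberOfStaticSites);
    for (unsigned site = 0; site < numberOfStaticSites; ++site) // "compile"
        armed[site] = doOSRExitFuzzing(options, state);

    std::vector<size_t> firedAt;
    for (size_t step = 0; step < trace.size(); ++step) {    // "run"
        if (armed[trace[step]] && fuzzCheckFires(options, state))
            firedAt.push_back(step);
    }
    return firedAt;
}

// The exhaustive search the log message describes: arm each static site in
// turn with fireOSRExitFuzzAt=1 and record the first step at which it exits.
// A site that never executes is reported as trace.size().
std::vector<size_t> exhaustiveFirstExits(unsigned numberOfStaticSites,
                                         const std::vector<unsigned>& trace)
{
    std::vector<size_t> firstExit;
    for (unsigned index = 1; index <= numberOfStaticSites; ++index) {
        std::vector<size_t> fired = simulate(makeOptions(index, 1, 0), numberOfStaticSites, trace);
        firstExit.push_back(fired.empty() ? trace.size() : fired.front());
    }
    return firstExit;
}

int main()
{
    // Constructed trace: site 0 is hot (runs four times), sites 1 and 2 run once each.
    const std::vector<unsigned> trace = { 0, 0, 0, 1, 0, 2 };

    // Dynamic-only selection (static index 0) lands on the hot site.
    std::vector<size_t> dynamicOnly = simulate(makeOptions(0, 2, 0), 3, trace);
    printf("fireOSRExitFuzzAt=2 fires at step %zu (site %u)\n", dynamicOnly[0], trace[dynamicOnly[0]]);

    // Static selection reaches every site, including the cold ones.
    std::vector<size_t> firsts = exhaustiveFirstExits(3, trace);
    for (size_t i = 0; i < firsts.size(); ++i)
        printf("static site %zu first exits at step %zu\n", i + 1, firsts[i]);
    return 0;
}
```

With the constructed trace, dynamic-only selection with fireOSRExitFuzzAt=2 fires on the second execution of the hot site 0, while the static sweep reaches all three sites (first exits at steps 0, 3 and 5), which is the bias and the exhaustiveness the log message describes.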

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitFuzzcpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitFuzzh">trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionsh">trunk/Source/JavaScriptCore/runtime/Options.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh">trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2015-07-03  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        OSR exit fuzzing should allow us to select a static exit site
+        https://bugs.webkit.org/show_bug.cgi?id=146601
+
+        Reviewed by Geoffrey Garen.
+        
+        The original implementation of the fuzzer allows us to trigger an exit based on its index
+        in the dynamic sequence of exit sites encountered. But there are usually millions of
+        dynamically encountered exit sites, even if the program only has thousands of static exit
+        sites. That means that we would at best be able to do a random sampling of exits, and
+        those would be biased to the hottest exit sites.
+        
+        This change allows us to also select exit sites based on their index in the static
+        sequence of exit sites that the compiler compiled. Then, once that static exit site is
+        selected, we can select which dynamic exit at that exit site we should trigger. Since the
+        number of static exit sites is usually smallish (it's bounded by program size), we can do
+        an exhaustive search over all exit sites in most programs.
+
+        * dfg/DFGOSRExitFuzz.cpp:
+        (JSC::numberOfStaticOSRExitFuzzChecks):
+        (JSC::numberOfOSRExitFuzzChecks):
+        * dfg/DFGOSRExitFuzz.h:
+        (JSC::DFG::doOSRExitFuzzing):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
+        * jsc.cpp:
+        (jscmain):
+        * runtime/Options.h:
+        * runtime/TestRunnerUtils.h:
+
</ins><span class="cx"> 2015-07-08  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Fix grammar issue in TypeError attempting to change an unconfigurable property
</span></span></pre></div>
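Review bot: the new ChangeLog entry is dated 2015-07-03 while the revision metadata and the diff headers are dated 2015-07-09; update the entry date to the landing date so the ChangeLog and the repository history agree.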
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitFuzzcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.cpp (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.cpp        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.cpp        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -30,10 +30,16 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx"> 
</span><ins>+unsigned g_numberOfStaticOSRExitFuzzChecks;
</ins><span class="cx"> unsigned g_numberOfOSRExitFuzzChecks;
</span><span class="cx"> 
</span><span class="cx"> } // namespace DFG
</span><span class="cx"> 
</span><ins>+unsigned numberOfStaticOSRExitFuzzChecks()
+{
+    return DFG::g_numberOfStaticOSRExitFuzzChecks;
+}
+
</ins><span class="cx"> unsigned numberOfOSRExitFuzzChecks()
</span><span class="cx"> {
</span><span class="cx">     return DFG::g_numberOfOSRExitFuzzChecks;
</span></span></pre></div>
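Review bot: g_numberOfStaticOSRExitFuzzChecks is a plain unsigned that doOSRExitFuzzing() increments from inside the compiler; if DFG and FTL compiles run on concurrent compiler threads, two compiles can race on this counter and the static index assigned to a given site will vary between runs, which defeats the reproducibility that fireOSRExitFuzzAtStatic is meant to provide. Either document that the static mode is intended for use with concurrent compilation disabled, or make the counter atomic.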
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitFuzzh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.h (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.h        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitFuzz.h        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -26,8 +26,24 @@
</span><span class="cx"> #ifndef DFGOSRExitFuzz_h
</span><span class="cx"> #define DFGOSRExitFuzz_h
</span><span class="cx"> 
</span><ins>+#include &quot;Options.h&quot;
+
</ins><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx"> 
</span><ins>+extern unsigned g_numberOfStaticOSRExitFuzzChecks;
+
+inline bool doOSRExitFuzzing()
+{
+    if (!Options::enableOSRExitFuzz())
+        return false;
+    
+    g_numberOfStaticOSRExitFuzzChecks++;
+    if (unsigned atStatic = Options::fireOSRExitFuzzAtStatic())
+        return atStatic == g_numberOfStaticOSRExitFuzzChecks;
+    
+    return true;
+}
+
</ins><span class="cx"> // DFG- and FTL-generated code will query this on every speculation.
</span><span class="cx"> extern unsigned g_numberOfOSRExitFuzzChecks;
</span><span class="cx"> 
</span></span></pre></div>
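Review bot: doOSRExitFuzzing() has no comment, unlike the neighbouring g_numberOfOSRExitFuzzChecks declaration; document that it runs at compile time once per emitted exit site, that fireOSRExitFuzzAtStatic is 1-based (the counter is incremented before the comparison, so the first site compiled is index 1 and 0 means "all sites"), and that when a static site is selected only that site emits a dynamic check, so fireOSRExitFuzzAt and fireOSRExitFuzzAtOrAfter then count executions of that one site rather than of all exits.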
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -159,7 +159,7 @@
</span><span class="cx"> 
</span><span class="cx"> MacroAssembler::Jump SpeculativeJIT::emitOSRExitFuzzCheck()
</span><span class="cx"> {
</span><del>-    if (!Options::enableOSRExitFuzz())
</del><ins>+    if (!doOSRExitFuzzing())
</ins><span class="cx">         return MacroAssembler::Jump();
</span><span class="cx">     
</span><span class="cx">     MacroAssembler::Jump result;
</span></span></pre></div>
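Review bot: replacing Options::enableOSRExitFuzz() with doOSRExitFuzzing() gives emitOSRExitFuzzCheck() a side effect, since every call now advances the static counter; if this helper can be invoked more than once for a single speculation, or its result re-requested, the static numbering drifts away from "one index per static exit site". Worth confirming that there is exactly one call per emitted exit and saying so in a comment.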
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -8167,7 +8167,7 @@
</span><span class="cx">                 dataLog(&quot;        Available recoveries: &quot;, listDump(m_availableRecoveries), &quot;\n&quot;);
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        if (Options::enableOSRExitFuzz()) {
</del><ins>+        if (doOSRExitFuzzing()) {
</ins><span class="cx">             LValue numberOfFuzzChecks = m_out.add(
</span><span class="cx">                 m_out.load32(m_out.absolute(&amp;g_numberOfOSRExitFuzzChecks)),
</span><span class="cx">                 m_out.int32One);
</span></span></pre></div>
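Review bot: the same single process-wide static counter is now advanced from both appendOSRExit here and SpeculativeJIT::emitOSRExitFuzzCheck, so a static index refers to a position in the interleaved order of DFG and FTL compiles rather than to one tier; a short comment noting that indices are shared across tiers would help anyone mapping a fireOSRExitFuzzAtStatic value back to a site.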
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/jsc.cpp        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -1551,8 +1551,10 @@
</span><span class="cx">             Options::fireExecutableAllocationFuzzAt() || Options::fireExecutableAllocationFuzzAtOrAfter();
</span><span class="cx">         if (Options::enableExecutableAllocationFuzz() &amp;&amp; (!fireAtEnabled || Options::verboseExecutableAllocationFuzz()))
</span><span class="cx">             printf(&quot;JSC EXECUTABLE ALLOCATION FUZZ: encountered %u checks.\n&quot;, numberOfExecutableAllocationFuzzChecks());
</span><del>-        if (Options::enableOSRExitFuzz())
-            printf(&quot;JSC OSR EXIT FUZZ: encountered %u checks.\n&quot;, numberOfOSRExitFuzzChecks());
</del><ins>+        if (Options::enableOSRExitFuzz()) {
+            printf(&quot;JSC OSR EXIT FUZZ: encountered %u static checks.\n&quot;, numberOfStaticOSRExitFuzzChecks());
+            printf(&quot;JSC OSR EXIT FUZZ: encountered %u dynamic checks.\n&quot;, numberOfOSRExitFuzzChecks());
+        }
</ins><span class="cx"> #endif
</span><span class="cx">     }
</span><span class="cx">     
</span></span></pre></div>
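Review bot: the two new printf lines fire unconditionally whenever enableOSRExitFuzz is set, while the executable-allocation fuzz line just above is suppressed when a fireAt option is in effect unless verboseExecutableAllocationFuzz is on; consider the same gating for consistency. Also, when fireOSRExitFuzzAtStatic is nonzero the "dynamic checks" figure covers only the selected site, so printing the selected static index alongside it would make the output self-describing for fuzz harnesses parsing these lines.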
<a id="trunkSourceJavaScriptCoreruntimeOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.h (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.h        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/runtime/Options.h        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -310,6 +310,7 @@
</span><span class="cx">     v(bool, verboseExecutableAllocationFuzz, false, nullptr) \
</span><span class="cx">     \
</span><span class="cx">     v(bool, enableOSRExitFuzz, false, nullptr) \
</span><ins>+    v(unsigned, fireOSRExitFuzzAtStatic, 0, nullptr) \
</ins><span class="cx">     v(unsigned, fireOSRExitFuzzAt, 0, nullptr) \
</span><span class="cx">     v(unsigned, fireOSRExitFuzzAtOrAfter, 0, nullptr) \
</span><span class="cx">     \
</span></span></pre></div>
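Review bot: fireOSRExitFuzzAtStatic takes nullptr for its description like its neighbours, but it is the one option here whose semantics are not obvious from the name: a 1-based index of the static exit site in compile order, 0 for all sites, and it re-scopes what fireOSRExitFuzzAt counts. A short description string would spare readers a trip to DFGOSRExitFuzz.h.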
<a id="trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h (186604 => 186605)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h        2015-07-09 19:31:09 UTC (rev 186604)
+++ trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h        2015-07-09 19:43:28 UTC (rev 186605)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> 
</span><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfExceptionFuzzChecks();
</span><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfExecutableAllocationFuzzChecks();
</span><ins>+JS_EXPORT_PRIVATE unsigned numberOfStaticOSRExitFuzzChecks();
</ins><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfOSRExitFuzzChecks();
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre>
</div>
</div>

</body>
</html>