[webkit-reviews] review denied: [Bug 203898] Add FuzzerAgent that reads predictions from a file : [Attachment 382922] proposed patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Nov 7 14:21:28 PST 2019
Saam Barati <sbarati at apple.com> has denied Tuomas Karkkainen
<tuomas.webkit at apple.com>'s request for review:
Bug 203898: Add FuzzerAgent that reads predictions from a file
https://bugs.webkit.org/show_bug.cgi?id=203898
Attachment 382922: proposed patch
https://bugs.webkit.org/attachment.cgi?id=382922&action=review
--- Comment #3 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 382922
--> https://bugs.webkit.org/attachment.cgi?id=382922
proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=382922&action=review
> Source/JavaScriptCore/ChangeLog:7
> +
you should describe the details of what this patch is doing here.
> Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp:167
> +String FileBasedFuzzerAgent::createLookupKey(const String& sourceFilename,
OpcodeID opcodeId, int startLocation, int endLocation)
> +{
> + StringBuilder lookupKey;
> + lookupKey.append(sourceFilename);
> + lookupKey.append("|");
> + lookupKey.append(toString(opcodeAliasForLookupKey(opcodeId)));
> + lookupKey.append("|");
> + lookupKey.append(startLocation);
> + lookupKey.append("|");
> + lookupKey.append(endLocation);
> + return lookupKey.toString();
> +}
nit: This is slightly hokey. We tend to define a struct for hash map keys, and
use a custom hash and equality function. Turning it into a String is
convenient, but slightly weird. I guess since we don't care about perf, maybe
this is ok.
> Source/JavaScriptCore/runtime/FuzzerPredictions.cpp:50
> + while ((line = fgets(buffer, sizeof(buffer), f))) {
> + SpeculatedType prediction;
> + char lookupKey[BUFSIZ];
> + int numberOfItemsFound = sscanf(line, "%[^:]:%llx\n", lookupKey,
&prediction);
> + RELEASE_ASSERT(numberOfItemsFound == 2);
> + const String& functionNameString = String(lookupKey,
strlen(lookupKey));
> + m_predictions.set(functionNameString, prediction);
> + }
can you comment on the format of this file?
Also, how do you produce this file?
> Source/JavaScriptCore/runtime/FuzzerPredictions.cpp:61
> + RELEASE_ASSERT((predicted & SpecFullTop) != SpecNone);
why can't we sometimes produce SpecNone?
> Source/JavaScriptCore/runtime/FuzzerPredictions.h:32
> +#define NO_PREDICTION_FOUND 1ull << 55
Why does this work? This seems slightly wrong.
Maybe we should just fall back to random fuzzer when we don't have the key?
More information about the webkit-reviews
mailing list