[Webkit-unassigned] [Bug 203993] Add FuzzerAgents that narrow and widen number predictions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 4 14:26:41 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=203993

Yusuke Suzuki <ysuzuki at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ysuzuki at apple.com

--- Comment #9 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 384692
  --> https://bugs.webkit.org/attachment.cgi?id=384692
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=384692&action=review

I have question about how narrowing and widening types.

> Source/JavaScriptCore/runtime/NarrowingNumberPredictionFuzzerAgent.cpp:49
> +    unsigned numberOfTypesToKeep = m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size() + 1);

This means that, we could see SpeculateType sets in the same ratio for each count. Let's consider the case that is having 5 SpeculatedTypes. So,

0 => 1/6
1 => 1/6
...
4 => 1/6
5 => 1/6

We have 5 combination when "4" is picked. And each one gets 1/24, which is 1/4 when comparing to SpecNone. Is it intentional?

> Source/JavaScriptCore/runtime/WideningNumberPredictionFuzzerAgent.cpp:61
> +    unsigned numberOfTypesToAdd = m_random.getUint32(numberTypesNotIncludedInSpeculation.size() + 1);
> +    if (!numberOfTypesToAdd)
> +        return original;
> +
> +    SpeculatedType generated = original;
> +    for (unsigned i = 0; i < numberOfTypesToAdd; i++) {
> +        unsigned indexOfNewType = m_random.getUint32(numberTypesNotIncludedInSpeculation.size());
> +        mergeSpeculation(generated, numberTypesNotIncludedInSpeculation[indexOfNewType]);
> +        numberTypesNotIncludedInSpeculation.remove(indexOfNewType);
> +    }

Ditto.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191204/e711ec98/attachment.htm>

More information about the webkit-unassigned mailing list