[Webkit-unassigned] [Bug 203993] Add FuzzerAgents that narrow and widen number predictions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 5 06:47:52 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=203993

--- Comment #10 from Tuomas Karkkainen <tuomas.webkit at apple.com> ---
(In reply to Yusuke Suzuki from comment #9)
> Comment on attachment 384692 [details]
> proposed patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=384692&action=review
> 
> I have a question about how narrowing and widening types work.
> 
> > Source/JavaScriptCore/runtime/NarrowingNumberPredictionFuzzerAgent.cpp:49
> > +    unsigned numberOfTypesToKeep = m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size() + 1);
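Review bot: `m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size() + 1)` draws a count from 0 up to and including the full size, so the narrowing agent can keep zero number types and return SpecNone, and a prediction that already holds a single number type is narrowed to SpecNone one time in two. If SpecNone is not an intended narrowing result, draw `m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size()) + 1` instead, which always keeps at least one type and leaves single-type predictions unchanged; otherwise a short comment stating that SpecNone is a deliberate outcome would help the next reader.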
> 
> This means that we could see SpeculatedType sets in the same ratio for each
> count. Let's consider the case of having 5 SpeculatedTypes. So,
> 
> 0 => 1/6
> 1 => 1/6
> ...
> 4 => 1/6
> 5 => 1/6
> 
> We have 5 combinations when "4" is picked. And each one gets 1/24, which is
> 1/4 when comparing to SpecNone. Is it intentional?

For the widening FuzzerAgent I think this is fine. For the narrowing FuzzerAgent I don't like how often it returns SpecNone. I think it would probably be better to move the "+ 1" outside of the parentheses, which would mean that it never returns SpecNone and single-number-type predictions are always left unchanged.

The real answer depends on how the speculations affect the machine code, and I don't have an answer for that.

> > Source/JavaScriptCore/runtime/WideningNumberPredictionFuzzerAgent.cpp:61
> > +    unsigned numberOfTypesToAdd = m_random.getUint32(numberTypesNotIncludedInSpeculation.size() + 1);
> > +    if (!numberOfTypesToAdd)
> > +        return original;
> > +
> > +    SpeculatedType generated = original;
> > +    for (unsigned i = 0; i < numberOfTypesToAdd; i++) {
> > +        unsigned indexOfNewType = m_random.getUint32(numberTypesNotIncludedInSpeculation.size());
> > +        mergeSpeculation(generated, numberTypesNotIncludedInSpeculation[indexOfNewType]);
> > +        numberTypesNotIncludedInSpeculation.remove(indexOfNewType);
> > +    }
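Review bot: the early `if (!numberOfTypesToAdd) return original;` is redundant, since with a zero count the loop body never runs and `generated` is already a copy of `original`; dropping it leaves a single exit path without changing behaviour. The count drawn from `getUint32(numberTypesNotIncludedInSpeculation.size() + 1)` is uniform over 0..size, so widening by every missing number type at once is exactly as likely as adding one type; if small widenings are meant to dominate, weight the count draw rather than the loop. Removing the chosen entry with `numberTypesNotIncludedInSpeculation.remove(indexOfNewType)` keeps each later `getUint32(numberTypesNotIncludedInSpeculation.size())` draw in bounds and prevents merging the same type twice, which is correct as written.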
> 
> Ditto.
