[Webkit-unassigned] [Bug 203898] Add FuzzerAgent that reads predictions from a file

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 7 14:21:28 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=203898

Saam Barati <sbarati at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #382922|review?, commit-queue?      |review-, commit-queue-
              Flags|                            |

--- Comment #3 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 382922
  --> https://bugs.webkit.org/attachment.cgi?id=382922
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=382922&action=review

> Source/JavaScriptCore/ChangeLog:7
> +

you should describe the details of what this patch is doing here.

> Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp:167
> +String FileBasedFuzzerAgent::createLookupKey(const String& sourceFilename, OpcodeID opcodeId, int startLocation, int endLocation)
> +{
> +    StringBuilder lookupKey;
> +    lookupKey.append(sourceFilename);
> +    lookupKey.append("|");
> +    lookupKey.append(toString(opcodeAliasForLookupKey(opcodeId)));
> +    lookupKey.append("|");
> +    lookupKey.append(startLocation);
> +    lookupKey.append("|");
> +    lookupKey.append(endLocation);
> +    return lookupKey.toString();
> +}

nit: This is slightly hokey. We tend to define a struct for hash map keys, and use a custom hash and equality function. Turning it into a String is convenient, but slightly weird. I guess since we don't care about perf, maybe this is ok.

> Source/JavaScriptCore/runtime/FuzzerPredictions.cpp:50
> +    while ((line = fgets(buffer, sizeof(buffer), f))) {
> +        SpeculatedType prediction;
> +        char lookupKey[BUFSIZ];
> +        int numberOfItemsFound = sscanf(line, "%[^:]:%llx\n", lookupKey, &prediction);
> +        RELEASE_ASSERT(numberOfItemsFound == 2);
> +        const String& functionNameString = String(lookupKey, strlen(lookupKey));
> +        m_predictions.set(functionNameString, prediction);
> +    }

can you comment on the format of this file?

Also, how do you produce this file?

> Source/JavaScriptCore/runtime/FuzzerPredictions.cpp:61
> +        RELEASE_ASSERT((predicted & SpecFullTop) != SpecNone);

why can't we sometimes produce SpecNone?

> Source/JavaScriptCore/runtime/FuzzerPredictions.h:32
> +#define NO_PREDICTION_FOUND 1ull << 55

Why does this work? This seems slightly wrong.

Maybe we should just fall back to random fuzzer when we don't have the key?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191107/e7ecf354/attachment.htm>

More information about the webkit-unassigned mailing list