Bug 196530

Summary:

[JSC] Add FuzzerAgent, which has a hooks to get feedback & inject fuzz data into JSC

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, saam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	saam: review+

Description Yusuke Suzuki 2019-04-03 00:50:24 PDT

...

Comment 1 Yusuke Suzuki 2019-04-03 01:59:52 PDT

Created attachment 366587 [details]
Patch

Comment 2 Yusuke Suzuki 2019-04-03 02:06:40 PDT

Created attachment 366589 [details]
Patch

Comment 3 Yusuke Suzuki 2019-04-03 02:22:31 PDT

Created attachment 366590 [details]
Patch

Comment 4 Yusuke Suzuki 2019-04-03 02:42:57 PDT

Maybe, randomizing part is too simple, but I'll try running this debug build this night, and see the results tomorrow morning.

Comment 5 Yusuke Suzuki 2019-04-03 10:05:36 PDT

I got several test failures. Looking into them.

stress/string-equal-exception-check.js reveals missing exception check.
stress/strict-to-this-int.js reveals incorrect result.
stress/regress-153486.js fails. need to investigate it.

Comment 6 Yusuke Suzuki 2019-04-03 10:13:36 PDT

** The following JSC stress test failures have been introduced:
        jsc-layout-tests.yaml/js/script-tests/dfg-double-vote-fuzz.js.layout
        stress/activation-sink-osrexit-default-value-tdz-error.js.ftl-no-cjit-small-pool
        stress/activation-sink-osrexit-default-value.js.ftl-no-cjit-small-pool
        stress/arrowfunction-lexical-this-activation-sink-osrexit.js.ftl-no-cjit-small-pool
        stress/op_bitand.js.misc-ftl-no-cjit
        stress/op_bitor.js.misc-ftl-no-cjit
        stress/op_bitxor.js.misc-ftl-no-cjit
        stress/regress-153486.js.default
        stress/regress-153486.js.dfg-eager
        stress/regress-153486.js.dfg-eager-no-cjit-validate
        stress/regress-153486.js.dfg-maximal-flush-validate-no-cjit
        stress/regress-153486.js.ftl-eager
        stress/regress-153486.js.ftl-eager-no-cjit
        stress/regress-153486.js.ftl-eager-no-cjit-b3o1
        stress/regress-153486.js.ftl-no-cjit-b3o0
        stress/regress-153486.js.ftl-no-cjit-no-put-stack-validate
        stress/regress-153486.js.ftl-no-cjit-validate-sampling-profiler
        stress/regress-153486.js.no-cjit-validate-phases
        stress/regress-153486.js.no-ftl
        stress/regress-153486.js.no-llint
        stress/rest-parameter-many-arguments.js.ftl-no-cjit-small-pool
        stress/strict-to-this-int.js.dfg-eager
        stress/strict-to-this-int.js.dfg-eager-no-cjit-validate
        stress/strict-to-this-int.js.no-cjit-validate-phases
        stress/strict-to-this-int.js.no-ftl
        stress/strict-to-this-int.js.no-llint
        stress/string-equal-exception-check.js.default
        stress/tailCallForwardArguments.js.ftl-no-cjit-small-pool
        stress/validate-int-52-ai-state.js.default

Results for JSC stress tests:
    29 failures found.

Comment 7 Yusuke Suzuki 2019-04-03 10:13:56 PDT

(In reply to Yusuke Suzuki from comment #6)
> ** The following JSC stress test failures have been introduced:
>         jsc-layout-tests.yaml/js/script-tests/dfg-double-vote-fuzz.js.layout
>        
> stress/activation-sink-osrexit-default-value-tdz-error.js.ftl-no-cjit-small-
> pool
>        
> stress/activation-sink-osrexit-default-value.js.ftl-no-cjit-small-pool
>        
> stress/arrowfunction-lexical-this-activation-sink-osrexit.js.ftl-no-cjit-
> small-pool
>         stress/op_bitand.js.misc-ftl-no-cjit
>         stress/op_bitor.js.misc-ftl-no-cjit
>         stress/op_bitxor.js.misc-ftl-no-cjit
>         stress/regress-153486.js.default
>         stress/regress-153486.js.dfg-eager
>         stress/regress-153486.js.dfg-eager-no-cjit-validate
>         stress/regress-153486.js.dfg-maximal-flush-validate-no-cjit
>         stress/regress-153486.js.ftl-eager
>         stress/regress-153486.js.ftl-eager-no-cjit
>         stress/regress-153486.js.ftl-eager-no-cjit-b3o1
>         stress/regress-153486.js.ftl-no-cjit-b3o0
>         stress/regress-153486.js.ftl-no-cjit-no-put-stack-validate
>         stress/regress-153486.js.ftl-no-cjit-validate-sampling-profiler
>         stress/regress-153486.js.no-cjit-validate-phases
>         stress/regress-153486.js.no-ftl
>         stress/regress-153486.js.no-llint
>         stress/rest-parameter-many-arguments.js.ftl-no-cjit-small-pool
>         stress/strict-to-this-int.js.dfg-eager
>         stress/strict-to-this-int.js.dfg-eager-no-cjit-validate
>         stress/strict-to-this-int.js.no-cjit-validate-phases
>         stress/strict-to-this-int.js.no-ftl
>         stress/strict-to-this-int.js.no-llint
>         stress/string-equal-exception-check.js.default
>         stress/tailCallForwardArguments.js.ftl-no-cjit-small-pool
>         stress/validate-int-52-ai-state.js.default
> 
> Results for JSC stress tests:
>     29 failures found.

Many of them are simple timeout. But it seems that some of them are real issues.

Comment 8 Yusuke Suzuki 2019-04-03 14:43:07 PDT

Created attachment 366646 [details]
Patch

Comment 9 EWS Watchlist 2019-04-03 14:46:02 PDT

Attachment 366646 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:3:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer, fuzzer  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 15 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 10 Saam Barati 2019-04-03 15:06:04 PDT

Comment on attachment 366646 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366646&action=review

r=me

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:844
> +            auto* fuzzerAgent = m_vm->fuzzerAgent();
> +            if (UNLIKELY(fuzzerAgent))
> +                return fuzzerAgent->getPrediction(codeBlock, bytecodeIndex, prediction);

nit: I like to write this as a single line:
if (UNLIKELY(auto* fuzzerAgent = m_vm->fuzzerAgent()))

> Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp:36
> +SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock*, int, SpeculatedType)

Can we enable this on some of our tests once we pass all tests with it? Maybe worth filing a bug.

Comment 11 Yusuke Suzuki 2019-04-03 15:17:11 PDT

Comment on attachment 366646 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=366646&action=review

Thanks!

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:844
>> +                return fuzzerAgent->getPrediction(codeBlock, bytecodeIndex, prediction);
> 
> nit: I like to write this as a single line:
> if (UNLIKELY(auto* fuzzerAgent = m_vm->fuzzerAgent()))

Unfortunately, we cannot do this since `auto* fuzzerAgent = m_vm->fuzzerAgent()` is not expression, so we cannot wrap it with UNLIKELY.

if (UNLIKELY(auto* fuzzerAgent = m_vm->fuzzerAgent())) => compile error

This is why we have two lines now... :(

>> Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp:36
>> +SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock*, int, SpeculatedType)
> 
> Can we enable this on some of our tests once we pass all tests with it? Maybe worth filing a bug.

Yeah, I think we can add an another variant like "-value-profiling-fuzz" in the stress tests to fuzz our engine more. I've opened the bug for this https://bugs.webkit.org/show_bug.cgi?id=196569.

Comment 12 Yusuke Suzuki 2019-04-03 15:24:52 PDT

Committed r243832: <https://trac.webkit.org/changeset/243832>

Comment 13 Radar WebKit Bug Importer 2019-04-03 15:25:37 PDT

<rdar://problem/49576836>