Bug 203993 - Add FuzzerAgents that narrow and widen number predictions
Summary: Add FuzzerAgents that narrow and widen number predictions
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-11-08 05:47 PST by Tuomas Karkkainen
Modified: 2020-01-08 15:42 PST (History)
9 users (show)

See Also:

Attachments
proposed patch (24.22 KB, patch)
2019-11-08 05:55 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
updated patch (24.36 KB, patch)
2019-11-08 08:10 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
fix ChangeLog as per review (24.43 KB, patch)
2019-11-08 11:40 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
proposed patch (23.72 KB, patch)
2019-11-13 00:09 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
proposed patch (23.88 KB, patch)
2019-12-02 02:11 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
proposed patch (23.63 KB, patch)
2019-12-02 02:13 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
proposed patch (23.61 KB, patch)
2019-12-02 22:58 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
proposed patch (23.66 KB, patch)
2019-12-08 23:41 PST, Tuomas Karkkainen 		no flags Details | Formatted Diff | Diff
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tuomas Karkkainen 2019-11-08 05:47:45 PST 
Add FuzzerAgents that narrow and widen number predictions
Comment 1 Tuomas Karkkainen 2019-11-08 05:55:37 PST 
Created attachment 383121 [details]
proposed patch

proposed patch
Comment 2 Tuomas Karkkainen 2019-11-08 08:10:51 PST 
Created attachment 383126 [details]
updated patch

added m_lock
Comment 3 Mark Lam 2019-11-08 11:29:36 PST 
Comment on attachment 383126 [details]
updated patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383126&action=review

> Source/JavaScriptCore/ChangeLog:5
> +        Add two FuzzerAgents such that for any predictions that are originally subsets of SpecFullNumber:
> +        - one adds more number types to the prediction
> +        - the other removes some of the number types from the prediction

You should put this txt that explains what's changed in the region below "Reviewed by ..." but above the list of changed files.  Here, you should have a 1 line title instead e.g. "Add FuzzerAgents that narrow and widen number predictions." from the bug title.

> Source/JavaScriptCore/ChangeLog:9
> +        Reviewed by NOBODY (OOPS!).
> +

Move the above "what's changed" text here after the "Reviewed by ..." line.
Comment 4 Tuomas Karkkainen 2019-11-08 11:40:21 PST 
Created attachment 383149 [details]
fix ChangeLog as per review
Comment 5 Tuomas Karkkainen 2019-11-13 00:09:39 PST 
Created attachment 383437 [details]
proposed patch

replaces SpecFullNumber with SpecBytecodeNumber as the superset of number types included in the speculation.

also simplifies a couple of things.

previous patches returned 'original' from the narrowing fuzzer agent, as opposed to the intended 'generated'.
Comment 6 Tuomas Karkkainen 2019-12-02 02:11:39 PST 
Created attachment 384604 [details]
proposed patch

updated to address changes from other FuzzerAgent patches
Comment 7 Tuomas Karkkainen 2019-12-02 02:13:57 PST 
Created attachment 384605 [details]
proposed patch

remove extra whitespace change
Comment 8 Tuomas Karkkainen 2019-12-02 22:58:40 PST 
Created attachment 384692 [details]
proposed patch

update patch to account for external changes.
Comment 9 Yusuke Suzuki 2019-12-04 14:26:41 PST 
Comment on attachment 384692 [details]
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=384692&action=review

I have question about how narrowing and widening types.

> Source/JavaScriptCore/runtime/NarrowingNumberPredictionFuzzerAgent.cpp:49
> +    unsigned numberOfTypesToKeep = m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size() + 1);

This means that, we could see SpeculateType sets in the same ratio for each count. Let's consider the case that is having 5 SpeculatedTypes. So,

0 => 1/6
1 => 1/6
...
4 => 1/6
5 => 1/6

We have 5 combination when "4" is picked. And each one gets 1/24, which is 1/4 when comparing to SpecNone. Is it intentional?

> Source/JavaScriptCore/runtime/WideningNumberPredictionFuzzerAgent.cpp:61
> +    unsigned numberOfTypesToAdd = m_random.getUint32(numberTypesNotIncludedInSpeculation.size() + 1);
> +    if (!numberOfTypesToAdd)
> +        return original;
> +
> +    SpeculatedType generated = original;
> +    for (unsigned i = 0; i < numberOfTypesToAdd; i++) {
> +        unsigned indexOfNewType = m_random.getUint32(numberTypesNotIncludedInSpeculation.size());
> +        mergeSpeculation(generated, numberTypesNotIncludedInSpeculation[indexOfNewType]);
> +        numberTypesNotIncludedInSpeculation.remove(indexOfNewType);
> +    }

Ditto.
Comment 10 Tuomas Karkkainen 2019-12-05 06:47:52 PST 
(In reply to Yusuke Suzuki from comment #9)
> Comment on attachment 384692 [details]
> proposed patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=384692&action=review
> 
> I have question about how narrowing and widening types.
> 
> > Source/JavaScriptCore/runtime/NarrowingNumberPredictionFuzzerAgent.cpp:49
> > +    unsigned numberOfTypesToKeep = m_random.getUint32(numberTypesThatCouldBePartOfSpeculation.size() + 1);
> 
> This means that, we could see SpeculateType sets in the same ratio for each
> count. Let's consider the case that is having 5 SpeculatedTypes. So,
> 
> 0 => 1/6
> 1 => 1/6
> ...
> 4 => 1/6
> 5 => 1/6
> 
> We have 5 combination when "4" is picked. And each one gets 1/24, which is
> 1/4 when comparing to SpecNone. Is it intentional?

For the widening FuzzerAgent I think this is fine. For the narrowing FuzzerAgent I don't like how often it returns SpecNone. I think it would probably be better to move the "+ 1" outside of the parentheses, which would mean that it never returned SpecNone, and single number type predictions were always left unchanged.

The real answer depends on how the speculations affect the machine code, and I don't have an answer for that.

> > Source/JavaScriptCore/runtime/WideningNumberPredictionFuzzerAgent.cpp:61
> > +    unsigned numberOfTypesToAdd = m_random.getUint32(numberTypesNotIncludedInSpeculation.size() + 1);
> > +    if (!numberOfTypesToAdd)
> > +        return original;
> > +
> > +    SpeculatedType generated = original;
> > +    for (unsigned i = 0; i < numberOfTypesToAdd; i++) {
> > +        unsigned indexOfNewType = m_random.getUint32(numberTypesNotIncludedInSpeculation.size());
> > +        mergeSpeculation(generated, numberTypesNotIncludedInSpeculation[indexOfNewType]);
> > +        numberTypesNotIncludedInSpeculation.remove(indexOfNewType);
> > +    }
> 
> Ditto.
Comment 11 Tuomas Karkkainen 2019-12-08 23:41:49 PST 
Created attachment 385135 [details]
proposed patch

Changes the narrowing fuzzer agent to always keep at least one number type. This means it never returns SpecNone.
Comment 12 Yusuke Suzuki 2020-01-08 14:54:30 PST 
Comment on attachment 385135 [details]
proposed patch

OK, r=me
Comment 13 WebKit Commit Bot 2020-01-08 15:41:37 PST 
Comment on attachment 385135 [details]
proposed patch

Clearing flags on attachment: 385135

Committed r254230: <https://trac.webkit.org/changeset/254230>
Comment 14 WebKit Commit Bot 2020-01-08 15:41:39 PST 
All reviewed patches have been landed.  Closing bug.
Comment 15 Radar WebKit Bug Importer 2020-01-08 15:42:21 PST 
<rdar://problem/58424588>