
Conversation

@hyjorc1
Contributor

@hyjorc1 hyjorc1 commented May 3, 2023

d38e925

[JSC] LICM fuzzer should always try to hoist check nodes
https://bugs.webkit.org/show_bug.cgi?id=256223
rdar://108693746

Reviewed by Yusuke Suzuki.

The LICM fuzzer was introduced in https://trac.webkit.org/changeset/264133/webkit,
which is intended for checking unsafe hoisting. However, we might get a crash when
some nodes get hoisted but their corresponding check nodes do not. This is because
when useLICMFuzzing=1, the fuzzer will try to hoist randomly picked nodes.
To fix the issue, the fuzzer should always try to hoist check nodes.

* Source/JavaScriptCore/dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::isCheckNode):

Canonical link: https://commits.webkit.org/263648@main

898f6f4

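
The failure mode the commit message describes, modelled in an added example that is not WebKit or JSC code: a toy loop body in which a load relies on the proof established by a check node, where that reliance is deliberately not a data edge (so LICM is free to move the two independently). Every name below (`Node`, `HoistDecisions`, `runLICMFuzzer`, `unsafeHoists`) is hypothetical; the bit-mask stands in for the fuzzer's random coin flips so that the outcome is reproducible. With `alwaysHoistChecks == false` (the original behaviour) one decision pattern hoists the load but leaves its check inside the loop, which is the unsafe hoist that crashed; with `alwaysHoistChecks == true` (the fix) the check is always attempted and no such pattern exists.

```cpp
// Toy model of a loop-invariant code motion (LICM) pass with a fuzzing mode.
// Added example, not WebKit/JSC code; every name here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Op { Const, Check, Load };

struct Node {
    int id;
    Op op;
    std::vector<int> inputs;    // data inputs: must be hoisted before this node can be
    std::vector<int> guardedBy; // check nodes whose proof this node relies on; NOT a data edge
    bool hoisted = false;
    bool isCheckNode() const { return op == Op::Check; }
};

// Stands in for the fuzzer's random coin flips: bit i of `bits` is the i-th decision.
struct HoistDecisions {
    uint32_t bits;
    unsigned next = 0;
    bool pick() { return (bits >> (next++ % 32)) & 1u; }
};

// Walks the loop body in program order and decides, per loop-invariant node,
// whether to hoist it.
// alwaysHoistChecks == false models the original fuzzer (every node is a coin flip);
// alwaysHoistChecks == true models the fix (check nodes are always attempted).
std::vector<Node> runLICMFuzzer(std::vector<Node> loop, HoistDecisions decisions, bool alwaysHoistChecks)
{
    std::vector<bool> hoistedById(loop.size(), false);
    for (Node& node : loop) {
        bool inputsInvariant = true;
        for (int input : node.inputs)
            inputsInvariant = inputsInvariant && hoistedById[input];
        if (!inputsInvariant)
            continue; // depends on something still in the loop: cannot move
        bool tryHoist = decisions.pick();
        if (alwaysHoistChecks && node.isCheckNode())
            tryHoist = true; // the fix: never leave a check behind by chance
        if (tryHoist) {
            node.hoisted = true;
            hoistedById[node.id] = true;
        }
    }
    return loop;
}

// Counts hoisted nodes whose guarding check stayed inside the loop: the hoisted
// node now executes before the check that was supposed to protect it.
int unsafeHoists(const std::vector<Node>& loop)
{
    int count = 0;
    for (const Node& node : loop) {
        if (!node.hoisted)
            continue;
        for (int guard : node.guardedBy)
            if (!loop[guard].hoisted)
                ++count;
    }
    return count;
}

// Constructed sample loop body (ids equal vector indices): a structure-style
// check on a loop-invariant base object, and a load that relies on that check.
std::vector<Node> sampleLoop()
{
    return {
        { 0, Op::Const, {}, {} },       // base object, loop-invariant
        { 1, Op::Check, { 0 }, {} },    // check on node 0
        { 2, Op::Load, { 0 }, { 1 } },  // load relying on the proof from node 1
    };
}

// Convenience wrapper: number of unsafe hoists for one decision pattern.
int unsafeHoistsFor(uint32_t decisionBits, bool alwaysHoistChecks)
{
    return unsafeHoists(runLICMFuzzer(sampleLoop(), HoistDecisions{ decisionBits }, alwaysHoistChecks));
}

int main()
{
    // Decisions 0b101: hoist node 0, skip node 1 (the check), hoist node 2 (the load).
    std::printf("original fuzzer, pattern 0b101: %d unsafe hoist(s)\n", unsafeHoistsFor(0b101u, false));
    std::printf("fixed fuzzer,    pattern 0b101: %d unsafe hoist(s)\n", unsafeHoistsFor(0b101u, true));
    return 0;
}
```

The `guardedBy` edge is the whole point of the model: because the check is not a data input of the load, an invariance test alone never forces the two to move together, so a purely random selection can separate them. Making check nodes unconditional restores the property that whatever else gets hoisted, its check is already above the loop.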

@hyjorc1 hyjorc1 requested a review from a team as a code owner May 3, 2023 19:55
@hyjorc1 hyjorc1 self-assigned this May 3, 2023
@hyjorc1 hyjorc1 added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label May 3, 2023
Member

@Constellation Constellation left a comment

r=me

@hyjorc1 hyjorc1 added the merge-queue Applied to send a pull request to merge-queue label May 3, 2023
@webkit-commit-queue
Collaborator

Committed 263648@main (d38e925): https://commits.webkit.org/263648@main

Reviewed commits have been landed. Closing PR #13410 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit d38e925 into WebKit:main May 3, 2023
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label May 3, 2023