def parseOptions(args): parser = OptionParser() parser.disable_interspersed_args() parser.add_option("--valgrind", action="store_true", dest="valgrind", default=False, help="use valgrind with a reasonable set of options") parser.add_option("--submit", action="store_true", dest="submit", default=False, help="submit to fuzzmanager (if interesting)") parser.add_option("--minlevel", type="int", dest="minimumInterestingLevel", default=JS_FINE + 1, help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting") parser.add_option("--timeout", type="int", dest="timeout", default=120, help="timeout in seconds") options, args = parser.parse_args(args) if len(args) < 2: raise Exception("Not enough positional arguments") options.knownPath = args[0] options.jsengineWithArgs = args[1:] options.collector = createCollector.createCollector("jsfunfuzz") if not os.path.exists(options.jsengineWithArgs[0]): raise Exception("js shell does not exist: " + options.jsengineWithArgs[0]) options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic') return options
def randomFlagSet(shellPath): """Return a random list of CLI flags appropriate for the given shell. Only works for spidermonkey js shell. Does not work for xpcshell. """ args = [] ion = shellSupportsFlag(shellPath, "--ion") and chance(.8) if shellSupportsFlag(shellPath, '--fuzzing-safe'): args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361 # Landed in m-c changeset c0c1d923c292, see bug 1255008 if shellSupportsFlag(shellPath, '--ion-aa=flow-sensitive'): if chance(.4): args.append('--ion-aa=flow-sensitive') elif shellSupportsFlag(shellPath, '--ion-aa=flow-insensitive') and chance(.4): args.append('--ion-aa=flow-insensitive') # See bug 932517, which had landed to fix this issue. Keeping this around for archives: # Original breakage in m-c rev 269359 : https://hg.mozilla.org/mozilla-central/rev/a0ccab2a6e28 # Fix in m-c rev 269896: https://hg.mozilla.org/mozilla-central/rev/3bb8446a6d8d # Anything in-between involving let probably needs "-e 'version(185);'" to see if we can bypass breakage # if shellSupportsFlag(shellPath, "--execute='version(185);'"): # args.append("--execute='version(185);'") # Note for future: --wasm-check-bce is only useful for x86 and ARM32 if shellSupportsFlag(shellPath, '--wasm-always-baseline') and chance(.5): args.append("--wasm-always-baseline") # --wasm-always-baseline landed in bug 1232205 if shellSupportsFlag(shellPath, '--ion-pgo=on') and chance(.2): args.append("--ion-pgo=on") # --ion-pgo=on landed in bug 1209515 if shellSupportsFlag(shellPath, '--ion-sincos=on') and chance(.5): sincosValue = "on" if chance(0.5) else "off" args.append("--ion-sincos=" + sincosValue) # --ion-sincos=[on|off] landed in bug 984018 if shellSupportsFlag(shellPath, '--ion-instruction-reordering=on') and chance(.2): args.append("--ion-instruction-reordering=on") # --ion-instruction-reordering=on landed in bug 1195545 if shellSupportsFlag(shellPath, '--ion-shared-stubs=on') and chance(.2): args.append("--ion-shared-stubs=on") # --ion-shared-stubs=on landed in bug 1168756 if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3): args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805 if shellSupportsFlag(shellPath, "--execute=setJitCompilerOption('ion.forceinlineCaches',1)") and chance(.1): args.append("--execute=setJitCompilerOption('ion.forceinlineCaches',1)") if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1): args.append("--no-cgc") # --no-cgc landed in bug 1126769 if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1): args.append("--no-ggc") # --no-ggc landed in bug 706885 if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1): args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492 if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2): args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199 # if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2): # args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674 if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9): # Focus testing on CheckNursery (16), see: # https://hg.mozilla.org/mozilla-central/rev/bdbb5822afe1 gczealValue = 16 if chance(0.5) else random.randint(0, 16) args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602 if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1): args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804 if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2): args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458 if shellSupportsFlag(shellPath, '--no-threads') and chance(.5): args.append("--no-threads") # --no-threads landed in bug 1031529 if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05): args.append("--disable-ion") # --disable-ion landed in bug 789319 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3): # It was suggested to focus more on the range between 0 and 1. # Reduced the upper limit to 8, see bug 1053996 comment 8. asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1) args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3): asmPoolMaxOffset = random.randint(5, 1024) args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919 if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1): args.append("--no-native-regexp") # See bug 976446 if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4): args.append('--arm-sim-icache-checks') if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2): # --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a. if chance(.5): args.append("--no-sse3") else: args.append("--no-sse4") # We should stop fuzzing --no-fpu according to the js devs... # if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2): # args.append("--no-fpu") # --no-fpu landed in bug 858022 if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5): args.append("--no-asmjs") # --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c. if shellSupportsFlag(shellPath, '--baseline-eager'): if chance(.3): args.append('--no-baseline') # elif is important, as we want to call --baseline-eager only if --no-baseline is not set. elif chance(.6): args.append("--baseline-eager") if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'): if chance(.7): # Focus on the reproducible cases args.append("--ion-offthread-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # Default is to have --ion-offthread-compile=on and --thread-count=<some default value> elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'): # --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9. if chance(.7): # Focus on the reproducible cases args.append("--ion-parallel-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # The default is to have --ion-parallel-compile=on and --thread-count=<some default value> if ion: if chance(.6): args.append("--ion-eager") if chance(.2): args.append("--ion-gvn=off") if chance(.2): args.append("--ion-licm=off") if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2): args.append("--ion-edgecase-analysis=off") if chance(.2): args.append("--ion-range-analysis=off") if chance(.2): args.append("--ion-inlining=off") if chance(.2): args.append("--ion-osr=off") if chance(.2): args.append("--ion-limit-script-size=off") # Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e # The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs # if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2): # args.append('--ion-regalloc=stupid') if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2): args.append('--ion-regalloc=testbed') if shellSupportsFlag(shellPath, '--ion-check-range-analysis') and chance(.3): args.append('--ion-check-range-analysis') if shellSupportsFlag(shellPath, '--ion-extra-checks') and chance(.3): args.append('--ion-extra-checks') else: args.append("--no-ion") # if chance(.05): # args.append("--execute=verifyprebarriers()") if chance(.05): args.append("-D") # aka --dump-bytecode return args
def randomFlagSet(shellPath): """Return a random list of CLI flags appropriate for the given shell. Only works for spidermonkey js shell. Does not work for xpcshell. """ args = [] ion = shellSupportsFlag(shellPath, "--ion") and chance(.8) if shellSupportsFlag(shellPath, '--fuzzing-safe'): args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361 # See bug 932517, which had landed to fix this issue. Keeping this around for archives: # Original breakage in m-c rev 269359 : https://hg.mozilla.org/mozilla-central/rev/a0ccab2a6e28 # Fix in m-c rev 269896: https://hg.mozilla.org/mozilla-central/rev/3bb8446a6d8d # Anything in-between involving let probably needs "-e 'version(185);'" to see if we can bypass breakage # if shellSupportsFlag(shellPath, "--execute='version(185);'"): # args.append("--execute='version(185);'") if shellSupportsFlag(shellPath, '--ion-pgo=on') and chance(.2): args.append("--ion-pgo=on") # --ion-pgo=on landed in bug 1209515 if shellSupportsFlag(shellPath, '--ion-sincos=on') and chance(.5): sincosValue = "on" if chance(0.5) else "off" args.append("--ion-sincos=" + sincosValue) # --ion-sincos=[on|off] landed in bug 984018 if shellSupportsFlag(shellPath, '--ion-instruction-reordering=on') and chance(.2): args.append("--ion-instruction-reordering=on") # --ion-instruction-reordering=on landed in bug 1195545 if shellSupportsFlag(shellPath, '--ion-shared-stubs=on') and chance(.2): args.append("--ion-shared-stubs=on") # --ion-shared-stubs=on landed in bug 1168756 if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3): args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805 if shellSupportsFlag(shellPath, "--execute=setJitCompilerOption('ion.forceinlineCaches',1)") and chance(.1): args.append("--execute=setJitCompilerOption('ion.forceinlineCaches',1)") if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1): args.append("--no-cgc") # --no-cgc landed in bug 1126769 if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1): args.append("--no-ggc") # --no-ggc landed in bug 706885 if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1): args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492 if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2): args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199 # if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2): # args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674 if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9): gczealValue = 14 if chance(0.5) else random.randint(0, 14) # Focus test compacting GC (14) args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602 if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1): args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804 if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2): args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458 if shellSupportsFlag(shellPath, '--no-threads') and chance(.5): args.append("--no-threads") # --no-threads landed in bug 1031529 if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05): args.append("--disable-ion") # --disable-ion landed in bug 789319 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3): # It was suggested to focus more on the range between 0 and 1. # Reduced the upper limit to 8, see bug 1053996 comment 8. asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1) args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3): asmPoolMaxOffset = random.randint(5, 1024) args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919 if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1): args.append("--no-native-regexp") # See bug 976446 if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4): args.append('--arm-sim-icache-checks') if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2): # --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a. if chance(.5): args.append("--no-sse3") else: args.append("--no-sse4") if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2): args.append("--no-fpu") # --no-fpu landed in bug 858022 if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5): args.append("--no-asmjs") # --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c. if shellSupportsFlag(shellPath, '--baseline-eager'): if chance(.3): args.append('--no-baseline') # elif is important, as we want to call --baseline-eager only if --no-baseline is not set. elif chance(.6): args.append("--baseline-eager") if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'): if chance(.7): # Focus on the reproducible cases args.append("--ion-offthread-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # Default is to have --ion-offthread-compile=on and --thread-count=<some default value> elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'): # --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9. if chance(.7): # Focus on the reproducible cases args.append("--ion-parallel-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # The default is to have --ion-parallel-compile=on and --thread-count=<some default value> if ion: if chance(.6): args.append("--ion-eager") if chance(.2): args.append("--ion-gvn=off") if chance(.2): args.append("--ion-licm=off") if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2): args.append("--ion-edgecase-analysis=off") if chance(.2): args.append("--ion-range-analysis=off") if chance(.2): args.append("--ion-inlining=off") if chance(.2): args.append("--ion-osr=off") if chance(.2): args.append("--ion-limit-script-size=off") # Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e # The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs # if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2): # args.append('--ion-regalloc=stupid') if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2): args.append('--ion-regalloc=testbed') if shellSupportsFlag(shellPath, '--ion-check-range-analysis'): if chance(.3): args.append('--ion-check-range-analysis') if shellSupportsFlag(shellPath, '--ion-extra-checks'): if chance(.3): args.append('--ion-extra-checks') else: args.append("--no-ion") # if chance(.05): # args.append("--execute=verifyprebarriers()") if chance(.05): args.append("-D") # aka --dump-bytecode return args
def randomFlagSet(shellPath): ''' Returns a random list of command-line flags appropriate for the given shell. Only works for spidermonkey js shell. Does not work for xpcshell. ''' args = [] ion = shellSupportsFlag(shellPath, "--ion") and chance(.8) if shellSupportsFlag(shellPath, '--fuzzing-safe'): args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361 if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3): args.append("--non-writable-jitcode" ) # --non-writable-jitcode landed in bug 977805 if shellSupportsFlag( shellPath, "--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'" ) and chance(.1): args.append( "--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'") if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1): args.append("--no-cgc") # --no-cgc landed in bug 1126769 if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1): args.append("--no-ggc") # --no-ggc landed in bug 706885 if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1): args.append( "--no-incremental-gc") # --no-incremental-gc landed in bug 958492 # if shellSupportsFlag(shellPath, '--unboxed-arrays') and chance(.2): # args.append("--unboxed-arrays") # --unboxed-arrays landed in bug 1146597 if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2): args.append("--no-unboxed-objects" ) # --no-unboxed-objects landed in bug 1162199 #if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2): # args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674 if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9): gczealValue = 14 if chance(0.5) else random.randint( 0, 14) # Focus test compacting GC (14) args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602 if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1): args.append("--enable-small-chunk-size" ) # --enable-small-chunk-size landed in bug 941804 if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2): args.append("--ion-loop-unrolling=on" ) # --ion-loop-unrolling=on landed in bug 1039458 if shellSupportsFlag(shellPath, '--no-threads') and chance(.5): args.append("--no-threads") # --no-threads landed in bug 1031529 if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05): args.append("--disable-ion") # --disable-ion landed in bug 789319 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3): # It was suggested to focus more on the range between 0 and 1. # Reduced the upper limit to 8, see bug 1053996 comment 8. asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint( 0, 1) args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3): asmPoolMaxOffset = random.randint(5, 1024) args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919 if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1): args.append("--no-native-regexp") # See bug 976446 if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4): args.append('--arm-sim-icache-checks') if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2): # --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a. if chance(.5): args.append("--no-sse3") else: args.append("--no-sse4") if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2): args.append("--no-fpu") # --no-fpu landed in bug 858022 if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5): args.append("--no-asmjs") # --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c. if shellSupportsFlag(shellPath, '--baseline-eager'): if chance(.3): args.append('--no-baseline') # elif is important, as we want to call --baseline-eager only if --no-baseline is not set. elif chance(.6): args.append("--baseline-eager") if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'): if chance(.7): # Focus on the reproducible cases args.append("--ion-offthread-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # Default is to have --ion-offthread-compile=on and --thread-count=<some default value> elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'): # --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9. if chance(.7): # Focus on the reproducible cases args.append("--ion-parallel-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # The default is to have --ion-parallel-compile=on and --thread-count=<some default value> if ion: if chance(.6): args.append("--ion-eager") if chance(.2): args.append("--ion-gvn=off") if chance(.2): args.append("--ion-licm=off") if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2): args.append("--ion-edgecase-analysis=off") if chance(.2): args.append("--ion-range-analysis=off") if chance(.2): args.append("--ion-inlining=off") if chance(.2): args.append("--ion-osr=off") if chance(.2): args.append("--ion-limit-script-size=off") # Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e # The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs #if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2): #args.append('--ion-regalloc=stupid') if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2): args.append('--ion-regalloc=testbed') if shellSupportsFlag(shellPath, '--ion-check-range-analysis'): if chance(.3): args.append('--ion-check-range-analysis') if shellSupportsFlag(shellPath, '--ion-extra-checks'): if chance(.3): args.append('--ion-extra-checks') else: args.append("--no-ion") #if chance(.05): # args.append("--execute=verifyprebarriers()") if chance(.05): args.append("-D") # aka --dump-bytecode return args
def randomFlagSet(shellPath): ''' Returns a random list of command-line flags appropriate for the given shell. Only works for spidermonkey js shell. Does not work for xpcshell. ''' args = [] ion = shellSupportsFlag(shellPath, "--ion") and chance(.8) if shellSupportsFlag(shellPath, '--fuzzing-safe'): args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361 if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3): args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805 if shellSupportsFlag(shellPath, "--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'") and chance(.1): args.append("--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'") if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1): args.append("--no-cgc") # --no-cgc landed in bug 1126769 if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1): args.append("--no-ggc") # --no-ggc landed in bug 706885 if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1): args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492 # Disabled until bug 1190733, bug 1193213 and bug 1193543 are fixed. # if shellSupportsFlag(shellPath, '--unboxed-arrays') and chance(.2): # args.append("--unboxed-arrays") # --unboxed-arrays landed in bug 1146597 if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2): args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199 #if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2): # args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674 if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9): gczealValue = 14 if chance(0.5) else random.randint(0, 14) # Focus test compacting GC (14) args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602 if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1): args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804 if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2): args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458 if shellSupportsFlag(shellPath, '--no-threads') and chance(.5): args.append("--no-threads") # --no-threads landed in bug 1031529 if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05): args.append("--disable-ion") # --disable-ion landed in bug 789319 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3): # It was suggested to focus more on the range between 0 and 1. # Reduced the upper limit to 8, see bug 1053996 comment 8. asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1) args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834 # See bug 1026919 comment 60: if sps.isARMv7l and \ shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3): asmPoolMaxOffset = random.randint(5, 1024) args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919 if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1): args.append("--no-native-regexp") # See bug 976446 if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4): args.append('--arm-sim-icache-checks') if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2): # --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a. if chance(.5): args.append("--no-sse3") else: args.append("--no-sse4") if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2): args.append("--no-fpu") # --no-fpu landed in bug 858022 if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5): args.append("--no-asmjs") # --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c. if shellSupportsFlag(shellPath, '--baseline-eager'): if chance(.3): args.append('--no-baseline') # elif is important, as we want to call --baseline-eager only if --no-baseline is not set. elif chance(.6): args.append("--baseline-eager") if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'): if chance(.7): # Focus on the reproducible cases args.append("--ion-offthread-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # Default is to have --ion-offthread-compile=on and --thread-count=<some default value> elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'): # --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9. if chance(.7): # Focus on the reproducible cases args.append("--ion-parallel-compile=off") elif chance(.5) and multiprocessing.cpu_count() > 1 and \ shellSupportsFlag(shellPath, '--thread-count=1'): # Adjusts default number of threads for parallel compilation (turned on by default) totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2)) args.append('--thread-count=' + str(totalThreads)) # else: # The default is to have --ion-parallel-compile=on and --thread-count=<some default value> if ion: if chance(.6): args.append("--ion-eager") if chance(.2): args.append("--ion-gvn=off") if chance(.2): args.append("--ion-licm=off") if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2): args.append("--ion-edgecase-analysis=off") if chance(.2): args.append("--ion-range-analysis=off") if chance(.2): args.append("--ion-inlining=off") if chance(.2): args.append("--ion-osr=off") if chance(.2): args.append("--ion-limit-script-size=off") # Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e # The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs #if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2): #args.append('--ion-regalloc=stupid') if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2): args.append('--ion-regalloc=testbed') if shellSupportsFlag(shellPath, '--ion-check-range-analysis'): if chance(.3): args.append('--ion-check-range-analysis') if shellSupportsFlag(shellPath, '--ion-extra-checks'): if chance(.3): args.append('--ion-extra-checks') else: args.append("--no-ion") #if chance(.05): # args.append("--execute=verifyprebarriers()") if chance(.05): args.append("-D") # aka --dump-bytecode return args
def many_timed_runs(targetTime, wtmpDir, args): options = parseOpts(args) engineFlags = options.engineFlags # engineFlags is overwritten later if --random-flags is set. startTime = time.time() if os.path.isdir(sps.normExpUserPath(options.repo)): regressionTestListFile = sps.normExpUserPath( os.path.join(wtmpDir, "regression-tests.list")) with open(regressionTestListFile, "wb") as f: for fn in inTreeRegressionTests(options.repo): f.write(fn + "\n") regressionTestPrologue = makeRegressionTestPrologue( options.repo, regressionTestListFile) else: regressionTestPrologue = "" fuzzjs = sps.normExpUserPath(os.path.join(wtmpDir, "jsfunfuzz.js")) linkFuzzer(fuzzjs, options.repo, regressionTestPrologue) iteration = 0 while True: if targetTime and time.time() > startTime + targetTime: print "Out of time!" os.remove(fuzzjs) if len(os.listdir(wtmpDir)) == 0: os.rmdir(wtmpDir) return (lithOps.HAPPY, None) # Construct command needed to loop jsfunfuzz fuzzing. jsInterestingArgs = [] jsInterestingArgs.append('--timeout=' + str(options.timeout)) if options.valgrind: jsInterestingArgs.append('--valgrind') jsInterestingArgs.append(options.knownPath) jsInterestingArgs.append(options.jsEngine) if options.randomFlags: engineFlags = shellFlags.randomFlagSet(options.jsEngine) jsInterestingArgs.extend(engineFlags) jsInterestingArgs.extend( ['-e', 'maxRunTime=' + str(options.timeout * (1000 / 2))]) jsInterestingArgs.extend(['-f', fuzzjs]) jsunhappyOptions = jsInteresting.parseOptions(jsInterestingArgs) iteration += 1 logPrefix = sps.normExpUserPath( os.path.join(wtmpDir, "w" + str(iteration))) level = jsInteresting.jsfunfuzzLevel(jsunhappyOptions, logPrefix) if level != jsInteresting.JS_FINE: showtail(logPrefix + "-out.txt") showtail(logPrefix + "-err.txt") # splice jsfunfuzz.js with `grep FRC wN-out` filenameToReduce = logPrefix + "-reduced.js" [before, after] = fileManipulation.fuzzSplice(fuzzjs) with open(logPrefix + '-out.txt', 'rb') as f: newfileLines = before + [ l.replace('/*FRC*/', '') for l in fileManipulation.linesStartingWith(f, "/*FRC*/") ] + after fileManipulation.writeLinesToFile(newfileLines, logPrefix + "-orig.js") fileManipulation.writeLinesToFile(newfileLines, filenameToReduce) # Run Lithium and autobisect (make a reduced testcase and find a regression window) itest = [interestingpy] if options.valgrind: itest.append("--valgrind") itest.append("--minlevel=" + str(level)) itest.append("--timeout=" + str(options.timeout)) itest.append(options.knownPath) (lithResult, lithDetails) = pinpoint.pinpoint( itest, logPrefix, options.jsEngine, engineFlags, filenameToReduce, options.repo, options.buildOptionsStr, targetTime, level) if targetTime: return (lithResult, lithDetails) else: shellIsDeterministic = inspectShell.queryBuildConfiguration( options.jsEngine, 'more-deterministic') flagsAreDeterministic = "--dump-bytecode" not in engineFlags and '-D' not in engineFlags if options.useCompareJIT and level == jsInteresting.JS_FINE and \ shellIsDeterministic and flagsAreDeterministic: linesToCompare = jitCompareLines(logPrefix + '-out.txt', "/*FCM*/") jitcomparefilename = logPrefix + "-cj-in.js" fileManipulation.writeLinesToFile(linesToCompare, jitcomparefilename) (lithResult, lithDetails) = compareJIT.compareJIT( options.jsEngine, engineFlags, jitcomparefilename, logPrefix + "-cj", options.knownPath, options.repo, options.buildOptionsStr, options.timeout, targetTime) if lithResult == lithOps.HAPPY: os.remove(jitcomparefilename) if targetTime and lithResult != lithOps.HAPPY: jsInteresting.deleteLogs(logPrefix) return (lithResult, lithDetails) jsInteresting.deleteLogs(logPrefix)
def many_timed_runs(targetTime, wtmpDir, args): options = parseOpts(args) engineFlags = options.engineFlags # engineFlags is overwritten later if --random-flags is set. startTime = time.time() if os.path.isdir(sps.normExpUserPath(options.repo)): regressionTestListFile = sps.normExpUserPath(os.path.join(wtmpDir, "regression-tests.list")) with open(regressionTestListFile, "wb") as f: for fn in inTreeRegressionTests(options.repo): f.write(fn + "\n") regressionTestPrologue = makeRegressionTestPrologue(options.repo, regressionTestListFile) else: regressionTestPrologue = "" fuzzjs = sps.normExpUserPath(os.path.join(wtmpDir, "jsfunfuzz.js")) linkFuzzer(fuzzjs, options.repo, regressionTestPrologue) iteration = 0 while True: if targetTime and time.time() > startTime + targetTime: print "Out of time!" os.remove(fuzzjs) if len(os.listdir(wtmpDir)) == 0: os.rmdir(wtmpDir) return (lithOps.HAPPY, None) # Construct command needed to loop jsfunfuzz fuzzing. jsInterestingArgs = [] jsInterestingArgs.append('--timeout=' + str(options.timeout)) if options.valgrind: jsInterestingArgs.append('--valgrind') jsInterestingArgs.append(options.knownPath) jsInterestingArgs.append(options.jsEngine) if options.randomFlags: engineFlags = shellFlags.randomFlagSet(options.jsEngine) jsInterestingArgs.extend(engineFlags) jsInterestingArgs.extend(['-e', 'maxRunTime=' + str(options.timeout*(1000/2))]) jsInterestingArgs.extend(['-f', fuzzjs]) jsunhappyOptions = jsInteresting.parseOptions(jsInterestingArgs) iteration += 1 logPrefix = sps.normExpUserPath(os.path.join(wtmpDir, "w" + str(iteration))) level = jsInteresting.jsfunfuzzLevel(jsunhappyOptions, logPrefix) if level != jsInteresting.JS_FINE: showtail(logPrefix + "-out.txt") showtail(logPrefix + "-err.txt") # splice jsfunfuzz.js with `grep FRC wN-out` filenameToReduce = logPrefix + "-reduced.js" [before, after] = fileManipulation.fuzzSplice(fuzzjs) with open(logPrefix + '-out.txt', 'rb') as f: newfileLines = before + [l.replace('/*FRC*/', '') for l in fileManipulation.linesStartingWith(f, "/*FRC*/")] + after fileManipulation.writeLinesToFile(newfileLines, logPrefix + "-orig.js") fileManipulation.writeLinesToFile(newfileLines, filenameToReduce) # Run Lithium and autobisect (make a reduced testcase and find a regression window) itest = [interestingpy] if options.valgrind: itest.append("--valgrind") itest.append("--minlevel=" + str(level)) itest.append("--timeout=" + str(options.timeout)) itest.append(options.knownPath) (lithResult, lithDetails) = pinpoint.pinpoint(itest, logPrefix, options.jsEngine, engineFlags, filenameToReduce, options.repo, options.buildOptionsStr, targetTime, level) if targetTime: return (lithResult, lithDetails) else: shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsEngine, 'more-deterministic') flagsAreDeterministic = "--dump-bytecode" not in engineFlags and '-D' not in engineFlags if options.useCompareJIT and level == jsInteresting.JS_FINE and \ shellIsDeterministic and flagsAreDeterministic: linesToCompare = jitCompareLines(logPrefix + '-out.txt', "/*FCM*/") jitcomparefilename = logPrefix + "-cj-in.js" fileManipulation.writeLinesToFile(linesToCompare, jitcomparefilename) (lithResult, lithDetails) = compareJIT.compareJIT(options.jsEngine, engineFlags, jitcomparefilename, logPrefix + "-cj", options.knownPath, options.repo, options.buildOptionsStr, options.timeout, targetTime) if lithResult == lithOps.HAPPY: os.remove(jitcomparefilename) if targetTime and lithResult != lithOps.HAPPY: jsInteresting.deleteLogs(logPrefix) return (lithResult, lithDetails) jsInteresting.deleteLogs(logPrefix)