def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--valgrind",
action="store_true", dest="valgrind",
default=False,
help="use valgrind with a reasonable set of options")
parser.add_option("--submit",
action="store_true", dest="submit",
default=False,
help="submit to fuzzmanager (if interesting)")
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=JS_FINE + 1,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=120,
help="timeout in seconds")
options, args = parser.parse_args(args)
if len(args) < 2:
raise Exception("Not enough positional arguments")
options.knownPath = args[0]
options.jsengineWithArgs = args[1:]
options.collector = createCollector.createCollector("jsfunfuzz")
if not os.path.exists(options.jsengineWithArgs[0]):
raise Exception("js shell does not exist: " + options.jsengineWithArgs[0])
options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic')
return options
def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--valgrind",
action="store_true", dest="valgrind",
default=False,
help="use valgrind with a reasonable set of options")
parser.add_option("--submit",
action="store_true", dest="submit",
default=False,
help="submit to fuzzmanager (if interesting)")
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=JS_FINE + 1,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=120,
help="timeout in seconds")
options, args = parser.parse_args(args)
if len(args) < 2:
raise Exception("Not enough positional arguments")
options.knownPath = args[0]
options.jsengineWithArgs = args[1:]
options.collector = createCollector.createCollector("jsfunfuzz")
if not os.path.exists(options.jsengineWithArgs[0]):
raise Exception("js shell does not exist: " + options.jsengineWithArgs[0])
options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic')
return options
def randomFlagSet(shellPath):
"""Return a random list of CLI flags appropriate for the given shell.
Only works for spidermonkey js shell. Does not work for xpcshell.
"""
args = []
ion = shellSupportsFlag(shellPath, "--ion") and chance(.8)
if shellSupportsFlag(shellPath, '--fuzzing-safe'):
args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361
# Landed in m-c changeset c0c1d923c292, see bug 1255008
if shellSupportsFlag(shellPath, '--ion-aa=flow-sensitive'):
if chance(.4):
args.append('--ion-aa=flow-sensitive')
elif shellSupportsFlag(shellPath, '--ion-aa=flow-insensitive') and chance(.4):
args.append('--ion-aa=flow-insensitive')
# See bug 932517, which had landed to fix this issue. Keeping this around for archives:
# Original breakage in m-c rev 269359 : https://hg.mozilla.org/mozilla-central/rev/a0ccab2a6e28
# Fix in m-c rev 269896: https://hg.mozilla.org/mozilla-central/rev/3bb8446a6d8d
# Anything in-between involving let probably needs "-e 'version(185);'" to see if we can bypass breakage
# if shellSupportsFlag(shellPath, "--execute='version(185);'"):
# args.append("--execute='version(185);'")
# Note for future: --wasm-check-bce is only useful for x86 and ARM32
if shellSupportsFlag(shellPath, '--wasm-always-baseline') and chance(.5):
args.append("--wasm-always-baseline") # --wasm-always-baseline landed in bug 1232205
if shellSupportsFlag(shellPath, '--ion-pgo=on') and chance(.2):
args.append("--ion-pgo=on") # --ion-pgo=on landed in bug 1209515
if shellSupportsFlag(shellPath, '--ion-sincos=on') and chance(.5):
sincosValue = "on" if chance(0.5) else "off"
args.append("--ion-sincos=" + sincosValue) # --ion-sincos=[on|off] landed in bug 984018
if shellSupportsFlag(shellPath, '--ion-instruction-reordering=on') and chance(.2):
args.append("--ion-instruction-reordering=on") # --ion-instruction-reordering=on landed in bug 1195545
if shellSupportsFlag(shellPath, '--ion-shared-stubs=on') and chance(.2):
args.append("--ion-shared-stubs=on") # --ion-shared-stubs=on landed in bug 1168756
if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3):
args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805
if shellSupportsFlag(shellPath, "--execute=setJitCompilerOption('ion.forceinlineCaches',1)") and chance(.1):
args.append("--execute=setJitCompilerOption('ion.forceinlineCaches',1)")
if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1):
args.append("--no-cgc") # --no-cgc landed in bug 1126769
if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1):
args.append("--no-ggc") # --no-ggc landed in bug 706885
if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1):
args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492
if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2):
args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199
# if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2):
# args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674
if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9):
# Focus testing on CheckNursery (16), see:
# https://hg.mozilla.org/mozilla-central/rev/bdbb5822afe1
gczealValue = 16 if chance(0.5) else random.randint(0, 16)
args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602
if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1):
args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804
if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2):
args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458
if shellSupportsFlag(shellPath, '--no-threads') and chance(.5):
args.append("--no-threads") # --no-threads landed in bug 1031529
if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05):
args.append("--disable-ion") # --disable-ion landed in bug 789319
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3):
# It was suggested to focus more on the range between 0 and 1.
# Reduced the upper limit to 8, see bug 1053996 comment 8.
asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1)
args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3):
asmPoolMaxOffset = random.randint(5, 1024)
args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919
if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1):
args.append("--no-native-regexp") # See bug 976446
if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4):
args.append('--arm-sim-icache-checks')
if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2):
# --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a.
if chance(.5):
args.append("--no-sse3")
else:
args.append("--no-sse4")
# We should stop fuzzing --no-fpu according to the js devs...
# if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2):
# args.append("--no-fpu") # --no-fpu landed in bug 858022
if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5):
args.append("--no-asmjs")
# --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c.
if shellSupportsFlag(shellPath, '--baseline-eager'):
if chance(.3):
args.append('--no-baseline')
# elif is important, as we want to call --baseline-eager only if --no-baseline is not set.
elif chance(.6):
args.append("--baseline-eager")
if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'):
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-offthread-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# Default is to have --ion-offthread-compile=on and --thread-count=<some default value>
elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'):
# --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9.
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-parallel-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# The default is to have --ion-parallel-compile=on and --thread-count=<some default value>
if ion:
if chance(.6):
args.append("--ion-eager")
if chance(.2):
args.append("--ion-gvn=off")
if chance(.2):
args.append("--ion-licm=off")
if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2):
args.append("--ion-edgecase-analysis=off")
if chance(.2):
args.append("--ion-range-analysis=off")
if chance(.2):
args.append("--ion-inlining=off")
if chance(.2):
args.append("--ion-osr=off")
if chance(.2):
args.append("--ion-limit-script-size=off")
# Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e
# The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs
# if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2):
# args.append('--ion-regalloc=stupid')
if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2):
args.append('--ion-regalloc=testbed')
if shellSupportsFlag(shellPath, '--ion-check-range-analysis') and chance(.3):
args.append('--ion-check-range-analysis')
if shellSupportsFlag(shellPath, '--ion-extra-checks') and chance(.3):
args.append('--ion-extra-checks')
else:
args.append("--no-ion")
# if chance(.05):
# args.append("--execute=verifyprebarriers()")
if chance(.05):
args.append("-D") # aka --dump-bytecode
return args
def randomFlagSet(shellPath):
"""Return a random list of CLI flags appropriate for the given shell.
Only works for spidermonkey js shell. Does not work for xpcshell.
"""
args = []
ion = shellSupportsFlag(shellPath, "--ion") and chance(.8)
if shellSupportsFlag(shellPath, '--fuzzing-safe'):
args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361
# See bug 932517, which had landed to fix this issue. Keeping this around for archives:
# Original breakage in m-c rev 269359 : https://hg.mozilla.org/mozilla-central/rev/a0ccab2a6e28
# Fix in m-c rev 269896: https://hg.mozilla.org/mozilla-central/rev/3bb8446a6d8d
# Anything in-between involving let probably needs "-e 'version(185);'" to see if we can bypass breakage
# if shellSupportsFlag(shellPath, "--execute='version(185);'"):
# args.append("--execute='version(185);'")
if shellSupportsFlag(shellPath, '--ion-pgo=on') and chance(.2):
args.append("--ion-pgo=on") # --ion-pgo=on landed in bug 1209515
if shellSupportsFlag(shellPath, '--ion-sincos=on') and chance(.5):
sincosValue = "on" if chance(0.5) else "off"
args.append("--ion-sincos=" + sincosValue) # --ion-sincos=[on|off] landed in bug 984018
if shellSupportsFlag(shellPath, '--ion-instruction-reordering=on') and chance(.2):
args.append("--ion-instruction-reordering=on") # --ion-instruction-reordering=on landed in bug 1195545
if shellSupportsFlag(shellPath, '--ion-shared-stubs=on') and chance(.2):
args.append("--ion-shared-stubs=on") # --ion-shared-stubs=on landed in bug 1168756
if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3):
args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805
if shellSupportsFlag(shellPath, "--execute=setJitCompilerOption('ion.forceinlineCaches',1)") and chance(.1):
args.append("--execute=setJitCompilerOption('ion.forceinlineCaches',1)")
if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1):
args.append("--no-cgc") # --no-cgc landed in bug 1126769
if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1):
args.append("--no-ggc") # --no-ggc landed in bug 706885
if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1):
args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492
if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2):
args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199
# if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2):
# args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674
if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9):
gczealValue = 14 if chance(0.5) else random.randint(0, 14) # Focus test compacting GC (14)
args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602
if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1):
args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804
if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2):
args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458
if shellSupportsFlag(shellPath, '--no-threads') and chance(.5):
args.append("--no-threads") # --no-threads landed in bug 1031529
if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05):
args.append("--disable-ion") # --disable-ion landed in bug 789319
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3):
# It was suggested to focus more on the range between 0 and 1.
# Reduced the upper limit to 8, see bug 1053996 comment 8.
asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1)
args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3):
asmPoolMaxOffset = random.randint(5, 1024)
args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919
if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1):
args.append("--no-native-regexp") # See bug 976446
if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4):
args.append('--arm-sim-icache-checks')
if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2):
# --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a.
if chance(.5):
args.append("--no-sse3")
else:
args.append("--no-sse4")
if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2):
args.append("--no-fpu") # --no-fpu landed in bug 858022
if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5):
args.append("--no-asmjs")
# --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c.
if shellSupportsFlag(shellPath, '--baseline-eager'):
if chance(.3):
args.append('--no-baseline')
# elif is important, as we want to call --baseline-eager only if --no-baseline is not set.
elif chance(.6):
args.append("--baseline-eager")
if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'):
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-offthread-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# Default is to have --ion-offthread-compile=on and --thread-count=<some default value>
elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'):
# --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9.
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-parallel-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# The default is to have --ion-parallel-compile=on and --thread-count=<some default value>
if ion:
if chance(.6):
args.append("--ion-eager")
if chance(.2):
args.append("--ion-gvn=off")
if chance(.2):
args.append("--ion-licm=off")
if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2):
args.append("--ion-edgecase-analysis=off")
if chance(.2):
args.append("--ion-range-analysis=off")
if chance(.2):
args.append("--ion-inlining=off")
if chance(.2):
args.append("--ion-osr=off")
if chance(.2):
args.append("--ion-limit-script-size=off")
# Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e
# The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs
# if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2):
# args.append('--ion-regalloc=stupid')
if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2):
args.append('--ion-regalloc=testbed')
if shellSupportsFlag(shellPath, '--ion-check-range-analysis'):
if chance(.3):
args.append('--ion-check-range-analysis')
if shellSupportsFlag(shellPath, '--ion-extra-checks'):
if chance(.3):
args.append('--ion-extra-checks')
else:
args.append("--no-ion")
# if chance(.05):
# args.append("--execute=verifyprebarriers()")
if chance(.05):
args.append("-D") # aka --dump-bytecode
return args
def randomFlagSet(shellPath):
'''
Returns a random list of command-line flags appropriate for the given shell.
Only works for spidermonkey js shell. Does not work for xpcshell.
'''
args = []
ion = shellSupportsFlag(shellPath, "--ion") and chance(.8)
if shellSupportsFlag(shellPath, '--fuzzing-safe'):
args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361
if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3):
args.append("--non-writable-jitcode"
) # --non-writable-jitcode landed in bug 977805
if shellSupportsFlag(
shellPath,
"--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'"
) and chance(.1):
args.append(
"--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'")
if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1):
args.append("--no-cgc") # --no-cgc landed in bug 1126769
if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1):
args.append("--no-ggc") # --no-ggc landed in bug 706885
if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1):
args.append(
"--no-incremental-gc") # --no-incremental-gc landed in bug 958492
# if shellSupportsFlag(shellPath, '--unboxed-arrays') and chance(.2):
# args.append("--unboxed-arrays") # --unboxed-arrays landed in bug 1146597
if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2):
args.append("--no-unboxed-objects"
) # --no-unboxed-objects landed in bug 1162199
#if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2):
# args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674
if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9):
gczealValue = 14 if chance(0.5) else random.randint(
0, 14) # Focus test compacting GC (14)
args.append("--gc-zeal=" +
str(gczealValue)) # --gc-zeal= landed in bug 1101602
if shellSupportsFlag(shellPath,
'--enable-small-chunk-size') and chance(.1):
args.append("--enable-small-chunk-size"
) # --enable-small-chunk-size landed in bug 941804
if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2):
args.append("--ion-loop-unrolling=on"
) # --ion-loop-unrolling=on landed in bug 1039458
if shellSupportsFlag(shellPath, '--no-threads') and chance(.5):
args.append("--no-threads") # --no-threads landed in bug 1031529
if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05):
args.append("--disable-ion") # --disable-ion landed in bug 789319
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3):
# It was suggested to focus more on the range between 0 and 1.
# Reduced the upper limit to 8, see bug 1053996 comment 8.
asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(
0, 1)
args.append("--arm-asm-nop-fill=" +
str(asmNopFill)) # Landed in bug 1020834
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3):
asmPoolMaxOffset = random.randint(5, 1024)
args.append("--asm-pool-max-offset=" +
str(asmPoolMaxOffset)) # Landed in bug 1026919
if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1):
args.append("--no-native-regexp") # See bug 976446
if inspectShell.queryBuildConfiguration(shellPath,
'arm-simulator') and chance(.4):
args.append('--arm-sim-icache-checks')
if (shellSupportsFlag(shellPath, '--no-sse3')
and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2):
# --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a.
if chance(.5):
args.append("--no-sse3")
else:
args.append("--no-sse4")
if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2):
args.append("--no-fpu") # --no-fpu landed in bug 858022
if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5):
args.append("--no-asmjs")
# --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c.
if shellSupportsFlag(shellPath, '--baseline-eager'):
if chance(.3):
args.append('--no-baseline')
# elif is important, as we want to call --baseline-eager only if --no-baseline is not set.
elif chance(.6):
args.append("--baseline-eager")
if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'):
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-offthread-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# Default is to have --ion-offthread-compile=on and --thread-count=<some default value>
elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'):
# --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9.
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-parallel-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# The default is to have --ion-parallel-compile=on and --thread-count=<some default value>
if ion:
if chance(.6):
args.append("--ion-eager")
if chance(.2):
args.append("--ion-gvn=off")
if chance(.2):
args.append("--ion-licm=off")
if shellSupportsFlag(shellPath,
'--ion-edgecase-analysis=off') and chance(.2):
args.append("--ion-edgecase-analysis=off")
if chance(.2):
args.append("--ion-range-analysis=off")
if chance(.2):
args.append("--ion-inlining=off")
if chance(.2):
args.append("--ion-osr=off")
if chance(.2):
args.append("--ion-limit-script-size=off")
# Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e
# The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs
#if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2):
#args.append('--ion-regalloc=stupid')
if shellSupportsFlag(shellPath,
'--ion-regalloc=testbed') and chance(.2):
args.append('--ion-regalloc=testbed')
if shellSupportsFlag(shellPath, '--ion-check-range-analysis'):
if chance(.3):
args.append('--ion-check-range-analysis')
if shellSupportsFlag(shellPath, '--ion-extra-checks'):
if chance(.3):
args.append('--ion-extra-checks')
else:
args.append("--no-ion")
#if chance(.05):
# args.append("--execute=verifyprebarriers()")
if chance(.05):
args.append("-D") # aka --dump-bytecode
return args
def randomFlagSet(shellPath):
'''
Returns a random list of command-line flags appropriate for the given shell.
Only works for spidermonkey js shell. Does not work for xpcshell.
'''
args = []
ion = shellSupportsFlag(shellPath, "--ion") and chance(.8)
if shellSupportsFlag(shellPath, '--fuzzing-safe'):
args.append("--fuzzing-safe") # --fuzzing-safe landed in bug 885361
if shellSupportsFlag(shellPath, '--non-writable-jitcode') and chance(.3):
args.append("--non-writable-jitcode") # --non-writable-jitcode landed in bug 977805
if shellSupportsFlag(shellPath, "--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'") and chance(.1):
args.append("--execute='setJitCompilerOption(\"ion.forceinlineCaches\", 1)'")
if shellSupportsFlag(shellPath, '--no-cgc') and chance(.1):
args.append("--no-cgc") # --no-cgc landed in bug 1126769
if shellSupportsFlag(shellPath, '--no-ggc') and chance(.1):
args.append("--no-ggc") # --no-ggc landed in bug 706885
if shellSupportsFlag(shellPath, '--no-incremental-gc') and chance(.1):
args.append("--no-incremental-gc") # --no-incremental-gc landed in bug 958492
# Disabled until bug 1190733, bug 1193213 and bug 1193543 are fixed.
# if shellSupportsFlag(shellPath, '--unboxed-arrays') and chance(.2):
# args.append("--unboxed-arrays") # --unboxed-arrays landed in bug 1146597
if shellSupportsFlag(shellPath, '--no-unboxed-objects') and chance(.2):
args.append("--no-unboxed-objects") # --no-unboxed-objects landed in bug 1162199
#if shellSupportsFlag(shellPath, '--ion-sink=on') and chance(.2):
# args.append("--ion-sink=on") # --ion-sink=on landed in bug 1093674
if shellSupportsFlag(shellPath, '--gc-zeal=0') and chance(.9):
gczealValue = 14 if chance(0.5) else random.randint(0, 14) # Focus test compacting GC (14)
args.append("--gc-zeal=" + str(gczealValue)) # --gc-zeal= landed in bug 1101602
if shellSupportsFlag(shellPath, '--enable-small-chunk-size') and chance(.1):
args.append("--enable-small-chunk-size") # --enable-small-chunk-size landed in bug 941804
if shellSupportsFlag(shellPath, '--ion-loop-unrolling=on') and chance(.2):
args.append("--ion-loop-unrolling=on") # --ion-loop-unrolling=on landed in bug 1039458
if shellSupportsFlag(shellPath, '--no-threads') and chance(.5):
args.append("--no-threads") # --no-threads landed in bug 1031529
if shellSupportsFlag(shellPath, '--disable-ion') and chance(.05):
args.append("--disable-ion") # --disable-ion landed in bug 789319
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--arm-asm-nop-fill=0') and chance(0.3):
# It was suggested to focus more on the range between 0 and 1.
# Reduced the upper limit to 8, see bug 1053996 comment 8.
asmNopFill = random.randint(1, 8) if chance(0.3) else random.randint(0, 1)
args.append("--arm-asm-nop-fill=" + str(asmNopFill)) # Landed in bug 1020834
# See bug 1026919 comment 60:
if sps.isARMv7l and \
shellSupportsFlag(shellPath, '--asm-pool-max-offset=1024') and chance(0.3):
asmPoolMaxOffset = random.randint(5, 1024)
args.append("--asm-pool-max-offset=" + str(asmPoolMaxOffset)) # Landed in bug 1026919
if shellSupportsFlag(shellPath, '--no-native-regexp') and chance(.1):
args.append("--no-native-regexp") # See bug 976446
if inspectShell.queryBuildConfiguration(shellPath, 'arm-simulator') and chance(.4):
args.append('--arm-sim-icache-checks')
if (shellSupportsFlag(shellPath, '--no-sse3') and shellSupportsFlag(shellPath, '--no-sse4')) and chance(.2):
# --no-sse3 and --no-sse4 landed in m-c rev 526ba3ace37a.
if chance(.5):
args.append("--no-sse3")
else:
args.append("--no-sse4")
if shellSupportsFlag(shellPath, '--no-fpu') and chance(.2):
args.append("--no-fpu") # --no-fpu landed in bug 858022
if shellSupportsFlag(shellPath, '--no-asmjs') and chance(.5):
args.append("--no-asmjs")
# --baseline-eager landed after --no-baseline on the IonMonkey branch prior to landing on m-c.
if shellSupportsFlag(shellPath, '--baseline-eager'):
if chance(.3):
args.append('--no-baseline')
# elif is important, as we want to call --baseline-eager only if --no-baseline is not set.
elif chance(.6):
args.append("--baseline-eager")
if shellSupportsFlag(shellPath, '--ion-offthread-compile=off'):
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-offthread-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# Default is to have --ion-offthread-compile=on and --thread-count=<some default value>
elif shellSupportsFlag(shellPath, '--ion-parallel-compile=off'):
# --ion-parallel-compile=off has gone away as of m-c rev 9ab3b097f304 and f0d67b1ccff9.
if chance(.7):
# Focus on the reproducible cases
args.append("--ion-parallel-compile=off")
elif chance(.5) and multiprocessing.cpu_count() > 1 and \
shellSupportsFlag(shellPath, '--thread-count=1'):
# Adjusts default number of threads for parallel compilation (turned on by default)
totalThreads = random.randint(2, (multiprocessing.cpu_count() * 2))
args.append('--thread-count=' + str(totalThreads))
# else:
# The default is to have --ion-parallel-compile=on and --thread-count=<some default value>
if ion:
if chance(.6):
args.append("--ion-eager")
if chance(.2):
args.append("--ion-gvn=off")
if chance(.2):
args.append("--ion-licm=off")
if shellSupportsFlag(shellPath, '--ion-edgecase-analysis=off') and chance(.2):
args.append("--ion-edgecase-analysis=off")
if chance(.2):
args.append("--ion-range-analysis=off")
if chance(.2):
args.append("--ion-inlining=off")
if chance(.2):
args.append("--ion-osr=off")
if chance(.2):
args.append("--ion-limit-script-size=off")
# Backtracking (on by default as of 2015-04-15) and stupid landed in m-c changeset dc4887f61d2e
# The stupid allocator isn't used by default and devs prefer not to have to fix fuzzbugs
#if shellSupportsFlag(shellPath, '--ion-regalloc=stupid') and chance(.2):
#args.append('--ion-regalloc=stupid')
if shellSupportsFlag(shellPath, '--ion-regalloc=testbed') and chance(.2):
args.append('--ion-regalloc=testbed')
if shellSupportsFlag(shellPath, '--ion-check-range-analysis'):
if chance(.3):
args.append('--ion-check-range-analysis')
if shellSupportsFlag(shellPath, '--ion-extra-checks'):
if chance(.3):
args.append('--ion-extra-checks')
else:
args.append("--no-ion")
#if chance(.05):
# args.append("--execute=verifyprebarriers()")
if chance(.05):
args.append("-D") # aka --dump-bytecode
return args
def many_timed_runs(targetTime, wtmpDir, args):
options = parseOpts(args)
engineFlags = options.engineFlags # engineFlags is overwritten later if --random-flags is set.
startTime = time.time()
if os.path.isdir(sps.normExpUserPath(options.repo)):
regressionTestListFile = sps.normExpUserPath(
os.path.join(wtmpDir, "regression-tests.list"))
with open(regressionTestListFile, "wb") as f:
for fn in inTreeRegressionTests(options.repo):
f.write(fn + "\n")
regressionTestPrologue = makeRegressionTestPrologue(
options.repo, regressionTestListFile)
else:
regressionTestPrologue = ""
fuzzjs = sps.normExpUserPath(os.path.join(wtmpDir, "jsfunfuzz.js"))
linkFuzzer(fuzzjs, options.repo, regressionTestPrologue)
iteration = 0
while True:
if targetTime and time.time() > startTime + targetTime:
print "Out of time!"
os.remove(fuzzjs)
if len(os.listdir(wtmpDir)) == 0:
os.rmdir(wtmpDir)
return (lithOps.HAPPY, None)
# Construct command needed to loop jsfunfuzz fuzzing.
jsInterestingArgs = []
jsInterestingArgs.append('--timeout=' + str(options.timeout))
if options.valgrind:
jsInterestingArgs.append('--valgrind')
jsInterestingArgs.append(options.knownPath)
jsInterestingArgs.append(options.jsEngine)
if options.randomFlags:
engineFlags = shellFlags.randomFlagSet(options.jsEngine)
jsInterestingArgs.extend(engineFlags)
jsInterestingArgs.extend(
['-e', 'maxRunTime=' + str(options.timeout * (1000 / 2))])
jsInterestingArgs.extend(['-f', fuzzjs])
jsunhappyOptions = jsInteresting.parseOptions(jsInterestingArgs)
iteration += 1
logPrefix = sps.normExpUserPath(
os.path.join(wtmpDir, "w" + str(iteration)))
level = jsInteresting.jsfunfuzzLevel(jsunhappyOptions, logPrefix)
if level != jsInteresting.JS_FINE:
showtail(logPrefix + "-out.txt")
showtail(logPrefix + "-err.txt")
# splice jsfunfuzz.js with `grep FRC wN-out`
filenameToReduce = logPrefix + "-reduced.js"
[before, after] = fileManipulation.fuzzSplice(fuzzjs)
with open(logPrefix + '-out.txt', 'rb') as f:
newfileLines = before + [
l.replace('/*FRC*/', '')
for l in fileManipulation.linesStartingWith(f, "/*FRC*/")
] + after
fileManipulation.writeLinesToFile(newfileLines,
logPrefix + "-orig.js")
fileManipulation.writeLinesToFile(newfileLines, filenameToReduce)
# Run Lithium and autobisect (make a reduced testcase and find a regression window)
itest = [interestingpy]
if options.valgrind:
itest.append("--valgrind")
itest.append("--minlevel=" + str(level))
itest.append("--timeout=" + str(options.timeout))
itest.append(options.knownPath)
(lithResult, lithDetails) = pinpoint.pinpoint(
itest, logPrefix, options.jsEngine, engineFlags,
filenameToReduce, options.repo, options.buildOptionsStr,
targetTime, level)
if targetTime:
return (lithResult, lithDetails)
else:
shellIsDeterministic = inspectShell.queryBuildConfiguration(
options.jsEngine, 'more-deterministic')
flagsAreDeterministic = "--dump-bytecode" not in engineFlags and '-D' not in engineFlags
if options.useCompareJIT and level == jsInteresting.JS_FINE and \
shellIsDeterministic and flagsAreDeterministic:
linesToCompare = jitCompareLines(logPrefix + '-out.txt',
"/*FCM*/")
jitcomparefilename = logPrefix + "-cj-in.js"
fileManipulation.writeLinesToFile(linesToCompare,
jitcomparefilename)
(lithResult, lithDetails) = compareJIT.compareJIT(
options.jsEngine, engineFlags, jitcomparefilename,
logPrefix + "-cj", options.knownPath, options.repo,
options.buildOptionsStr, options.timeout, targetTime)
if lithResult == lithOps.HAPPY:
os.remove(jitcomparefilename)
if targetTime and lithResult != lithOps.HAPPY:
jsInteresting.deleteLogs(logPrefix)
return (lithResult, lithDetails)
jsInteresting.deleteLogs(logPrefix)
def many_timed_runs(targetTime, wtmpDir, args):
options = parseOpts(args)
engineFlags = options.engineFlags # engineFlags is overwritten later if --random-flags is set.
startTime = time.time()
if os.path.isdir(sps.normExpUserPath(options.repo)):
regressionTestListFile = sps.normExpUserPath(os.path.join(wtmpDir, "regression-tests.list"))
with open(regressionTestListFile, "wb") as f:
for fn in inTreeRegressionTests(options.repo):
f.write(fn + "\n")
regressionTestPrologue = makeRegressionTestPrologue(options.repo, regressionTestListFile)
else:
regressionTestPrologue = ""
fuzzjs = sps.normExpUserPath(os.path.join(wtmpDir, "jsfunfuzz.js"))
linkFuzzer(fuzzjs, options.repo, regressionTestPrologue)
iteration = 0
while True:
if targetTime and time.time() > startTime + targetTime:
print "Out of time!"
os.remove(fuzzjs)
if len(os.listdir(wtmpDir)) == 0:
os.rmdir(wtmpDir)
return (lithOps.HAPPY, None)
# Construct command needed to loop jsfunfuzz fuzzing.
jsInterestingArgs = []
jsInterestingArgs.append('--timeout=' + str(options.timeout))
if options.valgrind:
jsInterestingArgs.append('--valgrind')
jsInterestingArgs.append(options.knownPath)
jsInterestingArgs.append(options.jsEngine)
if options.randomFlags:
engineFlags = shellFlags.randomFlagSet(options.jsEngine)
jsInterestingArgs.extend(engineFlags)
jsInterestingArgs.extend(['-e', 'maxRunTime=' + str(options.timeout*(1000/2))])
jsInterestingArgs.extend(['-f', fuzzjs])
jsunhappyOptions = jsInteresting.parseOptions(jsInterestingArgs)
iteration += 1
logPrefix = sps.normExpUserPath(os.path.join(wtmpDir, "w" + str(iteration)))
level = jsInteresting.jsfunfuzzLevel(jsunhappyOptions, logPrefix)
if level != jsInteresting.JS_FINE:
showtail(logPrefix + "-out.txt")
showtail(logPrefix + "-err.txt")
# splice jsfunfuzz.js with `grep FRC wN-out`
filenameToReduce = logPrefix + "-reduced.js"
[before, after] = fileManipulation.fuzzSplice(fuzzjs)
with open(logPrefix + '-out.txt', 'rb') as f:
newfileLines = before + [l.replace('/*FRC*/', '') for l in fileManipulation.linesStartingWith(f, "/*FRC*/")] + after
fileManipulation.writeLinesToFile(newfileLines, logPrefix + "-orig.js")
fileManipulation.writeLinesToFile(newfileLines, filenameToReduce)
# Run Lithium and autobisect (make a reduced testcase and find a regression window)
itest = [interestingpy]
if options.valgrind:
itest.append("--valgrind")
itest.append("--minlevel=" + str(level))
itest.append("--timeout=" + str(options.timeout))
itest.append(options.knownPath)
(lithResult, lithDetails) = pinpoint.pinpoint(itest, logPrefix, options.jsEngine, engineFlags, filenameToReduce,
options.repo, options.buildOptionsStr, targetTime, level)
if targetTime:
return (lithResult, lithDetails)
else:
shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsEngine, 'more-deterministic')
flagsAreDeterministic = "--dump-bytecode" not in engineFlags and '-D' not in engineFlags
if options.useCompareJIT and level == jsInteresting.JS_FINE and \
shellIsDeterministic and flagsAreDeterministic:
linesToCompare = jitCompareLines(logPrefix + '-out.txt', "/*FCM*/")
jitcomparefilename = logPrefix + "-cj-in.js"
fileManipulation.writeLinesToFile(linesToCompare, jitcomparefilename)
(lithResult, lithDetails) = compareJIT.compareJIT(options.jsEngine, engineFlags, jitcomparefilename,
logPrefix + "-cj", options.knownPath, options.repo,
options.buildOptionsStr, options.timeout, targetTime)
if lithResult == lithOps.HAPPY:
os.remove(jitcomparefilename)
if targetTime and lithResult != lithOps.HAPPY:
jsInteresting.deleteLogs(logPrefix)
return (lithResult, lithDetails)
jsInteresting.deleteLogs(logPrefix)
