Closed
Bug 1461689
Opened 6 years ago
Closed 6 years ago
Create a text file containing all the shell flags combinations we'd like to see tested by fuzzers
Categories
(Core :: JavaScript Engine: JIT, enhancement)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla62
Tracking | Status | |
---|---|---|
firefox62 | --- | fixed |
People
(Reporter: bbouvier, Assigned: bbouvier)
References
Details
Attachments
(1 file, 1 obsolete file)
1.17 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
This is a request from :decoder. We should have a list of shell flag combinations we'd like to see used by fuzzers which are trying to find bugs in our code base. This is nice because: - when we add a flag, we don't have to use a manual process of letting our fuzzing people know, if they use a tool that automatically parses this file. This process we currently use is cumbersome, and sometimes we forget telling them, and it silently breaks fuzzing. - We could even probably remove flags and not morph them into no-ops, as long as we'd remove the flag from the flag file too. - This is also nice for fuzzer people external to Mozilla, who would want to fuzz our code base but wouldn't know what the interesting flags are. - We can have time-based fuzzing experiments, when we can request a certain flag to be used more, for some amount of time, by adding new combinations using it. For what it's worth, Google has some file like this, if I remember correctly, in which they map probabilities to given flags, and the flags get randomly used in fuzzing with the set probabilities. I wondered if we could just have a JS shell CLI switch that would display all these flag combinations, but it would need to be manually maintained in the same way as a simple text file would be, so I'm not sure it's better overall. Now, I obviously don't know all the flags we'd like to test, so we'll need to crowdsource this process. I've added flags that seemed interesting for wasm, at least.
Assignee | ||
Comment 1•6 years ago
|
||
Please read comment 0 first. Jan, Jon: what do you think about this? which other flags would you like to see in this file (as tech leads of JIT and GC) ? Gary, Christian: would such a file be simple and useful enough for you to parse and generate the interesting flag combinations?
Attachment #8975819 -
Flags: review?(jdemooij)
Attachment #8975819 -
Flags: review?(jcoppeard)
Attachment #8975819 -
Flags: feedback?(nth10sd)
Attachment #8975819 -
Flags: feedback?(choller)
Comment 2•6 years ago
|
||
Which flags do the fuzzers use right now? Maybe we can start with that list? Benjamin, why is --test-wasm-await-tier2 (for instance) not on that list?
Assignee | ||
Comment 3•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #2) > Which flags do the fuzzers use right now? Maybe we can start with that list? Good question. I'm hoping Christian and Gary can tell us. > Benjamin, why is --test-wasm-await-tier2 (for instance) not on that list? This particular flag didn't find many fuzzbugs in the past, if I'm correct, and my understanding was that it's been useful when developing tiering, and that its utility has lowered a lot since then. I could be wrong here, of course. Maybe we'd want to keep it. Maybe we could have a weight associated to each flag combination (as the Google system seems to have), so that we can indicate which combinations are more important?
Comment 4•6 years ago
|
||
On 64-bit: # Mandatory options binaryOptions: &binaryOptions - --fuzzing-safe - --cpu-count=2 # Options that can be used randomly in any builds randomOptions: &randomOptions - --ion-eager - --baseline-eager - --ion-offthread-compile=off - --ion-extra-checks - --ion-aa=flow-sensitive - --test-wasm-await-tier2 - --spectre-mitigations=on - --spectre-mitigations=off - --nursery-strings=on - --execute=gcstress=1 - --wasm-gc # This extends the options above with some options # that are only available in debug builds randomDebugOptions: &randomDebugOptions - *randomOptions - --ion-check-range-analysis On ARM simulator we add: - --arm-sim-icache-checks - --arm-asm-nop-fill=1 - --arm-hwcap=vfp In some configurations, I also add --no-threads. Note that LangFuzz currently has no notion of grouping flags together (as in, these flags should be used, but only together). So I would simply parse the file and take all of the flags for this list. However, note that some flags are only available in certain build types, we need to figure out a smart way to account for that. Maybe I can also write a script that figures out if the shell accepts a certain flag, as part of the extraction logic.
Comment 5•6 years ago
|
||
Benjamin, was your idea that the fuzzer would pick a random *line* from this file and use that? Or do we have a list of options that the fuzzer can pick multiple from? I'd prefer the latter because then we can add --ion-eager and --ion-offthread-compile=off on separate lines, and the fuzzers will automatically test all 4 combinations of these 2 flags (they're all useful). Assigning weights makes sense especially for options like --no-baseline and --no-ion, because these basically turn off huge parts of the code so we don't want to use these flags too often. Maybe we just shouldn't fuzz with these flags at all because we run jit-tests with them in automation and fuzzing is unlikely to find bugs that only show up with these flags. As for certain flags being only available in some builds, I think it makes sense either for the fuzzer to detect this or for us to make these flags no-ops in builds where they're not supported (we could print a warning to stderr).
Assignee | ||
Comment 6•6 years ago
|
||
Thanks for the list! (In reply to Jan de Mooij [:jandem] from comment #5) > Benjamin, was your idea that the fuzzer would pick a random *line* from this > file and use that? Or do we have a list of options that the fuzzer can pick > multiple from? I'd prefer the latter because then we can add --ion-eager and > --ion-offthread-compile=off on separate lines, and the fuzzers will > automatically test all 4 combinations of these 2 flags (they're all useful). My idea was indeed the former. In particular I mentioned --ion-eager as a flag that always wants to have --ion-compile-offthread=off, because to me it seems that it makes test cases much more reliable; but you seem to imply that the opposite is true, and that testing --ion-eager on its own is useful too. Decoder told me (irc) that LangFuzz can only pick a random flag, not a combination. So it seems the latter is more appropriate in both cases. In this case, we can probably just have one flag per line.
Comment 7•6 years ago
|
||
(In reply to Benjamin Bouvier [:bbouvier] from comment #6) > but you seem to imply > that the opposite is true, and that testing --ion-eager on its own is useful > too. Yeah, imagine an off-thread-compilation-specific bug/race :) It's true that --ion-eager *without* off-thread compilation is more deterministic and is very useful. > In this case, we can probably just have one flag per line. Sounds good!
Comment 8•6 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #4) > - --execute=gcstress=1 What does this do? Having this file seems like a good idea so that everyone can see which options are being tested.
Comment 9•6 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #8) > (In reply to Christian Holler (:decoder) from comment #4) > > - --execute=gcstress=1 > > What does this do? It enables a special gcstress mode in the fuzzing driver that calls gczeal much more. But that also makes everything a lot slower, so I'm not always passing this flag.
Comment 10•6 years ago
|
||
Comment on attachment 8975819 [details] [diff] [review] fuzzflags.patch Review of attachment 8975819 [details] [diff] [review]: ----------------------------------------------------------------- Starting with decoder's list makes sense to me (except --ion-aa=flow-sensitive because that has been removed). Maybe useful to add: --no-sse3 --no-sse4 --ion-warmup-threshold=100 --no-native-regexp
Attachment #8975819 -
Flags: review?(jdemooij) → feedback+
Updated•6 years ago
|
Attachment #8975819 -
Flags: review?(jcoppeard) → feedback+
Assignee | ||
Comment 11•6 years ago
|
||
Updated patch with one flag per line, as discussed before. I checked and all the flags are valid on all the build variants, including architecture specific ones (which might be no-ops in some configurations).
Attachment #8975819 -
Attachment is obsolete: true
Attachment #8975819 -
Flags: feedback?(nth10sd)
Attachment #8975819 -
Flags: feedback?(choller)
Attachment #8976117 -
Flags: review?(jdemooij)
Comment 12•6 years ago
|
||
Comment on attachment 8976117 [details] [diff] [review] fuzzflags.patch Review of attachment 8976117 [details] [diff] [review]: ----------------------------------------------------------------- Excellent, thanks for doing this. ::: js/src/shell/fuzz-flags.txt @@ +1,3 @@ > +# This lists all the possible flags we'd like to see tested out in the shell by > +# fuzzers. A non-empty line not starting with should be considered a valid one. > +# Note the following flag is recommeded in ALL the cases: --fuzzing-safe Nit: s/with/with #/ and recommended, typo
Attachment #8976117 -
Flags: review?(jdemooij) → review+
Comment 13•6 years ago
|
||
Alex, you run OSS-Fuzz on SpiderMonkey, right? needinfo to make sure you're aware of this change.
Flags: needinfo?(agaynor)
Comment 14•6 years ago
|
||
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/5bba65880a66 Add a fuzz-flags.txt file containing interesting flags for fuzzing; r=jandem
Comment 15•6 years ago
|
||
Thanks; filed https://github.com/google/oss-fuzz/issues/1425 on the OSS-Fuzz side to see how we can leverage this.
Flags: needinfo?(agaynor)
Comment 16•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/5bba65880a66
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox62:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Just saw this bugmail from being away on PTO. The ones that funfuzz uses that aren't present: --enable-avx --no-avx --cache-ir-stubs=on/off --ion-pgo=on/off --ion-sincos=on/off --ion-instruction-reordering=on --ion-shared-stubs=on --ion-regalloc=testbed --non-writable-jitcode --ion-loop-unrolling=on/off --ion-scalar-replacement=on/off --ion-range-analysis=on/off --ion-edgecase-analysis=on/off --ion-limit-script-size=on/off --ion-osr=on/off --ion-inlining=on/off --ion-gvn=on/off --ion-licm=on/off --no-unboxed-objects --dump-bytecode calling --no-baseline when --baseline-eager is not present calling --no-ion when --ion is not present GC-related that were separated out from the above: --no-incremental-gc --no-ggc --no-cgc --gc-zeal=<some variable numbers> Let me know which ones are also worth adding to fuzz-flags.txt so I'll file a new bug. === Reference files/links for the funfuzz harness (jsfunfuzz et. al): arch-specific: (e.g. ARM stuff) https://github.com/MozillaSecurity/funfuzz/blob/b4a7f75/src/funfuzz/js/shell_flags.py#L54 ion: https://github.com/MozillaSecurity/funfuzz/blob/b4a7f75/src/funfuzz/js/shell_flags.py#L91 wasm: https://github.com/MozillaSecurity/funfuzz/blob/b4a7f75/src/funfuzz/js/shell_flags.py#L172 main chunk: https://github.com/MozillaSecurity/funfuzz/blob/b4a7f75/src/funfuzz/js/shell_flags.py#L203
Comment 18•6 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #17) > --enable-avx > --no-avx These would be good to have to make sure we don't regress the AVX codegen (it's currently disabled). > --cache-ir-stubs=on/off > --ion-pgo=on/off > --ion-sincos=on/off > --ion-instruction-reordering=on > --ion-shared-stubs=on > --ion-regalloc=testbed > --non-writable-jitcode > --ion-loop-unrolling=on/off > --ion-scalar-replacement=on/off > --ion-range-analysis=on/off > --ion-edgecase-analysis=on/off > --ion-limit-script-size=on/off > --ion-osr=on/off > --ion-inlining=on/off > --ion-gvn=on/off > --ion-licm=on/off > --no-unboxed-objects The --non-writable-jitcode flag is a no-op we kept for fuzzing so we shouldn't add it. It might make sense to add both the on and off versions of the rest of these. Most of them are enabled by default, but at the same time it shouldn't hurt to enable explicitly. > GC-related that were separated out from the above: > --no-incremental-gc > --no-ggc > --no-cgc > --gc-zeal=<some variable numbers> Probably fine too. The --gc-zeal one is more complicated because it wants a random number but we also have gczeal() so I don't know if it's necessary.
You need to log in
before you can comment on or make changes to this bug.
Description
•