v8/tools/testrunner/testproc/fuzzer.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

363 lines
11 KiB
Python
Raw Normal View History

# Copyright 2018 the V8 project authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
from collections import namedtuple
import time
from . import base
# Extra flags randomly added to all fuzz tests with numfuzz. List of tuples
# (probability, flag).
EXTRA_FLAGS = [
(0.1, '--always-opt'),
(0.1, '--assert-types'),
(0.1, '--interrupt-budget-for-feedback-allocation=0'),
(0.1, '--cache=code'),
(0.25, '--compact-maps'),
(0.1, '--force-slow-path'),
(0.2, '--future'),
(0.1, '--interrupt-budget=100'),
(0.1, '--liftoff'),
(0.2, '--no-analyze-environment-liveness'),
# TODO(machenbach): Enable when it doesn't collide with crashing on missing
# simd features.
#(0.1, '--no-enable-sse3'),
#(0.1, '--no-enable-ssse3'),
#(0.1, '--no-enable-sse4_1'),
(0.1, '--no-enable-sse4_2'),
(0.1, '--no-enable-sahf'),
(0.1, '--no-enable-avx'),
(0.1, '--no-enable-fma3'),
(0.1, '--no-enable-bmi1'),
(0.1, '--no-enable-bmi2'),
(0.1, '--no-enable-lzcnt'),
(0.1, '--no-enable-popcnt'),
(0.3, '--no-lazy-feedback-allocation'),
(0.1, '--no-liftoff'),
(0.1, '--no-opt'),
(0.2, '--no-regexp-tier-up'),
(0.25, '--no-use-map-space'),
(0.1, '--no-wasm-tier-up'),
(0.1, '--regexp-interpret-all'),
(0.1, '--regexp-tier-up-ticks=10'),
(0.1, '--regexp-tier-up-ticks=100'),
(0.1, '--stress-background-compile'),
(0.1, '--stress-concurrent-inlining'),
(0.1, '--stress-flush-code'),
(0.1, '--stress-lazy-source-positions'),
(0.1, '--stress-wasm-code-gc'),
(0.1, '--turbo-instruction-scheduling'),
(0.1, '--turbo-stress-instruction-scheduling'),
(0.1, '--turbo-force-mid-tier-regalloc'),
]
def random_extra_flags(rng):
"""Returns a random list of flags chosen from the configurations in
EXTRA_FLAGS.
"""
return [flag for prob, flag in EXTRA_FLAGS if rng.random() < prob]
class FuzzerConfig(object):
def __init__(self, probability, analyzer, fuzzer):
"""
Args:
probability: of choosing this fuzzer (0; 10]
analyzer: instance of Analyzer class, can be None if no analysis is needed
fuzzer: instance of Fuzzer class
"""
assert probability > 0 and probability <= 10
self.probability = probability
self.analyzer = analyzer
self.fuzzer = fuzzer
class Analyzer(object):
def get_analysis_flags(self):
raise NotImplementedError()
def do_analysis(self, result):
raise NotImplementedError()
class Fuzzer(object):
def create_flags_generator(self, rng, test, analysis_value):
"""
Args:
rng: random number generator
test: test for which to create flags
analysis_value: value returned by the analyzer. None if there is no
corresponding analyzer to this fuzzer or the analysis phase is disabled
"""
raise NotImplementedError()
# TODO(majeski): Allow multiple subtests to run at once.
class FuzzerProc(base.TestProcProducer):
def __init__(self, rng, count, fuzzers, disable_analysis=False):
"""
Args:
rng: random number generator used to select flags and values for them
count: number of tests to generate based on each base test
fuzzers: list of FuzzerConfig instances
disable_analysis: disable analysis phase and filtering base on it. When
set, processor passes None as analysis result to fuzzers
"""
super(FuzzerProc, self).__init__('Fuzzer')
self._rng = rng
self._count = count
self._fuzzer_configs = fuzzers
self._disable_analysis = disable_analysis
self._gens = {}
def setup(self, requirement=base.DROP_RESULT):
# Fuzzer is optimized to not store the results
assert requirement == base.DROP_RESULT
super(FuzzerProc, self).setup(requirement)
def _next_test(self, test):
if self.is_stopped:
return False
analysis_subtest = self._create_analysis_subtest(test)
if analysis_subtest:
return self._send_test(analysis_subtest)
self._gens[test.procid] = self._create_gen(test)
return self._try_send_next_test(test)
def _create_analysis_subtest(self, test):
if self._disable_analysis:
return None
analysis_flags = []
for fuzzer_config in self._fuzzer_configs:
if fuzzer_config.analyzer:
analysis_flags += fuzzer_config.analyzer.get_analysis_flags()
if analysis_flags:
analysis_flags = list(set(analysis_flags))
return self._create_subtest(test, 'analysis', flags=analysis_flags,
keep_output=True)
def _result_for(self, test, subtest, result):
if not self._disable_analysis:
if result is not None:
# Analysis phase, for fuzzing we drop the result.
if result.has_unexpected_output:
self._send_result(test, None)
return
self._gens[test.procid] = self._create_gen(test, result)
self._try_send_next_test(test)
def _create_gen(self, test, analysis_result=None):
# It will be called with analysis_result==None only when there is no
# analysis phase at all, so no fuzzer has it's own analyzer.
gens = []
indexes = []
for fuzzer_config in self._fuzzer_configs:
analysis_value = None
if analysis_result and fuzzer_config.analyzer:
analysis_value = fuzzer_config.analyzer.do_analysis(analysis_result)
if not analysis_value:
# Skip fuzzer for this test since it doesn't have analysis data
continue
p = fuzzer_config.probability
flag_gen = fuzzer_config.fuzzer.create_flags_generator(self._rng, test,
analysis_value)
indexes += [len(gens)] * p
gens.append((p, flag_gen))
if not gens:
# No fuzzers for this test, skip it
return
i = 0
while not self._count or i < self._count:
main_index = self._rng.choice(indexes)
_, main_gen = gens[main_index]
flags = random_extra_flags(self._rng) + next(main_gen)
for index, (p, gen) in enumerate(gens):
if index == main_index:
continue
if self._rng.randint(1, 10) <= p:
flags += next(gen)
flags.append('--fuzzer-random-seed=%s' % self._next_seed())
yield self._create_subtest(test, str(i), flags=flags)
i += 1
def _try_send_next_test(self, test):
if not self.is_stopped:
for subtest in self._gens[test.procid]:
if self._send_test(subtest):
return True
del self._gens[test.procid]
return False
def _next_seed(self):
seed = None
while not seed:
seed = self._rng.randint(-2147483648, 2147483647)
return seed
class ScavengeAnalyzer(Analyzer):
def get_analysis_flags(self):
return ['--fuzzer-gc-analysis']
def do_analysis(self, result):
for line in reversed(result.output.stdout.splitlines()):
if line.startswith('### Maximum new space size reached = '):
return int(float(line.split()[7]))
class ScavengeFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--stress-scavenge=%d' % (analysis_value or 100)]
class MarkingAnalyzer(Analyzer):
def get_analysis_flags(self):
return ['--fuzzer-gc-analysis']
def do_analysis(self, result):
for line in reversed(result.output.stdout.splitlines()):
if line.startswith('### Maximum marking limit reached = '):
return int(float(line.split()[6]))
class MarkingFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--stress-marking=%d' % (analysis_value or 100)]
class GcIntervalAnalyzer(Analyzer):
def get_analysis_flags(self):
return ['--fuzzer-gc-analysis']
def do_analysis(self, result):
for line in reversed(result.output.stdout.splitlines()):
if line.startswith('### Allocations = '):
return int(float(line.split()[3][:-1]))
class GcIntervalFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
if analysis_value:
value = analysis_value // 10
else:
value = 10000
while True:
yield ['--random-gc-interval=%d' % value]
class CompactionFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--stress-compaction-random']
class InterruptBudgetFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
# Half with half without lazy feedback allocation. The first flag
# overwrites potential flag negations from the extra flags list.
flag1 = rng.choice(
'--lazy-feedback-allocation', '--no-lazy-feedback-allocation')
# For most code paths, only one of the flags below has a meaning
# based on the flag above.
flag2 = '--interrupt-budget=%d' % rng.randint(0, 135168)
flag3 = '--interrupt-budget-for-feedback-allocation=%d' % rng.randint(
0, 940)
yield [flag1, flag2, flag3]
class StackSizeFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--stack-size=%d' % rng.randint(54, 983)]
class TaskDelayFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--stress-delay-tasks']
class ThreadPoolSizeFuzzer(Fuzzer):
def create_flags_generator(self, rng, test, analysis_value):
while True:
yield ['--thread-pool-size=%d' % rng.randint(1, 8)]
class DeoptAnalyzer(Analyzer):
MAX_DEOPT=1000000000
def __init__(self, min_interval):
super(DeoptAnalyzer, self).__init__()
self._min = min_interval
def get_analysis_flags(self):
return ['--deopt-every-n-times=%d' % self.MAX_DEOPT,
'--print-deopt-stress']
def do_analysis(self, result):
for line in reversed(result.output.stdout.splitlines()):
if line.startswith('=== Stress deopt counter: '):
counter = self.MAX_DEOPT - int(line.split(' ')[-1])
if counter < self._min:
# Skip this test since we won't generate any meaningful interval with
# given minimum.
return None
return counter
class DeoptFuzzer(Fuzzer):
def __init__(self, min_interval):
super(DeoptFuzzer, self).__init__()
self._min = min_interval
def create_flags_generator(self, rng, test, analysis_value):
while True:
if analysis_value:
value = analysis_value // 2
else:
value = 10000
interval = rng.randint(self._min, max(value, self._min))
yield ['--deopt-every-n-times=%d' % interval]
FUZZERS = {
'compaction': (None, CompactionFuzzer),
'delay': (None, TaskDelayFuzzer),
'deopt': (DeoptAnalyzer, DeoptFuzzer),
'gc_interval': (GcIntervalAnalyzer, GcIntervalFuzzer),
'interrupt': InterruptBudgetFuzzer,
'marking': (MarkingAnalyzer, MarkingFuzzer),
'scavenge': (ScavengeAnalyzer, ScavengeFuzzer),
'stack': (None, StackSizeFuzzer),
'threads': (None, ThreadPoolSizeFuzzer),
}
def create_fuzzer_config(name, probability, *args, **kwargs):
analyzer_class, fuzzer_class = FUZZERS[name]
return FuzzerConfig(
probability,
analyzer_class(*args, **kwargs) if analyzer_class else None,
fuzzer_class(*args, **kwargs),
)