Changeset 252978 in webkit

Timestamp:

Dec 1, 2019 10:44:16 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Add FuzzerAgent that reads predictions from a file
​https://bugs.webkit.org/show_bug.cgi?id=203898

Patch by Tuomas Karkkainen <​tuomas.webkit@apple.com> on 2019-12-01
Reviewed by Mark Lam.

This patch adds a FuzzerAgent that reads predictions from a file. The predictions in the file are
correlated with the prediction sites using the name of the JavaScript source file, the opcode, and
start and end offsets in the source. There is also a separate FuzzerAgent that can be used to create
the prediction files.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• runtime/FileBasedFuzzerAgent.cpp: Added.
• runtime/FileBasedFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
• runtime/FileBasedFuzzerAgentBase.cpp: Added.
• runtime/FileBasedFuzzerAgentBase.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
• runtime/FuzzerPredictions.cpp: Added.
• runtime/FuzzerPredictions.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
• runtime/Options.cpp:
• runtime/OptionsList.h:
• runtime/PredictionFileCreatingFuzzerAgent.cpp: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
• runtime/PredictionFileCreatingFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
• runtime/RandomizingFuzzerAgent.cpp:
• runtime/VM.cpp:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (9 diffs)
• Sources.txt (modified) (3 diffs)
• runtime/FileBasedFuzzerAgent.cpp (added)
• runtime/FileBasedFuzzerAgent.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp) (1 diff)
• runtime/FileBasedFuzzerAgentBase.cpp (added)
• runtime/FileBasedFuzzerAgentBase.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp) (1 diff)
• runtime/FuzzerPredictions.cpp (added)
• runtime/FuzzerPredictions.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp) (1 diff)
• runtime/Options.cpp (modified) (1 diff)
• runtime/OptionsList.h (modified) (1 diff)
• runtime/PredictionFileCreatingFuzzerAgent.cpp (copied) (copied from trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp) (1 diff)
• runtime/PredictionFileCreatingFuzzerAgent.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp) (1 diff)
• runtime/RandomizingFuzzerAgent.cpp (modified) (1 diff)
• runtime/VM.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-12-01  Tuomas Karkkainen  <tuomas.webkit@apple.com>
+
+        Add FuzzerAgent that reads predictions from a file
+        https://bugs.webkit.org/show_bug.cgi?id=203898
+
+        Reviewed by Mark Lam.
+
+        This patch adds a FuzzerAgent that reads predictions from a file. The predictions in the file are
+        correlated with the prediction sites using the name of the JavaScript source file, the opcode, and
+        start and end offsets in the source. There is also a separate FuzzerAgent that can be used to create
+        the prediction files.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * runtime/FileBasedFuzzerAgent.cpp: Added.
+        * runtime/FileBasedFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+        * runtime/FileBasedFuzzerAgentBase.cpp: Added.
+        * runtime/FileBasedFuzzerAgentBase.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+        * runtime/FuzzerPredictions.cpp: Added.
+        * runtime/FuzzerPredictions.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+        * runtime/Options.cpp:
+        * runtime/OptionsList.h:
+        * runtime/PredictionFileCreatingFuzzerAgent.cpp: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+        * runtime/PredictionFileCreatingFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+        * runtime/RandomizingFuzzerAgent.cpp:
+        * runtime/VM.cpp:
+
 2019-12-01  Caio Lima  <ticaiolima@gmail.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1740 +1740 @@
                 C4F4B6F51A05C984005CAB76 /* generate_objc_protocol_types_implementation.py in Headers */ = {isa = PBXBuildFile; fileRef = C4F4B6D71A05C76F005CAB76 /* generate_objc_protocol_types_implementation.py */; settings = {ATTRIBUTES = (Private, ); }; };
                 C4F4B6F61A05C984005CAB76 /* objc_generator_templates.py in Headers */ = {isa = PBXBuildFile; fileRef = C4F4B6D81A05C76F005CAB76 /* objc_generator_templates.py */; settings = {ATTRIBUTES = (Private, ); }; };
+                CE20BD05237D3E230046E520 /* FileBasedFuzzerAgentBase.h in Headers */ = {isa = PBXBuildFile; fileRef = CE20BD03237D3AD40046E520 /* FileBasedFuzzerAgentBase.h */; };
+                CE20BD07237D3E480046E520 /* PredictionFileCreatingFuzzerAgent.h in Headers */ = {isa = PBXBuildFile; fileRef = CE20BD01237D3AD40046E520 /* PredictionFileCreatingFuzzerAgent.h */; };
                 CEAE7D7B889B477BA93ABA6C /* ScriptFetcher.h in Headers */ = {isa = PBXBuildFile; fileRef = 8852151A9C3842389B3215B7 /* ScriptFetcher.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                CECFAD362372DAD000291599 /* FuzzerPredictions.h in Headers */ = {isa = PBXBuildFile; fileRef = CECFAD342372DAA700291599 /* FuzzerPredictions.h */; };
+                CECFAD372372DAD400291599 /* FileBasedFuzzerAgent.h in Headers */ = {isa = PBXBuildFile; fileRef = CECFAD322372DAA700291599 /* FileBasedFuzzerAgent.h */; };
                 D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */; };
                 DC00039319D8BE6F00023EB0 /* DFGPreciseLocalClobberize.h in Headers */ = {isa = PBXBuildFile; fileRef = DC00039019D8BE6F00023EB0 /* DFGPreciseLocalClobberize.h */; };
@@ -4822 +4826 @@
                 C4F4B6D71A05C76F005CAB76 /* generate_objc_protocol_types_implementation.py */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.python; path = generate_objc_protocol_types_implementation.py; sourceTree = "<group>"; };
                 C4F4B6D81A05C76F005CAB76 /* objc_generator_templates.py */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.python; path = objc_generator_templates.py; sourceTree = "<group>"; };
+                CE20BD01237D3AD40046E520 /* PredictionFileCreatingFuzzerAgent.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PredictionFileCreatingFuzzerAgent.h; sourceTree = "<group>"; };
+                CE20BD02237D3AD40046E520 /* PredictionFileCreatingFuzzerAgent.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = PredictionFileCreatingFuzzerAgent.cpp; sourceTree = "<group>"; };
+                CE20BD03237D3AD40046E520 /* FileBasedFuzzerAgentBase.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FileBasedFuzzerAgentBase.h; sourceTree = "<group>"; };
+                CE20BD04237D3AD40046E520 /* FileBasedFuzzerAgentBase.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FileBasedFuzzerAgentBase.cpp; sourceTree = "<group>"; };
+                CECFAD322372DAA700291599 /* FileBasedFuzzerAgent.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FileBasedFuzzerAgent.h; sourceTree = "<group>"; };
+                CECFAD332372DAA700291599 /* FileBasedFuzzerAgent.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FileBasedFuzzerAgent.cpp; sourceTree = "<group>"; };
+                CECFAD342372DAA700291599 /* FuzzerPredictions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FuzzerPredictions.h; sourceTree = "<group>"; };
+                CECFAD352372DAA700291599 /* FuzzerPredictions.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FuzzerPredictions.cpp; sourceTree = "<group>"; };
                 D21202280AD4310C00ED79B6 /* DateConversion.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DateConversion.cpp; sourceTree = "<group>"; };
                 D21202290AD4310C00ED79B6 /* DateConversion.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DateConversion.h; sourceTree = "<group>"; };
@@ -7084 +7096 @@
                                 147341CB1DC02D7200AA29BA /* ExecutableBase.h */,
                                 E35A0B9C220AD87A00AC4474 /* ExecutableBaseInlines.h */,
+                                CECFAD332372DAA700291599 /* FileBasedFuzzerAgent.cpp */,
+                                CECFAD322372DAA700291599 /* FileBasedFuzzerAgent.h */,
+                                CE20BD04237D3AD40046E520 /* FileBasedFuzzerAgentBase.cpp */,
+                                CE20BD03237D3AD40046E520 /* FileBasedFuzzerAgentBase.h */,
                                 A7A8AF2917ADB5F3005AB174 /* Float32Array.h */,
                                 A7A8AF2A17ADB5F3005AB174 /* Float64Array.h */,
@@ -7101 +7117 @@
                                 E33A94952255322A00D42B06 /* FuzzerAgent.cpp */,
                                 E33A94922255322900D42B06 /* FuzzerAgent.h */,
+                                CECFAD352372DAA700291599 /* FuzzerPredictions.cpp */,
+                                CECFAD342372DAA700291599 /* FuzzerPredictions.h */,
                                 70B791851C024432002481E2 /* GeneratorFunctionConstructor.cpp */,
                                 70B791861C024432002481E2 /* GeneratorFunctionConstructor.h */,
@@ -7421 +7439 @@
                                 FE3842312324D51B009DD445 /* OptionsList.h */,
                                 37C738D11EDB5672003F2B0B /* ParseInt.h */,
+                                CE20BD02237D3AD40046E520 /* PredictionFileCreatingFuzzerAgent.cpp */,
+                                CE20BD01237D3AD40046E520 /* PredictionFileCreatingFuzzerAgent.h */,
                                 868916A9155F285400CB2B9A /* PrivateName.h */,
                                 147341DF1DC2CE9600AA29BA /* ProgramExecutable.cpp */,
@@ -9587 +9607 @@
                                 A1587D6E1B4DC14100D69849 /* IntlDateTimeFormat.h in Headers */,
                                 A1587D701B4DC14100D69849 /* IntlDateTimeFormatConstructor.h in Headers */,
+                                CE20BD05237D3E230046E520 /* FileBasedFuzzerAgentBase.h in Headers */,
                                 A1587D751B4DC1C600D69849 /* IntlDateTimeFormatConstructor.lut.h in Headers */,
                                 A1587D721B4DC14100D69849 /* IntlDateTimeFormatPrototype.h in Headers */,
@@ -9883 +9904 @@
                                 141448CB13A176EC00F5BA1A /* MarkedBlockSet.h in Headers */,
                                 14D2F3DB139F4BE200491031 /* MarkedSpace.h in Headers */,
+                                CE20BD07237D3E480046E520 /* PredictionFileCreatingFuzzerAgent.h in Headers */,
                                 0F7DF1351E2970DC0095951B /* MarkedSpaceInlines.h in Headers */,
                                 0F660E381E0517BB0031462C /* MarkingConstraint.h in Headers */,
@@ -9999 +10021 @@
                                 79B00CBD1C6AB07E0088C65D /* ProxyConstructor.h in Headers */,
                                 79B00CBF1C6AB07E0088C65D /* ProxyObject.h in Headers */,
+                                CECFAD372372DAD400291599 /* FileBasedFuzzerAgent.h in Headers */,
                                 79160DBE1C8E3EC8008C085A /* ProxyRevoke.h in Headers */,
                                 0F5780A218FE1E98001E72D9 /* PureNaN.h in Headers */,
@@ -10077 +10100 @@
                                 0F4D8C781FCA3CFA001D32AC /* SimpleMarkingConstraint.h in Headers */,
                                 0F2B670517B6B5AB00A7AE3F /* SimpleTypedArrayController.h in Headers */,
+                                CECFAD362372DAD000291599 /* FuzzerPredictions.h in Headers */,
                                 14BA78F113AAB88F005B7C2C /* SlotVisitor.h in Headers */,
                                 C2160FE715F7E95E00942DFC /* SlotVisitorInlines.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -767 +767 @@
 runtime/ExceptionScope.cpp
 runtime/ExecutableBase.cpp
+runtime/FileBasedFuzzerAgent.cpp
+runtime/FileBasedFuzzerAgentBase.cpp
 runtime/FunctionConstructor.cpp
 runtime/FunctionExecutable.cpp
@@ -774 +776 @@
 runtime/FunctionRareData.cpp
 runtime/FuzzerAgent.cpp
+runtime/FuzzerPredictions.cpp
 runtime/GeneratorFunctionConstructor.cpp
 runtime/GeneratorFunctionPrototype.cpp
@@ -904 +907 @@
 runtime/Operations.cpp
 runtime/Options.cpp
+runtime/PredictionFileCreatingFuzzerAgent.cpp
 runtime/ProgramExecutable.cpp
 runtime/PromiseTimer.cpp

trunk/Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.h

@@ -24 +24 @@
  */
 
-#include "config.h"
-#include "RandomizingFuzzerAgent.h"
+#pragma once
 
-#include "CodeBlock.h"
-#include <wtf/Locker.h>
+#include "FileBasedFuzzerAgentBase.h"
 
 namespace JSC {
 
-RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
-    : m_random(Options::seedOfRandomizingFuzzerAgent())
-{
-}
+class VM;
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
-{
-    auto locker = holdLock(m_lock);
-    uint32_t high = m_random.getUint32();
-    uint32_t low = m_random.getUint32();
-    SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
-    return generated;
-}
+class FileBasedFuzzerAgent final : public FileBasedFuzzerAgentBase {
+    WTF_MAKE_FAST_ALLOCATED;
+
+public:
+    FileBasedFuzzerAgent(VM&);
+
+protected:
+    SpeculatedType getPredictionInternal(CodeBlock*, PredictionTarget&, SpeculatedType original) override;
+};
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/FileBasedFuzzerAgentBase.h

@@ -24 +24 @@
  */
 
-#include "config.h"
-#include "RandomizingFuzzerAgent.h"
+#pragma once
 
-#include "CodeBlock.h"
-#include <wtf/Locker.h>
+#include "FuzzerAgent.h"
+#include "Opcode.h"
+#include <wtf/Lock.h>
 
 namespace JSC {
 
-RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
-    : m_random(Options::seedOfRandomizingFuzzerAgent())
-{
-}
+class VM;
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
-{
-    auto locker = holdLock(m_lock);
-    uint32_t high = m_random.getUint32();
-    uint32_t low = m_random.getUint32();
-    SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
-    return generated;
-}
+struct PredictionTarget {
+    BytecodeIndex bytecodeIndex;
+    int divot;
+    int startOffset;
+    int endOffset;
+    unsigned line;
+    unsigned column;
+    OpcodeID opcodeId;
+    String sourceFilename;
+    String lookupKey;
+};
+
+class FileBasedFuzzerAgentBase : public FuzzerAgent {
+    WTF_MAKE_FAST_ALLOCATED;
+
+public:
+    FileBasedFuzzerAgentBase(VM&);
+
+protected:
+    Lock m_lock;
+    virtual SpeculatedType getPredictionInternal(CodeBlock*, PredictionTarget&, SpeculatedType original) = 0;
+
+public:
+    SpeculatedType getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType original) final;
+
+protected:
+    static String createLookupKey(const String& sourceFilename, OpcodeID, int startLocation, int endLocation);
+    static OpcodeID opcodeAliasForLookupKey(const OpcodeID&);
+};
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/FuzzerPredictions.h

@@ -24 +24 @@
  */
 
-#include "config.h"
-#include "RandomizingFuzzerAgent.h"
+#pragma once
 
-#include "CodeBlock.h"
-#include <wtf/Locker.h>
+#include <bytecode/CodeBlock.h>
+#include <wtf/HashMap.h>
+#include <wtf/text/WTFString.h>
 
 namespace JSC {
 
-RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
-    : m_random(Options::seedOfRandomizingFuzzerAgent())
-{
-}
+class FuzzerPredictions {
+public:
+    JS_EXPORT_PRIVATE FuzzerPredictions(const char*);
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
-{
-    auto locker = holdLock(m_lock);
-    uint32_t high = m_random.getUint32();
-    uint32_t low = m_random.getUint32();
-    SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
-    return generated;
-}
+    Optional<SpeculatedType> predictionFor(const String&);
+
+private:
+    HashMap<String, SpeculatedType> m_predictions;
+};
+
+JS_EXPORT_PRIVATE FuzzerPredictions& ensureGlobalFuzzerPredictions();
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/Options.cpp

@@ -449 +449 @@
         || Options::verboseDFGFailure()
         || Options::verboseFTLFailure()
-        || Options::dumpRandomizingFuzzerAgentPredictions())
+        || Options::dumpFuzzerAgentPredictions())
         Options::alwaysComputeHash() = true;
     

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -395 +395 @@
     v(Bool, useRandomizingFuzzerAgent, false, Normal, nullptr) \
     v(Unsigned, seedOfRandomizingFuzzerAgent, 1, Normal, nullptr) \
-    v(Bool, dumpRandomizingFuzzerAgentPredictions, false, Normal, nullptr) \
+    v(Bool, dumpFuzzerAgentPredictions, false, Normal, nullptr) \
     v(Bool, useDoublePredictionFuzzerAgent, false, Normal, nullptr) \
+    v(Bool, useFileBasedFuzzerAgent, false, Normal, nullptr) \
+    v(Bool, usePredictionFileCreatingFuzzerAgent, false, Normal, nullptr) \
+    v(Bool, requirePredictionForFileBasedFuzzerAgent, false, Normal, nullptr) \
+    v(OptionString, fuzzerPredictionsFile, nullptr, Normal, "file with list of predictions for FileBasedFuzzerAgent") \
     \
     v(Bool, logPhaseTimes, false, Normal, nullptr) \

trunk/Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp

@@ -25 +25 @@
 
 #include "config.h"
-#include "RandomizingFuzzerAgent.h"
-
-#include "CodeBlock.h"
-#include <wtf/Locker.h>
+#include "PredictionFileCreatingFuzzerAgent.h"
 
 namespace JSC {
 
-RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
-    : m_random(Options::seedOfRandomizingFuzzerAgent())
+PredictionFileCreatingFuzzerAgent::PredictionFileCreatingFuzzerAgent(VM& vm)
+    : FileBasedFuzzerAgentBase(vm)
 {
 }
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
+SpeculatedType PredictionFileCreatingFuzzerAgent::getPredictionInternal(CodeBlock*, PredictionTarget& predictionTarget, SpeculatedType original)
 {
-    auto locker = holdLock(m_lock);
-    uint32_t high = m_random.getUint32();
-    uint32_t low = m_random.getUint32();
-    SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
-    return generated;
+    switch (predictionTarget.opcodeId) {
+    case op_to_this:
+    case op_bitand:
+    case op_bitor:
+    case op_bitxor:
+    case op_bitnot:
+    case op_lshift:
+    case op_rshift:
+    case op_get_by_val:
+    case op_get_argument:
+    case op_get_from_arguments:
+    case op_get_from_scope:
+    case op_to_number:
+    case op_get_by_id:
+    case op_get_by_id_with_this:
+    case op_get_by_val_with_this:
+    case op_get_direct_pname:
+    case op_construct:
+    case op_construct_varargs:
+    case op_call:
+    case op_call_eval:
+    case op_call_varargs:
+    case op_tail_call:
+    case op_tail_call_varargs:
+        dataLogF("%s:%llx\n", predictionTarget.lookupKey.utf8().data(), original);
+        break;
+
+    default:
+        RELEASE_ASSERT_WITH_MESSAGE(false, "unhandled opcode: %s", toString(predictionTarget.opcodeId).utf8().data());
+    }
+    return original;
 }
 

trunk/Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.h

@@ -24 +24 @@
  */
 
-#include "config.h"
-#include "RandomizingFuzzerAgent.h"
+#pragma once
 
-#include "CodeBlock.h"
-#include <wtf/Locker.h>
+#include "FileBasedFuzzerAgentBase.h"
 
 namespace JSC {
 
-RandomizingFuzzerAgent::RandomizingFuzzerAgent(VM&)
-    : m_random(Options::seedOfRandomizingFuzzerAgent())
-{
-}
+class VM;
 
-SpeculatedType RandomizingFuzzerAgent::getPrediction(CodeBlock* codeBlock, const CodeOrigin& codeOrigin, SpeculatedType original)
-{
-    auto locker = holdLock(m_lock);
-    uint32_t high = m_random.getUint32();
-    uint32_t low = m_random.getUint32();
-    SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
-        dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
-    return generated;
-}
+class PredictionFileCreatingFuzzerAgent final : public FileBasedFuzzerAgentBase {
+    WTF_MAKE_FAST_ALLOCATED;
+
+public:
+    PredictionFileCreatingFuzzerAgent(VM&);
+
+protected:
+    SpeculatedType getPredictionInternal(CodeBlock*, PredictionTarget&, SpeculatedType original) override;
+};
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp

@@ -43 +43 @@
     uint32_t low = m_random.getUint32();
     SpeculatedType generated = static_cast<SpeculatedType>((static_cast<uint64_t>(high) << 32) | low) & SpecFullTop;
-    if (Options::dumpRandomizingFuzzerAgentPredictions())
+    if (Options::dumpFuzzerAgentPredictions())
         dataLogLn("getPrediction name:(", codeBlock->inferredName(), "#", codeBlock->hashAsStringIfPossible(), "),bytecodeIndex:(", codeOrigin.bytecodeIndex(), "),original:(", SpeculationDump(original), "),generated:(", SpeculationDump(generated), ")");
     return generated;

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -51 +51 @@
 #include "FTLThunks.h"
 #include "FastMallocAlignedMemoryAllocator.h"
+#include "FileBasedFuzzerAgent.h"
 #include "FunctionCodeBlock.h"
 #include "FunctionConstructor.h"
@@ -118 +119 @@
 #include "ObjCCallbackFunction.h"
 #include "Parser.h"
+#include "PredictionFileCreatingFuzzerAgent.h"
 #include "ProfilerDatabase.h"
 #include "ProgramCodeBlock.h"
@@ -464 +466 @@
     if (Options::useDoublePredictionFuzzerAgent())
         setFuzzerAgent(makeUnique<DoublePredictionFuzzerAgent>(*this));
+    if (Options::useFileBasedFuzzerAgent())
+        setFuzzerAgent(makeUnique<FileBasedFuzzerAgent>(*this));
+    if (Options::usePredictionFileCreatingFuzzerAgent())
+        setFuzzerAgent(makeUnique<PredictionFileCreatingFuzzerAgent>(*this));
 
     if (Options::alwaysGeneratePCToCodeOriginMap())