mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Backed out changeset d3d587531672 (bug 1794784) for causing spidermonkey bustages on BaselineCacheIRCompiler.cpp. CLOSED TREE

This commit is contained in:
Csoregi Natalia 2022-10-27 19:33:10 +03:00
Родитель 0ccfd247ed
Коммит df1fd00af6
27 изменённых файлов: 36 добавлений и 896 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

65
js/src/builtin/TestingFunctions.cpp
Просмотреть файл

@ -49,8 +49,6 @@
# include "builtin/intl/FormatBuffer.h"
# include "builtin/intl/SharedIntlData.h"
#endif
#include "builtin/BigInt.h"
#include "builtin/MapObject.h"
#include "builtin/Promise.h"
#include "builtin/TestingUtility.h" // js::ParseCompileOptions, js::ParseDebugMetadata
#include "frontend/BytecodeCompilation.h" // frontend::CompileGlobalScriptToExtensibleStencil, frontend::DelazifyCanonicalScriptedFunction
@ -103,8 +101,6 @@
#include "util/DifferentialTesting.h"
#include "util/StringBuffer.h"
#include "util/Text.h"
#include "vm/BooleanObject.h"
#include "vm/DateObject.h"
#include "vm/ErrorContext.h" // AutoReportFrontendContext
#include "vm/ErrorObject.h"
#include "vm/GlobalObject.h"
@ -113,7 +109,6 @@
#include "vm/Interpreter.h"
#include "vm/JSContext.h"
#include "vm/JSObject.h"
#include "vm/NumberObject.h"
#include "vm/PlainObject.h" // js::PlainObject
#include "vm/PromiseObject.h" // js::PromiseObject, js::PromiseSlot_*
#include "vm/ProxyObject.h"
@ -121,7 +116,6 @@
#include "vm/ScopeKind.h"
#include "vm/Stack.h"
#include "vm/StencilObject.h" // StencilObject, StencilXDRBufferObject
#include "vm/StringObject.h"
#include "vm/StringType.h"
#include "wasm/AsmJS.h"
#include "wasm/WasmBaselineCompile.h"
@ -4764,13 +4758,6 @@ static mozilla::Maybe<JS::StructuredCloneScope> ParseCloneScope(
bool js::testingFunc_serialize(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
if (js::SupportDifferentialTesting()) {
RootedObject callee(cx, &args.callee());
ReportUsageErrorASCII(cx, callee,
"Function unavailable in differential testing mode.");
return false;
}
mozilla::Maybe<JSAutoStructuredCloneBuffer> clonebuf;
JS::CloneDataPolicy policy;
@ -4868,13 +4855,6 @@ bool js::testingFunc_serialize(JSContext* cx, unsigned argc, Value* vp) {
static bool Deserialize(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
if (js::SupportDifferentialTesting()) {
RootedObject callee(cx, &args.callee());
ReportUsageErrorASCII(cx, callee,
"Function unavailable in differential testing mode.");
return false;
}
if (!args.get(0).isObject() || !args[0].toObject().is<CloneBufferObject>()) {
JS_ReportErrorASCII(cx, "deserialize requires a clonebuffer argument");
return false;
@ -9224,48 +9204,3 @@ bool js::DefineTestingFunctions(JSContext* cx, HandleObject obj,
return JS_DefineFunctionsWithHelp(cx, obj, TestingFunctions);
}
#ifdef FUZZING_JS_FUZZILLI
uint32_t js::FuzzilliHashDouble(double value) {
// We shouldn't GC here as this is called directly from IC code.
AutoUnsafeCallWithABI unsafe;
uint64_t v = mozilla::BitwiseCast<uint64_t>(value);
return static_cast<uint32_t>(v) + static_cast<uint32_t>(v >> 32);
}
uint32_t js::FuzzilliHashBigInt(BigInt* bigInt) {
// We shouldn't GC here as this is called directly from IC code.
AutoUnsafeCallWithABI unsafe;
return bigInt->hash();
}
void js::FuzzilliHashObject(JSContext* cx, JSObject* obj) {
// called from IC and baseline/interpreter
uint32_t hash;
FuzzilliHashObjectInl(cx, obj, &hash);
cx->executionHashInputs += 1;
cx->executionHash = mozilla::RotateLeft(cx->executionHash + hash, 1);
}
void js::FuzzilliHashObjectInl(JSContext* cx, JSObject* obj, uint32_t* out) {
*out = 0;
RootedValue v(cx);
v.setObject(*obj);
JSAutoStructuredCloneBuffer JSCloner(
JS::StructuredCloneScope::DifferentProcess, nullptr, nullptr);
if (JSCloner.write(cx, v)) {
JSStructuredCloneData& data = JSCloner.data();
data.ForEachDataChunk([&](const char* aData, size_t aSize) {
uint32_t h = mozilla::HashBytes(aData, aSize);
h = (h << 1) | 1;
*out ^= h;
*out *= h;
return true;
});
} else if (JS_IsExceptionPending(cx)) {
JS_ClearPendingException(cx);
}
}
#endif

9
js/src/builtin/TestingFunctions.h
Просмотреть файл

@ -30,15 +30,6 @@ namespace js {
extern JSScript* TestingFunctionArgumentToScript(JSContext* cx, HandleValue v,
JSFunction** funp = nullptr);
#ifdef FUZZING_JS_FUZZILLI
uint32_t FuzzilliHashDouble(double value);
uint32_t FuzzilliHashBigInt(BigInt* bigInt);
void FuzzilliHashObjectInl(JSContext* cx, JSObject* obj, uint32_t* out);
void FuzzilliHashObject(JSContext* cx, JSObject* obj);
#endif
} /* namespace js */
#endif /* builtin_TestingFunctions_h */

8
js/src/jit/ABIFunctionList-inl.h
Просмотреть файл

@ -19,7 +19,6 @@
#include "builtin/Object.h" // js::ObjectClassToString
#include "builtin/RegExp.h" // js::RegExpPrototypeOptimizableRaw,
// js::RegExpInstanceOptimizableRaw
#include "builtin/TestingFunctions.h" // js::FuzzilliHash*
#include "irregexp/RegExpAPI.h"
// js::irregexp::CaseInsensitiveCompareNonUnicode,
@ -81,12 +80,6 @@ namespace jit {
# define ABIFUNCTION_WASM_CODEGEN_DEBUG_LIST(_)
#endif
#ifdef FUZZING_JS_FUZZILLI
# define ABIFUNCTION_FUZZILLI_LIST(_) _(js::FuzzilliHashBigInt)
#else
# define ABIFUNCTION_FUZZILLI_LIST(_)
#endif
#define ABIFUNCTION_LIST(_) \
ABIFUNCTION_JS_GC_PROBES_LIST(_) \
ABIFUNCTION_JS_CODEGEN_ARM_LIST(_) \
@ -164,7 +157,6 @@ namespace jit {
_(js::jit::StringFromCharCodeNoGC) \
_(js::jit::TypeOfNameObject) \
_(js::jit::WrapObjectPure) \
ABIFUNCTION_FUZZILLI_LIST(_) \
_(js::MapIteratorObject::next) \
_(js::NativeObject::addDenseElementPure) \
_(js::NativeObject::growSlotsPure) \

4
js/src/jit/BaselineCacheIRCompiler.cpp
Просмотреть файл

@ -1275,10 +1275,6 @@ bool BaselineCacheIRCompiler::emitMathRandomResult(uint32_t rngOffset) {
masm.randomDouble(scratch1, scratchFloat, scratch2,
output.valueReg().toRegister64());
if (js::SupportDifferentialTesting()) {
masm.zeroDouble(scratchFloat);
}
masm.boxDouble(scratchFloat, output.valueReg(), scratchFloat);
return true;
}

36
js/src/jit/CacheIR.cpp
Просмотреть файл

@ -35,7 +35,6 @@
#include "js/ScalarType.h" // js::Scalar::Type
#include "js/Wrapper.h"
#include "proxy/DOMProxy.h" // js::GetDOMProxyHandlerFamily
#include "util/DifferentialTesting.h"
#include "util/Unicode.h"
#include "vm/ArrayBufferObject.h"
#include "vm/BytecodeUtil.h"
@ -9633,29 +9632,6 @@ AttachDecision CallIRGenerator::tryAttachInlinableNative(HandleFunction callee,
return nativeGen.tryAttachStub();
}
#ifdef FUZZING_JS_FUZZILLI
AttachDecision InlinableNativeIRGenerator::tryAttachFuzzilliHash() {
if (argc_ != 1) {
return AttachDecision::NoAction;
}
// Initialize the input operand.
initializeInputOperand();
// Guard callee is the 'fuzzilli_hash' native function.
emitNativeCalleeGuard();
ValOperandId argValId =
writer.loadArgumentFixedSlot(ArgumentKind::Arg0, argc_);
writer.fuzzilliHashResult(argValId);
writer.returnFromIC();
trackAttached("FuzzilliHash");
return AttachDecision::Attach;
}
#endif
AttachDecision InlinableNativeIRGenerator::tryAttachStub() {
if (!callee_->hasJitInfo() ||
callee_->jitInfo()->type() != JSJitInfo::InlinableNative) {
@ -10056,24 +10032,12 @@ AttachDecision InlinableNativeIRGenerator::tryAttachStub() {
// Testing functions.
case InlinableNative::TestBailout:
if (js::SupportDifferentialTesting()) {
return AttachDecision::NoAction;
}
return tryAttachBailout();
case InlinableNative::TestAssertFloat32:
return tryAttachAssertFloat32();
case InlinableNative::TestAssertRecoveredOnBailout:
if (js::SupportDifferentialTesting()) {
return AttachDecision::NoAction;
}
return tryAttachAssertRecoveredOnBailout();
#ifdef FUZZING_JS_FUZZILLI
// Fuzzilli function
case InlinableNative::FuzzilliHash:
return tryAttachFuzzilliHash();
#endif
case InlinableNative::Limit:
break;
}

173
js/src/jit/CacheIRCompiler.cpp
Просмотреть файл

@ -8821,179 +8821,6 @@ bool CacheIRCompiler::emitAssertRecoveredOnBailoutResult(ValOperandId valId,
return true;
}
#ifdef FUZZING_JS_FUZZILLI
bool CacheIRCompiler::emitFuzzilliHashResult(ValOperandId valId) {
JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
ValueOperand input = allocator.useValueRegister(masm, valId);
AutoScratchRegister scratch(allocator, masm);
AutoScratchRegister scratchJSContext(allocator, masm);
AutoScratchFloatRegister floatReg(this);
# ifdef JS_PUNBOX64
AutoScratchRegister64 scratch64(allocator, masm);
# else
AutoScratchRegister scratch2(allocator, masm);
# endif
Label addFloat, updateHash, done;
{
ScratchTagScope tag(masm, input);
masm.splitTagForTest(input, tag);
Label notInt32;
masm.branchTestInt32(Assembler::NotEqual, tag, &notInt32);
{
ScratchTagScopeRelease _(&tag);
masm.unboxInt32(input, scratch);
masm.convertInt32ToDouble(scratch, floatReg);
masm.jump(&addFloat);
}
masm.bind(&notInt32);
Label notDouble;
masm.branchTestDouble(Assembler::NotEqual, tag, &notDouble);
{
ScratchTagScopeRelease _(&tag);
masm.unboxDouble(input, floatReg);
masm.canonicalizeDouble(floatReg);
masm.jump(&addFloat);
}
masm.bind(&notDouble);
Label notNull;
masm.branchTestNull(Assembler::NotEqual, tag, &notNull);
{
ScratchTagScopeRelease _(&tag);
masm.move32(Imm32(1), scratch);
masm.convertInt32ToDouble(scratch, floatReg);
masm.jump(&addFloat);
}
masm.bind(&notNull);
Label notUndefined;
masm.branchTestUndefined(Assembler::NotEqual, tag, &notUndefined);
{
ScratchTagScopeRelease _(&tag);
masm.move32(Imm32(2), scratch);
masm.convertInt32ToDouble(scratch, floatReg);
masm.jump(&addFloat);
}
masm.bind(&notUndefined);
Label notBoolean;
masm.branchTestBoolean(Assembler::NotEqual, tag, &notBoolean);
{
ScratchTagScopeRelease _(&tag);
masm.unboxBoolean(input, scratch);
masm.add32(Imm32(3), scratch);
masm.convertInt32ToDouble(scratch, floatReg);
masm.jump(&addFloat);
}
masm.bind(&notBoolean);
Label notBigInt;
masm.branchTestBigInt(Assembler::NotEqual, tag, &notBigInt);
{
ScratchTagScopeRelease _(&tag);
masm.unboxBigInt(input, scratch);
LiveRegisterSet volatileRegs(GeneralRegisterSet::Volatile(),
liveVolatileFloatRegs());
masm.PushRegsInMask(volatileRegs);
// TODO: remove floatReg, scratch, scratchJS?
using Fn = uint32_t (*)(BigInt * bigInt);
masm.setupUnalignedABICall(scratchJSContext);
masm.loadJSContext(scratchJSContext);
masm.passABIArg(scratch);
masm.callWithABI<Fn, js::FuzzilliHashBigInt>();
masm.storeCallInt32Result(scratch);
LiveRegisterSet ignore;
ignore.add(scratch);
ignore.add(scratchJSContext);
masm.PopRegsInMaskIgnore(volatileRegs, ignore);
masm.jump(&updateHash);
}
masm.bind(&notBigInt);
Label notObject;
masm.branchTestObject(Assembler::NotEqual, tag, &notObject);
{
ScratchTagScopeRelease _(&tag);
AutoCallVM callvm(masm, this, allocator);
Register obj = allocator.allocateRegister(masm);
masm.unboxObject(input, obj);
callvm.prepare();
masm.Push(obj);
using Fn = void (*)(JSContext * cx, JSObject * o);
callvm.callNoResult<Fn, js::FuzzilliHashObject>();
allocator.releaseRegister(obj);
masm.jump(&done);
}
masm.bind(&notObject);
{
masm.move32(Imm32(0), scratch);
masm.jump(&updateHash);
}
}
{
masm.bind(&addFloat);
masm.loadJSContext(scratchJSContext);
Address addrExecHash(scratchJSContext, offsetof(JSContext, executionHash));
# ifdef JS_PUNBOX64
masm.moveDoubleToGPR64(floatReg, scratch64);
masm.move32(scratch64.get().reg, scratch);
masm.rshift64(Imm32(32), scratch64);
masm.add32(scratch64.get().reg, scratch);
# else
Register64 scratch64(scratch, scratch2);
masm.moveDoubleToGPR64(floatReg, scratch64);
masm.add32(scratch2, scratch);
# endif
}
{
masm.bind(&updateHash);
masm.loadJSContext(scratchJSContext);
Address addrExecHash(scratchJSContext, offsetof(JSContext, executionHash));
masm.load32(addrExecHash, scratchJSContext);
masm.add32(scratchJSContext, scratch);
masm.rotateLeft(Imm32(1), scratch, scratch);
masm.loadJSContext(scratchJSContext);
masm.store32(scratch, addrExecHash);
// stats
Address addrExecHashInputs(scratchJSContext,
offsetof(JSContext, executionHashInputs));
masm.load32(addrExecHashInputs, scratch);
masm.add32(Imm32(1), scratch);
masm.store32(scratch, addrExecHashInputs);
}
masm.bind(&done);
AutoOutputRegister output(*this);
masm.moveValue(UndefinedValue(), output.valueReg());
return true;
}
#endif
template <typename Fn, Fn fn>
void CacheIRCompiler::callVM(MacroAssembler& masm) {
VMFunctionId id = VMFunctionToId<Fn, fn>::id;

3
js/src/jit/CacheIRGenerator.h
Просмотреть файл

@ -665,9 +665,6 @@ class MOZ_RAII InlinableNativeIRGenerator {
AttachDecision tryAttachSetHas();
AttachDecision tryAttachMapHas();
AttachDecision tryAttachMapGet();
#ifdef FUZZING_JS_FUZZILLI
AttachDecision tryAttachFuzzilliHash();
#endif
void trackAttached(const char* name /* must be a C string literal */) {
return generator_.trackAttached(name);

9
js/src/jit/CacheIROps.yaml
Просмотреть файл

@ -2921,12 +2921,3 @@
args:
val: ValId
mustBeRecovered: BoolImm
#ifdef FUZZING_JS_FUZZILLI
- name: FuzzilliHashResult
shared: true
transpile: true
cost_estimate: 4
args:
val: ValId
#endif

207
js/src/jit/CodeGenerator.cpp
Просмотреть файл

@ -16334,9 +16334,6 @@ void CodeGenerator::visitRandom(LRandom* ins) {
masm.movePtr(ImmPtr(rng), rngReg);
masm.randomDouble(rngReg, output, temp1, temp2);
if (js::SupportDifferentialTesting()) {
masm.zeroDouble(output);
}
}
void CodeGenerator::visitSignExtendInt32(LSignExtendInt32* ins) {
@ -17490,210 +17487,6 @@ void CodeGenerator::visitWasmAnyRefFromJSObject(LWasmAnyRefFromJSObject* lir) {
}
}
#ifdef FUZZING_JS_FUZZILLI
void CodeGenerator::emitFuzzilliHashDouble(FloatRegister floatDouble,
Register scratch, Register output) {
# ifdef JS_PUNBOX64
Register64 reg64_1(scratch);
Register64 reg64_2(output);
masm.moveDoubleToGPR64(floatDouble, reg64_1);
masm.move64(reg64_1, reg64_2);
masm.rshift64(Imm32(32), reg64_2);
masm.add32(scratch, output);
# else
Register64 reg64(scratch, output);
masm.moveDoubleToGPR64(floatDouble, reg64);
masm.add32(scratch, output);
# endif
}
void CodeGenerator::emitFuzzilliHashObject(LInstruction* lir, Register obj,
Register output) {
using Fn = void (*)(JSContext * cx, JSObject * obj, uint32_t * out);
OutOfLineCode* ool = oolCallVM<Fn, FuzzilliHashObjectInl>(
lir, ArgList(obj), StoreRegisterTo(output));
masm.jump(ool->entry());
masm.bind(ool->rejoin());
}
void CodeGenerator::emitFuzzilliHashBigInt(Register bigInt, Register output) {
LiveRegisterSet volatileRegs(GeneralRegisterSet::All(),
FloatRegisterSet::All());
volatileRegs.takeUnchecked(output);
masm.PushRegsInMask(volatileRegs);
using Fn = uint32_t (*)(BigInt * bigInt);
masm.setupUnalignedABICall(output);
masm.passABIArg(bigInt);
masm.callWithABI<Fn, js::FuzzilliHashBigInt>();
masm.storeCallInt32Result(output);
masm.PopRegsInMask(volatileRegs);
}
void CodeGenerator::visitFuzzilliHashV(LFuzzilliHashV* ins) {
MOZ_ASSERT(ins->mir()->getOperand(0)->type() == MIRType::Value);
ValueOperand value = ToValue(ins, 0);
Label isDouble, isObject, isBigInt, done;
FloatRegister scratchFloat = ToFloatRegister(ins->getTemp(1));
Register scratch = ToRegister(ins->getTemp(0));
Register output = ToRegister(ins->output());
MOZ_ASSERT(scratch != output);
# ifdef JS_PUNBOX64
Register tagReg = ToRegister(ins->getTemp(0));
masm.splitTag(value, tagReg);
# else
Register tagReg = value.typeReg();
# endif
Label noBigInt;
masm.branchTestBigInt(Assembler::NotEqual, tagReg, &noBigInt);
masm.unboxBigInt(value, scratch);
masm.jump(&isBigInt);
masm.bind(&noBigInt);
Label noObject;
masm.branchTestObject(Assembler::NotEqual, tagReg, &noObject);
masm.unboxObject(value, scratch);
masm.jump(&isObject);
masm.bind(&noObject);
Label noInt32;
masm.branchTestInt32(Assembler::NotEqual, tagReg, &noInt32);
masm.unboxInt32(value, scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
masm.jump(&isDouble);
masm.bind(&noInt32);
Label noNull;
masm.branchTestNull(Assembler::NotEqual, tagReg, &noNull);
masm.move32(Imm32(1), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
masm.jump(&isDouble);
masm.bind(&noNull);
Label noUndefined;
masm.branchTestUndefined(Assembler::NotEqual, tagReg, &noUndefined);
masm.move32(Imm32(2), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
masm.jump(&isDouble);
masm.bind(&noUndefined);
Label noBoolean;
masm.branchTestBoolean(Assembler::NotEqual, tagReg, &noBoolean);
masm.unboxBoolean(value, scratch);
masm.add32(Imm32(3), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
masm.jump(&isDouble);
masm.bind(&noBoolean);
Label noDouble;
masm.branchTestDouble(Assembler::NotEqual, tagReg, &noDouble);
masm.unboxDouble(value, scratchFloat);
masm.canonicalizeDoubleIfDeterministic(scratchFloat);
masm.jump(&isDouble);
masm.bind(&noDouble);
masm.move32(Imm32(0), output);
masm.jump(&done);
masm.bind(&isBigInt);
emitFuzzilliHashBigInt(scratch, output);
masm.jump(&done);
masm.bind(&isObject);
emitFuzzilliHashObject(ins, scratch, output);
masm.jump(&done);
masm.bind(&isDouble);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
masm.bind(&done);
}
void CodeGenerator::visitFuzzilliHashT(LFuzzilliHashT* ins) {
const LAllocation* value = ins->value();
MIRType mirType = ins->mir()->getOperand(0)->type();
FloatRegister scratchFloat = ToFloatRegister(ins->getTemp(1));
Register scratch = ToRegister(ins->getTemp(0));
Register output = ToRegister(ins->output());
MOZ_ASSERT(scratch != output);
if (mirType == MIRType::Object) {
MOZ_ASSERT(value->isGeneralReg());
masm.mov(value->toGeneralReg()->reg(), scratch);
emitFuzzilliHashObject(ins, scratch, output);
} else if (mirType == MIRType::BigInt) {
MOZ_ASSERT(value->isGeneralReg());
masm.mov(value->toGeneralReg()->reg(), scratch);
emitFuzzilliHashBigInt(scratch, output);
} else if (mirType == MIRType::Double) {
MOZ_ASSERT(value->isFloatReg());
masm.moveDouble(value->toFloatReg()->reg(), scratchFloat);
masm.canonicalizeDoubleIfDeterministic(scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else if (mirType == MIRType::Float32) {
MOZ_ASSERT(value->isFloatReg());
masm.convertFloat32ToDouble(value->toFloatReg()->reg(), scratchFloat);
masm.canonicalizeDoubleIfDeterministic(scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else if (mirType == MIRType::Int32) {
MOZ_ASSERT(value->isGeneralReg());
masm.mov(value->toGeneralReg()->reg(), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else if (mirType == MIRType::Null) {
MOZ_ASSERT(value->isBogus());
masm.move32(Imm32(1), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else if (mirType == MIRType::Undefined) {
MOZ_ASSERT(value->isBogus());
masm.move32(Imm32(2), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else if (mirType == MIRType::Boolean) {
MOZ_ASSERT(value->isGeneralReg());
masm.mov(value->toGeneralReg()->reg(), scratch);
masm.add32(Imm32(3), scratch);
masm.convertInt32ToDouble(scratch, scratchFloat);
emitFuzzilliHashDouble(scratchFloat, scratch, output);
} else {
MOZ_CRASH("unexpected type");
}
}
void CodeGenerator::visitFuzzilliHashStore(LFuzzilliHashStore* ins) {
const LAllocation* value = ins->value();
MOZ_ASSERT(ins->mir()->getOperand(0)->type() == MIRType::Int32);
MOZ_ASSERT(value->isGeneralReg());
Register scratchJSContext = ToRegister(ins->getTemp(0));
Register scratch = ToRegister(ins->getTemp(1));
masm.loadJSContext(scratchJSContext);
// stats
Address addrExecHashInputs(scratchJSContext,
offsetof(JSContext, executionHashInputs));
masm.load32(addrExecHashInputs, scratch);
masm.add32(Imm32(1), scratch);
masm.store32(scratch, addrExecHashInputs);
Address addrExecHash(scratchJSContext, offsetof(JSContext, executionHash));
masm.load32(addrExecHash, scratch);
masm.add32(value->toGeneralReg()->reg(), scratch);
masm.rotateLeft(Imm32(1), scratch, scratch);
masm.store32(scratch, addrExecHash);
}
#endif
static_assert(!std::is_polymorphic_v<CodeGenerator>,
"CodeGenerator should not have any virtual methods");

7
js/src/jit/CodeGenerator.h
Просмотреть файл

@ -369,13 +369,6 @@ class CodeGenerator final : public CodeGeneratorSpecific {
// Bit mask of JitRealm stubs that are to be read-barriered.
uint32_t realmStubsToReadBarrier_;
#ifdef FUZZING_JS_FUZZILLI
void emitFuzzilliHashDouble(FloatRegister floatDouble, Register scratch,
Register output);
void emitFuzzilliHashObject(LInstruction* lir, Register obj, Register output);
void emitFuzzilliHashBigInt(Register bigInt, Register output);
#endif
#define LIR_OP(op) void visit##op(L##op* ins);
LIR_OPCODE_LIST(LIR_OP)
#undef LIR_OP

3
js/src/jit/InlinableNatives.cpp
Просмотреть файл

@ -282,9 +282,6 @@ bool js::jit::CanInlineNativeCrossRealm(InlinableNative native) {
case InlinableNative::ObjectIsPrototypeOf:
case InlinableNative::ObjectToString:
case InlinableNative::TypedArrayConstructor:
#ifdef FUZZING_JS_FUZZILLI
case InlinableNative::FuzzilliHash:
#endif
// Default to false for most natives.
return false;

10
js/src/jit/InlinableNatives.h
Просмотреть файл

@ -9,12 +9,6 @@
#include <stdint.h> // For uint16_t
#ifdef FUZZING_JS_FUZZILLI
# define INLINABLE_NATIVE_FUZZILLI_LIST(_) _(FuzzilliHash)
#else
# define INLINABLE_NATIVE_FUZZILLI_LIST(_)
#endif
#define INLINABLE_NATIVE_LIST(_) \
_(Array) \
_(ArrayIsArray) \
@ -203,9 +197,7 @@
_(IntrinsicTypedArrayLength) \
_(IntrinsicPossiblyWrappedTypedArrayLength) \
_(IntrinsicTypedArrayByteOffset) \
_(IntrinsicTypedArrayElementSize) \
\
INLINABLE_NATIVE_FUZZILLI_LIST(_)
_(IntrinsicTypedArrayElementSize)
struct JSClass;
class JSJitInfo;

11
js/src/jit/LIROps.yaml
Просмотреть файл

@ -3752,14 +3752,3 @@
- name: WasmAtomicExchangeI64
gen_boilerplate: false
#endif
#ifdef FUZZING_JS_FUZZILLI
- name: FuzzilliHashT
gen_boilerplate: false
- name: FuzzilliHashV
gen_boilerplate: false
- name: FuzzilliHashStore
gen_boilerplate: false
#endif

38
js/src/jit/Lowering.cpp
Просмотреть файл

@ -6757,44 +6757,6 @@ void LIRGenerator::visitWasmStoreObjectDataRefField(
add(new (alloc()) LKeepAliveObject(useKeepalive(ins->obj())), ins);
}
#ifdef FUZZING_JS_FUZZILLI
void LIRGenerator::visitFuzzilliHash(MFuzzilliHash* ins) {
MDefinition* value = ins->getOperand(0);
if (value->type() == MIRType::Undefined || value->type() == MIRType::Null) {
define(new (alloc()) LFuzzilliHashT(LAllocation(), temp(), tempDouble()),
ins);
} else if (value->type() == MIRType::Int32 ||
value->type() == MIRType::Double ||
value->type() == MIRType::Float32 ||
value->type() == MIRType::Boolean ||
value->type() == MIRType::BigInt) {
define(new (alloc())
LFuzzilliHashT(useRegister(value), temp(), tempDouble()),
ins);
} else if (value->type() == MIRType::Object) {
LFuzzilliHashT* lir =
new (alloc()) LFuzzilliHashT(useRegister(value), temp(), tempDouble());
define(lir, ins);
assignSafepoint(lir, ins);
} else if (value->type() == MIRType::Value) {
LFuzzilliHashV* lir =
new (alloc()) LFuzzilliHashV(useBox(value), temp(), tempDouble());
define(lir, ins);
assignSafepoint(lir, ins);
} else {
define(new (alloc()) LInteger(0), ins);
}
}
void LIRGenerator::visitFuzzilliHashStore(MFuzzilliHashStore* ins) {
MDefinition* value = ins->getOperand(0);
MOZ_ASSERT(value->type() == MIRType::Int32);
add(new (alloc()) LFuzzilliHashStore(useRegister(value), temp(), temp()),
ins);
}
#endif
static_assert(!std::is_polymorphic_v<LIRGenerator>,
"LIRGenerator should not have any virtual methods");

54
js/src/jit/MIR.h
Просмотреть файл

@ -358,13 +358,10 @@ class AliasSet {
// The pendingException slot on the wasm instance object.
WasmPendingException = 1 << 18,
// The fuzzilliHash slot
FuzzilliHash = 1 << 19,
Last = FuzzilliHash,
Last = WasmPendingException,
Any = Last | (Last - 1),
NumCategories = 20,
NumCategories = 19,
// Indicates load or store.
Store_ = 1 << 31
@ -10821,53 +10818,6 @@ class MWasmStoreObjectDataRefField : public MAryInstruction<4>,
}
};
#ifdef FUZZING_JS_FUZZILLI
class MFuzzilliHash : public MUnaryInstruction, public NoTypePolicy::Data {
MFuzzilliHash(MDefinition* obj) : MUnaryInstruction(classOpcode, obj) {
setResultType(MIRType::Int32);
setMovable();
}
public:
INSTRUCTION_HEADER(FuzzilliHash);
TRIVIAL_NEW_WRAPPERS
ALLOW_CLONE(MFuzzilliHash)
# ifdef DEBUG
bool isConsistentFloat32Use(MUse* use) const override { return true; }
# endif
AliasSet getAliasSet() const override {
MDefinition* obj = getOperand(0);
if (obj->type() == MIRType::Object || obj->type() == MIRType::Value) {
return AliasSet::Load(AliasSet::ObjectFields | AliasSet::FixedSlot |
AliasSet::DynamicSlot | AliasSet::Element |
AliasSet::UnboxedElement);
}
return AliasSet::None();
}
};
class MFuzzilliHashStore : public MUnaryInstruction, public NoTypePolicy::Data {
MFuzzilliHashStore(MDefinition* obj) : MUnaryInstruction(classOpcode, obj) {
MOZ_ASSERT(obj->type() == MIRType::Int32);
setResultType(MIRType::None);
}
public:
INSTRUCTION_HEADER(FuzzilliHashStore);
TRIVIAL_NEW_WRAPPERS
ALLOW_CLONE(MFuzzilliHashStore)
// this is a store and hence effectful, however no other load can
// alias with the store
AliasSet getAliasSet() const override {
return AliasSet::Store(AliasSet::FuzzilliHash);
}
};
#endif
#undef INSTRUCTION_HEADER
void MUse::init(MDefinition* producer, MNode* consumer) {

8
js/src/jit/MIROps.yaml
Просмотреть файл

@ -2834,11 +2834,3 @@
- name: WasmStoreObjectDataRefField
gen_boilerplate: false
#ifdef FUZZING_JS_FUZZILLI
- name: FuzzilliHash
gen_boilerplate: false
- name: FuzzilliHashStore
gen_boilerplate: false
#endif

10
js/src/jit/VMFunctionList-inl.h
Просмотреть файл

@ -13,7 +13,6 @@
#include "builtin/Promise.h" // js::AsyncFunctionAwait
#include "builtin/RegExp.h"
#include "builtin/String.h"
#include "builtin/TestingFunctions.h"
#include "jit/BaselineIC.h"
#include "jit/Ion.h"
#include "jit/IonIC.h"
@ -33,14 +32,6 @@
namespace js {
namespace jit {
#ifdef FUZZING_JS_FUZZILLI
# define VMFUNCTION_FUZZILLI_LIST(_) \
_(FuzzilliHashObject, js::FuzzilliHashObject) \
_(FuzzilliHashObjectInl, js::FuzzilliHashObjectInl)
#else
# define VMFUNCTION_FUZZILLI_LIST(_)
#endif
// List of all VM functions to be used with callVM. Each entry stores the name
// (must be unique, used for the VMFunctionId enum and profiling) and the C++
// function to be called. This list must be sorted on the name field.
@ -148,7 +139,6 @@ namespace jit {
_(FinishBoundFunctionInit, JSFunction::finishBoundFunctionInit) \
_(FreshenLexicalEnv, js::jit::FreshenLexicalEnv) \
_(FunWithProtoOperation, js::FunWithProtoOperation) \
VMFUNCTION_FUZZILLI_LIST(_) \
_(GeneratorThrowOrReturn, js::jit::GeneratorThrowOrReturn) \
_(GetAndClearException, js::GetAndClearException) \
_(GetFirstDollarIndexRaw, js::GetFirstDollarIndexRaw) \

15
js/src/jit/WarpCacheIRTranspiler.cpp
Просмотреть файл

@ -5355,21 +5355,6 @@ bool WarpCacheIRTranspiler::emitCloseIterScriptedResult(ObjOperandId iterId,
return true;
}
#ifdef FUZZING_JS_FUZZILLI
bool WarpCacheIRTranspiler::emitFuzzilliHashResult(ValOperandId valId) {
MDefinition* input = getOperand(valId);
auto* hash = MFuzzilliHash::New(alloc(), input);
add(hash);
auto* store = MFuzzilliHashStore::New(alloc(), hash);
addEffectful(store);
pushResult(constant(UndefinedValue()));
return resumeAfter(store);
}
#endif
static void MaybeSetImplicitlyUsed(uint32_t numInstructionIdsBefore,
MDefinition* input) {
// When building MIR from bytecode, for each MDefinition that's an operand to

4
js/src/jit/WarpOracle.cpp
Просмотреть файл

@ -22,7 +22,6 @@
#include "jit/TrialInlining.h"
#include "jit/TypeData.h"
#include "jit/WarpBuilder.h"
#include "util/DifferentialTesting.h"
#include "vm/BuiltinObjectKind.h"
#include "vm/BytecodeIterator.h"
#include "vm/BytecodeLocation.h"
@ -188,8 +187,7 @@ AbortReasonOr<WarpSnapshot*> WarpOracle::createSnapshot() {
HashNumber hash = icScript->hash();
if (outerScript_->jitScript()->hasFailedICHash()) {
HashNumber oldHash = outerScript_->jitScript()->getFailedICHash();
MOZ_ASSERT_IF(hash == oldHash && !js::SupportDifferentialTesting(),
cx_->hadResourceExhaustion());
MOZ_ASSERT_IF(hash == oldHash, cx_->hadResourceExhaustion());
}
snapshot->setICHash(hash);
#endif

51
js/src/jit/shared/LIR-shared.h
Просмотреть файл

@ -19,57 +19,6 @@ namespace jit {
LIR_OPCODE_CLASS_GENERATED
#ifdef FUZZING_JS_FUZZILLI
class LFuzzilliHashT : public LInstructionHelper<1, 1, 2> {
public:
LIR_HEADER(FuzzilliHashT);
LFuzzilliHashT(const LAllocation& value, const LDefinition& temp,
const LDefinition& tempFloat)
: LInstructionHelper(classOpcode) {
setOperand(0, value);
setTemp(0, temp);
setTemp(1, tempFloat);
}
const LAllocation* value() { return getOperand(0); }
MFuzzilliHash* mir() const { return mir_->toFuzzilliHash(); }
};
class LFuzzilliHashV : public LInstructionHelper<1, BOX_PIECES, 2> {
public:
LIR_HEADER(FuzzilliHashV);
LFuzzilliHashV(const LBoxAllocation& value, const LDefinition& temp,
const LDefinition& tempFloat)
: LInstructionHelper(classOpcode) {
setBoxOperand(0, value);
setTemp(0, temp);
setTemp(1, tempFloat);
}
MFuzzilliHash* mir() const { return mir_->toFuzzilliHash(); }
};
class LFuzzilliHashStore : public LInstructionHelper<0, 1, 2> {
public:
LIR_HEADER(FuzzilliHashStore);
LFuzzilliHashStore(const LAllocation& value, const LDefinition& temp1,
const LDefinition& temp2)
: LInstructionHelper(classOpcode) {
setOperand(0, value);
setTemp(0, temp1);
setTemp(1, temp2);
}
const LAllocation* value() { return getOperand(0); }
MFuzzilliHashStore* mir() const { return mir_->toFuzzilliHashStore(); }
};
#endif
class LBox : public LInstructionHelper<BOX_PIECES, 1, 0> {
MIRType type_;

5
js/src/jsdate.cpp
Просмотреть файл

@ -41,7 +41,6 @@
#include "js/Object.h" // JS::GetBuiltinClass
#include "js/PropertySpec.h"
#include "js/Wrapper.h"
#include "util/DifferentialTesting.h"
#include "util/StringBuffer.h"
#include "util/Text.h"
#include "vm/DateObject.h"
@ -1518,10 +1517,6 @@ static bool date_parse(JSContext* cx, unsigned argc, Value* vp) {
}
static ClippedTime NowAsMillis(JSContext* cx) {
if (js::SupportDifferentialTesting()) {
return TimeClip(0);
}
double now = PRMJ_Now();
bool clampAndJitter = cx->realm()->behaviors().clampAndJitterTime();
if (clampAndJitter && sReduceMicrosecondTimePrecisionCallback) {

7
js/src/jsmath.cpp
Просмотреть файл

@ -25,7 +25,6 @@
#include "jit/InlinableNatives.h"
#include "js/Class.h"
#include "js/PropertySpec.h"
#include "util/DifferentialTesting.h"
#include "vm/JSContext.h"
#include "vm/Realm.h"
#include "vm/Time.h"
@ -520,11 +519,7 @@ double js::math_random_impl(JSContext* cx) {
static bool math_random(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
if (js::SupportDifferentialTesting()) {
args.rval().setDouble(0);
} else {
args.rval().setDouble(math_random_impl(cx));
}
args.rval().setDouble(math_random_impl(cx));
return true;
}

142
js/src/shell/js.cpp
Просмотреть файл

@ -14,7 +14,6 @@
#include "mozilla/IntegerPrintfMacros.h"
#include "mozilla/mozalloc.h"
#include "mozilla/PodOperations.h"
#include "mozilla/RandomNum.h"
#include "mozilla/RefPtr.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/Sprintf.h"
@ -1677,10 +1676,6 @@ static void ReportCantOpenErrorUnknownEncoding(JSContext* cx,
return false;
}
}
#ifdef FUZZING_JS_FUZZILLI
fprintf(stderr, "executionHash is 0x%x with %d inputs\n", cx->executionHash,
cx->executionHashInputs);
#endif
return true;
}
@ -3515,44 +3510,6 @@ static bool DummyPreserveWrapperCallback(JSContext* cx, HandleObject obj) {
static bool DummyHasReleasedWrapperCallback(HandleObject obj) { return true; }
#ifdef FUZZING_JS_FUZZILLI
static bool fuzzilli_hash(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
args.rval().setUndefined();
if (argc != 1) {
return true;
}
uint32_t hash;
JS::Handle<JS::Value> v = args.get(0);
if (v.isInt32()) {
int32_t i = v.toInt32();
hash = FuzzilliHashDouble((double)i);
} else if (v.isDouble()) {
double d = v.toDouble();
d = JS::CanonicalizeNaN(d);
hash = FuzzilliHashDouble(d);
} else if (v.isNull()) {
hash = FuzzilliHashDouble(1.0);
} else if (v.isUndefined()) {
hash = FuzzilliHashDouble(2.0);
} else if (v.isBoolean()) {
hash = FuzzilliHashDouble(3.0 + v.toBoolean());
} else if (v.isBigInt()) {
JS::BigInt* bigInt = v.toBigInt();
hash = FuzzilliHashBigInt(bigInt);
} else if (v.isObject()) {
JSObject& obj = v.toObject();
FuzzilliHashObject(cx, &obj);
return true;
} else {
hash = 0;
}
cx->executionHashInputs += 1;
cx->executionHash = mozilla::RotateLeft(cx->executionHash + hash, 1);
return true;
}
// We have to assume that the fuzzer will be able to call this function e.g. by
// enumerating the properties of the global object and eval'ing them. As such
// this function is implemented in a way that requires passing some magic value
@ -3614,12 +3571,6 @@ static bool Fuzzilli(JSContext* cx, unsigned argc, Value* vp) {
}
fprintf(fzliout, "%s\n", bytes.get());
fflush(fzliout);
} else if (StringEqualsAscii(operation, "FUZZILLI_RANDOM")) {
// This is an entropy source which can be called during fuzzing.
// Its currently used to tests whether Fuzzilli detects non-deterministic
// behavior.
args.rval().setInt32(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
return true;
}
args.rval().setUndefined();
@ -9386,22 +9337,6 @@ static const JSFunctionSpecWithHelp shell_functions[] = {
};
// clang-format on
// clang-format off
#ifdef FUZZING_JS_FUZZILLI
static const JSFunctionSpec shell_function_fuzzilli_hash[] = {
JS_INLINABLE_FN("fuzzilli_hash", fuzzilli_hash, 1, 0, FuzzilliHash),
JS_FS_END
};
#endif
// clang-format on
// clang-format off
static const JSFunctionSpecWithHelp diff_testing_unsafe_functions[] = {
JS_FS_HELP_END
};
// clang-format on
// clang-format off
static const JSFunctionSpecWithHelp fuzzing_unsafe_functions[] = {
JS_FN_HELP("getSelfHostedValue", GetSelfHostedValue, 1, 0,
@ -10294,11 +10229,6 @@ static JSObject* NewGlobalObject(JSContext* cx, JS::RealmOptions& options,
!JS_DefineProfilingFunctions(cx, glob)) {
return nullptr;
}
#ifdef FUZZING_JS_FUZZILLI
if (!JS_DefineFunctions(cx, glob, shell_function_fuzzilli_hash)) {
return nullptr;
}
#endif
if (!js::DefineTestingFunctions(cx, glob, fuzzingSafe,
disableOOMFunctions)) {
return nullptr;
@ -10320,39 +10250,32 @@ static JSObject* NewGlobalObject(JSContext* cx, JS::RealmOptions& options,
return nullptr;
}
if (!js::SupportDifferentialTesting()) {
if (!JS_DefineFunctionsWithHelp(cx, glob,
diff_testing_unsafe_functions)) {
return nullptr;
}
RootedObject performanceObj(cx, JS_NewObject(cx, nullptr));
if (!performanceObj) {
return nullptr;
}
if (!JS_DefineFunctionsWithHelp(cx, performanceObj,
performance_functions)) {
return nullptr;
}
RootedObject mozMemoryObj(cx, JS_NewObject(cx, nullptr));
if (!mozMemoryObj) {
return nullptr;
}
RootedObject gcObj(cx, gc::NewMemoryInfoObject(cx));
if (!gcObj) {
return nullptr;
}
if (!JS_DefineProperty(cx, glob, "performance", performanceObj,
JSPROP_ENUMERATE)) {
return nullptr;
}
if (!JS_DefineProperty(cx, performanceObj, "mozMemory", mozMemoryObj,
JSPROP_ENUMERATE)) {
return nullptr;
}
if (!JS_DefineProperty(cx, mozMemoryObj, "gc", gcObj, JSPROP_ENUMERATE)) {
return nullptr;
}
RootedObject performanceObj(cx, JS_NewObject(cx, nullptr));
if (!performanceObj) {
return nullptr;
}
if (!JS_DefineFunctionsWithHelp(cx, performanceObj,
performance_functions)) {
return nullptr;
}
RootedObject mozMemoryObj(cx, JS_NewObject(cx, nullptr));
if (!mozMemoryObj) {
return nullptr;
}
RootedObject gcObj(cx, gc::NewMemoryInfoObject(cx));
if (!gcObj) {
return nullptr;
}
if (!JS_DefineProperty(cx, glob, "performance", performanceObj,
JSPROP_ENUMERATE)) {
return nullptr;
}
if (!JS_DefineProperty(cx, performanceObj, "mozMemory", mozMemoryObj,
JSPROP_ENUMERATE)) {
return nullptr;
}
if (!JS_DefineProperty(cx, mozMemoryObj, "gc", gcObj, JSPROP_ENUMERATE)) {
return nullptr;
}
/* Initialize FakeDOMObject. */
@ -11324,18 +11247,9 @@ static int Shell(JSContext* cx, OptionParser* op) {
fflush(stdout);
fflush(stderr);
// Send return code to parent and reset edge counters.
struct {
int status;
uint32_t execHash;
uint32_t execHashInputs;
} s;
s.status = (result & 0xff) << 8;
s.execHash = cx->executionHash;
s.execHashInputs = cx->executionHashInputs;
MOZ_RELEASE_ASSERT(write(REPRL_CWFD, &s, 12) == 12);
int status = (result & 0xff) << 8;
MOZ_RELEASE_ASSERT(write(REPRL_CWFD, &status, 4) == 4);
__sanitizer_cov_reset_edgeguards();
cx->executionHash = 1;
cx->executionHashInputs = 0;
}
#endif

4
js/src/vm/BigIntType.cpp
Просмотреть файл

@ -102,7 +102,6 @@
#include "js/StableStringChars.h"
#include "js/Utility.h"
#include "util/CheckedArithmetic.h"
#include "util/DifferentialTesting.h"
#include "vm/JSContext.h"
#include "vm/StaticStrings.h"
@ -2154,9 +2153,6 @@ BigInt* BigInt::lshByAbsolute(JSContext* cx, HandleBigInt x, HandleBigInt y) {
if (y->digitLength() > 1 || y->digit(0) > MaxBitLength) {
JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
JSMSG_BIGINT_TOO_LARGE);
if (js::SupportDifferentialTesting()) {
fprintf(stderr, "ReportOutOfMemory called\n");
}
return nullptr;
}
Digit shift = y->digit(0);

8
js/src/vm/JSContext.cpp
Просмотреть файл

@ -373,10 +373,6 @@ void js::ReportOversizedAllocation(JSContext* cx, const unsigned errorNumber) {
}
void js::ReportAllocationOverflow(JSContext* cx) {
if (js::SupportDifferentialTesting()) {
fprintf(stderr, "ReportAllocationOverflow called\n");
}
if (!cx) {
return;
}
@ -1003,10 +999,6 @@ JSContext::JSContext(JSRuntime* runtime, const JS::ContextOptions& options)
#endif
dtoaState(this, nullptr),
suppressGC(this, 0),
#ifdef FUZZING_JS_FUZZILLI
executionHash(1),
executionHashInputs(0),
#endif
#ifdef DEBUG
noNurseryAllocationCheck(this, 0),
disableStrictProxyCheckingCount(this, 0),

5
js/src/vm/JSContext.h
Просмотреть файл

@ -522,11 +522,6 @@ struct JS_PUBLIC_API JSContext : public JS::RootingContext,
*/
js::ContextData<int32_t> suppressGC;
#ifdef FUZZING_JS_FUZZILLI
uint32_t executionHash;
uint32_t executionHashInputs;
#endif
#ifdef DEBUG
js::ContextData<size_t> noNurseryAllocationCheck;

36
js/src/vm/StructuredClone.cpp
Просмотреть файл

@ -55,7 +55,6 @@
#include "js/ScalarType.h" // js::Scalar::Type
#include "js/SharedArrayBuffer.h" // JS::IsSharedArrayBufferObject
#include "js/Wrapper.h"
#include "util/DifferentialTesting.h"
#include "vm/BigIntType.h"
#include "vm/ErrorObject.h"
#include "vm/JSContext.h"
@ -1264,13 +1263,6 @@ bool JSStructuredCloneWriter::writeString(uint32_t tag, JSString* str) {
return false;
}
#if FUZZING_JS_FUZZILLI
if (js::SupportDifferentialTesting()) {
// TODO we could always output a twoByteChar string
return true;
}
#endif
static_assert(JSString::MAX_LENGTH <= INT32_MAX,
"String length must fit in 31 bits");
@ -1342,15 +1334,6 @@ bool JSStructuredCloneWriter::writeTypedArray(HandleObject obj) {
obj->maybeUnwrapAs<TypedArrayObject>());
JSAutoRealm ar(context(), tarr);
#ifdef FUZZING_JS_FUZZILLI
if (js::SupportDifferentialTesting() && !tarr->hasBuffer()) {
// fake oom because differential testing will fail
fprintf(stderr, "[unhandlable oom]");
_exit(-1);
return false;
}
#endif
if (!TypedArrayObject::ensureHasBuffer(context(), tarr)) {
return false;
}
@ -1592,11 +1575,9 @@ static bool TryAppendNativeProperties(JSContext* cx, HandleObject obj,
bool JSStructuredCloneWriter::traverseObject(HandleObject obj, ESClass cls) {
size_t count;
bool optimized = false;
if (!js::SupportDifferentialTesting()) {
if (!TryAppendNativeProperties(context(), obj, &objectEntries, &count,
&optimized)) {
return false;
}
if (!TryAppendNativeProperties(context(), obj, &objectEntries, &count,
&optimized)) {
return false;
}
if (!optimized) {
@ -2000,9 +1981,6 @@ bool JSStructuredCloneWriter::writePrimitive(HandleValue v) {
if (v.isString()) {
return writeString(SCTAG_STRING, v.toString());
} else if (v.isInt32()) {
if (js::SupportDifferentialTesting()) {
return out.writeDouble(v.toInt32());
}
return out.writePair(SCTAG_INT32, v.toInt32());
} else if (v.isDouble()) {
return out.writeDouble(v.toDouble());
@ -2424,14 +2402,6 @@ bool JSStructuredCloneWriter::write(HandleValue v) {
}
if (found) {
#if FUZZING_JS_FUZZILLI
// supress calls into user code
if (js::SupportDifferentialTesting()) {
fprintf(stderr, "Differential testing: cannot call GetProperty\n");
return false;
}
#endif
if (!writePrimitive(key) ||
!GetProperty(context(), obj, obj, id, &val) || !startWrite(val)) {
return false;