[BranchHints] Fuzz branch hints #7704
Conversation
|
(This will wait to land until all optimizations are fixed up.) |
| // A map of expressions to their parents, so we can identify the pattern. | ||
| std::unique_ptr<Parents> parents; | ||
|
|
||
| Sub* getSub() { return (Sub*)this; } |
There was a problem hiding this comment.
Our usual pattern (although we're not entirely consistent) is to return a reference and call this self.
| Sub* getSub() { return (Sub*)this; } | |
| Sub& self() { return *static_cast<Sub*>(this); } |
| if (!get) { | ||
| return {}; | ||
| } | ||
| auto& sets = getSub()->localGraph->getSets(get); |
There was a problem hiding this comment.
Can we skip the getSub() (or self()) here, given that localGraph is a member of the current class?
| auto id = info->call->operands[0]->template cast<Const>()->value.geti32(); | ||
| if (idsToDelete.count(id)) { | ||
| // Remove the branch hint. | ||
| getFunction()->codeAnnotations[curr].branchLikely = {}; |
There was a problem hiding this comment.
Is it worth deleting the expression out of the map if there are no annotations remaining? Perhaps we could have some helper functions for managing that.
| // Replace the instrumented condition with the original one (swap so that | ||
| // the IR remains valid; the other use of the local will not matter, as we | ||
| // remove the logging calls). |
There was a problem hiding this comment.
I'm not sure I understand the comment here. What IR is remaining valid because of the swap? What would go wrong if we did a replaceCurrent(info->originalCondition)?
Edit: Oh, is it because the logging calls might not be nested under curr?
| # where the three integers are: ID, predicted, actual. | ||
| all_ids = set() | ||
| bad_ids = set() | ||
| LEI_LOG_BRANCH = '[LoggingExternalInterface log-branch' |
There was a problem hiding this comment.
I think this would be a clearer name. I took a break in the middle of reviewing and when I came back and read the code below, I had no idea what LEI stood for :)
| LEI_LOG_BRANCH = '[LoggingExternalInterface log-branch' | |
| LOG_BRANCH_PREFIX = '[LoggingExternalInterface log-branch' |
Add two helper passes, one to delete specific branch hints by their
instrumentation ID (as added by InstrumentBranchHints), and one to
remove all instrumentation. The new fuzzer then
The idea is that once we have a wasm with only correct hints, the
optimizer is allowed to remove some (e.g. in DCE), but it should
never emit an invalid branch hint (e.g. by forgetting to flip a hint
when it flips an if).