Add a code generator to force OSR

Test cases that use OSR currently only do this through --jit-fuzzing
triggering OSR in loops, often leading to brittle repros like the
referenced bug.

This creates a typical pattern in a code generator making use of
the %OptimizeOsr() runtime function.

Bug: 490353576
Change-Id: Id09459d8f7ba26a1b0eaec7e438de555b22fc7b5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087056
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>

Author: mi-ac

Sources/Fuzzilli/Profiles/V8CommonProfile.swift

@@ -148,6 +148,34 @@ public let ForceTurboFanCompilationGenerator = forceCompilationGenerator(
 public let ForceMaglevCompilationGenerator = forceCompilationGenerator(
     "ForceMaglevCompilationGenerator", optimizeName: "OptimizeMaglevOnNextCall")
 
+// Create a loop and force OSR in one of the iterations.
+public let ForceOsrGenerator = CodeGenerator("ForceOsrGenerator", [
+    GeneratorStub(
+        "ForceOsrBeginGenerator",
+        inContext: .single(.javascript),
+        provides: [.javascript]
+    ) { b in
+        let numIterations = Int.random(in: 2...50)
+        let loopVar = b.emit(BeginRepeatLoop(iterations: numIterations)).innerOutput
+        let condition = b.compare(
+            loopVar, with: b.loadInt(Int64.random(in: 0..<Int64(numIterations))),
+            using: .equal)
+        b.buildIf(condition) {
+            if probability(0.8) {
+                b.eval("%OptimizeOsr()");
+            } else {
+                b.eval("%OptimizeOsr(%@)", with: [b.loadInt(1)]);
+            }
+        }
+    },
+    GeneratorStub(
+        "ForceOsrEndGenerator",
+        inContext: .single([.javascript])
+    ) { b in
+        b.emit(EndRepeatLoop())
+    },
+])
+
 public let TurbofanVerifyTypeGenerator = CodeGenerator("TurbofanVerifyTypeGenerator", inputs: .one) { b, v in
     b.eval("%VerifyType(%@)", with: [v])
 }

Sources/Fuzzilli/Profiles/V8DumplingProfile.swift

@@ -126,6 +126,7 @@ let v8DumplingProfile = Profile(
         (ForceJITCompilationThroughLoopGenerator,  5),
         (ForceTurboFanCompilationGenerator,        5),
         (ForceMaglevCompilationGenerator,          5),
+        (ForceOsrGenerator,                        5),
         (TurbofanVerifyTypeGenerator,             10),
 
         (V8GcGenerator,                           10),

Sources/Fuzzilli/Profiles/V8HoleFuzzingProfile.swift

@@ -71,6 +71,7 @@ let v8HoleFuzzingProfile = Profile(
         (ForceJITCompilationThroughLoopGenerator,  5),
         (ForceTurboFanCompilationGenerator,        5),
         (ForceMaglevCompilationGenerator,          5),
+        (ForceOsrGenerator,                        5),
         (V8GcGenerator,                           10),
         (HoleLeakGenerator,                       25),
     ],

Sources/Fuzzilli/Profiles/V8Profile.swift

@@ -60,6 +60,7 @@ public let v8Profile = Profile(
         (ForceJITCompilationThroughLoopGenerator,  5),
         (ForceTurboFanCompilationGenerator,        5),
         (ForceMaglevCompilationGenerator,          5),
+        (ForceOsrGenerator,                        5),
         (TurbofanVerifyTypeGenerator,             10),
 
         (WorkerGenerator,                         10),

Sources/Fuzzilli/Profiles/V8SandboxProfile.swift

@@ -522,6 +522,7 @@ let v8SandboxProfile = Profile(
         (ForceJITCompilationThroughLoopGenerator,  5),
         (ForceTurboFanCompilationGenerator,        5),
         (ForceMaglevCompilationGenerator,          5),
+        (ForceOsrGenerator,                        5),
         (V8GcGenerator,                           10),
         (WasmStructGenerator,                      5),
         (WasmArrayGenerator,                       5),