pmatos rambles

how

target/release/jsse -e 'function Foo(x) { this.x = x; } var f = new Foo(42); console.log(f.x);'
42

$ claude
> /plugin marketplace add esbmc/agent-marketplace
> /plugin install esbmc-plugin@esbmc-marketplace

$ claude
> /plugin marketplace add esbmc/agent-marketplace
> /plugin install esbmc-plugin@esbmc-marketplace

#include <stdlib.h>

int main() {
    int buf[10];

    for (int i = 0; i <= 10; i++)
        buf[i] = i * 2;

    int *p = malloc(sizeof(int));
    *p = buf[9] + 1;

    int total = 0;
    for (int i = 0; i < 10; i++)
        total += buf[i];

    free(p);
    return total;
}
Violated property:
  file demo.c line 10 function main
  array bounds violated: array `buf' upper bound
  (signed long int)i < 10

State 23 file demo.c line 12 function main
  p = (signed int *)0

Violated property:
  file demo.c line 13 function main
  dereference failure: NULL pointer

"custom/claude": {
    "exec": "~/.config/waybar/claude-usage.sh",
    "return-type": "json",
    "interval": 120,
    "format": "🤖 {}",
    "tooltip": true
}
#custom-claude {
    background-color: #d4a574;
    color: #000000;
    font-weight: bold;
}

#custom-claude.claude-mid {
    background-color: #f39c12;
    color: #000000;
}

#custom-claude.claude-high {
    background-color: #e74c3c;
    color: #ffffff;
}

#custom-claude.claude-error {
    background-color: #7f8c8d;
    color: #ffffff;
}
float PytIdent(float x) {
  return sinf(x)*sinf(x) + cosf(x)*cosf(x);
}
  sub rsp, 4
  movss [rsp], xmm0
  fld [rsp]
  fsincos
  fmul st0, st0
  fxch
  fmul st0, st0
  faddp
  fstp [rsp]
  movss xmm0, [rsp]

	%9 i64 = LoadRegister #0x4, GPR
	%10 i128 = LoadMem FPR, %9 i64, %Invalid, #0x10, SXTX, #0x1
	(%11 i0) PushStack %10 i128, %10 i128, #0x10, #0x1
	(%12 i0) F80SINCOSStack
	%13 i64 = Constant #0x0
	(%14 i8) StoreContext GPR, %13 i64, #0x3fa
	(%15 i0) F80MulStack #0x0, #0x0
	(%16 i0) F80StackXchange #0x1
	%17 i64 = Constant #0x0
	(%18 i8) StoreContext GPR, %17 i64, #0x3f9
	(%19 i0) F80MulStack #0x0, #0x0
	(%20 i0) F80AddStack #0x1, #0x0
	(%21 i0) PopStackDestroy
	%23 i64 = LoadRegister #0x4, GPR
	(%24 i0) StoreStackMemory %23 i64, i128, #0x1, #0x8
	(%25 i0) PopStackDestroy

	%9 i64 = LoadRegister #0x4, GPR
	%10 i128 = LoadMem FPR, %9 i64, %Invalid, #0x10, SXTX, #0x1

	(%11 i0) PushStack %10 i128, %10 i128, #0x10, #0x1

	(%12 i0) F80SINCOSStack

	%13 i64 = Constant #0x0
	(%14 i8) StoreContext GPR, %13 i64, #0x3fa

	(%15 i0) F80MulStack #0x0, #0x0

	(%16 i0) F80StackXchange #0x1

	%17 i64 = Constant #0x0
	(%18 i8) StoreContext GPR, %17 i64, #0x3f9

	(%19 i0) F80MulStack #0x0, #0x0

	(%20 i0) F80AddStack #0x1, #0x0

	(%21 i0) PopStackDestroy

	%23 i64 = LoadRegister #0x4, GPR
	(%24 i0) StoreStackMemory %23 i64, i128, #0x1, #0x8
	(%25 i0) PopStackDestroy

	%9 i64 = LoadRegister #0x4, GPR
	%10 i128 = LoadMem FPR, %9 i64, %Invalid, #0x10, SXTX, #0x1
	(%11 i0) PushStack %10 i128, %10 i128, #0x10, #0x1
	(%12 i0) F80SINCOSStack
	%13 i64 = Constant #0x0
	(%14 i8) StoreContext GPR, %13 i64, #0x3fa
	(%15 i0) F80MulStack #0x0, #0x0
	(%16 i0) F80StackXchange #0x1
	%17 i64 = Constant #0x0
	(%18 i8) StoreContext GPR, %17 i64, #0x3f9

	(%19 i0) F80MulStack #0x0, #0x0
	(%20 i0) F80AddStack #0x1, #0x0
	(%21 i0) PopStackDestroy
	%23 i64 = LoadRegister #0x4, GPR
	(%24 i0) StoreStackMemory %23 i64, i128, #0x1, #0x8
	(%25 i0) PopStackDestroy

	(%19 i0) F80MulStack #0x0, #0x0

const a = ["a", "b", "c"];
for (const value of a) {
  console.log(value);
}
// =>
// "a"
// "b"
// "c"
const a = ["a", "b", "c"];
const it = a[Symbol.iterator]();
let result = it.next();
while (!result.done) {
  console.log(result.value);
  result = it.next();
}
iterator = symbolIterator.@call(iterable);
next = iterator.next;

nextResult = next.@call(iterator);
done = nextResult.done;
value = done ? (undefined / bottom) : nextResult.value;

macro nextInstruction()
    loadb [PB, PC, 1], t0
    leap _g_opcodeMap, t1
    jmp [t1, t0, PtrSize], BytecodePtrTag
end
llintOp(op_iterator_open, OpIteratorOpen, macro (size, get, dispatch)
    defineOSRExitReturnLabel(op_iterator_open, size)
    break
    if C_LOOP or C_LOOP_WIN
        # Insert superflous call return labels for Cloop.
        cloopCallJSFunction a0 # symbolIterator
        cloopCallJSFunction a0 # get next
    end
end)

macro llintOp(opcodeName, opcodeStruct, fn)

llintOpWithMetadata(op_iterator_open, OpIteratorOpen, macro (size, get, dispatch, metadata, return)
    macro fastNarrow()
        callSlowPath(_iterator_open_try_fast_narrow)
    end
    macro fastWide16()
        callSlowPath(_iterator_open_try_fast_wide16)
    end
    macro fastWide32()
        callSlowPath(_iterator_open_try_fast_wide32)
    end
    size(fastNarrow, fastWide16, fastWide32, macro (callOp) callOp() end)
    bbeq r1, constexpr IterationMode::Generic, .iteratorOpenGeneric
    dispatch()

.iteratorOpenGeneric:
    macro gotoGetByIdCheckpoint()
        jmp .getByIdStart
    end

    macro getCallee(dst)
        get(m_symbolIterator, dst)
    end

    macro getArgumentIncludingThisStart(dst)
        getu(size, OpIteratorOpen, m_stackOffset, dst)
    end

    macro getArgumentIncludingThisCount(dst)
        move 1, dst
    end

    callHelper(op_iterator_open,                    # opcodeName
               _llint_slow_path_iterator_open_call, # slowPath
               OpIteratorOpen,                      # opcodeStruct
               m_iteratorProfile,                   # valueProfileName
               m_iterator,                          # dstVirtualRegister
               prepareForRegularCall,               # prepareCall
               size,                                # size
               gotoGetByIdCheckpoint,               # dispatch
               metadata,                            # metadata
               getCallee,                           # getCallee
               getArgumentIncludingThisStart,       # getArgumentStart
               getArgumentIncludingThisCount)       # getArgumentCountIncludingThis

.getByIdStart:
	macro storeNextAndDispatch(valueTag, valuePayload)
        move valueTag, t2
        move valuePayload, t3
        get(m_next, t1)
        storei t2, TagOffset[cfr, t1, 8]
        storei t3, PayloadOffset[cfr, t1, 8]
 	    dispatch()
 	end

    # We need to load m_iterator into t3 because that's where
 	# performGetByIDHelper expects the base object   
 	loadVariable(get, m_iterator, t3, t0, t3)
 	bineq t0, CellTag, .iteratorOpenGenericGetNextSlow
 	performGetByIDHelper(OpIteratorOpen,                  # opcodeStruct
                         m_modeMetadata,                  # modeMetadataName
                         m_nextProfile,                   # valueProfileName
                         .iteratorOpenGenericGetNextSlow, # slowLabel
                         size,                            # size
                         metadata,                        # metadata
                         storeNextAndDispatch)            # return

.iteratorOpenGenericGetNextSlow:
 	callSlowPath(_llint_slow_path_iterator_open_get_next)
 	dispatch()
end)

void JIT::emit_op_iterator_open(const Instruction* instruction)
{
    auto bytecode = instruction->as<OpIteratorOpen>();
    auto* tryFastFunction = ([&] () {
        switch (instruction->width()) {
        case Narrow: return iterator_open_try_fast_narrow;
        case Wide16: return iterator_open_try_fast_wide16;
        case Wide32: return iterator_open_try_fast_wide32;
        default: RELEASE_ASSERT_NOT_REACHED();
        }
    })();

    JITSlowPathCall slowPathCall(this, instruction, tryFastFunction);
    slowPathCall.call();
    Jump fastCase = branch32(NotEqual, GPRInfo::returnValueGPR2, TrustedImm32(static_cast<uint32_t>(IterationMode::Generic)));
    compileOpCall<OpIteratorOpen>(instruction, m_callLinkInfoIndex++);

    advanceToNextCheckpoint();

    // call result (iterator) is in regT1 (tag)/regT0 (payload)
    const Identifier* ident = &vm().propertyNames->next;

    emitJumpSlowCaseIfNotJSCell(regT1);
    GPRReg tagIteratorGPR = regT1;
    GPRReg payloadIteratorGPR = regT0;

    GPRReg tagNextGPR = tagIteratorGPR;
    GPRReg payloadNextGPR = payloadIteratorGPR;

    JITGetByIdGenerator gen(
        m_codeBlock,
        CodeOrigin(m_bytecodeIndex),
        CallSiteIndex(BytecodeIndex(m_bytecodeIndex.offset())),
        RegisterSet::stubUnavailableRegisters(),
        CacheableIdentifier::createFromImmortalIdentifier(ident->impl()),
        JSValueRegs(tagIteratorGPR, payloadIteratorGPR),
        JSValueRegs(tagNextGPR, payloadNextGPR),
        AccessType::GetById);
    gen.generateFastPath(*this);
    addSlowCase(gen.slowPathJump());
    m_getByIds.append(gen);

    emitValueProfilingSite(bytecode.metadata(m_codeBlock));
    emitPutVirtualRegister(bytecode.m_next, JSValueRegs(tagNextGPR, payloadNextGPR));

    fastCase.link(this);
}
void JIT::emit_op_iterator_open(const Instruction* instruction)
{
    // ...
    JITSlowPathCall slowPathCall(this, instruction, tryFastFunction);
    slowPathCall.call();
    Jump fastCase = branch32(NotEqual, GPRInfo::returnValueGPR2, TrustedImm32(static_cast<uint32_t>(IterationMode::Generic)));
    // ...
    fastCase.link(this);
}

void JIT::emitSlow_op_iterator_open(const Instruction* instruction, Vector<SlowCaseEntry>::iterator& iter)
{
    // …
    linkAllSlowCases(iter);

    GPRReg tagIteratorGPR = regT1;
    GPRReg payloadIteratorGPR = regT0;

    JumpList notObject;
    notObject.append(branchIfNotCell(tagIteratorGPR));
    notObject.append(branchIfNotObject(payloadIteratorGPR));

    auto bytecode = instruction->as<OpIteratorOpen>();
    VirtualRegister nextVReg = bytecode.m_next;
    UniquedStringImpl* ident = vm().propertyNames->next.impl();

    JITGetByIdGenerator& gen = m_getByIds[m_getByIdIndex++];

    Label coldPathBegin = label();

    Call call = callOperationWithProfile(
        bytecode.metadata(m_codeBlock),                  // metadata
        operationGetByIdOptimize,                        // operation
        nextVReg,                                        // result
        TrustedImmPtr(m_codeBlock->globalObject()),      // arg1
        gen.stubInfo(),                                  // arg2
        JSValueRegs(tagIteratorGPR, payloadIteratorGPR), // arg3
        CacheableIdentifier::createFromImmortalIdentifier(ident).rawBits()); // arg4

    gen.reportSlowPathCall(coldPathBegin, call);
    auto done = jump();

    notObject.link(this);
    callOperation(operationThrowIteratorResultIsNotObject, TrustedImmPtr(m_codeBlock->globalObject()));

    done.link(this);
    //…
}

void JIT::emit_op_iterator_next(const Instruction* instruction)
{
    //…
    JSValueRegs nextRegs(regT1, regT0);
    emitGetVirtualRegister(bytecode.m_next, nextRegs);
    //…
}

$ WebKitBuild/Release/bin/jsc
>>> 2+2
4
>>> 
$ WebKitBuild/Release/bin/jsc --options
All JSC runtime options:
   useKernTCSM=true   ... Note: this needs to go before other options since they depend on this value.
   validateOptions=false   ... crashes if mis-typed JSC options were passed to the VM
   dumpOptions=0   ... dumps JSC options (0 = None, 1 = Overridden only, 2 = All, 3 = Verbose)

...
$ WebKitBuild/Release/bin/jsc --options 2>&1 | grep verbose
   verboseDFGBytecodeParsing=false
   verboseCompilation=false
   verboseFTLCompilation=false
   verboseValidationFailure=false
   verboseOSR=false
   verboseDFGOSRExit=false
   verboseFTLOSRExit=false
   verboseCallLink=false
   verboseCompilationQueue=false
   verboseExitProfile=false
   verboseCFA=false
   verboseDFGFailure=false
   verboseFTLToJSThunk=false
   verboseFTLFailure=false
   verboseSanitizeStack=false
   verboseVisitRace=false
   verboseExecutableAllocationFuzz=false
$ ~/dev/WebKit/WebKitBuild/Debug/bin/jsc --options 2>&1 | grep JIT    
   useJIT=true   ... allows the executable pages to be allocated for JIT and thunks if true
   useBaselineJIT=true   ... allows the baseline JIT to be used if true
   useDFGJIT=true   ... allows the DFG JIT to be used if true
   useRegExpJIT=true   ... allows the RegExp JIT to be used if true
   useDOMJIT=true   ... allows the DOMJIT to be used if true
   crashIfCantAllocateJITMemory=false
   dumpDisassembly=false   ... dumps disassembly of all JIT compiled code upon compilation
   logJITCodeForPerf=false
   bytecodeRangeToJITCompile=<null>   ... bytecode size range to allow compilation on, e.g. 1:100
   reportBaselineCompileTimes=false   ... dumps JS function signature and the time it took to BaselineJIT compile
   useFTLJIT=true   ... allows the FTL JIT to be used if true
   enableJITDebugAssertions=true
   useConcurrentJIT=true   ... allows the DFG / FTL compilation in threads other than the executing JS thread
   jitPolicyScale=1   ... scale JIT thresholds to this specified ratio between 0.0 (compile ASAP) and 1.0 (compile like normal).
   thresholdForJITAfterWarmUp=500
   thresholdForJITSoon=100
   forceGCSlowPaths=false   ... If true, we will force all JIT fast allocations down their slow paths.
   alwaysGeneratePCToCodeOriginMap=false   ... This will make sure we always generate a PCToCodeOriginMap for JITed code.
   useBBQJIT=true   ... allows the BBQ JIT to be used if true
   useOMGJIT=true   ... allows the OMG JIT to be used if true
   traceBaselineJITExecution=false
   dumpJITMemoryPath=""
   dumpJITMemoryFlushInterval=10   ... Maximum time in between flushes of the JIT memory dump in seconds.
$ ~/dev/WebKit/WebKitBuild/Debug/bin/jsc --options 2>&1 | grep -i gc
   repatchBufferingCountdown=8
   bytecodeRangeToDFGCompile=<null>   ... bytecode size range to allow DFG compilation on, e.g. 1:100
   logCompilationChanges=false
   validateDoesGC=true
   reportDFGCompileTimes=false   ... dumps JS function signature and the time it took to DFG and FTL compile
   useGenerationalGC=true
   useConcurrentGC=true
   criticalGCMemoryThreshold=0.8   ... percent memory in use the GC considers critical.  The collector is much more aggressive above this threshold
   concurrentGCMaxHeadroom=1.5
   concurrentGCPeriodMS=2
   minimumGCPauseMS=0.3
   gcPauseScale=0.3
   gcIncrementBytes=10000
   gcIncrementMaxBytes=100000
   gcIncrementScale=0
   numberOfDFGCompilerThreads=2
   priorityDeltaOfDFGCompilerThreads=0
   maximumInliningCallerBytecodeCost=10000
   numberOfGCMarkers=8
   useParallelMarkingConstraintSolver=true
   slowPathAllocsBetweenGCs=0   ... force a GC on every Nth slow path alloc, where N is specified by this option
   sweepSynchronously=false   ... debugging option to sweep all dead objects synchronously at GC end before resuming mutator
   logGC=None   ... debugging option to log GC activity (0 = None, 1 = Basic, 2 = Verbose)
   useGC=true
   gcAtEnd=false   ... If true, the jsc CLI will do a GC before exiting
   forceGCSlowPaths=false   ... If true, we will force all JIT fast allocations down their slow paths.
   forceDidDeferGCWork=false   ... If true, we will force all DeferGC destructions to perform a GC.
   gcMaxHeapSize=0
   recordGCPauseTimes=false
   numberOfGCCyclesToRecordForVerification=3
   validateDFGClobberize=false   ... Emits extra validation code in the DFG/FTL for the Clobberize phase
$ raco pkg install html-examples
$ raco pkg install bv
$ /home/pmatos/roots/br-root.jsc32-mips/host/bin/qemu-mipsel -L \
	/home/pmatos/roots/br-root.jsc32-mips/target ./WebKitBuild/Debug/bin/jsc \
	load-varargs-then-inlined-call-and-exit.js 
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
#!/bin/bash
/home/pmatos/roots/br-root.jsc32-mips/host/bin/qemu-mipsel -L \
	/home/pmatos/roots/br-root.jsc32-mips/target /home/pmatos/dev/WebKit/WebKitBuild/Debug/bin/jsc \
	load-varargs-then-inlined-call-and-exit.js &> err.txt
grep -q 'Illegal instruction' err.txt
$ creduce --not-c --n 16 ./red.sh load-varargs-then-inlined-call-and-exit.js
===< 26334 >===
running 16 interestingness tests in parallel
===< pass_blank :: 0 >===
(0.6 %, 1046 bytes)
===< pass_lines :: 0 >===
(-0.3 %, 1055 bytes)
(1.2 %, 1039 bytes)
===< pass_lines :: 1 >===
(-1.9 %, 1072 bytes)
(17.6 %, 867 bytes)
(20.9 %, 832 bytes)
(26.5 %, 773 bytes)
(34.8 %, 686 bytes)
...
===================== done ====================

pass statistics:
  method pass_balanced :: curly2 worked 1 times and failed 18 times
  method pass_balanced :: curly-inside worked 1 times and failed 12 times
  method pass_clex :: rm-toks-11 worked 1 times and failed 105 times
  method pass_balanced :: parens-to-zero worked 1 times and failed 25 times
  method pass_blank :: 0 worked 1 times and failed 0 times
  method pass_clex :: rename-toks worked 2 times and failed 4 times
  method pass_lines :: 8 worked 2 times and failed 123 times
  method pass_lines :: 4 worked 2 times and failed 123 times
  method pass_lines :: 10 worked 2 times and failed 123 times
  method pass_lines :: 3 worked 2 times and failed 123 times
  method pass_indent :: regular worked 2 times and failed 0 times
  method pass_lines :: 6 worked 2 times and failed 123 times
  method pass_lines :: 2 worked 5 times and failed 134 times
  method pass_clex :: rm-tok-pattern-4 worked 5 times and failed 784 times
  method pass_lines :: 0 worked 5 times and failed 70 times
  method pass_balanced :: parens-inside worked 6 times and failed 7 times
  method pass_clex :: rm-toks-1 worked 7 times and failed 132 times
  method pass_lines :: 1 worked 7 times and failed 147 times
  method pass_clex :: rm-toks-2 worked 8 times and failed 116 times

          ******** /home/pmatos/dev/WebKit/load-varargs-then-inlined-call-and-exit.js ********

function b(a) {
  return { a: a + 1 }
}
function bar() { b.apply(this, array) }
function c() {
  bar()
  c()
}
array = [ 2147483647 ]
c()
$ /home/pmatos/roots/br-root.jsc32-mips/host/bin/qemu-mipsel -L /home/pmatos/roots/br-root.jsc32-mips/target ./WebKitBuild/Debug/bin/jsc load-varargs-then-inlined-call-and-exit.js 
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
$ which chroot
/usr/sbin/chroot
$ chroot --help
Usage: chroot [OPTION] NEWROOT [COMMAND [ARG]...]
  or:  chroot OPTION
Run COMMAND with root directory set to NEWROOT.

  --groups=G_LIST        specify supplementary groups as g1,g2,..,gN
  --userspec=USER:GROUP  specify user and group (ID or name) to use
  --skip-chdir           do not change working directory to '/'
      --help     display this help and exit
      --version  output version information and exit

If no command is given, run '"$SHELL" -i' (default: '/bin/sh -i').

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/chroot>
or available locally via: info '(coreutils) chroot invocation'
$ man -s2 chroot
CHROOT(2)

NAME
       chroot - change root directory

SYNOPSIS
       #include <unistd.h>

       int chroot(const char *path);

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
...
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {

  uint64_t result = 1;
  uint32_t arg;

  if (argc != 2)
    return 1;

  arg = strtoul(argv[1], NULL, 0);
  while(arg) result *= arg--;

  printf ("Result: %" PRIu64 "\n", result);
  return 0;
}
$ gcc -Wall -Wextra -o factorial factorial.c
$ ./factorial 20
Result: 2432902008176640000
$ mkdir jail
$ cp factorial jail/
$ chroot jail/ /factorial
chroot: cannot change root directory to 'jail/': Operation not permitted
$ sudo chroot jail/ /factorial
chroot: failed to run command ‘/factorial’: No such file or directory
$ ldd factorial
        linux-vdso.so.1 (0x00007ffe1f7f9000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f65bf62e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f65bf844000)
$ gcc -Wall -Wextra -static -o factorial factorial.c
$ ldd factorial
        not a dynamic executable
$ sudo chroot jail/ /factorial 20
Result: 2432902008176640000
$ mkdir build
$ cd build
build/ $ ct-ng armv7-rpi2-linux-gnueabihf
build/ $ ct-ng build
$ export PATH=$HOME/x-tools/armv7-rpi2-linux-gnueabihf/bin:$PATH
$ armv7-rpi2-linux-gnueabihf-gcc -static -o factorial factorial.c
$ ./factorial
zsh: exec format error: ./factorial
$ file factorial
factorial: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), \
dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux \
4.19.21, with debug_info, not stripped
$ qemu-arm ./factorial 20 
Result: 2432902008176640000
$ zcat /proc/config.gz| grep BINFMT
CONFIG_BINFMT_ELF=y
CONFIG_COMPAT_BINFMT_ELF=y
CONFIG_BINFMT_SCRIPT=y
CONFIG_BINFMT_MISC=y
$ sudo bash -c 'echo ":qemu-arm:M:0:\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x02\\x00\\x28\\x00:\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff\\xff\\xff\
\\xff\\xff\\xff\\xfe\\xff\\xff\\xff:/home/pmatos/installs/bin/qemu-arm:OCF" > \
/proc/sys/fs/binfmt_misc/register'
$ ./factorial 20
Result: 2432902008176640000
$ mkdir rootfs
$ debootstrap --foreign --no-check-gpg --arch=arm buster ./rootfs http://httpredir.debian.org/debian/
$ cp -v /usr/bin/qemu-arm-static ./rootfs/usr/bin/
$ chroot ./rootfs ./debootstrap/debootstrap --second-stage --verbose
$ mount -t devpts devpts ./rootfs/dev/pts
$ mount -t proc proc ./rootfs/proc
$ mount -t sysfs sysfs ./rootfs/sys
$ chroot ./rootfs apt-get update
$ chroot ./rootfs apt-get -y upgrade
$ chroot ./rootfs apt-get install -y g++ cmake libicu-dev git ruby-highline ruby-json python
chroot ./rootfs apt-get -y autoremove
chroot ./rootfs apt-get clean
chroot ./rootfs find /var/lib/apt/lists -type f -delete
umount ./rootfs/dev/pts
umount ./rootfs/proc
umount ./rootfs/sys
$ tar --numeric-owner -cvf buster-arm.tar -C ./rootfs .
$ docker import buster-arm.tar jsc-base:arm-raw
$ cat <<EOF > jsc32-base.Dockerfile
FROM jsc32-base:arm-raw

LABEL description="Minimal Debian image to reproduce JSC dev"
LABEL maintainer="Paulo Matos <pmatos@igalia.com>"

CMD ["/bin/bash"]
EOF
$ docker build -t pmatos/jsc32-base:arm -f jsc32-base.Dockerfile
$ docker push pmatos/jsc32-base:arm
$ docker run pmatos/jsc32-base:arm file /bin/bash
/bin/bash: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, \
interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, \
BuildID[sha1]=40e50d160a6c70d1a4e961200202cf853b4a2145, stripped
$ podman run pmatos/jsc32-base:arm file /bin/bash
/bin/bash: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, \
interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, \
BuildID[sha1]=40e50d160a6c70d1a4e961200202cf853b4a2145, stripped
$ git clone --depth=1 git://git.webkit.org/WebKit.git
$ export WEBKIT_PATH=$PWD/WebKit
$ git clone --depth=1 git@github.com:pmatos/WebKit-misc.git
$ cd WebKit-misc/containers
$ ./reprojsc.sh -a arm -b -t -i $WEBKIT_PATH
$ git clone git://git.webkit.org/WebKit.git
...
$ du -hs WebKit
9.7G    WebKit
$ Tools/Scripts/build-jsc --jsc-only --debug
...
====================================================================
 JavaScriptCore is now built (02m:44s). 
====================================================================
$ Tools/Scripts/check-webkit-style
ERROR: Source/WTF/wtf/StackBounds.cpp:25:  Alphabetical sorting problem.  [build/include_order] [4]
ERROR: Source/WTF/wtf/StackBounds.cpp:126:  Place brace on its own line for function definitions.  [whitespace/braces] [4]
Total errors found: 2 in 2 files
$ ls -1 Tools/Scripts/run-*-tests
Tools/Scripts/run-api-tests
Tools/Scripts/run-bindings-tests
Tools/Scripts/run-builtins-generator-tests
Tools/Scripts/run-dashboard-tests
Tools/Scripts/run-gtk-tests
Tools/Scripts/run-iexploder-tests
Tools/Scripts/run-inspector-generator-tests
Tools/Scripts/run-javascriptcore-tests
Tools/Scripts/run-jsc-stress-tests
Tools/Scripts/run-mangleme-tests
Tools/Scripts/run-perf-tests
Tools/Scripts/run-regexp-tests
Tools/Scripts/run-webdriver-tests
Tools/Scripts/run-webkit-tests
Tools/Scripts/run-web-platform-tests
Tools/Scripts/run-wpe-tests
$ Tools/Scripts/run-javascriptcore-tests --no-build --no-fail-fast --debug --jsc-only
...
    0 failures found.
addi x1, zero, 1
mv   x2, zero
add  x2, x2, x1
add  x2, x2, x1
addi x2, zero, 2
mul x1, x1, 2
slli x1, x1, 1
$ riscv-s10 -j 8 --timeout 60 --verbose --progress add2.s
S10 Superoptimization Framework, by Linki Tools UG
https://linki.tools/s10

Booting up 8 cores (stochastic 3, lens 4, symbolic 1)
Input score: 16

* stochastic found optimization (score: 12)

  mv x2, zero
  addi x2, x2, 1
  addi x2, x2, 1

* lens found optimization (score: 4)

  addi x2, zero, 2

* symbolic found best

  addi x2, zero, 2

Shutting down cores

Caching solution:
  addi x2, zero, 2
$ riscv-s10 -j 8 --timeout 20 --verbose --progress \
  --metric speed --accurate-metric-script sim.sh --run-metric-on 2 add2.s
S10 Superoptimization Framework, by Linki Tools UG
https://linki.tools/s10

Booting up 8 cores (stochastic 3, lens 4, symbolic 1)
Input score: 16

* stochastic found optimization (score: 12)

  mv x2, zero
  addi x2, x2, 1
  addi x2, x2, 1

* lens found optimization (score: 4)

  addi x2, zero, 2

Timeout reached.
Shutting down cores

Best two solutions:

[1] mv x2, zero
    addi x2, x2, 1
    addi x2, x2, 1

[2] addi x2, zero, 2

Running sim.sh on [1]... Done
Running sim.sh on [2]... Done

Best solution (sim.sh):

[2] addi x2, zero, 2

Caching solution:
  addi x2, zero, 2

Metric	Value
Start date	January 27, 2026
100% non-staging test262	March 9, 2026 (42 days)
Total commits	592
Total Rust	~170,000 lines
Lines added (all time)	929,475
Lines removed (all time)	448,317
My hands-on-keyboard time	~4 hours total

Date	Rate	What happened
Jan 27	26%	Project kickoff: lexer, parser, basic interpreter
Jan 31	51%	String.prototype wiring bug fix exposed ~11k tests (+23% in a single day)
Feb 3	63%	Generators via state machine approach
Feb 10	86%	Temporal API phase 1
Feb 13	88%	Full suite expansion: added intl402, test count nearly doubled (~48k → ~92k), pass rate still went up
Feb 22	95%	SharedArrayBuffer + Atomics (868 new passes in one day)
Mar 5	99.6%	Massive parser early-errors batch (274 fixes)
Mar 9	100%	`Array.fromAsync` was the final fix

Engine	Version	Scenarios	Pass	Fail	Rate
JSSE	latest	101,234	101,044	190	99.81%
Boa	v0.21	91,986	83,260	8,726	90.51%
Node	v25.8.0	91,986	79,201	11,986	86.86%

Benchmark	Node v18	Boa v0.21	JSSE v0.1	JSSE vs Node
loop	0.18s	2.02s	2.90s	16x
fib	0.21s	2.53s	28.57s	136x
string	0.19s	0.62s	4.74s	25x
array	0.17s	0.53s	119.45s	703x
object	0.35s	0.69s	0.85s	2.4x
regex	0.16s	0.24s	5.62s	35x
closures	0.18s	2.79s	15.48s	86x
json	0.20s	0.44s	0.25s	1.2x

Model	Cost (API equivalent)	Share
Claude Opus 4.6	$4,062.91	88%
Claude Sonnet 4.6	$345.54	7.5%
Claude Haiku 4.5	$124.83	2.7%
Claude Sonnet 4.5	$45.56	1%
Claude Opus 4.5	$40.11	0.9%

x86 Asm	IR nodes
`fld qword [rsp]`	`LoadMem` + `PushStack`
`fsincos`	`F80SinCosStack`
`fmul st0, st0`	`F80MulStack`
`fxch`	`F80StackXchange`
`fmul st0, st0`	`F80MulStack`
`faddp`	`F80AddStack` + `PopStackDestroy`
`fstp qword [rsp]`	`StoreStackMemory` + `PopStackDestroy`

Game	Before	After	Reduction
Half-Life (Block 1)	2034	1368	32.7%
Half-Life (Block 2)	838	551	34.2%
Oblivion (Block 1)	34065	25782	24.3%
Oblivion (Block 2)	22089	16635	24.6%
Psychonauts (Block 1)	20545	16357	20.3%
Psychonauts Hot Loop (Matrix Swizzle)	2340	165	92.9%

pmatos rambles

Code Is Free Now. What's Left Is Us.

Then: July 2025

Now: April 2026

The Role Shift

More Human, Not Less

What Happens to Code Review?

What Should You Study?

Where the Trend Points

After the Mourning

JSSE: A JavaScript Engine Built by an Agent

How It Started

The Numbers

How It Was Built

What the Prompts Actually Looked Like

The Pass Rate Curve

Engine Comparison

A Note on Staging Tests

What About Performance?

The Cost

What I Learned

What's Next

Conclusions

Introducing Musiker: An Interactive Timeline of Classical Music

What You Can Explore

Under the Hood

Part of Rightkey

Try It Out

ESBMC Plugin Update: Python Support, a New Home, and Where This Is Going

What's New

Python Support

The Agent Marketplace

The Idea I Keep Coming Back To

Try It

Formal Verification in Your Terminal: ESBMC meets Claude Code

Setup

How It Works

A Quick Demo

Bug 1: Array out-of-bounds write

Bug 2: NULL pointer dereference

Why This Matters

Formal Methods and the Age of Generated Code

Beyond the Basics

Current Status

Claude Code Usage in Waybar

The Script

Waybar Configuration

Daring to imagine...

Life on GenAI in 2025 (part 1 - Intro and Education)

Education

FEX x87 Stack Optimization

A brief visit to the x87 FPU

Current issues

The new pass

The Good Case

The Bad Case

The Ugly Case

Results

Future work

WebAssembly Reference Types in Clang/LLVM

WebAssembly Reference Types in LLVM

Introduction

Linker and MC Layer

LLVM IR

Clang

Conclusions and Future

From Middle-C to Concert

Book references:

Music references:

Online Forums:

Others:

A tour of the `for..of` implementation for 32bits JSC

Context

Overview

javascript and for-of

LLInt

Baseline

Conclusions

Thanks

JSC - what are my options?