144759 – MapDataImpl::add() shouldn't do the same hash lookup twice.

Bug 144759 - MapDataImpl::add() shouldn't do the same hash lookup twice.

Summary: MapDataImpl::add() shouldn't do the same hash lookup twice.

Status:	RESOLVED WONTFIX

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Andreas Kling

URL:
Keywords:	Performance

Depends on:	144900
Blocks:
	Show dependency tree / graph

Reported:	2015-05-07 14:18 PDT by Andreas Kling
Modified:	2022-02-27 23:36 PST (History)
CC List:	7 users (show)

See Also:

Attachments
Patch idea (1.91 KB, patch) 2015-05-07 14:20 PDT, Andreas Kling	no flags	Details \| Formatted Diff \| Diff
Patch (4.12 KB, patch) 2015-05-07 16:18 PDT, Oliver Hunt	no flags	Details \| Formatted Diff \| Diff
Patch (4.52 KB, patch) 2015-05-07 16:47 PDT, Oliver Hunt	no flags	Details \| Formatted Diff \| Diff
Patch (4.58 KB, patch) 2015-05-07 17:12 PDT, Oliver Hunt	no flags	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews102 for mac-mavericks (827.46 KB, application/zip) 2015-05-07 17:33 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews105 for mac-mavericks-wk2 (799.21 KB, application/zip) 2015-05-07 18:03 PDT, Build Bot	no flags	Details
Patch (1.88 KB, patch) 2015-05-08 09:27 PDT, Oliver Hunt	no flags	Details \| Formatted Diff \| Diff
Patch (3.91 KB, patch) 2015-05-08 11:28 PDT, Oliver Hunt	oliver: review-	Details \| Formatted Diff \| Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Kling 2015-05-07 14:18:48 PDT

MapDataImpl::add() does find(), then add(). This is twice the amount of work we should be doing.

Comment 1 Andreas Kling 2015-05-07 14:20:33 PDT

Created attachment 252626 [details]
Patch idea

Comment 2 Geoffrey Garen 2015-05-07 14:51:19 PDT

Regressions: Unexpected crashes (1)
  js/map-grow-with-holes.html [ Crash ]

Comment 3 Yusuke Suzuki 2015-05-07 15:03:25 PDT

Comment on attachment 252626 [details]
Patch idea

View in context: https://bugs.webkit.org/attachment.cgi?id=252626&action=review

> Source/JavaScriptCore/runtime/MapDataInlines.h:99
> +    if (!ensureSpaceForAppend(exec, owner)) {

When extending the backing store, MapDataImpl rehashes itself (replaceAndPackBackingStore).
At that time, we execute `ptr->value = m_entries[ptr->value].key().get().asInt32();`.
So, if the map contains the key-value pair (key, m_size) and if the m_size is out of the range of the previous backing store (before extending it), SEGV occcurs.

Comment 4 Andreas Kling 2015-05-07 15:05:44 PDT

Heh, that's what I get for not even compiling before I upload :|

Comment 5 Oliver Hunt 2015-05-07 16:18:16 PDT

Created attachment 252644 [details]
Patch

Comment 6 Andreas Kling 2015-05-07 16:22:34 PDT

Comment on attachment 252644 [details]
Patch

Thanks for wrapping that up!

Comment 7 Oliver Hunt 2015-05-07 16:47:45 PDT

Created attachment 252650 [details]
Patch

Comment 8 Andreas Kling 2015-05-07 17:11:32 PDT

Comment on attachment 252650 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=252650&action=review

> Source/JavaScriptCore/runtime/MapDataInlines.h:100
> +        return &m_entries[location->value];

s/location/result.iterator/

Comment 9 Oliver Hunt 2015-05-07 17:12:17 PDT

Created attachment 252656 [details]
Patch

Comment 10 Build Bot 2015-05-07 17:33:53 PDT

Comment on attachment 252656 [details]
Patch

Attachment 252656 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/6431934037098496

New failing tests:
js/regress/basic-set.html
inspector/model/parse-script-syntax-tree.html
js/set-foreach-calls-back-with-right-args.html
inspector/css/matched-style-properties.html
fast/storage/serialized-script-value.html
inspector/css/pseudo-element-matches.html
inspector/console/console-api.html
js/basic-map.html
js/map-foreach-calls-back-with-right-args.html
inspector/test-harness-trivially-works.html
js/array-from.html
inspector/css/selector-specificity.html
fast/dom/Window/window-postmessage-clone.html
js/basic-set.html
inspector/event-listener-set.html
inspector/protocol-promise-result.html
js/symbol-in-map.html

Comment 11 Build Bot 2015-05-07 17:33:57 PDT

Created attachment 252662 [details]
Archive of layout-test-results from ews102 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-mavericks  Platform: Mac OS X 10.9.5

Comment 12 Build Bot 2015-05-07 18:03:02 PDT

Comment on attachment 252656 [details]
Patch

Attachment 252656 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/6582692757897216

New failing tests:
js/regress/basic-set.html
inspector/model/parse-script-syntax-tree.html
http/tests/inspector/css/bad-mime-type.html
inspector/css/matched-style-properties.html
fast/storage/serialized-script-value.html
inspector/css/pseudo-element-matches.html
js/symbol-in-map.html
js/basic-map.html
js/map-foreach-calls-back-with-right-args.html
inspector/test-harness-trivially-works.html
js/array-from.html
inspector/css/selector-specificity.html
js/set-foreach-calls-back-with-right-args.html
js/basic-set.html
inspector/event-listener-set.html
inspector/protocol-promise-result.html

Comment 13 Build Bot 2015-05-07 18:03:11 PDT

Created attachment 252664 [details]
Archive of layout-test-results from ews105 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5

Comment 14 Oliver Hunt 2015-05-08 09:27:07 PDT

Created attachment 252722 [details]
Patch

Comment 15 Oliver Hunt 2015-05-08 11:28:08 PDT

Created attachment 252732 [details]
Patch

Comment 16 Gavin Barraclough 2015-05-08 13:02:51 PDT

Comment on attachment 252732 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=252732&action=review

> Source/JavaScriptCore/runtime/MapDataInlines.h:178
>      RELEASE_ASSERT(newCapacity > 0);

ASSERT please.

Comment 17 Oliver Hunt 2015-05-08 13:08:50 PDT

Committed r184009: <http://trac.webkit.org/changeset/184009>

Comment 18 Darin Adler 2015-05-10 14:14:15 PDT

Comment on attachment 252732 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=252732&action=review

> Source/JavaScriptCore/runtime/MapDataInlines.h:200
> +    for (auto ptr = m_valueKeyedTable.begin(); ptr != m_valueKeyedTable.end(); ++ptr) {

Modern for loop would make these for loops nicer to read.

Comment 19 Oliver Hunt 2015-05-10 15:46:55 PDT

Comment on attachment 252732 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=252732&action=review

>> Source/JavaScriptCore/runtime/MapDataInlines.h:200
>> +    for (auto ptr = m_valueKeyedTable.begin(); ptr != m_valueKeyedTable.end(); ++ptr) {
> 
> Modern for loop would make these for loops nicer to read.

I think this code predates us being allowed to use them. Is it worth rewriting as part of this patch? I'm torn between doing it (as i'm changing the lines any way) and not doing it (unrelated to the fix?)

Comment 20 Andreas Kling 2015-05-11 17:04:55 PDT

I think this is causing the following crash on ASan builds:

==98628==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010bbb9cc0 bp 0x00011da687b0 sp 0x00011da687a0 T13)
    #0 0x10bbb9cbf in 2015-05-11 16:19:43.470 atos[98896:1972233] Metadata.framework [Error]: couldn't get the client port
 (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x291cbf)
    #1 0x10c2927a4 in WTFCrash (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x96a7a4)
    #2 0x10bcf7b7e in JSC::MapDataImpl<JSC::JSMap::Entry, JSC::JSMapIterator>::copyBackingStore(JSC::CopyVisitor&, JSC::CopyToken) (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3cfb7e)
    #3 0x10bb96736 in JSC::CopyVisitor::visitItem(JSC::CopyWorklistItem) (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x26e736)
    #4 0x10b93aab0 in JSC::CopyVisitor::copyFromShared() (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12ab0)
    #5 0x10b931abd in JSC::GCThread::gcThreadMain() (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x9abd)
    #6 0x10b93196d in WTF::threadEntryPoint(void*) (/Volumes/Data/slave/yosemite-asan-production-wk1-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x996d)
    #7 0x7fff8e12f267 in WTF::wtfThreadEntryPoint(void*) (/usr/lib/system/libsystem_pthread.dylib+0x3267)
    #8 0x7fff8e12f1e4 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x31e4)
    #9 0x7fff8e12d41c in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x141c)

Comment 21 Alexey Proskuryakov 2015-05-11 22:46:06 PDT

The regression is tracked as <rdar://problem/20908178>. Rolling out.

Comment 22 WebKit Commit Bot 2015-05-11 22:48:43 PDT

Re-opened since this is blocked by bug 144900

Comment 23 Oliver Hunt 2015-05-12 08:45:07 PDT

(In reply to comment #21)
> The regression is tracked as <rdar://problem/20908178>. Rolling out.

Gah, sorry for disappearing was trapped in my real job :D

Thanks for rolling it out.

Comment 24 Oliver Hunt 2015-05-12 08:45:53 PDT

Comment on attachment 252732 [details]
Patch

r- as it was breaking asan.  Alexey: how do i do an asan build?

Comment 25 Yusuke Suzuki 2020-09-08 13:27:26 PDT

Our hash map implementation is changed.