Context Navigation

← Previous Changeset
Next Changeset →

Changeset 130102 in webkit

Timestamp:

Oct 1, 2012, 5:14:33 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

Address a FIXME in JSArray::sort
https://bugs.webkit.org/show_bug.cgi?id=98080
<rdar://problem/12407844>

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Get rid of fast sorting of sparse maps. I don't know that it's broken but I do know that we don't
have coverage for it. Then also address the FIXME in JSArray::sort regarding side-effecting
compare functions.

runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncSort):

runtime/JSArray.cpp:

(JSC::JSArray::sortNumeric):
(JSC::JSArray::sort):
(JSC::JSArray::compactForSorting):

runtime/JSArray.h:

(JSArray):

runtime/JSObject.h:

(JSC::JSObject::hasSparseMap):
(JSObject):

LayoutTests:

fast/js/jsc-test-list:
fast/js/script-tests/sort-with-side-effecting-comparisons.js: Added.
fast/js/sort-with-side-effecting-comparisons-expected.txt: Added.
fast/js/sort-with-side-effecting-comparisons.html: Added.

Location:

trunk

Files:

: 3 added
: 7 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/jsc-test-list (modified) (1 diff)
LayoutTests/fast/js/script-tests/sort-with-side-effecting-comparisons.js (added)
LayoutTests/fast/js/sort-with-side-effecting-comparisons-expected.txt (added)
LayoutTests/fast/js/sort-with-side-effecting-comparisons.html (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/JSArray.cpp (modified) (9 diffs)
Source/JavaScriptCore/runtime/JSArray.h (modified) (1 diff)
Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-              r130100
+              r130102
+-10-01  Filip Pizlo  <fpizlo@apple.com>
+        Address a FIXME in JSArray::sort
+        https://bugs.webkit.org/show_bug.cgi?id=98080
+        <rdar://problem/12407844>
+        Reviewed by Oliver Hunt.
+        * fast/js/jsc-test-list:
+        * fast/js/script-tests/sort-with-side-effecting-comparisons.js: Added.
+        * fast/js/sort-with-side-effecting-comparisons-expected.txt: Added.
+        * fast/js/sort-with-side-effecting-comparisons.html: Added.
 -10-01  Roger Fong  <roger_fong@apple.com>

trunk/LayoutTests/fast/js/jsc-test-list

r129948	r130102
298	298	fast/js/sort-randomly
299	299	fast/js/sort-stability
	300	fast/js/sort-with-side-effecting-comparisons
300	301	fast/js/sparse-array
301	302	fast/js/stack-overflow-arrity-catch

trunk/Source/JavaScriptCore/ChangeLog

-              r130014
+              r130102
+-10-01  Filip Pizlo  <fpizlo@apple.com>
+        Address a FIXME in JSArray::sort
+        https://bugs.webkit.org/show_bug.cgi?id=98080
+        <rdar://problem/12407844>
+        Reviewed by Oliver Hunt.
+        Get rid of fast sorting of sparse maps. I don't know that it's broken but I do know that we don't
+        have coverage for it. Then also address the FIXME in JSArray::sort regarding side-effecting
+        compare functions.
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSort):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::sortNumeric):
+        (JSC::JSArray::sort):
+        (JSC::JSArray::compactForSorting):
+        * runtime/JSArray.h:
+        (JSArray):
+        * runtime/JSObject.h:
+        (JSC::JSObject::hasSparseMap):
+        (JSObject):
 -10-01  Jonathan Liu  <net147@gmail.com>

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

r129676	r130102
656	656	CallType callType = getCallData(function, callData);
657	657
658		if (thisObj->classInfo() == &JSArray::s_info && !asArray(thisObj)->~~inSparseIndexingMode~~() && !shouldUseSlowPut(thisObj->structure()->indexingType())) {
	658	if (thisObj->classInfo() == &JSArray::s_info && !asArray(thisObj)->hasSparseMap() && !shouldUseSlowPut(thisObj->structure()->indexingType())) {
659	659	if (isNumericCompareFunction(exec, callType, callData))
660	660	asArray(thisObj)->sortNumeric(exec, function, callType, callData);

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

-              r129676
+              r130102
     case ArrayWithArrayStorage: {
         unsigned lengthNotIncludingUndefined = compactForSorting(exec->globalData());
+        unsigned lengthNotIncludingUndefined = compactForSorting();
         ArrayStorage* storage = m_butterfly->arrayStorage();
+        if (storage->m_sparseMap.get()) {
+            throwOutOfMemoryError(exec);
+            return;
+        }
+        ASSERT(!storage->m_sparseMap);
         if (!lengthNotIncludingUndefined)
 …
     case ArrayWithArrayStorage: {
         unsigned lengthNotIncludingUndefined = compactForSorting(exec->globalData());
+        unsigned lengthNotIncludingUndefined = compactForSorting();
         ArrayStorage* storage = m_butterfly->arrayStorage();
+        if (storage->m_sparseMap.get()) {
+            throwOutOfMemoryError(exec);
+            return;
+        }
+        ASSERT(!storage->m_sparseMap);
         if (!lengthNotIncludingUndefined)
 …
     case ArrayWithArrayStorage: {
-        ArrayStorage* storage = m_butterfly->arrayStorage();
         // FIXME: This ignores exceptions raised in the compare function or in toNumber.
         // The maximum tree depth is compiled in - but the caller is clearly up to no good
         // if a larger array is passed.
         ASSERT(storage->length() <= static_cast<unsigned>(std::numeric_limits<int>::max()));
         if (storage->length() > static_cast<unsigned>(std::numeric_limits<int>::max()))
+        ASSERT(arrayStorage()->length() <= static_cast<unsigned>(std::numeric_limits<int>::max()));
+        if (arrayStorage()->length() > static_cast<unsigned>(std::numeric_limits<int>::max()))
             return;
+        unsigned usedVectorLength = min(storage->length(), storage->vectorLength());
+        unsigned nodeCount = usedVectorLength + (storage->m_sparseMap ? storage->m_sparseMap->size() : 0);
+        unsigned usedVectorLength = min(arrayStorage()->length(), arrayStorage()->vectorLength());
+        ASSERT(!arrayStorage()->m_sparseMap);
+        unsigned nodeCount = usedVectorLength;
         if (!nodeCount)
 …
         // Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree.
         for (; numDefined < usedVectorLength; ++numDefined) {
+            JSValue v = storage->m_vector[numDefined].get();
+            if (numDefined > arrayStorage()->vectorLength())
+                break;
+            JSValue v = arrayStorage()->m_vector[numDefined].get();
             if (!v || v.isUndefined())
                 break;
 …
+        }
         for (unsigned i = numDefined; i < usedVectorLength; ++i) {
+            JSValue v = storage->m_vector[i].get();
+            if (i > arrayStorage()->vectorLength())
+                break;
+            JSValue v = arrayStorage()->m_vector[i].get();
             if (v) {
                 if (v.isUndefined())
 …
         unsigned newUsedVectorLength = numDefined + numUndefined;
+        if (SparseArrayValueMap* map = storage->m_sparseMap.get()) {
+            newUsedVectorLength += map->size();
+            if (newUsedVectorLength > storage->vectorLength()) {
+                // Check that it is possible to allocate an array large enough to hold all the entries.
+                if ((newUsedVectorLength > MAX_STORAGE_VECTOR_LENGTH) || !increaseVectorLength(exec->globalData(), newUsedVectorLength)) {
+                    throwOutOfMemoryError(exec);
+                    return;
+                }
+                storage = m_butterfly->arrayStorage();
+            }
+            SparseArrayValueMap::const_iterator end = map->end();
+            for (SparseArrayValueMap::const_iterator it = map->begin(); it != end; ++it) {
+                tree.abstractor().m_nodes[numDefined].value = it->second.getNonSparseMode();
+                tree.insert(numDefined);
+                ++numDefined;
+            }
+            deallocateSparseIndexMap();
+        }
+        ASSERT(tree.abstractor().m_nodes.size() >= numDefined);
+        // FIXME: If the compare function changed the length of the array, the following might be
+        // modifying the vector incorrectly.
+        ASSERT(!arrayStorage()->m_sparseMap);
+        // The array size may have changed.  Figure out the new bounds.
+        unsigned newestUsedVectorLength = min(arrayStorage()->length(), arrayStorage()->vectorLength());
+        unsigned elementsToExtractThreshold = min(min(newestUsedVectorLength, numDefined), static_cast<unsigned>(tree.abstractor().m_nodes.size()));
+        unsigned undefinedElementsThreshold = min(newestUsedVectorLength, newUsedVectorLength);
+        unsigned clearElementsThreshold = min(newestUsedVectorLength, usedVectorLength);
         // Copy the values back into m_storage.
 …
         iter.start_iter_least(tree);
         JSGlobalData& globalData = exec->globalData();
         for (unsigned i = 0; i < numDefined; ++i) {
             storage->m_vector[i].set(globalData, this, tree.abstractor().m_nodes[*iter].value);
+        for (unsigned i = 0; i < elementsToExtractThreshold; ++i) {
+            arrayStorage()->m_vector[i].set(globalData, this, tree.abstractor().m_nodes[*iter].value);
             ++iter;
+        }
         // Put undefined values back in.
         for (unsigned i = numDefined; i < newUsedVectorLength; ++i)
             storage->m_vector[i].setUndefined();
+        for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i)
+            arrayStorage()->m_vector[i].setUndefined();
         // Ensure that unused values in the vector are zeroed out.
         for (unsigned i = newUsedVectorLength; i < usedVectorLength; ++i)
             storage->m_vector[i].clear();
         storage->m_numValuesInVector = newUsedVectorLength;
+        for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i)
+            arrayStorage()->m_vector[i].clear();
+        arrayStorage()->m_numValuesInVector = undefinedElementsThreshold;
         return;
+    }
 …
+}
 unsigned JSArray::compactForSorting(JSGlobalData& globalData)
+unsigned JSArray::compactForSorting()
+{
     ASSERT(!inSparseIndexingMode());
 …
         unsigned newUsedVectorLength = numDefined + numUndefined;
+        if (SparseArrayValueMap* map = storage->m_sparseMap.get()) {
+            newUsedVectorLength += map->size();
+            if (newUsedVectorLength > storage->vectorLength()) {
+                // Check that it is possible to allocate an array large enough to hold all the entries - if not,
+                // exception is thrown by caller.
+                if ((newUsedVectorLength > MAX_STORAGE_VECTOR_LENGTH) || !increaseVectorLength(globalData, newUsedVectorLength))
+                    return 0;
+                storage = m_butterfly->arrayStorage();
+            }
+            SparseArrayValueMap::const_iterator end = map->end();
+            for (SparseArrayValueMap::const_iterator it = map->begin(); it != end; ++it)
+                storage->m_vector[numDefined++].setWithoutWriteBarrier(it->second.getNonSparseMode());
+            deallocateSparseIndexMap();
+        }
+        ASSERT(!storage->m_sparseMap);
         for (unsigned i = numDefined; i < newUsedVectorLength; ++i)

trunk/Source/JavaScriptCore/runtime/JSArray.h

r129676	r130102
104	104	bool unshiftCountSlowCase(JSGlobalData&, bool, unsigned);
105	105
106		unsigned compactForSorting(~~JSGlobalData&~~);
	106	unsigned compactForSorting();
107	107	};
108	108

trunk/Source/JavaScriptCore/runtime/JSObject.h

-              r129691
+              r130102
+        }
+        bool hasSparseMap()
+        {
+            switch (structure()->indexingType()) {
+            case ALL_BLANK_INDEXING_TYPES:
+                return false;
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+                return m_butterfly->arrayStorage()->m_sparseMap;
+            default:
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+        }
         bool inSparseIndexingMode()
+        {

Note: See TracChangeset for help on using the changeset viewer.