<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181968] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181968">181968</a></dd>
<dt>Author</dt> <dd>ggaren@apple.com</dd>
<dt>Date</dt> <dd>2015-03-25 11:37:17 -0700 (Wed, 25 Mar 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>New map and set modification tests in <a href="http://trac.webkit.org/projects/webkit/changeset/181922">r181922</a> fails
https://bugs.webkit.org/show_bug.cgi?id=143031
Reviewed and tweaked by Geoffrey Garen.
When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
to adjust for the packed backing store.
Consider the following map data.
x: deleted, o: exists
0 1 2 3 4
x x x x o
And iterator with m_index 3.
When packing the map data, map data will become,
0
o
At that time, we perfom didRemoveEntry 4 times on iterators.
times => m_index/index/result
1 => 3/0/dec
2 => 2/1/dec
3 => 1/2/nothing
4 => 1/3/nothing
After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
This is because if we use decremented m_index for comparison,
while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.
In this patch, we compare against the packed index instead.
times => m_index/packedIndex/result
1 => 3/0/dec
2 => 2/0/dec
3 => 1/0/dec
4 => 0/0/nothing
So m_index becomes 0 as expected.
And according to the spec, once the iterator is closed (becomes done: true),
its internal [[Map]]/[[Set]] is set to undefined.
So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
In this patch, we change 2 things.
1.
Compare an iterator's index against the packed index when removing an entry.
2.
If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
Patch by Yusuke Suzuki <utatane.tea@gmail.com> on 2015-03-25
* runtime/MapData.h:
(JSC::MapDataImpl::IteratorData::finish):
(JSC::MapDataImpl::IteratorData::isFinished):
(JSC::MapDataImpl::IteratorData::didRemoveEntry):
(JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
(JSC::MapDataImpl::IteratorData::startPackBackingStore):
* runtime/MapDataInlines.h:
(JSC::JSIterator>::replaceAndPackBackingStore):
* tests/stress/modify-map-during-iteration.js:
* tests/stress/modify-set-during-iteration.js:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapDatah">trunk/Source/JavaScriptCore/runtime/MapData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapDataInlinesh">trunk/Source/JavaScriptCore/runtime/MapDataInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressmodifymapduringiterationjs">trunk/Source/JavaScriptCore/tests/stress/modify-map-during-iteration.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressmodifysetduringiterationjs">trunk/Source/JavaScriptCore/tests/stress/modify-set-during-iteration.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (181967 => 181968)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-03-25 18:29:19 UTC (rev 181967)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-03-25 18:37:17 UTC (rev 181968)
</span><span class="lines">@@ -1,3 +1,68 @@
</span><ins>+2015-03-25 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ New map and set modification tests in r181922 fails
+ https://bugs.webkit.org/show_bug.cgi?id=143031
+
+ Reviewed and tweaked by Geoffrey Garen.
+
+ When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
+ to adjust for the packed backing store.
+
+ Consider the following map data.
+
+ x: deleted, o: exists
+ 0 1 2 3 4
+ x x x x o
+
+ And iterator with m_index 3.
+
+ When packing the map data, map data will become,
+
+ 0
+ o
+
+ At that time, we perfom didRemoveEntry 4 times on iterators.
+ times => m_index/index/result
+ 1 => 3/0/dec
+ 2 => 2/1/dec
+ 3 => 1/2/nothing
+ 4 => 1/3/nothing
+
+ After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
+ This is because if we use decremented m_index for comparison,
+ while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.
+
+ In this patch, we compare against the packed index instead.
+ times => m_index/packedIndex/result
+ 1 => 3/0/dec
+ 2 => 2/0/dec
+ 3 => 1/0/dec
+ 4 => 0/0/nothing
+
+ So m_index becomes 0 as expected.
+
+ And according to the spec, once the iterator is closed (becomes done: true),
+ its internal [[Map]]/[[Set]] is set to undefined.
+ So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
+
+ In this patch, we change 2 things.
+ 1.
+ Compare an iterator's index against the packed index when removing an entry.
+
+ 2.
+ If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.
+
+ * runtime/MapData.h:
+ (JSC::MapDataImpl::IteratorData::finish):
+ (JSC::MapDataImpl::IteratorData::isFinished):
+ (JSC::MapDataImpl::IteratorData::didRemoveEntry):
+ (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
+ (JSC::MapDataImpl::IteratorData::startPackBackingStore):
+ * runtime/MapDataInlines.h:
+ (JSC::JSIterator>::replaceAndPackBackingStore):
+ * tests/stress/modify-map-during-iteration.js:
+ * tests/stress/modify-set-during-iteration.js:
+
</ins><span class="cx"> 2015-03-24 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Setter should have a single formal parameter, Getter no parameters
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapData.h (181967 => 181968)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapData.h 2015-03-25 18:29:19 UTC (rev 181967)
+++ trunk/Source/JavaScriptCore/runtime/MapData.h 2015-03-25 18:37:17 UTC (rev 181968)
</span><span class="lines">@@ -54,15 +54,23 @@
</span><span class="cx"> IteratorData(const MapDataImpl*);
</span><span class="cx"> bool next(WTF::KeyValuePair<JSValue, JSValue>&);
</span><span class="cx">
</span><del>- void didRemoveEntry(int32_t index)
</del><ins>+ // This function is called while packing a map's backing store. The
+ // passed-in index is the new index the entry would have after packing.
+ void didRemoveEntry(int32_t packedIndex)
</ins><span class="cx"> {
</span><del>- if (m_index <= index)
</del><ins>+ if (isFinished())
</ins><span class="cx"> return;
</span><ins>+
+ if (m_index <= packedIndex)
+ return;
+
</ins><span class="cx"> --m_index;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void didRemoveAllEntries()
</span><span class="cx"> {
</span><ins>+ if (isFinished())
+ return;
</ins><span class="cx"> m_index = 0;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapDataInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapDataInlines.h (181967 => 181968)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapDataInlines.h 2015-03-25 18:29:19 UTC (rev 181967)
+++ trunk/Source/JavaScriptCore/runtime/MapDataInlines.h 2015-03-25 18:37:17 UTC (rev 181968)
</span><span class="lines">@@ -178,8 +178,8 @@
</span><span class="cx"> for (int32_t i = 0; i < m_size; i++) {
</span><span class="cx"> Entry& entry = m_entries[i];
</span><span class="cx"> if (!entry.key()) {
</span><del>- m_iterators.forEach([i](JSIterator* iterator, JSIterator*) {
- iterator->iteratorData()->didRemoveEntry(i);
</del><ins>+ m_iterators.forEach([newEnd](JSIterator* iterator, JSIterator*) {
+ iterator->iteratorData()->didRemoveEntry(newEnd);
</ins><span class="cx"> });
</span><span class="cx"> continue;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressmodifymapduringiterationjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/modify-map-during-iteration.js (181967 => 181968)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/modify-map-during-iteration.js 2015-03-25 18:29:19 UTC (rev 181967)
+++ trunk/Source/JavaScriptCore/tests/stress/modify-map-during-iteration.js 2015-03-25 18:37:17 UTC (rev 181968)
</span><span class="lines">@@ -74,3 +74,24 @@
</span><span class="cx"> throw new Error("unreeachable.");
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+var map = new Map();
+for (var i = 0; i < 5; ++i)
+ map.set(i, i);
+testValue(map.size, 5);
+var iter = map.keys();
+testValue(iter.next().value, 0);
+testValue(iter.next().value, 1);
+testValue(iter.next().value, 2);
+testValue(iter.next().value, 3);
+map.delete(0);
+map.delete(1);
+map.delete(2);
+map.delete(3);
+// It will cause MapData packing.
+for (var i = 5; i < 1000; ++i)
+ map.set(i, i);
+gc();
+for (var i = 4; i < 1000; ++i)
+ testValue(iter.next().value, i);
+testValue(iter.next().value, undefined);
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressmodifysetduringiterationjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/modify-set-during-iteration.js (181967 => 181968)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/modify-set-during-iteration.js 2015-03-25 18:29:19 UTC (rev 181967)
+++ trunk/Source/JavaScriptCore/tests/stress/modify-set-during-iteration.js 2015-03-25 18:37:17 UTC (rev 181968)
</span><span class="lines">@@ -70,3 +70,22 @@
</span><span class="cx"> throw new Error("unreeachable.");
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+var set = new Set([0, 1, 2, 3, 4]);
+var iter = set[Symbol.iterator]();
+testValue(set.size, 5);
+testValue(iter.next().value, 0);
+testValue(iter.next().value, 1);
+testValue(iter.next().value, 2);
+testValue(iter.next().value, 3);
+set.delete(0);
+set.delete(1);
+set.delete(2);
+set.delete(3);
+// It will cause MapData packing.
+for (var i = 5; i < 1000; ++i)
+ set.add(i);
+gc();
+for (var i = 4; i < 1000; ++i)
+ testValue(iter.next().value, i);
+testValue(iter.next().value, undefined);
+
</ins></span></pre>
</div>
</div>
</body>
</html>