Closed Bug 330812 Opened 19 years ago Closed 19 years ago

Making Array(1 << 29).sort() less problematic.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: igor, Assigned: igor)

References

(
URL
)

Details

Attachments

(1 file, 2 obsolete files)

Patch to commit with nits addressed
2.73 KB, patch
Details | Diff | Splinter Review 
Currently Array(1 << 29).sort() is quite effective Denial-of-Service since it not only causes browser freeze with CPU usage 100% but also triggers allocation of 2GB of memory on 32 bit platforms. That in turn lead to very heavy swapping and an unresponsive system in general unless one does have over 2GB of RAM.

This is caused by the fact that the code from array_sort in jsarray.c allocates a temporary vector for sorting with the capacity to hold array.length jsvals and clearing the vector with zeros as preparation for rooting of its elements even if the array is spare. 

With bug 311515 resolved one can avoid this heaving swapping assuming a reasonable VM implementation in OS. The idea is not to clear the whole vector before rooting it but rather set fp->nvar initially to 0 and clear elements one by one before increasing fp->nvar as necessary. In this way for a mostly spare array the code would never touch the tail of the vector corresponding to holes in the array. It allows for OS to avoid bringing the corresponding pages into memory and swapping.
Attached patch Implementation (obsolete) — Splinter Review 
Assignee: general → igor.bukanov
Status: NEW → ASSIGNED

        Attachment #215395 -
        Flags: review?(mrbkap)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Implementation v2 (obsolete)
        — Splinter Review
      

    


  
The prevois patch made nbytes from array_sort unnecessary and this version removes  it.

        Attachment #215395 -
        Attachment is obsolete: true

        Attachment #215396 -
        Flags: review?(mrbkap)

        Attachment #215395 -
        Flags: review?(mrbkap)

    
    

    
  
With the last patch applied the optimized build of js shell did finished Array(1 << 29).sort() after 10 minutes on a PC with 1GB of run with Linux kernel 2.6.15. The system was not swapping at all and was wery responsive.
URL: javascript:Array(1 << 29).sort(),aler...

    
    

    
  
Comment on attachment 215396 [details] [diff] [review]
Implementation v2

English nits only.

>Index: src/jsarray.c
>+     * Initialize rooting of vec.

How about 'Initialize vec as a root'.

>+        /* Clear vec[newlen] before including it to the rooted set. */

... including it *in* the rooted set ...

r=mrbkap

        Attachment #215396 -
        Flags: review?(mrbkap) → review+

    
    

    
  


  

        Attachment #215396 -
        Attachment is obsolete: true

    
    

    
  
I committed the last patch:

Checking in jsarray.c;
/cvsroot/mozilla/js/src/jsarray.c,v  <--  jsarray.c
new revision: 3.78; previous revision: 3.77
done

Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Checking in regress-330812.js;
/cvsroot/mozilla/js/tests/js1_5/Array/regress-330812.js,v  <--  regress-330812.js
initial revision: 1.1

Flags: in-testsuite+

    
    

    
  
verified fixed 1.9a1 win/mac/linux. Note that in 1.8.0/1.8.1 the testcase only hangs mac shell tests.
Status: RESOLVED → VERIFIED

    
    

    
  
we still have some other prob. see Bug# 334935

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: