Project

General

Profile

Actions

Feature #18611

closed

Promote best practice for combining multiple values into a hash code

Added by chrisseaton (Chris Seaton) over 2 years ago. Updated over 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:107784]

Description

User-defined hash methods often work by combining the hash code of several values into one. This requires some logic to combine the values. In our experience, users are making a variety of choices for the algorithm for this, and in many cases are picking an option which may not be the best for security and performance in multiple ways. It's also a shame that users are having to think about how to do this basic operation themselves.

For example, this hash method creates a single hash code by combining the hash value of three values that make up the object. The user has combined the values using the xor operator and multiplication by prime numbers to distribute bits. This is an ok way to combine multiple values into a hash code.

def hash
  x.hash ^ (y.hash * 3) ^ (z.hash * 5)
end

But users have to know to do this, and they sometimes get it wrong, writing things like this.

def hash
  x.hash ^ y.hash ^ z.hash
end

This isn't distributing the bits very well. A bad hash code may harm performance if it cause more collisions in a hash table. Collisions may also cause excess cache eviction, which would further harm performance. If performance is reduced in this way there's a potential security risk due to denial-of-service. (We don't think this is an immediate practical security problem, which is why we're discussing in the open issue tracker, not the security mailing list.)

The x.hash ^ (y.hash * 3) ^ (z.hash * 5) pattern is still not ideal, as users have to manually write it, and it's a lot of logic to execute in the Ruby interpreter, when it could be possibly be done in native code instead. A better pattern we think is this:

def hash
  [x, y, z].hash
end

This leaves the logic of creating a suitable and safe hash value to [...].hash, which does it correctly.

Why doesn't everyone already use this pattern? Because it's not documented as the right thing to do. We want to present a couple of options for what could be done to encourage people to use this pattern or an equivalent, to help people write more concise and clear code that is also more performant and secure.

Document [...].hash as best practice and optimise it

If we want people to use [...].hash, we should say that in the documentation for Kernel#hash as the best practice. Wording along the lines of

If you're implementing a hash code for a compound set of values, best practice is to combine them with [...].hash. For example....

This way people reading the documentation on Kernel#hash get pointed in the clear, concise, performant, secure direction.

We can combine this recommendation with an optimisation to [...].hash to remove the array allocation in implementation of Ruby without escape analysis and scalar replacement, similar to what is done for Array#min and #max. This way the best practice is even faster.

Introduce a new similar method, but specifically for the purpose so it is discoverable

A second option is to introduce a new method, specifically for this task, hash_objects(...). This is inspired By Java's Objects.hash(...). The reason for the new method is that it should make it more discoverable - if you go looking for a tool to combine hash values you'd find one. We'd still link to it from Kernel#hash. This method would not require the array allocation removal optimisation, as it's just a simple call.

Examples of hash methods

Even the MRI codebase has some suboptimal hash methods we don't need to look very far for examples. For example lib lib/resolv.rb, these two hash methods don't distribute the bits they combine

Both these examples could be replaced with either of our proposals.

A good example of someone already using best practice is this.

But this would still be faster with the optimisation we proposed, or using hash_objects(...), as that'd remove the array allocation and the hash call.

Other things we've already done

We've proposed a RuboCop cop to try to catch the pattern we think is suboptimal https://github.com/rubocop/rubocop/pull/10441.

Co-authored with @sambostock (Sam Bostock).

Updated by Dan0042 (Daniel DeLorme) over 2 years ago

chrisseaton (Chris Seaton) wrote:

A better pattern we think is this:

def hash
  [x, y, z].hash
end

Not a bad idea, but wouldn't this be even better?

def hash
  [self.class, x, y, z].hash
end

Which is roughly what Struct does, I believe

X = Struct.new(:a, :b, :c)
Y = Struct.new(:a, :b, :c)
X.new(1,2,3).hash #=> 1941937414662583733
X.new(1,2,3).hash #=> 1941937414662583733
Y.new(1,2,3).hash #=> 1583914263362372853

And at the same time Struct also defines eql? to follow the same rules as hash. So maybe a better "best practice" would be to inherit from Struct when you want hash/eql based on a compound set of values. I think this makes the "Value Struct" proposed in #16122 more important, since you may not want that class to be Enumerable.

Updated by chrisseaton (Chris Seaton) over 2 years ago

Yes we could recommend adding class to the mixture. That's an argument for hash_values since if it has self already and can fix in the class itself.

I think refactoring lots of work to use Struct is a bit more radical. There are existing APIs that we may not want to modify like that.

Updated by Eregon (Benoit Daloze) over 2 years ago

Including the class is often (maybe even always?) unnecessary, and does impact performance.
Struct is special because it generates generic classes, so there it makes sense to include the class, but that's about the only case where it does IMHO.

I think [a, b, c].hash is the best by far, could you open a PR to document that?

Adding a new method would prevent adopting it now and just delay solving this problem, I don't think it's a productive way if an existing way already works fine ([a, b, c].hash).

(BTW, hash_objects would still likely allocate an array (internal or Ruby-level) for the var-args, so that's worse than a literal array actually.)

Updated by byroot (Jean Boussier) over 2 years ago

Including the class is often (maybe even always?) unnecessary, and does impact performance.

Could you elaborate a bit more on this? In my mind #hash should include all the elements that may change the result of #eql?, and it's common (if not best practice) for #eql? / #== to start with other.class == self.class.

That particularly make sense when you have some kinds of value objects for which the class is an important metadata, e.g. trees of nodes etc.

Updated by Eregon (Benoit Daloze) over 2 years ago

I think an eql? implementation should either not check the class, and assume it will be used a key with objects of the same class, or do return false unless other.is_a?(MyClass).
Another way to see this is why the other.class == self.class is ignoring the singleton class? Because it does not matter in most cases.
So if one defines eql? on a non-leaf class (or a class which has at least 1 subclass), I think they need to ask themselves do I want instances of different subclasses to be eql? or not.
I could imagine yes, for instance if a subclass is used to optimize some methods for a given well-known instance.

Updated by Eregon (Benoit Daloze) over 2 years ago

Regarding my last reply, I changed my mind, including the class is useful to avoid unintentional hash conflicts between unrelated classes for a Hash which contains keys of various types, more details here: https://github.com/ruby/ruby/pull/5805#discussion_r851650129

Updated by tenderlovemaking (Aaron Patterson) over 2 years ago

I think this is a good idea. Searching GitHub shows many example of the not-so-great XOR pattern, but also shows many people doing [a, b, c].hash. It makes sense to me that we promote the later and optimize it as well.

Updated by sambostock (Sam Bostock) over 2 years ago

I found some interesting implementations while working on the Rubocop Cop, including some in Ruby itself. For example:

In related news, the cop has been merged into Rubocop 1.28, although it is worth noting it is not enabled by default.

Updated by Eregon (Benoit Daloze) over 2 years ago

  • Status changed from Open to Closed

Merged.

Updated by ioquatix (Samuel Williams) over 2 years ago

This makes me happy, thanks everyone!

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0