There are many issues here, but specifically regarding the runtime
impact of a DOMinator-style taint analysis when not in use:
Taint instrumentation is only needed in operations that allocate new
strings whose contents are taken from other strings. Such operations
would gain a branch per input (checking for taint), and a branch per
output (checking whether there was taint to be propagated). These
branches sit alongside a JSString allocation, and perhaps content
copies. When taint is not in use, the branches would be well-predicted
(and we could annotate them "unlikely", if that would help).
That's not zero impact - but would you expect it to be measurable on
benchmarks?
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
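A minimal model of the scheme sketched in the message above, as an added example that is not from the post or from SpiderMonkey: a hypothetical `TString` type (not `JSString`) carries a taint flag plus the source ranges, only the string-producing operations (`concat`, `substring`) take one branch per input and one per output, and a sink-side check reports whether untrusted data arrives; the `UNLIKELY` macro assumes GCC or Clang.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// GCC/Clang branch hint, for the "annotate unlikely" idea in the post.
#define UNLIKELY(x) __builtin_expect(!!(x), 0)
// Hypothetical model, not SpiderMonkey's JSString: one taint flag (the cheap
// per-input check) plus the [begin, end) ranges that came from an untrusted
// source; the ranges are only consulted when the flag is set.
struct TaintRange { std::size_t begin, end; };
struct TString {
  std::string chars;
  bool tainted = false;
  std::vector<TaintRange> ranges;
};

TString literal(const std::string& s) { TString t; t.chars = s; return t; }
TString fromSource(const std::string& s) {  // e.g. a value read from location.search
  TString t = literal(s);
  t.tainted = true;
  t.ranges.push_back({0, s.size()});
  return t;
}

TString concat(const TString& a, const TString& b) {
  TString out;
  out.chars = a.chars + b.chars;  // the allocation and copy we pay anyway
  if (UNLIKELY(a.tainted)) out.ranges = a.ranges;  // branch per input
  if (UNLIKELY(b.tainted))
    for (const TaintRange& r : b.ranges)  // shift b's ranges past a's chars
      out.ranges.push_back({r.begin + a.chars.size(), r.end + a.chars.size()});
  if (UNLIKELY(!out.ranges.empty())) out.tainted = true;  // branch per output
  return out;
}

TString substring(const TString& s, std::size_t begin, std::size_t end) {
  TString out;
  out.chars = s.chars.substr(begin, end - begin);
  if (UNLIKELY(s.tainted))  // branch per input
    for (const TaintRange& r : s.ranges) {  // keep only the overlapping part
      std::size_t lo = std::max(r.begin, begin), hi = std::min(r.end, end);
      if (lo < hi) out.ranges.push_back({lo - begin, hi - begin});
    }
  if (UNLIKELY(!out.ranges.empty())) out.tainted = true;  // branch per output
  return out;
}
// Sink-side check, e.g. before an innerHTML assignment: does untrusted data reach it?
bool sinkReceivesTaint(const TString& s) { return s.tainted; }
```

Untainted inputs take the well-predicted not-taken path on every branch, so the only cost on that path is the flag tests themselves.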