On 08/19/2013 10:14 AM, Jim Blandy wrote:
> There are many issues here, but specifically regarding the runtime impact of
> a DOMinator-style taint analysis when not in use:
> Taint instrumentation is only needed in operations that allocate new strings
> whose contents are taken from other strings. Such operations would gain a
> branch per input (checking for taint), and a branch per output (checking
> whether there was taint to be propagated). These branches sit alongside a
> JSString allocation, and perhaps content copies. When taint is not in use,
> the branches would be well-predicted (and we could annotate them "unlikely",
> if that would help).
> That's not zero impact - but would you expect it to be measurable on
> benchmarks?
Yes, I think this will damage performance in cases where people are
building strings with a concatenation loop:
for (var i = 0, ii = arr.length; i < ii; i++)
s += String.fromCharCode(arr[i]);
PdfJS has a few of these, where an array/string is converted into a string,
either to copy the content or to go from base64 to some text. This
kind of code is also expected at the boundaries of typed arrays.
I agree, the trivial example above can be inferred, but the "+=" is in
question here, as we are allocating a JSStringRope for every operation.
So having hooks on the string allocation sounds like a terrible idea.
On the other hand, doing it as part of the flatten operation will remove
half of the comparisons. Still, I would expect some impact there.
--
Nicolas B. Pierron
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
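Added example, not code from the thread or from SpiderMonkey: a toy model of taint propagation through string concatenation that counts the "branch per input / branch per output" checks under the two hook placements discussed above, hooking every "+=" (each rope allocation) versus hooking once at flatten. The loop is the one quoted in the thread; the names TStr, Rope, concatEager and buildString, the byte array and the choice of which code unit is tainted are all constructed for this example, and the counts are this model's accounting, not measurements of a real engine.

```javascript
// Added example (not from the thread): model two placements of a taint hook
// and count the taint branches each pays for a String.fromCharCode loop.
// All names here (TStr, Rope, concatEager, buildString) are this example's own.

class TStr {
  constructor(value, taint = null) {
    this.value = value;  // string contents
    this.taint = taint;  // null when untainted, otherwise a Set of source labels
  }
}

// Branch counters matching the thread's "branch per input / branch per output".
const stats = { inputChecks: 0, outputChecks: 0 };
function resetStats() { stats.inputChecks = 0; stats.outputChecks = 0; }

// Union the taint of all parts, counting one input branch per part and one
// output branch for the "is there anything to propagate?" decision.
function mergeTaint(parts) {
  let merged = null;
  for (const p of parts) {
    stats.inputChecks += 1;            // branch per input: is this part tainted?
    if (p.taint !== null) {
      if (merged === null) merged = new Set();
      for (const label of p.taint) merged.add(label);
    }
  }
  stats.outputChecks += 1;             // branch per output: taint to propagate?
  return merged;
}

// Strategy "concat": every "+=" allocates a new string and runs the hook.
function concatEager(a, b) {
  return new TStr(a.value + b.value, mergeTaint([a, b]));
}

// Strategy "flatten": "+=" only appends a leaf to a rope; the hook runs once
// when the rope is flattened.
class Rope {
  constructor(seed) { this.parts = [seed]; }
  append(s) { this.parts.push(s); return this; }   // no taint branches here
  flatten() {
    return new TStr(this.parts.map(p => p.value).join(""), mergeTaint(this.parts));
  }
}

// The loop from the thread: s += String.fromCharCode(arr[i]).
// `taintedIndexes` marks which code units came from a taint source (constructed input).
function buildString(arr, taintedIndexes, strategy) {
  resetStats();
  const leaf = i => new TStr(String.fromCharCode(arr[i]),
                             taintedIndexes.has(i) ? new Set(["src" + i]) : null);
  if (strategy === "concat") {
    let s = new TStr("");
    for (let i = 0, ii = arr.length; i < ii; i++) s = concatEager(s, leaf(i));
    return { result: s, ...stats };
  }
  const rope = new Rope(new TStr(""));
  for (let i = 0, ii = arr.length; i < ii; i++) rope.append(leaf(i));
  return { result: rope.flatten(), ...stats };
}

// Usage: decode a constructed byte array with one byte marked as tainted.
const bytes = [72, 101, 108, 108, 111];          // "Hello" (constructed input)
const eager = buildString(bytes, new Set([1]), "concat");
const lazy = buildString(bytes, new Set([1]), "flatten");
console.log(eager.result.value, [...eager.result.taint], eager.inputChecks, eager.outputChecks);
console.log(lazy.result.value, [...lazy.result.taint], lazy.inputChecks, lazy.outputChecks);
```

Both strategies yield the same flat string with the same taint label, but the per-"+=" hook pays two input branches and one output branch on every iteration of the loop, while the flatten-time hook pays one branch per leaf plus a single output branch, which is the difference the reply above is pointing at.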