Add an additional security brand check to StaticValues

[rictic]

Similar to #2307

[changeset-bot]

🦋 Changeset detected

Latest commit: 05ee1db

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

📊 Tachometer Benchmark Results

Summary

nop-update

• lit-html-kitchen-sink: unsure 🔍 -1% - +1% (-0.24ms - +0.37ms)
  ^{this-change vs tip-of-tree}

render

• lit-element-list: unsure 🔍 -1% - +3% (-0.84ms - +2.43ms)
  ^{this-change vs tip-of-tree}
• lit-html-kitchen-sink: unsure 🔍 -2% - +0% (-0.59ms - +0.12ms)
  ^{this-change vs tip-of-tree}
• lit-html-repeat: unsure 🔍 -3% - +1% (-0.34ms - +0.17ms)
  ^{this-change vs tip-of-tree}
• lit-html-template-heavy: unsure 🔍 -2% - +1% (-1.22ms - +0.51ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -3% - +0% (-1.49ms - +0.20ms)
  ^{this-change vs tip-of-tree}

update

• lit-element-list: unsure 🔍 -1% - +2% (-7.88ms - +12.36ms)
  ^{this-change vs tip-of-tree}
• lit-html-kitchen-sink: unsure 🔍 -3% - +5% (-2.09ms - +4.02ms)
  ^{this-change vs tip-of-tree}
• lit-html-repeat: unsure 🔍 -1% - +1% (-2.98ms - +4.58ms)
  ^{this-change vs tip-of-tree}
• lit-html-template-heavy: unsure 🔍 -3% - +2% (-4.16ms - +2.02ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -2% - +1% (-14.63ms - +6.97ms)
  ^{this-change vs tip-of-tree}

update-reflect

• lit-element-list: unsure 🔍 -1% - +1% (-12.14ms - +8.98ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -1% - +2% (-10.96ms - +16.77ms)
  ^{this-change vs tip-of-tree}

Results

lit-element-list

• Browser: chrome-headless 98.0.4758.102
• Sample size: 50
• Built by: Benchmarks #2547

• Commit: 2c1fa52

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	74.72ms - 77.88ms	-	unsure 🔍 -1% - +3% -0.84ms - +2.43ms	faster ✔ 17% - 22% 15.88ms - 20.65ms
tip-of-tree tip-of-tree	75.08ms - 75.92ms	unsure 🔍 -3% - +1% -2.43ms - +0.84ms	-	faster ✔ 19% - 22% 17.23ms - 20.89ms
previous-release previous-release	92.78ms - 96.35ms	slower ❌ 20% - 27% 15.88ms - 20.65ms	slower ❌ 23% - 28% 17.23ms - 20.89ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	729.87ms - 745.36ms	-	unsure 🔍 -1% - +2% -7.88ms - +12.36ms	faster ✔ 7% - 10% 55.69ms - 77.65ms
tip-of-tree tip-of-tree	728.87ms - 741.88ms	unsure 🔍 -2% - +1% -12.36ms - +7.88ms	-	faster ✔ 7% - 10% 58.77ms - 79.05ms
previous-release previous-release	796.50ms - 812.07ms	slower ❌ 7% - 11% 55.69ms - 77.65ms	slower ❌ 8% - 11% 58.77ms - 79.05ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	821.05ms - 835.46ms	-	unsure 🔍 -1% - +1% -12.14ms - +8.98ms	faster ✔ 3% - 6% 28.20ms - 50.83ms
tip-of-tree tip-of-tree	822.12ms - 837.55ms	unsure 🔍 -1% - +1% -8.98ms - +12.14ms	-	faster ✔ 3% - 6% 26.29ms - 49.58ms
previous-release previous-release	859.05ms - 876.50ms	slower ❌ 3% - 6% 28.20ms - 50.83ms	slower ❌ 3% - 6% 26.29ms - 49.58ms	-

lit-html-kitchen-sink

• Browser: chrome-headless 98.0.4758.102
• Sample size: 30
• Built by: Benchmarks #2547

• Commit: 2c1fa52

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	29.83ms - 30.18ms	-	unsure 🔍 -2% - +0% -0.59ms - +0.12ms	faster ✔ 14% - 17% 4.69ms - 6.01ms
tip-of-tree tip-of-tree	29.93ms - 30.55ms	unsure 🔍 -0% - +2% -0.12ms - +0.59ms	-	faster ✔ 13% - 16% 4.41ms - 5.82ms
previous-release previous-release	34.72ms - 35.99ms	slower ❌ 16% - 20% 4.69ms - 6.01ms	slower ❌ 14% - 19% 4.41ms - 5.82ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	80.24ms - 85.81ms	-	unsure 🔍 -3% - +5% -2.09ms - +4.02ms	unsure 🔍 -6% - +3% -4.92ms - +2.50ms
tip-of-tree tip-of-tree	80.80ms - 83.32ms	unsure 🔍 -5% - +2% -4.02ms - +2.09ms	-	unsure 🔍 -6% - +1% -4.93ms - +0.58ms
previous-release previous-release	81.79ms - 86.69ms	unsure 🔍 -3% - +6% -2.50ms - +4.92ms	unsure 🔍 -1% - +6% -0.58ms - +4.93ms	-

nop-update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	26.14ms - 26.56ms	-	unsure 🔍 -1% - +1% -0.24ms - +0.37ms	faster ✔ 12% - 15% 3.51ms - 4.56ms
tip-of-tree tip-of-tree	26.07ms - 26.51ms	unsure 🔍 -1% - +1% -0.37ms - +0.24ms	-	faster ✔ 12% - 15% 3.57ms - 4.63ms
previous-release previous-release	29.91ms - 30.87ms	slower ❌ 13% - 17% 3.51ms - 4.56ms	slower ❌ 14% - 18% 3.57ms - 4.63ms	-

lit-html-repeat

• Browser: chrome-headless 98.0.4758.102
• Sample size: 30
• Built by: Benchmarks #2547

• Commit: 2c1fa52

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	10.95ms - 11.26ms	-	unsure 🔍 -3% - +1% -0.34ms - +0.17ms	faster ✔ 9% - 12% 1.10ms - 1.43ms
tip-of-tree tip-of-tree	10.99ms - 11.39ms	unsure 🔍 -2% - +3% -0.17ms - +0.34ms	-	faster ✔ 8% - 11% 0.96ms - 1.39ms
previous-release previous-release	12.30ms - 12.43ms	slower ❌ 10% - 13% 1.10ms - 1.43ms	slower ❌ 8% - 13% 0.96ms - 1.39ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	305.65ms - 311.20ms	-	unsure 🔍 -1% - +1% -2.98ms - +4.58ms	faster ✔ 30% - 32% 134.51ms - 144.54ms
tip-of-tree tip-of-tree	305.05ms - 310.19ms	unsure 🔍 -1% - +1% -4.58ms - +2.98ms	-	faster ✔ 30% - 32% 135.42ms - 145.23ms
previous-release previous-release	443.77ms - 452.13ms	slower ❌ 43% - 47% 134.51ms - 144.54ms	slower ❌ 44% - 47% 135.42ms - 145.23ms	-

lit-html-template-heavy

• Browser: chrome-headless 98.0.4758.102
• Sample size: 50
• Built by: Benchmarks #2547

• Commit: 2c1fa52

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	54.97ms - 56.25ms	-	unsure 🔍 -2% - +1% -1.22ms - +0.51ms	faster ✔ 16% - 19% 10.71ms - 13.31ms
tip-of-tree tip-of-tree	55.38ms - 56.55ms	unsure 🔍 -1% - +2% -0.51ms - +1.22ms	-	faster ✔ 16% - 19% 10.38ms - 12.93ms
previous-release previous-release	66.49ms - 68.76ms	slower ❌ 19% - 24% 10.71ms - 13.31ms	slower ❌ 18% - 23% 10.38ms - 12.93ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	124.75ms - 129.25ms	-	unsure 🔍 -3% - +2% -4.16ms - +2.02ms	faster ✔ 12% - 16% 17.10ms - 23.89ms
tip-of-tree tip-of-tree	125.96ms - 130.18ms	unsure 🔍 -2% - +3% -2.02ms - +4.16ms	-	faster ✔ 11% - 15% 16.13ms - 22.73ms
previous-release previous-release	144.96ms - 150.03ms	slower ❌ 13% - 19% 17.10ms - 23.89ms	slower ❌ 12% - 18% 16.13ms - 22.73ms	-

reactive-element-list

• Browser: chrome-headless 98.0.4758.102
• Sample size: 50
• Built by: Benchmarks #2547

• Commit: 2c1fa52

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	54.88ms - 55.99ms	-	unsure 🔍 -3% - +0% -1.49ms - +0.20ms	unsure 🔍 -1% - +1% -0.69ms - +0.79ms
tip-of-tree tip-of-tree	55.44ms - 56.72ms	unsure 🔍 -0% - +3% -0.20ms - +1.49ms	-	unsure 🔍 -0% - +3% -0.11ms - +1.49ms
previous-release previous-release	54.91ms - 55.87ms	unsure 🔍 -1% - +1% -0.79ms - +0.69ms	unsure 🔍 -3% - +0% -1.49ms - +0.11ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	774.09ms - 790.25ms	-	unsure 🔍 -2% - +1% -14.63ms - +6.97ms	unsure 🔍 -2% - +1% -14.00ms - +10.69ms
tip-of-tree tip-of-tree	778.83ms - 793.16ms	unsure 🔍 -1% - +2% -6.97ms - +14.63ms	-	unsure 🔍 -1% - +2% -9.59ms - +13.94ms
previous-release previous-release	774.49ms - 793.15ms	unsure 🔍 -1% - +2% -10.69ms - +14.00ms	unsure 🔍 -2% - +1% -13.94ms - +9.59ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	890.41ms - 909.64ms	-	unsure 🔍 -1% - +2% -10.96ms - +16.77ms	unsure 🔍 -2% - +1% -15.23ms - +12.62ms
tip-of-tree tip-of-tree	887.13ms - 907.11ms	unsure 🔍 -2% - +1% -16.77ms - +10.96ms	-	unsure 🔍 -2% - +1% -18.40ms - +9.98ms
previous-release previous-release	891.25ms - 911.41ms	unsure 🔍 -1% - +2% -12.62ms - +15.23ms	unsure 🔍 -1% - +2% -9.98ms - +18.40ms	-

_{tachometer-reporter-action v2 for Benchmarks}

[AndrewJakubowicz]

LGTM, but should also get a LGTM from someone else with domain knowledge here.

[justinfagnani]

It's clever that this is short, but using a RegExp is maybe a little obscure? Also typeof x === {aLiteral} is hghly optimized in JS VMs.

What about:

const staticBrand = Symbol();
export const unsafeStatic = (value: string): StaticValue => ({
  ['_$litStatic$']: value,
  r: staticBrand,
});

Then:

if ((typeof (value as Partial<StaticValue>)?.r !== 'symbol')) {

[rictic]

IE11 doesn't have native Symbol, right, so typeof Symbol() === 'symbol' can't work, can it? https://caniuse.com/mdn-javascript_builtins_symbol

[justinfagnani]

We already require the Symbol polyfill.

Symbol.for() might be good like you mentioned before too, then you can do (value as Partial<StaticValue>)?.r === staticBrand

[jridgewell]

Since these are each brand new instances of RegExp, and not a shared value, I'm assuming you're just trying to guard against JSON injections. In that case, you can take advantage of constructor: undefined to get the same benefits without needing an object (or a instanceof check, which is very slow). JSON cannot inject an undefined value, and a non-undefined constructor is present on all objects, so value.constructor === undefined guarantees the value was not constructed from JSON.

[rictic]

That's a really cool trick @jridgewell! Ended up going with Symbol.for('') for clarity and to avoid hitting VM optimization edge cases.

[rictic]

Oh, erp, didn't push all my changes, should be there now

[justinfagnani]

🔒 💂

[AndrewJakubowicz]

Awesome! Great comment on the brand.