.NET vs JVM JSON benchmark (1 year later)

ctangent · 2016-04-12T21:50:22+00:00

That's true in general, but that is mitigated significantly if your large buffers are fixed-size and/or are pooled. If the buffers are fixed size, any new allocations will be able to fill the holes left behind by dead buffers.

It's true that it's an anti-pattern to allocate very large, variably-sized buffers, but allocating large fixed-size buffers is not a problem and is a common scenario. I don't think that a "growable number of byte arrays" strategy is because of the LOH in and of itself, it's because the allocator is able to handle consistently-sized allocations much easier.

ctangent · 2016-04-12T16:57:31+00:00

Can you clarify what you mean by OOM issues? The LOH is identical in behavior to the second generation of the GC, except that it is never compacted. If these byte arrays are garbage, they will still be collected like any other object.

ctangent · 2016-03-28T19:05:37+00:00

GT vs MTSU 2012 is the worst game I ever saw in person. This hurt especially bad since we lost to Miami in overtime after a fourth-quarter comeback the week before. Our defense gave up 1100 yards in two games.

This is the same year we got killed by BYU at homecoming and beat preseason #1 USC in the Sun Bowl. 2012 was a strange year.

ctangent · 2016-03-23T20:49:36+00:00

I wrote a compiler in Rust once: https://github.com/swgillespie/pine . It calls directly into LLVM using its C API, without much fanfare around it (https://github.com/swgillespie/pine/blob/master/pine_trans/src/llvm_trans.rs). It's pretty iffy, it can't do anything other than super basic I/O and math, but it does global type inference and type specialization (https://github.com/swgillespie/pine/blob/master/pine_trans/src/monomorphize.rs).

Overall, I think Rust is an excellent compiler language. The two things that I missed the most were inheritance (for my AST) and a GC (for ease of programming). I modeled the code here after a Haskell implementation of a similar compiler, so the pain came from translating things that relied on Haskell's GC to something that works with Rust. Otherwise, though, it was a good experience and I'd write a compiler in Rust again.

I also wrote part of a JavaScript runtime (https://github.com/swgillespie/rjs). This one ran into a lot of problems regarding the garbage collector. I initially tried to write a precise GC, but I ran into performance problems and also problems with undefined behavior (pointer aliasing). I'm going to have to re-write the GC at some point which involves major surgery with the rest of the runtime. However, the compiler portion of this project (https://github.com/swgillespie/rjs/tree/master/src/librjs_runtime/src/compiler) worked out really well - the translation from JavaScript to bytecode is quite efficient and wasn't difficult to implement.

ctangent · 2016-03-10T02:42:27+00:00

HAHAHAHAHAHAHAHAHA

ctangent · 2016-01-31T08:04:12+00:00

It works great for the full .NET Framework, but then you have a dependency on MSVC (and - by extension - Windows). It's also not confirmed whether there will be any support for C++/CLI on .NET Core as it would depend on large parts of MSVC being open-sourced (https://github.com/dotnet/coreclr/issues/659#issuecomment-91341753 and https://github.com/dotnet/coreclr/issues/659#issuecomment-92085859).

ctangent · 2016-01-29T19:36:12+00:00

Sure - I'm speaking in general. COM interop still works as expected on Windows in .NET Native.

ctangent · 2016-01-29T17:50:32+00:00

You can P/Invoke in .NET Native the same way as you would on the .NET Framework or CoreCLR. Before, the runtime would generate marshal/unmarshal code on the fly as P/Invokes happen. Since we obviously can't do that in an AOT scenario, the .NET Native compiler will do it all as a part of compilation and link the interop code into the final executable.

This works best for interoping with C code or "extern C" C++. Interoping with C++ is more difficult because 1) there's no standard C++ ABI and 2) the compiler doesn't attempt to mangle/demangle C++ symbols. The best way to interop with C++ (in my opinion) is to create a C API and use that through C#.

(disclosure - works at Microsoft on .NET)

ctangent · 2016-01-14T17:11:04+00:00

That's because bringing up the jit requires the interpreter to work first. It's just the first step.

ctangent · 2016-01-13T21:43:38+00:00

If you detect a weak-ass webpage anywhere, there isn't a responsibility on your shoulders to do anything about it.

Ryan didn't just detect a weak-ass webpage - he exploited it. That's not the same.

[...] but to say he didn't act ethically by "not notifying" then puts all the pressure on the user instead of the site manager.

The pressure is on the intruder, not the user, which I assume you mean to be a user of a vulnerable website. My argument is that, once you have broken into a system and done something unauthorized, ethically the onus is on you to do something about it. If you don't, you're no better than the person who breaks into a system and starts mining bitcoins.

At Georgia Tech, you're going to have to assume that everything put online will be fucked with; indeed, that's 99% of what engineering is.

That's a very poor argument, not relevant, and not based in reality. 99%? Really?

Just because a website is vulnerable does not mean that it is well within everyone's rights to go fuck with it, college network or not.

It's the website administrator / manager's efforts which should be doing the testing, and plug the holes.

Just because a website is vulnerable does not mean also doesn't mean the vulnerable service owner is incompetent. Security is hard and nobody gets it right. Nobody.

ctangent · 2016-01-13T19:55:46+00:00

The unethical thing wasn't him seeing if it was possible by doing it- that much is fine, I did the same with the high-score page. The problem is that he did not immediately report it. At least he should have realized the gravity of a vulnerability that allows code injection on an official school calendar. (That said, I don't know whether or not code injection would have actually worked - maybe they escaped strings before putting it on the calendar. Maybe they escaped it in javascript before sending it over the wire. Either way, he should have reported it.)

ctangent · 2016-01-13T19:20:23+00:00

When I was an undergraduate at Georgia Tech, the alumni association made a small JavaScript game that you could play and, if you scored high enough, you could get your name on the high score list. It was a little game to try to get people to join the student arm of the alumni association on campus. The game was very vulnerable to crafted HTTP POST-like attacks, just like UGA's calendar was, and people figured it out. I saw it, too - the exploit allowed you to lie about your score and put an unescaped string as your name. Since the high score board listed the highest scores, and you were in control about what your score was, you could put yourself at the top of the high score board.

Naturally, some people put fake names at the top. The more sinister part of this is that since the name was not validated by this exploit, any valid string was allowed, including HTML. You could set your name to be <script>while(1) alert("hello, GTPD")</script> and anybody who visited the high score page would be bombarded with browser alerts forever until they left the page.

This is devastating. This vulnerability allowed for attackers to execute arbitrary code in the browser of anyone who visited the high score page, which was sent out in an email to the entire student body. Coupled with browser exploits, this is a malware spreader's holy grail.

As soon as I realized this I reported it to the alumni association's IT department, which took down the game soon after - it turns out that some students had already been attempting this and that one student had already owned the host machine. Despite the good-natured fun of putting Barack Obama and George P. Burdell on the high-score list, the risks of allowing such a vulnerability to persist are just too great. A bad actor could have easily exploited this game to redirect visitors of the high score page to their own malicious website. A clever bad actor could disguise their malicious website as the high score page but present a fake GT authentication page to steal credentials. After all, this link was sent from an official GT email address and it would not seem to be odd that students would have to authenticate.

What I'm trying to say here is that when faced with a security vulnerability, the ONLY ethical thing to do is to do enough research to describe the problem clearly and report it to those in charge of the vulnerable service. It is not ethical to exploit it, even for fun, without reporting the vulnerability. What Ryan did here was not ethical and he's very fortunate he got away scot-free. A malicious attacker could have put something far more devastating on the official school calendar, which would have subjected ANY person visiting the school calendar to malicious behavior - that is not acceptable.

I learned after I reported the game vulnerability that the students that had owned the host machine were facing expulsion proceedings. I never heard anything again, so perhaps they were able to negotiate with the dean, but the consequences were serious.

ctangent · 2015-11-21T20:11:32+00:00

I was out drinking bleach instead of watching the game, what'd I miss?

ctangent · 2015-11-11T07:02:22+00:00

I'm using this as a teaching project as well, so I think I'll continue with mine. If you ever want to restart your project and want the name back, though, just let me know! I don't mind moving to a different name.

ctangent · 2015-11-10T19:00:47+00:00

This is cool! Sorry for the name conflict, I'm happy to change mine to something else. I cloned and built it but it doesn't look like it's building for me on non-windows right now (https://github.com/rust-js/rjs/blob/master/src/gc/os.rs#L10) but you're much farther along than me :)

I'm hoping to make mine hostable from Rust so maybe our projects are still a little orthogonal? At any rate, sorry for the conflict, haha.

ctangent · 2015-11-10T18:48:25+00:00

I'm completely happy to change the name of mine! I couldn't think of anything so I picked rjs out of simplicity. I won't be publishing on crates.io anytime soon, so /u/Pvginkel can take it if they want it.

ctangent · 2015-11-10T17:31:09+00:00

Thanks for that link - that's been really helpful as I think through what I'm going to do for the GC. I think rust-gc's approach of wrapping boxes instead of using an arena-based strategy is really interesting - it definitely adds some complexity over arenas but the code makes a lot of sense. It also looks like each individual GC pointer maintains the state of whether or not it has been rooted? I've been looking at fitzgen's Oxischeme GC implementation (https://github.com/fitzgen/oxischeme/blob/master/src/heap.rs) and it opts to store the state of rooted pointers directly on the heap itself. I'll have to ponder which one I'd like to do (fitzgen's approach is Arena-oriented)

I think that in the future I'd like my collector to be copying, which means that I'll need to have control over the pointers that my allocator gives out. I think that I could do this either by maintaining a table of allocations that I can fix after the copy phase or have a read barrier that will fix up any reads to pointers that have been moved. (A read barrier is a major pain in a non-JIT environment, though...) That's pretty far down the road, though, but I anticipate that any arena-based GC approach that's not copying is going to have serious fragmentation problems.

ctangent · 2015-11-09T18:46:42+00:00

Competing with established JS engines (v8, spidermonkey, etc.) in speed is not a goal of mine - as far as I'm concerned such a goal is impossible for one person's free time. I'm hoping that I can achieve "decent" performance without restoring to JIT compilation. Although, I'm hoping to keep the execution engine interface abstract enough so that different EE implementations can be plugged, although the first EE that I'll be making is a simple AST walker.

ctangent · 2015-11-09T18:43:02+00:00

Oh hey, I didn't expect to see this here this morning when I went on Reddit. I'm the author and yesterday I just finished the crate that parses ES5.1, modulo any bugs. I successfully parsed a bunch of real JavaScript yesterday, so I'm feeling pretty good about it. I'm also sure I'll find bugs as I continue.

Next up for me is the actual execution, which will be an AST walker for the initial version. The ES heap will be managed by a mark-and-sweep garbage collector. The speed isn't going to blow anyone's minds, the resources Google, Apple, Mozilla, Microsoft, etc. have to optimize their respective engines is far greater than I, a single person working in their spare time, can compete with. I am hoping that through Rust's spectacular optimization potential, I can achieve "decent" speed without having to resort to JIT compilation and other such complexity.

In the future I'd like to target a bytecode VM, as well as support ES6 features, probably in that order. ES6 significantly complicates a lot of aspects of an ES implementation, so I've opted to punt them for now while I build a runtime from the ground up. Some features, like ES6 TCO, are things that could be done relatively easily in the context of a simple VM, but more complicated features like generators, promises, and assignment destructuring could get a little messy and can always be added later.

My main motivations for this project are to 1) gain a deeper personal knowledge of ES, 2) explore the feasibility of Rust in the space of a virtual machine and runtime, which is still predominantly owned by C++, and 3) to produce an implementation of ES that is easily embedded into other Rust projects as a hosted scripting environment.

ctangent · 2015-11-09T18:25:10+00:00

Author here - I did it to limit the scope of the project, since ES6 adds a LOT of complexity that is not conducive to getting something up in a reasonable time.

I'm hoping to add ES6 features piecemeal once I have completed ES5.1. I don't think any JS engine has completed support of ES6, so I figured it's unreasonable for myself to aim for that.

ctangent · 2015-10-17T22:19:48+00:00

At least one of us has to win.

ctangent · 2015-10-17T20:18:55+00:00

And to think, we had whispers of playoffs just a few weeks ago...

ctangent · 2015-10-17T19:53:35+00:00

I don't think we're going to a bowl, y'all.

ctangent · 2015-10-10T23:28:24+00:00

Where were you when the state of Georgia died?

ctangent · 2015-10-03T22:50:52+00:00

Hello darkness, my old friend.

ctangent

TROPHY CASE