Commit Graph

4 Commits

Author SHA1 Message Date
dependabot[bot]
4377bc917f Bump ws from 7.3.0 to 7.4.6 in /tools/perf-canvaskit-puppeteer
Bumps [ws](https://github.com/websockets/ws) from 7.3.0 to 7.4.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p>
<blockquote>
<h2>7.4.6</h2>
<h1>Bug fixes</h1>
<ul>
<li>Fixed a ReDoS vulnerability (00c425ec).</li>
</ul>
<p>A specially crafted value of the <code>Sec-Websocket-Protocol</code> header could be used
to significantly slow down a ws server.</p>
<pre lang="js"><code>for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}
</code></pre>
<p>The vulnerability was responsibly disclosed along with a fix in private by
<a href="https://github.com/robmcl4">Robert McLaughlin</a> from University of California, Santa Barbara.</p>
<p>In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the <a href="https://nodejs.org/api/cli.html#cli_max_http_header_size_size"><code>--max-http-header-size=size</code></a>
and/or the <a href="https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener"><code>maxHeaderSize</code></a> options.</p>
<h2>7.4.5</h2>
<h1>Bug fixes</h1>
<ul>
<li>UTF-8 validation is now done even if <code>utf-8-validate</code> is not installed
(23ba6b29).</li>
<li>Fixed an edge case where <code>websocket.close()</code> and <code>websocket.terminate()</code> did
not close the connection (67e25ff5).</li>
</ul>
<h2>7.4.4</h2>
<h1>Bug fixes</h1>
<ul>
<li>Fixed a bug that could cause the process to crash when using the
permessage-deflate extension (92774377).</li>
</ul>
<h2>7.4.3</h2>
<h1>Bug fixes</h1>
<ul>
<li>The deflate/inflate stream is now reset instead of reinitialized when context
takeover is disabled (<a href="https://github-redirect.dependabot.com/websockets/ws/issues/1840">#1840</a>).</li>
</ul>
<h2>7.4.2</h2>
<h1>Bug fixes</h1>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="f5297f7090"><code>f5297f7</code></a> [dist] 7.4.6</li>
<li><a href="00c425ec77"><code>00c425e</code></a> [security] Fix ReDoS vulnerability</li>
<li><a href="990306d144"><code>990306d</code></a> [lint] Fix prettier error</li>
<li><a href="32e3a8439b"><code>32e3a84</code></a> [security] Remove reference to Node Security Project</li>
<li><a href="8c914d18b8"><code>8c914d1</code></a> [minor] Fix nits</li>
<li><a href="fc7e27d12a"><code>fc7e27d</code></a> [ci] Test on node 16</li>
<li><a href="587c201bfc"><code>587c201</code></a> [ci] Do not test on node 15</li>
<li><a href="f672710797"><code>f672710</code></a> [dist] 7.4.5</li>
<li><a href="67e25ff502"><code>67e25ff</code></a> [fix] Fix case where <code>abortHandshake()</code> does not close the connection</li>
<li><a href="23ba6b2922"><code>23ba6b2</code></a> [fix] Make UTF-8 validation work even if utf-8-validate is not installed</li>
<li>Additional commits viewable in <a href="https://github.com/websockets/ws/compare/7.3.0...7.4.6">compare view</a></li>
</ul>
</details>

This is an imported pull request from
https://github.com/google/skia/pull/80

GitOrigin-RevId: a9a98b522212ab86f81c15979a3550ea7e276edb
Change-Id: Ia61edf467fb25d96bed7066b9355975005ca6393
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/415377
Reviewed-by: Ravi Mistry <rmistry@google.com>
Commit-Queue: Ravi Mistry <rmistry@google.com>
2021-06-03 16:21:18 +00:00
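
An added example (not code from the ws project or from this commit) that sets the split pattern quoted in the release notes beside a linear-time parse with a per-header length cap. `parseSubprotocols`, `MAX_PROTOCOL_HEADER_LENGTH` and the sample header values are assumptions made for the illustration.

```javascript
'use strict';

// Pattern quoted in the release notes: for every start offset inside a run of
// spaces, ` *` greedily consumes the rest of the run, fails to find `,`, and
// backtracks, so a run of n spaces costs on the order of n^2 steps.
function splitWithRegex(value) {
  return value.trim().split(/ *, */);
}

// Linear-time alternative: split on the literal comma, then trim each token.
function splitLinear(value) {
  return value.split(',').map((token) => token.trim());
}

// Hypothetical cap on this one header value; it plays the same role as the
// maxHeaderSize mitigation, which limits the request headers as a whole.
const MAX_PROTOCOL_HEADER_LENGTH = 1024;

// Returns the offered subprotocols, or null if the header should be rejected
// (not a string, too long, empty or malformed token, duplicate token).
function parseSubprotocols(value, maxLength = MAX_PROTOCOL_HEADER_LENGTH) {
  if (typeof value !== 'string' || value.length > maxLength) return null;
  const tokens = splitLinear(value);
  const seen = new Set();
  for (const token of tokens) {
    // HTTP token characters only; rejects embedded spaces such as "b   x".
    if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(token) || seen.has(token)) return null;
    seen.add(token);
  }
  return tokens;
}

// Wall-clock time of one call in nanoseconds (BigInt), as in the loop above.
function timeNs(fn, value) {
  const start = process.hrtime.bigint();
  fn(value);
  return process.hrtime.bigint() - start;
}

// Constructed inputs: an ordinary header value and the release-notes shape.
const benign = 'chat , superchat,  v2.example';
const crafted = 'b' + ' '.repeat(8000) + 'x';

console.log(parseSubprotocols(benign), parseSubprotocols(crafted));
console.log('regex  ns:', timeNs(splitWithRegex, crafted));
console.log('linear ns:', timeNs(splitLinear, crafted));
```
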
dependabot[bot]
6c5e78d099 Bump bl from 4.0.2 to 4.0.3 in /tools/perf-canvaskit-puppeteer
This is a security fix.

This is an imported pull request from
https://github.com/google/skia/pull/65

GitOrigin-RevId: 38f6e1b1fd360a28135ce0579dbc5521edbcf1a3
Change-Id: I5f38b6f76fcd2943decd5dbe7df7546d4ce2084f
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/338052
Reviewed-by: Ravi Mistry <rmistry@google.com>
Commit-Queue: Ravi Mistry <rmistry@google.com>
2020-11-24 17:10:56 +00:00
Elliot Evans
b437d7b5e4 Add puppeteer perf for performance degradation related to transforming a complex path. Translations
and rotations both have an effect on cache usage. Snapping translations to integer coordinates
reduces cache usage. Opacity of path painting does not have an effect on cache usage.

Bug: skia:10272
Change-Id: Id5d5f08cb43645c9ec44b9d8e5e96643041727c3
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/292280
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2020-05-29 20:17:14 +00:00
Kevin Lubick
5443bb32a2 [canvaskit] Start a generic puppeteer perfing system.
IMPORTANT LESSON: when bringing in node (and possibly other
executables) via CIPD, add them to the path in gen_tasks_logic
so the parent executable (the task driver itself) has the right
PATH set. Otherwise, the subprocesses it spawns might grab the
wrong version because of how golang handles environments of
subprocesses.

This is starting as a fork of Skottie WASM. I hope to have a more unified
system for creating and running benchmarks.

Overall overview:
gen_tasks_logic.go creates a task in task.json that compiles
CanvasKit and the task drivers and then executes our task
(i.e. perf_puppeteer.go)

perf_puppeteer runs a node program (perf-with-puppeteer.js)
that uses puppeteer to execute benchmarking code on an
html page (canvaskit-skottie-frames-load.html).

I needed to update the node package so npm could be updated from
3.x to 6.14.4 so it knew about `npm ci`. This may not have been
entirely necessary, given the problems of executing the correct
npm (see important lesson above), but it hasn't broken things
further, so more up-to-date is probably a good thing.

Suggested Review Order:
 - canvaskit-skottie-frames-load.html (note it is similar to
   skottie-wasm-perf.html, but it waits for a button click
   to start animating and records times from the main JS thread
   itself)
 - perf-with-puppeteer.js (similar to skottie-wasm-perf.js, but
   has some things made optional [e.g. tracing])
 - perf_puppeteer_test.go (shows the inputs/outputs of various steps)
 - perf_puppeteer.go
 - Everything else.


Change-Id: I380e81b825f36682c257664d488267edaf36369e
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/285783
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Eric Boren <borenet@google.com>
2020-05-01 19:23:08 +00:00