Plotly - device-independent and stable codegen + codegen cache. #637
Conversation
…om generated code
…es from generated code
…hich could be different on different devices
… of 'isNaN' function for checking literals in core.js
yujin-wu
changed the title
|
Thanks for the PR! It would be great to fix the CSP issues! I don't currently have time for an in-depth review, but a couple things which jump out at me are:
with the result that (function (global, factory) {
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory(require('crypto')) :
typeof define === 'function' && define.amd ? define(['crypto'], factory) :
(global.createREGL = factory(global.crypto));
}(this, (function (crypto) { 'use strict';A way this has been handled in the past was to write a browserify transform which could be run to transform a dynamic call into a static call. See, for example cwise-transform.js which replaces the entry point to replace dynamic calls with code generation to static calls with the generated code. Unfortunately, the ecosystem is fragmented and browserify transforms can cause lots of headaches with various bundlers. If anything though, I think it'd be maybe preferable to replace interaction with a global |
|
Ah, I think static-module was the module which replaces module usage with inline expressions. Plotly includes it via |
|
Thanks for taking a look! I have added the cache to window before because I thought maybe applications have libraries that instantiate regl itself which wasn't accessible to the application. But alas I haven't seen an example of that, and it is nicer to keep it contained so as you've said I've changed that now. I didn't even realize the crypto issue until you mentioned it, because the resulting code did happen to work wherever web cryptography existed :P. But yeah it ought to be fixed - I am still replacing it with a dependency-free safe hash function (hopefully lighter than sha256). I am still considering whether using an attackable hash/digest function to index cached code is a security concern here, if so I may end up having to include a crypto library just for this purpose. |
…standalone sha256 implementation, added codegen initialization to constructor
package.json
Outdated
| @@ -43,7 +43,7 @@ | |||
| "getusermedia": "^1.3.7", | |||
| "git-commits": "^1.2.0", | |||
| "git-parse-commit": "^1.0.0", | |||
| "gl": "4.0.1", | |||
| "gl": "4.9.2", | |||
There was a problem hiding this comment.
Wondering why this change is necessary?
If not, please revert it.
There was a problem hiding this comment.
Yes this was in the process of debugging the build, it is not necessary change. Reverting.
package-lock.json
Outdated
| @@ -1,19 +1,14307 @@ | |||
| { | |||
| "name": "regl", | |||
| "version": "2.1.0", | |||
| "lockfileVersion": 1, | |||
| "lockfileVersion": 2, | |||
There was a problem hiding this comment.
Let's not touch the version of package-lock in this PR.
There was a problem hiding this comment.
This has been reverted now too. I just undid the last 2 commits.
yujin-wu
force-pushed
the
plotly/cache-codegen
branch
2 times, most recently
from
1cd7107
to
29c9b09
Compare
|
So great that this is being worked on, |
Issue
#638
unsafe-eval. This change allows developers to pre-generate shaders for their apps and make them CSP compliant.Changes
-- added "stable link" capability to link runtime-dependent values.
-- rolled-up the vertex array loop.
This makes it possible for developers to create CSP compliant apps using regl, roughly by:
__regl_codegen_cache, and save into application source.__regl_codegen_cache. Regl will avoid codegen for those functions.Impact on performance