Ruby » Ruby master

Isn't rb_str_dup copy-on-write and so should be fairly cheap?

I agree the dup is unnecessary since 99.99% of the time you're just doing buf << CGI.escapeHTML(str). Not sure the performance gain would be measurable. A new method like CGI.escapeHTML! would make sense to me, as it indicates the danger of mutating the return value.

I did a search for CGI.escapeHTML in gems: https://pastebin.com/7HYUTASZ
There's a lot of safe usage where the result is directly used in interpolation or concatenation.
There's also some "potentially unsafe" usage like

      def escape_html(string)
        CGI.escapeHTML(string)
      end

which depends on how the escape_html method is called, but in general the only valid use case for these methods is when appending to a buffer. So I'd say it's a low-risk change.

Isn't rb_str_dup copy-on-write and so should be fairly cheap?

As I wrote in the description, calling rb_str_dup is making the whole method 1.34x slower no matter how efficient CoW is. Whether the 34% slowdown is cheap or not depends on how often the method is used and hits the non-escaped case. What I'm saying is that this method is used for almost all embedded expressions in templates and it hits the non-escaped case most of the time. Let's say you have a page that lists 100 resources with 5 fields, it would call CGI.escapeHTML at least 500 times and many of them could have no '"&<> characters.

Generally, escaping an HTML is known to be one of the largest bottlenecks in template engine benchmarks that enable HTML escaping, which is why I've literally spent years optimizing this method. I would never say a 34% slowdown in CGI.escapeHTML is cheap. When I modified the benchmark created by the Slim team to escape embedded expressions, the benchmark became 1.1x faster by just removing this rb_str_dup call. So the 34% slowdown in the microbenchmark of this method translates to a 10% slowdown in the template rendering.

A new method like CGI.escapeHTML! would make sense to me, as it indicates the danger of mutating the return value.

It's not doing any mutation by itself, and I don't know of any existing method named like that. Thus Matz would not like the name, and I'm not sure if the library maintainer (@nobu (Nobuyoshi Nakada)) likes it either. But thanks for proposing an alternative name.

You know, if speed is that much a concern, I think optimized_escape_html2 should seek the first escapable character and only if found then do the ALLOCV_N (and memcpy from cstr to buf).

Actually an even better approach may be to append the escaped bytes directly to the final output buffer, instead of generating any intermediary string at all. As such I would like to propose:
CGI.escapeHTML(str, "") append to new string (current behavior)
CGI.escapeHTML(str, nil) append to new string or return unmodified str (new default?)
CGI.escapeHTML(str, buffer) append to buffer (most efficient when rendering mutliple strings in template)

You know, if speed is that much a concern, I think optimized_escape_html2 should seek the first escapable character and only if found then do the ALLOCV_N (and memcpy from cstr to buf).

ALLOCV_N is essentially alloca. I'd say this one is indeed "fairly cheap". Feel free to prove it otherwise by submitting a patch and benchmarking it though.

As to memcpy, while technically memcpy isn't called for the case we're discussing, *dest++ = c; feels like an unneeded overhead and I have an idea to improve it. I'd discuss it in a different ticket though.

Actually an even better approach may be to append the escaped bytes directly to the final output buffer, instead of generating any intermediary string at all.

You seem to assume that the buffer is bare String, but it's not necessarily the case for Rails. I believe it could/should be fixed, but it's a different discussion.

We might be able to make it efficient for a non-String buffer too, so I'll give it a try first. Thanks for the idea.

It's true ALLOCV_N is almost free but I was thinking more about the cost of copying between buffers
a) when nothing needs escaping: copy bytes to tmp buffer then discard
b) when something needs escaping: copy bytes to tmp buffer then copy again to final string

You seem to assume that the buffer is bare String, but it's not necessarily the case for Rails.

If buffer is bare String we can use CGI.escapeHTML(str, buffer), and if something else (Array?) we can use CGI.escapeHTML(str). I think it's nice to support both cases.

6x allocation is optimal for worst cast like '"' * 1000 but personally I would optimize for common case. So grow the string by an amount sufficient for 99.9% of cases (maybe something like (N+30)*1.2) and accept a realloc for degenerate cases. It's a different kind of choice/trade-off.

Thank you for the discussion, it's a fun topic.

I did not expect rb_str_dup() is so costly on CRuby, I guess the allocation is slow and of course CRuby can't escape-analyze it.
I think it is important to keep the optimized HTML escape in core/stdlib (e.g., in CGI), as the fastest way is implementation-dependent.
See https://bugs.ruby-lang.org/issues/19102#note-4

I think we should add an optional argument to avoid copying the string when unchanged, that's easy and avoids yet another place/method with that escaping logic.

I filed a PR for truffleruby https://github.com/ruby/erb/pull/39.

I think it is important to keep the optimized HTML escape in core/stdlib (e.g., in CGI)

I didn't get what you mean in this part. CGI and ERB are both default gems. There's no difference in its "coreness" between them.

Right, I forgot CGI is a default gem too.
I think it seems cleaner for other template engines (e.g. haml, slim, etc) to depend (as in require "cgi") on CGI vs depending on ERB, i.e. CGI feels smaller/like a subset of ERB. In other words, it doesn't seem ideal for other template engines to depend on the ERB template engine just for escaping (although practically speaking there is no issue, just from a design perspective).

I get what you're saying. My position on this issue is:

• CGI is not a good place either unless you're writing a CGI application. ERB also has ERB::Escape now, and I'd say "embedded Ruby escape" is a better module name than "CGI" for the purpose.
• ERB 4.0.0 was shipped with a new file erb/util.rb, which allows you to load only a couple of escape methods, not loading an extra template engine.
• The way we defined the method was designed by @jeremyevans0 (Jeremy Evans) for Erubi. Loading the ERB template engine would be the last thing the Erubi maintainer would like to do. So, thanks to his idea, it's possible to load only escape methods.
• ERB::Util.html_escape is monkey-patched by Rails and it's been the only official html_safe-compatible HTML escape method for years (while it's been using Erubis or Erubi). Since it's the only Rails-official way to do it, moving it to another place would be unnecessarily disruptive.

Thank you for the explanation, that's very good arguments and they address my concerns.