|
|
|
|
// Copyright (c) 2020, The Garble Authors.
|
|
|
|
|
// See LICENSE for licensing information.
|
|
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"os"
|
|
|
|
|
"os/exec"
|
|
|
|
|
"path/filepath"
|
|
|
|
|
"runtime"
|
|
|
|
|
"testing"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// BenchmarkBuild is a parallel benchmark for 'garble build' on a fairly simple
|
|
|
|
|
// main package with a handful of standard library depedencies.
|
|
|
|
|
//
|
|
|
|
|
// We use a real garble binary and exec it, to simulate what the real user would
|
|
|
|
|
// run. The real obfuscation and compilation will happen in sub-processes
|
|
|
|
|
// anyway, so skipping one exec layer doesn't help us in any way.
|
|
|
|
|
//
|
|
|
|
|
// At the moment, each iteration takes 1-2s on a laptop, so we can't make the
|
|
|
|
|
// benchmark include any more features unless we make it significantly faster.
|
|
|
|
|
func BenchmarkBuild(b *testing.B) {
|
|
|
|
|
garbleBin := filepath.Join(b.TempDir(), "garble")
|
|
|
|
|
if runtime.GOOS == "windows" {
|
|
|
|
|
garbleBin += ".exe"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := exec.Command("go", "build", "-o="+garbleBin).Run(); err != nil {
|
|
|
|
|
b.Fatalf("building garble: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
rework the build benchmarks
First, stop writing binaries into the current directory, which pollutes
the git clone.
Second, split the benchmark into two. The old benchmark always used the
build cache after the first iteration, meaning that we weren't really
measuring the cost of cold fresh builds.
The new benchmarks show a build with an always-warm cache, and one
without any cache.
Note that NoCache with the main package importing "fmt" took about 4s
wall time, which makes benchmarking too slow. For that reason, the new
bench-nocache program has no std dependencies other than runtime, which
already pulls in half a dozen dependencies we recompile at every
iteration. This reduces the wall time to 2s, which is bearable.
On the other hand, Cache is already fast, so we add a second and
slightly heavier dependency, net/http. The build still takes under 300ms
of wall time. This also helps the Cache benchmark imitate larger rebuilds
with a warm cache.
Longer term, both benchmarks will be useful, because we want both
scenarios to be as efficient as possible.
name time/op
Build/Cache-8 161ms ± 1%
Build/NoCache-8 1.21s ± 1%
name bin-B
Build/Cache-8 6.35M ± 0%
Build/NoCache-8 6.35M ± 0%
name sys-time/op
Build/Cache-8 218ms ± 7%
Build/NoCache-8 522ms ± 4%
name user-time/op
Build/Cache-8 825ms ± 1%
Build/NoCache-8 8.17s ± 1%
3 years ago
|
|
|
for _, name := range [...]string{"Cache", "NoCache"} {
|
|
|
|
|
b.Run(name, func(b *testing.B) {
|
|
|
|
|
buildArgs := []string{"build", "-o=" + b.TempDir()}
|
|
|
|
|
switch name {
|
|
|
|
|
case "Cache":
|
|
|
|
|
buildArgs = append(buildArgs, "./testdata/bench-cache")
|
|
|
|
|
|
rework the build benchmarks
First, stop writing binaries into the current directory, which pollutes
the git clone.
Second, split the benchmark into two. The old benchmark always used the
build cache after the first iteration, meaning that we weren't really
measuring the cost of cold fresh builds.
The new benchmarks show a build with an always-warm cache, and one
without any cache.
Note that NoCache with the main package importing "fmt" took about 4s
wall time, which makes benchmarking too slow. For that reason, the new
bench-nocache program has no std dependencies other than runtime, which
already pulls in half a dozen dependencies we recompile at every
iteration. This reduces the wall time to 2s, which is bearable.
On the other hand, Cache is already fast, so we add a second and
slightly heavier dependency, net/http. The build still takes under 300ms
of wall time. This also helps the Cache benchmark imitate larger rebuilds
with a warm cache.
Longer term, both benchmarks will be useful, because we want both
scenarios to be as efficient as possible.
name time/op
Build/Cache-8 161ms ± 1%
Build/NoCache-8 1.21s ± 1%
name bin-B
Build/Cache-8 6.35M ± 0%
Build/NoCache-8 6.35M ± 0%
name sys-time/op
Build/Cache-8 218ms ± 7%
Build/NoCache-8 522ms ± 4%
name user-time/op
Build/Cache-8 825ms ± 1%
Build/NoCache-8 8.17s ± 1%
3 years ago
|
|
|
// Ensure the build cache is warm,
|
|
|
|
|
// for the sake of consistent results.
|
|
|
|
|
cmd := exec.Command(garbleBin, buildArgs...)
|
|
|
|
|
if out, err := cmd.CombinedOutput(); err != nil {
|
|
|
|
|
b.Fatalf("%v: %s", err, out)
|
|
|
|
|
}
|
|
|
|
|
case "NoCache":
|
|
|
|
|
buildArgs = append(buildArgs, "./testdata/bench-nocache")
|
|
|
|
|
default:
|
|
|
|
|
b.Fatalf("unknown name: %q", name)
|
|
|
|
|
}
|
|
|
|
|
|
rework the build benchmarks
First, stop writing binaries into the current directory, which pollutes
the git clone.
Second, split the benchmark into two. The old benchmark always used the
build cache after the first iteration, meaning that we weren't really
measuring the cost of cold fresh builds.
The new benchmarks show a build with an always-warm cache, and one
without any cache.
Note that NoCache with the main package importing "fmt" took about 4s
wall time, which makes benchmarking too slow. For that reason, the new
bench-nocache program has no std dependencies other than runtime, which
already pulls in half a dozen dependencies we recompile at every
iteration. This reduces the wall time to 2s, which is bearable.
On the other hand, Cache is already fast, so we add a second and
slightly heavier dependency, net/http. The build still takes under 300ms
of wall time. This also helps the Cache benchmark imitate larger rebuilds
with a warm cache.
Longer term, both benchmarks will be useful, because we want both
scenarios to be as efficient as possible.
name time/op
Build/Cache-8 161ms ± 1%
Build/NoCache-8 1.21s ± 1%
name bin-B
Build/Cache-8 6.35M ± 0%
Build/NoCache-8 6.35M ± 0%
name sys-time/op
Build/Cache-8 218ms ± 7%
Build/NoCache-8 522ms ± 4%
name user-time/op
Build/Cache-8 825ms ± 1%
Build/NoCache-8 8.17s ± 1%
3 years ago
|
|
|
// We collect extra metrics.
|
|
|
|
|
var userTime, systemTime int64
|
|
|
|
|
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
|
|
|
for pb.Next() {
|
|
|
|
|
cmd := exec.Command(garbleBin, buildArgs...)
|
|
|
|
|
if name == "NoCache" {
|
|
|
|
|
gocache, err := os.MkdirTemp(b.TempDir(), "gocache-*")
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
cmd.Env = append(os.Environ(), "GOCACHE="+gocache)
|
|
|
|
|
}
|
|
|
|
|
if out, err := cmd.CombinedOutput(); err != nil {
|
|
|
|
|
b.Fatalf("%v: %s", err, out)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userTime += int64(cmd.ProcessState.UserTime())
|
|
|
|
|
systemTime += int64(cmd.ProcessState.SystemTime())
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
b.ReportMetric(float64(userTime)/float64(b.N), "user-ns/op")
|
|
|
|
|
b.ReportMetric(float64(systemTime)/float64(b.N), "sys-ns/op")
|
|
|
|
|
info, err := os.Stat(garbleBin)
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
b.ReportMetric(float64(info.Size()), "bin-B")
|
|
|
|
|
})
|
obfuscate unexported names like exported ones (#227)
In 90fa325da7, the obfuscation logic was changed to use hashes for
exported names, but incremental names starting at just one letter for
unexported names. Presumably, this was done for the sake of binary size.
I argue that this is not a good idea for the default mode for a number
of reasons:
1) It makes reversing of stack traces nearly impossible for unexported
names, since replacing an obfuscated name "c" with "originalName"
would trigger too many false positives by matching single characters.
2) Exported and unexported names aren't different. We need to know how
names were obfuscated at a later time in both cases, thanks to use
cases like -ldflags=-X. Using short names for one but not the other
doesn't make a lot of sense, and makes the logic inconsistent.
3) Shaving off three bytes for unexported names doesn't seem like a huge
deal for the default mode, when we already have -tiny to optimize for
size.
This saves us a bit of work, but most importantly, simplifies the
obfuscation state as we no longer need to carry privateNameMap between
the compile and link stages.
name old time/op new time/op delta
Build-8 153ms ± 2% 150ms ± 2% ~ (p=0.065 n=6+6)
name old bin-B new bin-B delta
Build-8 7.09M ± 0% 7.08M ± 0% -0.24% (p=0.002 n=6+6)
name old sys-time/op new sys-time/op delta
Build-8 296ms ± 5% 277ms ± 6% -6.50% (p=0.026 n=6+6)
name old user-time/op new user-time/op delta
Build-8 562ms ± 1% 558ms ± 3% ~ (p=0.329 n=5+6)
Note that I do not oppose using short names for both exported and
unexported names in the future for -tiny, since reversing of stack
traces will by design not work there. The code can be resurrected from
the git history if we want to improve -tiny that way in the future, as
we'd need to store state in header files again.
Another major cleanup we can do here is to no longer use the
garbledImports map. From a look at obfuscateImports, we hash a package's
import path with its action ID, much like exported names, so we can
simply re-do that hashing for the linker's -X flag.
garbledImports does have some logic to handle duplicate package names,
but it's worth noting that should not affect package paths, as they are
always unique. That area of code could probably do with some
simplification in the future, too.
While at it, make hashWith panic if either parameter is empty.
obfuscateImports was hashing the main package path without a salt due to
a bug, so we want to catch those in the future.
Finally, make some tiny spacing and typo tweaks to the README.
3 years ago
|
|
|
}
|
|
|
|
|
}
|
