Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

perf(jsx/dom): improve performance #3288

Merged
merged 21 commits into from
Aug 19, 2024
Merged

Conversation

usualoma
Copy link
Member

#3264

Key changes

use for-loop instead of recursion for findInsertBefore 0dadfbc

As @ryuapp pointed out in #3203, the implementation with recursive calls did not perform well and sometimes resulted in errors when there were a large number of elements, so it was modified so that recursive calls were not made.

assign type and ref to node object directly. Object.defineProperties is too slow 7fd73ef

  • reactElement.type
  • reactElement.ref

https://github.com/honojs/hono/compare/main...usualoma:hono:perf/jsx-dom?expand=1#diff-c9b14c1b74662b399c25e6dc0c870408c466e1c96e39a1d429903b2a3d0db51fL11-L20

The code to make the following properties referential is for React compatibility, but the implementation using Object.defineProperties was very expensive. This change is not pretty, but it is an acceptable redundancy when considered as a trade-off for improved performance.

Reduce recalculation and reapplication when properties are unchanged

In some cases, DOM attributes were being reassigned even when there were no changes to the properties, so reassignment is no longer performed when it is unnecessary.

benchmark

Based on this branch (thank you very much @aminya!),

https://github.com/aminya/js-framework-benchmark/tree/hono

The following changes were added and benchmarked in my environment.

diff --git a/frameworks/keyed/hono/src/index.tsx b/frameworks/keyed/hono/src/index.tsx
index 2628e205..998c4b0f 100644
--- a/frameworks/keyed/hono/src/index.tsx
+++ b/frameworks/keyed/hono/src/index.tsx
@@ -141,9 +141,8 @@ const App = () => {
     <table class="table table-hover table-striped test-data">
       <tbody>
         {data.map(item => {
-          console.log(item);
           return (
-            <Row item={item} selected={selected === item.id} dispatch={dispatch} />
+            <Row key={item.id} item={item} selected={selected === item.id} dispatch={dispatch} />
           );
         })}
       </tbody>

Performance for creation or update is roughly equivalent to React, with smaller file sizes and memory usage, which is an expected result since "hono/jsx" aims for "an implementation with a React-compatible API that is small enough to be practical with a small amount of code".

jsx-dom-bench

The author should do the following, if applicable

  • Add tests
    • Only a few tests have been added, but as most of the changes are internal refactoring with no external specification changes, no further additional tests are considered necessary.
  • Run tests
  • bun run format:fix && bun run lint:fix to format the code

@usualoma
Copy link
Member Author

@yusukebe Would you please review?

Copy link

codecov bot commented Aug 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.31%. Comparing base (e6459e7) to head (9d6e16e).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3288      +/-   ##
==========================================
+ Coverage   96.24%   96.31%   +0.07%     
==========================================
  Files         151      151              
  Lines       15293    15368      +75     
  Branches     2662     2700      +38     
==========================================
+ Hits        14718    14801      +83     
+ Misses        575      567       -8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@usualoma
Copy link
Member Author

Minor refactorings and tests are added.
There is no change in behavior, but test coverage scores have improved.

@yusukebe
Copy link
Member

yusukebe commented Aug 18, 2024

@usualoma

Thanks. I'll review this.

Copy link
Member

@yusukebe yusukebe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@yusukebe
Copy link
Member

@usualoma

Looks good to me!

Performance for creation or update is roughly equivalent to React, with smaller file sizes and memory usage, which is an expected result since "hono/jsx" aims for "an implementation with a React-compatible API that is small enough to be practical with a small amount of code".

Yes. You are right. In my environment, the scores were Preact, hono/jsx, and React in order of speed, but similar to yours. This score is reasonable. For example, optimizing the building step to minify build code size efficiently may be possible, but we don't have to do it since it would only be a small improvement.

Anyway, thank you for the awesome improvement!

@yusukebe yusukebe merged commit 1854e24 into honojs:main Aug 19, 2024
14 checks passed
@usualoma usualoma deleted the perf/jsx-dom branch August 19, 2024 01:14
@aminya
Copy link

aminya commented Aug 21, 2024

Based on this branch (thank you very much @aminya!),

You're welcome! It's nice to see that the benchmark effort resulted in these improvements. I'll update the benchmark based on the new version.

adamnolte referenced this pull request in autoblocksai/cli Aug 22, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [hono](https://hono.dev/) ([source](https://github.com/honojs/hono))
| [`4.5.5` ->
`4.5.8`](https://renovatebot.com/diffs/npm/hono/4.5.5/4.5.8) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/hono/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.5.5/4.5.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-43787](https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5)

### Summary

Hono CSRF middleware can be bypassed using crafted Content-Type header.

### Details

MIME types are case insensitive, but `isRequestedByFormElementRe` only
matches lower-case.


https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17

As a result, attacker can bypass csrf middleware using upper-case
form-like MIME type, such as "Application/x-www-form-urlencoded".

### PoC

```html
<html>
  <head>
    <title>CSRF Test</title>
    <script defer>
      document.addEventListener("DOMContentLoaded", () => {
        document.getElementById("btn").addEventListener("click", async () => {
          const res = await fetch("http://victim.example.com/test", {
            method: "POST",
            credentials: "include",
            headers: {
              "Content-Type": "Application/x-www-form-urlencoded",
            },
          });
        });
      });
    </script>
  </head>
  <body>
    <h1>CSRF Test</h1>
    <button id="btn">Click me!</button>
  </body>
</html>
```

### Impact

Bypass csrf protection implemented with hono csrf middleware.

### Discussion

I'm not sure that omitting csrf checks for Simple POST request is a good
idea.
CSRF prevention and CORS are different concepts even though CORS can
prevent CSRF in some cases.

---

### Release Notes

<details>
<summary>honojs/hono (hono)</summary>

### [`v4.5.8`](https://github.com/honojs/hono/releases/tag/v4.5.8)

[Compare
Source](https://github.com/honojs/hono/compare/v4.5.7...v4.5.8)

##### Security Fix for CSRF Protection Middleware

Before this release, in versions 4.5.7 and below, the CSRF Protection
Middleware did not treat requests including `Content-Types` with
uppercase letters (e.g., `Application/x-www-form-urlencoded`) as
potential attacks, allowing them to pass.

This could cause unexpected behavior, leading to a vulnerability. If you
are using the CSRF Protection Middleware, please upgrade to version
4.5.8 or higher immediately.

For more details, see the report here:
GHSA-rpfr-3m35-5vx5

### [`v4.5.7`](https://github.com/honojs/hono/releases/tag/v4.5.7)

[Compare
Source](https://github.com/honojs/hono/compare/v4.5.6...v4.5.7)

#### What's Changed

- fix(jsx/dom): Fixed a bug that caused Script elements to turn into
Style elements. by [@&#8203;usualoma](https://github.com/usualoma) in
[https://github.com/honojs/hono/pull/3294](https://github.com/honojs/hono/pull/3294)
- perf(jsx/dom): improve performance by
[@&#8203;usualoma](https://github.com/usualoma) in
[https://github.com/honojs/hono/pull/3288](https://github.com/honojs/hono/pull/3288)
- feat(jsx): improve a-tag types with well known values by
[@&#8203;ssssota](https://github.com/ssssota) in
[https://github.com/honojs/hono/pull/3287](https://github.com/honojs/hono/pull/3287)
- fix(validator): Fixed a bug in hono/validator where URL Encoded Data
could not be validated if the Content-Type included charset. by
[@&#8203;uttk](https://github.com/uttk) in
[https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297)
- feat(jsx): improve `target` and `formtarget` attribute types by
[@&#8203;ssssota](https://github.com/ssssota) in
[https://github.com/honojs/hono/pull/3299](https://github.com/honojs/hono/pull/3299)
- docs(README): change Twitter to X by
[@&#8203;nakasyou](https://github.com/nakasyou) in
[https://github.com/honojs/hono/pull/3301](https://github.com/honojs/hono/pull/3301)
- fix(client): replace optional params to url correctly by
[@&#8203;yusukebe](https://github.com/yusukebe) in
[https://github.com/honojs/hono/pull/3304](https://github.com/honojs/hono/pull/3304)
- feat(jsx): improve input attribute types based on react by
[@&#8203;ssssota](https://github.com/ssssota) in
[https://github.com/honojs/hono/pull/3302](https://github.com/honojs/hono/pull/3302)

#### New Contributors

- [@&#8203;uttk](https://github.com/uttk) made their first
contribution in
[https://github.com/honojs/hono/pull/3297](https://github.com/honojs/hono/pull/3297)

**Full Changelog**:
honojs/hono@v4.5.6...v4.5.7

### [`v4.5.6`](https://github.com/honojs/hono/releases/tag/v4.5.6)

[Compare
Source](https://github.com/honojs/hono/compare/v4.5.5...v4.5.6)

#### What's Changed

- fix(jsx): handle async component error explicitly and throw the error
in the response by [@&#8203;usualoma](https://github.com/usualoma) in
[https://github.com/honojs/hono/pull/3274](https://github.com/honojs/hono/pull/3274)
- fix(validator): support multipart headers without a separating space
by [@&#8203;Ernxst](https://github.com/Ernxst) in
[https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286)
- fix(validator): Allow form data will mutliple values appended by
[@&#8203;nicksrandall](https://github.com/nicksrandall) in
[https://github.com/honojs/hono/pull/3273](https://github.com/honojs/hono/pull/3273)
- feat(jsx): improve meta-tag types with well known values by
[@&#8203;ssssota](https://github.com/ssssota) in
[https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276)

#### New Contributors

- [@&#8203;Ernxst](https://github.com/Ernxst) made their first
contribution in
[https://github.com/honojs/hono/pull/3286](https://github.com/honojs/hono/pull/3286)
- [@&#8203;ssssota](https://github.com/ssssota) made their first
contribution in
[https://github.com/honojs/hono/pull/3276](https://github.com/honojs/hono/pull/3276)

**Full Changelog**:
honojs/hono@v4.5.5...v4.5.6

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/autoblocksai/cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants