Intent to Implement: Use fdlibm for Math.cos, Math.sin, and Math.tan to prevent math-based fingerprinting
Tom Ritter
For performance reasons, Firefox currently doesn't use the cross-platform fdlibm for Math.cos, Math.sin, and Math.tan (using it only for other, more esoteric functions like Math.cosh and Math.sinh), and instead chooses to use the local, platform-supplied math library [0]. This leaves Firefox open to math-based fingerprinting [1]. Using fdlibm for these more popular functions closes this fingerprinting vector.
Additionally, use of the platform Math routines results in different WebAudio fingerprints, and we believe that we can eliminate those differences also with future work.
There is a performance hit on Windows; on other platforms the regression is negligible. (More below.) We intend to implement this and enable it when Resist Fingerprinting is turned on. If no one objects, we’d also like to enable it on Nightly to get a larger test population. We haven’t tested Android yet, so for now this will be Desktop only and we’ll investigate that soon as well.
######
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531915
Standard: ECMA-262 §21.3.2 recommends but does not require fdlibm for Math.cos, Math.sin, and Math.tan [2].
Platform coverage: All.
Other browsers: Chromium/V8 uses fdlibm for these functions. It has constant Javascript math (and WebAudio) fingerprints as a consequence.
Note: This work has been driven by volunteer contributors, with their help we’ve been making good progress on several long-standing fingerprinting issues.
#####
Testing
We confirmed that local fingerprints did not match try run fingerprints, then created a browser test (browser_math.js) to ensure that the fdlibm fingerprints matched locally and on try [3,4].
#####
Performance Impact
We benchmarked this patch in two configurations—fdlibm for sin, cos, and tan enabled (“fdlibm on”) and fdlibm for sin, cos, and tan disabled (“fdlibm off”)—on three OSes (OS X, Linux, and Windows). The “fdlibm off” configuration shows the overhead of our preference check. We ran it against the current configuration on three benchmarks aiming to simulate real-world math workloads: JetStream's Box2d, Kraken's Audio DFT, and SunSpider's Math Partial Sums, and then also on arai’s microbenchmark of concerning values to give us fine-grained performance characteristics [5].
The data was collected from try runs and is illustrated in the graphs below [6,7,8].
### Performance on the Three Benchmarks
On OS X and Linux, the performance hit goes both ways and is small, staying within 3%, implying that it is likely negligible. However, on Windows, we see a significant performance hit, ranging from 27% on Box2d to 73% on Math Partial Sums.
### Performance on Arai’s Microbenchmark
On OS X, we see speedups for sin and cos but slowdowns for tan, with a max slowdown of 14% (tan [-8*PI..8*PI]), a max speedup of 25% (cos [-2*PI..2*PI]), and an average *speedup* of 5%.
On Linux, we see speedups on all tasks except sin [-PI..PI] and sin [-2*PI..2*PI], where we see slowdowns of 7% and 15% respectively, giving us an average *speedup* of 16%.
On Windows, we see slowdowns across the board ranging from 7% (cos [-PI..PI]) to 90% (tan [-4*PI..4*PI]), with the average slowdown being 42%.
---
[0]: https://searchfox.org/mozilla-central/source/modules/fdlibm/import.sh#49,84,91
[2]: https://262.ecma-international.org/12.0/#sec-function-properties-of-the-math-object
[3]: https://phabricator.services.mozilla.com/D119426
[4]: https://treeherder.mozilla.org/jobs?repo=try&revision=0e8d6b893e7b706a9c0e9ffa0ade1199a2b54635
[5]: https://bugzilla.mozilla.org/show_bug.cgi?id=933257#c139
[6]: https://treeherder.mozilla.org/jobs?repo=try&revision=da1eda8500f9a10f5c8a85b42b2496c25e23dca8
[7]: https://treeherder.mozilla.org/jobs?repo=try&revision=b114438356df50f347da19c22c5e66056100877d
[8]: https://treeherder.mozilla.org/jobs?repo=try&revision=b524ccad583f883c7953ccdaf93103297c1c3fa3
Jeff Muizelaar
--
You received this message because you are subscribed to the Google Groups "dev-pl...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-platform...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADua4_uUukyeRC2DuAzQf7waZyua%2BszevaLn1XdF0U5aHj%2BqNg%40mail.gmail.com.