From: "ko1 (Koichi Sasada)"
Date: 2013-12-09T15:35:21+09:00
Subject: [ruby-core:58990] [ruby-trunk - Feature #8977] String#frozen that takes advantage of the deduping

Issue #8977 has been updated by ko1 (Koichi Sasada).

Now, I have one concern about security. This kind of method can be used widely and easily. And if this method is used with external strings obtained from IO, the fstring table can grow and grow easily. I'm afraid of such kinds of security risk:

(1) DoS attack
(2) Side channel attack (observed from outside)

But I'm not a security expert. So I want to ask experts.

Note that this problem has less impact than the Symbol-related DoS attack because these keys are collected.

-----

I think multiple tables support solves this kind of issue.

To solve such issues (and to continue discussing this issue for 2.2), a Ruby-level implementation and gem is a reasonable alternative, I believe. However, at the Ruby level, we can't do the same thing. Therefore nobu made a patch for WeakHash, a variant of WeakMap (we will make another ticket for it). WeakMap is an object_id -> Object map. WeakHash is an Object -> Object map.

With this class, we can make the fstring technique with multiple tables easily.

  class FrozenStringTable
    def initialize
      @table = {} # WeakHash.new
    end

    # Return the canonical frozen instance of str, interning it on first sight.
    def get str
      raise TypeError unless str.kind_of?(String)
      unless @table.has_key? str
        str.freeze
        @table[str] = str
      end
      @table[str]
    end
  end

  F1 = FrozenStringTable.new
  p F1.get('foo').object_id #=> 8274120
  p F1.get('foo').object_id #=> 8274120

----

In this comment, I show (1) a security concern, and (2) an alternative approach.
----------------------------------------
Feature #8977: String#frozen that takes advantage of the deduping
https://bugs.ruby-lang.org/issues/8977#change-43544

Author: sam.saffron (Sam Saffron)
Status: Assigned
Priority: Normal
Assignee: matz (Yukihiro Matsumoto)
Category:
Target version: current: 2.1.0

During memory profiling I noticed that a large amount of string duplication is generated from non-pre-determined strings. Take this report for example https://gist.github.com/SamSaffron/6789005 (generated using the memory_profiler gem that works against head)

  ">=" x 4953
  /Users/sam/.rbenv/versions/2.1.0-dev/lib/ruby/2.1.0/rubygems/requirement.rb:93 x 4535

This string is most likely extracted from a version. Or

  "/Users/sam/.rbenv/versions/2.1.0-dev/lib/ruby/gems" x 5808
  /Users/sam/.rbenv/versions/2.1.0-dev/lib/ruby/gems/2.1.0/gems/activesupport-3.2.12/lib/active_support/dependencies.rb:251 x 3894

A string that cannot be pre-determined.

----

It would be nice to have

  "hello,world".split(",")[0].frozen.object_id == "hello"f.object_id

Adding #frozen will give library builders a way of using the de-duping. It also could be implemented using weak refs in 2.0 and stubbed with a .dup.freeze in 1.9.3.

Thoughts?

--
http://bugs.ruby-lang.org/
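The per-table dedup approach from ko1's comment above, with the capacity cap a practitioner would want against the table-growth DoS he raises; this is an added example, not ko1's or nobu's code. BoundedFrozenStringTable, its max_entries parameter and the demo input are assumptions, and a plain Hash stands in for WeakHash, so entries live as long as the table does.

```ruby
# Added example (not from the thread): a per-table frozen-string dedup
# table in the style of ko1's FrozenStringTable, plus a capacity cap so
# that strings read from untrusted IO cannot make the shared table grow
# without bound. Plain Hash replaces WeakHash (an assumption), so
# entries are not collected; the cap is what bounds memory here.
class BoundedFrozenStringTable
  def initialize(max_entries)
    @max = max_entries
    @table = {}   # frozen String -> same frozen String
  end

  # Return the canonical frozen copy of +str+. Unknown strings are
  # interned only while the table has room; past the cap we hand back a
  # frozen copy without storing it, so a flood of unique inputs costs the
  # caller its own allocation rather than growing the shared table.
  def get(str)
    raise TypeError, "String expected" unless str.kind_of?(String)
    return @table[str] if @table.key?(str)
    frozen = str.frozen? ? str : str.dup.freeze
    @table[frozen] = frozen if @table.size < @max
    frozen
  end

  def size
    @table.size
  end
end

# Constructed input: a repeated token as the original issue splits it,
# followed by a run of unique tokens as if parsed from a request stream.
def demo
  t = BoundedFrozenStringTable.new(3)
  a = t.get("hello,world".split(",")[0])
  b = t.get("hello")
  same = a.equal?(b)                 # deduped: identical object
  1000.times { |i| t.get("unique-#{i}") }
  [same, t.size, a.frozen?]          # => [true, 3, true]
end
```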