I'm going to need rounding for large allocation sizes like jemalloc to work around poorly written applications and libraries with element-by-element realloc growth loops. GTK+ / Qt ecosystems are full of memory corruption & inefficient patterns like this.
github.com/AndroidHardeni
Conversation
It's all fine with server and command-line applications and on Android, but GTK+ and Qt applications often take a ridiculously long time to load because applications feel like reallocating 32 bytes to 32 MiB via realloc loops in increments of 32 bytes. Krita is particularly bad.
2
2
8
Epiphany does a lot of this but it's also packed full of memory corruption so it's hard to test performance... not that anyone should be using such an insecure browser anyway. Even Firefox's lack of meaningful sandboxing and other issues are way less bad than the WebKitGTK mess.
Replying to
I find it shocking how poorly desktop Linux applications other than Firefox/Chromium hold up to being run with memory corruption mitigations. It's ridiculous to use C or C++ without any ASan/UBSan testing in 2019. Qt forces lots of undefined behavior in the framework itself...
2
6
13
This Tweet was deleted by the Tweet author. Learn more
Replying to
It's still not good. They're moving towards eventually providing decent isolation separating content from the OS but it's not there yet. It also doesn't provide isolation between sites like Chromium's site isolation. See wiki.mozilla.org/Project_Fission for their site isolation project.
1
Show replies
Replying to
Would you be able to elaborate on how you consider our sandbox not meaningful? I'm very eager to hear what suggestions you have. And in case you have found specific defects, I invite you to submit them to our bug bounty program (cf mozilla.org/en-US/security)
1
Replying to
Mozilla still owes me a bit of money, along with being in an enormous debt for all the volunteer work I did and the horrible treatment that I was given. I'm extremely unlikely to contribute anything else, and that includes not reporting vulnerabilities in any Mozilla projects.
2
Show replies