I'm going to need rounding for large allocation sizes like jemalloc to work around poorly written applications and libraries with element-by-element realloc growth loops. GTK+ / Qt ecosystems are full of memory corruption & inefficient patterns like this.
github.com/AndroidHardeni
It's all fine with server and command-line applications and on Android, but GTK+ and Qt applications often take a ridiculously long time to load because applications feel like reallocating 32 bytes to 32 MiB via realloc loops in increments of 32 bytes. Krita is particularly bad.
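The loop shape described above (grow a buffer by a fixed increment, one realloc per step) is easy to reproduce, and so is the effect of the mitigation mentioned in the first post. The following is an added example, not code from the author's allocator: a thin realloc wrapper that either forwards every call to the backend (naive) or rounds the requested size up to a size class and skips the backend call while the request still fits in the current class. The class spacing is a jemalloc-like assumption (16-byte quantum below 16 KiB, four classes per power of two above it); the thresholds and the names `round_size_class`, `tracked_buf` and `run_growth_loop` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bookkeeping for one growable buffer behind the wrapper. */
typedef struct {
    void  *ptr;
    size_t capacity;       /* bytes the backend actually reserved */
    size_t backend_calls;  /* malloc/realloc calls forwarded to the backend */
    size_t bytes_copied;   /* upper bound: old capacity copied on every forwarded call */
} tracked_buf;

/* Assumed threshold above which large-size rounding kicks in (not jemalloc's exact value). */
static const size_t LARGE_THRESHOLD = 16384;

/* Round a request up to a size class: a 16-byte quantum for small sizes, and for
   large sizes four classes per power of two, i.e. spacing 2^(k-2) when 2^k <= n < 2^(k+1). */
size_t round_size_class(size_t n) {
    if (n == 0) n = 1;
    if (n < LARGE_THRESHOLD)
        return (n + 15) & ~(size_t)15;
    size_t k = 0;
    while (((size_t)1 << (k + 1)) <= n) k++;   /* now 2^k <= n < 2^(k+1) */
    size_t spacing = (size_t)1 << (k - 2);     /* k >= 14 here, so k-2 is safe */
    return (n + spacing - 1) & ~(spacing - 1);
}

/* Grow the buffer to at least new_size. With rounding, a request that still fits the
   current class costs nothing; without it, every request reaches the backend. */
static int tracked_grow(tracked_buf *b, size_t new_size, int rounded) {
    size_t want = rounded ? round_size_class(new_size) : new_size;
    if (b->ptr != NULL && want <= b->capacity)
        return 0;                              /* fits in the current class: no backend call */
    void *p = realloc(b->ptr, want);           /* realloc(NULL, n) behaves like malloc(n) */
    if (p == NULL)
        return -1;
    b->bytes_copied += b->capacity;            /* pessimistic: assume the backend moved the block */
    b->ptr = p;
    b->capacity = want;
    b->backend_calls++;
    return 0;
}

/* Run "size += step until size >= target", the element-by-element growth pattern,
   and return the counters. The buffer itself is freed before returning. */
tracked_buf run_growth_loop(size_t start, size_t target, size_t step, int rounded) {
    tracked_buf b = {NULL, 0, 0, 0};
    if (tracked_grow(&b, start, rounded) != 0)
        return b;
    for (size_t size = start; size < target; ) {
        size += step;
        if (tracked_grow(&b, size, rounded) != 0)
            break;
    }
    free(b.ptr);
    b.ptr = NULL;
    return b;
}

int main(void) {
    const size_t start = 32, target = (size_t)32 << 20, step = 32;   /* 32 B -> 32 MiB, 32 B steps */
    tracked_buf naive   = run_growth_loop(start, target, step, 0);
    tracked_buf rounded = run_growth_loop(start, target, step, 1);
    printf("naive:   %zu backend calls, up to %zu bytes copied\n", naive.backend_calls, naive.bytes_copied);
    printf("rounded: %zu backend calls, up to %zu bytes copied\n", rounded.backend_calls, rounded.bytes_copied);
    return 0;
}
```

The `bytes_copied` counter is the pessimistic case for an allocator that never grows a block in place, which is where an O(n²) copy cost comes from; the rounded path turns the loop into a few dozen backend calls per power of two instead of one per increment, without changing the caller.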
Epiphany does a lot of this but it's also packed full of memory corruption so it's hard to test performance... not that anyone should be using such an insecure browser anyway. Even Firefox's lack of meaningful sandboxing and other issues are way less bad than the WebKitGTK mess.
Would you be able to elaborate on how you consider our sandbox not meaningful? I'm very eager to hear what suggestions you have. And in case you have found specific defects, I invite you to submit them to our bug bounty program (cf mozilla.org/en-US/security)
Mozilla still owes me a bit of money, along with being in an enormous debt for all the volunteer work I did and the horrible treatment that I was given. I'm extremely unlikely to contribute anything else, and that includes not reporting vulnerabilities in any Mozilla projects.
I'm not going to reply to any kind of allegations on a character-constrained medium. 🤷♂️ However, our sandbox is in our bug bounty program. Everything that breaks out is a good report, memory corruption or not. Again I invite everyone to join our bug bounty program.
Okay, and it being in the bug bounty program doesn't mean much when there are already major issues hindering the usefulness of the sandbox filed in the tracker. As I said, I'm also not planning on having Mozilla take advantage of me anymore. That's all you're putting forward.
Saying you have a bug bounty program isn't a magical answer to security criticisms. You aren't going to pay me for filing issues you already know about that trivialise the existence of the sandbox. I already haven't been paid money Mozilla owes me and was completely screwed over.
I work primarily on Linux and Android. Firefox has no sandbox on Android and the Linux sandbox is useless due to various known limitations including what I linked. It also has serious flaws elsewhere, along with having a limited scope in what it tries to accomplish vs. Chromium.