It's hard to appreciate how good Rustls is at avoiding UaF since UaF avoidance is taken for granted in idiomatic Rust code. Tiny things like `#[must_use]` are small but help avoid big failures. Our friends doing concurrency & malloc/free in C are still struggling w/ the basics.
-
I'm still a fan of the DOM-is-implemented-in-JS idea.
-
Me too, from an elegance point of view. Still, there has to be a boundary between DOM and native *somewhere*, even if only at windowing layer.
-
I don't know quite why it's hard to find the places where we get unexpected reentrancy. I kind of imagine that most of this "unexpected" reentrancy happens many times through a few paths that are kind of stubbornly not rearchitected to avoid it. That's a pretty uninformed guess.
-
Mutation observers are the most common source of this problem. Remove a node from the DOM while in the middle of an operation on that node.
-
Mutation Events? Mutation Observers run around microtask time, which is pretty clearly defined and not reentrant.
-
Yeah, you are right. I always get those names mixed up for some reason.
End of conversation
New conversation
The fundamental problem is seamless interoperability between the ownership world (C, C++, Rust…) and the shared-everything world (DOM, JS, COM…). Hard problem, and I haven’t seen a safe, usable, and ergonomic solution yet.
-
The Gecko script blockers plus static analysis seems helpful?
-
Helpful, yes, but sound? It’s 2018—we shouldn’t be settling for unsound solutions anymore.
End of conversation
New conversation
Hm? The problem seems trivial: refcount references from JS to DOM, register all references from DOM to JS in a special GC root.
-
:) I agree that it does seem trivial. Of course that's basically what browsers do but it doesn't work.
-
It "doesn't work" because of some fundamental shortcoming, or it "doesn't work" because they keep making shortcut hacks around it to make it perform better^H^H^H^H^H^H^H^H^H^H^H^H^H^Hso sites can be 10x as bloated at the same performance.
-
Intuitively, Rust's borrow-checker-based access management for objects isn't going to compose well with a system like JS GC that is completely unaware of it. So in your Rust code and C++ code you think you have the one and only (mutable) pointer to an obj but then you trigger JS.
End of conversation
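The point made just above (a Rust or C++ operation believes it holds the only mutable reference to a node, then triggers script that mutates the same node) can be shown on a toy tree. The block below is an added example, not code from Servo, Gecko or any browser; `Node`, `NodeRef`, `Script`, `append_child_reentrant`, `append_child_deferred` and `run_microtasks` are invented names. It contrasts running script synchronously while the borrow is live (the Mutation Events shape) with queuing script until the operation has released its borrow (the Mutation Observers shape). Where C++ would hit a use-after-free, `RefCell` refuses the second mutable borrow and the failure becomes an error the caller can see.

```rust
use std::cell::RefCell;
use std::collections::VecDeque;
use std::rc::Rc;

// Constructed toy DOM: not browser code, only enough structure to show the
// borrow/reentrancy interaction discussed in the thread.
#[derive(Debug)]
pub struct Node {
    pub name: String,
    pub children: Vec<NodeRef>,
}
pub type NodeRef = Rc<RefCell<Node>>;

pub fn node(name: &str) -> NodeRef {
    Rc::new(RefCell::new(Node { name: name.to_string(), children: Vec::new() }))
}

/// A JS-like callback that may mutate the node it is handed. It reports
/// whether the mutation succeeded so the caller can observe reentrancy.
pub type Script = Box<dyn FnMut(&NodeRef) -> Result<(), String>>;

/// A script that clears the node's children: the "remove a node while in the
/// middle of an operation on it" case from the thread.
pub fn clearing_script() -> Script {
    Box::new(|target: &NodeRef| {
        // try_borrow_mut fails if the DOM operation still holds the borrow.
        let mut n = target.try_borrow_mut().map_err(|e| e.to_string())?;
        n.children.clear();
        Ok(())
    })
}

/// Reentrant shape: scripts run synchronously while the mutable borrow `p`
/// is live (like Mutation Events). In C++ this is where the node can be
/// freed under the caller; RefCell turns the same aliasing into an error.
pub fn append_child_reentrant(
    parent: &NodeRef,
    child: NodeRef,
    scripts: &mut [Script],
) -> Vec<Result<(), String>> {
    let mut p = parent.borrow_mut();
    p.children.push(child);
    let results: Vec<_> = scripts.iter_mut().map(|s| s(parent)).collect();
    drop(p);
    results
}

/// Deferred shape: the operation finishes and releases its borrow, and the
/// node is queued so scripts run afterwards (like Mutation Observers at
/// microtask time). No script can observe the half-finished operation.
pub fn append_child_deferred(parent: &NodeRef, child: NodeRef, queue: &mut VecDeque<NodeRef>) {
    parent.borrow_mut().children.push(child); // RefMut dropped at end of statement
    queue.push_back(Rc::clone(parent));
}

/// Drain the queue: every script runs against every queued node, with no
/// outstanding borrows, so mutations succeed.
pub fn run_microtasks(queue: &mut VecDeque<NodeRef>, scripts: &mut [Script]) -> Vec<Result<(), String>> {
    let mut results = Vec::new();
    while let Some(target) = queue.pop_front() {
        for s in scripts.iter_mut() {
            results.push(s(&target));
        }
    }
    results
}

fn main() {
    let root = node("root");
    let mut scripts = vec![clearing_script()];

    // Script fires mid-operation: the mutation is refused, children stay intact.
    let r = append_child_reentrant(&root, node("a"), &mut scripts);
    println!("reentrant: {:?}, children = {}", r, root.borrow().children.len());

    // Script fires after the operation: the mutation succeeds, children are cleared.
    let mut queue = VecDeque::new();
    append_child_deferred(&root, node("b"), &mut queue);
    let r = run_microtasks(&mut queue, &mut scripts);
    println!("deferred: {:?}, children = {}", r, root.borrow().children.len());
}
```

The runtime `BorrowMutError` is the Rust analogue of the "unexpected reentrancy" the thread describes: it is not a silent memory-safety bug, but it is still a logic bug that a rooting analysis or script blocker would aim to rule out statically rather than catch at runtime.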
New conversation
I mean, Servo's GC solution is *okay*. It doesn't have the reentrancy problem, but it's not 100% rust-sound either and you can cause bugs. The Josephine model may help here.
-
Though I guess Firefox has a rooting analysis too.
End of conversation
New conversation
Why are those specifically pernicious? Most UAFs are exploitable.