Most active commenters

    V8 Garbage Collector

    (wingolog.org)
    58 points swah | 20 comments | 14 Nov 25 09:53 UTC | HN request time: 1.274s | source | bottom
    1. ZeroConcerns ◴[14 Nov 25 11:10 UTC] No.45925770[source]
    Interesting article! One thing that made me literally LOL was the fact that several exploits were enabled via a Google "style recommendation" that caused on-heap length fields to be signed and thus subject to sign-extension attacks.

    The conversation-leading-up-to-that played out a bit like this in my head:

    Google Engineer #1: Hey, shouldn't that length field be unsigned? Not like a negative value ever makes sense there?

    GE#2: Style guide says no

    GE#1: Yeah, but that could easily be exploited, right?

    GE#2: Maybe, but at least I won't get dinged on code review: my metrics are already really lagging this quarter

    GE#1: Good point! In fact, I'll pre-prepare an emergency patch for that whole thing, as my team lead indicated I've been a bit slow on the turnaround lately...

    replies(2): >>45925968 #>>45925990 #
    2. maartin0 ◴[14 Nov 25 11:12 UTC] No.45925776[source]
    What does FTE stand for?:

    > From what I can tell, there have been about 4 FTE from Google over this period

    replies(3): >>45925797 #>>45926324 #>>45926654 #
    3. kannanvijayan ◴[14 Nov 25 11:19 UTC] No.45925797[source]
    Full Time Employee
    replies(1): >>45926421 #
    4. NeutralForest ◴[14 Nov 25 11:45 UTC] No.45925910[source]
    It's an interesting article because tech articles rarely revisit the past for what kind of decisions were made and why. Thanks! Also always cool to see a Wingo article because I get exposed to a field I know very little about (how garbage collection works).
    5. Leszek ◴[14 Nov 25 11:54 UTC] No.45925968[source]
    The signed length fields pre-date the sandbox, and at that point being able to corrupt the string length meant you already had an OOB write primitive and didn't need to get one via strings. The sandbox is the new weird thing, where now these in-sandbox corruptions can sometimes be promoted into out-of-sandbox corruptions if code on the boundary doesn't handle these sorts of edge cases.
    6. dbdr ◴[14 Nov 25 11:59 UTC] No.45925990[source]
    Quote from their style guide:

    > The fact that unsigned arithmetic doesn't model the behavior of a simple integer, but is instead defined by the standard to model modular arithmetic (wrapping around on overflow/underflow), means that a significant class of bugs cannot be diagnosed by the compiler.

    Fair enough, but signed arithmetic doesn't model the behavior of a "simple integer" (supposedly the mathematical concept) either. Instead, overflow in signed arithmetic is undefined behavior. Does that actually lead to the compiler being able to diagnose bugs? What's the claimed benefit exactly?

    replies(3): >>45926013 #>>45926616 #>>45926636 #
    7. gf000 ◴[14 Nov 25 12:05 UTC] No.45926013{3}[source]
    I believe some logic behind may be that you can't recognize an overflow has happened with unsigned, but with signed you can recognize over and underflows in certain cases by simply checking if it's a non-negative number.

    At least I believe Java decided on signed integers for similar reasons. But if it's indeed UB in C++, it doesn't make sense.

    replies(1): >>45926378 #
    8. whizzter ◴[14 Nov 25 12:52 UTC] No.45926273[source]
    I don't envy these engineers having to trace through corruptions and other issues related to moving GC's, just keeping a simple regular toy GC from blowing up can be hard enough sometimes (Maybe they have some better tools, but memory corruptions are inherently prickly to debug).
    replies(1): >>45926319 #
    9. Leszek ◴[14 Nov 25 13:00 UTC] No.45926319[source]
    rr (https://rr-project.org/) and memory watchpoints are a godsend when it comes to analysing heap corruptions.
    10. comonoid ◴[14 Nov 25 13:00 UTC] No.45926324[source]
    FTE is a TLA.
    11. alpinisme ◴[14 Nov 25 13:09 UTC] No.45926378{4}[source]
    It’s the opposite in cpp: unsigned integer overflow is undefined but signed overflow is defined as wrapping
    replies(2): >>45926584 #>>45926673 #
    12. DanielHB ◴[14 Nov 25 13:16 UTC] No.45926421{3}[source]
    Is this a codeword for "not contractor"? I heard that at google contractors are second class citizens.
    replies(1): >>45926652 #
    13. debugnik ◴[14 Nov 25 13:37 UTC] No.45926584{5}[source]
    Did you mix up unsigned and signed by mistake? Because in C and C++, the wrapping one is unsigned and the here-be-dragons-on-overflow one is signed.
    14. sltkr ◴[14 Nov 25 13:43 UTC] No.45926616{3}[source]
    Tools like UBsan [1] can detect integer overflow in debug builds, and are used internally at Google to run automated tests.

    So if you use a signed integer, there is a chance that overflows are caught in tests.

    1. https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html

    15. dzaima ◴[14 Nov 25 13:45 UTC] No.45926636{3}[source]
    A sanitizer or static analysis or any other tool can unconditionally give you a warning/error on signed integer overflow. Whereas that's invalid for unsigned integers as they have well-defined behavior, and said overflow is relied on by many things.

    Ideally there'd be a third type for unsigned-non-wrapping-integer (and llvm even supports a UB-on-unsigned-wrapping flag for arith ops in its IR that largely goes unused for C/C++), but alas such doesn't exist. Half-relatedly, this previously appeared as a discussion point on Linux (though Linus really did not like the concept of multiple unsigned types and as such it didn't go anywhere iirc).

    16. ColonelPhantom ◴[14 Nov 25 13:47 UTC] No.45926652{4}[source]
    I think FTE is mostly used as a 'unit'. E.g. if two people work on something 50% of the time, you get one "FTE-equivalent", as there is roughly one full-time employee of effort put in.

    Though in this context it just seems to be the number of people working on the code on a consistent basis.

    replies(1): >>45926663 #
    17. layer8 ◴[14 Nov 25 13:47 UTC] No.45926654[source]
    Full-time equivalent: https://en.wikipedia.org/wiki/Full-time_equivalent
    18. layer8 ◴[14 Nov 25 13:48 UTC] No.45926663{5}[source]
    The “E” in “FTE” actually already stands for “equivalent”.
    19. sltkr ◴[14 Nov 25 13:49 UTC] No.45926673{5}[source]
    No, it's the opposite. UNSIGNED overflow wraps around. SIGNED overflow is undefined behavior.

    This leads to fun behavior. Consider these functions which differ only in the type of the loop variable:

    int foo() { for (int i = 1; i > 0; ++i) {} return 42; }

    int bar() { for (unsigned i = 1; i > 0; ++i) {} return 42; }

    If you compile these with GCC with optimization enabled, the result is:

    foo(): .L2: jmp .L2

    bar(): mov eax, 42 ret

    That is, foo() gets compiled into an infinite loop, while the loop in bar() is eliminated. This is because the compiler may assume only in the first case that i will never overflow.