canmove, Confirmed users
637
edits
Firefox3.1/JS Tracing Security Review: Difference between revisions
Firefox3.1/JS Tracing Security Review (view source)
Revision as of 20:56, 13 January 2009
, 13 January 2009→Review comments
| Line 54: | Line 54: | ||
== Review comments == | == Review comments == | ||
* nanoJIT needs a separate security review | * nanoJIT needs a separate security review (probably code-level review) | ||
* GC has been largely disconnected from tracing: if GC happens while we're recording we keep recording (so nothing is interrupted when it's not expecting it) but we throw away the trace. | * GC has been largely disconnected from tracing: if GC happens while we're recording we keep recording (so nothing is interrupted when it's not expecting it) but we throw away the trace. | ||
* main attack would be getting us to generate dangerous code. | * main attack would be getting us to generate dangerous code. | ||
** code cache | |||
** LIR cache | |||
* could generated code access DOM objects that interpreted code would not be allowed? | * could generated code access DOM objects that interpreted code would not be allowed? | ||
* multi-threaded doesn't work with shared globals -- native/interpreted or two native threads using the same variables would have their own copies. We currently disallow this. | * multi-threaded doesn't work with shared globals -- native/interpreted or two native threads using the same variables would have their own copies. We currently disallow this. | ||
* Need Jason's patch to land, can create corner cases where we mishandle builtins | * Need Jason's patch to land, can create corner cases where we mishandle builtins | ||