memory safety and weak references

Marius Gundersen gundersen at gmail.com
Mon Apr 1 13:57:28 PDT 2013


> There are numerous problems with weak references and primitives, mostly
> revolving around the ability to regenerate a primitive, e.g.

> The issue about non-object WeakMap keys was about semantics only, not
> implementation safety bugs. If I can put "42" in a WeakMap, it can never be
> removed, since I can "forge" that value by uttering the "42" literal again,
> or (in a way refractory to analysis) concatenating "4" and "2", etc.

This is why I suggested, in the other thread, a system for weak event
listeners. This would not be a problem if the only allowed argument to a
weak reference is a function. An iterable weak set of functions would not
have this problem and would solve the suggested use cases for weak references
(observables/events):

Marius Gundersen



On Mon, Apr 1, 2013 at 10:39 PM, Brendan Eich <brendan at mozilla.com> wrote:

> Marius Gundersen wrote:
>
>> This seems to be more a problem with the garbage collector than with weak
>> references. If I understood it correctly, any double value can look like a
>> pointer,
>>
>
> No, that's not the issue in this (sub-)thread. Oliver was just
> recollecting thoughts about a position he took in favor of WeakMaps having
> non-object keys.
>
> You're right that any double (e.g.) that might be confused for a pointer
> in a VM implementation makes a bad bug, and VMs must carefully avoid (find
> and fix!) such bugs.
>
> The issue about non-object WeakMap keys was about semantics only, not
> implementation safety bugs. If I can put "42" in a WeakMap, it can never be
> removed, since I can "forge" that value by uttering the "42" literal again,
> or (in a way refractory to analysis) concatenating "4" and "2", etc.
>
> /be
>
>> and the garbage collector will check what it is pointing at. To me this
>> seems like a source for memory leaks. This problem exists even without weak
>> references (or weak iterable maps/sets); the weak references just make it
>> observable. Does this mean the main reason weak references (or, again, weak
>> iterable maps/sets) are not to be implemented is because of a bug in the
>> garbage collector of popular JS engines? As noted earlier, the
>> implementation of the garbage collector is not specified in the ECMAScript
>> standard, so this is a problem with implementors, not with the
>> specification.
>>
>> Again, I'm far from an expert on GC or JS implementations (and would love
>> a simplified explanation if I have misunderstood the problem), but this
>> seems less like a problem with weak references, and more like a problem
>> with specific implementations of GCs.
>>
>> Marius Gundersen
>>
>>
>> On Fri, Mar 29, 2013 at 3:47 AM, Oliver Hunt <oliver at apple.com> wrote:
>>
>>
>>     On Mar 29, 2013, at 7:36 AM, David Herman <dherman at mozilla.com> wrote:
>>
>>     > On Mar 27, 2013, at 4:52 AM, Sam Tobin-Hochstadt <samth at ccs.neu.edu> wrote:
>>     >
>>     >> On Tue, Mar 26, 2013 at 11:44 PM, Oliver Hunt <oliver at apple.com> wrote:
>>     >>> That said I believe that this does kill any dreams I may have
>>     >>> had w.r.t primitive-keyed WeakMaps, kudos to MarkM.
>>     >>
>>     >> Wouldn't a primitive-keyed WeakMap just be a strong Map for those
>>     >> keys?  And therefore immune to any GC attacks?
>>     >
>>     > Indeed, and also deeply misleading (a weak map with strongly
>>     > held entries?), which is why I argued that WeakMap should disallow
>>     > primitive keys.
>>     >
>>     > Oliver-- can you clarify what you were hoping for?
>>
>>     I was dreaming of primitive keys, I was convinced in an earlier
>>     meeting of the problems that they would cause, but this security
>>     problem is a nail in the coffin :-/
>>
>>     >
>>     > Dave
>>     >
>>
>>     _______________________________________________
>>     es-discuss mailing list
>>     es-discuss at mozilla.org
>>     https://mail.mozilla.org/listinfo/es-discuss
>>
>
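
The semantic point in the quoted reply (a primitive key can be "forged", an object or function key cannot), as an added example that is not part of the original thread. The function names are hypothetical; the WeakMap behaviour shown is that of current engines, which reject string and number keys with a TypeError.

```javascript
// Added example, not code from the thread.

// A primitive has no identity: any code can regenerate ("forge") an equal
// value at runtime, without ever writing the "42" literal.
function forgeKey() {
  return ['4', '2'].join('');
}

// WeakMap refuses forgeable keys, so an entry that could never be
// collected cannot hide behind a "weak" name.
function weakMapRejects(key) {
  try {
    new WeakMap().set(key, 'payload');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// With a primitive key the entry must be held strongly forever, because
// a forged key can still reach it at any later time.
function lookupWithForgedPrimitive() {
  const m = new Map();
  m.set('42', 'secret');
  return m.get(forgeKey());
}

// An object key cannot be forged: a structurally equal object is a
// different key. Once the original is unreachable nothing can observe
// the entry, so dropping it is not detectable by the program.
function lookupWithLookalikeObject() {
  const wm = new WeakMap();
  const key = { id: 42 };
  wm.set(key, 'secret');
  return { hit: wm.get(key), miss: wm.get({ id: 42 }) };
}

console.log('string key rejected:', weakMapRejects('42'));
console.log('number key rejected:', weakMapRejects(42));
// Functions are objects with identity, so they are valid weak keys.
console.log('function key rejected:', weakMapRejects(function listener() {}));
console.log('forged primitive lookup:', lookupWithForgedPrimitive());
console.log('lookalike object lookup:', lookupWithLookalikeObject());
```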