https://issues.chromium.org/issues/451401343 tracks work needed in the upstream xml-rs repository, so it seems like the team is working on addressing issues that would affect standards compliance. Disclaimer: I work on…
It's one thing if the library was proactively written with ABI compatibility in mind. It's another thing entirely if the library happens to expose all its implementation details in the headers, making it that much…
Disclaimer: I work on Chrome/Blink and I've also contributed a (very small) number of patches to libxml/libxslt. It's not just a matter of replacing the libxslt; libxslt integrates quite closely with libxml2. There's a…
Disclaimer: I work on Chrome and I have contributed a (very) small number of fixes to libxml2/libxslt for some of the recent security bugs. Speaking from personal experience, working on libxslt... not easy for many…
At least some of the implementation complexity is already there under the hood. WebKit/Blink have an optimization to use 8-bit characters for strings that consist only of latin1 characters.
A large part of the problem is the legacy burden of libxml2 and libxslt. A lot of the implementation details are exposed in headers, and that makes it hard to write improvements/fixes that don't break ABI compatibility.
Great read! Though there is an unnecessary double map lookup in part 2: https://github.com/tomysshadow/M4Revolution/blob/094764c87aa...
As someone who had the misfortune of working on clipboard support in Chrome, I thought "wow, there's no way we do that in places other than Linux". ... turns out we do and I helped review that patch. Doh! For how widely…
Except the derived class can simply change the visibility of the override, so...
`final` prevents a child class from overriding a method. `private` does not.
Oilpan isn't without issues though: finalization causes quite a few headaches, implementation details like concurrent marking make it hard to support things like std::variant, and the interface between Oilpan and…
Templated code can lead to some really long symbol names. As a random tangent, I was trying to figure out why Chrome's stack symbolizer wasn't working for some stack frames this week… and came across this comment in the…
Since C++17, using [[nodiscard]] can help with that.
Disclaimer: I am a Chrome developer, who formerly worked on the clipboard. For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a…
Project Zero does publish writeups for Chrome bugs. https://googleprojectzero.blogspot.com/2019/04/virtually-unl... is one example. Disclaimer: I am a Chrome developer.
From https://developer.chrome.com/blog/private-network-access-upd... > The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks.
Chromium has a presubmit that enforces that code is autoformatted. However, it only enforces this for changed lines, and in practice, it works pretty well.
My personal experience from reading code that uses Chromium's C++ garbage collector is that that's often not true. While there might no longer be use-after-free errors, it's also no longer possible to make assertions…
Chromium's object graph, for better or worse, has a lot of nodes and edges. Operations like tearing down a document that's navigating away are full of complexity. Executing JS is fraught with peril, since it's possible…
Even though Chromium was started before C++11 was standardized, it still used a smart pointer type with move semantics that was very similar to std::unique_ptr for lifetime management. However, while lifetime management…
Non-owning pointers are absolutely a problem if the object graph is large and complex enough. Many objects in Chromium have lifetimes managed by smart pointers, but unfortunately, that doesn't do anything to protect…
Actually, sqlite has its share of memory safety issues. https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBu... (and to be clear, this is just a coarse search, and the bugs there aren't necessarily all bugs in…
The object graph in Chromium is extremely complex. Even if an object's lifetime is managed with a smart pointer, there are often raw pointer back references from other objects. And if some of these objects also have…
There's actually been quite a bit of work to bounds check accesses for containers implemented inside Chromium, such as span and optional, but it's harder to get these checks into upstream libc++. GC is one way to reduce…
https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBu... It's not clear that all these bugs can be turned into an attack, but that sure is a lot of bugs.
https://issues.chromium.org/issues/451401343 tracks work needed in the upstream xml-rs repository, so it seems like the team is working on addressing issues that would affect standards compliance. Disclaimer: I work on…
It's one thing if the library was proactively written with ABI compatibility in mind. It's another thing entirely if the library happens to expose all its implementation details in the headers, making it that much…
Disclaimer: I work on Chrome/Blink and I've also contributed a (very small) number of patches to libxml/libxslt. It's not just a matter of replacing the libxslt; libxslt integrates quite closely with libxml2. There's a…
Disclaimer: I work on Chrome and I have contributed a (very) small number of fixes to libxml2/libxslt for some of the recent security bugs. Speaking from personal experience, working on libxslt... not easy for many…
At least some of the implementation complexity is already there under the hood. WebKit/Blink have an optimization to use 8-bit characters for strings that consist only of latin1 characters.
A large part of the problem is the legacy burden of libxml2 and libxslt. A lot of the implementation details are exposed in headers, and that makes it hard to write improvements/fixes that don't break ABI compatibility.
Great read! Though there is an unnecessary double map lookup in part 2: https://github.com/tomysshadow/M4Revolution/blob/094764c87aa...
As someone who had the misfortune of working on clipboard support in Chrome, I thought "wow, there's no way we do that in places other than Linux". ... turns out we do and I helped review that patch. Doh! For how widely…
Except the derived class can simply change the visibility of the override, so...
`final` prevents a child class from overriding a method. `private` does not.
Oilpan isn't without issues though: finalization causes quite a few headaches, implementation details like concurrent marking make it hard to support things like std::variant, and the interface between Oilpan and…
Templated code can lead to some really long symbol names. As a random tangent, I was trying to figure out why Chrome's stack symbolizer wasn't working for some stack frames this week… and came across this comment in the…
Since C++17, using [[nodiscard]] can help with that.
Disclaimer: I am a Chrome developer, who formerly worked on the clipboard. For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a…
Project Zero does publish writeups for Chrome bugs. https://googleprojectzero.blogspot.com/2019/04/virtually-unl... is one example. Disclaimer: I am a Chrome developer.
From https://developer.chrome.com/blog/private-network-access-upd... > The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks.
Chromium has a presubmit that enforces that code is autoformatted. However, it only enforces this for changed lines, and in practice, it works pretty well.
My personal experience from reading code that uses Chromium's C++ garbage collector is that that's often not true. While there might no longer be use-after-free errors, it's also no longer possible to make assertions…
Chromium's object graph, for better or worse, has a lot of nodes and edges. Operations like tearing down a document that's navigating away are full of complexity. Executing JS is fraught with peril, since it's possible…
Even though Chromium was started before C++11 was standardized, it still used a smart pointer type with move semantics that was very similar to std::unique_ptr for lifetime management. However, while lifetime management…
Non-owning pointers are absolutely a problem if the object graph is large and complex enough. Many objects in Chromium have lifetimes managed by smart pointers, but unfortunately, that doesn't do anything to protect…
Actually, sqlite has its share of memory safety issues. https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBu... (and to be clear, this is just a coarse search, and the bugs there aren't necessarily all bugs in…
The object graph in Chromium is extremely complex. Even if an object's lifetime is managed with a smart pointer, there are often raw pointer back references from other objects. And if some of these objects also have…
There's actually been quite a bit of work to bounds check accesses for containers implemented inside Chromium, such as span and optional, but it's harder to get these checks into upstream libc++. GC is one way to reduce…
https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBu... It's not clear that all these bugs can be turned into an attack, but that sure is a lot of bugs.