On Wednesday, November 21, 2012 11:42:13 AM UTC-8, Bobby Holley wrote:
> On Wed, Nov 21, 2012 at 11:21 AM, Dave Mandelin <dmande...@gmail.com> wrote:
> > On Wednesday, November 21, 2012 11:14:18 AM UTC-8, Bobby Holley wrote:
> > > I've pondered having the JSAPI methods automatically enter compartments,
> > > but that's kind of sketchy.
> >
> > What's sketchy about it? I've thought about that before too, and it seemed
> > like it would probably be OK, although APIs that take two compartment-owned
> > values require something extra.
>
> One issue is that it means that a series of JSAPI calls might involve a
> dozen enter()/leave()s, rather than just one (had the caller appropriately
> entered the right compartment). It would also involve wrapping return
> values, which the caller might not want at all and might be slow.
>
> But on a more general API level, it makes it easier to not know what you're
> doing and have automatic behavior that you may not want. I'm obviously
> coming at this from the perspective of somebody who understands this stuff
> very well, and thinks that everyone using these APIs should understand it
> too and have things crash predictably when they get it wrong.
Fair enough. Just out of curiosity, if it didn't have the security benefits,
would you think compartments are worthwhile?

> > > Moreover, if such checks were acceptable performance-wise, then I think
> > > we should just make compartment checking run on release builds (so that
> > > we could just MOZ_CRASH safely, meaning compartment mismatches would
> > > no longer be security bugs). Does anyone have a sense if that's in the
> > > realm of the possible?
> >
> > The main question is if Firefox ends up crashing all over the place due
> > to existing bugs or faulty addons. Someone would just have to try it out.
>
> If we're crashing like that, I think crashing is way better than the
> alternative of what's happening. Release drivers may or may not agree.

I don't think there's any way to know other than trying it and seeing how
much more crashing there is. I believe someone once did but I forget the
outcome.

> If that's the only consideration I think we should do this.

The other considerations are the infinitely recurring "who's gonna do it?"
and "what's gonna get bumped for it?"

Dave
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
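The two calling conventions Bobby contrasts above (the caller enters the compartment once and every JSAPI call just checks its arguments, versus each JSAPI call entering, leaving and wrapping its return value itself), and the release-build mismatch check Bobby proposes, as an added toy model written for this page. It is not SpiderMonkey code and not from anyone in the thread: the `Compartment`, `Value`, `Context`, `AutoCompartment`, `apiIncrement` and `apiIncrementAutoEnter` names are invented stand-ins for the real JSAPI types and functions, and the mismatch check throws a C++ exception where the real engine would assert or MOZ_CRASH, so that the failure can be observed rather than aborting the process.

```cpp
// Toy model of compartment entry and cross-compartment wrapping. Assumed,
// illustrative code only; it is not SpiderMonkey's implementation.
#include <cstddef>
#include <stdexcept>
#include <string>

struct Compartment { std::string name; };

// A compartment-owned value. `owner` is the compartment the value lives in;
// `underlying` is the compartment of the object it ultimately refers to.
// When they differ, the value is a cross-compartment wrapper.
struct Value {
    const Compartment* owner;
    const Compartment* underlying;
    int payload;
};

// The context remembers which compartment is currently entered and counts the
// operations the thread argues about (enter/leave pairs and wrapper creation).
struct Context {
    const Compartment* current = nullptr;
    std::size_t enters = 0, leaves = 0, wraps = 0;
};

// RAII guard playing the role of JSAutoCompartment: enter on construction,
// restore the previously entered compartment on destruction.
class AutoCompartment {
    Context& cx_;
    const Compartment* prev_;
public:
    AutoCompartment(Context& cx, const Compartment* c) : cx_(cx), prev_(cx.current) {
        cx_.current = c;
        ++cx_.enters;
    }
    ~AutoCompartment() { cx_.current = prev_; ++cx_.leaves; }
};

// The compartment-mismatch check. A debug-only assertion compiles out of
// release builds; this one always runs, which is the "check in release and
// crash predictably" option from the thread, modelled here as an exception.
static void assertSameCompartment(const Context& cx, const Value& v) {
    if (v.owner != cx.current)
        throw std::logic_error("compartment mismatch: value owned by " + v.owner->name);
}

// Wrap `v` for use from `target`; a value already owned by `target` needs none.
static Value wrapInto(Context& cx, const Compartment* target, const Value& v) {
    if (v.owner == target) return v;
    ++cx.wraps;
    return Value{target, v.underlying, v.payload};
}

// Style 1: the caller must already have entered the right compartment. The
// entry point only checks its argument; it never enters or wraps anything.
static Value apiIncrement(Context& cx, const Value& v) {
    assertSameCompartment(cx, v);
    return Value{v.owner, v.underlying, v.payload + 1};
}

// Style 2: the entry point unwraps its argument, enters the compartment of the
// underlying object, does the work, leaves, and wraps the result back into the
// compartment the caller had entered, every single call.
static Value apiIncrementAutoEnter(Context& cx, const Value& v) {
    const Compartment* callerComp = cx.current;
    Value inner{v.underlying, v.underlying, v.payload};
    Value result{};
    {
        AutoCompartment ac(cx, v.underlying);
        result = apiIncrement(cx, inner);
    }
    return wrapInto(cx, callerComp, result);
}

struct Counts { std::size_t enters, leaves, wraps; int payload; };

// The caller enters compartment A once and makes `calls` checked API calls.
static Counts runExplicitEntry(int calls) {
    Compartment a{"A"};
    Context cx;
    Value v{&a, &a, 0};
    {
        AutoCompartment ac(cx, &a);
        for (int i = 0; i < calls; ++i) v = apiIncrement(cx, v);
    }
    return Counts{cx.enters, cx.leaves, cx.wraps, v.payload};
}

// The caller sits in compartment B and operates on an A-owned value through
// the auto-entering API: one extra enter/leave and one wrapper per call.
static Counts runAutoEntry(int calls) {
    Compartment a{"A"}, b{"B"};
    Context cx;
    Value v{&a, &a, 0};
    {
        AutoCompartment ac(cx, &b);
        for (int i = 0; i < calls; ++i) v = apiIncrementAutoEnter(cx, v);
    }
    return Counts{cx.enters, cx.leaves, cx.wraps, v.payload};
}

// A caller that entered B but passes an A-owned value: the always-on check fires.
static bool mismatchDetected() {
    Compartment a{"A"}, b{"B"};
    Context cx;
    Value v{&a, &a, 0};
    AutoCompartment ac(cx, &b);
    try {
        apiIncrement(cx, v);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}
```

With twelve calls, the explicit-entry path records one enter, one leave and no wrappers, while the auto-entering path records thirteen enters, thirteen leaves and twelve wrappers for the same result, which is the cost Bobby describes. The mismatch case shows the other half of the argument: with the check live in release builds, a wrong-compartment call fails loudly at the API boundary instead of proceeding with a value from the wrong compartment.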