zlacker

1. Philip+(OP) 2025-03-27 07:50:46
For example, if arrays were implemented like this (they're not)

    #include <stdint.h>

    /* Length header followed by an inline table of element pointers
     * (a C flexible array member). */
    struct js_array {
        uint64_t length;
        js_value *values[];
    };
Because after bounds checks have been taken care of, loading an element of a JS array probably compiles to a simple assembly-level load like mov. If you bypass the bounds checks, that mov can read or write any mapped address.
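As an added illustration (not code from this thread), the hypothetical layout above written out in C with the bounds check kept explicit in front of the raw load. `js_value` and the accessor names are assumptions for the sake of the example; the point is that the only thing standing between an index and an arbitrary pointer-offset read is the `index >= length` comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for an engine's boxed JS value (assumption). */
typedef struct js_value { double number; } js_value;

/* The layout from the comment: length header, then an inline table of
 * element pointers (C flexible array member). */
struct js_array {
    uint64_t length;
    js_value *values[];
};

struct js_array *js_array_new(uint64_t length) {
    struct js_array *a = calloc(1, sizeof *a + length * sizeof a->values[0]);
    if (a) a->length = length;
    return a;
}

/* Bounds-checked load. The comparison is the guard a JIT must keep in
 * front of the load; the load itself is a single pointer-offset read. */
bool js_array_get(const struct js_array *a, uint64_t index, js_value **out) {
    if (index >= a->length) return false;  /* out of bounds: refuse */
    *out = a->values[index];               /* the mov-like load */
    return true;
}

bool js_array_set(struct js_array *a, uint64_t index, js_value *v) {
    if (index >= a->length) return false;
    a->values[index] = v;
    return true;
}

/* Self-check: in-bounds access round-trips, out-of-bounds is rejected.
 * Returns 0 on success, a nonzero step number on the first failure. */
int js_array_selftest(void) {
    struct js_array *a = js_array_new(4);
    js_value v = { 42.0 };
    js_value *got = NULL;
    int rc = 0;
    if (!a) return 1;
    if (!js_array_set(a, 3, &v)) rc = 2;
    else if (!js_array_get(a, 3, &got) || got != &v) rc = 3;
    else if (js_array_get(a, 4, &got)) rc = 4;           /* one past the end */
    else if (js_array_get(a, UINT64_MAX, &got)) rc = 5;  /* huge index */
    else if (js_array_set(a, 4, &v)) rc = 6;
    free(a);
    return rc;
}
```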
2. saghm+LW1 2025-03-27 22:09:29
>>Philip+(OP)
Yeah, I understand all of that. I think my surprise was that you can access arbitrary parts of this struct from within JavaScript at all; I guess I really just haven't delved deeply enough into what JIT compiling actually is doing at runtime, because I wouldn't have expected that to be possible.