[sanxiyn]

Yes, because JS is superior to C++ in terms of security.

I am in favor of bundling MathJax's MathML implementation in browsers though.

[coldtea]

>Yes, because JS is superior to C++ in terms of security.

Yeah, because moving 1/100th of web rendering (the math rendering part) to JS is going to make things more secure...

[saagarjha]

Is it? Keep in mind that the JavaScript is likely running on a C++ interpreter, and has mostly unfettered access to the page's content by design.

[sanxiyn]

Yes it is. Bundled JS won't add new use-after-free, new C++ code will.

[otabdeveloper2]

I've been coding C++ for 15 years and I've never seen a use-after-free in the wild. (I've seen lots of other bugs and security problems, but not use-after-free.)

Use-after-free is a C thing, not a C++ thing. Granted, C++ makes is super easy to code in C, but that's an organization problem that is already solved in any sane project.

[coldtea]

Not to mention something that almost any static analyzer will catch on the first run...

[the_why_of_y]

Can you recommend a static analyzer to Chromium developers? They appear to have problems with basic C++ programming; such a pity that Google cannot afford to hire competent developers like otabdeveloper2.

https://bugs.chromium.org/p/chromium/issues/list?can=2&q=%22...

[coldtea]

That's supposed to be a witty retort? Did you bother to read those bug reports you've linked to?

They are already tied to static analyzers, which is how they were found. What do you think the: "Sanitizer: address (ASAN)" or "Issue 938699: AutotestPrivateApiTest.AutotestPrivate getPrinterList failing on ASAN/LSAN" in the bug reports means?