by fulafel 1540 days ago
> V8 is hardened, battle-tested and fuzzed/verified by the best engineers

It's built on unsound foundations that cause an endless stream of this kind of bug. They make compromises regarding security engineering and then do indeed put a fair amount of engineering resources into mitigating the resulting security problems.

This can be said to be good or bad engineering depending on your viewpoint; the alternatives might, for example, have performance tradeoffs, and it can be valid engineering to make tradeoffs that favour other things at the expense of security. But we also certainly do know practical and proven ways to eliminate this class of memory safety bugs in JS implementations, so it's definitely an engineering choice.


Yeah, plus that "the best engineers at Google" has an element of hyperbole. This is one of those times where you can move a statement from being ridiculous to being correct just by throwing in a "some of." It's not like they assigned Jeff Dean to AI instead of Chrome because he just couldn't cut it.

Can you please elaborate on those unsound foundations?

Formulating a plan to make V8 safe with a high degree of assurance sounds like a tall order for a Monday HN comment!

I'll just point out that this type confusion bug class is just one of many that plague V8, based on perusing the CVE list, and memory safety errors and other security bugs typical of unsafe C++ seem to play a large part in many. V8 is also huge, and complexity is the enemy of security; there are much smaller JS implementations around.

Just fixing these most high-profile bug classes might only reveal some other fundamental soundness issues. So it may be necessary to start from a clean slate with soundness and safety design constraints when adding features.