There was a project zero article on HN recently [1] that said that bound check eliminations were removed from v8 because they allowed attackers to easily turn a type confusion into a memory read-write primitive:
> As a result, last year the V8 team issued a hardening patch designed to prevent attackers from abusing bounds check elimination. Instead of removing the checks, the compiler started marking them as “aborting”
But this post, which also appears to be written by someone from google with access to v8 developers, states that:
> You never go out of bounds. This means TurboFan does not need to emit bounds checks [...]
Does someone here know more about bound checks eliminations in TurboFan? Are they removed in some cases but not others?
This ensures aborting bounds checks to some parts of the pipeline, but this doesn't mean that later optimizations can't determine that the check is dead code and remove it. For example: https://doar-e.github.io/blog/2019/05/09/circumventing-chrom...
[1] https://googleprojectzero.blogspot.com/2021/01/in-wild-serie...