> This bug is possible because of how many complex APIs interact with each other and the programmer not being able to enforce ownership of memory throughout the codebase. At [0], the program gets a pointer to a buffer owned by a JavaScript object. Then at [1], because of the language complexity, to get another variable, it might execute more JavaScript code. At [2], it will use the buffer and width to create a new JavaScript object with the contents of that pointer.
So to adapt that example, the way an expert programmer in a complicated codebase might end up invalidating an iterator, could be by looping over a list that user-provided scripts are allowed to modify, and then accidentally re-entering script code in that loop. It might take a really contrived script to exploit the bug, but such is life in the browser/JS world.
Why would you ever append to a list while looping it?
Is there an example that’s actually realistic or is this just another language hate post where we have fun picking at things no one would actually do.
The way that expert programmers make these same mistakes is by introducing a few layers of abstraction. Here's a real CVE from Microsoft: https://msrc.microsoft.com/blog/2019/07/we-need-a-safer-syst...
> This bug is possible because of how many complex APIs interact with each other and the programmer not being able to enforce ownership of memory throughout the codebase. At [0], the program gets a pointer to a buffer owned by a JavaScript object. Then at [1], because of the language complexity, to get another variable, it might execute more JavaScript code. At [2], it will use the buffer and width to create a new JavaScript object with the contents of that pointer.
So to adapt that example, the way an expert programmer in a complicated codebase might end up invalidating an iterator, could be by looping over a list that user-provided scripts are allowed to modify, and then accidentally re-entering script code in that loop. It might take a really contrived script to exploit the bug, but such is life in the browser/JS world.