Open bnoordhuis opened 9 months ago
Tangential: other JS engines (and python, ruby, etc.) added random seeds to their hash tables about 10 years ago to mitigate DoS attacks. We probably want to do likewise.
As the comment indicates, /* XXX: better hash ? */
, the hash methods are simplistic and easy to defeat.
Combining the string length into the hash value is a simple way to fix hide the problem.
Implementing a fast reliable hash is of course a better approach.
Note by the way that the hash performed on BigInt values might pose problems too as I am not convinced the representation in the array is necessarily normalized. I discussed this with Fabrice and we agree a fresh biginteger package is necessary and would also vastly improve the bigint performance.
a fresh biginteger package is necessary and would also vastly improve the bigint performance
FWIW, I thought along similar lines and even made a start but ran out of time/steam.
a fresh biginteger package is necessary and would also vastly improve the bigint performance
FWIW, I thought along similar lines and even made a start but ran out of time/steam.
Fabrice has a few in his treasure chest, let's wait a bit to get that when he is ready.
Prints:
I exploit a weakness of
map_hash_key()
by inserting keys with ever longer zero prefixes -"k"
,"\0k"
,"\0\0k"
, etc. - that all hash to the same value and end up in the same hash bucket.Doubles-as-keys are exploitable too; maybe ints too because they're cast to doubles before hashing. The hash algorithm is this:
But there are literally millions of normal and subnormal doubles with high and low words that are bitwise identical and cancel each other out when xor'ed.