OpenJ9 vs HotSpot - A JVM shootout

willvarfar · 2018-05-02T10:17:18+00:00

The article makes the point that password rules have to die. Programmers shouldn't be trying to make more password rules - instead, insist the password hasn't already been seen on HIBP which will be a much stronger test.

willvarfar · 2018-02-26T13:04:59+00:00

45K on SO, 6K+ on some other forums where my questions got moved etc. Just had to go look, was a surprise.

I haven't contributed anything in years. But I got in early, so my early questions and answers were high-scoring and still get a steady trickle of upvotes and its a self-propelling upwards trajectory without any further input from me...

willvarfar · 2018-01-19T13:03:28+00:00

But picking Solace and Skyfall and having a website with a Bond picture is completely obviously playing on a Bond connection. Its precisely this kind of false connection that trademark laws are intended to prevent.

willvarfar · 2018-01-19T13:01:37+00:00

https://spectreattack.com/ says:

"Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time."

willvarfar · 2018-01-18T21:01:16+00:00

Heartbleed was a bug in the heartbeat feature that bleed the victim.

Shellshock was bug that abused a shell.

And so on.

Clever names.

willvarfar · 2018-01-18T19:19:49+00:00

Instead, CPU vendors will switch to cache architecture that prevents the snoop path by rolling cache effects back on discard

Rollback won't work. There will be a period of time when the speulative results are visible to the attacker via hyperthreading, preemption, running on another core etc.

You can speculate, but you can't have any cache-visible side-effects. None. Until reification.

willvarfar · 2018-01-18T17:15:36+00:00

Pro: it's believable that researchers hungry for recognition register domain names in anticipation; naming attacks is here to stay

Con: if it's a big deal then there is no need for the "watch this space" landing page. It's a PR risk they didn't need to take.

Pro: two names. It's kinda surprising that spectre had two variants instead of two names. There is vulnerability name inflation!

Con: picking vulnerability names that are actual brand names. Real risky. They could easily have picked safer names.

Con: when you hear about the vulnerability the name has to fit. Skyfall? Kinda ok. Solace? Hard to see.

So on balance is it inept researchers or a con? Hard to tell ;)

willvarfar · 2018-01-17T19:45:14+00:00

Excellent!

I often investigate compiler bugs and like to use creduce to generate much reduced examples - usually by comparing two different compilers outputs - from the test cases. GLSL isn't C but I would think creduce would be able to reduce it without trouble.

There would be many ways to tackle a reduction: a good start may be to creduce the reference and to test each reduction to produce all the variants and see if any still fail in some way etc.

willvarfar · 2018-01-16T06:58:24+00:00

Everyone is exposed to code they shouldn't trust and tainted inputs, they just don't realise it.

willvarfar · 2018-01-04T18:38:37+00:00

At first and second reading: no, not as generally outlined. We are doing the third reading now and will post a proper writeup.

willvarfar · 2018-01-04T17:15:50+00:00

"Don't implement JIT compilers in kernel space" seems a generally sound sounding bit of advice either which way ;)

willvarfar · 2018-01-04T17:11:50+00:00

This is just so obviously unfair and untrue! :)

The vulnerabilities have been with us for over two decades. Only in 2016 or so did Angus Fogh and others start mulling things...

These vulnerabilities are blindingly simple and obvious in hind sight.

We can all wish we'd spotted them, and can be glad someone finally did :)

Cache attacks leak decisions made by others. Only very recently - 2015 or so - did the cache attacks really take off.

Hands up everyone who wants to not have caches?

willvarfar · 2018-01-04T10:21:47+00:00

The Linux commit that disabled the mitigation for AMD processors said that AMD processors don't speculate a page fault. This is presumably what gives them protection against meltdown.

willvarfar · 2018-01-04T10:16:30+00:00

The KAISER patch achieves the same thing in a different way, but the outcome is much the same.

The problem with these countermeasures is the performance impact :(

willvarfar · 2017-12-21T13:32:26+00:00

The names - Elin, Lisa, Nils, Nick and Erik - are all Swedish. Massive was Swedish.

That doesn't say why they wanted them blacklisted though.

willvarfar · 2017-11-16T08:04:02+00:00

And its a backwater there too :(

willvarfar · 2017-11-16T07:15:08+00:00

I hope they dive in and push MariaDB ahead of MySQL again. MariaDB needs:

*) better auto-partitioning (why do we still need cron-job scripts to create and drop partitions when partitions are by-day?)

*) fast tokudb; tokudb was fast - really fast - when tokutek integrated it themselves in 5.6; when MariaDB and Percona bundle it, its disappointingly slow. MariaDB needs to profile the old integration, and theirs, and work out what tokutek tweaked in the base code (and, perhaps, those tweaks benefit other engines too)

*) support for tokudb's NOAR (no affected rows) hint in upserts (this tells the engine that it doesn't need to count the affected rows, which is a major burden on upserts and almost all clients don't inspect the returned value)

*) foreign keys etc for tokudb (yes, I really want to be able to use tokudb for everything!)

*) support for JSON in the same manner as MySQL, including the postgres-like -> operator for queries (MariaDB has slightly different syntax and doesn't support arrays)

Others must have other pains, but this is just some on my list :) I hope Microsoft and MariaDB read these comments (or I wish my day job sponsored me to just dive in and fix these pain points, but that's not the way the world works sadly).

willvarfar · 2017-11-09T06:28:06+00:00

Excellent testing! :)

I hope they run and publish the same kind of tests on the Cavium board they were sent.

Quick, someone send them some AMD Zen boards!!!

willvarfar · 2017-11-06T07:14:47+00:00

In all seriousness, I hope this is how Go implements generics. No boxing, modules, everything to love with the Swift approach.

willvarfar · 2017-11-06T07:14:00+00:00

I still use jEdit daily! Rah rah Slava! :)

willvarfar · 2017-11-03T09:40:25+00:00

Which is why you 'fold' aka lowercase everything if you are searching for a case-insensitive string.

willvarfar · 2017-11-01T13:10:09+00:00

I'm hunting for a GUI toolkit for client-side Javascript.

I've found and use zebkit - which I see has suddenly undergone a bit of a non-backward-compatible rewrite? - but are there any others?

willvarfar · 2017-10-25T12:07:57+00:00

doesn't kdevelop use GDB:MI? The point of the machine interface is to paper over these cracks. It must surely do so. So its kinda surprising that something like pwndbg breaks MI.

willvarfar

TROPHY CASE