- The code in TFA is, by a hair’s breadth, not actually vulnerable, as long as the type signature of the function is obeyed. React spinned the same gun in the game of Russian roulette but was less lucky.
- Theoretically a good fuzzer could discover this value by itself, but I don’t believe anything like that exists that could run JS code and explore VM-level branches, at least not for JS code that’s even this complex. Otherwise, yes, PBT is less trivial than it seems, though I’m guessing a simple `strings jsc` coupled with general knowledge of special values of other types[1,2] could get you quite far.
[1] https://www.exploringbinary.com/php-hangs-on-numeric-value-2...
[2] https://www.exploringbinary.com/java-hangs-when-converting-2...
- TL;DR: obj[key] with user-controlled key == "__proto__" is a gift that keeps on giving; buy our AI tool that will write subtle vulnerabilities like that which you yourself won’t catch in review but then it will also write some property-based tests that maybe will
- A special place in hell is reserved for Stack Overflow’s recent redesign, which shows “Over a year ago” both for comments that are 13 months old and for those that are 13 years old.
- > especially when talking about code or other stuff that benefits from more richer formatting
Telegram has GFM-style fenced code blocks including language indication for syntax highlighting (e.g. ```python), what else could one want for code? (I guess syntax-highlighted inline monospaced blocks, it does indeed not have them.)
I wouldn’t say Telegram is perfect. The polish and the actual experience of using it are great. Yet when you look closely, it’s as rickety as you’d expect given the insane rate of shipping features that they’ve sustained until quite recently. (For instance, there were a few weeks where porn spambots in public chats would post single—thus animated—emoji, seemingly because the UI didn’t allow you to open the context menu on those in order to report spam, because the usual single-tap handler for that was overriden by the handler that would play the emoji animation.)
And the discoverability is in the toilet. Did you know that you can preview a chat without marking its messages read by long-pressing on the image? That works on Android—except on a tablet where your screen is large enough that you get the two-pane view; I thought for weeks they had removed that feature until I realized the tablet was the problem. And the only thing that mentions its existence is AFAIK an item in release notes from 2018[1,2]. Did you know that you could pop out individual chats into their own AIM/ICQ-style windows on desktop? I don’t think it’s documented anywhere, but it’s in the context menu.
If it were the 2000s I wouldn’t have given Telegram any HCI design awards. But everything else is considerably worse, with the possible exception of (indeed) Discord. (I prefer Telegram’s abundant tools for scrubbing through history though, it’s one of the few things in that category that’s actually better a calendar of posts like blogs used to have.)
[1] https://telegram.org/blog/unread-replace-2x#and-three-more-o... (it didn’t even make the headline!)
[2] Just found out (via the comments in https://bugs.telegram.org/c/52) that this actually exists on desktop too: Alt-click the chat. Argh.
- In one of the early releases of animated emoji on Telegram (I want to say the very first one), it did. Then Apple objected and it stopped. Then shortly afterwards like half of the rest started doing something suggestive but not the eggplant. A lot of fun was had on the Internet imagining the product meetings for all of that.
(Not that any of it is particularly relevant to the quality of Telegram’s UI, which is indeed unmatched.)
- LOLCODE isn’t much of one either? It’s fundamentally a BASIC more or less.
- A few deprecated characters, including the Kelvin and Ångström symbols, are in fact canonically equivalent to their replacements and not just compatibility equivalent, so plain NFC/NFD is enough. (It’s generally better to avoid NFKC/NFKD normalizations unless you fully understand the implications, as they do lose meaning and at the same time do not account for all possible confusables.)
- (I think this is my personal record wrt the relative number of errors in a short code snippet. You get the idea, and I’m frankly afraid to try and post a fixed version at this point :) )
- Why oh why isn’t 'uecker still pushing his GCC patch[1] enabling -fno-trampolines (i.e. function descriptors) for C. I know it’s an ABI break, but it would be so nice :(
Long story short:
[1] https://gcc.gnu.org/legacy-ml/gcc-patches/2018-12/msg00853.h...# (*funp)(); testl #1, %eax jz 1f movq 8(%eax), r10 movq (%eax), %eax 1: callq *%eax - A year ago, Framework-branded memory for DIY laptops cost, IIRC, 2x Amazon for equivalent specs (not the same modules—the ADATA ones that Framework puts their stickers on are theoretically available retail but in practice complete unobtanium in most countries). Not Apple pricing, but they definitely have some margin to eat into.
- To clarify, I was talking about Compiler Explorer-cleaned disassembly, same as the comment I was replying to.
- I see exactly the same assembly from x86-64 GCC 15.2 with -O2 the first example in the article both as is and without `static`, which makes sense. The two do differ if you add -fPIC, as though you’re compiling a dynamic library, and do not add -fvisibility=hidden at the same time, but that’s because Linux dynamic linking is badly designed.
- Reflecting sunlight from orbit is an idea that had been talked about for a couple of decades even before Znamya-2[1] launched in 1992. The materials science needed to unfurl large surfaces in space seems to be very difficult, whether mirrors or sails.
- The article is largely about layout shifts caused by flexbox during loading, and while networks have indeed gotten faster, they haven’t gotten faster uniformly across situations and people. Being able to show things properly while they are still downloading remains useful.
- Is the 8087 related to the FPU of the 432 in any way? I’ve always suspected the former’s stack nature was due to the latter being entirely stack-based, but precisely no sources mention that, so is it just a coincidence that Intel did two stack-based architectures essentially at the same time (and then never repeated that mistake)?
- Also of course years older than them.
- Apparently Outlook (the actual one, not the recent pretender) still uses some ancient WordHTML version as the renderer, so there isn’t much choice.
- I recently installed NT4 (including Plus!) in an emulator with a VESA video driver, and was greatly surprised when about half of the icons that I thought of as “Windows 2000” (including the memorable “My Computer” one with the bulbous sky-blue screen) turned out to be available even there, provided a non-indexed mode. The rest were the more familliar 16-color-compatible 95/NT4 ones, making for an incongruous result overall. I guess what I want to say is that 16-color compatibility is a large part of the 95/NT4 look from which 2000 very carefully departed.
[1] https://www.hackerneue.com/item?id=33155527