On Sat, Sep 12, 2020 at 08:16:36PM -0400, Cade Brown wrote:
Aside from the extra complexity, which may or may not pay off in speed improvements, the downside of NAN boxing is the serious security hole that if you can introduce an arbitrary NAN value into a JS primitive value, you get a pointer to arbitrary memory and can use that to get up to all sorts of shenanigans.
To avoid that security hole, JS has to normalise all incoming NANs to a single canonical NAN (thus, losing any possibility of user code making use of NAN payloads).
In CPython's case, the interpreter uses pointers as object references, not the payload bits of a NAN. Jython and IronPython use whatever the JVM and .NET CLR use, which probably isn't NANs either.
So while NAN boxing is a clever use of NAN payloads, it's not really relevant here. Python code doesn't have a notion of pointers to arbitrary addresses, but if it did, user code probably wouldn't have to manipulate the payload bits of a NAN float object to get one.
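The NAN normalisation described in the message above, as an added example that is not part of the original message or of any real JS engine: a toy NaN-boxed value type in which a double arriving with a payload is read as a pointer when stored untouched, and collapses to one canonical NAN when normalised. The tag layout, all names and the payload 0x1000 are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy layout (assumed for this example): a 64-bit value whose top 13 bits
 * are all ones (sign + exponent + quiet bit) is a boxed pointer, with the
 * address in the low 48 bits. Anything else is an ordinary double. */
#define PTR_TAG       0xFFF8000000000000ULL
#define TAG_MASK      0xFFF8000000000000ULL
#define ADDR_MASK     0x0000FFFFFFFFFFFFULL
#define CANONICAL_NAN 0x7FF8000000000000ULL
#define EXP_MASK      0x7FF0000000000000ULL
#define FRAC_MASK     0x000FFFFFFFFFFFFFULL

typedef uint64_t value_t;

/* Bit-exact conversions; memcpy avoids aliasing problems. */
static uint64_t double_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double bits_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* NaN test on the raw bits: exponent all ones and a non-zero fraction. */
static int is_nan_bits(uint64_t b) {
    return (b & EXP_MASK) == EXP_MASK && (b & FRAC_MASK) != 0;
}

int is_boxed_pointer(value_t v) { return (v & TAG_MASK) == PTR_TAG; }
uint64_t unbox_address(value_t v) { return v & ADDR_MASK; }

/* Unsafe boxing: the incoming double's bits are stored untouched, so a
 * NaN that happens to carry the pointer tag is later read as a pointer. */
value_t box_double_naive(double d) { return double_bits(d); }

/* Safe boxing: every incoming NaN, whatever its sign or payload, becomes
 * the single canonical NaN, which never matches the pointer tag. */
value_t box_double(double d) {
    uint64_t b = double_bits(d);
    return is_nan_bits(b) ? CANONICAL_NAN : b;
}

/* Constructed input: a quiet NaN whose bits collide with the pointer tag. */
double constructed_payload_nan(void) { return bits_double(PTR_TAG | 0x1000ULL); }

int main(void) {
    double d = constructed_payload_nan();
    /* Exit status 0 when the naive path misclassifies and the safe path does not. */
    return (is_boxed_pointer(box_double_naive(d)) &&
            !is_boxed_pointer(box_double(d))) ? 0 : 1;
}
```

The cost of the safe path is the one the message names: after `box_double`, the original payload bits are gone, so user code cannot round-trip NAN payloads through such a value.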