Pointer Compression in V8

Syed Faraz Abrar


In this blog post, I will provide some details on how the Chromium developers implemented pointer compression in V8. I will also talk about what this means from an exploit development perspective.


I’ve been an intern at InfoSect for the past couple of weeks now, and in this time, I’ve had to do a bunch of security-related research into both V8 and SpiderMonkey. One of the things that I spent a short amount of my time on was pointer compression in V8. I hadn’t heard of the term at all until Bruno Keith (@bkth_) mentioned it on Twitter some time in December last year. The V8 developers also made a blog post to celebrate V8 v8.0 where they mentioned that implementing pointer compression had allowed them to save up to 40% in usage of heap memory! That’s a big improvement, so let’s take a look at what pointer compression is and what it means from an exploit developer’s perspective.


This is not intended to be an introductory guide by any means. You are expected to be familiar with JavaScript engine internals, and at least somewhat familiar with JavaScript engine exploitation.

What is pointer compression?

The V8 heap

Before I get into what pointer compression is, I’ll briefly talk about what the V8 heap is.
When you create any objects, arrays, or functions (the latter two are objects as well) in JavaScript, they are placed on the V8 heap. If you’re familiar with Linux exploitation, this heap is not the same as the region labeled [heap] that you would see in GDB. Instead, this heap consists of multiple mmapped sections of memory that are usually the lowest memory mappings in the program. Here is what I mean:

The sections of memory that have their upper 32 bits set to 0x0000177f are all essentially the V8 heap. Within the source code, this entire memory space is known as the isolate. As you can see, these are mapped to the lowest memory addresses, right below the binary’s text segment mappings. V8’s young generation and old generation both reside somewhere within these mapped memory regions, and pretty much anything that is allocatable in JavaScript, barring some exceptions, is allocated within this region of memory.

The thing to notice here is that the upper 32 bits of this entire heap are always the same within a single run. The 0x0000177f value will change between runs, but within a single run, only the lower 32 bits will differ between different objects on the heap.

Pointer compression

When V8 didn’t have pointer compression, any pointers in the V8 heap that pointed to other objects in the V8 heap would be stored as 64-bit pointers. Now, if you think about it, this is essentially a waste, since the upper 32 bits of every single pointer would be the same, so storing the upper 32 bits with every single pointer doesn’t make sense. It would be better to store the lower 32 bits within the heap, and only store the upper 32 bits once through some other means.

The Chromium team thought about this and ended up deciding to implement pointer compression for the V8 heap. Their design decisions are documented in their design document.

Essentially, they ended up deciding to take the upper 32 bits of the V8 heap’s memory space (known as the isolate root) and store it in one specific register (R13) that they decided to call the root register. Now, any pointers in the V8 heap are 32-bit pointers that only store the lower 32 bits of their actual 64-bit address.

Note – in the case of the above example, the isolate root would be 0x0000177f00000000.

This is what pointer compression is. The pointers on the heap are compressed when they point to somewhere else in the V8 heap. Any time they need to be accessed, the isolate root that is stored in the root register is simply added to the compressed 32-bit address stored in the V8 heap, and the result is then dereferenced.

A downside to this is that the V8 heap cannot be any greater than 4 GB, as that is the maximum limit of a 32-bit address space. This is fine for browsers, as the heap doesn’t need to be greater than 4 GB anyway. It becomes a problem with things like Node.js that require larger heaps. Because of this, pointer compression is disabled for Node.js until a better solution can be figured out.

You can see some implementation details of pointer compression in V8 in the following files:


What does this mean for exploitation?

Well, to start off with, there isn’t really an easy way to leak the isolate root (upper 32 bits of the V8 heap memory space) through JS, but if you think about it, there really isn’t a need to do that in the first place.

If you can massage a vulnerability into addrof and fakeobj primitives, you can fake a JSArray and control the elements pointer to gain arbitrary r/w primitives. The catch here is that these primitives would only let you perform arbitrary reads and writes within the V8 heap. Why, you ask? Because the elements pointer of a JSArray stores a 32-bit compressed pointer, and if you change it to an arbitrary 32-bit memory address, performing reads and writes using this elements pointer will cause V8 to add the isolate root to the 32-bit address each time, meaning you are stuck within the V8 heap no matter what you do.

The way around this is to then go the classic route of allocating an ArrayBuffer on the V8 heap and overwriting its backing store to an arbitrary 64-bit memory address. Then, performing reads and writes with it using either a TypedArray or a DataView object will grant you an arbitrary r/w primitive within the entire 64-bit address space.

The reason this works is that the backing stores of array buffers are allocated using PartitionAlloc (I’m not entirely sure if this is still the case, but this was the case approximately 3-4 years ago, and I haven’t seen anything to suggest that it has changed). All PartitionAlloc allocations go on a separate memory region that is not within the V8 heap. This means that the backing store pointer needs to be stored as an uncompressed 64-bit pointer, since its upper 32 bits are not the same as the isolate root and thus have to be stored with the pointer.
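To make the addressing rules concrete, here is a small C model of compression and decompression as described above, and of why a compressed elements field can only ever resolve inside the 4 GB heap while an uncompressed backing store pointer can point anywhere. This is an added example, not code from the post or from V8 itself: the addresses are constructed to match the 0x0000177f... mapping in the post, are never dereferenced, and every name in it (cage_root_t, compress_tagged, fake_jsarray, fake_arraybuffer, and so on) is the example’s own rather than a V8 API. The heap-object tag in the low bit follows V8’s tagging convention for heap pointers.

```c
#include <assert.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of V8 pointer compression. Addresses are plain 64-bit
 * integers that are never dereferenced, so the program runs anywhere; every
 * name below (cage_root_t, compress_tagged, fake_jsarray, ...) is this
 * example's own and not V8's API. */

#define CAGE_SIZE       (1ULL << 32)  /* 4 GiB: everything a 32-bit offset can reach */
#define HEAP_OBJECT_TAG 1ULL          /* V8 tags heap-object pointers with low bit 1 */

/* Stand-in for the root register (R13 in the text): the upper 32 bits of the isolate. */
typedef uint64_t cage_root_t;

/* Isolate root of an address: its upper 32 bits, e.g. 0x0000177f00000000
 * for the mappings shown in the post. */
static cage_root_t isolate_root_of(uint64_t any_heap_addr) {
    return any_heap_addr & ~(CAGE_SIZE - 1);
}

static int in_cage(cage_root_t root, uint64_t addr) {
    return addr >= root && addr < root + CAGE_SIZE;
}

/* Compression keeps only the lower 32 bits, tag bit included; it is only
 * meaningful for addresses that already lie inside the cage. */
static uint32_t compress_tagged(cage_root_t root, uint64_t full_addr) {
    assert(in_cage(root, full_addr));
    return (uint32_t)full_addr;
}

/* Decompression is root + compressed value: what the engine does on every
 * access to a compressed field before dereferencing the result. */
static uint64_t decompress_tagged(cage_root_t root, uint32_t compressed) {
    return root + (uint64_t)compressed;
}

/* Two in-heap layouts reduced to the fields the post talks about. */
struct fake_jsarray {
    uint32_t map;       /* compressed */
    uint32_t elements;  /* compressed: resolves inside the cage whatever it holds */
};

struct fake_arraybuffer {
    uint32_t map;           /* compressed */
    uint64_t backing_store; /* full 64-bit pointer: PartitionAlloc memory is outside the cage */
};

/* Address an elements access would touch once the field holds a given value. */
static uint64_t resolve_elements(cage_root_t root, const struct fake_jsarray *a) {
    return decompress_tagged(root, a->elements);
}

static uint64_t resolve_backing_store(const struct fake_arraybuffer *b) {
    return b->backing_store;
}

/* The property the post relies on: no 32-bit field value can resolve outside
 * the cage. Checked at the interesting boundaries of the 32-bit space. */
static int compressed_never_escapes(cage_root_t root) {
    const uint32_t samples[] = { 0, HEAP_OBJECT_TAG, 0x7fffffffu, 0x80000000u,
                                 0xfffffffeu, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (!in_cage(root, decompress_tagged(root, samples[i])))
            return 0;
    return 1;
}

int main(void) {
    /* Constructed addresses in the style of the post's 0x0000177f... mapping. */
    uint64_t obj = 0x0000177f00042000ULL | HEAP_OBJECT_TAG;
    cage_root_t root = isolate_root_of(obj);
    uint32_t c = compress_tagged(root, obj);

    printf("isolate root : %#018" PRIx64 "\n", root);
    printf("object       : %#018" PRIx64 " -> compressed %#010" PRIx32 "\n", obj, c);
    printf("decompressed : %#018" PRIx64 "\n", decompress_tagged(root, c));

    /* A corrupted elements field still lands inside the cage ... */
    struct fake_jsarray arr = { .map = 0, .elements = 0xdeadbeefu };
    uint64_t e = resolve_elements(root, &arr);
    printf("elements=0xdeadbeef resolves to %#018" PRIx64 " (in cage: %d)\n", e, in_cage(root, e));

    /* ... whereas a backing store is a full pointer and can be anywhere. */
    struct fake_arraybuffer buf = { .map = 0, .backing_store = 0x00007ffff7dd1000ULL };
    uint64_t b = resolve_backing_store(&buf);
    printf("backing_store resolves to %#018" PRIx64 " (in cage: %d)\n", b, in_cage(root, b));

    printf("no compressed value escapes the cage: %d\n", compressed_never_escapes(root));
    return 0;
}
```

The model keeps the two cases side by side: whatever 32-bit value ends up in the elements field, decompression adds the root and the result stays in [root, root + 4 GB), which is exactly why a fakeobj-based primitive is confined to the V8 heap, while the backing store field is a full 64-bit value that is used as-is.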


In conclusion, pointer compression as it has been implemented currently only ever so slightly affects exploitation in the sense that all tagged pointers stored on the V8 heap now only take up 32 bits, which means you’ll need two separate pairs of arbitrary r/w primitives: one pair for performing arbitrary r/w within the V8 heap using a fakeobj (or similar) primitive, and another pair for performing arbitrary r/w elsewhere using the backing store of an ArrayBuffer.

