Code Signing and Notarization
Gatekeeper, notarytool, SmartScreen, Authenticode, and the real cost of shipping a desktop binary.
Tag
Runtime
37 notes
Static-PIE
Statically linked, position-independent, ASLR-friendly, and no dynamic loader required.
Apple Universal Binaries
Fat Mach-O wrapping arm64 + x86_64, the lipo tool, and the end of x86_64 support.
Freestanding / no-libc
Direct syscalls on Linux, why this is impossible on macOS, and the APE alternative.
The Go Runtime as a Library
cgo, c-shared, c-archive: keep vm3 in Go and call into it from native code.
Cosmopolitan Libc
One binary, six operating systems, two ISAs. The APE format and cosmocc toolchain.
glibc
The default Linux libc, and the reasons "fully static linking" is officially unsupported.
Android Scudo + MTE inside ART
The canonical "secure allocator inside a managed runtime." Scudo is Android's hardened native heap, used for ART's non-managed allocations (JIT code, off-heap buffers, JNI). Pairs with ARM MTE on Armv9 hardware for hardware-checked tagging. Default for all native allocations on Android since 11.
Spectre Mitigations in Hosted JITs
Speculative-execution attacks haven't gone away. As of May 2026, every shipping JIT either implements index masking + bounds-check hardening, or relies on process-level Site Isolation, or both. The consensus: software mitigations alone are necessary but not sufficient; hardware (eIBRS, BHI controls, CET-IBT) carries the load on CPUs that have it.
W^X Enforcement in Modern JITs
What every shipping JIT must do on day 1 to be production-grade: never have a code page that is both writable and executable to the same thread at the same time. MAP_JIT + pthread_jit_write_protect_np on Apple Silicon, mprotect dance elsewhere, hardware shadow stacks (Intel CET, ARM BTI) increasingly mandatory.
V8 Pointer Compression Cage
A direct ancestor of vm3's 32-bit slab index. V8 squeezes 64-bit pointers down to 32-bit offsets within a per-isolate 4 GB virtual region (the "cage"). Cut V8's heap by 43%, Chrome renderer memory by 20%.
WasmGC
Native GC primitives in a portable bytecode. Ratified in Wasm 3.0 (Sep 2025), shipped in all major browsers by Dec 2024. Dart, Kotlin, OCaml, Java/Scala/Scheme can now compile to Wasm without bundling a GC.
WebAssembly Segmented Memory (and friends)
The CG-track answer to "what's beyond a single 4 GB linear memory?" Multiple memories shipped in Wasm 3.0 (Sep 2025). Memory64 shipped at the same time. A formal "segmented memory" proposal in the MSWasm vein has not yet entered the CG track but is influencing design.
MSWasm — Memory-Safe WebAssembly
A WebAssembly extension that replaces linear memory with segments and handles. Handles are unforgeable, typed pointers carrying bounds and provenance — closely modelled on CHERI capabilities but pure software.
V8 Sandbox
A purely software in-process sandbox for the V8 JS heap. Ban raw pointers, replace with offsets into a 1 TB sandbox region and indices into out-of-sandbox pointer tables. About 1% perf cost, enabled by default in Chrome 123. Every modern JIT is moving this direction.
V8 — Orinoco + Oilpan
Chrome's two cooperating collectors. Orinoco runs V8's young-generation JS heap in parallel; Oilpan is Blink's traced C++ GC, recently hosted inside V8 as a library, learning to do generational collection with conservative stack scanning.
JavaScriptCore — Riptide
WebKit's retreating-wavefront concurrent garbage collector. Marks objects while JS runs, throttles allocation when it falls behind, and uses logical versioning to skip clearing bitmaps.
MMTk and LXR
A research framework that cleanly separates GC plans from policies, plus the LXR collector that proves a stop-the-world RC+mark-region design can beat industrial concurrent GCs on tail latency.
ZGC — Generational, Colored-Pointer GC (OpenJDK)
Java's flagship low-latency collector. Sub-millisecond pauses on multi-TB heaps via colored 64-bit pointers and concurrent everything.
Lobster — Compile-Time Reference Counting
A pragmatic language by Wouter van Oortmerssen that elides 95% of refcount ops at compile time through flow-typed lifetime analysis. Cycles handled by a cleanup at program exit.
Roc — Perceus in production-ish
The biggest real-world deployment of Perceus reference counting, layered with Morphic alias analysis and "seamless slices" so functional code rarely allocates.
Perceus (Koka)
"Garbage-free" precise reference counting with reuse — in-place updates without locks, statically inserted at compile time.
Runtime Techniques and Sandboxed Memory
Perceus/Koka, Roc, Lobster, generational ZGC, MMTk LXR, JSC Riptide, V8 Oilpan/Sandbox, MSWasm, WasmGC, V8 cage, W^X / JIT hardening, Spectre/JIT mitigations.
musl libc
The static-friendly C library that makes "build once, ship anywhere" actually work on Linux.
Runtime and libc
musl static, glibc, Cosmopolitan libc, Go runtime as library, no-libc freestanding, universal binaries, static-PIE, signing and notarization.
51. Audit Hooks
sys.addaudithook, the cpython.PyAudit_AddHook C API, and auditable events across the standard library.
50. Context Variables
PEP 567 Context and ContextVar objects, context copying on task creation, and asyncio integration.
49. Signals
Signal handler registration, the eval breaker flag, and safe SIGINT delivery to Python code.
48. Subinterpreters
Per-interpreter state isolation, Py_NewInterpreterFromConfig, and the experimental per-interpreter GIL.
47. Threads
Python thread objects, OS thread mapping, the GIL acquisition protocol, and thread-local state management.
46. The GIL
GIL purpose, implementation in Python/ceval_gil.c, forced release intervals, and its effect on multi-core performance.
45. The MRO
C3 linearization algorithm, mro() computation, and how Python resolves method lookup across multiple inheritance.
44. Classes and Metaclasses
type.__new__ and type.__init__, __init_subclass__, __set_name__, and metaclass resolution order.
43. Descriptors
__get__, __set__, __delete__ protocol, data vs. non-data descriptors, and property/classmethod/staticmethod internals.
42. The Import Lock
The per-module import lock, re-entrant import detection, and deadlock scenarios in multithreaded code.
41. Packages
Package __init__.py, namespace packages (PEP 420), relative imports, and __path__ manipulation.
40. Modules and Imports
The import machinery: finders, loaders, sys.modules cache, and the importlib bootstrap sequence.