How can I get the memory address of a JavaScript variable?

Is it possible to find the memory address of a JavaScript variable? The JavaScript code is part of (embedded into) a normal application where JavaScript is used as a front end to C++ and does not run on the browser. The JavaScript implementation used is SpiderMonkey.


If it would be possible at all, it would be very dependent on the javascript engine. The more modern javascript engine compile their code using a just in time compiler and messing with their internal variables would be either bad for performance, or bad for stability.

If the engine allows it, why not make a function call interface to some native code to exchange the variable's values?


It's more or less impossible - Javascript's evaluation strategy is to always use call by value, but in the case of Objects (including arrays) the value passed is a reference to the Object, which is not copied or cloned. If you reassign the Object itself in the function, the original won't be changed, but if you reassign one of the Object's properties, that will affect the original Object.

That said, what are you trying to accomplish? If it's just passing complex data between C++ and Javascript, you could use a JSON library to communicate. Send a JSON object to C++ for processing, and get a JSON object to replace the old one.


You can using a side-channel, but you can't do anything useful with it other than attacking browser security!

The closest to virtual addresses are ArrayBuffers.

If one virtual address within an ArrayBuffer is identified, the remaining addresses are also known, as both the addresses of the memory and the array indices are linear.

Although virtual addresses are not themselves physical memory addresses, there are ways to translate virtual address into a physical memory address.

Browser engines allocate ArrayBuffers always page aligned. The first byte of the ArrayBuffer is therefore at the beginning of a new physical page and has the least significant 12 bits set to ‘0’.

If a large chunk of memory is allocated, browser engines typically use mmap to allocate this memory, which is optimized to allocate 2 MB transparent huge pages (THP) instead of 4 KB pages.

As these physical pages are mapped on demand, i.e., as soon as the first access to the page occurs, iterating over the array indices results in page faults at the beginning of a new page. The time to resolve a page fault is significantly higher than a normal memory access. Thus, you can knows the index at which a new 2 MB page starts. At this array index, the underlying physical page has the 21 least significant bits set to ‘0’.

This answer is not trying to provide a proof of concept because I don’t have time for this, but I may be able to do so in the future. This answer is an attempt to point the right direction to the person asking the question.

Sources,

http://www.misc0110.net/files/jszero.pdf

https://download.vusec.net/papers/anc_ndss17.pdf