[webkit-dev] RenderArena: Teaching an old dog new tricks
mjs at apple.com
Tue Nov 13 23:27:49 PST 2012
On Nov 13, 2012, at 10:23 PM, Eric Seidel <eric at webkit.org> wrote:
> We're aware of multiple high-profile past WebKit exploits (including
> the last $60,000-winning Pwnium 2 exploit) which would have been
> defeated by a Slab-allocated DOM.
Some of RenderArena's basic assumptions are that no renderers can outlive the root of their render tree, and that renderers can never be moved from one render tree to another. These are correct for render objects but not DOM nodes. I don't know if this is a fatal obstacle but it is certainly not obvious how to address it. You could force a "DOM Arena" to stay alive so long as any of its associated DOM nodes was alive, but this has the potential to lead to pathological levels of memory fragmentation.
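To make the fragmentation concern in the reply concrete, here is an added example (not code from the thread or from WebKit) of a hypothetical reference-counted `DomArena`, where a single surviving node pins the entire slab even though it only uses one slot:

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical "DomArena" (an assumption for this example, not RenderArena):
// a slab of equal-size slots handed out from a free list. Unlike RenderArena
// it is reference counted, so it cannot be torn down while any node points at it.
struct DomArena {
    static constexpr size_t kSlotBytes = 64;
    static constexpr size_t kSlotCount = 1024;
    std::vector<uint8_t> storage;
    std::vector<void*> freeList;
    size_t liveSlots = 0;

    DomArena() : storage(kSlotBytes * kSlotCount) {
        for (size_t i = 0; i < kSlotCount; ++i)
            freeList.push_back(storage.data() + i * kSlotBytes);
    }
    void* allocate() {
        if (freeList.empty()) return nullptr;
        void* slot = freeList.back();
        freeList.pop_back();
        ++liveSlots;
        return slot;
    }
    void release(void* slot) { freeList.push_back(slot); --liveSlots; }
    size_t heldBytes() const { return storage.size(); }          // memory the arena pins
    size_t liveBytes() const { return liveSlots * kSlotBytes; }  // memory actually in use
};

// A node owns one slot plus a strong reference to the arena that slot lives in,
// so the arena outlives the tree for as long as any node survives.
struct DomNode {
    std::shared_ptr<DomArena> arena;
    void* slot;
    explicit DomNode(std::shared_ptr<DomArena> a)
        : arena(std::move(a)), slot(arena->allocate()) {}
    ~DomNode() { arena->release(slot); }
};

struct Retained { size_t held; size_t live; };

// Build a "document" that fills the arena, then destroy every node except one
// (e.g. a node a script still references). Reports what that survivor keeps alive.
Retained retainedBySingleSurvivor() {
    auto arena = std::make_shared<DomArena>();
    std::vector<std::unique_ptr<DomNode>> nodes;
    for (size_t i = 0; i < DomArena::kSlotCount; ++i)
        nodes.push_back(std::make_unique<DomNode>(arena));
    std::unique_ptr<DomNode> survivor = std::move(nodes.front());
    nodes.clear();                     // the rest of the document is gone
    std::weak_ptr<DomArena> watch = arena;
    arena.reset();                     // drop the document's own reference
    std::shared_ptr<DomArena> pinned = watch.lock();  // still alive via survivor
    return { pinned ? pinned->heldBytes() : 0, pinned ? pinned->liveBytes() : 0 };
}
```

Here 64 live bytes keep 64 KiB resident; with many short-lived documents each leaving a few long-lived nodes behind, that is the pathological fragmentation the reply warns about.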