[webkit-dev] RenderArena: Teaching an old dog new tricks

Ryosuke Niwa rniwa at webkit.org
Wed Nov 14 16:35:02 PST 2012


On Wed, Nov 14, 2012 at 3:46 PM, Chris Evans <cevans at chromium.org> wrote:

> On Wed, Nov 14, 2012 at 2:48 PM, Geoffrey Garen <ggaren at apple.com> wrote:
>
>> Hi Eric.
>>
>> Here are some problems in RenderArena that I know of:
>>
>> - Grows memory without bound
>> - Duplicates the functionality of FastMalloc
>> - Makes allocation error-prone (allocation in the wrong arena is
>> sometimes a leak, sometimes a use-after-free, and sometimes a heizenbug of
>> the two)
>> - Makes allocation verbose (you have to thread an arena pointer
>> everywhere)
>> - Makes object lifetime complicated (all objects are implicitly tied to a
>> single owner they may outlive)
>> - Uses C-style macros and manual initialization and destruction, instead
>> of modern WebKit C++ style
>>
>> You didn't mention any of these problems in your email, so I'll assume
>> you weren't aware of them.
>>
>> Considering these problems now, please don't use RenderArena in more
>> places.
>>
>> > Slab-allocators (i.e. RenderArena) hand out memory all from a single
>> > region, guaranteeing (among other things) that free'd objects can only
>> > be ever overwritten by other objects from the same pool.  This makes
>> > it much harder, for example to find a Use-After-Free of a RenderBlock
>> > and then fill that RenderBlock's memory (and vtable pointer) with
>> > arbitrary memory (like the contents of a javascript array).
>> > http://en.wikipedia.org/wiki/Slab_allocation
>>
>> This is magical thinking. RenderArena is no different from FastMalloc.
>>
>
> It's actually different enough to be interesting:
> - The bucket granularity is different, which affects exploitation
> significantly.
>

How big of a difference does this (and other characteristics of
RenderArena) make in making WebCore secure? e.g. do you have data (i.e.
esti as to what percentage of security vulnerabilities we’ve had in the
past one year could have been less severe if we had used RenderArena for
DOM?

Also, can you post the complete diff somewhere so that those of us
following at home may gather data ourselves as well?

- R. Niwa.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20121114/6938ba10/attachment.html>


More information about the webkit-dev mailing list