[webkit-dev] RenderArena: Teaching an old dog new tricks

Maciej Stachowiak mjs at apple.com
Wed Nov 14 23:12:54 PST 2012


On Nov 14, 2012, at 10:36 PM, Elliott Sprehn <esprehn at chromium.org> wrote:

> 
> On Thu, Nov 15, 2012 at 1:29 AM, Ryosuke Niwa <rniwa at webkit.org> wrote:
> ...
> In other words, why are you interested in using the proposed allocation mechanism for only DOM nodes/objects instead of everything in WebCore/WebKit?
> 
> This was my concern as well. It would seem you'd need many different arenas, and that would only make it really annoying to get use-after-frees since they have to be in the same arena, not impossible.
> 
> The major danger is really ArrayBuffer (and I suppose String) which lets you allocate an object of a specific size and aligned the same as the freed object. You can then create thousands of them until you get one on top of the freed location and fill in the buffer with the malicious vtable and ptr.
> 
> How hard would it be to allocate the void* buffer and the String UChar* with an arena?

I don't think you specifically want something with RenderArena's behavior for those, just something disjoint from the space where anything with a vtable pointer goes. There's no point having separate pools per document for these, or tighter size classes than what you get with normal malloc, or anything like that.

Regards,
Maciej
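The point Maciej is making (raw byte buffers must not share an allocation space with objects that carry a vtable pointer) can be shown with a toy allocator. The following is an added example written for this page; it is not WebKit code, not RenderArena, and not anything posted in the thread. The pool, the `Node` struct, its `NodeVTable`, and the hypothetical function names are all constructed here. The pool hands out fixed-size slots and reuses the most recently freed slot first, which is the property that makes the exploitation pattern in Elliott's message work: free a node, allocate attacker-filled buffers of the same size class, and the dangling node's "vtable" now points wherever the attacker wrote. Run once with a single shared pool and once with disjoint pools for objects and buffers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size-slot pool with a LIFO free list: a minimal
 * stand-in for one size class of a bucketing allocator. Not WebKit code. */
#define SLOT_SIZE  32
#define SLOT_COUNT 64

typedef struct Pool {
    uint8_t  slots[SLOT_COUNT][SLOT_SIZE];
    uint8_t *free_list[SLOT_COUNT];   /* most recently freed slot on top */
    size_t   free_top;
    size_t   next_fresh;              /* first slot never handed out */
} Pool;

static void pool_init(Pool *p) { memset(p, 0, sizeof *p); }

static void *pool_alloc(Pool *p)
{
    if (p->free_top > 0)
        return p->free_list[--p->free_top];   /* reuse a freed slot first */
    if (p->next_fresh < SLOT_COUNT)
        return p->slots[p->next_fresh++];
    return NULL;
}

static void pool_free(Pool *p, void *ptr)
{
    p->free_list[p->free_top++] = (uint8_t *)ptr;
}

/* A "DOM node" whose first word is a vtable pointer, as in a C++ object. */
typedef struct NodeVTable { const char *name; } NodeVTable;
typedef struct Node { const NodeVTable *vtable; uint32_t id; } Node;

static const NodeVTable real_vtable = { "Element" };
static const NodeVTable fake_vtable = { "attacker-controlled" };

/* Allocate a Node from object_pool, free it but keep the stale pointer,
 * then spray raw buffers from buffer_pool whose first bytes are a pointer
 * to fake_vtable (what an ArrayBuffer or String backing store lets a page
 * do). Returns 1 if a later "virtual call" through the stale pointer would
 * read the attacker's vtable, 0 if the freed slot was never reclaimed. */
static int vtable_hijacked(Pool *object_pool, Pool *buffer_pool)
{
    Node *victim = pool_alloc(object_pool);
    Node  init   = { &real_vtable, 7 };
    memcpy(victim, &init, sizeof init);

    pool_free(object_pool, victim);           /* victim is now dangling */

    const NodeVTable *fake = &fake_vtable;
    for (int i = 0; i < 16; i++) {            /* the "spray" */
        uint8_t *buf = pool_alloc(buffer_pool);
        if (!buf)
            break;
        memset(buf, 0x41, SLOT_SIZE);
        memcpy(buf, &fake, sizeof fake);      /* attacker-chosen first word */
    }

    /* Use-after-free: read the vtable slot through the stale pointer. */
    const NodeVTable *seen;
    memcpy(&seen, victim, sizeof seen);
    return seen == &fake_vtable;
}

/* Nodes and raw buffers share one pool (the situation Elliott describes). */
int shared_pool_hijack(void)
{
    static Pool heap;
    pool_init(&heap);
    return vtable_hijacked(&heap, &heap);
}

/* Raw buffers come from a pool disjoint from anything with a vtable. */
int partitioned_pools_hijack(void)
{
    static Pool objects, buffers;
    pool_init(&objects);
    pool_init(&buffers);
    return vtable_hijacked(&objects, &buffers);
}

int main(void)
{
    printf("shared pool:     vtable hijacked = %d\n", shared_pool_hijack());
    printf("disjoint pools:  vtable hijacked = %d\n", partitioned_pools_hijack());
    return 0;
}
```

In the shared case the very first sprayed buffer lands on the freed slot because the toy free list is LIFO; a real allocator needs the "thousands of them" Elliott mentions to hit the slot, but the outcome is the same. In the partitioned case no amount of spraying from the buffer pool can touch the object pool's memory, which is exactly the property Maciej is asking for: it does not need per-document pools or tighter size classes, only a disjoint address space for attacker-sized raw bytes.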

