RenderArena was a perf optimization for the rendering tree, which hyatt imported from Mozilla 10 years ago: http://trac.webkit.org/changeset/2635
The prevailing lore has long been that RenderArena is no longer useful, ugly, and should be killed! http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg12681.html The (unfortunate?) reality is that we've failed to do so, despite trying several times. http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg12682.html

However, like those bell-bottoms in your father's closet, RenderArena is back in vogue, and Chromium's security team is very excited about RenderArena's security benefits. Why, you might ask?

Slab allocators (i.e. RenderArena) hand out all memory from a single region, guaranteeing (among other things) that freed objects can only ever be overwritten by other objects from the same pool. This makes it much harder, for example, to find a Use-After-Free of a RenderBlock and then fill that RenderBlock's memory (and vtable pointer) with arbitrary memory (like the contents of a JavaScript array). http://en.wikipedia.org/wiki/Slab_allocation

We're aware of multiple high-profile past WebKit exploits (including the last $60,000-winning Pwnium 2 exploit) which would have been defeated by a slab-allocated DOM.

Various members of Chromium's security team have also been working on improving RenderArena:
http://trac.webkit.org/changeset/133119
http://trac.webkit.org/changeset/132970
http://trac.webkit.org/changeset/129583
http://trac.webkit.org/changeset/97009

Since RenderArena is generic, the current plan is to move it to WTF (as Chris Marrin suggested back in http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg12672.html), clean up the code further, and investigate wider deployment (like to the DOM tree) for the security benefit and possible perf win. https://bugs.webkit.org/show_bug.cgi?id=101087

Also on the list is making our smart pointers (OwnPtr, RefPtr) smarter, to avoid the manual use/free mess of current RenderArena clients.

Personally, I hope we bring back mullets next.
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev
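The slab-allocator argument in the post, as an added example that is not part of the original message or of WebKit's RenderArena code: a toy free-list pool in C, used first as one shared heap (the freed RenderBlock slot is handed straight to an attacker-controlled buffer of the same size class, so the stale pointer's vtable word becomes attacker bytes) and then as per-type arenas (the same slot can only be reused by another RenderBlock, so the stale pointer's vtable word is a legitimate vtable again). The RenderBlock layout, its one-entry vtable, the pool size and the 0x41 spray pattern are all constructed for the illustration and are not WebKit's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a C++ object with a vtable: the first word is a
   pointer to the vtable, which is exactly what a UAF exploit wants to replace. */
typedef struct RenderBlock RenderBlock;
typedef struct { int (*layout)(const RenderBlock *); } RenderBlockVTable;
struct RenderBlock { const RenderBlockVTable *vtable; int width; int height; char pad[40]; };

static int renderblock_layout(const RenderBlock *b) { return b->width * b->height; }
static const RenderBlockVTable kRenderBlockVTable = { renderblock_layout };

/* One pool slot.  When free, the first word holds the free-list link (overlapping
   the vtable word, as RenderArena's free list does); when live, it is the object. */
#define NSLOTS 8
typedef union Slot {
    RenderBlock block;
    void *link;
    unsigned char bytes[sizeof(RenderBlock)];
} Slot;

typedef struct { Slot slots[NSLOTS]; Slot *freelist; } Pool;

static void pool_init(Pool *p) {
    p->freelist = NULL;
    for (int i = NSLOTS - 1; i >= 0; i--) { p->slots[i].link = p->freelist; p->freelist = &p->slots[i]; }
}
static Slot *pool_alloc(Pool *p) {            /* LIFO: the most recently freed slot is reused first */
    Slot *s = p->freelist;
    if (s) p->freelist = (Slot *)s->link;
    return s;
}
static void pool_free(Pool *p, Slot *s) { s->link = p->freelist; p->freelist = s; }

/* The word an attacker-filled buffer leaves in the vtable position (0x4141... on this arch). */
uintptr_t attacker_pattern_word(void) { uintptr_t w; memset(&w, 0x41, sizeof w); return w; }

/* Scenario 1: one shared heap for every type.  Returns the vtable word the dangling
   pointer sees after the attacker's same-size buffer lands in the freed slot. */
uintptr_t shared_heap_uaf(void) {
    static Pool heap; pool_init(&heap);
    RenderBlock *b = &pool_alloc(&heap)->block;
    b->vtable = &kRenderBlockVTable; b->width = 3; b->height = 4;
    pool_free(&heap, (Slot *)b);                      /* bug under test: b is now dangling */
    Slot *spray = pool_alloc(&heap);                  /* attacker's "JS array" store, same size class */
    memset(spray->bytes, 0x41, sizeof spray->bytes);  /* attacker controls every byte of the old object */
    return (uintptr_t)b->vtable;                      /* == attacker_pattern_word(): b->vtable->layout(b) would jump anywhere */
}

/* Scenario 2: a RenderArena-style pool per type.  The attacker's buffer comes from a
   different region, so the only thing that can land in b's slot is another RenderBlock. */
uintptr_t type_arena_uaf(void) {
    static Pool renderArena, jsArrayArena; pool_init(&renderArena); pool_init(&jsArrayArena);
    RenderBlock *b = &pool_alloc(&renderArena)->block;
    b->vtable = &kRenderBlockVTable; b->width = 3; b->height = 4;
    pool_free(&renderArena, (Slot *)b);               /* same bug, b dangling */
    Slot *spray = pool_alloc(&jsArrayArena);          /* lands in the JS-array arena, not in b's slot */
    memset(spray->bytes, 0x41, sizeof spray->bytes);
    RenderBlock *other = &pool_alloc(&renderArena)->block;   /* reuses b's slot: a real RenderBlock */
    other->vtable = &kRenderBlockVTable; other->width = 5; other->height = 6;
    return (uintptr_t)b->vtable;                      /* == &kRenderBlockVTable: still a RenderBlock vtable */
}

int main(void) {
    printf("shared heap: dangling vtable word = %#lx (attacker pattern %#lx)\n",
           (unsigned long)shared_heap_uaf(), (unsigned long)attacker_pattern_word());
    printf("type arena:  dangling vtable word = %#lx (real vtable %#lx)\n",
           (unsigned long)type_arena_uaf(), (unsigned long)(uintptr_t)&kRenderBlockVTable);
    return 0;
}
```

The stale pointer is a bug in both scenarios; what changes is what an attacker can make it point at. In the shared-heap case the vtable word is whatever the attacker sprayed, which is the step the post describes as filling the RenderBlock with the contents of a JavaScript array. In the per-type arena the freed slot only ever holds the arena's free-list link or another RenderBlock, so a virtual call through the dangling pointer still dispatches to a RenderBlock method (with the wrong object's data), which is a much weaker primitive. The same LIFO reuse pattern is what a real slab allocator has too; the defence comes from segregating the pools, not from hiding the free list.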