On Nov 14, 2012, at 10:36 PM, Elliott Sprehn <[email protected]> wrote:
> On Thu, Nov 15, 2012 at 1:29 AM, Ryosuke Niwa <[email protected]> wrote:
>> ...
>> In other words, why are you interested in using the proposed allocation
>> mechanism for only DOM nodes/objects instead of everything in WebCore/WebKit?
>
> This was my concern as well. It would seem you'd need many different arenas,
> and that would only make it really annoying to get use-after-frees since they
> have to be in the same arena, not impossible.
>
> The major danger is really ArrayBuffer (and I suppose String) which lets you
> allocate an object of a specific size and aligned the same as the freed
> object. You can then create thousands of them until you get one on top of the
> freed location and fill in the buffer with the malicious vtable and ptr.
>
> How hard would it be to allocate the void* buffer and the String UChar* with
> an arena?

I don't think you specifically want something with RenderArena's behavior for those, just something disjoint from the space where anything with a vtable pointer goes. There's no point having separate pools per document for these, or tighter size classes than what you get with normal malloc, or anything like that.

Regards,
Maciej
_______________________________________________ webkit-dev mailing list [email protected] http://lists.webkit.org/mailman/listinfo/webkit-dev
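The attack Elliott describes and the partitioning Maciej suggests, reduced to a runnable model. This is an added example, not WebKit code and not its allocator: a toy size-class pool with a LIFO free list stands in for malloc, a `Node` struct whose first word is a vtable pointer stands in for a DOM object, and the spray of attacker-filled buffers stands in for creating thousands of ArrayBuffers. The pool, the `Node`/`NodeVTable` types, `attacker_vtable` and `spray_then_call` are all assumptions made up for the illustration. When buffers come from the same pool as nodes, the spray reclaims the freed slot and the stale virtual call lands in attacker code; when buffers come from a disjoint pool, no buffer can ever sit on the freed node.

```c
/* Heap partitioning demo: raw attacker-sized buffers (ArrayBuffer, String
 * backing stores) must not share an allocator with objects carrying a vtable.
 * Constructed example; not WebKit's allocator. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE      64
#define SLOTS_PER_POOL 256

/* A minimal size-class pool: LIFO free list plus a bump pointer over static memory. */
typedef struct Pool {
    _Alignas(16) unsigned char mem[SLOTS_PER_POOL * SLOT_SIZE];
    void *free_list;
    size_t bump;
} Pool;

static void pool_init(Pool *p) {
    memset(p->mem, 0, sizeof p->mem);
    p->free_list = NULL;
    p->bump = 0;
}

static void *pool_alloc(Pool *p) {
    if (p->free_list) {                      /* most recently freed slot is reused first */
        void *slot = p->free_list;
        memcpy(&p->free_list, slot, sizeof(void *));
        return slot;
    }
    if (p->bump < SLOTS_PER_POOL)
        return p->mem + (p->bump++) * SLOT_SIZE;
    return NULL;
}

static void pool_free(Pool *p, void *slot) {
    memcpy(slot, &p->free_list, sizeof(void *)); /* link overwrites the vtable pointer */
    p->free_list = slot;
}

/* Stand-in for a DOM node: first word is the vtable pointer, as in C++. */
typedef struct Node Node;
typedef struct NodeVTable { int (*get_id)(const Node *); } NodeVTable;
struct Node { const NodeVTable *vt; int id; };

static int node_get_id(const Node *n) { return n->id; }
static const NodeVTable node_vtable = { node_get_id };

/* Where the attacker wants the stale virtual call to end up (hypothetical). */
#define HIJACKED 0xBAD
static int attacker_get_id(const Node *n) { (void)n; return HIJACKED; }
static const NodeVTable attacker_vtable = { attacker_get_id };

static Pool node_pool, buffer_pool;

/* Frees a node, keeps the dangling pointer, sprays same-size buffers filled with
 * a fake vtable pointer, then calls through the dangling node if the spray
 * reclaimed its slot. Returns HIJACKED on a successful hijack, -1 if no buffer
 * ever landed on the freed slot (calling through it would be undefined, so we don't). */
static int spray_then_call(int partitioned) {
    pool_init(&node_pool);
    pool_init(&buffer_pool);
    Pool *bufs = partitioned ? &buffer_pool : &node_pool;

    Node *n = pool_alloc(&node_pool);
    n->vt = &node_vtable;
    n->id = 7;
    pool_free(&node_pool, n);                /* the bug: n is still used below */

    const NodeVTable *fake = &attacker_vtable;
    int reclaimed = 0;
    for (int i = 0; i < 64; i++) {           /* ArrayBuffer-style spray, same size class */
        unsigned char *buf = pool_alloc(bufs);
        memcpy(buf, &fake, sizeof fake);     /* attacker-chosen "vtable" at offset 0 */
        if ((void *)buf == (void *)n)
            reclaimed = 1;
    }
    if (!reclaimed)
        return -1;
    return n->vt->get_id(n);                 /* virtual call through the stale pointer */
}

int main(void) {
    printf("shared pool:      result=0x%x (hijacked=%d)\n",
           spray_then_call(0), spray_then_call(0) == HIJACKED);
    printf("partitioned pool: result=%d (freed slot never reclaimed by a buffer)\n",
           spray_then_call(1));
    return 0;
}
```

The partitioned run still has a use-after-free; the point is only that the buffer spray can no longer place attacker data under the vtable slot, which matches Maciej's "disjoint from the space where anything with a vtable pointer goes" rather than a per-document arena or tighter size classes.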

