Bug 1377999 Comment 50 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Say I manage to convince Firefox to free a DOM Node X that I have partial control over (by changing the attributes). I can't do anything interesting just changing the attributes of this DOM node. It is freed (but still used, the UAF) by the allocator, which now allocates a More Interesting Internal Data Structure on the same spot. Now, the memory spot that I control and that was a harmless attribute actually contains a vtable ptr = profit.

This kind of attack is harder if the arena only allows other Less Interesting Objects to be allocated into the freed up memory.

It is even harder if every DOM Node has its own arena. WebKit has this, but it's quite a step further from this still.
Say I manage to convince Firefox to free a DOM Node X that I have partial control over (by changing the attributes). I can't do anything interesting just changing the attributes of this DOM node. It is freed (but still used, the UAF) by the allocator, which now allocates a More Interesting Internal Data Structure on the same spot. Now, the memory spot that I control and that was a harmless attribute actually contains a vtable ptr = profit.

This kind of attack is harder if the arena only allows other Less Interesting Objects to be allocated into the freed up memory. It's even harder if it's similarly sized objects of a similar type (i.e. other DOM Nodes), since there's less chance the vtable is in a useful position.

It is even harder if every DOM Node has its own arena. WebKit has this, but it's quite a step further from this still.
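The mitigation the comment describes, as an added example (not Firefox/Gecko code): a toy bump-plus-free-list arena, used once as a shared heap and once as one arena per object type, so you can see which configuration hands a freed "DOM node" slot to a different kind of object. Slot sizes, type names and the LIFO free list are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SLOTS 8
#define SLOT_SIZE 64

/* Minimal arena: bump allocation from a slab, freed slots kept on a LIFO
 * free list so the most recently freed slot is the next one handed out. */
typedef struct Arena {
    uint8_t slab[SLOTS * SLOT_SIZE];
    void *free_list[SLOTS];
    size_t free_top;
    size_t bump;
} Arena;

static void arena_init(Arena *a) { a->free_top = 0; a->bump = 0; }

static void *arena_alloc(Arena *a) {
    if (a->free_top > 0) return a->free_list[--a->free_top]; /* reuse first */
    if (a->bump >= SLOTS) return NULL;
    return a->slab + (a->bump++) * SLOT_SIZE;
}

static void arena_free(Arena *a, void *p) { a->free_list[a->free_top++] = p; }

/* Shared heap: "DOM nodes" and "internal structures" draw from one arena.
 * Free a node, allocate an internal structure: it lands on the node's slot. */
int reuse_in_shared_heap(void) {
    Arena shared;
    arena_init(&shared);
    void *node = arena_alloc(&shared);
    arena_free(&shared, node);
    void *internal = arena_alloc(&shared);
    return node == internal;   /* 1: the freed slot is reused across types */
}

/* Segregated arenas: one per type. The freed node slot can only be reused
 * by another node, never by an internal structure. */
int reuse_across_segregated_arenas(void) {
    Arena dom_nodes, internal_structs;
    arena_init(&dom_nodes);
    arena_init(&internal_structs);
    void *node = arena_alloc(&dom_nodes);
    arena_free(&dom_nodes, node);
    void *internal = arena_alloc(&internal_structs);
    void *other_node = arena_alloc(&dom_nodes);
    /* 0 for the cross-type case; the same-type case (other_node) does reuse it */
    return (node == internal) ? 1 : (other_node == node ? 0 : -1);
}
```

The return value -1 flags the case where neither allocation reused the slot, which would mean the free list is not being consulted at all.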
