Closed
Bug 1028345
Opened 10 years ago
Closed 5 years ago
Allocate DOM nodes in a separate heap partition
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1377999
People
(Reporter: mccr8, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug, )
Details
Apparently both IE and Chrome allocate DOM nodes into some kind of separate heap partition. This is a weaker mitigation measure than frame poisoning, because things with different vtables can still get allocated to the same location, but I suppose it reduces problems where a typed array buffer gets allocated in the former location of a DOM node. The main drawback would presumably be increased heap fragmentation.
|
||
Comment 1•10 years ago
|
||
We sort of tried this before FF 3, because of perf reasons. And it was good for perf, but bad for memory consumption. See bug 403830.
|
||
Updated•9 years ago
|
Blocks: heap-partitioning
|
||
Updated•6 years ago
|
Priority: -- → P5
|
||
Updated•6 years ago
|
Summary: Considering allocating DOM nodes in a separate heap partition → Allocate DOM nodes in a separate heap partition
|
|
||
Updated•6 years ago
|
Priority: P5 → P3
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Comment 2•5 years ago
|
||
Bug 1377999 is now doing the same thing.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•