Open Bug 1052575 (heap-partitioning) Opened 7 years ago Updated 2 years ago
[meta] store content-controlled buffers in a separate heap
This is a tracking bug for a project to store content-controlled buffers such as strings, ArrayBuffer, network buffers, and other similar data in a heap separate from the normal C++ heap.

Links and prior art:
https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends---object-allocation-hardening-in-web-browsers/
https://codereview.chromium.org/26196002
https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/PartitionAlloc.h
Depends on: 1446046
Safari has (just) implemented Isolated Heaps for their DOM. Interestingly, they seem to have a separate Isolated Heap for every individual DOM type (which is very strong protection!)

https://github.com/WebKit/webkit/commit/197cd32c3b5527e8c2bbe3fcb7d78cc993dd8904
https://bugs.webkit.org/show_bug.cgi?id=183546#c43
https://github.com/WebKit/webkit/blob/2e53890f18d9a44fa41607791efca2939aa3c7f7/Source/WTF/wtf/IsoMalloc.h
https://github.com/WebKit/webkit/blob/master/Source/bmalloc/bmalloc/IsoHeap.h
https://github.com/WebKit/webkit/blob/master/Source/bmalloc/bmalloc/IsoHeapInlines.h
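Added example (not Firefox or WebKit code, and not the allocator either project ships): a toy partitioned allocator in C that shows what the separate heap in the bug description buys against a use-after-free, and why the per-type isolated heaps mentioned for Safari are the same idea taken further. It assumes one 64-byte slot size per partition and LIFO free-list reuse, the naive behaviour that lets attacker-controlled content reclaim a freed object; PartitionAlloc and bmalloc's IsoHeap are far more elaborate (size classes, guard pages, per-type page ownership). All names (partition_t, part_alloc, node_t, ...) are this example's own.

```c
/* Toy heap partitioning demo (added example, not browser code).
 * A partition owns a fixed arena and a LIFO free list. A slot freed in one
 * partition can only ever be handed out again by that same partition. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define SLOT_SIZE 64
#define SLOTS 32

typedef struct partition {
    const char *name;
    uint8_t arena[SLOT_SIZE * SLOTS];  /* backing memory for this partition only */
    void *free_list;                   /* LIFO free list, most recent free first */
    size_t next_fresh;                 /* bump index for never-used slots */
} partition_t;

/* Allocate one slot: reuse the most recently freed slot if any, else bump. */
static void *part_alloc(partition_t *p, size_t n) {
    if (n > SLOT_SIZE) return NULL;
    if (p->free_list) {
        void *slot = p->free_list;
        memcpy(&p->free_list, slot, sizeof(void *));  /* pop next pointer */
        return slot;
    }
    if (p->next_fresh >= SLOTS) return NULL;
    return p->arena + SLOT_SIZE * (p->next_fresh++);
}

/* Free a slot back to its partition (next pointer stored inline, as in
 * a classic free-list allocator). */
static void part_free(partition_t *p, void *ptr) {
    memcpy(ptr, &p->free_list, sizeof(void *));
    p->free_list = ptr;
}

/* Does this partition own the address? */
static int part_contains(const partition_t *p, const void *ptr) {
    const uint8_t *b = ptr;
    return b >= p->arena && b < p->arena + sizeof p->arena;
}

/* A stand-in for a C++ object with a vtable-like pointer at offset 0. */
typedef struct node {
    void (*on_event)(struct node *);
    char name[56];
} node_t;

/* Shared heap: the freed node's slot is handed to attacker-controlled content
 * of the same size class, so the dangling pointer now sees 0x41 bytes where
 * on_event used to be. Returns 1 when the slot was reclaimed. */
static int uaf_reclaimed_shared(void) {
    partition_t heap = { .name = "shared" };
    node_t *n = part_alloc(&heap, sizeof *n);
    strcpy(n->name, "node");
    node_t *dangling = n;            /* stale reference kept after free */
    part_free(&heap, n);
    char *content = part_alloc(&heap, 64);   /* e.g. a JS string / ArrayBuffer */
    memset(content, 'A', 64);
    return (void *)content == (void *)dangling;
}

/* Partitioned: objects and content-controlled buffers live in different
 * arenas, so content can never land on the freed object's slot.
 * Returns 1 only if the content buffer overlaps the dangling object. */
static int uaf_reclaimed_partitioned(void) {
    partition_t objects = { .name = "objects" };
    partition_t content = { .name = "content" };  /* strings, ArrayBuffers, ... */
    node_t *n = part_alloc(&objects, sizeof *n);
    strcpy(n->name, "node");
    node_t *dangling = n;
    part_free(&objects, n);
    char *buf = part_alloc(&content, 64);
    memset(buf, 'A', 64);
    return (void *)buf == (void *)dangling || part_contains(&content, dangling);
}

int main(void) {
    printf("shared heap: content reclaimed freed object? %d\n", uaf_reclaimed_shared());
    printf("partitioned:  content reclaimed freed object? %d\n", uaf_reclaimed_partitioned());
    return 0;
}
```

The partitioned case still has a use-after-free; what changes is that the stale slot can only be refilled by another object from the same partition, which removes the attacker's easy path of spraying controlled bytes over a freed object's header. A per-type isolated heap, as described for WebKit above, is the same structure with one partition_t per DOM type, so the refill can only be another object of the same type.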
Depends on: 1402282
Summary: Tracking: store content-controlled buffers in a separate heap → [meta] store content-controlled buffers in a separate heap