Open Bug 1052575 (heap-partitioning) Opened 7 years ago Updated 2 years ago

[meta] store content-controlled buffers in a separate heap


(Core :: Security, defect)





(Reporter: benjamin, Unassigned)


(Depends on 2 open bugs, Blocks 1 open bug)



This is a tracking bug for a project to store content-controlled buffers such as strings, ArrayBuffer, network buffers, and other similar data in a heap separate from the normal C++ heap.

Links and prior art:
Depends on: 1052576
Depends on: 1052579
Depends on: 1052582
Alias: heap-partitioning
Depends on: 1053362
Depends on: 1028345
Depends on: 1402174
As we move this forward I wanted to point to the current partitions that Chromium has:

The first target would be what they call the buffer partition - all JavaScript objects that are near-entirely user controlled (strings, arrays, and any similar or synonymous types) would be segmented into a separate partition. Once that is done and baked we can determine what would be good future targets for this work.
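The buffer-partition idea from the comment above, as an added illustration that is not Firefox or Chromium code: a toy two-arena allocator in which a string's header (which holds a pointer) lives in an object heap and its content bytes live in a separate buffer heap, so whatever lies immediately past a content buffer is more content bytes rather than object metadata. All names, sizes and the sample payload are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Two fixed-size arenas (constructed for this example): one for engine
 * objects, one for content-controlled byte buffers. */
#define PARTITION_SIZE (64 * 1024)
typedef struct { uint8_t *base; size_t size; size_t used; } partition_t;
static uint8_t object_region[PARTITION_SIZE];
static uint8_t buffer_region[PARTITION_SIZE];
static partition_t object_heap = { object_region, PARTITION_SIZE, 0 };
static partition_t buffer_heap = { buffer_region, PARTITION_SIZE, 0 };
/* Bump allocation with 16-byte alignment; NULL when the arena is exhausted. */
static void *partition_alloc(partition_t *p, size_t n) {
    size_t rounded = (n + 15) & ~(size_t)15;
    if (rounded < n || rounded > p->size - p->used) return NULL;
    void *ptr = p->base + p->used;
    p->used += rounded;
    return ptr;
}
/* Does ptr fall inside partition p? Used to check the separation invariant. */
static int in_partition(const partition_t *p, const void *ptr) {
    uintptr_t q = (uintptr_t)ptr, lo = (uintptr_t)p->base;
    return q >= lo && q < lo + p->size;
}
/* A content string: header in the object heap, content-controlled bytes
 * in the buffer heap. */
typedef struct { uint32_t kind; size_t len; uint8_t *data; } content_string_t;
static content_string_t *new_content_string(const uint8_t *src, size_t len) {
    content_string_t *s = partition_alloc(&object_heap, sizeof *s);
    uint8_t *data = partition_alloc(&buffer_heap, len);
    if (!s || !data) return NULL;
    memcpy(data, src, len);
    s->kind = 1; s->len = len; s->data = data;
    return s;
}
/* Allocates two strings back to back and checks that no header sits next to
 * content bytes: the byte past a's content is still in the buffer heap. */
static int check_partition_invariant(void) {
    static const uint8_t payload[] = "constructed sample content";
    content_string_t *a = new_content_string(payload, sizeof payload);
    content_string_t *b = new_content_string(payload, sizeof payload);
    if (!a || !b) return 0;
    return in_partition(&object_heap, a) && in_partition(&object_heap, b)
        && in_partition(&buffer_heap, a->data) && in_partition(&buffer_heap, b->data)
        && in_partition(&buffer_heap, a->data + a->len)
        && !in_partition(&object_heap, a->data + a->len);
}
```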
Depends on: 1410132
Depends on: 1446466
OS: Linux → All
Hardware: x86_64 → All
Depends on: 1474659
Depends on: 1377999
Keywords: meta
Summary: Tracking: store content-controlled buffers in a separate heap → [meta] store content-controlled buffers in a separate heap