Created attachment 744064: Poison the nsAttrAndChildArray buffer and nsINodeInfo objects

Created attachment 744066: stack, bug 865076

I did an experiment with the attached patches (on top of the patches in bug 867530) to see if it could help mitigate exploitable crashes in content code. I used bug 865076 as an example. Using an Opt build on Linux64 it seems like it would make it non-exploitable. There are of course limitations to how useful this is in content code where the memory is quickly allocated for other purposes (unlike pres-arena objects) but it might help a bit. It could be made more useful with a special purpose allocator for content I guess.
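The comment above contrasts poisoning in an arena-style allocator (where freed blocks stay owned by the arena and keep their poison until reuse) with the general heap. The following is an added example written for this thread, not the attached patches or any Mozilla code: a minimal fixed-size pool that overwrites blocks with a poison pattern on free, refuses double frees, and can report whether a block still holds the pattern. `POISON_BYTE`, the block size and count, and every function name are constructed for the example.

```c
/* Added example (not Mozilla's code): a tiny fixed-size pool allocator that
 * poisons blocks on free, as an arena-style allocator can, so that a stale
 * pointer observes a recognizable pattern instead of whatever the next
 * allocation put there. POISON_BYTE and the pool sizes are constructed values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define BLOCK_COUNT 8
#define POISON_BYTE 0xE5 /* constructed pattern; chosen so it never looks like a valid pointer */

typedef struct {
    uint8_t storage[BLOCK_COUNT][BLOCK_SIZE];
    uint8_t in_use[BLOCK_COUNT];
} Pool;

void pool_init(Pool *p) {
    memset(p->in_use, 0, sizeof p->in_use);
    memset(p->storage, POISON_BYTE, sizeof p->storage); /* start fully poisoned */
}

/* Hands out the first free block; the caller initializes it, so an
 * uninitialized read also shows up as poison rather than stale data. */
void *pool_alloc(Pool *p) {
    for (size_t i = 0; i < BLOCK_COUNT; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return p->storage[i];
        }
    }
    return NULL;
}

/* Maps a pointer back to its block index, or -1 if it is not a block start. */
static int pool_index(const Pool *p, const void *ptr) {
    uintptr_t base = (uintptr_t)p->storage;
    uintptr_t addr = (uintptr_t)ptr;
    if (addr < base || addr >= base + sizeof p->storage) return -1;
    uintptr_t off = addr - base;
    if (off % BLOCK_SIZE != 0) return -1;
    return (int)(off / BLOCK_SIZE);
}

/* Returns 1 on success, 0 for a foreign pointer or a double free. */
int pool_free(Pool *p, void *ptr) {
    int i = pool_index(p, ptr);
    if (i < 0 || !p->in_use[i]) return 0;
    memset(p->storage[i], POISON_BYTE, BLOCK_SIZE); /* poison on free */
    p->in_use[i] = 0;
    return 1;
}

/* Returns 1 if every byte of the block holds the poison pattern. A debug
 * assertion on a cached pointer can use this to catch use of a freed node. */
int pool_is_poisoned(const Pool *p, const void *ptr) {
    int i = pool_index(p, ptr);
    if (i < 0) return 0;
    for (size_t b = 0; b < BLOCK_SIZE; b++)
        if (p->storage[i][b] != POISON_BYTE) return 0;
    return 1;
}

/* Demonstration: a block is not poisoned while live, and is poisoned again
 * after free. The block is still pool-owned memory, so inspecting it is
 * well defined; a dangling dereference would find 0xE5E5... rather than a
 * usable child or node-info pointer. Returns 1 when both checks hold. */
int demo_stale_pointer_sees_poison(void) {
    Pool pool;
    pool_init(&pool);
    char *node = pool_alloc(&pool);
    if (node == NULL) return 0;
    strcpy(node, "live node contents"); /* constructed object payload */
    int poisoned_while_live = pool_is_poisoned(&pool, node); /* expect 0 */
    pool_free(&pool, node);
    return !poisoned_while_live && pool_is_poisoned(&pool, node);
}

/* Demonstration: the second free of the same block is refused. Returns 1
 * when the first free succeeds and the second is rejected. */
int demo_double_free_refused(void) {
    Pool pool;
    pool_init(&pool);
    void *node = pool_alloc(&pool);
    if (node == NULL) return 0;
    int first = pool_free(&pool, node);
    int second = pool_free(&pool, node);
    return first == 1 && second == 0;
}

int main(void) {
    printf("stale pointer sees poison: %d\n", demo_stale_pointer_sees_poison());
    printf("double free refused:       %d\n", demo_double_free_refused());
    return 0;
}
```

The point the thread makes still applies: a block stays poisoned only until the pool reuses it, and on the general heap that window can be very short, which is why the later comments prefer a heap-wide solution over per-class poisoning.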
Unless this is much simpler than bug 860254, I'd really prefer that we work on that one instead.
Mats, shall we close this in lieu of (fixed) bug 860254 or is there something more we can do here?
If nsINode-derived classes are still allocated from the general heap, then yes, bug 860254 should take care of it, except for the issue that Jesse raises in bug 860254 comment 34. (assuming we use jemalloc on all platforms we care about)
Yes, nodes are allocated from the general heap, and we use jemalloc on all Tier 1 platforms.