867531 - Consider poisoning DOM stuff

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, enhancement)

Comment 1

[Mats Palmgren (inactive)]

Attachment: Poison some nsINode subclasses

Comment 2

[Mats Palmgren (inactive)]

Attachment: Poison the nsAttrAndChildArray buffer and nsINodeInfo objects

Comment 3

[Mats Palmgren (inactive)]

Attachment: stack, bug 865076

I did an experiment with the attached patches (on top of the patches in
bug 867530) to see if it could help mitigate exploitable crashes in
content code.  I used bug 865076 as an example.  Using an Opt build
on Linux64 it seems like it would make it non-exploitable.

There are of course limitations to how useful this is in content code
where the memory is quickly allocated for other purposes (unlike pres-
arena objects) but it might help a bit.  It could be made more useful
with a special purpose allocator for content I guess.

Comment 4

[Benjamin Smedberg]

Unless this is much simpler than bug 860254, I'd really prefer that we work on that one instead.

Comment 5

[David Bolter [:davidb] (NeedInfo me for attention)]

Mats, shall we close this in lieu of (fixed) bug 860254 or is there something more we can do here?

Comment 6

[Mats Palmgren (inactive)]

If nsINode-derived classes are still allocated from the general heap, then yes, bug 860254
should take care of it, except for the issue that Jesse raises in bug 860254 comment 34.
(assuming we use jemalloc on all platforms we care about)

Comment 7

[Andrew McCreight [:mccr8]]

Yes, nodes are allocated from the general heap, and we use jemalloc on all Tier 1 platforms.