On Nov 13, 2012, at 10:23 PM, Eric Seidel <e...@webkit.org> wrote:

> We're aware of multiple high-profile past WebKit exploits (including
> the last $60,000-winning Pwnium 2 exploit) which would have been
> defeated by a Slab-allocated DOM.
Some of RenderArena's basic assumptions are that no renderers can outlive the root of their render tree, and that renderers can never be moved from one render tree to another. These are correct for render objects but not DOM nodes. I don't know if this is a fatal obstacle, but it is certainly not obvious how to address it. You could force a "DOM Arena" to stay alive so long as any of its associated DOM nodes was alive, but this has the potential to lead to pathological levels of memory fragmentation.

Regards,
Maciej

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev
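The lifetime assumption discussed above, as an added illustration that is not WebKit code: a toy bump arena in which every node pins the arena it was allocated from. A tree whose nodes never escape releases its arena when the root dies, while one node adopted into another tree keeps the old arena's entire block resident, which is the fragmentation concern. All type names and sizes here are hypothetical.

```cpp
// Added example, not WebKit code: a toy arena showing why DOM nodes break
// RenderArena's "nothing outlives the tree root" rule. Names are hypothetical.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// A page-sized block handed out in fixed slots by a bump pointer; individual
// slots are never reused, so the block is only reclaimed when it is destroyed.
struct Arena {
    static const size_t kBytes = 4096;
    static const size_t kSlot = 64;
    size_t next = 0;                 // bump offset into storage
    unsigned char storage[kBytes];   // the backing block (contents unused here)
    bool allocate() { if (next + kSlot > kBytes) return false; next += kSlot; return true; }
};

// A node keeps its arena alive: the "DOM Arena stays alive while any node lives" policy.
struct Node {
    std::shared_ptr<Arena> arena;
};

// A tree root owning one arena and the nodes carved out of it.
struct Tree {
    std::shared_ptr<Arena> arena = std::make_shared<Arena>();
    std::vector<std::unique_ptr<Node>> nodes;
    bool addNode() {
        if (!arena->allocate()) return false;
        nodes.push_back(std::unique_ptr<Node>(new Node{arena}));
        return true;
    }
    // Adoption moves a node into this tree; it still references its original arena.
    void adopt(Tree& from, size_t i) {
        nodes.push_back(std::move(from.nodes[i]));
        from.nodes.erase(from.nodes.begin() + i);
    }
};

// Render-tree case: no node escapes, so the arena dies together with its root.
bool arenaFreedWhenTreeDies() {
    std::weak_ptr<Arena> watch;
    { Tree a; while (a.addNode()) {} watch = a.arena; }
    return watch.expired();
}

// DOM case: fill tree A (64 slots), adopt one node into tree B, destroy A, and
// report how many bytes of A's block stay resident to keep that single node alive.
size_t bytesPinnedByOneAdoptedNode() {
    Tree b;
    std::weak_ptr<Arena> watch;
    { Tree a; while (a.addNode()) {} watch = a.arena; b.adopt(a, 0); }  // A's other 63 nodes are gone
    return watch.expired() ? 0 : Arena::kBytes;   // 4096 bytes held for one 64-byte node
}
```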