OLD | NEW |
1 # PartitionAlloc Design | 1 # PartitionAlloc Design |
2 | 2 |
3 This document explains a high-level design of PartitionAlloc. | 3 This document explains a high-level design of PartitionAlloc. |
4 If you're interested in its in-depth implementation, see comments | 4 If you're interested in its in-depth implementation, see comments |
5 in PartitionAlloc.h. | 5 in partition_alloc.h. |
6 | 6 |
7 [TOC] | 7 [TOC] |
8 | 8 |
9 ## Overview | 9 ## Overview |
10 | 10 |
11 PartitionAlloc is a memory allocator optimized for performance and security | 11 PartitionAlloc is a memory allocator optimized for performance and security |
12 in Blink. All objects in Blink are expected to be allocated with | 12 in Blink. All objects in Blink are expected to be allocated with |
13 PartitionAlloc or Oilpan (but not yet done). | 13 PartitionAlloc or Oilpan (but not yet done). |
14 | 14 |
15 ## Partitions and buckets | 15 ## Partitions and buckets |
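Review bot: the pointer at line 5 is changed from `PartitionAlloc.h` to `partition_alloc.h`, so this doc now depends on the header rename having landed; please confirm the rename is in this CL or an earlier one, otherwise readers are sent to a file that does not exist. Since the doc already uses Markdown, a relative link to the header (rather than a bare filename) would let the reference be checked mechanically and would break visibly on the next rename instead of silently going stale.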
(...skipping 50 matching lines...)
66 ## Security | 66 ## Security |
67 | 67 |
68 Security is one of the most important goals of PartitionAlloc. | 68 Security is one of the most important goals of PartitionAlloc. |
69 | 69 |
70 Different partitions are guaranteed to exist in separate address spaces. | 70 Different partitions are guaranteed to exist in separate address spaces. |
71 When objects contained in a page in a partition are all freed, | 71 When objects contained in a page in a partition are all freed, |
72 the physical memory is returned to the system but the address space | 72 the physical memory is returned to the system but the address space |
73 remains reserved. The address space may be reused later only for the partition. | 73 remains reserved. The address space may be reused later only for the partition. |
74 Remember that PartitionAlloc puts LayoutObjects into a dedicated partition. | 74 Remember that PartitionAlloc puts LayoutObjects into a dedicated partition. |
75 This is because LayoutObjects are likely to be a source of use-after-free. | 75 This is because LayoutObjects are likely to be a source of use-after-free. |
76 Simiarly, PartitionAlloc puts Strings, Vectors etc into the Buffer partition | 76 Similarly, PartitionAlloc puts Strings, Vectors etc into the Buffer partition |
77 because the length and/or contents may be exploited by user scripts. | 77 because the length and/or contents may be exploited by user scripts. |
78 This means that PartitionAlloc greedily uses virtual address spaces in favor of | 78 This means that PartitionAlloc greedily uses virtual address spaces in favor of |
79 security hardening. | 79 security hardening. |
80 | 80 |
81 Also the following security properties are provided: | 81 Also the following security properties are provided: |
82 | 82 |
83 * Linear overflows cannot corrupt into the partition. | 83 * Linear overflows cannot corrupt into the partition. |
84 | 84 |
85 * Linear overflows cannot corrupt out of the partition. | 85 * Linear overflows cannot corrupt out of the partition. |
86 | 86 |
87 * Metadata is recorded in a dedicated region (not next to each object). | 87 * Metadata is recorded in a dedicated region (not next to each object). |
88 Linear overflow or underflow cannot corrupt the metadata. | 88 Linear overflow or underflow cannot corrupt the metadata. |
89 | 89 |
90 * Buckets are helpful to allocate different-sized objects on different addresses
. | 90 * Buckets are helpful to allocate different-sized objects on different addresses
. |
91 One page can contain only similar-sized objects. | 91 One page can contain only similar-sized objects. |
92 | 92 |
93 * Dereference of a freelist pointer should fault. | 93 * Dereference of a freelist pointer should fault. |
94 | 94 |
95 * Partial pointer overwrite of freelist pointer should fault. | 95 * Partial pointer overwrite of freelist pointer should fault. |
96 | 96 |
97 * Large allocations are guard-paged at the beginning and end. | 97 * Large allocations are guard-paged at the beginning and end. |
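Review bot: the typo fix at line 76 (`Simiarly` -> `Similarly`) is correct; while touching that sentence, also change `Strings, Vectors etc into` to `Strings, Vectors, etc. into` on the same line, since that is the only remaining punctuation slip in the paragraph. The rest of the hunk is unchanged context, but note for a follow-up that the bullets at lines 93 and 95 say a freelist-pointer dereference or partial overwrite "should fault" without stating which property of the freelist layout guarantees it; one clause there would make the hardening claim verifiable against the code rather than taken on trust.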