Store Arraybuffer Metadata in its own Arena
The bug tracks backporting and landing https://bugzilla.mozilla.org/show_bug.cgi?id=1474659 to move ArrayBuffer metadata (including length) into its own jemalloc arena. This will hopefully make it harder to write exploits that fiddle the length of ArrayBuffers.
Activity
Okay, so the two patches in https://bugzilla.mozilla.org/show_bug.cgi?id=1474659 apply cleanly to esr60 and work: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c70737de337bd0ff00df317bc0272f31e308da17
The talos numbers seem to be okay, they don't indicate anything bad. I'm not sure these speedups are valid though: https://treeherder.mozilla.org/perf.html#/compare?originalProject=try&originalRevision=db57ad7ff45d3096eb579bb7fb60425d6413287f&newProject=try&newRevision=c70737de337bd0ff00df317bc0272f31e308da17&framework=1&showOnlyComparable=1&showOnlyImportant=1
I think the next step is to uplift these patches into Alpha and give it a go.
Okay,
bug_28711_v2(https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_28711_v2) has two commits that contain the backport. I tested resulting builds a bit on Windows, Linux, and Android and nothing exploded.Trac:
Status: new to needs_review
Keywords: TorBrowserTeam201901 deleted, TorBrowserTeam201901R addedmentioned in issue #30429 (moved)
