All objects in Blink are expected to be allocated with PartitionAlloc or Oilpan.
Blink uses different PartitionAlloc partitions for different kinds of objects:

* LayoutObject partition: A partition to allocate LayoutObjects. The LayoutObject partition is a SizeSpecificPartitionAllocator: each distinct LayoutObject size gets its own bucket, so no extra padding is needed to allocate a LayoutObject. Having a dedicated partition for LayoutObjects also improves cache locality and thus performance.
* Buffer partition: A partition to allocate objects whose length and/or contents are a likely target for manipulation by user scripts. Specifically, we allocate Strings and Vectors in the Buffer partition.
* ArrayBuffer partition: A partition to allocate ArrayBufferContents.
* FastMalloc partition: A partition to allocate all other objects. Objects marked with USING_FAST_MALLOC are allocated on the FastMalloc partition.
The Buffer partition and the FastMalloc partition have many buckets. They support arbitrary allocation sizes, but padding may be added to round an allocation up to the closest bucket size. The bucket sizes are chosen to keep the worst-case memory overhead from this padding below 10%.
We put LayoutObjects into a dedicated partition because LayoutObjects are likely to be a source of use-after-free (UAF) vulnerabilities. Similarly, we put Strings, Vectors, etc. into the Buffer partition, and ArrayBufferContents into the ArrayBuffer partition, because malicious web content is likely to target the length field and/or contents of these objects. A slot freed in one partition is only ever reused by an allocation from that same partition, so a dangling LayoutObject pointer cannot be made to alias attacker-controlled String or ArrayBuffer contents.
PartitionAlloc doesn't acquire a lock when allocating on the LayoutObject partition, because it's guaranteed that LayoutObjects are allocated only by the main thread. PartitionAlloc acquires a lock when allocating on the Buffer, ArrayBuffer, and FastMalloc partitions.
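The following is an added example, a toy model written for this page rather than Blink's or PartitionAlloc's own code. It puts the three points above into one runnable piece: a size-specific partition that pays no padding versus a generic bucketed partition that rounds requests up (and what the worst-case overhead of that rounding is), same-bucket slot reuse within a partition versus across partitions (why a freed LayoutObject slot cannot be refilled by a script-controlled String when the two live in different partitions), and a main-thread-only partition that skips the lock and checks the calling thread instead. The bucket spacing (16 buckets per power-of-two order), the minimum bucket of 16 bytes, and the 96-byte "LayoutObject" size are assumptions made for the model; PartitionAlloc's real bucket table is not reproduced here.

```cpp
// Added illustration only: a toy model, not Blink or PartitionAlloc code.
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <map>
#include <mutex>
#include <thread>
#include <vector>

// One partition: buckets of fixed-size slots, each with a LIFO free list, so a
// freed slot goes to the next same-bucket allocation from the same partition.
class ToyPartition {
 public:
  ToyPartition(bool size_specific, bool main_thread_only)
      : size_specific_(size_specific),
        main_thread_only_(main_thread_only),
        owner_(std::this_thread::get_id()) {}
  ~ToyPartition() { for (char* chunk : chunks_) delete[] chunk; }

  // Slot size a request of `size` bytes receives. Size-specific: one bucket per
  // exact size, no padding. Generic: round up to the next bucket; the spacing
  // (16 per power-of-two order: 64, 68, ..., 124, 128, 136, ...) is an assumption.
  size_t BucketSize(size_t size) const {
    if (size_specific_) return size;
    if (size <= kMinBucket) return kMinBucket;
    size_t order = 1;
    while (order * 2 <= size) order *= 2;   // largest power of two <= size
    size_t step = order / kBucketsPerOrder;  // >= 1 since size > kMinBucket
    return (size + step - 1) / step * step;
  }

  // A main-thread-only partition takes no lock and enforces the contract
  // instead; every other partition locks.
  void* Alloc(size_t size) {
    std::unique_lock<std::mutex> guard(lock_, std::defer_lock);
    if (main_thread_only_) {
      if (std::this_thread::get_id() != owner_) std::abort();
    } else {
      guard.lock();
    }
    std::vector<void*>& free_list = free_lists_[BucketSize(size)];
    if (!free_list.empty()) {
      void* slot = free_list.back();
      free_list.pop_back();
      return slot;
    }
    char* slot = new char[BucketSize(size)];
    chunks_.push_back(slot);
    return slot;
  }

  void Free(void* slot, size_t size) {
    std::unique_lock<std::mutex> guard(lock_, std::defer_lock);
    if (!main_thread_only_) guard.lock();
    free_lists_[BucketSize(size)].push_back(slot);
  }

 private:
  static constexpr size_t kMinBucket = 16;
  static constexpr size_t kBucketsPerOrder = 16;
  const bool size_specific_;
  const bool main_thread_only_;
  const std::thread::id owner_;
  std::mutex lock_;
  std::map<size_t, std::vector<void*>> free_lists_;
  std::vector<char*> chunks_;
};

// Worst padding/size ratio a generic partition pays for any request in
// [lo, hi]: the "worst-case memory overhead" the text keeps under 10%.
double WorstCasePaddingRatio(size_t lo, size_t hi) {
  ToyPartition generic(false, false);
  double worst = 0.0;
  for (size_t size = lo; size <= hi; ++size)
    worst = std::max(worst, double(generic.BucketSize(size) - size) / size);
  return worst;
}

// The scenario the partition split defends against: a LayoutObject is freed
// but a dangling pointer survives, and script at once allocates a String of the
// same size so its bytes land in the stale slot. True if the String got it.
bool StringReusesFreedLayoutSlot(bool separate_partitions) {
  ToyPartition shared(false, false), layout(true, true), buffer(false, false);
  ToyPartition& layout_partition = separate_partitions ? layout : shared;
  ToyPartition& buffer_partition = separate_partitions ? buffer : shared;
  constexpr size_t kSize = 96;  // made-up LayoutObject subclass size
  void* dangling = layout_partition.Alloc(kSize);
  layout_partition.Free(dangling, kSize);     // object dies, pointer survives
  void* str = buffer_partition.Alloc(kSize);  // "script allocates a String"
  bool reused = (str == dangling);
  buffer_partition.Free(str, kSize);
  return reused;
}

int main() {
  std::cout << "shared: reused=" << StringReusesFreedLayoutSlot(false)
            << " separate: reused=" << StringReusesFreedLayoutSlot(true)
            << " worst padding=" << WorstCasePaddingRatio(16, 4096) << "\n";
}
```

With one shared partition the String allocation is handed the LayoutObject's freed slot straight off the free list, which is the layout a UAF exploit wants; with separate partitions the free lists never meet, so the dangling pointer keeps pointing at memory no script-controlled object can occupy. The model's generic bucket spacing gives a worst-case padding ratio of about 6% over 16..4096-byte requests, which is the kind of bound the "less than 10%" figure above describes.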