Design Of PartitionAlloc In Blink

All objects in Blink are expected to be allocated with PartitionAlloc or Oilpan.

Blink uses different PartitionAlloc partitions, for different kinds of objects:

  • LayoutObject partition: A partition to allocate LayoutObjects. The LayoutObject partition is a ThreadUnsafePartitionAllocator. Having a dedicated partition for LayoutObjects improves cache locality and thus performance.

  • Buffer partition: A partition to allocate objects that have a strong risk that the length and/or the contents are exploited by user scripts. Specifically, we allocate Vectors, HashTables, and Strings in the Buffer partition.

  • ArrayBuffer partition: A partition to allocate ArrayBufferContentss.

  • FastMalloc partition: A partition to allocate all other objects. Objects marked with USING_FAST_MALLOC are allocated on the FastMalloc partition.

The Buffer partition and the FastMalloc partition have many buckets. They support any arbitrary size of allocations but padding may be added to align the allocation with the closest bucket size. The bucket sizes are chosen to keep the worst-case memory overhead less than 10%.


We put LayoutObjects into a dedicated partition because LayoutObjects are likely to be a source of use-after-free (UAF) vulnerabilities. Similarly, we put Strings, Vectors, et c. into the Buffer partition, and ArrayBufferContentss into the ArrayBuffer partition, because malicious web contents are likely to exploit the length field and/or contents of these objects.


PartitionAlloc doesn‘t acquire a lock when allocating on the LayoutObject partition, because it’s guaranteed that LayoutObjects are allocated only by the main thread.

PartitionAlloc acquires a lock when allocating on the Buffer, ArrayBuffer, and FastMalloc partitions.