Read OSS
webKit/webkit

WTF, Memory Management, and Core Primitives

Advanced

Prerequisites

  • Article 1: Architecture Overview and Navigating the WebKit Codebase
  • Strong C++ knowledge: move semantics, RAII, templates, CRTP
  • Understanding of reference counting vs garbage collection

WTF, Memory Management, and Core Primitives

Every line of WebKit code is built on top of two foundational layers: bmalloc (the memory allocator) and WTF (the Web Template Framework). These aren't optional libraries — they're the vocabulary of the codebase. You can't read a WebCore class without understanding Ref, can't debug a DOM mutation without knowing protectedThis, and can't reason about WebKit's security posture without understanding IsoHeap.

This article dissects these foundational layers, starting with why WebKit replaces the STL, then walking through the ownership model, and finishing with the security-hardened allocator that makes type confusion exploits significantly harder.

WTF: Why WebKit Replaces the STL

The Web Template Framework isn't a whimsical name — it's a deliberate choice to build a purpose-designed library for web engine workloads. WebKit replaces std::vector with WTF::Vector, std::unordered_map with WTF::HashMap, std::string with WTF::String, and std::shared_ptr with WTF::Ref/WTF::RefPtr.

The motivations are threefold:

  1. Performance — WebKit's containers are tuned for web workloads. Vector supports inline storage (small-buffer optimization controlled at compile time). HashMap uses open addressing with Robin Hood hashing. String stores 8-bit Latin-1 data when possible, avoiding unnecessary 16-bit storage.

  2. Security — The smart pointer types enforce ownership invariants at compile time. Ref<T> is non-nullable, eliminating an entire class of null-dereference bugs. The allocator segregates types to prevent exploitation.

  3. Platform abstraction — WTF provides threading primitives (RunLoop, WorkQueue, Lock), time utilities, and platform-specific helpers that are consistent across macOS, Linux, and Windows.

graph LR
    subgraph STL["C++ STL"]
        SV["std::vector"]
        SM["std::unordered_map"]
        SS["std::shared_ptr"]
        STR["std::string"]
    end
    subgraph WTF_LIB["WTF"]
        WV["Vector<T, N>"]
        WM["HashMap<K,V>"]
        WR["Ref<T> / RefPtr<T>"]
        WSTR["String (8/16-bit)"]
    end
    SV -.->|"replaced by"| WV
    SM -.->|"replaced by"| WM
    SS -.->|"replaced by"| WR
    STR -.->|"replaced by"| WSTR

Tip: When reading WebKit code, treat WTF types as first-class citizens, not wrappers. They're not STL-compatible drop-ins — they have different APIs, different iterator semantics, and different performance characteristics. Consult the header files directly rather than assuming STL behavior.

Reference Counting: Ref, RefPtr, and RefCounted

WebKit's primary ownership model is intrusive reference counting. Unlike std::shared_ptr which allocates a separate control block, WebKit embeds the reference count directly in the object via the RefCounted<T> base class.

The class hierarchy looks like this:

classDiagram
    class RefCountedBase {
        -uint32_t m_refCount = 1
        +ref()
        +hasOneRef() bool
        +refCount() uint32_t
        #derefBase() bool
    }
    class RefCounted~T~ {
        +deref()
    }
    class Ref~T~ {
        -T* m_ptr
        +get() T&
        +operator->() T*
    }
    class RefPtr~T~ {
        -T* m_ptr
        +get() T*
        +operator->() T*
        +operator bool()
    }
    RefCountedBase <|-- RefCounted
    RefCounted <.. Ref : "points to"
    RefCounted <.. RefPtr : "points to"

RefCountedBase is the non-template base that holds the uint32_t m_refCount (initialized to 1). The ref() method increments the count. The derefBase() method decrements and returns true when the count reaches zero — signaling the object should be deleted.

RefCounted<T> adds the template-parameterized deref() that calls delete const_cast<T*>(static_cast<const T*>(this)) when the count hits zero. This is where the actual destruction happens.

The two smart pointer types enforce different guarantees:

  • Ref<T>Non-nullable. Always holds a valid reference. Cannot be default-constructed. Construction from a T& immediately calls ref(). This is the preferred ownership type.

  • RefPtr<T>Nullable. Can hold nullptr. Useful for optional references, container values, and late-initialized fields.

The intrusive approach has a key advantage over std::shared_ptr: no separate control block allocation. This means creating a Ref<Node> to an existing DOM node is a single atomic increment — no heap allocation, no extra cache line. For a system that creates and destroys millions of DOM nodes per session, this matters enormously.

The protectedThis Pattern and Use-After-Free Prevention

One of the most important patterns in WebKit — and one you'll see hundreds of times — is protectedThis:

Ref<PendingScript> protectedThis(*this);

This appears at Source/WebCore/dom/PendingScript.cpp line 68. Why would an object take a reference to itself?

The answer lies in how DOM tree mutations work. Consider this scenario:

sequenceDiagram
    participant JS as JavaScript
    participant N as Node::dispatchEvent()
    participant DOM as DOM Tree
    
    JS->>N: element.click()
    N->>N: Begin dispatching event
    Note over N: Handler may modify DOM
    JS->>DOM: element.remove()
    Note over DOM: Node ref count drops to 0
    DOM-->>N: Node deleted!
    N->>N: 💥 Use-after-free

When a DOM node dispatches an event, the event handler (JavaScript code) can modify the DOM tree in ways that remove the very node dispatching the event. If the node's reference count drops to zero during dispatch, the node is deleted while its method is still on the call stack.

The fix is simple but must be applied consistently: at the start of any method that might trigger callbacks or DOM mutations, create a temporary Ref to *this:

void Node::someMethod() {
    Ref protectedThis { *this }; // bumps ref count
    // Safe to call code that might remove us from the tree
    dispatchEvent(...);
    // protectedThis destructor decrements count when we return
}

This pattern appears throughout WebCore, in event dispatch, timer callbacks, promise resolution, and anywhere an object's method might trigger code that could destroy it. The Ref wrapper on the stack ensures the object survives until the method returns.

Tip: If you're adding new code to WebCore that calls into JavaScript or dispatches events, always ask: "Could this callback delete the object I'm running on?" If yes, add Ref protectedThis { *this }; at the method's start.

WeakPtr and CanMakeWeakPtr

Non-owning references are equally important. WeakPtr<T> automatically becomes null when the referenced object is destroyed — no dangling pointers, no manual invalidation.

To use WeakPtr, a class must inherit from CanMakeWeakPtr:

classDiagram
    class CanMakeWeakPtr~T~ {
        -WeakPtrFactory m_weakPtrFactory
        +weakImpl() WeakPtrImpl&
    }
    class WeakPtr~T~ {
        -WeakPtrImpl* m_impl
        +get() T*
        +operator bool()
    }
    class WeakPtrImpl {
        -void* m_ptr
        +get() void*
        +clear()
    }
    CanMakeWeakPtr --> WeakPtrImpl : "owns factory"
    WeakPtr --> WeakPtrImpl : "observes"

The mechanism works through an intermediary WeakPtrImpl object. When the target is destroyed, CanMakeWeakPtr's destructor calls clear() on the impl, setting its internal pointer to null. All outstanding WeakPtrs point to the same impl, so they all become null simultaneously.

As the documentation notes, WeakPtr involves an extra level of indirection (it's a pointer to a pointer), which can hurt compiler optimizations. In performance-sensitive code, RefPtr or CheckedPtr is often preferred.

Common use cases for WeakPtr include event listeners that observe an object without extending its lifetime, cache entries that should expire when the cached object is deleted, and observer patterns where the observer shouldn't keep the subject alive.

bmalloc and IsoHeap: Security-Hardened Allocation

Below WTF sits bmalloc — WebKit's custom memory allocator. Its most important feature for security is IsoHeap (Isolated Heap), which segregates allocations by type.

In a traditional allocator, a Node object and a CSSStyleSheet object might end up in adjacent memory. If an attacker achieves use-after-free on the Node, they can allocate a CSSStyleSheet in the same memory slot and perform a type confusion attack — calling Node methods on CSSStyleSheet data.

IsoHeap prevents this by giving each type its own memory pages:

flowchart TD
    subgraph TRADITIONAL["Traditional Allocator"]
        T1["Page: [Node][CSS][Node][Event]"]
    end
    
    subgraph ISO["IsoHeap (bmalloc)"]
        I1["Page A: [Node][Node][Node]"]
        I2["Page B: [CSS][CSS][CSS]"]
        I3["Page C: [Event][Event]"]
    end
    
    TRADITIONAL -->|"type confusion possible"| VULN["🔓 Attacker can reuse Node slot with CSS object"]
    ISO -->|"type confusion blocked"| SAFE["🔒 Node slot can only be reused by Node"]

In the codebase, you'll see types opting into isolated allocation with the WTF_MAKE_TZONE_ALLOCATED macro. Look at Node.h:

class Node : public EventTarget, public CanMakeCheckedPtr<Node> {
    WTF_MAKE_PREFERABLY_COMPACT_TZONE_ALLOCATED(Node);

The TZoneMalloc system builds on bmalloc's IsoHeap to provide type-segregated allocation. The WebContent process entry point even configures TZone bucket parameters during initialization, as seen in WebContentServiceEntryPoint.mm:

#if USE(TZONE_MALLOC)
    bmalloc::api::TZoneHeapManager::setBucketParams(4);
#endif

This is defense-in-depth: even if an attacker finds a use-after-free vulnerability, type isolation limits what they can do with it.

Strings and Threading Primitives

WebKit's String type is heavily optimized for web workloads. The key insight is that most text on the web is ASCII — so String stores characters as 8-bit Latin-1 by default and only upgrades to 16-bit UChar storage when the string contains non-Latin-1 characters.

The string type hierarchy includes:

  • String — The primary nullable string type. Ref-counted StringImpl under the hood.
  • AtomString — Interned string for cheap equality comparisons (pointer equality instead of character-by-character). Used for tag names, attribute names, and CSS property names.
  • StringView — Non-owning view into string data, analogous to std::string_view.

For threading, WTF provides:

  • RunLoop — A platform-abstracted event loop (wraps CFRunLoop on Apple, GMainLoop on GTK).
  • WorkQueue — Concurrent dispatch queues for background work.
  • Lock / Condition — Lightweight synchronization primitives.
  • ThreadSafeRefCounted<T> — A variant of RefCounted that uses atomic operations for thread-safe reference counting.

Note that plain RefCounted is not thread-safe — it uses non-atomic increments. If you need to share an object across threads, it must inherit from ThreadSafeRefCounted instead. The ref count debugger will assert if you violate this rule.

What's Next

With the WTF and bmalloc foundations understood, we're ready to enter WebCore — the largest and most complex component of WebKit. In Part 3, we'll trace how HTML becomes pixels: the DOM tree, the rendering pipeline, CSS style resolution (including the unique CSS selector JIT compiler), and the Web IDL binding system that bridges JSC's garbage collector with WebCore's reference-counted world. The Ref/RefPtr patterns from this article will appear on nearly every line.