This patch implements an off-by-default flag called "scribble", which will overwrite free()'d memory with 0x55 bytes. This is to match the MallocScribble env var on macOS (see https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/MallocDebug.html) and it's a helpful tool to better detect use-after-free bugs that happen in non-instrumented code. For example, in Obj-C code a lot of memory accesses happen within libobjc, which is not instrumented, and using "scribble=1" will make it crash much more reliably.
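As an added illustration that is not part of this patch or of compiler-rt, the following C model shows what free-fill scribbling buys a defender: a freed block is overwritten with a fixed byte, so a stale pointer read from that block yields an obviously bogus address rather than a still-plausible heap pointer. The flag names follow those discussed in the review; the default values, the fixed arena that stands in for the heap, and all function names are assumptions made for this example. It also carries through the 32-bit concern raised below: 0x5555555555555555 is a non-canonical x86-64 user address and faults on dereference, whereas 0x55555555 can be a valid 32-bit address.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names follow the review thread; these default values are an
 * assumption for this example, not compiler-rt's actual defaults. */
#define FREE_FILL_BYTE      0x55u
#define MAX_FREE_FILL_SIZE  0x1000u

/* A fixed arena stands in for the heap so freed bytes can be inspected
 * legitimately; reading real free()'d memory is undefined behaviour. */
static unsigned char arena[3 * 0x1000];
static size_t arena_top;

static void *arena_alloc(size_t n) {
    if (n > sizeof arena - arena_top) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Scribble on deallocation: fill min(n, MAX_FREE_FILL_SIZE) bytes of the
 * block with the fill byte before it is returned to the allocator. */
static void arena_free(void *p, size_t n) {
    size_t fill = n < MAX_FREE_FILL_SIZE ? n : MAX_FREE_FILL_SIZE;
    memset(p, FREE_FILL_BYTE, fill);
}

/* Count how many bytes of a block carry the fill pattern. */
static size_t count_fill_bytes(const void *p, size_t n) {
    const unsigned char *b = p;
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (b[i] == FREE_FILL_BYTE);
    return c;
}

/* The pointer value a stale read of scribbled memory produces: every byte 0x55. */
static uintptr_t fill_pointer_value(void) {
    uintptr_t v;
    memset(&v, FREE_FILL_BYTE, sizeof v);
    return v;
}

struct node { struct node *next; int value; };

/* Simulated use-after-free: allocate a node, free it, then read the stale
 * 'next' field the way uninstrumented code would. Returns the pointer bits
 * that code would go on to dereference. */
static uintptr_t stale_next_after_free(void) {
    struct node *n = arena_alloc(sizeof *n);
    n->next = n;      /* a real, non-NULL pointer before the free */
    n->value = 42;
    arena_free(n, sizeof *n);
    uintptr_t bits;
    memcpy(&bits, &n->next, sizeof bits);  /* stale read from scribbled block */
    return bits;
}

/* The fill is capped: a 0x2000-byte block gets only its first 0x1000 bytes scribbled. */
static size_t scribbled_bytes_in_large_block(void) {
    size_t n = 0x2000;
    unsigned char *p = arena_alloc(n);
    memset(p, 0, n);
    arena_free(p, n);
    return count_fill_bytes(p, n);
}

/* x86-64 canonical-address check: bits 63..47 must all be equal. The 64-bit
 * fill pattern fails this, so a dereference faults at once; the 32-bit
 * pattern 0x55555555 gets no such guarantee, which is the concern in the thread. */
static int fill_pointer_is_canonical_x86_64(void) {
    uint64_t v;
    memset(&v, FREE_FILL_BYTE, sizeof v);
    uint64_t top = v >> 47;
    return top == 0 || top == 0x1FFFFu;
}

int main(void) {
    printf("stale next after free: 0x%" PRIxPTR "\n", stale_next_after_free());
    printf("scribbled bytes in 0x2000 block: 0x%zx\n", scribbled_bytes_in_large_block());
    printf("64-bit fill pattern canonical on x86-64: %d\n", fill_pointer_is_canonical_x86_64());
    return 0;
}
```

The cap matters for the same reason max_malloc_fill_size exists: filling every byte of very large blocks makes free() cost proportional to block size, so only the first MAX_FREE_FILL_SIZE bytes, where headers and pointer fields usually live, are scribbled.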
Changing the testcase slightly. I realized that 0x55555555 can actually be a valid address in some platforms.
There are already max_malloc_fill_size and malloc_fill_byte.
So, to be consistent, I suggest having flags max_free_fill_size and free_fill_byte.
I don't mind having max_free_fill_size=0x1000 by default.
lib/asan/asan_allocator.cc, line 533: If you're re-using max_malloc_fill_size, please add to its description that it's also used for scribbling after deallocation.
lib/asan/asan_flags.inc, line 153: "On deallocation..."? Since we also set it for delete/delete[].
Updating patch. This now uses the max_malloc_fill_size/max_free_fill_size and malloc_fill_byte/free_fill_byte flag names. We're also turning this on with the same env vars as Malloc Scribble on macOS does (https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/MallocDebug.html).
test/asan/TestCases/scribble.cc, line 4: and now this test will fail on non-Mac, right?
test/asan/TestCases/scribble.cc, line 4: Right, I thought this test was in TestCases/Darwin/.
If you're re-using max_malloc_fill_size, please add to its description that it's also used for scribbling after deallocation.
Otherwise, having different flags for the deallocation scribbling looks good too.