<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 12, 2016 at 12:48 AM, Sanjoy Das <span dir="ltr"><<a href="mailto:sanjoy@playingwithpointers.com" target="_blank">sanjoy@playingwithpointers.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">Hi Sean,<br>
<br>
Sean Silva wrote:<br>
><br></span><span class="">
> ASan's reuses it less often, but keeps it poisoned so that dangling pointers get caught. This makes it less likely that<br>
> re-use will cause invalid analysis results. BUT it makes it more likely that when we access a dangling pointer, it falls<br>
> into a poisoned heap area. So the net result is that it catches dangling pointers better.<br>
><br>
> Or to put it another way, the "heap slot reuse causes invalid analysis results" situation is actually a subset of "we<br>
> access a dangling pointer"<br>
<br></span>
I'm not sure about this -- is manipulating a pointer as an integer<br>
(without loading or storing through it) included in "access"? IOW,<br>
will asan catch this bug at all:<br>
<br>
DenseMap M;<br>
M[BB] = 5;<br>
delete BB;<br>
BB = new BasicBlock()<br>
return M[BB];<br>
<br>
?<br>
<br>
It seems to be fine with<br>
<br>
int main(int, char **) {<br>
int *f = new int[5];<br>
delete[]f;<br>
return f == (int*) 100;<div class=""><div class="h5"><br>
}<br></div></div></blockquote><div><br></div><div><br></div><div>Yeah, this is the reason that I qualified my ASan comment with "if we do try to access through any of these dangling pointers".</div><div><br></div><div>-- Sean Silva</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">
<br>
<br>
> which is what we really want to catch (I mean "dangling" in a sense that a pointer stays<br>
> "dangling" even if its heap slot is reused). By avoiding reuse of heap slots, the dangling pointer is more likely to be<br>
> in a heap slot that ASan is keeping poisoned and not reusing (hence it can detect the error).<br>
><br>
> -- Sean Silva<br>
><br>
><br>
> (Or did I just re-state what you were saying?)<br>
><br>
> -- Sanjoy<br>
><br>
><br>
</div></div></blockquote></div><br></div></div>