In the following code snippet there is an error that is not trivial but I would have expected tools like AddressSanitizer to catch it.
#include <vector>
#include <iostream>
int main ()
{
std::vector<int> toto;
toto.push_back(2);
int const& titi = toto[0];
toto.pop_back();
std::cout << titi << std::endl;
return 1;
}
When scopping the vector and printing outside of the scope the catch reference an error is thrown use-heap-after-free.
But when there is no scope, the std::vector
implementation will probably not release the memory after the pop_back thus the reference is still pointing towards valid memory.
I have search around and I found that you can manually poison memory and I was wondering if this has been implemented in STL (https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning)
This has been implemented in Clang (libc++) and relatively recent GNU (libstdc++) STLs (see Asan wiki for details).
One problem with this feature is that it breaks separate sanitization i.e. ability to sanitize only parts of your app (e.g. only executable and not the libs). The issue is that if vector is pushed in unsanitized and popped in sanitized code, the pusher will not be aware that it needs to unpoison the buffer. For this reason it's disabled by default in GCC (define _GLIBCXX_SANITIZE_VECTOR
to enable it), Clang still has it one by default for unclear reasons.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With