Manual poisoning of std::vector

There is an error in the following code snippet that is not trivial, but I would expect tools like AddressSanitizer to catch it.

#include <vector>
#include <iostream>

int main ()
{
 std::vector<int> toto;
 toto.push_back(2);
 int const& titi = toto[0];       // reference into the vector's buffer
 toto.pop_back();                 // element removed, but the buffer is not freed
 std::cout << titi << std::endl;  // read through a dangling reference
 return 1;
}

When the vector goes out of scope before the reference is printed, the dangling reference triggers a heap-use-after-free error.

But when the vector stays in scope, the std::vector implementation probably won't free memory after pop_back, so the reference is still pointing to valid memory.

I had a search around and I found that you can manually poison the memory, and I was wondering if this is implemented in the STL library (https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning).



1 answer


This was implemented in Clang's libc++ and Google's libstdc++ branch (see the ASan wiki for details).



One problem with this feature is that it breaks partial sanitization, that is, the ability to sanitize only part of your application (for example, only the executable, not the libs). The problem is that if a vector is pushed to in unsanitized code and then pushed to in sanitized code, the pusher will not know that it needs to unpoison the buffer.
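To show what the libc++ annotation amounts to, here is an added example (not from the question, the answer, or libc++) of a toy buffer that poisons the slot released by pop_back with the manual-poisoning API from the wiki the question links; PoisonedVec, IS_POISONED and HAVE_ASAN are names chosen for this example. Without -fsanitize=address the poisoning calls compile to no-ops and tail_poisoned() reports the intended model instead of querying shadow memory.

```cpp
#include <cstddef>
// Detect ASan under both GCC and Clang; without it the poisoning calls become no-ops.
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define IS_POISONED(p) (__asan_address_is_poisoned(p) != 0)
#else
#  define ASAN_POISON_MEMORY_REGION(addr, size) ((void)(addr), (void)(size))
#  define ASAN_UNPOISON_MEMORY_REGION(addr, size) ((void)(addr), (void)(size))
#  define IS_POISONED(p) ((void)(p), true)  // no shadow memory to query: assume the model holds
#endif

// Fixed-capacity int buffer whose dead slots stay poisoned (hypothetical, example-only).
class PoisonedVec {
 public:
  explicit PoisonedVec(std::size_t cap) : data_(new int[cap]), size_(0), cap_(cap) {
    ASAN_POISON_MEMORY_REGION(data_, cap_ * sizeof(int));  // nothing is live yet
  }
  // Unpoison before handing the block back to the allocator.
  ~PoisonedVec() { ASAN_UNPOISON_MEMORY_REGION(data_, cap_ * sizeof(int)); delete[] data_; }
  bool push_back(int v) {
    if (size_ == cap_) return false;
    ASAN_UNPOISON_MEMORY_REGION(data_ + size_, sizeof(int));  // slot becomes live
    data_[size_++] = v;
    return true;
  }
  void pop_back() {  // slot is dead but still allocated: poison it, as annotated libc++ does
    ASAN_POISON_MEMORY_REGION(data_ + --size_, sizeof(int));
  }
  int& operator[](std::size_t i) { return data_[i]; }
  std::size_t size() const { return size_; }
  bool tail_poisoned() const { return size_ < cap_ && IS_POISONED(data_ + size_); }
 private:
  int* data_; std::size_t size_; std::size_t cap_;
};

// The question's sequence (push, keep a reference, pop): under ASan, dereferencing
// `titi` afterwards is reported as container-overflow instead of silently printing 2.
bool question_sequence_poisons_slot() {
  PoisonedVec toto(4);
  toto.push_back(2);
  int const& titi = toto[0];
  toto.pop_back();
  (void)titi;  // `std::cout << titi` here would trigger the ASan report
  return toto.size() == 0 && toto.tail_poisoned();
}
```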
