5

In the following code snippet there is an error that is not trivial but I would have expected tools like AddressSanitizer to catch it.

#include <vector>
#include <iostream>

int main ()
{
 std::vector<int> toto;
 toto.push_back(2);
 int const& titi = toto[0];
 toto.pop_back();
 std::cout << titi << std::endl;
 return 1;
}

When scopping the vector and printing outside of the scope the catch reference an error is thrown use-heap-after-free.

But when there is no scope, the std::vector implementation will probably not release the memory after the pop_back thus the reference is still pointing towards valid memory.

I have search around and I found that you can manually poison memory and I was wondering if this has been implemented in STL (https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning)

yugr
  • 19,769
  • 3
  • 51
  • 96
moeryn
  • 198
  • 2
  • 12
  • Perhaps one of runtime libraries does this in a debug build. But I would not expect this in a release build as it is against the principle of "only pay for what you need". – Richard Critten Apr 13 '17 at 10:43

1 Answers1

3

This has been implemented in Clang (libc++) and relatively recent GNU (libstdc++) STLs (see Asan wiki for details).

One problem with this feature is that it breaks separate sanitization i.e. ability to sanitize only parts of your app (e.g. only executable and not the libs). The issue is that if vector is pushed in unsanitized and popped in sanitized code, the pusher will not be aware that it needs to unpoison the buffer. For this reason it's disabled by default in GCC (define _GLIBCXX_SANITIZE_VECTOR to enable it), Clang still has it one by default for unclear reasons.

yugr
  • 19,769
  • 3
  • 51
  • 96