Index: base/memory/scoped_ptr.h |
diff --git a/base/memory/scoped_ptr.h b/base/memory/scoped_ptr.h |
index fb781b0b32ddfd8b47ff3e4a0662ff53b9cd8760..47124d4b6d982a34481916ab5fe1ab4db74d4979 100644 |
--- a/base/memory/scoped_ptr.h |
+++ b/base/memory/scoped_ptr.h |
@@ -220,6 +220,12 @@ class scoped_ptr_impl { |
// Not using get_deleter() saves one function call in non-optimized |
// builds. |
static_cast<D&>(data_)(data_.ptr); |
+ // Even though |this| should no longer be accessed after destruction, |
+ // there may be use-after-free bugs. Setting |data_.ptr| to null should |
+ // cause many attempts to dereference |this| to segfault closer to the |
+ // source of the use-after-free. Of course, this may not catch issues if |
+ // the memory is immediately re-allocated and altered. |
+ data_.ptr = nullptr; |
danakj
2015/09/21 21:40:52
In libc++ they null the member then call the delet
danakj
2015/09/21 21:43:08
I guess that is because they reset() in the destru
Anand Mistry (off Chromium)
2015/09/22 01:13:53
Since we're in the territory of undefined behaviou
tapted
2015/09/22 02:53:09
(drive-by): the null-before-delete strategy is to
Anand Mistry (off Chromium)
2015/09/22 03:14:15
This is the defined behaviour for unique_ptr::rese
|
} |
} |
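Review bot: the added line nulls `data_.ptr` only after the deleter has already run on it (`static_cast<D&>(data_)(data_.ptr);` followed by `data_.ptr = nullptr;`), so during the deleter call the member still holds a dangling pointer; if the pointee's destructor re-enters this scoped_ptr (the situation the comment is trying to diagnose), that re-entrant access sees the freed pointer rather than null and the check buys nothing for that case. The null-before-delete order raised in the thread (libc++, and the defined behaviour of `unique_ptr::reset`) closes that window: copy `data_.ptr` into a local, set `data_.ptr = nullptr;`, then invoke the deleter on the local. It would also help to state in the new comment that this only catches dereferences made through the destroyed scoped_ptr's own storage; raw pointers copied out earlier are unaffected, in addition to the re-allocation caveat already noted.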