> On Thu, Jul 04, 2013 at 05:24:20PM +0200, Mark Kettenis wrote:
> > > From: Theo de Raadt <dera...@cvs.openbsd.org>
> > > Date: Thu, 04 Jul 2013 09:04:54 -0600
> > >
> > > I suspect the best approach would be a hybrid value. The upper half
> > > of the address should try to land in an unmapped zone, or into the zero
> > > page, or into some address space hole, or into super high memory above
> > > the stack which is guaranteed unmapped.
> >
> > Don't forget strict alignment architectures, where it is beneficial
> > to have the lowest bit set to trigger alignment traps.
>
> You also want the highest bit set. This makes sure signed indexes get
> interpreted as negative, which should more often detect problems than
> positive ones. There are not only pointers in the heap.
A while ago someone hit a bug in my code that I hadn't (and wouldn't ever have) triggered with MALLOC_OPTIONS=S, because the Duh pattern always sets the high bit, giving a negative integer which just so happened to be harmless. Back then I wished malloc would've used all random bits instead. If you test-run your code more than a couple of times (as one obviously should, before going into release), then I'd say randomness (which will likely soon produce a bug-trigger value) is better than a fixed pattern that attempts to be useful in some (common?) scenarios but will reliably fail to make a difference in other cases. I do see the value in having the option to use fixed patterns, though, so perhaps the hybrid value with a configurable mask, as Theo proposed, is a good idea.
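The scenario above, as an added illustration that is not part of this thread and not OpenBSD's malloc code: a toy junk fill compares a fixed byte (0xd0 is assumed here as a stand-in for the fixed pattern) against deterministic pseudo-random bytes, fed to a consumer that reads an uninitialised int as an index and silently ignores negative values. `inspect_pattern` also reports the two properties the quoted messages ask of a poison word (high bit and low bit set).

```c
#include <stdint.h>
#include <string.h>

/* Properties of a candidate poison word raised in the thread. */
struct junk_props { int high_bit; int low_bit; int negative_as_int; };

struct junk_props inspect_pattern(uint32_t word)
{
    struct junk_props p;
    p.high_bit = (word >> 31) & 1;        /* signed indexes read as negative */
    p.low_bit  = word & 1;                /* misaligned on strict-alignment CPUs */
    p.negative_as_int = (int32_t)word < 0;
    return p;
}

/* Tiny deterministic LCG standing in for random junk (constructed, reproducible). */
static uint32_t lcg_state = 12345u;
static uint8_t lcg_byte(void)
{
    lcg_state = lcg_state * 1103515245u + 12345u;
    return (uint8_t)(lcg_state >> 16);
}

/* Buggy consumer: reads an int index it never initialised. A negative index is
 * silently dropped (the "harmless" path), an index >= 16 is the out-of-bounds
 * bug a bounds checker would catch. Returns 1 when the bug is exposed. */
static int consumer_exposes_bug(const uint8_t *junk)
{
    int32_t idx;
    memcpy(&idx, junk, sizeof idx);
    if (idx < 0)
        return 0;
    return idx >= 16;
}

/* Fill `trials` 4-byte "allocations" with a fixed byte or LCG bytes and
 * count how many runs expose the bug. The fixed pattern with the high bit set
 * never does; random bytes do roughly half the time. */
int count_exposures(int trials, int use_random, uint8_t fixed_byte)
{
    int exposed = 0;
    for (int t = 0; t < trials; t++) {
        uint8_t buf[4];
        for (int i = 0; i < 4; i++)
            buf[i] = use_random ? lcg_byte() : fixed_byte;
        exposed += consumer_exposes_bug(buf);
    }
    return exposed;
}
```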