> In the end all double frees still will be caught by the actual free
> code, just with a delay. The delayed free buffer double free check is
> just a way of catching it as soon as possible to make debugging
> easier.  That's the reason the original code could just do the check
> on the slot being replaced only.
> 
> The only case that could be missed is when the chunk is given out by
> malloc in between the original free and the double free. But that
> case can never be caught in all circumstances since the delay buffer is of
> finite size.
> 
>       -Otto

True, the delay buffer currently only guarantees allocations are kept
out of circulation for one cycle since the random choice is between
previously freed allocations, never the current one.

It matters more with the other change making half of the quarantine into
a ring buffer to provide a longer guaranteed delay. I think that makes
sense as a trade-off vs. an extra bit of entropy from a 2x larger random
array for a given total quarantine size. It also improves the
write-after-free detection, especially with a configurable quarantine size,
which makes it somewhat like the ASan quarantine but with delayed
detection of write-after-free and only indirect read-after-free
detection via junk filling (i.e. if something ends up crashing /
breaking from reading junk instead of what it expected).

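The quarantine shape discussed in this reply (a random array whose evicted entry feeds a ring buffer, junk filling on free, and a double free caught either at insertion or later by the real free path) as an added C simulation. This is illustration code written for this page, not code from the thread, from OpenBSD's malloc or from any other allocator; the slot counts, chunk size, junk byte, bitmap "heap", the error codes and the xorshift generator standing in for the real random source are all assumptions made for the demo.

```c
/* Toy delayed-free quarantine: random array -> ring buffer -> real free.
 * Added example; sizes, names and the junk byte are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 16
#define NCHUNKS    64
#define RAND_SLOTS 4      /* random stage: eviction order is random      */
#define RING_SLOTS 4      /* FIFO stage: gives a guaranteed minimum delay */
#define JUNK       0xdf   /* fill byte written on free (assumed value)    */

enum { Q_OK = 0, Q_DOUBLE_FREE_EARLY, Q_DOUBLE_FREE_LATE, Q_WRITE_AFTER_FREE };

static unsigned char heap[NCHUNKS][CHUNK_SIZE];
static unsigned char in_use[NCHUNKS];  /* 1 while allocated or quarantined */
static void *rand_slots[RAND_SLOTS];
static void *ring[RING_SLOTS];
static size_t ring_head;
static uint32_t rng_state;

static uint32_t rng(void)  /* xorshift32: deterministic stand-in for arc4random */
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

void sim_reset(void)
{
    memset(heap, 0, sizeof heap);
    memset(in_use, 0, sizeof in_use);
    memset(rand_slots, 0, sizeof rand_slots);
    memset(ring, 0, sizeof ring);
    ring_head = 0;
    rng_state = 0x9e3779b9u;
}

void *sim_malloc(void)
{
    for (size_t i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return heap[i]; }
    return NULL;
}

static size_t chunk_index(void *p)
{
    return (size_t)((unsigned char *)p - heap[0]) / CHUNK_SIZE;
}

/* The "actual free code": the bitmap catches a double free that slipped past
 * the quarantine check, the junk pattern catches a write made while the chunk
 * sat in quarantine (reads of junk are only caught indirectly, by the caller
 * misbehaving). */
static int real_free(void *p)
{
    size_t i = chunk_index(p);
    if (!in_use[i])
        return Q_DOUBLE_FREE_LATE;
    for (size_t j = 0; j < CHUNK_SIZE; j++)
        if (heap[i][j] != JUNK)
            return Q_WRITE_AFTER_FREE;
    in_use[i] = 0;
    return Q_OK;
}

int sim_free(void *p)
{
    if (p == NULL)
        return Q_OK;
    memset(p, JUNK, CHUNK_SIZE);
    /* Stage 1: the chunk being freed always takes a random slot; the previous
     * occupant is what moves on. Only that one slot is compared against p, so
     * a double free is caught here only if the pick lands on p's own slot. */
    size_t i = rng() % RAND_SLOTS;
    void *victim = rand_slots[i];
    if (victim == p)
        return Q_DOUBLE_FREE_EARLY;
    rand_slots[i] = p;
    if (victim == NULL)
        return Q_OK;
    /* Stage 2: the evicted chunk enters the ring; the oldest ring entry is the
     * one that finally reaches real_free(), RING_SLOTS frees later. */
    void *oldest = ring[ring_head];
    ring[ring_head] = victim;
    ring_head = (ring_head + 1) % RING_SLOTS;
    return oldest ? real_free(oldest) : Q_OK;
}

/* Push everything still quarantined through real_free(); first error wins. */
int quarantine_flush(void)
{
    int rc = Q_OK, r;
    for (size_t k = 0; k < RING_SLOTS; k++) {
        void **s = &ring[(ring_head + k) % RING_SLOTS];
        if (*s && (r = real_free(*s)) != Q_OK && rc == Q_OK) rc = r;
        *s = NULL;
    }
    for (size_t k = 0; k < RAND_SLOTS; k++) {
        if (rand_slots[k] && (r = real_free(rand_slots[k])) != Q_OK && rc == Q_OK) rc = r;
        rand_slots[k] = NULL;
    }
    return rc;
}

int demo_double_free(void)          /* caught early or late, never missed */
{
    sim_reset();
    void *p = sim_malloc();
    sim_free(p);
    int rc = sim_free(p);           /* the bug */
    return rc != Q_OK ? rc : quarantine_flush();
}

int demo_write_after_free(void)     /* caught when the chunk leaves quarantine */
{
    sim_reset();
    unsigned char *p = sim_malloc();
    sim_free(p);
    p[3] = 'A';                     /* the bug */
    return quarantine_flush();
}

int demo_min_delay(void)            /* 1 if p is still out of circulation */
{
    sim_reset();
    void *others[RING_SLOTS];
    for (size_t k = 0; k < RING_SLOTS; k++) others[k] = sim_malloc();
    void *p = sim_malloc();
    sim_free(p);
    for (size_t k = 0; k < RING_SLOTS; k++) sim_free(others[k]);
    return in_use[chunk_index(p)];
}

int main(void)
{
    printf("double free: %d, write after free: %d, still quarantined: %d\n",
           demo_double_free(), demo_write_after_free(), demo_min_delay());
    return 0;
}
```

The random stage alone promises only that the chunk just freed is never the one handed back, which is the "one cycle" guarantee from the reply; the ring stage adds RING_SLOTS frees of fixed delay on top of whatever the random pick gives, and `demo_min_delay()` checks that bound regardless of the generator's output. A double free that misses the single-slot comparison is still reported by `real_free()` once both copies drain, which is the delayed detection Otto describes; the only miss is a chunk that left quarantine and was reallocated in between, which this model cannot distinguish from a legitimate free.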