bool far_from_bounds = false;
shadow_val = *shadow_addr;
int bug_type_score = 0;
+ // For use-after-frees reads are almost as bad as writes.
+ int read_after_free_bonus = 0;
switch (shadow_val) {
case kAsanHeapLeftRedzoneMagic:
case kAsanHeapRightRedzoneMagic:
case kAsanHeapFreeMagic:
bug_descr = "heap-use-after-free";
bug_type_score = 20;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanStackLeftRedzoneMagic:
bug_descr = "stack-buffer-underflow";
case kAsanStackAfterReturnMagic:
bug_descr = "stack-use-after-return";
bug_type_score = 30;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanUserPoisonedMemoryMagic:
bug_descr = "use-after-poison";
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
break;
}
- SS.Scare(bug_type_score, bug_descr);
+ SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
if (far_from_bounds)
SS.Scare(10, "far-from-bounds");
}
// CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
// CHECK4: SCARINESS: 52 (8-byte-write-heap-buffer-overflow-far-from-bounds)
// CHECK5: SCARINESS: 55 (multi-byte-write-heap-buffer-overflow-far-from-bounds)
- // CHECK6: SCARINESS: 22 (1-byte-read-heap-use-after-free)
+ // CHECK6: SCARINESS: 40 (1-byte-read-heap-use-after-free)
// CHECK7: SCARINESS: 46 (4-byte-write-heap-use-after-free)
- // CHECK8: SCARINESS: 33 (8-byte-read-heap-use-after-free)
+ // CHECK8: SCARINESS: 51 (8-byte-read-heap-use-after-free)
// CHECK9: SCARINESS: 55 (multi-byte-write-heap-use-after-free)
// CHECK10: SCARINESS: 46 (1-byte-write-stack-buffer-overflow)
// CHECK11: SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
// CHECK12: SCARINESS: 61 (4-byte-write-stack-buffer-overflow-far-from-bounds)
- // CHECK13: SCARINESS: 32 (1-byte-read-stack-use-after-return)
+ // CHECK13: SCARINESS: 50 (1-byte-read-stack-use-after-return)
// CHECK14: SCARINESS: 65 (multi-byte-write-stack-use-after-return)
// CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
// CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)