Dangling pointers are not a problem unless they are dereferenced and used. However, they are a source of UaF bugs and highly discouraged unless you are 100% confident that they are never dereferenced after the pointed-to objects are freed.
Behind build flags, Chrome implements a dangling pointer detector. It causes Chrome to crash, whenever a raw_ptr becomes dangling:
raw_ptr<T> ptr_never_dangling;
On the other hand, we cannot simply ban all the usage of dangling pointers because there are valid use cases. The DisableDanglingPtrDetection option can be used to annotate “intentional-and-safe” dangling pointers. It is meant to be used as a last resort, only if there is no better way to re-architecture the code.
raw_ptr<T, DisableDanglingPtrDetection> ptr_may_dangle;
It is gated behind both build and runtime flags:
gn args ./out/dangling/
use_goma = true is_debug = false dcheck_always_on = true use_backup_ref_ptr = true enable_dangling_raw_ptr_checks = true
We want to emphasize that is_debug = false is important. It is a common mistake to set it to true, which in turn turns on component builds, which disabled PartitionAlloc-Everywhere. use_backup_ref_ptr = true can't be used without PartitionAlloc-Everywhere, leading to error:
ERROR at //base/allocator/allocator.gni:126:3: Assertion failed. assert(!use_backup_ref_ptr || use_allocator == "partition",
./out/dangling/content_shell \ --enable-features=PartitionAllocBackupRefPtr,PartitionAllocDanglingPtr
By default, Chrome will crash on the first dangling raw_ptr detected.
--enable-features=PartitionAllocBackupRefPtr,PartitionAllocDanglingPtr:mode/crash
Example usage:
./out/dangling/content_shell \ --enable-features=PartitionAllocBackupRefPtr,PartitionAllocDanglingPtr:mode/log_signature \ |& tee output
The logs can be filtered and transformed into a tab separated table:
cat output \ | grep "DanglingSignature" \ | cut -f2,3 \ | sort \ | uniq -c \ | sed -E 's/^ *//; s/ /\t/' \ | sort -rn
This is used to list issues and track progresses.
This raw_ptr option means it is allowed to dangle. Contrary to DisableDanglingPtrDetection, we don't know yet why it dangle. It is meant to be either refactored to avoid dangling, or turned into “DisableDanglingPtrDetection” with a comment explaining what happens.
