Authors
HyungSeok Han, Andrew Wesie, Brian Pak
Publication date
2021
Conference
30th USENIX Security Symposium (USENIX Security 21)
Pages
2059-2074
Description
Compacting garbage collection (compact-gc) is a method that improves memory utilization and reduces memory fragmentation by rearranging live objects and updating their references using an address table. A critical use-after-free bug may exist if an object reference that is not registered in the address table is used after compact-gc, as the live object may be moved but the reference will not be updated after compact-gc. We refer to this as a use-after-compact-gc (use-after-cgc) bug. Prior tools have attempted to statically detect these bugs with target-specific heuristics. However, due to their path-insensitive analysis and imprecise target-specific heuristics, they have high false-positives and false-negatives.
Scholar articles
HS Han, A Wesie, B Pak - 30th USENIX Security Symposium (USENIX Security …, 2021