From 1dcc21d32eaaefc2764b2897274f73724fae2ba9 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Thu, 16 Jul 2020 17:23:39 +0200
Subject: [PATCH] UserspaceEmulator: Include malloc/free backtraces in UAF logs :^)

When catching a use-after-free, we now also print out the backtraces for where the memory was allocated, and for where it was freed. This will be extremely helpful for debugging.
---
 DevTools/UserspaceEmulator/MallocTracer.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/DevTools/UserspaceEmulator/MallocTracer.cpp b/DevTools/UserspaceEmulator/MallocTracer.cpp
index 07b8123454..67f921268a 100644
--- a/DevTools/UserspaceEmulator/MallocTracer.cpp
+++ b/DevTools/UserspaceEmulator/MallocTracer.cpp
@@ -101,8 +101,11 @@ void MallocTracer::audit_read(FlatPtr address, size_t size)
 if (mallocation->freed) {
 dbgprintf("\n");
 dbgprintf("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte read at address %p\n", s_pid, size, address);
- dbgprintf("==%d== Address is %zu bytes into freed block of size %zu\n", s_pid, offset_into_mallocation, mallocation->size);
 Emulator::the().dump_backtrace();
+ dbgprintf("==%d== Address is %zu bytes into block of size %zu, allocated at:\n", s_pid, offset_into_mallocation, mallocation->size);
+ Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
+ dbgprintf("==%d== Later freed at:\n", s_pid, offset_into_mallocation, mallocation->size);
+ Emulator::the().dump_backtrace(mallocation->free_backtrace);
 return;
 }
 }
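Review bot: The new `Later freed at:` line in audit_read passes `offset_into_mallocation` and `mallocation->size` to a format string that has only the single `%d` conversion for `s_pid`, so two arguments are silently unused; the audit_write hunk carries the same leftover. Extra printf-style arguments are ignored at runtime, but if dbgprintf is declared with a printf format attribute this will warn under `-Wformat-extra-args`, and it reads as a copy-paste remnant of the removed line, so trim the call to `dbgprintf("==%d== Later freed at:\n", s_pid);` in both places. Since the log now prints three backtraces in a row, it would also help readers to label the first one, which is still the bare `Emulator::the().dump_backtrace();` with no heading, e.g. by preceding it with `dbgprintf("==%d== Accessed at:\n", s_pid);`. audit_read starts before this hunk and its body may continue past it.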
@@ -124,8 +127,11 @@ void MallocTracer::audit_write(FlatPtr address, size_t size)
 if (mallocation->freed) {
 dbgprintf("\n");
 dbgprintf("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte write at address %p\n", s_pid, size, address);
- dbgprintf("==%d== Address is %zu bytes into freed block of size %zu\n", s_pid, offset_into_mallocation, mallocation->size);
 Emulator::the().dump_backtrace();
+ dbgprintf("==%d== Address is %zu bytes into block of size %zu, allocated at:\n", s_pid, offset_into_mallocation, mallocation->size);
+ Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
+ dbgprintf("==%d== Later freed at:\n", s_pid, offset_into_mallocation, mallocation->size);
+ Emulator::the().dump_backtrace(mallocation->free_backtrace);
 return;
 }
 }