GrapheneOS used to implement a local-init sanitizer for Clang to zero uninitialized variables in C and C++. In the development branch, this feature is once again globally enabled for Vanadium and the GrapheneOS kernel/userspace via Clang's new -ftrivial-auto-var-init=zero switch.
Conversation
Replying to
Wouldn’t 0xFEEDFACE (pick your favorite) be a better auto-initialization choice, because if you ever see it, there’s a 99% chance you know what the problem is....
1
Replying to
In production releases, our goal is hardening, not discovering or resolving bugs. Zero is least likely to turn an otherwise inert bug into an exploitable vulnerability. It's also the least disruptive. A non-zero value uncovers more bugs and leads to crashes / memory corruption.
1
5
For 32-bit processes on 64-bit, the entire 32-bit address space is accessible other than below mmap_min_addr. It's important for the pattern to be chosen so that dereferences of pointers will be caught, including reasonable offsets from the address created by the fill pattern.