ASan is a runtime detector; it only works if you have a test case that covers the buggy thing, like in this case sending a malformed heartbeat request. OpenSSL pretty clearly didn't have a test case for that - if they did, they'd've caught the problem, with or without ASan. It's like the difference between a type system and unit testing.
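An added example illustrating the comment's point (not part of the original comment, and not OpenSSL code): a toy heartbeat echo with and without the length check. The record layout and the names `echo_unchecked`, `echo_checked` and `run_case` are assumptions made for this sketch. Built with ASan, the well-formed test is clean for both handlers; only the malformed input reaches the over-read that ASan reports.

```c
/* Added example: toy heartbeat echo, constructed for illustration (not OpenSSL code).
 * Assumed record layout: 1 type byte, 2-byte big-endian claimed length, payload.
 * Build: cc -g -fsanitize=address heartbeat_demo.c -o heartbeat_demo */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_CAP 65535 /* largest length a 2-byte field can claim */

/* "Before": trusts the claimed length, so memcpy can read past the record. */
static size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* "After": drop any record whose claimed length exceeds the bytes received. */
static size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - 3) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Build an exactly-sized heap record (so ASan's redzone sits right after it),
 * run one handler on it, and return the response length. */
size_t run_case(int checked, uint16_t claimed, const char *payload) {
    size_t n = strlen(payload), rec_len = 3 + n;
    uint8_t *rec = malloc(rec_len), *out = malloc(OUT_CAP);
    if (!rec || !out) { free(rec); free(out); return 0; }
    rec[0] = 1; rec[1] = (uint8_t)(claimed >> 8); rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + 3, payload, n);
    size_t got = checked ? echo_checked(rec, rec_len, out) : echo_unchecked(rec, rec_len, out);
    free(rec); free(out);
    return got;
}

int main(int argc, char **argv) {
    /* Well-formed test: clean under ASan for both handlers, so the bug stays hidden. */
    printf("well-formed: unchecked=%zu checked=%zu\n", run_case(0, 4, "ping"), run_case(1, 4, "ping"));
    printf("malformed:   checked=%zu\n", run_case(1, 4000, "ping"));
    /* Only this input reaches the over-read; ASan reports heap-buffer-overflow here. */
    if (argc > 1 && strcmp(argv[1], "--malformed") == 0)
        printf("malformed:   unchecked=%zu\n", run_case(0, 4000, "ping"));
    return 0;
}
```

Run without arguments, the ASan build exits cleanly; run with `--malformed`, it aborts with a heap-buffer-overflow read in `echo_unchecked`.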