In this case, the pointer of "button" object was a dangling pointer , as shown in Fig.
Definition 1 The pointer variable p is a dangling pointer, if and only if (x := allocate(size) | 0 [less than or equal to] x [less than or equal to] [2.
Definition 2 A program crash is UAF vulnerability, if and only if the dangling pointer is generated and reused during the execution process of the program.
It should be noted that not all the dangling pointers generated by program will cause crash, only the key dangling pointer (noted KDP) which cause crash is concerned.
To exploit UAF vulnerability, "memory occupying" should be carried out, that is, before the dangling pointer is reused, the pointed memory area is first filled as the controllable data.
According to Definition 1, the dangling pointer must be a released one, and according to Property 1, the crash context will restore the information of the KDP.
Electric Fence tool  and PageHeap technique  use a new page for each allocation and rely on page protection mechanisms to detect dangling pointer uses, but it can hardly locate the root of the dangling pointer.
Based on the method of dynamic taint analysis , Undangle  tracks the allocations and releases of all pointers in the program, and is effective in finding and eliminating the dangling pointers.
In certain circumstances, properties in the plugin instance's parameter array could be freed prematurely leaving a dangling pointer
that the plugin could execute, potentially calling into attacker-controlled memory," the security update states.
The developers say that, "In certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely leaving a dangling pointer
that the plug-in could execute, potentially calling into attacker-controlled memory.