Definition 1 The pointer variable p is a dangling pointer if and only if $(x := \mathrm{allocate}(size) \mid 0 \le x \le 2^{32} - 1) \wedge (p \in [x, x + size - 1]) \wedge (\mathrm{release}(x))$
Definition 2 A program crash is a UAF vulnerability if and only if a dangling pointer is generated and reused during the execution of the program.
It should be noted that not all dangling pointers generated by a program will cause a crash; only the key dangling pointer (denoted KDP), which causes the crash, is of concern.
To exploit a UAF vulnerability, "memory occupying" should be carried out; that is, before the dangling pointer is reused, the memory area it points to is first filled with controllable data.
According to Definition 1, the dangling pointer must be a released one, and according to Property 1, the crash context will restore the information of the KDP.
Since the causes of non-UAF vulnerabilities are unrelated to dangling pointers, it is difficult to find the candidate set of the KDP, leading to a clustering eigenvalue of 0 on the y-axis.
Table 1 illustrates the comparison results of runtime between ADEDU, FileFuzz, MSEC and UnDangle which can find dangling pointers. ADEDU analyzed 1041 samples in 12692 seconds, an average of 12.2 seconds per sample.
Studies on UAF vulnerability: Some debugging tools such as Purify can find dangling pointers by checking whether the pointers point to live memory.
"In certain circumstances, properties in the plugin instance's parameter array could be freed prematurely leaving a dangling pointer that the plugin could execute, potentially calling into attacker-controlled memory," the security update states.
The developers say that, "In certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory."