Protect against use-after-free access to meta data.

src/snmalloc/mem/localalloc.h

@@ -830,6 +830,11 @@ namespace snmalloc
 
       auto* meta_slab = entry.get_slab_metadata();
 
+      if (SNMALLOC_UNLIKELY(entry.is_backend_owned()))
+      {
+        error("Cannot access meta-data for write for freed memory!");
+      }
+
       if (SNMALLOC_UNLIKELY(meta_slab == nullptr))
       {
         error(
@@ -853,7 +858,8 @@ namespace snmalloc
 
       auto* meta_slab = entry.get_slab_metadata();
 
-      if (SNMALLOC_UNLIKELY(meta_slab == nullptr))
+      if (SNMALLOC_UNLIKELY(
+            (meta_slab == nullptr) || (entry.is_backend_owned())))
       {
         static typename Config::ClientMeta::StorageType null_meta_store{};
         return Config::ClientMeta::get(&null_meta_store, 0);

src/snmalloc/mem/metadata.h

@@ -690,9 +690,7 @@ namespace snmalloc
      */
     [[nodiscard]] SNMALLOC_FAST_PATH SlabMetadata* get_slab_metadata() const
     {
-      // TODO Following assertion removed for client meta-data use case.
-      // Think about possible UAF scenarios.
-      // SNMALLOC_ASSERT(get_remote() != nullptr);
+      SNMALLOC_ASSERT(!is_backend_owned());
       return unsafe_from_uintptr<SlabMetadata>(meta & ~META_BOUNDARY_BIT);
     }
   };