regehr, this has to be one of my all-time favorite bug-finding techniques: in your widely deployed software, at very low probability, you put a new heap allocation next to a protected page. performance is unaffected and the bugs that you find are those that actually matter to users in practice.
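
The technique described in the post, as an added C example that is not from the post or from any project it refers to: a sampled allocator that occasionally right-aligns an object against a `PROT_NONE` page, plus a probe showing that a one-byte overflow then faults. It assumes a POSIX system; the function names and the 1-in-1000 rate are hypothetical.

```c
#define _DEFAULT_SOURCE   /* for MAP_ANONYMOUS under strict -std= modes */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define SAMPLE_ONE_IN 1000   /* constructed sampling rate, not from the post */

/* Right-align `size` bytes against a PROT_NONE page so the first byte past the
 * object faults. Only byte-aligned unless `size` is a multiple of the alignment. */
void *guarded_alloc(size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (size + page - 1) / page * page;   /* round up to whole pages */
    unsigned char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {   /* the guard page */
        munmap(base, data + page);
        return NULL;
    }
    return base + data - size;
}

/* Sampled entry point: about 1 call in SAMPLE_ONE_IN gets the guard page,
 * the rest go straight to malloc. *guarded tells the caller how to free. */
void *sampled_alloc(size_t size, int *guarded) {
    *guarded = (rand() % SAMPLE_ONE_IN) == 0;
    return *guarded ? guarded_alloc(size) : malloc(size);
}

/* Probe in a child process: returns 1 if a one-byte overflow of a guarded
 * object is stopped by a fault, 0 if it went unnoticed, -1 on setup error. */
int overflow_faults(size_t size) {
    volatile unsigned char *p = guarded_alloc(size);
    if (!p) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { p[size] = 0x41; _exit(0); }   /* off-by-one write */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) &&
           (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS);
}

int main(void) {
    printf("write at index 24 of a 24-byte object faults: %d\n", overflow_faults(24));
    return 0;
}
```
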