It would be great to land this simple initial implementation and move from there. I have ideas on how to make these features better but I'm wary of doing a lot of work out-of-tree. If it lands in some form, that would go a long way to encouraging further work on it. I basically just don't want to end up maintaining a whole allocator implementation.
For detecting UAF, the ideal would be having a FIFO ring buffer placed in front of the randomized delayed chunk array. The delay would then depend on the amount of memory that's set aside for this. For example, delaying up to 4M of small allocations (which is a lot, but totally doable with modern hardware) would go a long way to catching most writes after free via this junk validation feature. Could potentially be configurable as the cache size is. It also becomes increasingly more useful to check the currently delayed allocations at exit rather than just when they get flushed out of the delayed array (and/or queue) if there's actually a longer form of delay. It isn't all that useful right now, but it would be a valuable component of this if it was fancier. Right now it basically relies on luck to detect anything, unless the allocation is immediately written to after a free and before the next free. It's a place where a mix of determinism and non-determinism would be best, i.e. a guaranteed amount of delay, but without losing the randomization since that is useful for other reasons (randomized heap layout). The malloc canaries mostly just don't play well with the current power of two size classes. They'd be very cheap if the size classes were finer grained, i.e. accepting more external fragmentation but reducing the internal fragmentation (wasted padding). There's a nice technique used in jemalloc based on spacing classes rather than size classes but it isn't appropriate in OpenBSD malloc because it would lose the nice property of stuff being isolated based on size (and it would really be best to *expand* that property more towards what PartitionAlloc does rather than losing it).
