mrgrayson

memory leak false positives in C

Currently previewing Fortify for my software dev team.

I'm getting about 80 errors of the same type in my C project. I've distilled it to the below example to show exactly what the issue is. See attachment for Fortify analysis of this code snippet.

When I scan, I get a "memory leak" for line 28, but none for line 33. It so happens that neither is a memory leak, but more importantly, these two snippets are almost identical semantically and should be interpreted the same way in this case.

I believe this is a bug in Fortify. I'm not looking forward to having to document a million times why Fortify can't tell the difference between these two methods.

#include <stdlib.h>

struct MemHider
{
    void * hiddenData;
};

void dataHider1( void * );
void dataHider2( void * );

int main( int argc, char ** argv )
{
    struct MemHider someMemory;
    struct MemHider someMemory2;
    
    dataHider1( &someMemory );
    dataHider2( &someMemory2 );

    free( someMemory.hiddenData );
    free( someMemory2.hiddenData );
    
    return 0;
}

void dataHider1( void * _this )
{
    struct MemHider * this = ( struct MemHider * )_this;
    this->hiddenData = malloc( sizeof( char ) );
}

void dataHider2( void * _this )
{
    ( ( struct MemHider * )_this)->hiddenData = malloc( sizeof( char ) );
}

AWB/SCA version 18.20.1071

mrgrayson

Re: memory leak false positives in C

Or rather, why Fortify differentiates these two methods.

raspy

Re: memory leak false positives in C

It seems that it just fails to track aliases to the same memory. I have simplified the example even further:

#include <stdlib.h>

struct MemHider
{
    void * hiddenData;
};

int main( int argc, char ** argv )
{
    struct MemHider someMemory;
    struct MemHider someMemory2;
    struct MemHider someMemory3;
    struct MemHider *alias = &someMemory;
    struct MemHider *alias3 = &someMemory3;

    someMemory.hiddenData = malloc(sizeof(char));
    free(alias->hiddenData);

    someMemory2.hiddenData = malloc(sizeof(char));
    free((&someMemory2)->hiddenData);

    alias3->hiddenData = malloc(sizeof(char));
    //free(someMemory3.hiddenData);

    return 0;
}

The only error reported is:

[DEE00A5CF7095407F77F55293DFB9120 : high : Memory Leak : controlflow ]

dataHider2.c(16) : start -> allocated : someMemory.hiddenData = malloc(...)
dataHider2.c(16) : allocated -> allocated : someMemory.hiddenData refers to dynamically allocated memory
dataHider2.c(25) : allocated -> allocated : return
dataHider2.c(25) : allocated -> allocated : someMemory.hiddenData no longer refers to dynamically allocated memory
dataHider2.c(25) : allocated -> leak : someMemory end scope : Memory leaked

 

This means that a) it fails to detect deallocation through an alias and b) it fails to detect the memory leak in someMemory3.

mrgrayson

Re: memory leak false positives in C

Wow, yeah. I also had noticed that it didn't correctly detect some actual memory leaks but I didn't put it together with the other issue. Well done.

eelgheez

Re: memory leak false positives in C

It's not unusual to see a static tool track just explicitly owned memory allocations.

raspy

Re: memory leak false positives in C

Really? It's not such complicated code. Klocwork, for that matter, did not have any issues with noticing the freeing of someMemory and the allocation of someMemory3:

 

1 (Local) /dev/shm/test-memleak/dataHider2.c:25 MLK.MUST (2:Error) Analyze
Memory leak. Dynamic memory stored in 'alias3->hiddenData' allocated through function 'malloc' at line 22 is lost at line 25

Summary: 1 Local
1 Total Issue(s)
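
A run-time cross-check of the three cases from raspy's simplified example, added here as an illustration that is not part of any post in this thread. The `t_malloc`/`t_free` wrappers and `drain_live` are hypothetical tracking helpers (not a Fortify or Klocwork API); each case function returns how many blocks are still allocated when the case ends.

```c
#include <stdio.h>
#include <stdlib.h>

struct MemHider { void *hiddenData; };

/* Hypothetical tracking wrappers: remember every live block so that
   outstanding allocations can be counted at run time. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *t_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}
static void t_free(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; break; }
    free(p);
}
/* Count blocks still allocated, then release them so cases stay independent. */
static int drain_live(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { free(live[i]); live[i] = NULL; n++; }
    return n;
}

/* Allocated through the struct, freed through a pointer alias. */
int case_free_via_alias(void) {
    struct MemHider someMemory, *alias = &someMemory;
    someMemory.hiddenData = t_malloc(sizeof(char));
    t_free(alias->hiddenData);
    return drain_live();
}
/* Allocated through the struct, freed through (&struct)->member. */
int case_free_via_address_of(void) {
    struct MemHider someMemory2;
    someMemory2.hiddenData = t_malloc(sizeof(char));
    t_free((&someMemory2)->hiddenData);
    return drain_live();
}
/* Allocated through an alias and never freed: the only real leak. */
int case_alloc_via_alias_no_free(void) {
    struct MemHider someMemory3, *alias3 = &someMemory3;
    alias3->hiddenData = t_malloc(sizeof(char));
    return drain_live();
}
int main(void) {
    printf("%d %d %d\n", case_free_via_alias(),
           case_free_via_address_of(), case_alloc_via_alias_no_free());
    return 0;
}
```

Only the third case leaves a block outstanding, which matches the single Klocwork finding and is the opposite of the Fortify result quoted earlier in the thread.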
