Memory Leak Detection
Detection Workflow
- •Identify allocation points: Find all malloc/calloc/realloc calls, new/delete pairs (C++), map allocation locations
- •Trace allocation lifecycle: Use
xrefs_toto trace allocations, follow pointers through code, identify all free() calls - •Check cleanup paths: Verify every allocation has a corresponding free, check all error handling paths, review exception handling, assess callback cleanup
- •Assess impact: How much memory is leaked? How often does it leak? What's the cumulative impact? Can it cause DoS?
Key Patterns
- •Missing free: malloc() without corresponding free(), calloc() without free(), new without delete (C++)
- •Exception path leaks: allocations before exception-prone operations, missing cleanup in error handling, leaks in early returns
- •Reference cycles: circular references in data structures, reference counting bugs, shared pointer cycles
- •Long-lived allocations: allocations that never get freed, caches without size limits, accumulating data structures
Output Format
Report with: id, type, subtype, severity, confidence, location, allocation (function, address, size), leak path, leak scenario, leak size per call, frequency, exploitability, impact, mitigation.
Severity Guidelines
- •HIGH: Large leaks in frequently called functions
- •MEDIUM: Small leaks or infrequent allocations
- •LOW: Minor leaks with limited impact
See Also
- •
patterns.md- Detailed detection patterns and exploitation scenarios - •
examples.md- Example analysis cases and code samples - •
references.md- CWE references and mitigation strategies