This paper presents a practical inter-procedural analysis algorithm for detecting memory leaks in C programs. Our algorithm tracks the flow of values from allocation points to deallocation points using a sparse representation of the program consisting of a value flow graph that captures def-use relations and value flows via program assignments. Edges in the graph are annotated with guards that describe branch conditions in the program. The memory leak analysis is reduced to a reachability problem over the guarded value flow graph. Our implemented tool has been effective at detecting more than 60 memory leaks in the SPEC2000 benchmarks and in two open-source applications, bash and sshd, while keeping the false positive rate below 20%. The sparse program representation makes the tool efficient in practice, and allows it to report concise error messages.be consumed by) exactly one occurrence of another event B. We refer to such properties as source-sink properties. Examples include detecting lock usage violations (where A is the lock acquire action, B is the lock release, and the value is the pointer to the lock); or detecting potential memory leaks or double frees (where A is the heap allocation event, B represents heap deallocation, and the value is the pointer to the allocated heap cell).Current error-detection techniques include both general-purpose tools for checking arbitrary finite-state machine properties [7, 5, 1]; as well as tools that have been used to check specific properties such as memory leaks [11,21,14]. The existing approaches largely fall into two categories: dataflow analysis approaches that track the state of program values through the control-flow, computing information at each program point; and flow-insensitive approaches, that track the flow of values using a sparse representation of the program (for instance, using definition-use chains or SSA form), but ignoring the control-flow otherwise. The latter is more efficient due to the sparse representation of value flows, but it is not applicable to checking arbitrary state-machine properties since it cannot reason about events that must eventually take place on all program paths, such as deallocating memory, releasing locks, or closing files. To the best of our knowledge, all of the existing memory leak detection techniques use flow-sensitive approaches.This paper presents a novel inter-procedural analysis algorithm for checking source-sink properties using a sparse representation of value flows, and applies this algorithm to the detection of heap memory errors, such as memory leaks or double frees. Our analysis identifies value flows from malloc sources to free sinks through program assignments and use-def chains using a value-flow graph representation of the program. A simple case of a memory leak occurs when a source never reaches a sink in the value-flow graph. Checking the other cases, where a malloc source reaches a free sink on all program paths, and only once on each path, is more challenging. Our approach is to annotate the edges in th...
