Dynamic memory access checking finds the following types of errors:
ABR: beyond array bounds read
ABW: beyond array bounds write
BFM: bad free memory
BRP: bad realloc address parameter
CGB: corrupted guard block
DFM: double freeing memory
FMR: freed memory read
FMW: freed memory write
IMR: invalid memory read
IMW: invalid memory write
MLK: memory leak
OLP: overlapping source and destination
PIR: partially initialized read
SBR: beyond stack bounds read
SBW: beyond stack bounds write
UAR: unallocated memory read
UAW: unallocated memory write
UMR: uninitialized memory read
This sections describes the possible causes of the error and a code example of when the error would occur.
Possible causes: Attempting to read memory beyond the array bounds.
Example:
int a[5];
. . .
printf("a[5] = %d\n",a[5]); // Reading memory beyond array bounds
Possible causes: Attempting to write memory beyond the array bounds.
Example:
int a [5];
. . .
a[5] = 5; // Writing to memory beyond array bounds
Possible Causes: Passing a non-heap data pointer to free()() or realloc()().
Example:
#include <stdlib.h>
int main()
{
int *p = (int*) malloc(sizeof(int));
free(p+1); // Freeing wrong memory block
}
Example:
#include <stdlib.h>
int main()
{
int *p = (int*) realloc(0,sizeof(int));
int *q = (int*) realloc(p+20,sizeof(int[2])); // Bad address parameter for realloc
}
Possible Causes: Writing past the end of a dynamically allocated array, or being in the "red zone".
Example:
#include <stdio.h>
#include <stdlib.h>
int main() {
int *p = (int *) malloc(sizeof(int)*4);
*(p+5) = 10; // Corrupted array guard block detected (only when the code is not annotated)
free(p);
return 0;
}
Possible Causes: Calling free()() more than once with the same pointer. In C++, using the delete operator more than once on the same pointer.
Example:
int *p = (int*) malloc(sizeof(int));
free(p);
. . . // p was not assigned a new value between the free statements
free(p); // Double freeing memory
Example:
int *p = (int*) malloc(sizeof(int));
free(p);
. . . // Nothing assigned to p in between
printf("p = 0x%h\n",p); // Reading from freed memory
Example:
int *p = (int*) malloc(sizeof(int));
free(p);
. . . // Nothing assigned to p in between
*p = 1; // Writing to freed memory
Example:
#include <stdlib.h>
int main() {
int *p = (int *) malloc(sizeof(int));
free(0);
int *q = (int*) realloc(p,sizeof(it[2])); //Freed pointer passed to realloc
}
Possible causes: Reading 2, 4, or 8 bytes from an address that is not half-word aligned, word aligned, or double-word aligned, respectively.
Example:
#include <stdlib.h>
int main()
{
int *p = 0;
int i = *p; // Read from invalid memory address
}
Possible causes: Writing 2, 4, or 8 bytes from an address that is not half-word aligned, word aligned, or double-word aligned, respectively. Writing to a text address, writing to a read-only data section (.rodata), or writing to a page that mmap has made read-only.
Example:
int main()
{
int *p = 0;
*p = 1; // Write to invalid memory address
}
Possible causes: Memory is allocated but not freed before exit or escaping from the function.
Example:
int foo()
{
int *p = (int*) malloc(sizeof(int));
if (x) {
p = (int *) malloc(5*sizeof(int)); // will cause a leak of the 1st malloc
}
} // The 2nd malloc leaked here
Possible causes: Incorrect source, destination, or length is specified. When the source and destination overlap, the behavior of the program is undefined.
Example:
#include <stlib.h>
#include <string.h>
int main() {
char *s=(char *) malloc(15);
memset(s, 'x', 15);
memcpy(s, s+5, 10);
return 0;
}
Example:
#include <stdio.h>
#include <stdlib.h>
int main()
{
int *p = (int*) malloc(sizeof(int));
*((char*)p) = 'c';
printf("*(p = %d\n",*(p+1)); // Accessing partially initialized data
}
Possible causes: Reading a local array past the end or before the start.
Example:
#include <stdio.h>
int main() {
int a[2] = {0, 1};
printf("a[-10]=%d\n",a[-10]); // Read is beyond stack frame bounds
return 0;
}
Possible causes: Writing to a local array past the end or before the start.
Example:
#include <stdio.h>
int main() {
int a[2] = {0, 1};
a[-10] = 2; // Write is beyond stack frame bounds
return 0;
}
Possible causes: A stray pointer, overflowing the bounds of a heap block, or accessing a heap block that has already been freed.
Example:
#include <stdio.h>
#include <stdlib>
int main()
{
int *p = (int*) malloc(sizeof(int));
printf("*(p+1) = %d\n",*(p+1)); // Reading from unallocated memory
}
Possible causes: A stray pointer, overflowing the bounds of a heap block, or accessing a heap block that has already been freed.
Example:
#include <stdio.h>
#include <stdlib>
int main()
{
int *p = (int*) malloc(sizeof(int));
*(p+1) = 1; // Writing to unallocated memory
}
Possible causes: Reading local or heap data that has not been initialized.
Example:
#include <stdio.h>
#include <stdlib>
int main()
{
int *p = (int*) malloc(sizeof(int));
printf("*p = %d\n",*p); // Accessing uninitialized data
}