
I want to try some open source static analysis tools to check their performance in detecting leaks in the Linux source code. I am starting with cppchecker. In Linux most of the memory allocation calls are made through functions like kmalloc() and kzalloc(), and the corresponding free function is kfree(). How can I configure cppchecker to track kmalloc calls instead of the default malloc() call? There is something called creating a new config file where we can define user preferences, but I can't figure out how to do that.

Also, as a follow-up to the above question: does cppcheck perform interprocedural analysis for memory leak detection? What other open source static analysis tools can I use for this purpose?

dsingh

2 Answers


I am a Cppcheck developer.

It is true that there is old builtin handling for kmalloc etc. A good start is to check the kernel with the builtin knowledge. No cfg file is needed.

However with a cfg file you can enhance cppcheck.

Here is a start:

<?xml version="1.0"?>
<def format="1">
    <memory>
        <dealloc>kfree</dealloc>
        <alloc init="false">kmalloc</alloc>
        <alloc init="true">kzalloc</alloc>
    </memory>
</def>

Save that text in a file with a name such as kernel.cfg and then use, for instance, --library=kernel to use that info during cppcheck analysis.

There is a lot of missing info in this cfg. If you use --check-cfg, Cppcheck will complain when it is confused during analysis and wants more cfg-info. It mainly needs noreturn information about functions and also whether a function is "leak-ignore".

You can look in our official std.cfg file, for instance at the configuration for strcmp(). This configuration explicitly says that strcmp() is not noreturn. The configuration also has a "leak-ignore" attribute - because if you can pass a pointer to the allocated memory to strcmp() then the leaks-checker should ignore this because the strcmp() will not cause any deallocation etc.

Let us know if you have questions about how it works.

Daniel Marjamäki
  • Thanks for the information. I am trying cppcheck on Linux for memory leaks. Can you tell me how cppcheck tracks allocated variables in the case of function pointers, pointer arithmetic or escape to a global variable? – dsingh Oct 10 '14 at 19:36
  • Pointer arithmetic: cppcheck isn't very clever here. As long as the allocated pointer is not reassigned it should work, such as 'p=malloc(10); free(p+1);'. If it gets too complicated cppcheck bails out. – Daniel Marjamäki Oct 12 '14 at 09:27
  • Escape to global variable: cppcheck bails out. In general cppcheck doesn't track global variables since they might be used asynchronously by other threads etc. – Daniel Marjamäki Oct 12 '14 at 09:28
  • Function pointers: this will not work well. The checker will just see that an unknown function is called. If the allocated pointer is passed to the function as an argument, the checker assumes that the function deallocates the memory and bails out. So there can be FN. – Daniel Marjamäki Oct 12 '14 at 09:37
  • Obviously, Cppcheck is not a silver bullet. There are leaks that are not detected. As far as I know there is no silver bullet - use different tools/methods and you'll find different leaks. I believe the strength of Cppcheck is when it comes to detecting leaks in unlikely and relatively simple paths. – Daniel Marjamäki Oct 12 '14 at 09:47
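As an added example (not part of the answer above and not a file shipped with Cppcheck), here is the kernel.cfg from the answer extended with the two kinds of entries it says --check-cfg will ask for: a noreturn entry and a leak-ignore entry. The choice of panic() as a noreturn function and strcmp() as a leak-ignore function follows the answer's description of std.cfg; both function entries are assumptions for illustration.

```xml
<?xml version="1.0"?>
<!-- Save as kernel.cfg and run, e.g.:
     cppcheck --library=kernel --check-cfg path/to/driver.c
     --check-cfg reports any call for which Cppcheck still wants
     noreturn or leak-ignore information. -->
<def format="1">
    <!-- Allocation pairs: kfree() releases memory from either allocator.
         init="true" tells the checker that kzalloc() returns zeroed memory,
         so reads of it are not reported as uninitialised. -->
    <memory>
        <dealloc>kfree</dealloc>
        <alloc init="false">kmalloc</alloc>
        <alloc init="true">kzalloc</alloc>
    </memory>

    <!-- Assumed entry: panic() never returns, so code after it is dead and
         an allocation that is not freed before panic() is not a leak. -->
    <function name="panic">
        <noreturn>true</noreturn>
        <arg nr="1"><not-uninit/></arg>
    </function>

    <!-- Assumed entry modelled on the std.cfg strcmp() configuration the
         answer describes: it returns, and passing a pointer to allocated
         memory to it does not free or store that pointer, so the leak
         checker must not bail out on the call. -->
    <function name="strcmp">
        <noreturn>false</noreturn>
        <leak-ignore/>
        <arg nr="1"><not-null/><not-uninit/></arg>
        <arg nr="2"><not-null/><not-uninit/></arg>
    </function>
</def>
```

Without the leak-ignore entry, a path such as p = kmalloc(...); if (strcmp(p, x)) return; would be abandoned by the checker at the strcmp() call rather than reported as a leak on the early return.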

Are you quite sure that cppcheck is not already able to check for kernel allocation leaks? The source code looks strongly like it treats kmalloc and so on just like malloc. Look at the testmemleak.cpp file in the cppcheck repository for example and you see test cases that exercise a bad kmalloc.

As far as interprocedural analysis goes, I don't believe that cppcheck does this. I speculate that GCC might be able to do a little based on the -flto flag, but I am not an expert.

AlwaysLearning