Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LeakGuard: Detecting Memory Leaks Accurately and Scalably

Hongliang Liang, Luming Yin, Guohao Wu, Yuxiang Li, Qiuping Yi, Lei Wang

TL;DR

LeakGuard tackles memory-leak detection by coupling precise, path-sensitive modeling of memory-allocation/deallocation functions with scalable analysis via bottom-up MAD-function summaries and under-constrained symbolic execution. It introduces ownership-aware memory models and a pointer escape analysis to accurately track dynamic memory, while pruning exploration through MAD-caller filtering. Empirically, LeakGuard outperforms multiple state-of-the-art tools and discovers 129 previously unknown leaks across 18 real-world projects, all confirmed by developers, demonstrating strong practical impact. The work provides a public benchmark and a scalable framework for evaluating memory-leak detectors in large-scale software ecosystems.

Abstract

Memory leaks are prevalent in various real-world software projects, thereby leading to serious attacks like denial-of-service. Though prior methods for detecting memory leaks made significant advance, they often suffer from low accuracy and weak scalability for testing large and complex programs. In this paper we present LeakGuard, a memory leak detection tool which provides satisfactory balance of accuracy and scalability. For accuracy, LeakGuard analyzes the behaviors of library and developer-defined memory allocation and deallocation functions in a path-sensitive manner and generates function summaries for them in a bottom-up approach. Additionally, we develop a pointer escape analysis technique to model the transfer of pointer ownership. For scalability, LeakGuard examines each function of interest independently by using its function summary and under-constrained symbolic execution technique, which effectively mitigates path explosion problem. Our extensive evaluation on 18 real-world software projects and standard benchmark datasets demonstrates that LeakGuard achieves significant advancements in multiple aspects: it exhibits superior MAD function identification capability compared to Goshawk, outperforms five state-of-the-art methods in defect detection accuracy, and successfully identifies 129 previously undetected memory leak bugs, all of which have been independently verified and confirmed by the respective development teams.

LeakGuard: Detecting Memory Leaks Accurately and Scalably

TL;DR

LeakGuard tackles memory-leak detection by coupling precise, path-sensitive modeling of memory-allocation/deallocation functions with scalable analysis via bottom-up MAD-function summaries and under-constrained symbolic execution. It introduces ownership-aware memory models and a pointer escape analysis to accurately track dynamic memory, while pruning exploration through MAD-caller filtering. Empirically, LeakGuard outperforms multiple state-of-the-art tools and discovers 129 previously unknown leaks across 18 real-world projects, all confirmed by developers, demonstrating strong practical impact. The work provides a public benchmark and a scalable framework for evaluating memory-leak detectors in large-scale software ecosystems.

Abstract

Memory leaks are prevalent in various real-world software projects, thereby leading to serious attacks like denial-of-service. Though prior methods for detecting memory leaks made significant advance, they often suffer from low accuracy and weak scalability for testing large and complex programs. In this paper we present LeakGuard, a memory leak detection tool which provides satisfactory balance of accuracy and scalability. For accuracy, LeakGuard analyzes the behaviors of library and developer-defined memory allocation and deallocation functions in a path-sensitive manner and generates function summaries for them in a bottom-up approach. Additionally, we develop a pointer escape analysis technique to model the transfer of pointer ownership. For scalability, LeakGuard examines each function of interest independently by using its function summary and under-constrained symbolic execution technique, which effectively mitigates path explosion problem. Our extensive evaluation on 18 real-world software projects and standard benchmark datasets demonstrates that LeakGuard achieves significant advancements in multiple aspects: it exhibits superior MAD function identification capability compared to Goshawk, outperforms five state-of-the-art methods in defect detection accuracy, and successfully identifies 129 previously undetected memory leak bugs, all of which have been independently verified and confirmed by the respective development teams.

Paper Structure

This paper contains 27 sections, 7 equations, 5 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Motivation
  3. Approach
  4. Formalization of memory leak
  5. Allocation Return with Ownership & RefCount (AROR)
  6. Inner Allocation Return with Ownership & RefCount (IAROR)
  7. Deallocation of Argument with Ownership & RefCount (DAOR)
  8. Deallocation of Argument Offset with Ownership & RefCount (DAOOR)
  9. Allocation in Global with Ownership & RefCount (AGOR)
  10. Deallocation of Global with Ownership & RefCount (DAGOR)
  11. Argument Copy with RefCount (ACR)
  12. Overview
  13. Modeling MAD Functions
  14. Identifying Caller Functions of MAD functions
  15. Detecting Memory Leaks
  16. ...and 12 more sections

Figures (5)

  • Figure 1: A memory leak in OpenSSL found by LeakGuard
  • Figure 2: Overview of LeakGuard
  • Figure 3: Code snippet from FFmpeg project
  • Figure 4: Code snippet from OpenSSL project
  • Figure 5: Code snippet from redis project