tags:

views:

248

answers:

3
+2  Q: 

What types of false positive memory leaks can be reported?

When you look for memory leaks using some kind of "tool" like, for example, WinDbg, GlowCode or even the integrated Visual C++ leak reporter, what types of false positives can be reported?

In fact, GlowCode warns you against false positives. Depending on the type of scan that you run, more false positives can appear.

With this question I'm trying to figure out things like how GlowCode scanner compares to WinDbg's !heap -l...

I'll appreciate any hint you can provide!

UPDATE: If you could give some real example in C++ (or your preferred language) that would help a lot.

+1  A: 

The general approach of memory debuggers is to report all allocated memory at program exit. This memory could be leaked, but it could be just memory that is allocated for the entire lifetime of the application and never released explicitly (a questionable programming practice in itself).

Other tools (static analyzers for example) try to match alloc/release calls or certain programming patterns. The MS prefast tool for example will warn you if you allocate memory and call functions that can throw exceptions without a try block. One case where this would be a false positive is where the allocated objects are deleted automatically when their parent is destroyed.

rpg  2009-08-19 13:14:14
+1  A: 

There are two kinds of memory reported by leak detector:

  • memory which is no more reachable (i.e. there is no way to get a pointer to them from global variable). There can be false positive here (in the sense that the memory is still in fact reachable) if you play tricks to hide the value pointer. Some of those are conforming, some works in practice but aren't. They often are of dubious nature but can come handy when working in memory tight situation. I haven't used them since my days in embedded 8 bits systems. Those usually are rare in code base.

  • memory which is still reachable at the end of the program but has not be freed. This kind can be named "false positive". This usage is a matter of style; one may question the soundness of the practice of not deleting objects when quitting the program as one may question the utility of making unobservable work, well unobservable as far as runtime is ignored. Note that sometimes, it is done purposely, so that the object can be used in static destructors which are called when the program exits.

AProgrammer  2009-08-19 13:57:08
What about tools that look for memory leaks _during_ execution?
David Alfonso  2009-08-20 10:45:01
During execution, it makes little sense to report reachable memory (excepted to provide allocation statistics), so they report unreachable one.
AProgrammer  2009-08-20 11:41:10
Of course, I'm talking about _unreachable_ memory... that's what you call a memory leak, don't you?
David Alfonso  2009-08-20 12:26:51
If you have life references to memory which will no more be accessed, is it a leak or not? The notion that it is a leak is arguable and that's why memory leak detectors report them at the end of process.
AProgrammer  2009-08-20 12:59:59
+1  A: 

Assume you have allocated memory at address A and at address B and saved the values to corresponding pointers. Then you replace A and B values with (A+B) and (A-B) respectively.

And how in the world should the checker guess that the memory is still reachable? You really can restore original pointer values, and maybe you somewhere really do. But how should it guess that? And if you mangled the values with trigonometrical functions or, say, RSA? :)

One more thing. You sound like that greater amount of false positives means worse tool. But, generally, when the number of false positives grows, the number of false negatives decreases. It's like becoming a more suspicious detective to catch an elusive criminal, but at the same time hijack greater number of innocent people.

Pavel Shved  2009-08-20 21:59:48
I'm not trying to judge any tool, I just wanted to find out a little about how some apps manage to avoid false positives if you let them more process time to do so. Thank you for your answer!
David Alfonso  2009-08-21 06:39:40
As a brief example, some checkers may let you turn on and off flow-sensitive alias analysis. Brief look at you code tells that in free(x), the x may point to a and b memory regions, because the code looks like that: x = a; ... x = b; ... free(b); free(x);Whoa, your program _may_ be freeing b two times, says the checker and reports an error.But if the checker spent more time looking at the code, he could notice that it actually looks like this: x = a; ... if (2*2 == 5) x = b; ... free(b); free(x);And it would report no error then.
Pavel Shved  2009-08-22 10:56:46

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS