Detecting Struct Member-Related Memory Leaks Using Error Code Analysis in Linux Kernel

Abstract

Struct member-related memory leak can become a serious problem. Linux kernel is not an exception. According to our study of Linux Kernel patches, 54.6% of all memory leak-related patches within the last two years were related to the leak of struct members. This occurs when a struct is freed before freeing its dynamically allocated struct members. Detecting these bugs in large-scale software requires to reduce analysis cost for scalability and effectively collect the state of a struct and its members.In this paper, we present a simple static-analysis approach to detect struct member-related memory leak in the Linux Kernel. Our analysis first collects alloc/free information by conducting a path-insensitive analysis. To efficiently conduct inter-procedural analysis, we introduce error-code analysis, which is an optimization to efficiently pass back the alloc/free information by focusing on the return value of callee and its use in the caller. When detecting a struct free, we scan through the collected information to detect any member that remains unfreed, and generate warnings to them. We evaluated our method by analyzing the Linux Kernel 5.3-rc4, and found two new bugs. Both of the bugs were reviewed and confirmed by Linux Kernel developers.