Interpret errors during memory analysis

Although the QNX Memory Analysis perspective can quickly direct you to memory errors in your application, you need to understand the types of memory errors that you might run into.

During memory analysis, you may encounter the following types of memory errors:

During memory analysis, the following functions are checked for memory errors:

String functions

strcat strdup strncat strcmp strncmp strcpy strncpy strlen strchr strrchr index rindex strpbrk strspn strcspn strstr strtok

Memory copy functions

memccpy memchr memmove memcpy memcmp memset bcopy bzero bcmp

Allocation functions

malloc calloc realloc free

Illegal deallocation of memory

The illegal deallocation of memory occurs when a free operation is performed on a pointer that doesn't point to an appropriate heap memory segment. This type of error can occur when you attempt to do any of the following activities:

  • free a NULL pointer (not detected)
  • free a pointer to stack or static memory
  • free a pointer to heap memory that does not point to the beginning of an allocated block
  • perform a double free (when free) is performed more than once on the same memory location)

Consequences

The illegal deallocation of memory can generate the following runtime errors:

  • memory corruption (a stack, heap, or static segment)
  • immediate segmentation fault

Detecting the error

In the Momentics IDE for BlackBerry, the Memory Analysis tool detects this error (if error detection is enabled), and it traps the illegal deallocation error when any of the following functions are called:

  • free
  • realloc

For instructions about enabling error detection in the Momentics IDE, see Enable memory leak detection.

Enabling error detection for the illegal deallocation of memory

To enable error detection for the illegal deallocation of memory:

  1. In the Launch Configuration window, select the Tools tab.
  2. Expand Memory Errors and select the Enable error detection check box.
  3. Select the Enable check on realloc()/free() argument check box.
  4. Click OK.

Message returned to the Momentics IDE

In the Momentics IDE, you can expect the message for this type of memory error to include the following types of information and detail:

  • Message: Pointer does not point to heap area
  • Severity: ERROR
  • Pointer: 0 (typically 0 for most messages)
  • TrapFunction: shows the free or realloc function where the error occurred.
  • Operation: shown, where applicable

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address the illegal deallocation of memory

To help address this memory problem, try the following:

  • Add a condition to test that when a NULL is a pointer, to verify that it can be freed.
  • Don't free stack and static memory. Ensure that the same pointer can never point to different types of memory.
  • Never reassign an allocated pointer (except for a NULL or other allocation). If you need to iterate over allocated memory, use another pointer (alias), or use an index.
  • Nullify the pointer immediately after deallocation, unless it is a local variable which is out of scope.

Example

The following code shows an example of the illegal deallocation of memory:

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
                     
int main(int argc, char ** argv){ 
char * str = ""; 
if (argc>1) { 
str = malloc(10); 
// ... 
} 
printf("Str: %s\n",str); 
free(str); 
return 0; 
}

NULL pointer dereference

A NULL pointer dereference is a sub type of an error causing a segmentation fault. It occurs when a program attempts to read or write to memory with a NULL pointer.

Consequences

Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error.

For instructions about enabling error detection in the Momentics IDE for BlackBerry, see Enable memory leak detection.

When the memory analysis feature detects this type of error, it traps these errors for any of the following functions (if error detection is enabled) when they are called within your program:

  • free
  • memory and string functions:

strcat strdup strncat strcmp strncmp strcpy strncpy strlen strchr strrchr index rindex strpbrk strspn (only the first argument) strcspn strstr strtok

The memory analysis feature doesn't trap errors for the following functions when they are called:

memccpy memchrv memmove memcpy memcmp memset bcopy bzero memccpy memchrv memmove memcpy memcmp memset bcopy bzero bcmp bcmp

Enabling error detection for a NULL pointer dereference

To enable error detection for the NULL pointer dereference:

  1. In the Launch Configuration window, select the Tools tab.
  2. Expand Memory Errors and select the Enable error detection check box.
  3. To detect the passing of a zero (0) pointer to string and memory functions, select Verify parameters in string and memory functions.
  4. To detect the freeing of a zero (0) pointer, select Enable check on realloc()/free() argument.

Message returned to the Momentics IDE

In the Momentics IDE, you can expect the message for this type of memory error to include the following types of information and detail:

  • Message: various types of messages expected
  • Severity: ERROR
  • Pointer: 0
  • TrapFunction: shows the memory or string function where the error occurred.
  • Operation: shown, where applicable

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address a NULL pointer dereference

You can perform an explicit check for NULL for all pointers returned by functions that can return NULL, and when parameters are passed to the function.

Example

The following code shows an example of a NULL pointer dereference:

int main(int argc, char ** argv){
  char buf[255];
  char * ptr = NULL;
  if (argc>1) {
    ptr = argv[1];
  }
  strcpy(str,ptr);
  return 0;
}

Buffer overflow

A buffer overflow error occurs when a program unintentionally writes to a memory area that's out of bounds for the buffer it intended to write to.

Consequences

A buffer overflow generates the following runtime errors:

  • memory corruption (with an unpredictable failure in the future)
  • segmentation fault

Detecting the error

The Memory Analysis tool can detect a limited number of possible buffer overflows with following conditions:

  • when the overflow buffer belongs to the heap area
  • when the overflow occurred within the block's memory overhead (typically, the overflow is over by 1, and the overflow is trapped in the free function)
  • when the overflow is corrupting the heap. Typically, with a large enough index (or negative index), you can write data into next block area, thereby making all of the heap unusable. This error is trapped in the following allocation functions: malloc, calloc, realloc, free.
  • when the overflow occurred in a library function:

strcat strdup strncat strcmp strncmp strcpy strncpy strlen strchr strrchr index rindex strpbrk strspn strcspn strstr strtok memccpy memchr memmove memcpy memcmp memset bcopy bzero bcmp

Enabling error detection

To enable error detection for a buffer overflow or underflow:

  1. In the Launch Configuration window, click the Tools tab.
  2. Select the Enable error detection check box.
  3. To detect an immediate overflow, select Verify parameters in string and memory functions.
  4. To detect a small overflow in block's memory overhead area, select Enabled bounds checking (where possible).
  5. To detect a corrupted heap, caused by overflowing other regions, select Perform full heap integrity check on every allocation/deallocation.

Message returned to the Momentics IDE for BlackBerry

In the Momentics IDE, you can expect the message for this type of memory error to include the following types of information and detail:

  • Messages
    • allocator inconsistency - Malloc chain is corrupted, pointers out of order
    • allocator inconsistency - Malloc chain is corrupted, end before end pointer
    • pointer does not point to heap area
    • possible overwrite - Malloc block header corrupted
    • allocator inconsistency - Pointers between this segment and adjoining segments are invalid
    • data has been written outside allocated memory block
    • pointer points to heap but not to a user writable area
    • allocator inconsistency - Malloc segment in free list is in-use
    • malloc region doesn't have a valid CRC in header
  • Other parameters
    • Severity: ERROR
    • Pointer: pointer that points outside of buffer
    • TrapFunction: memory or string function where the error was trapped (the error can also occur before the actual function in error)
    • Operation: UNKNOWN, malloc, malloc-realloc, calloc — how memory was allocated for the memory region we are referencing
    • State: In Use or FREED

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address buffer overflow errors

Locate the code where the actual overflow occurred. Ensure that the size of the memory region always come with the pointer itself. Also, verify all unsafe operations, and that the memory region is large enough to accommodate the data going into that location.

Example

The following code shows an example of a buffer overflow trapped by a library function:

int main(int argc, char ** argv){
  char * ptr = NULL;
  ptr = malloc(12);
  strcpy(ptr,"Hello World!");
  return 0;
}

The following code shows an example of a buffer overflow trapped by a postheap check in a free function:

int main(int argc, char ** argv){
  char * ptr = NULL;
  ptr = malloc(12);
  ptr[12]=0;
  free(pre);
  return 0;
}

Use freed memory

If you attempt to read or write to memory that was previously freed, the result is a conflict and the program generates a memory error. For example, if a program calls the free function for a particular block and then continues to use that block, it creates a reuse problem when a malloc call is made.

Consequences

Using freed memory generates the following runtime errors:

  • memory corruption (results in an unpredictable future failure)
  • random data read — when the heap is reused, other data can be in that location

Detecting the error

The Memory Analysis tool can detect only a limited number of situations where free memory is read/written with following conditions:

  • where library functions read a pointer that is already known to be free, those functions are:

strcat strdup strncat strcmp strncmp strcpy strncpy strlen strchr strrchr index rindex strpbrk strspn strcspn strstr strtok memccpy memchr memmove memcpy memcmp memset bcopy bzero bcmp

  • The newly allocated block contains altered data; it was modified after deallocation. The memory errors are trapped in the following memory functions:

malloc calloc realloc free

Enabling error detection

To enable error detection when using freed memory:

  1. In the Launch Configuration window, click the Tools tab.
  2. Expand Memory Errors and select the Enable error detection check box.
  3. To detect usage of freed memory, select Verify parameters in string and memory functions.
  4. To detect writing to a freed memory area, select Enabled bounds checking (where possible).

Message returned to the Momentics IDE for BlackBerry

In the Momentics IDE, you can expect the message for this type of memory error to include the following types of information and detail:

  • Messages: data in freed memory block has been modified
  • Severity: ERROR
  • Pointer: not specified
  • TrapFunction: shows the memory or string function where the error occurred (where the error was trapped).
  • Operation: In Use or Free — indicates whether the memory region is being used or is available.

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address freed memory usage

Set the pointer of the freed memory to NULL immediately after the call to free, unless it is a local variable that goes out of the scope in the next line of the program.

Example

The following code shows an example using already freed memory:

int main(int argc, char ** argv){
  char * ptr = NULL;
  ptr = malloc(13);
  free(ptr);
  strcpy(ptr,"Hello World!");
  return 0;
}

Read uninitialized memory

If you attempt to read or write to memory that was previously allocated, the result is a conflict and the program generates a memory error because the memory is not initialized.

Consequences

Using an uninitialized memory read generates a random data read runtime error.

Detecting the error

Typically, the Momentics IDE for BlackBerry does not detect this type of error. However, the Memory Analysis tool does trap the condition of reading uninitialized data from a recently allocated memory region.

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address random data read issues

Use the calloc function, which always initializes data with zeros (0).

Example

The following code shows an example of an uninitialized memory read:

int main(int argc, char ** argv){
  char * ptr = NULL;
  ptr = malloc(13);
  if (argc>1)
     strcpy(ptr,"Hello World!");
  ptr[12]=0;
  printf("%s\n",ptr);
  return 0;
}

Resource (memory) leaks

Memory leaks can occur if your program allocates memory and then does not free it. For example, a resource leak can occur in a memory region that no longer has references from a process.

Consequences

Resource leaks generate the following runtime errors:

  • resource Exhaustion
  • program termination

Detecting the error

This error would be trapped during the following circumstances:

  • a typical program exit (versus an abnormal program exit/termination)
  • routine investigation (set by the programmer or tester) at regular intervals

Enabling error detection

In the Momentics IDE for BlackBerry, you can expect the message for this type of memory error to include the following types of information and detail:

  1. In the Launch Configuration window, select the Tools tab.
  2. Expand Memory Errors and select the Perform leak check when process exits checkbox.
  3. Optional: Specify how often to check for leaks in the Perform leak check every (ms) field. The minimum depends on target speed; however, on average, it should be no less than 100 ms.

Message returned to the Momentics IDE

In the Momentics IDE, you can expect the message for this type of memory error to include the following types of information and detail:

  • Message: varies
  • Severity: LEAK
  • Pointer: lost pointer
  • TrapFunction: blank
  • Operation: malloc, realloc, alloc, calloc — how memory was allocated for this leak
  • State: empty or in use

For a list of error messages returned by the Memory Analysis tool, see Summary of error messages.

How to address resource (memory) leaks

To address resource leaks in your program, ensure that memory is deallocated on all paths, including error paths.

Example

The following code shows an example of a memory leak:

int main(int argc, char ** argv){
  char * str = malloc(10);
  if (argc>1) {
     str = malloc(20);
     // ...
  }
  printf("Str: %s\n",str);
  free(str);
  return 0;
}

Summary of error messages

The following table shows a summary of potential error messages you might encounter during memory analysis:

Message Caused by Description
no errors No errors No errors
allocator inconsistency - Malloc chain is corrupted, pointers out of order A buffer overflow occurred in the heap. The heap memory is corrupted.
allocator inconsistency - Malloc chain is corrupted, end before end pointer A buffer overflow occurred in the heap. The heap memory is corrupted.
pointer does not point to heap area The illegal deallocation of memory. You attempted to free non-heap memory.
possible overwrite - Malloc block header corrupted A buffer overflow occurred in the heap. The heap memory is corrupted.
allocator inconsistency - Pointers between this segment and adjoining segments are invalid A buffer overflow occurred in the heap. The heap memory is corrupted.
data has been written outside allocated memory block A buffer overflow occurred in the heap. The program attempted to write data to a region beyond allocated memory.
data in free'd memory block has been modified Attempting to use memory that was previously freed. The program is attempting to write to a memory region that was previously freed.
data area is not in use (can't be freed or realloced) A buffer overflow occurred in the heap. The heap memory is corrupted.
unable to get additional memory from the system All memory resources are exhausted. There are no more memory resources to allocate.
pointer points to the heap but not to a user writable area A buffer overflow occurred in the heap. The heap memory is corrupted.
allocator inconsistency - Malloc segment in free list is in-use A buffer overflow occurred in the heap. The heap memory is corrupted.
malloc region doesn't have a valid CRC in header A buffer overflow occurred in the heap. The heap memory is corrupted.
free'd pointer isn't at start of allocated memory block An illegal deallocation of memory. An attempt was made to deallocate the pointer that shifted from its original value when it was returned by the allocator.

Last modified: 2015-03-31



Got questions about leaving a comment? Get answers from our Disqus FAQ.

comments powered by Disqus