Memory Allocation Bugs (MAL) Class
Definition
We define Memory Allocation Bugs (MAL) as follows:
An object is allocated, extended, or reallocated (while extending) improperly.
Taxonomy
Fig. 1 depicts MAL causes, attributes and consequences.

Fig. 1. Memory Allocation Bugs (MAL) Class
Operations
The MAL operations are: Allocate, Extend, and Reallocate–Extend. They reflect improper formation of an object.
Operation Value | Definition
Allocate | Reserves space in memory for an object; defines its initial boundaries and size.
Extend | Allocates additional memory for an object in the same space; redefines its boundaries and size.
Reallocate–Extend | Allocates a new larger piece of memory for an object at a new address, copies the object content there, reassigns its pointer, and deallocates the previous piece of memory.
Causes
The graph of causes shows that there are three main causes for memory allocation bugs: Improper Operation,
Improper Pointer, and Improper Object.
Improper Operation
Value | Definition
Missing | The operation is absent.
Mismatched | The deallocation function does not match the allocation function used for the same object.
Erroneous | There is a bug in the implementation of the operation.
Improper Pointer
Value | Definition
Wild Pointer | Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
Dangling Pointer | Still points to the address of its successfully deallocated object.
Wrong Position | Points to a miscalculated position inside object bounds.
Hardcoded Address | The pointer points to a wrong specific address.
Forbidden Address | The pointer points to an OS protected or non-existing address.
Single Owner of Object | The only pointer of an already allocated object is used to allocate a new object.
Improper Object
Value | Definition
Wrong Size Used | The value used as size does not match the real size of the object.
Consequences
The graph of consequences shows Improper Pointer for Next Operation, Improper Object for Next Operation, and Memory Error as consequences.
Improper Pointer for Next Operation
Value | Definition
NULL Pointer | Points to the zero address, a specific invalid address.
Wild Pointer | Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used.
Improper Object for Next Operation
Value | Definition
Not Enough Allocated | The allocated memory is too little for the data it should store.
Memory Error
Value | Definition
Memory Overflow | More memory requested than available.
Memory Leak | An object has no pointer pointing to it.
Double Free | Attempt to deallocate a deallocated object or via an uninitialized pointer.
Object Corruption | Object data is unintentionally altered.
Attributes
The attributes of MAL are:
Name | Value | Definition
Mechanism | Implicit | The operation is performed without a function call.
Mechanism | Explicit | The operation is performed by a function/method call.
Source Code | Codebase | The operation is in programmer’s code – in the application itself.
Source Code | Third Party | The operation is in a third party library.
Source Code | Standard Library | The operation is in the standard library for a particular programming language.
Source Code | Language Processor | The operation is in the tool that allows execution or creates executable (compiler, assembler, interpreter).
Execution Space | Userland | The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture).
Execution Space | Kernel | The bugged code runs in an environment with privilege levels with access to privileged instructions (e.g., ring 0 in x86 architecture).
Execution Space | Bare-Metal | The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Ownership | None | The object has no owner.
Ownership | Single | The object has one owner.
Ownership | Shared | The object has more than one owner.
Location | Stack | The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
Location | Heap | The object is a dynamically allocated data structure (e.g., via malloc() and new).
Sites
MAL sites are any allocation routine (e.g., malloc()) or the new operator, any declaration of a variable with implicit allocation, any OOP constructor, or any extension routine (e.g., realloc()) or adding elements to a container object.
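A C sketch of the Allocate and Reallocate–Extend sites named above, written to avoid the Wrong Size Used and Single Owner of Object causes and the Not Enough Allocated, Memory Leak and NULL Pointer consequences they lead to. It is an added example, not part of the original page; the intvec type and its functions are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable vector, used only for this illustration. */
typedef struct { int *data; size_t len, cap; } intvec;

/* Allocate site. The element count is checked before it is multiplied, so a
   wrapped product (Wrong Size Used) cannot produce Not Enough Allocated. */
int intvec_init(intvec *v, size_t cap) {
    v->data = NULL;
    v->len = v->cap = 0;
    if (cap == 0 || cap > SIZE_MAX / sizeof *v->data) return -1;
    v->data = malloc(cap * sizeof *v->data);
    if (v->data == NULL) return -1;
    v->cap = cap;
    return 0;
}

/* Reallocate-Extend site. The faulty form is
       v->data = realloc(v->data, n);
   where a failed call overwrites the only pointer to the old block with NULL
   (Memory Leak, plus a NULL Pointer for the next operation). */
int intvec_push(intvec *v, int x) {
    if (v->len == v->cap) {
        if (v->cap == 0 || v->cap > SIZE_MAX / (2 * sizeof *v->data)) return -1;
        size_t ncap = v->cap * 2;
        int *tmp = realloc(v->data, ncap * sizeof *tmp);
        if (tmp == NULL) return -1;      /* v->data still owns the old block */
        v->data = tmp;
        v->cap = ncap;
    }
    v->data[v->len++] = x;
    return 0;
}

/* Deallocate with the routine that matches malloc/realloc, then clear the
   pointer so no Dangling Pointer remains and a repeated call is free(NULL). */
void intvec_free(intvec *v) {
    free(v->data);
    v->data = NULL;
    v->len = v->cap = 0;
}
```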
Application
Application examples are provided here.