Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated references from C11->C23

...

KlocworkKlocwork3339, 4303, 4304 

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
dangling_pointer_use

Supported

Astrée reports all accesses to freed allocated memory.

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MEM30Detects memory accesses after its deallocation and double memory deallocations
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.UAF

Use after free
Compass/ROSE




Coverity

Include Page
Coverity_V
Coverity_V

USE_AFTER_FREE

Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer

Klocwork
Cppcheck

Include Page

Cppcheck_V

Cppcheck_V

UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST

UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST

LDRA tool suite
Include Page
LDRA_VLDRA_V

51 D, 484 S, 112 D

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_VParasoft_V

CERT_C-MEM30-a

Do not use resources that have been freedParasoft Insure++Runtime analysisPolyspace Bug Finder
Include Page
Polyspace Bug Finder_VPolyspace Bug Finder_V

CERT C: Rule MEM30-C

Checks for use of previously freed pointer (rule partially covered)

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v2731, 2732, 2733PRQA QA-C++
Include Page
cplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_VdoubleFree
deallocret
deallocuse
Partially implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

doubleFree
deallocret
deallocuse
Partially  implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF4866, DF4867, DF4868, DF4871, DF4872, DF4873

C++3339, C++4303, C++4304


Klocwork
Include Page
Klocwork_V
Klocwork_V
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST


LDRA tool suite
Include Page
LDRA_V
LDRA_V

51 D, 484 S, 112 D

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM30-a

Do not use resources that have been freed
Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

449, 2434

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MEM30-C

Checks for:

  • Accessing previously freed pointer
  • Freeing previously freed pointer

Rule partially covered.

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V586, V774
Splint
Include Page
Splint_V
Splint_V



TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

dangling_pointer

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth()

...

Bibliography

[ISO/IEC 9899:20112024]7.2224.3, "Memory Management Functions"
[Kernighan 1988]Section 7.8.5, "Storage Management"
[OWASP Freed Memory]
[MIT 2005]
[Seacord 2013b]Chapter 4, "Dynamic Memory Management"
[Viega 2005]Section 5.2.19, "Using Freed Memory"
[VU#623332]
[xorl 2009]CVE-2009-1364: LibWMF Pointer Use after free()

...