CheckPointer: C Memory Safety Checker

The C Memory Safety Checker diagnoses memory access errors in C programs using a combination of static and dynamic analysis. The tool detects various kinds of memory access faults, including buffer overruns, array access errors, and bad pointer dereferences, at the instant of the access error, and provides precise information about the location of the fault. This allows the programmer to focus on fixing the problem rather than trying to figure out where it is. It is a member of the CheckPointer memory safety checker tools family.

Features

  • Instruments application code to detect memory safety errors
  • Detects at moment of error:
    • Null or invalid pointer value
    • Accesses outside entity from which original pointer derived:
      array, string, structure member, heap, local, global or thread-storage variable
    • Accesses to storage which has been released (even if reallocated):
      locals, heap, thread storage
  • Available for ANSI, C99, C11, GCC3, GCC4 (including C99 extensions) and Microsoft VisualC6 and Visual Studio 2005
  • Provides list of unfreed storage, and location of allocation, at end of execution
  • Custom, instrumented standard C library provided
  • Configurable for interoperation with binary libraries
  • Support for vendor-supplied and custom multithreaded execution
  • Instrumented code can be run in appropriate embedded environments (ask about debugging Windows drivers!)
  • Metadata access optimized to minimize execution time overhead
  • Some static analysis to diagnose certain failures directly, or to eliminate provably unnecessary dynamic checks
  • Works with large applications consisting of tens of thousands of files
  • Consistent style and operation across different dialects of C
  • Probe installer operates on Windows 2003/XP/Vista/7/8/10 and on Linux under Wine
  • Application may run on any platform

Capability and Comparisons

Many safety checking products will not catch access errors inside a struct or C library functions; here is a simple example of CheckPointer that does. You can also see a more complicated example of buggy C code and its execution with and without the safety check.
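The difference between checking against the whole allocation and checking against the struct member a pointer was derived from can be shown in a few lines. The following is an added illustration, not CheckPointer code or output and not a description of its internals; `struct account`, `struct bounds` and all function names are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample type: a buffer followed by a security-relevant field. */
struct account { char name[8]; int is_admin; };

/* Hypothetical bounds metadata kept for a pointer: [base, limit). */
struct bounds { const char *base; const char *limit; };

/* Bounds of the whole object, as an allocation-granularity checker sees it. */
static struct bounds object_bounds(const struct account *a) {
    struct bounds b = { (const char *)a, (const char *)a + sizeof *a };
    return b;
}

/* Bounds of the member the pointer was actually derived from. */
static struct bounds member_bounds(const struct account *a) {
    struct bounds b = { a->name, a->name + sizeof a->name };
    return b;
}

/* Returns 1 if writing len bytes at p stays inside b, otherwise 0. */
static int write_in_bounds(struct bounds b, const char *p, size_t len) {
    return p >= b.base && p <= b.limit && len <= (size_t)(b.limit - p);
}

/* Copies only when the check passes; returns 1 on copy, 0 on a rejected write. */
static int checked_copy(struct bounds b, char *dst, const char *src, size_t len) {
    if (!write_in_bounds(b, dst, len))
        return 0;
    memcpy(dst, src, len);
    return 1;
}

int main(void) {
    struct account a = { "", 0 };
    char input[sizeof a];                 /* constructed oversized input */
    memset(input, 'A', sizeof input);
    /* The write never leaves the struct, so an object-level check accepts it. */
    printf("object-level check accepts: %d\n",
           write_in_bounds(object_bounds(&a), a.name, sizeof input));
    /* Member-level bounds reject it before is_admin can be overwritten. */
    printf("member-level copy performed: %d\n",
           checked_copy(member_bounds(&a), a.name, input, sizeof input));
    printf("is_admin = %d\n", a.is_admin);
    return 0;
}
```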

Here you can read about a comparison of the C CheckPointer tool with similar tools.

Download an evaluation copy.

CWE Juliet Test Suite Results

NIST publishes the Juliet Test Suite to help compare the quality of program analysis tools.

We have run CheckPointer on over 14,195 Juliet tests that are relevant to the C language (as of 2015), with the following results:

  • 13257 cases of expected pointer errors were reported.
  • 908 cases did not report errors. The non-reported cases include ones that contain undefined behavior not related to pointer usage errors (which CheckPointer is not intended to detect), or pointer usage errors that were not exposed by the actual execution (e.g. uninitialized variable contained 0 in actual execution). [We modified some of these examples to ensure that the actual execution did not contain 0 for such variables, and afterwards got an error message as expected.]
  • We have not checked those test cases that involve user input yet.

Unusual Requirements?

Is your dialect not listed, does your code run in an unusual environment, or do you have some custom need? SD can configure a memory safety tool for you! These tools are based on DMS, and inherit DMS's language agility and scalability.

Semantic Designs also provides a variety of other tools.
