frama-c

[ai-review] / critic / c-memory.md

# C Memory Safety Critic Module (ISO/IEC JTC 1/SC 22)

This module guides the Critic role when evaluating C programming code for memory safety issues, proper memory management, and prevention of memory-related vulnerabilities. This critic focuses on dynamic memory allocation, pointer safety, buffer management, and resource cleanup.

## Memory Safety Evaluation Areas

### 1. Dynamic Memory Management
**What to Look For:**
- Proper allocation and deallocation of dynamic memory
- Correct pairing of malloc/free operations
- Appropriate use of memory allocation functions
- Proper handling of allocation failures

**Common Problems:**
- Memory leaks from unmatched malloc/free pairs
- Use after free or double free errors
- Failure to check malloc return values
- Incorrect use of realloc without proper error handling
- Memory fragmentation from inefficient allocation patterns

**Evaluation Questions:**
- Is every malloc() paired with exactly one free()?
- Are malloc() return values checked for NULL?
- Is realloc() used correctly with proper error handling?
- Are allocation failures handled gracefully?
- Is memory deallocated in the correct order?

### 2. Pointer Safety and Validation
**What to Look For:**
- Correct pointer arithmetic and dereferencing
- Proper null pointer checking
- Safe pointer initialization and assignment
- Appropriate use of const and restrict qualifiers

**Common Problems:**
- Dereferencing null or uninitialized pointers
- Improper pointer arithmetic leading to undefined behavior
- Use of dangling pointers to freed memory
- Incorrect pointer type casting
- Missing const qualifiers for read-only data

**Evaluation Questions:**
- Are pointers checked for NULL before dereferencing?
- Is pointer arithmetic performed safely and correctly?
- Are pointers properly initialized before use?
- Are const qualifiers used appropriately?
- Is pointer type casting done safely?

### 3. Buffer Management and Bounds Checking
**What to Look For:**
- Prevention of buffer overflows and underflows
- Proper array bounds validation
- Safe string handling and manipulation
- Correct use of buffer size parameters

**Common Problems:**
- Buffer overruns and array bounds violations
- String operations without proper bounds checking
- Incorrect buffer size calculations
- Use of unsafe string functions (strcpy, sprintf)
- Missing null terminator handling

**Evaluation Questions:**
- Are all array accesses within proper bounds?
- Are string operations performed safely with bounds checking?
- Are buffer sizes validated before use?
- Are unsafe string functions avoided or used safely?
- Is proper null termination maintained?

### 4. Resource Management and Cleanup
**What to Look For:**
- Proper resource acquisition and release
- Cleanup on all code paths including error conditions
- Appropriate use of RAII-like patterns in C
- Memory cleanup in error handling paths

**Common Problems:**
- Resource leaks on error paths
- Inconsistent cleanup patterns
- Missing cleanup in exception-like error handling
- Improper resource ordering in cleanup

**Evaluation Questions:**
- Are resources cleaned up on all code paths?
- Is cleanup performed in the correct order?
- Are error paths properly handled with cleanup?
- Is there consistent resource management throughout the code?
- Are cleanup functions idempotent and safe?

## Memory Safety Criticism Process

### Step 1: Memory Management Audit
1. **Track Allocations**: Identify all dynamic memory allocations
2. **Verify Pairing**: Ensure each allocation has exactly one deallocation
3. **Check Error Handling**: Verify allocation failures are handled
4. **Assess Cleanup**: Ensure cleanup occurs on all code paths

### Step 2: Pointer Safety Assessment
1. **Null Pointer Analysis**: Check for proper null pointer validation
2. **Dangling Pointer Detection**: Identify use of freed memory
3. **Pointer Arithmetic Review**: Verify safe pointer operations
4. **Type Safety Validation**: Check for safe pointer type conversions

### Step 3: Buffer Safety Evaluation
1. **Bounds Checking**: Verify all array accesses are within bounds
2. **String Safety**: Assess string operation safety
3. **Buffer Size Validation**: Check buffer size calculations
4. **Overflow Prevention**: Identify potential buffer overflow scenarios

## Memory Safety Criticism Guidelines

### Focus on Memory Safety Violations
**Good Criticism:**
- "This code has a memory leak - malloc() at line X has no corresponding free()"
- "Potential use-after-free: pointer 'p' is used after being freed at line Y"
- "Buffer overflow: array access at index Z exceeds allocated size"
- "Null pointer dereference: 'ptr' is dereferenced without null check"

**Poor Criticism:**
- "This looks like it might have memory issues"
- "Memory management seems problematic"
- "This could cause memory problems"

### Emphasize Specific Evidence
**Good Criticism:**
- "Memory leak detected: malloc(100) at line 15, no free() in any code path"
- "Buffer overflow: strcpy(dest, src) at line 23, dest size unknown"
- "Use-after-free: pointer freed at line 45, used at line 52"

**Poor Criticism:**
- "This has memory problems"
- "Memory management is wrong"
- "This will cause crashes"

## Memory Safety Problem Categories

### Memory Leak Problems
- **Unmatched Allocation**: malloc() without corresponding free()
- **Lost References**: Pointers to allocated memory that become unreachable
- **Cleanup Omission**: Missing cleanup in error paths or exit conditions
- **Resource Leaks**: File handles, locks, or other resources not released

### Use-After-Free Problems
- **Dangling Pointers**: Using pointers to freed memory
- **Double Free**: Calling free() on already freed memory
- **Stale References**: Using pointers after memory is reallocated
- **Invalid Pointer Arithmetic**: Arithmetic on freed memory

### Buffer Overflow Problems
- **Stack Overflow**: Writing beyond stack-allocated buffer bounds
- **Heap Overflow**: Writing beyond heap-allocated buffer bounds
- **String Overflow**: String operations that exceed buffer capacity
- **Integer Overflow**: Buffer size calculations that overflow

### Pointer Safety Problems
- **Null Pointer Dereference**: Dereferencing null pointers
- **Uninitialized Pointer Use**: Using pointers before initialization
- **Type Casting Issues**: Unsafe pointer type conversions
- **Pointer Arithmetic Errors**: Incorrect pointer arithmetic operations

## Memory Safety Criticism Templates

### For Memory Leak Issues
```
Memory Leak Issue: [Specific memory leak]
Problem: [What causes the memory leak]
Impact: [Memory exhaustion, performance degradation, or resource waste]
Evidence: [Specific allocation and missing deallocation locations]
Recommendation: [Specific fix or cleanup strategy]
Priority: [Critical/High/Medium/Low]
```

### For Use-After-Free Issues
```
Use-After-Free Issue: [Specific use-after-free problem]
Problem: [What makes this unsafe]
Impact: [Potential crashes, corruption, or security vulnerabilities]
Evidence: [Specific code paths showing free and subsequent use]
Recommendation: [Specific fix or alternative approach]
Priority: [Critical/High/Medium/Low]
```

### For Buffer Overflow Issues
```
Buffer Overflow Issue: [Specific buffer overflow]
Problem: [What causes the buffer overflow]
Impact: [Potential crashes, corruption, or security vulnerabilities]
Evidence: [Specific code showing buffer access and size]
Recommendation: [Specific fix or bounds checking approach]
Priority: [Critical/High/Medium/Low]
```

## Memory Safety Evaluation Metrics

### Quantitative Metrics
- **Memory Leak Count**: Number of unmatched allocations detected
- **Use-After-Free Count**: Number of potential use-after-free scenarios
- **Buffer Overflow Count**: Number of potential buffer overflow scenarios
- **Null Pointer Count**: Number of potential null pointer dereferences

### Qualitative Metrics
- **Static Analysis Integration**: Integration with tools like Valgrind, AddressSanitizer
- **Memory Safety Coverage**: Percentage of memory operations analyzed
- **False Positive Rate**: Accuracy of memory safety issue detection
- **Tool Compatibility**: Ability to verify issues with existing tools

## Memory Safety Criticism Checklist

### Memory Management Assessment
- [ ] Are all memory allocations properly paired with deallocations?
- [ ] Are malloc() return values checked for NULL?
- [ ] Is memory deallocated in the correct order?
- [ ] Are allocation failures handled gracefully?
- [ ] Is cleanup performed on all code paths?

### Pointer Safety Assessment
- [ ] Are all pointer dereferences safe and defined?
- [ ] Are pointers checked for NULL before dereferencing?
- [ ] Is pointer arithmetic performed safely and correctly?
- [ ] Are const and restrict qualifiers used appropriately?
- [ ] Are pointer type conversions done safely?

### Buffer Safety Assessment
- [ ] Are all array accesses within proper bounds?
- [ ] Are string operations performed safely with bounds checking?
- [ ] Are buffer sizes validated before use?
- [ ] Are unsafe string functions avoided or used safely?
- [ ] Is proper null termination maintained?

### Resource Management Assessment
- [ ] Are resources properly managed on all code paths?
- [ ] Is cleanup performed in the correct order?
- [ ] Are error paths properly handled with cleanup?
- [ ] Is there consistent resource management throughout?
- [ ] Are cleanup functions idempotent and safe?

## Memory Safety Evaluation Questions

### For Any C Code
1. **Is every malloc() paired with exactly one free()?**
2. **Are all array accesses within proper bounds?**
3. **Are pointers checked for NULL before dereferencing?**
4. **Is pointer arithmetic performed safely and correctly?**
5. **Are const and restrict qualifiers used appropriately?**

### For Library Code
1. **Are all public interfaces documented with memory ownership rules?**
2. **Is thread safety clearly specified and implemented correctly?**
3. **Are all parameters validated appropriately?**
4. **Is the API design consistent with memory management conventions?**
5. **Are all resources properly managed by the library?**

### For System Code
1. **Are all system calls checked for errors?**
2. **Is privilege escalation handled securely?**
3. **Are buffer sizes validated before use?**
4. **Is concurrency handled correctly?**
5. **Are all security implications considered and addressed?**

## Error Handling and Fallback Strategies

### When Memory Analysis is Incomplete
- **Strategy**: "Insufficient context for complete memory analysis, focus on observable issues"
- **Action**: Analyze only the provided code without making assumptions about missing parts
- **Fallback**: Identify potential issues that can be verified with additional context

### When Static Analysis Tools are Unavailable
- **Strategy**: "Recommend static analysis tools for comprehensive memory safety verification"
- **Action**: Suggest tools like Valgrind, AddressSanitizer, or static analyzers
- **Fallback**: Focus on manual code review of obvious memory safety issues

### When Memory Patterns are Complex
- **Strategy**: "Complex memory patterns detected, recommend simplified approaches"
- **Action**: Suggest simpler memory management patterns or RAII-like abstractions
- **Fallback**: Document assumptions and recommend verification with tools

## Continuous Improvement Metrics

### Performance Tracking
- **Memory Issue Detection Rate**: Track ability to identify memory safety problems
- **False Positive Rate**: Monitor incorrect memory safety accusations
- **Tool Integration Success**: Measure effectiveness of static analysis tool integration
- **Developer Feedback**: Collect feedback on memory safety criticism helpfulness

### Improvement Areas
- **Static Analysis Integration**: Integration with memory safety analysis tools
- **Pattern Recognition**: Build database of common memory safety patterns
- **Tool Recommendations**: Develop recommendations for appropriate analysis tools
- **Expert Review**: Periodic review by memory safety experts