CL.MLK.ASSIGN

Memory leak in an assignment operator

This is a class-level (CL) checker that reports a potential memory leak in operator=. Klocwork reports CL.MLK.ASSIGN when a class that allocates dynamic memory in its constructor overwrites the corresponding pointers in operator= without first releasing the memory and/or decrementing the proper reference counter. This can lead to a memory leak.

Vulnerability and risk

Memory leaks cause the application to consume additional memory. This reduces the amount of memory available to other applications and eventually causes the operating system to start paging, slowing the system down. In critical cases, the application will reach overall memory limits, which may result in application crashes.

Vulnerable code example 1

    class C {
    public:
        C() { ip = new int; }
        ~C() { delete ip; }
        C& operator=(const C& rhs) {
            if (this == &rhs) return *this;
            ip = new int;      // memory pointed to by ip is leaked
            *ip = *rhs.ip;
            return *this;
        }
    private:
        C(const C&);
        int* ip;
    };

In this example, the memory pointed to by ip is not released before the pointer is overwritten. Since memory is allocated to this pointer in the constructor, the assignment leads to a possible memory leak, which Klocwork reports as CL.MLK.ASSIGN.

Fixed code example 1

    class C {
    public:
        C() { ip = new int; }
        ~C() { delete ip; }
        C& operator=(const C& rhs) {
            if (this == &rhs) return *this;
            delete ip;
            ip = new int;
            *ip = *rhs.ip;
            return *this;
        }
    private:
        C(const C&);
        int* ip;
    };

In fixed example 1, the dynamic memory pointed to by ip is released at line 7 (delete ip;) prior to the assignment of a new value.

Vulnerable code example 2

    class counted {
    public:
        counted() { counter = 1; }
        void addRef() { counter++; }
        void decRef() { counter--; if (counter == 0) delete this; }
        /* other methods */
    private:
        int counter;
        /* other members */
    };

    class C {
    public:
        C() { cp = new counted; }
        ~C() { cp->decRef(); }
        C& operator=(const C& rhs) {
            if (this == &rhs) return *this;
            cp = rhs.cp;    // CL.MLK.ASSIGN reported
            cp->addRef();
            return *this;
        }
    private:
        C(const C&);
        counted* cp;
    };

In this example, the reference counter of the memory pointed to by cp is not decremented before the pointer is overwritten. This can lead to memory leaks and is reported by Klocwork as CL.MLK.ASSIGN.

Fixed code example 2

    class counted {
    public:
        counted() { counter = 1; }
        void addRef() { counter++; }
        void decRef() { counter--; if (counter == 0) delete this; }
        /* other methods */
    private:
        int counter;
        /* other members */
    };

    class C {
    public:
        C() { cp = new counted(); }
        ~C() { cp->decRef(); }
        C& operator=(const C& rhs) {
            if (this == &rhs) return *this;
            cp->decRef();
            cp = rhs.cp;
            cp->addRef();
            return *this;
        }
    private:
        C(const C&);
        counted* cp;
    };

Now, the reference counter is decremented, and no defect is reported.
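The difference between vulnerable and fixed example 2 can be measured at run time. The following is an added example, not Klocwork's own code: it instruments counted with a live-object counter and runs both forms of operator= through the same create, assign, destroy sequence. The names g_live, Handle, ReleaseOld and leaked_after_assignment are assumptions introduced for this illustration.

```cpp
#include <cstdio>

// Constructed instrumentation: counts `counted` objects currently alive.
static int g_live = 0;

class counted {
public:
    counted() : counter(1) { ++g_live; }
    void addRef() { ++counter; }
    void decRef() { if (--counter == 0) delete this; }
private:
    ~counted() { --g_live; }   // only decRef() may destroy the object
    int counter;
};

// ReleaseOld=false is the page's vulnerable operator=, true the fixed one.
template <bool ReleaseOld>
class Handle {
public:
    Handle() : cp(new counted) {}
    ~Handle() { cp->decRef(); }
    Handle& operator=(const Handle& rhs) {
        if (this == &rhs) return *this;
        if (ReleaseOld) cp->decRef();   // drop our reference to the old object
        cp = rhs.cp;
        cp->addRef();
        return *this;
    }
private:
    Handle(const Handle&);  // non-copyable, as in the page's class C
    counted* cp;
};

// Live `counted` objects after create/assign/destroy; above 0 is a leak.
template <bool ReleaseOld>
int leaked_after_assignment() {
    g_live = 0;
    {
        Handle<ReleaseOld> a, b;
        a = b;   // a's original object loses its only owner here
    }
    return g_live;
}

int main() {
    std::printf("vulnerable operator=: %d leaked\n", leaked_after_assignment<false>());
    std::printf("fixed operator=:      %d leaked\n", leaked_after_assignment<true>());
    return 0;
}
```

With the vulnerable form, the object originally owned by a is never released, because its counter stays at 1 after the pointer to it has been overwritten.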

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.