{"paper":{"title":"Finding Memory Leaks in C/C++ Programs via Neuro-Symbolic Augmented Static Analysis","license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","headline":"MemHint augments static analyzers with LLMs and Z3 to detect 52 memory leaks in 3.4 million lines of C/C++ code.","cross_cats":["cs.CR"],"primary_cat":"cs.SE","authors_text":"Bo Wang, David Lo, Huihui Huang, Jieke Shi, Zhou Yang","submitted_at":"2026-03-28T10:31:58Z","abstract_excerpt":"Memory leaks remain prevalent in real-world C/C++ software. Static analyzers such as CodeQL provide scalable program analysis but frequently miss such bugs because they cannot recognize project-specific custom memory-management functions and lack path-sensitive control-flow modeling. We present MemHint, a neuro-symbolic pipeline that addresses both limitations by combining LLMs' semantic understanding of code with Z3-based symbolic reasoning. MemHint parses the target codebase and applies an LLM to classify each function as a memory allocator, deallocator, or neither, producing function summar"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"On seven real-world C/C++ projects totaling over 3.4M lines of code, MemHint detects 52 unique memory leaks (49 confirmed/fixed, 4 CVEs submitted) at approximately $1.7 per detected bug, compared to 19 by vanilla CodeQL and 3 by vanilla Infer.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The LLM produces accurate classifications of custom memory functions and ownership semantics, and Z3 correctly identifies feasible versus infeasible paths without missing real leaks or introducing excessive false negatives.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"MemHint combines LLM classification of custom memory functions with Z3 path validation to augment CodeQL and Infer, detecting 52 memory leaks (49 confirmed) across 3.4M LOC versus 19 and 3 by vanilla tools.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"MemHint augments static analyzers with LLMs and Z3 to detect 52 memory leaks in 3.4 million lines of C/C++ code.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"7eaf3af722be0d46e0951cfc04b05c97e072b80eae6dc997ed31262f2935fac6"},"source":{"id":"2603.27224","kind":"arxiv","version":4},"verdict":{"id":"ffb8e92b-abbd-4bb6-b0ee-ac8a3e6f8473","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T22:30:44.761213Z","strongest_claim":"On seven real-world C/C++ projects totaling over 3.4M lines of code, MemHint detects 52 unique memory leaks (49 confirmed/fixed, 4 CVEs submitted) at approximately $1.7 per detected bug, compared to 19 by vanilla CodeQL and 3 by vanilla Infer.","one_line_summary":"MemHint combines LLM classification of custom memory functions with Z3 path validation to augment CodeQL and Infer, detecting 52 memory leaks (49 confirmed) across 3.4M LOC versus 19 and 3 by vanilla tools.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The LLM produces accurate classifications of custom memory functions and ownership semantics, and Z3 correctly identifies feasible versus infeasible paths without missing real leaks or introducing excessive false negatives.","pith_extraction_headline":"MemHint augments static analyzers with LLMs and Z3 to detect 52 memory leaks in 3.4 million lines of C/C++ code."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2603.27224/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}