Finding Memory Leaks in C/C++ Programs via Neuro-Symbolic Augmented Static Analysis

📅 2026-03-28
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Existing static analysis tools often miss memory leaks in C/C++ programs due to their inability to recognize custom memory management functions and lack of path sensitivity. This work proposes MemHint, the first approach that integrates neural semantic understanding from large language models with Z3-based symbolic execution to automatically identify and model project-specific memory allocation and deallocation functions while verifying their path feasibility. By enhancing the capabilities of CodeQL and Infer, MemHint significantly improves leak detection accuracy. Evaluated on seven real-world projects totaling 3.4 million lines of code, MemHint discovered 52 memory leaks (47 of which have been fixed, including four assigned CVEs) at an average cost of only $1.70 per vulnerability, substantially outperforming the native tools.
πŸ“ Abstract
Memory leaks remain prevalent in real-world C/C++ software. Static analyzers such as CodeQL provide scalable program analysis but frequently miss such bugs because they cannot recognize project-specific custom memory-management functions and lack path-sensitive control-flow modeling. We present MemHint, a neuro-symbolic pipeline that addresses both limitations by combining LLMs' semantic understanding of code with Z3-based symbolic reasoning. MemHint parses the target codebase and applies an LLM to classify each function as a memory allocator, deallocator, or neither, producing function summaries that record which argument or return value carries memory ownership, extending the analyzer's built-in knowledge beyond standard primitives such as malloc and free. A Z3-based validation step checks each summary against the function's control-flow graph, discarding those whose claimed memory operation is unreachable on any feasible path. The validated summaries are injected into CodeQL and Infer via their respective extension mechanisms. Z3 path feasibility filtering then eliminates warnings on infeasible paths, and a final LLM-based validation step confirms whether each remaining warning is a genuine bug. On seven real-world C/C++ projects totaling over 3.4M lines of code, MemHint detects 52 unique memory leaks (47 confirmed/fixed, 4 CVEs submitted) at approximately $1.7 per detected bug, compared to 19 by vanilla CodeQL and 3 by vanilla Infer.
Problem

Research questions and friction points this paper is trying to address.

memory leaks
static analysis
C/C++ programs
custom memory-management functions
path-sensitive control-flow
Innovation

Methods, ideas, or system contributions that make the work stand out.

neuro-symbolic
memory leak detection
large language models
symbolic reasoning
static analysis