It's intended to ensure that memory allocated by functions in the Keychain Services API is deallocated in the correct manner by the caller. For instance, SecKeychainFindGenericPassword returns password data via an output parameter. The caller is required to deallocate this data via SecKeychainItemFreeContent rather than alternative APIs like free. Failing to use the correct API can leave sensitive data (e.g., the password) in memory.
You can see the implementation of this checker in the LLVM SVN repository if you're interested in more detail.
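The pairing described above, as an added example (not code from this answer or from LLVM): the buffer returned by SecKeychainFindGenericPassword is handed back through SecKeychainItemFreeContent instead of free. check_password and keychain_frees are hypothetical names, and the #else branch holds constructed stand-ins so the code also builds off macOS.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <Security/Security.h>   /* real API; link with -framework Security */
#else
/* Constructed stand-ins (NOT the Security framework) so the pairing can be
 * built and tested off macOS; they keep the real calls' parameter order. */
typedef int32_t OSStatus;
typedef uint32_t UInt32;
static int keychain_frees;       /* releases made through the paired API */
static OSStatus SecKeychainFindGenericPassword(const void *kc, UInt32 slen,
        const char *svc, UInt32 alen, const char *acct,
        UInt32 *plen, void **pdata, void *item) {
    static const char sample[] = "constructed-sample";  /* constructed value */
    (void)kc; (void)slen; (void)svc; (void)alen; (void)acct; (void)item;
    *plen = (UInt32)(sizeof sample - 1);
    *pdata = malloc(*plen);
    if (*pdata == NULL) return -1;
    memcpy(*pdata, sample, *plen);
    return 0;
}
static OSStatus SecKeychainItemFreeContent(void *attrs, void *data) {
    (void)attrs; keychain_frees++; free(data); return 0;
}
#endif

/* Hypothetical helper: 1 if candidate equals the stored password, 0 if not,
 * -1 if the lookup failed. The password buffer never outlives this call. */
int check_password(const char *svc, const char *acct, const char *candidate) {
    UInt32 len = 0;
    void *data = NULL;
    OSStatus st = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(svc), svc,
                      (UInt32)strlen(acct), acct, &len, &data, NULL);
    if (st != 0 || data == NULL)
        return -1;                          /* nothing allocated, nothing to free */
    const unsigned char *pw = data;
    unsigned char diff = (strlen(candidate) != len);
    for (UInt32 i = 0; i < len && candidate[i] != '\0'; i++)
        diff |= (unsigned char)(pw[i] ^ (unsigned char)candidate[i]);
    /* free(data) at this point is the mismatch the checker reports: the
     * buffer must go back through the API that allocated it. */
    SecKeychainItemFreeContent(NULL, data);
    return diff == 0;
}
```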