Any pointers about the approach used by this tool to catch leaks?

They are giving a presentation at ACCU 2017 tomorrow. [0] I will find out and report back. :)

[0] https://conference.accu.org/site/stories/2017/sessions.html#...

(Apparently chap was previously called ah64)

No idea on what this tool does, but I guess you could emulate what a (terrible) GC does and bruteforce stack and memory for valid pointers. You know which pointers are valid from analyzing the heap management info, hence why this only works for glibc malloc (would have to implement on a case by case basis).

As a guess, you can view this as the same problem as a garbage collector for C programs.