From cbfalconer at yahoo.com Sat Nov 1 13:16:18 2003
From: cbfalconer at yahoo.com (CBFalconer)
Date: Wed Mar 22 17:10:18 2006
Subject: [splint-discuss] Help with mmap() and abstract data type annotations
References:
Message-ID: <3FA3F872.79B02238@yahoo.com>

David Hawkins wrote:
> ... snip ...
>
> I've been adding casts to function calls where
> appropriate to remove splint warnings. Since
> I plan to run splint on code as I write and
> test blocks of it, I'm quite happy with this
> slight typing overhead. If you recommend an
> alternate approach, I'm happy to listen.

Please don't top-post.

I strongly recommend against the casual use of casts, especially
to shut up warnings. The result may be warning free, but can
easily contain fatal errors. You are immediately overriding the
compiler's (and splint is a form of compiler) judgement with your
own, and stating 'ignore this'. Unnecessary casts are most
likely to be a sign of faulty initial thinking.

--
Chuck F (cbfalconer@yahoo.com) (cbfalconer@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
   USE worldnet address!

From dwh at ovro.caltech.edu Sat Nov 1 14:45:12 2003
From: dwh at ovro.caltech.edu (David Hawkins)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] Help with mmap() and abstract data type annotations
In-Reply-To: <3FA3F872.79B02238@yahoo.com>
Message-ID:

Hi Chuck,

> Please don't top-post.

Enlighten me? What do you mean by 'top-post'?
And sorry for doing it :)

> I strongly recommend against the casual use of casts,
> especially to shut up warnings. The result may be
> warning free, but can easily contain fatal errors.
> You are immediately overriding the compiler's (and
> splint is a form of compiler) judgement with your
> own, and stating 'ignore this'. Unnecessary casts
> are most likely to be a sign of faulty initial thinking.

Ok good. I posted what I had been doing to get feedback
on what I should be doing. So any chance you could
indicate the appropriate way to proceed?

I'm trying to 'improve' my coding style and work habits.
Splint 'encourages' me to do this, so I'd like to
work out how to use it correctly.

So for example, when determining the length of a string,
and assigning it to an int, then passing it off to
a string function and getting a size_t warning,
what should I have really done? Used a size_t right
from the outset is one answer, but is that the
only? How about accessing register values, a hardware
register is defined as a 'volatile unsigned int',
but when I manipulate it, it's no longer volatile
once inside a variable ... in that case a cast
to 'unsigned int' seems appropriate.

Many thanks,
Dave Hawkins.
Owens Valley Radio Observatory.
Caltech.

From Jay.St.Pierre at Colorado.EDU Sat Nov 1 16:33:02 2003
From: Jay.St.Pierre at Colorado.EDU (Jay A. St. Pierre)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
Message-ID:

Just checking to see if there is any response to my followup
questions... thanks.

-Jay

---------- Forwarded message ----------
Date: Tue, 21 Oct 2003 10:13:06 -0600 (MDT)
From: Jay A. St. Pierre
Reply-To: splint-discuss@cs.virginia.edu
To: splint-discuss@cs.virginia.edu
Subject: Re: [splint-discuss] bug with -load flag

On Tue, 21 Oct 2003, David Evans wrote:

> On Mon, 20 Oct 2003, Jay A. St. Pierre wrote:
>
> > I have the following piece of code:
> >
> >   #include
> >   #include
> >   #include
> >   ...
> >
> > When I run splint with no arguments, I get:
> >
> >   $ splint foo.c
> >   Splint 3.1.1 --- 20 May 2003
> >
> >   Finished checking --- no warnings
> >
> > Now, when I run it using the -load flag to tell it to load the
> > standard.lcd file that comes with splint, I get:
> >
> >   $ splint +load /opt/splint-3.1.1/share/splint/lib/standard.lcd foo.c
> >   Splint 3.1.1 --- 20 May 2003
> >
> >   foo.c:3:21: Cannot find include file stdbool.h on search path:
> >                  /usr/include;/opt/splint-3.1.1/include
> >   Preprocessing error. (Use -preproc to inhibit warning)
> >   Preprocessing error for file: /tmp/foo.c
> >   *** Cannot continue.
> >
>
> Splint only skips the ANSI standard headers if the library is used. In
> this case, it doesn't know that the +load .../standard.lcd is the standard
> library, so it doesn't skip the standard headers.

But shouldn't it skip the standard headers if I include the
+skip-iso-headers (or +skip-ansi-headers) flag? This does not
seem to work:

  $ splint +load /opt/splint-3.1.1/share/splint/lib/standard.lcd \
    +skip-iso-headers foo.c

  Command Line: Setting +skipisoheaders redundant with current value
  foo.c:3:21: Cannot find include file stdbool.h on search path:
                 /usr/include;/opt/splint-3.1.1/include
  Preprocessing error. (Use -preproc to inhibit warning)
  Preprocessing error for file: /tmp/foo.c
  *** Cannot continue.

> Note that when you generate a library running splint on your
> code with the standard library, the generated library includes
> this information that it was produced using the standard
> library (or unix, posix library as the case may be) and will
> skip the appropriate headers. So, I'm not sure I understand
> why you are running into this problem when you generate your
> libraries with the POSIX real time extensions. The
> standard.lcd doesn't include that information (since it wasn't
> generated from a splint run that used the standard library),
> but it probably should so the behavior is the same whether you
> load it explicitly or normally.

Referring to the above example, if it's not skipping the iso
headers because I'm explicitly loading standard.lcd, why does it
complain "+skipisoheaders redundant with current value" when I
use the +skip-iso-headers flag? Am I not understanding the
+skip-iso-headers flag correctly?

As a further note, the library we are creating is just a small
superset of the posix.lcd that comes with splint.
We create a posix-rte.h that has annotated POSIX.4 structures,
constants, and prototypes, then we run the command:

  splint -nolib standard.h posix.h posix-rte.h -dump posix-rte

Then we use this library to check our code. Using the
+skip-posix-headers flag with this library generates the
"redundant" complaint, and by and large seems to work fine.
So far it's just code that is including gcc-3.2.3's stdarg.h that
exhibits this problem.

Thanks for your time.

-Jay

_______________________________________________
splint-discuss mailing list
splint-discuss@cs.virginia.edu
http://www.splint.org/mailman/listinfo/splint-discuss

From evans at cs.virginia.edu Sat Nov 1 18:09:19 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
In-Reply-To:
References:
Message-ID:

> > Splint only skips the ANSI standard headers if the library is used. In
> > this case, it doesn't know that the +load .../standard.lcd is the standard
> > library, so it doesn't skip the standard headers.
>
> But shouldn't it skip the standard headers if I include the
> +skip-iso-headers (or +skip-ansi-headers) flag? This does not
> seem to work:
>
>   $ splint +load /opt/splint-3.1.1/share/splint/lib/standard.lcd \
>     +skip-iso-headers foo.c
>
>   Command Line: Setting +skipisoheaders redundant with current value
>   foo.c:3:21: Cannot find include file stdbool.h on search path:
>                  /usr/include;/opt/splint-3.1.1/include
>   Preprocessing error. (Use -preproc to inhibit warning)
>   Preprocessing error for file: /tmp/foo.c
>   *** Cannot continue.
>

No, it only skips the headers if the appropriate library is used. The
+skipisoheaders flag is set by default, but only skips libraries if a
standard library is used. It might make sense to change the meaning of
these flags, but that's what they mean now.

> As a further note, the library we are creating is just a small
> superset of the posix.lcd that comes with splint. We create a
> posix-rte.h that has annotated POSIX.4 structures, constants, and
> prototypes, then we run the command:
>
>   splint -nolib standard.h posix.h posix-rte.h -dump posix-rte
>
> Then we use this library to check our code. Using the
> +skip-posix-headers flag with this library generates the
> "redundant" complaint, and by and large seems to work fine.
> So far it's just code that is including gcc-3.2.3's stdarg.h that
> exhibits this problem.
>

One (somewhat awkward) workaround would be to rename your posix-rte
library to replace the posix.lcd standard library, so it would skip the
headers like you want. Another solution would be to change the lcllib.c
code to make the skip header flags behave like you want (remove the &&
context_usingAnsiLibrary ()) clause on line 169.

--- Dave

From roland.illig at gmx.de Sat Nov 1 19:06:46 2003
From: roland.illig at gmx.de (Roland Illig)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] memory leak detection
Message-ID: <20031102000646.GA19119@informatik.uni-hamburg.de>

Hi,

I don't understand the following C program.

------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern int main(void)
/*@globals fileSystem, errno, stderr; @*/
/*@modifies fileSystem, *stderr; @*/
{
    /*@only@*/ char *last_string = NULL;

    while (1 == 1) {
        /*@only@*/ char *this_string;

        this_string = malloc((size_t) 1234);
        if (this_string == NULL) {
            perror("");
            exit(EXIT_FAILURE);
            /*@notreached@*/
        }
/*20*/  *this_string = '\0';

        if (last_string == NULL) {
/*23*/      last_string = this_string;
        } else {
            last_string = realloc(last_string, (size_t) 100);
            if (last_string == NULL) {
                perror("");
                exit(EXIT_FAILURE);
                /*@notreached@*/
            }
            strcpy(last_string, this_string);
            free(this_string);
/*33*/  }
    }
    if (last_string != NULL) {
        free(last_string);
    }
    return 0;
}
------------------------------------------------------------------
front-decode.c: (in function main)
front-decode.c:33:9: Variable this_string is released in false branch, but live
    in true branch.
  The state of a variable is different depending on which branch is taken. This
  means no annotation can sensibly be applied to the storage. (Use -branchstate
  to inhibit warning)
   front-decode.c:33:9: in false branch:
      front-decode.c:32:18: Storage this_string released
   front-decode.c:33:9: in true branch:
      front-decode.c:20:9: Storage this_string defined
------------------------------------------------------------------

What I don't understand is the following: I have two /*@only@*/ strings.
After the assignment in line 23 this_string should be considered dead
(according to the manual) but it isn't.

Roland

From evans at cs.virginia.edu Sat Nov 1 21:58:46 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] memory leak detection
In-Reply-To: <20031102000646.GA19119@informatik.uni-hamburg.de>
References: <20031102000646.GA19119@informatik.uni-hamburg.de>
Message-ID:

> front-decode.c: (in function main)
> front-decode.c:33:9: Variable this_string is released in false branch, but live
>     in true branch.
>   The state of a variable is different depending on which branch is taken. This
>   means no annotation can sensibly be applied to the storage. (Use -branchstate
>   to inhibit warning)
>    front-decode.c:33:9: in false branch:
>       front-decode.c:32:18: Storage this_string released
>    front-decode.c:33:9: in true branch:
>       front-decode.c:20:9: Storage this_string defined
>
> ------------------------------------------------------------------
>
> What I don't understand is the following: I have two /*@only@*/ strings.
> After the assignment in line 23 this_string should be considered dead
> (according to the manual) but it isn't.
>

Splint's analysis isn't sophisticated enough to figure this out. If you
do,

     free(this_string);
     this_string = NULL;

it will prevent the warning.

--- Dave

From cbfalconer at yahoo.com Sat Nov 1 17:10:23 2003
From: cbfalconer at yahoo.com (CBFalconer)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] Help with mmap() and abstract data type annotations
References:
Message-ID: <3FA42F4F.895C9412@yahoo.com>

David Hawkins wrote:
>
> > Please don't top-post.
>
> Enlighten me? What do you mean by 'top-post'?
> And sorry for doing it :)

Top posting is posting before the quoted material to which you
are replying, which you did before, but not this time. It is
encouraged by brain-dead software such as Outhouse Excretion.

It is also considered polite to retain attributions for any
material you quote, but not for quoted material you snip because
it is not germane to your reply.

>
> > I strongly recommend against the casual use of casts,
> > especially to shut up warnings. The result may be
> > warning free, but can easily contain fatal errors.
> > You are immediately overriding the compiler's (and
> > splint is a form of compiler) judgement with your
> > own, and stating 'ignore this'. Unnecessary casts
> > are most likely to be a sign of faulty initial thinking.
>
> Ok good. I posted what I had been doing to get feedback
> on what I should be doing. So any chance you could
> indicate the appropriate way to proceed?
>
> I'm trying to 'improve' my coding style and work habits.
> Splint 'encourages' me to do this, so I'd like to
> work out how to use it correctly.
>
> So for example, when determining the length of a string,
> and assigning it to an int, then passing it off to
> a string function and getting a size_t warning,
> what should I have really done? Used a size_t right
> from the outset is one answer, but is that the

That obviously depends. The strlen function returns a size_t,
and if it is to be supplied to something requiring a size_t what
possible purpose can there be to casting it? Why should its
value ever be stored in an int?

> only? How about accessing register values, a hardware
> register is defined as a 'volatile unsigned int',
> but when I manipulate it, it's no longer volatile
> once inside a variable ... in that case a cast
> to 'unsigned int' seems appropriate.

Volatile etc. does not define a hardware register - it simply
says that the value contained therein may spontaneously change.
The description applies to the storage location, not to the
value.

The question by itself indicates that you need to look more
deeply into the guarantees that do and do not apply to your data
and code. would be a useful resource. Similarly the ISO C
standard.

Splint is a tool, and usage requires judgement, just as with any
other tool.

--
Chuck F (cbfalconer@yahoo.com) (cbfalconer@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
   USE worldnet address!

From roland.illig at gmx.de Sun Nov 2 05:34:27 2003
From: roland.illig at gmx.de (Roland Illig)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] memory leak detection
In-Reply-To:
References: <20031102000646.GA19119@informatik.uni-hamburg.de>
Message-ID: <20031102103427.GA3561@informatik.uni-hamburg.de>

On Sat, Nov 01, 2003 at 09:58:46PM -0500, David Evans wrote:
>
> Splint's analysis isn't sophisticated enough to figure this out. If you
> do,
>
>      free(this_string);
>      this_string = NULL;
>
> it will prevent the warning.

I just checked the manual, and in clause 5.2.1#5 it states that

  "After the release obligation is transferred, the original reference
   is a dead pointer and the storage it points to may not be used."

5.2.1#3 says:

  * assign it to an external reference declared with an only annotation

According to these statements, the following program should be ok,
shouldn't it?

------------------------------------------------------------------
typedef /*@only@*/ /*@null@*/ char *cstring;

/*@external@*/ extern cstring make_string(const char *) /*@*/;

extern int main(void)
{
    cstring oldstr = NULL;
    cstring newstr = make_string("newstr");

    if (oldstr == NULL) {
        oldstr = newstr;
        /* oldstr should be live */
        /* newstr should be dead */
    } else {
        free(oldstr);
        oldstr = make_string("oldstr");
        /* oldstr should be live */
        free(newstr);
        /* newstr should be dead */
    }
    free(oldstr);
    return 0;
}
------------------------------------------------------------------

Roland

From evans at cs.virginia.edu Sun Nov 2 09:59:05 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] memory leak detection
In-Reply-To: <20031102103427.GA3561@informatik.uni-hamburg.de>
References: <20031102000646.GA19119@informatik.uni-hamburg.de> <20031102103427.GA3561@informatik.uni-hamburg.de>
Message-ID:

On Sun, 2 Nov 2003, Roland Illig wrote:

> On Sat, Nov 01, 2003 at 09:58:46PM -0500, David Evans wrote:
> >
> > Splint's analysis isn't sophisticated enough to figure this out. If you
> > do,
> >
> >      free(this_string);
> >      this_string = NULL;
> >
> > it will prevent the warning.
>
> I just checked the manual, and in clause 5.2.1#5 it states that
>
>   "After the release obligation is transferred, the original reference
>    is a dead pointer and the storage it points to may not be used."
>
> 5.2.1#3 says:
>
>   * assign it to an external reference declared with an only annotation
>
> According to these statements, the following program should be ok,
> shouldn't it?
>

The warning isn't complaining directly about a memory leak here --- it's
complaining about the state of this_string being different along two
paths. Along the true path, it does

   last_string = this_string;

which makes this_string dependent (but live). On the false branch, it
does free(this_string) which makes this_string dead.
As the warning explains,

  The state of a variable is different depending on which branch is taken. This
  means no annotation can sensibly be applied to the storage. (Use -branchstate
  to inhibit warning)

Splint's analysis avoids path explosion by merging states after
multi-path statements, but in this case the states are inconsistent so a
warning is produced. If splint had more path sensitive analyses, or
dealt with local variable assignments in a better way, it would be able
to avoid producing the spurious warning here.

--- Dave

From Jay.St.Pierre at Colorado.EDU Sun Nov 2 14:19:17 2003
From: Jay.St.Pierre at Colorado.EDU (Jay A. St. Pierre)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
In-Reply-To:
Message-ID:

On Sat, 1 Nov 2003, David Evans wrote:

> One (somewhat awkward) workaround would be to rename your
> posix-rte library to replace the posix.lcd standard library, so
> it would skip the headers like you want. Another solution
> would be to change the lcllib.c code to make the skip header
> flags behave like you want (remove the &&
> context_usingAnsiLibrary ()) clause on line 169.

I patched the code as you suggested and that appears to fix our
problem.

I would think creating extended libraries that are supersets of
the iso and posix libraries would be relatively common.
Therefore I would support your suggestion that the meanings of
the "skip-headers" flags be adjusted. I would submit a patch, if
I knew the code well enough, but it's not obvious to me how to set
the default value of the flags depending on whether the internal
iso or posix libraries are used.

Thanks very much for your help.

-Jay

From evans at cs.virginia.edu Sun Nov 2 15:33:56 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] Abstract data type annotation help
In-Reply-To:
References:
Message-ID:

On Wed, 29 Oct 2003, David Hawkins wrote:

>
> Hi,
>
> Thanks Dave for the annotation suggestions yesterday.
> I've reposted the splintTest3.c code. Checking
> this code using
>
>   splint +unixlib splintTest3.c
>
> Gives this one last error:
>
> splintTest3.c: (in function openHandle)
> splintTest3.c:128:11: Function returns with null storage derivable from
> global
>                          file_handle[]->base
>   A possibly null pointer is reachable from a parameter or global variable
> that
>   is not declared using a /*@null@*/ annotation. (Use -nullstate to inhibit
>   warning)
>    splintTest3.c:127:25: Storage file_handle[]->base becomes null
>
> Now, it's possible that splint is confused due to the
> use of mmap here. The code checks for a valid
> return value from mmap, so there is no way that
> base will be null when assigning to file_handle[]->base.
> If this is a spurious warning, then I guess I could
> always add an if (base == NULL) test. Suggestions?
>

The problem is splint does not know that the MAP_FAILED constant is
null, so the check,

    if(base == (int *) MAP_FAILED) {
        (void)close(fd);
        return -1;
    }

isn't enough to convince splint that base is not NULL. I don't believe
MAP_FAILED is necessarily NULL, but it is probably the case the mmap
either returns a non-NULL pointer or MAP_FAILED, so after the if we know
base is non-NULL. To be sure, you can do assert (base != NULL) after
the if.

> There were several other errors due to the use of the
> local variable FILE_HANDLE fh in openHandle(). I added
> the annotation /*@temp@*/ - is that the correct annotation?
> My thinking for using it was that fh is a temporary
> variable, and that ownership was being passed to
> the global array. However, I thought that the
> annotation of only in the FILE_HANDLE type
> definition would have implied that the local
> FILE_HANDLE variable fh was passing ownership
> over to the global, and hence no annotation
> would be necessary. Care to comment/explain
> what's going on here?
>

I don't get any of these errors when I run splint normally, but perhaps
you are setting the -accessmodule flag to prevent the module where
FILE_HANDLE is defined from having access to its representation. (Then,
there are many warnings about accessing the representation of
FILE_HANDLE.) Adding the /*@temp@*/ annotation to a local variable
declaration doesn't affect this, so I'm not sure what the problem is.

--- Dave

From Jay.St.Pierre at Colorado.EDU Sun Nov 2 23:56:16 2003
From: Jay.St.Pierre at Colorado.EDU (Jay A. St. Pierre)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
In-Reply-To:
Message-ID:

On Sun, 2 Nov 2003, Jay A. St. Pierre wrote:

> On Sat, 1 Nov 2003, David Evans wrote:
>
> > One (somewhat awkward) workaround would be to rename your
> > posix-rte library to replace the posix.lcd standard library, so
> > it would skip the headers like you want. Another solution
> > would be to change the lcllib.c code to make the skip header
> > flags behave like you want (remove the &&
> > context_usingAnsiLibrary ()) clause on line 169.
>
> I patched the code as you suggested and that appears to fix our
> problem.

I spoke too soon. For some reason, it is now picking up the file
"uio.h" which is included by the file "limits.h". This causes it
to crash, since uio.h uses the type caddr_t which is defined in
types/vxTypes.h, which is included by sys/types.h, which is in
turn included by uio.h. So splint is parsing uio.h but
apparently not types/vxTypes.h. The behavior is the same if
instead of "patching" splint, I build a new posix.lcd that has my
extensions and drop it into splint's installation.

So why does it parse uio.h but not vxTypes.h? Is there any way
to figure out in what order splint is including files and which
files it is deciding to parse? Or is there a way to generate the
preprocessed file that splint parses?

I've tried looking at the source code for splint, but I can't
figure out where to start to debug this problem.

-Jay

From evans at cs.virginia.edu Mon Nov 3 00:02:52 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
In-Reply-To:
References:
Message-ID:

On Sun, 2 Nov 2003, Jay A. St. Pierre wrote:

>
> So why does it parse uio.h but not vxTypes.h? Is there any way
> to figure out in what order splint is including files and which
> files it is deciding to parse? Or is there a way to generate the
> preprocessed file that splint parses?
>

If you use +keep, you can examine the preprocessor output files.

Neither uio.h nor vxTypes.h is in the list of excluded standard headers.
The different behavior is probably based on which files include them.

--- Dave

From Jay.St.Pierre at Colorado.EDU Mon Nov 3 01:07:01 2003
From: Jay.St.Pierre at Colorado.EDU (Jay A. St. Pierre)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] bug with -load flag
In-Reply-To:
Message-ID:

On Mon, 3 Nov 2003, David Evans wrote:

> On Sun, 2 Nov 2003, Jay A. St. Pierre wrote:
> >
> > So why does it parse uio.h but not vxTypes.h? Is there any way
> > to figure out in what order splint is including files and which
> > files it is deciding to parse? Or is there a way to generate the
> > preprocessed file that splint parses?
> >
>
> If you use +keep, you can examine the preprocessor output files.
>
> Neither uio.h nor vxTypes.h is in the list of excluded standard headers.
> The different behavior is probably based on which files include them.

Thanks. With the output of the preprocessor, I was able to see
that uio.h also gets included by ioLib.h (non-standard header),
but vxTypes.h is only included through sys/types.h (posix
header).

Ugh. The vxWorks header files include many of the standard and
posix header files, but they also define many extensions (mostly
unix-like things). This means I either have to add a bunch more
items to an extended posix library, or I have to let splint parse
the header files.
If I let splint parse the header files, it chokes in
environments where stdargs.h is provided by gcc 3.x.

Obviously, extending our local "posix" library is the correct
choice, but that's not happening tonight. :)

Thanks for all your help.

-Jay

From terry-splint at tenberry.com Mon Nov 3 11:51:18 2003
From: terry-splint at tenberry.com (Terry Colligan)
Date: Wed Mar 22 17:10:19 2006
Subject: [splint-discuss] Problem building from CVS
Message-ID: <200311030951.18009.terry-splint@tenberry.com>

I got the source from CVS last week.

This morning I did a "cvs update".

Following the directions on page http://www.splint.org/source.html,
I did a

  ./configure

This seemed to do okay.

Then I did a

  gmake

Which produces the following output:

cd . && /bin/bash /shares/tools/splint/splint/config/missing --run aclocal-1.6
/shares/tools/splint/splint/config/missing: line 46: aclocal-1.6: command not found
WARNING: `aclocal-1.6' is needed, and you do not seem to have it handy on your
         system. You might have modified some files without having the
         proper tools for further handling them. Check the `README' file,
         it often tells you about the needed prerequirements for installing
         this package. You may also peek at any GNU archive site, in case
         some other package would contain this missing `aclocal-1.6' program.
gmake: *** [aclocal.m4] Error 1


But 'aclocal-1.6' is not listed on the requirements on the web page,
and the 'README' file just says to visit the web page...

Any suggestions?

--
Terry

Terry Colligan               mailto:terry-splint@tenberry.com
Tenberry Software, Inc.      http://www.tenberry.com
info@tenberry.com            phone 1.480.767.8868  fax 1.480.767.8709

From evans at cs.virginia.edu Mon Nov 3 13:04:03 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] Problem building from CVS
In-Reply-To: <200311030951.18009.terry-splint@tenberry.com>
References: <200311030951.18009.terry-splint@tenberry.com>
Message-ID:

aclocal-1.6 is part of autoconf.
You can get it from http://www.gnu.org/software/autoconf/ if it is not
available on your system.

--- Dave

On Mon, 3 Nov 2003, Terry Colligan wrote:

>
> I got the source from CVS last week.
>
> This morning I did a "cvs update".
>
> Following the directions on page http://www.splint.org/source.html,
> I did a
>
>   ./configure
>
> This seemed to do okay.
>
> Then I did a
>
>   gmake
>
> Which produces the following output:
>
> cd . && /bin/bash /shares/tools/splint/splint/config/missing --run aclocal-1.6
> /shares/tools/splint/splint/config/missing: line 46: aclocal-1.6: command not found
> WARNING: `aclocal-1.6' is needed, and you do not seem to have it handy on your
>          system. You might have modified some files without having the
>          proper tools for further handling them. Check the `README' file,
>          it often tells you about the needed prerequirements for installing
>          this package. You may also peek at any GNU archive site, in case
>          some other package would contain this missing `aclocal-1.6' program.
> gmake: *** [aclocal.m4] Error 1
>
>
> But 'aclocal-1.6' is not listed on the requirements on the web page,
> and the 'README' file just says to visit the web page...
>
> Any suggestions?
>
> --
> Terry
>
> Terry Colligan               mailto:terry-splint@tenberry.com
> Tenberry Software, Inc.      http://www.tenberry.com
> info@tenberry.com            phone 1.480.767.8868  fax 1.480.767.8709
>

From sjl at zepler.org Mon Nov 3 16:46:35 2003
From: sjl at zepler.org (Simon Liddington)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] array element definition before use
Message-ID: <200311041046.35474.sjl@zepler.org>

I'm getting this:

test_Database.c:3037:38: Array element fixed1ElemFields[0] used before definition
  An rvalue is used that may not be initialized to a value on some execution
  path.
(Use -usedef to inhibit warning) The relevent code is (BTW, note the annoying use of casts to initialise values of type dsdbm_fieldType_t (actually unsigned char i.e. 8 bit): dsdbm_fieldType_t fieldSizes[] = { (dsdbm_fieldType_t)1, (dsdbm_fieldType_t)5, (dsdbm_fieldType_t)8, (dsdbm_fieldType_t)9, (dsdbm_fieldType_t)16, (dsdbm_fieldType_t)17, (dsdbm_fieldType_t)20, (dsdbm_fieldType_t)32 }; .... /*@reldef@*/ dsdbm_identifier_t fixed1ElemFields[sizeof(fieldSizes) / sizeof(*fieldSizes)]; for (.....) { for (sizeIndex = 0; sizeIndex < numFieldSizes ; ++sizeIndex) { for (.....) { for (.....) { for (.....) { if (expression) { fixed1ElemFields[sizeIndex] = fieldId; } } } } } } ... code that uses fixed1ElemFields[] I can tell splint the for loops execute with +forloopexec but I can't tell it that "expression" is guaranteed to be true at least once for each value of sizeIndex which means the array is fully defined at the end of these loops. I don't want to use -usedef everywhere I use the array following this. I also don't want to pre-initialise the array as I would have to change the initialiser each time I change fieldSizes[] (but it's probably my best bet for now). The question is why doesn't reldef work? Thanks, Simon From Paolo.Argenton at elsag.it Wed Nov 5 07:56:57 2003 From: Paolo.Argenton at elsag.it (Argenton Paolo) Date: Wed Mar 22 17:10:20 2006 Subject: [splint-discuss] real-compare Message-ID: I made the following modification to splint 3.1.1 in order to have a warning only for the following double / float comparisons x == y x != y and to ignore the others: x < y x <= y x >= y x > y source modified is exprNode.c line number is about 5823 the patch is the following: if (fepsilon) { ; /* Don't complain. 
*/ } else /* my mod: following test was not present in the original */ if (opid == EQ_OP || opid == NE_OP) { voptgenerror (FLG_REALCOMPARE, message ("Dangerous comparison involving %s types: %s", ctype_unparse (rtype), exprNode_unparse (ret)), ret->loc); } } Please let me know if you agress since is the first time I try such a thing... Regards Paolo Argenton From Paolo.Argenton at elsag.it Wed Nov 5 08:32:28 2003 From: Paolo.Argenton at elsag.it (Argenton Paolo) Date: Wed Mar 22 17:10:20 2006 Subject: [splint-discuss] likelybounds ? Message-ID: I was unable to have the likelybounds flag working correctly, while the bounds flag behaves ok. In other words likelybounds behaves as if never set, has anybody dealt with this problem ? thanks Paolo P.S. splint is 3.1.1 win32 version From evans at cs.virginia.edu Wed Nov 5 10:16:48 2003 From: evans at cs.virginia.edu (David Evans) Date: Wed Mar 22 17:10:20 2006 Subject: [splint-discuss] real-compare In-Reply-To: References: Message-ID: On Wed, 5 Nov 2003, Argenton Paolo wrote: > I made the following modification to splint 3.1.1 in order to have a warning > only for the following double / float comparisons > x == y > x != y > and to ignore the others: > > x < y > x <= y > x >= y > x > y > > source modified is exprNode.c line number is about 5823 the patch is the > following: > Thanks, Paolo. That looks good. It is incorporated into the development code now, with a new flag to get the warnings for relational comparisons also. --- Dave > if (fepsilon) > { > ; /* Don't complain. */ > } > else > /* my mod: following test was not present in the original */ > if (opid == EQ_OP || opid == NE_OP) > { > > voptgenerror > (FLG_REALCOMPARE, > message ("Dangerous comparison involving %s types: %s", > ctype_unparse (rtype), > exprNode_unparse (ret)), > ret->loc); > } > } > > > Please let me know if you agress since is the first time I try such a > thing... 
> Regards
> Paolo Argenton
> _______________________________________________
> splint-discuss mailing list
> splint-discuss@cs.virginia.edu
> http://www.splint.org/mailman/listinfo/splint-discuss
>

From Marco.Giromini at marconiselenia.com Wed Nov 5 12:49:56 2003
From: Marco.Giromini at marconiselenia.com (Marco.Giromini@marconiselenia.com)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] likelybounds ?
Message-ID:

I tried the two separate flags with Splint 3.1.1 for linux and I got the following error message:

.splintrc:285:12: Unrecognized option: +likelyboundsread
.splintrc:285:12: Unrecognized option: +likelyboundswrite

Marco Giromini

Argenton Paolo @cs.virginia.edu on 11/05/2003 02:32:28 PM
Please respond to splint-discuss@cs.virginia.edu
Sent by: splint-discuss-admin@cs.virginia.edu
To: "'splint-discuss@cs.virginia.edu'"
cc:
Subject: [splint-discuss] likelybounds ?

I was unable to have the likelybounds flag working correctly, while the bounds flag behaves ok. In other words likelybounds behaves as if never set, has anybody dealt with this problem ?

thanks
Paolo

P.S. splint is 3.1.1 win32 version

From john.carter at tait.co.nz Wed Nov 19 17:17:49 2003
From: john.carter at tait.co.nz (John Carter)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] Speeding Splint.
Message-ID:

We're splinting all our files (with various levels), but this is now taking a significant amount of time to do. (2.4 times the time taken to compile the files...)

Are there any tricks we can play, checks we can disable, that would significantly decrease the time it takes to splint all the files?
Thanks,

John Carter                  Phone : (64)(3) 358 6639
Tait Electronics             Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch     Email : john.carter@tait.co.nz
New Zealand

A Million Monkeys can inflict worse things than just Shakespeare on your system.

From evans at cs.virginia.edu Wed Nov 26 10:37:34 2003
From: evans at cs.virginia.edu (David Evans)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] Speeding Splint.
In-Reply-To:
References:
Message-ID:

Sorry for the slow response. Turning off checks will have minimal effect on performance (except for the bounds checking which has approximately a factor of two performance cost).

The way to scale splint to larger applications is to use the library mechanism so you only need to check the files that have changed. See http://www.splint.org/manual/html/sec14.html

The +single-include flag will also considerably improve performance if most of the processing time is being spent re-processing header files.

--- Dave

On Thu, 20 Nov 2003, John Carter wrote:

> We're splinting all our files (with various levels), but this is now
> taking a significant amount of time to do. (2.4 times the time taken
> to compile the files...)
>
> Are there any tricks we can play, checks we can disable, that would
> significantly decrease the time it takes to splint all the files?
>
> Thanks,
>
>
> John Carter                  Phone : (64)(3) 358 6639
> Tait Electronics             Fax   : (64)(3) 359 4632
> PO Box 1645 Christchurch     Email : john.carter@tait.co.nz
> New Zealand
>
> A Million Monkeys can inflict worse things than just Shakespeare on
> your system.

From blytkerchan at users.sourceforge.net Tue Nov 25 10:08:06 2003
From: blytkerchan at users.sourceforge.net (Ronald Landheer-Cieslak)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] Cygwin port of Splint
Message-ID: <20031125150806.GA10265@linux_rln.harvest>

Hello all,

As of today, I've taken over maintainership of Splint's Cygwin port, previously maintained by Elfyn McBratney. For you, that probably won't change anything - at least until a Cygwin user using splint reports a bug. If such a bug is Cygwin-specific (but located in Splint) I will (try to) fix it and send you a patch for consideration.

Elfyn has made a single patch to Splint (version 3.1.1), which I have attached for your consideration - I haven't tried building without it, but I assume the patch is needed at least for the Cygwin build ;)

Just thought you might like to know :)

rlc

NB: would patches moving towards support for out-of-tree building of Splint be considered for inclusion? I usually build (or try to) from read-only source trees and trying that on Splint failed..

--
It's all in the mind, ya know.

From ndalton at lastminute.com Tue Nov 25 10:41:31 2003
From: ndalton at lastminute.com (Niall Dalton)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] parse error?
Message-ID: <1069774891.5110.530.camel@localhost.localdomain>

Hello,

This little example seems to cause an error in splint; any hints on the best way of avoiding this?

Regards,
niall

#include

void print64BitWord(uint64_t word){
  printf("Word in hex is %" PRIx64 "\n", word);
}

Splint 3.1.1 --- 02 Jul 2003
test.c:4:43: Parse Error. (For help on parse errors, see splint -help parseerrors.)
*** Cannot continue.

From mNEp0WQOm?JM'x-V=J^c& at rf.risimo.net Thu Nov 27 05:42:45 2003
From: mNEp0WQOm?JM'x-V=J^c& at rf.risimo.net (Raimar Falke)
Date: Wed Mar 22 17:10:20 2006
Subject: [splint-discuss] Variadic macros
Message-ID: <20031127104245.GA30941@stone.privat>

AFAIK splint doesn't support variadic macros. What are the plans here? Are there patches which support this? Is someone working on this? Is there a known work-around?

Raimar

--
email: rf13@inf.tu-dresden.de
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." -- Brian W. Kernighan

From cbfalconer at yahoo.com Thu Nov 27 10:32:19 2003
From: cbfalconer at yahoo.com (CBFalconer)
Date: Wed Mar 22 17:10:21 2006
Subject: [splint-discuss] parse error?
References: <1069774891.5110.530.camel@localhost.localdomain>
Message-ID: <3FC61903.100F32FD@yahoo.com>

Niall Dalton wrote:
>
> This little example seems to cause an error in splint; any hints
> on the best way of avoiding this?
>
> #include
>
> void print64BitWord(uint64_t word){
>   printf("Word in hex is %" PRIx64 "\n", word);
> }
>
> Splint 3.1.1 --- 02 Jul 2003
> test.c:4:43: Parse Error.

er - correct the source code?

--
Chuck F (cbfalconer@yahoo.com) (cbfalconer@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
   USE worldnet address!

From Gaurav at Colorado.EDU Sun Nov 30 02:51:34 2003
From: Gaurav at Colorado.EDU (Gaurav Mathur)
Date: Wed Mar 22 17:10:21 2006
Subject: [splint-discuss] Ensures clause question
Message-ID: <200311300751.hAU7pYPG005666@leather.Colorado.EDU>

Hi,

Suppose I have the following code fragment....

void func (int x, int y)
{
   if (x<0)
      y = 1;
   else
      y = 0;
}

How do I capture the semantics that y is either 0 or 1 after this function returns. Could I use ensures (assume y is a reference in that case) or some other annotation.

Thanks in advance,

Regards,
-Gaurav

From cbfalconer at yahoo.com Sun Nov 30 10:33:39 2003
From: cbfalconer at yahoo.com (CBFalconer)
Date: Wed Mar 22 17:10:21 2006
Subject: [splint-discuss] Ensures clause question
References: <200311300751.hAU7pYPG005666@leather.Colorado.EDU>
Message-ID: <3FCA0DD3.E339EB10@yahoo.com>

Gaurav Mathur wrote:
>
> Suppose I have the following code fragment....
>
> void func (int x, int y)
> {
>    if (x<0)
>       y = 1;
>    else
>       y = 0;
> }
>
> How do I capture the semantics that y is either
> 0 or 1 after this function returns. Could I use
> ensures (assume y is a reference in that case)
> or some other annotation.

y is passed by value, and thus any alterations by the function are lost. But, within the function, how about:

   y = (x < 0);

--
Chuck F (cbfalconer@yahoo.com) (cbfalconer@worldnet.att.net)
   Available for consulting/temporary embedded and systems.
   USE worldnet address!

From Gaurav at Colorado.EDU Sun Nov 30 15:53:51 2003
From: Gaurav at Colorado.EDU (Gaurav Mathur)
Date: Wed Mar 22 17:10:21 2006
Subject: [splint-discuss] Ensures clause question
In-Reply-To: Your message of "Sun, 30 Nov 2003 10:33:39 EST."
Message-ID: <200311302053.hAUKrqPG007490@leather.Colorado.EDU>

Thanks for the response Chuck..

Here's what I am really curious about..

Let's say that x and y are indeed references, and let's assume that the value of *y *has* to be either 1 or 0 after the function returns and it's not just dependent on the if condition of my example. What would be the splint annotation to capture that information. I am a splint newbie so maybe I am missing something out here.

What I actually wanted was to achieve some of the power of the *ensures* clause of the LSL (Larch) style of specifications.

Another example would be...
Suppose I want to state that two char * pointers would have the same value when the function exits. In LSL I would do something like...

char a[10];
char b[10];
.
.
ensures sameStr (a, b)
.
.

where sameStr was defined in some LSL trait. How would I do this in splint...

Thanks and Regards,
-Gaurav

> Gaurav Mathur wrote:
> >
> > Suppose I have the following code fragment....
> >
> > void func (int x, int y)
> > {
> >    if (x<0)
> >       y = 1;
> >    else
> >       y = 0;
> > }
> >
> > How do I capture the semantics that y is either
> > 0 or 1 after this function returns. Could I use
> > ensures (assume y is a reference in that case)
> > or some other annotation.
>
> y is passed by value, and thus any alterations by the function are
> lost. But, within the function, how about:
>
>    y = (x < 0);
>
> --
> Chuck F (cbfalconer@yahoo.com) (cbfalconer@worldnet.att.net)
>    Available for consulting/temporary embedded and systems.
>    USE worldnet address!

From Roy.YAO at alcatel-sbell.com.cn Sun Nov 30 23:45:53 2003
From: Roy.YAO at alcatel-sbell.com.cn (FND-AD YAO Roy)
Date: Wed Mar 22 17:10:21 2006
Subject: [splint-discuss] How can I overcome these two warnings?
Message-ID:

Hello,

Here are two problems that blocked me while learning splint. Can anyone help me?

When I use splint to check my header file bool.h, no warning is given. But when I check another source file that included bool.h, the following warnings are given. (my splint version is 3.0.1.7)

bool.h:5:13: Type exported, but not specified: bool
bool.h:4:14: Flag booltype (in semantic comment) must be followed by an argument

Why? How can I overcome them?

Best regards,
Roy Yao

+++++ code excerpt: bool.h +++++
 1 #ifndef BOOL_H__
 2 #define BOOL_H__
 3
 4 /*@-cppnames -booltype bool@*/
 5 typedef int bool;
 6 /*@=cppnames@*/
 7
 8 #ifndef FALSE
 9 /*@constant unused bool FALSE@*/
10 #define FALSE 0
11 #endif
12
13 #ifndef TRUE
14 /*@constant unused bool TRUE@*/
15 #define TRUE (!FALSE)
16 #endif
17
18 #endif
+++++ end +++++