[splint-discuss] Need help understanding this storage warning...

Tommy Pettersson ptp at lysator.liu.se
Sat Jun 24 14:07:48 EDT 2006


On Fri, Jun 23, 2006 at 03:26:28PM -0500, Todd Pytel wrote:
> I think 
>  I've understood and accounted for the other warnings I received,

Just in case you didn't notice: the function process() has a
memory leak in the "work through the queue" loop.

>  but 
> there's one left I don't understand.

I'm not sure I understand it either, but I think it goes
something like this:

The results array has both outer and inner storage. The outer
storage is the pointer to the dynamically allocated memory of
the array. The inner storage is the pointers in the array to
the dynamically allocated strings. The /*@only@*/ annotation
only applies to the outer pointer, so the inner pointers are
unqualified.

Splint by default doesn't check for many memory reference things
because most of them require that the source code first be annotated,
but if it is run with the -checks option it does, and gives the
somewhat more understandable error message:

  grants.c: (in function process)
  grants.c:99: Only storage assigned to unqualified:
      results[numInputs - 1] = calloc((size_t)(3 * N + 1), sizeof(char))
    The only reference to this storage is transferred to another reference that
    does not have an aliasing annotation. This may lead to a memory leak, since
    the new reference is not necessarily released. (Use -onlyunqglobaltrans to
    inhibit warning)

I believe the warning "Storage reachable from global is fresh
(should be unqualified)" is basically the same warning, but in a
more general form detected later in some validation check. Fresh
memory (allocated within the function) that still lives after
the function ends must be stored in /*@only@*/ variables, which
the inner pointers of results[] aren't.

Section 5.2.7 of the manual explains how to annotate inner
storage, but it won't help much since the realloc() will then
cause another warning. The previous size of the array is not
generally known, so splint can't assume all previous pointers
survive the realloc (the array could be shrunk), and splint
will thus warn that inner /*@only@*/ references might be lost
without first being free()'d.


-- 
Tommy Pettersson <ptp at lysator.liu.se>
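The outer/inner storage distinction above, as an added example that is not code from this thread or from the splint project: an array of heap-allocated strings is grown with realloc(), shrunk by first releasing the inner strings that would otherwise be orphaned, and finally freed inner-first, then outer. The input strings, the value of N and the function names are constructed for this illustration; the /*@only@*/ and /*@null@*/ annotations are ordinary splint annotations placed on the outer pointer, as in the message, and the calloc() size expression mirrors the quoted one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N 4  /* constructed stand-in for the N in the quoted calloc() call */

/* Grow the array by one slot and attach a freshly allocated string.
 * *results is the OUTER storage (the array); each element is INNER
 * storage (a string). Both are heap memory and both must be released.
 * Returns 0 on success, -1 on allocation failure with nothing leaked. */
static int append_result(char ***results, size_t *num_inputs, const char *input)
{
    char **grown;
    char *copy = calloc((size_t)(3 * N + 1), sizeof(char));
    if (copy == NULL)
        return -1;
    strncpy(copy, input, (size_t)(3 * N));  /* zero-filled, so always NUL-terminated */

    /* Use a temporary: if realloc fails the old array is still valid and still ours to free. */
    grown = realloc(*results, (*num_inputs + 1) * sizeof(char *));
    if (grown == NULL) {
        free(copy);
        return -1;
    }
    *results = grown;
    (*results)[*num_inputs] = copy;
    (*num_inputs)++;
    return 0;
}

/* Release inner storage first, then the outer array. */
static void free_results(/*@only@*/ /*@null@*/ char **results, size_t num_inputs)
{
    size_t i;
    if (results == NULL)
        return;
    for (i = 0; i < num_inputs; i++)
        free(results[i]);
    free(results);
}

/* Shrink the array. realloc() only resizes the outer block, so the inner
 * strings beyond new_count would be lost; free them before shrinking. */
static int shrink_results(char ***results, size_t *num_inputs, size_t new_count)
{
    size_t i;
    char **shrunk;
    if (new_count > *num_inputs)
        return -1;
    for (i = new_count; i < *num_inputs; i++) {
        free((*results)[i]);
        (*results)[i] = NULL;
    }
    if (new_count == 0) {               /* realloc(p, 0) is implementation-defined; avoid it */
        free_results(*results, 0);
        *results = NULL;
        *num_inputs = 0;
        return 0;
    }
    shrunk = realloc(*results, new_count * sizeof(char *));
    if (shrunk != NULL)                 /* a failed shrink leaves the old block usable */
        *results = shrunk;
    *num_inputs = new_count;
    return 0;
}

/* Build the array from a constructed list of inputs; count returned via out-param. */
static /*@only@*/ /*@null@*/ char **build_results(const char *const *inputs, size_t count,
                                                  size_t *num_inputs)
{
    char **results = NULL;
    size_t i;
    *num_inputs = 0;
    for (i = 0; i < count; i++) {
        if (append_result(&results, num_inputs, inputs[i]) != 0) {
            free_results(results, *num_inputs);   /* unwind without leaking */
            *num_inputs = 0;
            return NULL;
        }
    }
    return results;
}

/* Exercise grow, shrink and free; returns the number of checks that passed (4 when all hold). */
static int run_demo(void)
{
    static const char *const inputs[] = { "alpha", "beta", "gamma" };  /* constructed input */
    size_t n = 0;
    int passed = 0;
    char **r = build_results(inputs, 3, &n);
    if (r == NULL)
        return -1;
    passed += (n == 3);
    passed += (strcmp(r[2], "gamma") == 0);
    passed += (shrink_results(&r, &n, 1) == 0 && n == 1);
    passed += (strcmp(r[0], "alpha") == 0);
    free_results(r, n);
    return passed;
}

int main(void)
{
    printf("checks passed: %d\n", run_demo());
    return 0;
}
```

The shrink path is the case the message warns about: after realloc() to a smaller size, the dropped inner pointers are unreachable, which is exactly why splint cannot assume /*@only@*/ inner references survive the call unless they were released first.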

