From roma at ro-che.info Sat Jun 16 02:43:25 2007
From: roma at ro-che.info (Roman Cheplyaka)
Date: Sat Jun 16 20:50:20 2007
Subject: [splint-discuss] Can't fit our memory management to Splint's model
Message-ID: <20070616094325.GA26487@crematorium>

Hi all!

We use nested structures like

struct s {
    struct s1 * f1;
    struct s2 * f2;
};

and each has its alloc and free function, e.g.

void s_free(struct s * f) {
    if ( f == NULL )
        return;
    s1_free(f->f1);
    s2_free(f->f2);
    free(f);
}

So, the contract is "s_free takes either NULL, or a pointer to an allocated structure, whose members are allocated, too, and releases all of them".

The problem is that in one execution path (when f is NULL) f->f1 and f->f2 are not released, and this confuses splint. How can I explain to splint that in this case they do not have to be released?

-- 
Roman I. Cheplyaka
http://ro-che.info/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
Url : http://www.cs.Virginia.EDU/pipermail/splint-discuss/attachments/20070616/9625e1af/attachment.bin

From Keith.Richeson at us.elster.com Sun Jun 17 01:00:21 2007
From: Keith.Richeson at us.elster.com (Keith.Richeson@us.elster.com)
Date: Sun Jun 17 01:08:24 2007
Subject: [splint-discuss] Keith Richeson is out of the office.
Message-ID: 

I will be out of the office starting 06/15/2007 and will not return until 06/25/2007.

I will respond to your message when I return.

From ptp at lysator.liu.se Sun Jun 17 02:33:30 2007
From: ptp at lysator.liu.se (Tommy Pettersson)
Date: Sun Jun 17 02:34:23 2007
Subject: [splint-discuss] Can't fit our memory management to Splint's model
In-Reply-To: <20070616094325.GA26487@crematorium>
References: <20070616094325.GA26487@crematorium>
Message-ID: <20070617093330.GA24213@static-81.216.50.98.addr.tdcsong.se>

On Sat, Jun 16, 2007 at 12:43:25PM +0300, Roman Cheplyaka wrote:
> Hi all!
Hi,

> We use nested structures like
> struct s {
>     struct s1 * f1;
>     struct s2 * f2;
> }
> and each has its alloc and free function, e.g.
> void s_free(struct s * f) {
>     if ( f == NULL )
>         return;
>     s1_free(f->f1);
>     s2_free(f->f2);
>     free(f);
> }
[...]
> How can I explain
> splint that in this case they have not to be released?

I'm not totally sure this is correct in every way, but it seems to work:

#include <stdlib.h>
#include <assert.h>

struct s {
    /*@only@*/ char *f1;
    /*@only@*/ char *f2;
};

static void s_free (/*@special@*/ struct s *p_f)
    /*@releases p_f->f1, p_f->f2, p_f; @*/ ;

static void s_free (struct s *f) {
    if ( f == NULL )
        /*@i3@*/ return;
    free( f->f1 );
    free( f->f2 );
    free( f );
}

int main (void) {
    struct s *s = malloc( sizeof *s ); assert( s != NULL );
    s->f1 = malloc( 1 ); assert( s->f1 != NULL );
    s->f2 = malloc( 1 ); assert( s->f2 != NULL );
    s_free( NULL );
    s_free( s );
    return 0;
}

On the /*@i3@*/ line splint will complain that f, f1 and f2 are not released as claimed by the declaration, but it is an obviously false warning. A slightly better way would perhaps be to surround the return line with annotations that temporarily turn off just the expected bogus warning.

(To my surprise, the order of the arguments in the @releases@ clause seems to matter. I had to put p_f last, or I got unexplainable warnings about undefined storage passed to the s_free function.)

-- 
Tommy Pettersson

From wenzel at bbr-vt.de Sun Jun 17 23:43:32 2007
From: wenzel at bbr-vt.de (Wenzel, Bodo)
Date: Mon Jun 18 00:27:27 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
Message-ID: <467645B4.12503.24D513@wenzel.bbr-vt.de>

Hi.
This works without any /*@i@*/ annotation, Splint 3.1.1 called with "+checks", which is quite strict, but not as strict as "+strict" ;-)

#include <stdlib.h>
#include <assert.h>

struct s1 {
};

struct s2 {
};

static void
s1_free (/*@only@*/ /*@null@*/ struct s1 * f) {
    if ( f == NULL )
        return;
    free(f);
}

static void
s2_free (/*@only@*/ /*@null@*/ struct s2 * f) {
    if ( f == NULL )
        return;
    free(f);
}

struct s {
    struct s1 * f1;
    struct s2 * f2;
};

static void
s_free (/*@only@*/ /*@null@*/ struct s * f) {
    if ( f == NULL )
        return;
    s1_free(f->f1);
    s2_free(f->f2);
    free(f);
}

int
main (void) {
    struct s *s = malloc( sizeof *s ); assert( s != NULL );
    s->f1 = malloc( sizeof * (s->f1) ); assert( s->f1 != NULL );
    s->f2 = malloc( sizeof * (s->f2) ); assert( s->f2 != NULL );
    s_free( NULL );
    s_free( s );
    return 0;
}

Kind regards,
Bodo Wenzel
- Software Development -

-- 
BBR - Baudis Bergmann Rösch Verkehrstechnik GmbH
Pillaustraße 1e
D - 38126 Braunschweig
T: +49.531.27300-766
F: +49.531.27300-999
@: wenzel@bbr-vt.de
W: http://www.bbr-vt.de
Commercial register: AG Braunschweig HRB 3037
Managing directors: Dipl.-Ing. Arne Baudis, Dipl.-Ing. Thomas Bergmann, Dipl.-Ing. Frank-Michael Rösch
VAT ID: DE 114 877 881

From ptp at lysator.liu.se Mon Jun 18 02:26:47 2007
From: ptp at lysator.liu.se (Tommy Pettersson)
Date: Mon Jun 18 02:27:21 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
In-Reply-To: <467645B4.12503.24D513@wenzel.bbr-vt.de>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de>
Message-ID: <20070618092647.GA10888@static-81.216.50.98.addr.tdcsong.se>

On Mon, Jun 18, 2007 at 08:43:32AM +0200, Wenzel, Bodo wrote:
> static void
> s_free (/*@only@*/ /*@null@*/ struct s * f) {
>     if ( f == NULL )
>         return;
>     s1_free(f->f1);
>     s2_free(f->f2);
>     free(f);
> }

It has the problem that if you "forget" to free e.g. f->f2 in s_free(), splint doesn't warn you about it. Maybe not a big deal though, if s_free is simple.
-- 
Tommy Pettersson

From elfring at users.sourceforge.net Mon Jun 18 02:49:00 2007
From: elfring at users.sourceforge.net (SF Markus Elfring)
Date: Mon Jun 18 02:49:22 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
In-Reply-To: <467645B4.12503.24D513@wenzel.bbr-vt.de>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de>
Message-ID: <4676550C.6090209@users.sourceforge.net>

> static void
> s1_free (/*@only@*/ /*@null@*/ struct s1 * f) {
>     if ( f == NULL )
>         return;
>     free(f);
> }

By the way: The check for the null pointer can be omitted in this example.
http://opengroup.org/onlinepubs/009695399/functions/free.html

Regards,
Markus

From azaka at felixstowe.actaris.com Thu Jun 21 01:20:05 2007
From: azaka at felixstowe.actaris.com (Asim Zaka)
Date: Thu Jun 21 01:51:34 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
In-Reply-To: <4676550C.6090209@users.sourceforge.net>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de> <4676550C.6090209@users.sourceforge.net>
Message-ID: <7.0.0.16.2.20070621091045.022aaed8@felixstowe.actaris.com>

An HTML attachment was scrubbed...
URL: http://www.cs.Virginia.EDU/pipermail/splint-discuss/attachments/20070621/72ffbeca/attachment.html

From lholzheid at bihl-wiedemann.de Thu Jun 21 04:19:02 2007
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Thu Jun 21 04:20:04 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
In-Reply-To: <7.0.0.16.2.20070621091045.022aaed8@felixstowe.actaris.com>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de> <4676550C.6090209@users.sourceforge.net> <7.0.0.16.2.20070621091045.022aaed8@felixstowe.actaris.com>
Message-ID: <20070621111902.GA366@svr5.bihl-wiedemann.de>

On Thu, 2007-06-21 09:20:05 +0100, Asim Zaka wrote:
>
>
> Morning all,

Hi Asim,

first of all, don't send HTML-only mail to mailing lists. You should even consider not sending mixed plain text/HTML mails, as the HTML version just bloats the mail archive and doesn't gain anything.

Another thing is, I don't see a relation from the subject line to the contents of your mail. If you want to start a new thread, please do so instead of 'replying' to an arbitrary mail on the list. If I switch my mail client to 'threaded view', your mail looks like a reply to a mail from Markus Elfring, which it isn't.

> I want to customize splint in a way that the "warnings" it
> produces for a .c or .h file are output to the console as just
> "one" line. For example I get:

Don't the "-linelen" and '-hints' flags do what you want?

Ludolf

-- 
---------------------------------------------------------------
Ludolf Holzheid                 Tel: +49 621 339960
Bihl+Wiedemann GmbH             Fax: +49 621 3392239
Floßwörthstraße 41              e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From azaka at felixstowe.actaris.com Thu Jun 21 04:29:26 2007
From: azaka at felixstowe.actaris.com (Asim Zaka)
Date: Thu Jun 21 04:29:33 2007
Subject: [splint-discuss] Output Message length
Message-ID: <7.0.0.16.2.20070621122834.0233ed48@felixstowe.actaris.com>

An HTML attachment was scrubbed...
URL: http://www.cs.Virginia.EDU/pipermail/splint-discuss/attachments/20070621/7c86f644/attachment.html

From roma at ro-che.info Thu Jun 21 07:12:31 2007
From: roma at ro-che.info (Roman Cheplyaka)
Date: Thu Jun 21 08:12:50 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
In-Reply-To: <467645B4.12503.24D513@wenzel.bbr-vt.de>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de>
Message-ID: <20070621141231.GA12561@crematorium>

* Wenzel, Bodo [2007-06-18 08:43:32+0200]
> Hi.
>
> This works without any /*@i@*/ annotation, Splint 3.1.1 called with
> "+checks", which is quite strict, but not as strict as "+strict" ;-)
>
> struct s1 {
> };
>
> struct s2 {
> };
>
> static void
> s1_free (/*@only@*/ /*@null@*/ struct s1 * f) {
>     if ( f == NULL )
>         return;
>     free(f);
> }
>
> static void
> s2_free (/*@only@*/ /*@null@*/ struct s2 * f) {
>     if ( f == NULL )
>         return;
>     free(f);
> }
>
> struct s {
>     struct s1 * f1;
>     struct s2 * f2;
> };
>
> static void
> s_free (/*@only@*/ /*@null@*/ struct s * f) {
>     if ( f == NULL )
>         return;
>     s1_free(f->f1);
>     s2_free(f->f2);
>     free(f);
> }
>
> int
> main (void) {
>     struct s *s = malloc( sizeof *s ); assert( s != NULL );
>     s->f1 = malloc( sizeof * (s->f1) ); assert( s->f1 != NULL );
>     s->f2 = malloc( sizeof * (s->f2) ); assert( s->f2 != NULL );
>     s_free( NULL );
>     s_free( s );
>     return 0;
> }

Yes, _this_ actually works. But if we add some fields to our structures (say, struct s1 { int a; } and struct s2 { int b; }), then

Passed storage *(s->f1) contains 1 undefined field: a
  Storage derivable from a parameter, return value or global is not defined. Use /*@out@*/ to denote passed or returned storage which need not be defined. (Use -compdef to inhibit warning)
Passed storage *(s->f2) contains 1 undefined field: b

So, naturally we need to declare *_free as /*@out@*/ (and this is how the libc function free is annotated). But then

Unallocated storage f->f1 passed as out parameter to s1_free: f->f1
  An rvalue is used that may not be initialized to a value on some execution path. (Use -usedef to inhibit warning)
Unallocated storage f->f2 passed as out parameter to s2_free: f->f2

This is the problem I was talking about...

-- 
Roman I. Cheplyaka
http://ro-che.info/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
Url : http://www.cs.Virginia.EDU/pipermail/splint-discuss/attachments/20070621/3c73ef25/attachment.bin

From lholzheid at bihl-wiedemann.de Thu Jun 21 08:11:48 2007
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Thu Jun 21 08:15:09 2007
Subject: [splint-discuss] Output Message length
In-Reply-To: <7.0.0.16.2.20070621132426.022e3770@felixstowe.actaris.com> <7.0.0.16.2.20070621122834.0233ed48@felixstowe.actaris.com>
References: <467645B4.12503.24D513@wenzel.bbr-vt.de> <4676550C.6090209@users.sourceforge.net> <7.0.0.16.2.20070621091045.022aaed8@felixstowe.actaris.com> <20070621111902.GA366@svr5.bihl-wiedemann.de> <7.0.0.16.2.20070621132426.022e3770@felixstowe.actaris.com> <7.0.0.16.2.20070621122834.0233ed48@felixstowe.actaris.com>
Message-ID: <20070621151148.GA27255@svr5.bihl-wiedemann.de>

On Thu, 2007-06-21 14:42:37 +0100, Asim Zaka wrote:
>
>
> Hi Ludolf,

> Thanks for the help. It looks much better now, but still there are many
> warnings which go beyond the max -linelen. I started off by setting
> -linelen 120 and have now reached -linelen 180, but I guess increasing it
> beyond a certain value does not really increase the line length.

> Do you know what I need to change in the code to increase this -linelen
> max to something like 300 characters?

> Regards and thanks a lot!
> Asim.

>

>
Hi Asim,

as far as I read the code, the variable changed with '-linelen' is an int, which allows for setting the maximum line length to about 2*10^9 characters for most operating systems. It is initialized to DEFAULT_LINELEN, which is set to 80 in constants.h.

I still don't know why you want to recompile splint instead of just adding something like '-linelen 10000' to your .splintrc.

Ludolf

P.S.: Please configure your mail program to send plain text mails.

-- 
---------------------------------------------------------------
Ludolf Holzheid                 Tel: +49 621 339960
Bihl+Wiedemann GmbH             Fax: +49 621 3392239
Floßwörthstraße 41              e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From wenzel at bbr-vt.de Fri Jun 22 02:55:58 2007
From: wenzel at bbr-vt.de (Wenzel, Bodo)
Date: Fri Jun 22 02:56:43 2007
Subject: [splint-discuss] Re: Can't fit our memory management to Splint's model
Message-ID: <467BB8CE.18821.D666E6@wenzel.bbr-vt.de>

> Yes, _this_ actually works. But if we add some fields to our
> structures (say, struct s1 { int a; } and struct s2 { int b; }),
> then
>
> Passed storage *(s->f1) contains 1 undefined field: a
> [...]
> Passed storage *(s->f2) contains 1 undefined field: b

That's correct. The fields _ARE_ undefined. If values are stored, no error is reported.

> So, naturally we need to declare *_free as /*@out@*/ (and this is
> how libc function free is annotated).

This annotation is only necessary if it is really your intention to release the struct's memory while some field is undefined. See above.

> But then
>
> Unallocated storage f->f1 passed as out parameter to s1_free:
> f->f1
> [...]
> Unallocated storage f->f2 passed as out parameter to s2_free:
> f->f2
>
> This is a problem I was talking about..

Again the error message is correct, as the Splint manual describes: "The out annotation denotes a pointer to storage that may be undefined."
And so it assumes that the fields of struct s are undefined, say unallocated, right? But if we annotate just s[12]_free, because all fields of struct s ARE defined, the "Passed storage..." messages re-appear. Well, it seems that Splint applies the annotation to the fields recursively...

You can use "partial" in s_free, but then you won't get any error message if you don't define f1 or f2 or both.

No more clues at the moment... :-(

Kind regards,
Bodo Wenzel
- Software Development -

-- 
BBR - Baudis Bergmann Rösch Verkehrstechnik GmbH
Pillaustraße 1e
D - 38126 Braunschweig
T: +49.531.27300-766
F: +49.531.27300-999
@: wenzel@bbr-vt.de
W: http://www.bbr-vt.de
Commercial register: AG Braunschweig HRB 3037
Managing directors: Dipl.-Ing. Arne Baudis, Dipl.-Ing. Thomas Bergmann, Dipl.-Ing. Frank-Michael Rösch
VAT ID: DE 114 877 881

From gregory.descamps at awtce.be Fri Jun 22 13:06:51 2007
From: gregory.descamps at awtce.be (Gregory Descamps)
Date: Fri Jun 22 13:22:36 2007
Subject: [splint-discuss] Gregory Descamps is out of the office
Message-ID: 

I will be out of the office starting 2007/06/22 and will not return until 2007/07/16.

Please contact Joachim Vandersleyen if necessary.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.cs.Virginia.EDU/pipermail/splint-discuss/attachments/20070622/bcb2a902/attachment.html

From pkzc at freemail.hu Sun Jun 24 13:28:15 2007
From: pkzc at freemail.hu (Kozics Péter)
Date: Sun Jun 24 13:50:35 2007
Subject: [splint-discuss] /*@null@*/ array elements
Message-ID: <467ED3DF.4070902@freemail.hu>

I couldn't figure out myself, and could not find any hint in the splint manual, how to annotate array elements to be /*@null@*/.

I would like to get rid of the warning

redef.c:5:20: Local a[0][0] initialized to null value: a[0][0] = 0
  A reference with no null annotation is assigned or initialized to NULL.

for the following code.
int *f( void )
{
    int *a[2][3] = {{0}};

    return a[1][1];
}

When I naively annotate the array with /*@null@*/, it seems that I make a statement about ``a'' and not about its elements, which are of type int * and which the warning refers to.

thank you
Peter

From brian.quinlan at iolfree.ie Mon Jun 25 01:37:31 2007
From: brian.quinlan at iolfree.ie (Brian Quinlan)
Date: Mon Jun 25 01:47:00 2007
Subject: [splint-discuss] /*@null@*/ array elements
In-Reply-To: <467ED3DF.4070902@freemail.hu>
References: <467ED3DF.4070902@freemail.hu>
Message-ID: <1182760651.5287.12.camel@akebono>

On Sun, 2007-06-24 at 22:28 +0200, Kozics Péter wrote:
> I couldn't figure out myself and could not find any hint in the splint
> manual how to annotate array elements to be /*@null@*/.
>
> I would like to get rid of the warning
>
> redef.c:5:20: Local a[0][0] initialized to null value: a[0][0] = 0
>   A reference with no null annotation is assigned or initialized to NULL.
>
> for the following code.
>
>
> int *f( void )
> {
>     int *a[2][3] = {{0}};
>
>     return a[1][1];
> }
>
>
> When I naively annotate the array with /*@null@*/., it seems that I make
> statement about ``a'' and not about its elements which are of type int
> *, and which the the warning refers to.
>

Hi Peter,

It's not perfect, because it involves a change to your coding style, but you could try using an annotated typedef in the array:

typedef /*@null@*/ int *IntPtr;

IntPtr f( void )
{
    IntPtr a[2][3] = {{0, 0, 0}, {0, 0, 0}};

    return a[1][1];
}

There's still a warning to fix in this modified code, but it's not the one about null values.

Bye,
Brian

From keithp at marvell.com Mon Jun 25 09:45:48 2007
From: keithp at marvell.com (Keith Prickett)
Date: Mon Jun 25 10:04:10 2007
Subject: [splint-discuss] Resubscriptions
Message-ID: <6965B5420FA1794C8EA5238AA424F4A916C6FB@SC-EXCH01.marvell.com>

I had unsubscribed a while ago from this list, but all of a sudden I have started receiving discussions again.
Does anyone else have this experience?

-- 
Keith Prickett
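Editor's note, added to the "Can't fit our memory management to Splint's model" thread above (this is an added example, not code posted by any list participant): the piece the thread circles around but never shows is the allocator side of the contract. If s_alloc can fail half-way, s_free must be safe to call on NULL, on a struct whose members are still NULL, and on a complete object, otherwise the error path either leaks the members or reads undefined fields. The example below uses the /*@only@*/ /*@null@*/ parameter annotations from Bodo Wenzel's version, gives struct s1 and struct s2 the fields Roman later added (int a, int b), and assigns each field before the next allocation can fail, so no free path ever sees undefined storage. The names s_alloc, s_roundtrip, s_free_partial and the frees_done counter are assumptions made for this example; the Splint annotations are ordinary comments to the C compiler, so the file builds with gcc regardless of what splint reports about it.

```c
#include <stdlib.h>

struct s1 { int a; };
struct s2 { int b; };

/* Members are owning pointers that may be NULL.  That is the contract the
 * thread converged on, and it is what lets s_free accept a partially built
 * struct s: a NULL member is "released" by doing nothing. */
struct s {
    /*@only@*/ /*@null@*/ struct s1 *f1;
    /*@only@*/ /*@null@*/ struct s2 *f2;
};

/* Instrumentation for this example only (an assumption, not part of the
 * pattern): counts every block handed back to free(). */
static unsigned long frees_done = 0;

static void s1_free(/*@only@*/ /*@null@*/ struct s1 *p)
{
    if (p == NULL)
        return;             /* NULL is a valid argument: nothing to release */
    frees_done++;
    free(p);
}

static void s2_free(/*@only@*/ /*@null@*/ struct s2 *p)
{
    if (p == NULL)
        return;
    frees_done++;
    free(p);
}

/* Releases the struct and both members.  Safe for NULL, for a struct whose
 * members are still NULL (partial construction), and for a complete one. */
static void s_free(/*@only@*/ /*@null@*/ struct s *p)
{
    if (p == NULL)
        return;
    s1_free(p->f1);
    s2_free(p->f2);
    frees_done++;
    free(p);
}

/* Builds the nested structure.  Every member is either fully initialised or
 * NULL before any point at which the function can fail, so the failure path
 * can hand the partial object to s_free without leaking or reading
 * undefined fields.  The caller only ever sees a complete object or NULL. */
static /*@only@*/ /*@null@*/ struct s *s_alloc(int a, int b)
{
    struct s *p = malloc(sizeof *p);
    if (p == NULL)
        return NULL;
    p->f2 = NULL;           /* defined (as NULL) before the first early exit */
    p->f1 = malloc(sizeof *p->f1);
    if (p->f1 == NULL) {
        s_free(p);
        return NULL;
    }
    p->f1->a = a;           /* f1 complete before f2 can fail */
    p->f2 = malloc(sizeof *p->f2);
    if (p->f2 == NULL) {
        s_free(p);
        return NULL;
    }
    p->f2->b = b;
    return p;
}

/* Builds, checks and releases one object.  Returns the number of free()
 * calls made (3 for a complete object; 0 on allocation failure or if a
 * stored value does not read back), so a caller can check the behaviour. */
unsigned long s_roundtrip(int a, int b)
{
    struct s *p;
    int ok;

    frees_done = 0;
    p = s_alloc(a, b);
    if (p == NULL)
        return 0;
    ok = (p->f1->a == a) && (p->f2->b == b);
    s_free(p);
    s_free(NULL);           /* must be a no-op and must not be counted */
    return ok ? frees_done : 0;
}

/* Exercises the path an allocator's error branch takes: a struct s whose
 * members were never allocated.  Returns the number of free() calls (1). */
unsigned long s_free_partial(void)
{
    struct s *p = malloc(sizeof *p);
    if (p == NULL)
        return 0;
    p->f1 = NULL;
    p->f2 = NULL;
    frees_done = 0;
    s_free(p);
    return frees_done;
}
```

The ordering in s_alloc is the point: assign p->f2 = NULL before the first failure exit and store a into f1 before attempting f2, so that each member handed to s_free is either NULL or completely defined. That is the condition under which Bodo's /*@only@*/ /*@null@*/ version needs neither /*@out@*/ nor "partial", and it is also what makes the error path free of leaks and double frees for a human reader, whatever the checker says.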