From pcguy11 at live.com  Thu Nov  6 17:16:42 2008
From: pcguy11 at live.com (Greg White)
Date: Thu, 6 Nov 2008 19:16:42 -0600
Subject: [splint-discuss] DIR *dire storage created but not released??
Message-ID:

I ran splint on some source code that compiles with no errors using -Wall
and works great. I get:

main.c:29: Include file matches the name of a POSIX library, but the
  POSIX library is not being used. Consider using +posixlib or
  +posixstrictlib to select the POSIX library, or -warnposix to suppress
  this message.
main.c: (in function findfiles)
main.c:79:2: Fresh storage dire not released before return
  A memory leak has been detected. Storage allocated locally is not
  released before the last reference to it is lost. (Use -mustfreefresh
  to inhibit warning)
   main.c:58:3: Fresh storage dire created

#include
DIR *dire;
struct dirent *filea;

dire = opendir("./");
if (dire == NULL) {
    perror ("Couldn't open the directory");
    exit(EXIT_FAILURE);
}

while ((filea = readdir (dire))) {
    printf("filename %s\n", filea->d_name);
}

(void) closedir (dire);

As you can see I close what I open, but splint still sees a memory leak.
Can splint be educated about closedir so I don't get this error? Yes I
could do -mustfreefresh to suppress the error but I would rather have
splint fixed.

Also can someone please explain the POSIX library thing?

Thanks,

From Michael.Wojcik at MicroFocus.com  Fri Nov  7 10:09:17 2008
From: Michael.Wojcik at MicroFocus.com (Michael Wojcik)
Date: Fri, 7 Nov 2008 10:09:17 -0800
Subject: [splint-discuss] DIR *dire storage created but not released??
In-Reply-To:
References:
Message-ID: <11352F9641010A418AD5057945A3A6590118BA11@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
> bounces at cs.virginia.edu] On Behalf Of Greg White
> Sent: Thursday, 06 November, 2008 20:17
> To: splint-discuss at mail.cs.virginia.edu
>
> I ran splint on some source code that compiles with no errors using
> -Wall and works great. I get:
>
> main.c:29: Include file matches the name of a POSIX library, but the
> POSIX library is not being used. Consider using +posixlib or
> +posixstrictlib to select the POSIX library, or -warnposix to
> suppress this message.

Splint is in effect a C implementation. It provides its own version of
the C standard library, and when you include a header from the standard
library Splint skips it and applies its own definitions, based on the
standard. Similarly, Splint comes with its own set of POSIX definitions,
based on the standard.

That message is telling you that you should have told Splint that you
were using POSIX functionality, by specifying +posixlib (or
+posixstrictlib for stricter checking). That way, Splint can apply its
knowledge of POSIX to your program.

This is described in the Splint documentation:
http://splint.org/manual/html/sec14.html

> main.c: (in function findfiles)
> main.c:79:2: Fresh storage dire not released before return
> A memory leak has been detected. Storage allocated locally is not
> released before the last reference to it is lost. (Use -mustfreefresh
> to inhibit warning)
> main.c:58:3: Fresh storage dire created
>
> As you can see I close what I open, but splint still sees a memory
> leak. Can splint be educated about closedir so I don't get this error?

Try running with +posixlib, as Splint suggested.

> Yes I could do -mustfreefresh to suppress the error but I would rather
> have splint fixed.

You haven't shown that Splint is broken yet, so asking for a fix is a
bit premature.

Note that if you continue to get the warning even when Splint is running
in the correct mode, you can always suppress the error just for this one
case using code annotations. See the manual.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus

From pcguy11 at live.com  Fri Nov  7 10:56:59 2008
From: pcguy11 at live.com (Greg White)
Date: Fri, 7 Nov 2008 12:56:59 -0600
Subject: [splint-discuss] DIR *dire storage created but not released??
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BA11@MTV-EXCHANGE.microfocus.com>
References: <11352F9641010A418AD5057945A3A6590118BA11@MTV-EXCHANGE.microfocus.com>
Message-ID:

> Date: Fri, 7 Nov 2008 10:09:17 -0800
> From: Michael.Wojcik at microfocus.com
> To: splint-discuss at cs.virginia.edu
> Subject: Re: [splint-discuss] DIR *dire storage created but not released??
>
>> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
>> bounces at cs.virginia.edu] On Behalf Of Greg White
>> Sent: Thursday, 06 November, 2008 20:17
>> To: splint-discuss at mail.cs.virginia.edu
>>
>> main.c: (in function findfiles)
>> main.c:79:2: Fresh storage dire not released before return
>> A memory leak has been detected. Storage allocated locally is not
>> released before the last reference to it is lost. (Use -mustfreefresh
>> to inhibit warning)
>> main.c:58:3: Fresh storage dire created
>>
>
> You haven't shown that Splint is broken yet, so asking for a fix is a
> bit premature.

If I do an open and close on dire and get a warning about fresh storage
being created when I open and not being released when I close there is a
bug somewhere. I saw this same warning when I did a malloc and forgot
the free. If I add a free(dire) after the close the warning goes away
but the program crashes saying something about double free memory.

Thanks,
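Greg's question is how a checker comes to understand that closedir releases what opendir returned. As an added example (not code from the thread), the two calls are wrapped in helpers that carry the ownership annotations Splint uses for exactly that, /*@only@*/ on the returned handle and on the parameter that consumes it, and the loop also handles the readdir error path the original snippet skips; dir_open, dir_close and count_entries are my own names, not part of any Splint library.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Wrappers that state ownership explicitly: the DIR returned by dir_open
 * is "only" storage (the caller holds the single reference) and dir_close
 * consumes it. With these annotations a checker tracks the handle through
 * the caller the same way it tracks malloc/free, so an opened handle that
 * is never closed is reported as a leak. (Hypothetical helpers.) */
static /*@null@*/ /*@only@*/ DIR *dir_open(const char *path)
{
    return opendir(path);
}

static int dir_close(/*@only@*/ DIR *d)
{
    return closedir(d);
}

/* Count the entries in path, including "." and "..".
 * Returns the count, or -1 with errno set if the directory cannot be
 * opened or read. Every exit after dir_open passes through dir_close,
 * which is the property the original warning was about. */
long count_entries(const char *path)
{
    DIR *dire = dir_open(path);
    struct dirent *filea;
    long count = 0;

    if (dire == NULL) {
        return -1;                  /* errno already set by opendir */
    }

    /* readdir returns NULL both at end of directory and on error;
     * clearing errno beforehand is the only way to tell them apart. */
    errno = 0;
    while ((filea = readdir(dire)) != NULL) {
        count++;
    }
    if (errno != 0) {
        int saved = errno;
        (void) dir_close(dire);     /* release the handle on the error path too */
        errno = saved;
        return -1;
    }

    if (dir_close(dire) != 0) {
        return -1;
    }
    return count;
}

int main(int argc, char **argv)
{
    const char *path = (argc > 1) ? argv[1] : ".";
    long n = count_entries(path);

    if (n < 0) {
        perror(path);
        return EXIT_FAILURE;
    }
    printf("%s: %ld entries\n", path, n);
    return EXIT_SUCCESS;
}
```

Under +posixlib Splint's own POSIX declarations supply the equivalent ownership information for opendir and closedir, which is why the warning disappeared for Greg once the flag was set.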
From Michael.Wojcik at MicroFocus.com  Fri Nov  7 13:29:02 2008
From: Michael.Wojcik at MicroFocus.com (Michael Wojcik)
Date: Fri, 7 Nov 2008 13:29:02 -0800
Subject: [splint-discuss] DIR *dire storage created but not released??
In-Reply-To:
References: <11352F9641010A418AD5057945A3A6590118BA11@MTV-EXCHANGE.microfocus.com>
Message-ID: <11352F9641010A418AD5057945A3A6590118BA14@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
> bounces at cs.virginia.edu] On Behalf Of Greg White
> Sent: Friday, 07 November, 2008 13:57
>
> If I do an open and close on dire and get a warning about fresh storage
> being created when I open and not being released when I close there is
> a bug somewhere.

Except that you did not have Splint configured correctly.

If the problem still occurs when you run Splint with +posixlib (and
eliminate any other warnings), then yes, that would be a bug. And
certainly Splint has bugs - as much of the traffic on this list will
attest.

My point was simply that you were jumping the gun a bit calling it a
bug, since Splint was telling you that you weren't running it correctly.
And that in particular you hadn't told Splint to use the POSIX library
support, which might have something to do with a false positive from a
POSIX function.

On the other hand, since Splint recognized that opendir allocated memory
even without +posixlib, I would have expected (perhaps unfairly) it to
recognize that closedir would free that memory. So I wouldn't be
surprised if this is a bug; I just don't want to conclude that it is
without due diligence.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus

From pcguy11 at live.com  Fri Nov  7 16:44:20 2008
From: pcguy11 at live.com (Greg White)
Date: Fri, 7 Nov 2008 18:44:20 -0600
Subject: [splint-discuss] DIR *dire storage created but not released??
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BA14@MTV-EXCHANGE.microfocus.com>
References: <11352F9641010A418AD5057945A3A6590118BA11@MTV-EXCHANGE.microfocus.com>
	<11352F9641010A418AD5057945A3A6590118BA14@MTV-EXCHANGE.microfocus.com>
Message-ID:

> Date: Fri, 7 Nov 2008 13:29:02 -0800
> From: Michael.Wojcik at microfocus.com
> To: splint-discuss at cs.virginia.edu
> Subject: Re: [splint-discuss] DIR *dire storage created but not released??
>
>> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
>> bounces at cs.virginia.edu] On Behalf Of Greg White
>> Sent: Friday, 07 November, 2008 13:57
>>
>> If I do an open and close on dire and get a warning about fresh storage
>> being created when I open and not being released when I close there is
>> a bug somewhere.
>
> Except that you did not have Splint configured correctly.
>
> If the problem still occurs when you run Splint with +posixlib (and
> eliminate any other warnings), then yes, that would be a bug. And
> certainly Splint has bugs - as much of the traffic on this list will
> attest.
>
> My point was simply that you were jumping the gun a bit calling it a
> bug, since Splint was telling you that you weren't running it correctly.
> And that in particular you hadn't told Splint to use the POSIX library
> support, which might have something to do with a false positive from a
> POSIX function.
>
> On the other hand, since Splint recognized that opendir allocated memory
> even without +posixlib, I would have expected (perhaps unfairly) it to
> recognize that closedir would free that memory. So I wouldn't be
> surprised if this is a bug; I just don't want to conclude that it is
> without due diligence.

I tried splint +posixlib file.c and am now down to 2 messages. The
messages about creating and freeing dire have disappeared. I personally
would categorize my issue as a splint bug for the reason you give. Given
that splint hasn't had a release in over a year I am not holding my
breath on a fix.

Thanks,

From pcguy11 at live.com  Fri Nov  7 18:28:54 2008
From: pcguy11 at live.com (Greg White)
Date: Fri, 7 Nov 2008 20:28:54 -0600
Subject: [splint-discuss] incomplete deallocation
Message-ID:

Hi again,

I do the following in my code:

n = malloc(sizeof(nk_hdr));
if (n == NULL) {
    (void)snprintf(error, 50, "can't allocate memory for n\n");
    return -1;
}
memset(n, 0, sizeof(n));

nk_hdr looks like:

typedef struct _nk_hdr {
    short int name_len;
    short int classname_len;
    unsigned char *key_name;
} nk_hdr;

When I do a free(n); splint says:

Only storage n->key_name (type unsigned char *) derived from released
  storage is not released (memory leak): n
  A storage leak due to incomplete deallocation of a structure or deep pointer
  is suspected. Unshared storage that is reachable from a reference that is
  being deallocated has not yet been deallocated. Splint assumes when an object
  is passed as an out only void pointer that the outer object will be
  deallocated, but the inner objects will not. (Use -compdestroy to inhibit
  warning)

What did I do wrong?

Thanks,

From brian.quinlan at iolfree.ie  Sat Nov  8 05:26:00 2008
From: brian.quinlan at iolfree.ie (Brian Quinlan)
Date: Sat, 08 Nov 2008 13:26:00 +0000
Subject: [splint-discuss] incomplete deallocation
In-Reply-To:
References:
Message-ID: <1226150760.8251.16.camel@russell>

On Fri, 2008-11-07 at 20:28 -0600, Greg White wrote:
> Hi again,
>
> I do the following in my code:
>
> n = malloc(sizeof(nk_hdr));
> if (n == NULL) {
>     (void)snprintf(error, 50, "can't allocate memory for n\n");
>     return -1;
> }
> memset(n, 0, sizeof(n));
>
> nk_hdr looks like:
> typedef struct _nk_hdr {
>     short int name_len;
>     short int classname_len;
>     unsigned char *key_name;
> } nk_hdr;
>
> when I do a free(n);
> splint says:
> Only storage n->key_name (type unsigned char *) derived from
> released storage is not released (memory leak): n
> A storage leak due to incomplete deallocation of a structure or deep pointer
> is suspected. Unshared storage that is reachable from a reference that is
> being deallocated has not yet been deallocated. Splint assumes when an object
> is passed as an out only void pointer that the outer object will be
> deallocated, but the inner objects will not. (Use -compdestroy to inhibit
> warning)
>
> What did I do wrong?
>

Hi Greg,

The problem is that the key_name pointer is not annotated, so it
defaults to "only" storage, i.e., splint assumes that key_name has the
only reference to the memory. For splint this means that when n is
freed, the program loses the only reference to the memory pointed to by
key_name, i.e., a memory leak. See the Memory Management section of
Appendix C of the manual for a list of relevant annotations.
Bye,
Brian

From pcguy11 at live.com  Sun Nov  9 09:28:06 2008
From: pcguy11 at live.com (Greg White)
Date: Sun, 9 Nov 2008 11:28:06 -0600
Subject: [splint-discuss] incomplete deallocation
In-Reply-To: <1226150760.8251.16.camel@russell>
References: <1226150760.8251.16.camel@russell>
Message-ID:

> From: brian.quinlan at iolfree.ie
>
>> Hi again,
>>
>> I do the following in my code:
>>
>> n = malloc(sizeof(nk_hdr));
>> if (n == NULL) {
>>     (void)snprintf(error, 50, "can't allocate memory for n\n");
>>     return -1;
>> }
>> memset(n, 0, sizeof(n));
>>
>> nk_hdr looks like:
>> typedef struct _nk_hdr {
>>     short int name_len;
>>     short int classname_len;
>>     unsigned char *key_name;
>> } nk_hdr;
>>
>> when I do a free(n);
>> splint says:
>> Only storage n->key_name (type unsigned char *) derived from
>> released storage is not released (memory leak): n
>> A storage leak due to incomplete deallocation of a structure or deep pointer
>> is suspected. Unshared storage that is reachable from a reference that is
>> being deallocated has not yet been deallocated. Splint assumes when an object
>> is passed as an out only void pointer that the outer object will be
>> deallocated, but the inner objects will not. (Use -compdestroy to inhibit
>> warning)
>>
>> What did I do wrong?
>>
> The problem is that the key_name pointer is not annotated, so it
> defaults to "only" storage, i.e., splint assumes that key_name has the
> only reference to the memory. For splint this means that when n is
> freed, the program loses the only reference to the memory pointed to by
> key_name, i.e., a memory leak. See the Memory Management section of
> Appendix C of the manual for a list of relevant annotations.

Thanks. I used /*@dependent@*/ on key_name and splint stopped warning
and the program still works.

I must say the manual could use a little work. For example it gives
examples of bad code, but it never shows you the good version of the
bad code.

Thanks again,

From Michael.Wojcik at MicroFocus.com  Mon Nov 10 07:04:21 2008
From: Michael.Wojcik at MicroFocus.com (Michael Wojcik)
Date: Mon, 10 Nov 2008 07:04:21 -0800
Subject: [splint-discuss] incomplete deallocation
In-Reply-To:
References: <1226150760.8251.16.camel@russell>
Message-ID: <11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
> bounces at cs.virginia.edu] On Behalf Of Greg White
> Sent: Sunday, 09 November, 2008 12:28
>
> >> I do the following in my code:
> >>
> >> n = malloc(sizeof(nk_hdr));

The following would be better:

nk_hdr *n;
n = malloc(sizeof *n);

That's less cluttered (the operand of the sizeof operator only needs to
be parenthesized if it's a type identifier), and it's typesafe; the
malloc statement doesn't need to include the purported type of the
object pointed to by n.

> >> memset(n, 0, sizeof(n));

I hope you actually have "sizeof *n" there (again, sizeof's operand does
not have to be parenthesized when it's an object identifier). Otherwise
you only cleared out a pointer-sized area.

A better way to initialize dynamically-allocated structures is with
structure copy:

static const nk_hdr nk_hdr0 = {0};
...
n = malloc(sizeof *n);
*n = nk_hdr0;

This has a number of advantages:

- It's simpler, less cluttered, and clearer.
- It's typesafe; you'll get an error if the type of n changes, and you
  forget to change the initialization statement.
- It's guaranteed to initialize all types correctly. It's possible for a
  C implementation to have a null pointer representation that's not
  binary-zeroes.
- It avoids the mistake that your memset line above makes.

(Note that the "{0}" initializer initializes every member of nk_hdr0 to
its type-appropriate zero value: integer types to 0, floating types to
0.0, pointers to null, and aggregate types to zero recursively. The "=
{0}" is actually not necessary, as all static variables are implicitly
initialized this way, but for a dedicated initializer I like to make it
explicit as documentation.)

[Brian's already answered your actual question.]

> Thanks. I used /*@dependent@*/ on key_name and splint stopped warning
> and the program still works.

Of course Splint annotations have no effect on the code generated by
your compiler, so they should never affect how the program works.
(Unless there's a C implementation other than Splint that recognizes
Splint annotations and alters its code generation, I suppose, but I've
never heard of one.)

> I must say the manual could use a little work. For example it gives
> examples of bad code, but it never shows you the good version of the
> bad code.

Agreed. But someone has to take on the job of updating it.

I think most of the people still doing research in this area (static
code analysis) have either moved on to other languages, or to commercial
products, which have the advantage of substantial R&D budgets. Splint
maintenance is mostly being done by a handful of stubborn holdouts -
which I certainly respect, but their resources for the project are
necessarily limited.

So while it's always useful to have suggestions for improvement, it's
much more useful to actually contribute an improvement.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus

From pcguy11 at live.com  Mon Nov 10 12:57:10 2008
From: pcguy11 at live.com (Greg White)
Date: Mon, 10 Nov 2008 14:57:10 -0600
Subject: [splint-discuss] incomplete deallocation
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
References: <1226150760.8251.16.camel@russell>
	<11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
Message-ID:

> Date: Mon, 10 Nov 2008 07:04:21 -0800
> From: Michael.Wojcik at microfocus.com
> To: splint-discuss at cs.virginia.edu
> Subject: Re: [splint-discuss] incomplete deallocation
>
>> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
>> bounces at cs.virginia.edu] On Behalf Of Greg White
>> Sent: Sunday, 09 November, 2008 12:28
>>
>>>> I do the following in my code:
>>>>
>>>> n = malloc(sizeof(nk_hdr));
>
> The following would be better:
>
> nk_hdr *n;
> n = malloc(sizeof *n);
>
> That's less cluttered (the operand of the sizeof operator only needs to
> be parenthesized if it's a type identifier), and it's typesafe; the
> malloc statement doesn't need to include the purported type of the
> object pointed to by n.
>
>>>> memset(n, 0, sizeof(n));
>
> I hope you actually have "sizeof *n" there (again, sizeof's operand does
> not have to be parenthesized when it's an object identifier). Otherwise
> you only cleared out a pointer-sized area.

Yes the code has a *n. I wasn't in front of the code when I typed in the
email. The memset is to kill a splint warning of n not being fully
defined (or something like that, I am not in front of my code).

> A better way to initialize dynamically-allocated structures is with
> structure copy:
>
> static const nk_hdr nk_hdr0 = {0};
> ...
> n = malloc(sizeof *n);
> *n = nk_hdr0;
>
> This has a number of advantages:
>
> - It's simpler, less cluttered, and clearer.
> - It's typesafe; you'll get an error if the type of n changes, and you
>   forget to change the initialization statement.
> - It's guaranteed to initialize all types correctly. It's possible for a
>   C implementation to have a null pointer representation that's not
>   binary-zeroes.
> - It avoids the mistake that your memset line above makes.
>
> (Note that the "{0}" initializer initializes every member of nk_hdr0 to
> its type-appropriate zero value: integer types to 0, floating types to
> 0.0, pointers to null, and aggregate types to zero recursively. The "=
> {0}" is actually not necessary, as all static variables are implicitly
> initialized this way, but for a dedicated initializer I like to make it
> explicit as documentation.)

Thank you for the suggestions. I will try them out.

> [Brian's already answered your actual question.]
>
>> Thanks. I used /*@dependent@*/ on key_name and splint stopped warning
>> and the program still works.
>
> Of course Splint annotations have no effect on the code generated by
> your compiler, so they should never affect how the program works.
> (Unless there's a C implementation other than Splint that recognizes
> Splint annotations and alters its code generation, I suppose, but I've
> never heard of one.)

I noticed that. I did a diff between my executable before and after
fixing up some splint warnings and there wasn't any difference, except
when I added a missing check for null after malloc.

>> I must say the manual could use a little work. For example it gives
>> examples of bad code, but it never shows you the good version of the
>> bad code.
>
> Agreed. But someone has to take on the job of updating it.
>
> I think most of the people still doing research in this area (static
> code analysis) have either moved on to other languages, or to commercial
> products, which have the advantage of substantial R&D budgets. Splint
> maintenance is mostly being done by a handful of stubborn holdouts -
> which I certainly respect, but their resources for the project are
> necessarily limited.
>
> So while it's always useful to have suggestions for improvement, it's
> much more useful to actually contribute an improvement.

I would really like to help with that, but as you can see I am not close
to being an expert in either C or splint. I do try to help out projects
when I can. I just wrote some code for an open source project and it is
this code I am using splint on.

Thanks for the tips,

From pcguy11 at live.com  Mon Nov 10 17:31:30 2008
From: pcguy11 at live.com (Greg White)
Date: Mon, 10 Nov 2008 19:31:30 -0600
Subject: [splint-discuss] incomplete deallocation
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
References: <1226150760.8251.16.camel@russell>
	<11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
Message-ID:

> Date: Mon, 10 Nov 2008 07:04:21 -0800
> From: Michael.Wojcik at microfocus.com
> To: splint-discuss at cs.virginia.edu
> Subject: Re: [splint-discuss] incomplete deallocation
>
> A better way to initialize dynamically-allocated structures is with
> structure copy:
>
> static const nk_hdr nk_hdr0 = {0};
> ...
> n = malloc(sizeof *n);
> *n = nk_hdr0;

OK I made the changes you suggested but splint is now giving me the
following message:

Initializer block for nk_hdr0 has 1 field, but nk_hdr has 5 fields: 0
  Initializer does not set every field in the structure. (Use
  -fullinitblock to inhibit warning)

Code:

static const nk_hdr nk_hdr0 = {0};
nk_hdr *n = NULL;

n = (nk_hdr*) malloc(sizeof(*n));
if (n == NULL) {
    printf("can't allocate memory for n\n");
    return -1;
}
*n = nk_hdr0;

Did I do something wrong?
Thanks,

From Michael.Wojcik at MicroFocus.com  Tue Nov 11 06:17:11 2008
From: Michael.Wojcik at MicroFocus.com (Michael Wojcik)
Date: Tue, 11 Nov 2008 06:17:11 -0800
Subject: [splint-discuss] incomplete deallocation
In-Reply-To:
References: <1226150760.8251.16.camel@russell>
	<11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
Message-ID: <11352F9641010A418AD5057945A3A6590118BA1D@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
> bounces at cs.virginia.edu] On Behalf Of Greg White
> Sent: Monday, 10 November, 2008 20:32
>
> > Date: Mon, 10 Nov 2008 07:04:21 -0800
> > From: Michael.Wojcik at microfocus.com
> > To: splint-discuss at cs.virginia.edu
> > A better way to
> > initialize dynamically-allocated structures is with structure copy:
> >
> > static const nk_hdr nk_hdr0 = {0};
> > ...
> > n = malloc(sizeof *n);
> > *n = nk_hdr0;
>
> OK I made the changes you suggested but splint is now giving me the
> following message:
> Initializer block for nk_hdr0 has 1 field, but nk_hdr has 5 fields: 0
> Initializer does not set every field in the structure. (Use
> -fullinitblock to inhibit warning)
>
> Code:
> static const nk_hdr nk_hdr0 = {0};
> nk_hdr *n = NULL;
>
> n = (nk_hdr*) malloc(sizeof(*n));
> if (n == NULL) {
>     printf("can't allocate memory for n\n");
>     return -1;
> }
> *n = nk_hdr0;
>
> Did I do something wrong?

No. This is a misfeature in Splint. Compound initializers with fewer
fields than the aggregate type being initialized are well-defined by the
ISO C standard, and the "{0}" initializer in particular is a
widely-recognized idiom. (Splint should really silently ignore any
"short" initializer that ends with a 0 constant.)

This sort of false-positive message is a common problem with lint-style
static analyzers, which is why they introduced source code annotations.

The proper way to fix it is with an annotation. This should do it:

/*@ -fullinitblock @*/
static const nk_hdr nk_hdr0 = {0};
/*@ +fullinitblock @*/

or alternatively:

static const nk_hdr nk_hdr0 = /*@i1@*/ {0};

(The "i1" annotation means "ignore exactly one item from here to the end
of this line".)

You can also just remove the "= {0}" part, since static variables are
implicitly initialized to {0} if no explicit initializer is present.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus

From kay at dohmanngmbh.de  Wed Nov 12 07:49:43 2008
From: kay at dohmanngmbh.de (Kay Dohmann)
Date: Wed, 12 Nov 2008 16:49:43 +0100
Subject: [splint-discuss] implicit options
Message-ID: <491AFB17.30002@dohmanngmbh.de>

Hi.

I got a tiny question on using splint. Is it possible to have implicit
options on .h files for example? I'll explain:

I want to have my C modules as application-independent as possible. For
example I have, let's say, a stringfunctions.c and stringfunctions.h in
my application. In stringfunctions.h all the api is defined, but this
application does not use all of this api. So I need to have
/*@-export-local@*/ and /*@=export-local@*/ surrounding my api functions
in the .h file. This way I get warnings on non-static functions in my
module and no warnings on my defined api.

But isn't there a more comfortable way to do this? Like having an
implicit /*@-export-local@*/ for the .h files?

--
Kind regards, Best Regards,

Kay Dohmann

I. Dohmann GmbH
Email: kay at dohmanngmbh.de
Phone: +49 (0) 5241 960600
Fax: +49 (0) 5241 9606030
Isselhorster Strasse 403 - 33334 Guetersloh - Germany
Management: Ingo Dohmann
Registered office: Guetersloh
Commercial register: Amtsgericht Guetersloh HRB 2442

From john.carter at tait.co.nz  Wed Nov 12 14:45:59 2008
From: john.carter at tait.co.nz (John Carter)
Date: Thu, 13 Nov 2008 11:45:59 +1300 (NZDT)
Subject: [splint-discuss] Speeding up splint.
Message-ID:

Currently two thirds of our compilation time is taken up by splint.

Is there any way to speed it up?

For example, are there certain checks or flags that are much slower than
others?

Is there any room for optimizing splint? eg. Hot spots in the splint
code.

Is there any way of separating the preprocessor step from the rest so
one can distribute it via distcc?

Thanks,

John Carter                             Phone : (64)(3) 358 6639
Tait Electronics                        Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch                Email : john.carter at tait.co.nz
New Zealand

From pcguy11 at live.com  Thu Nov 13 17:30:14 2008
From: pcguy11 at live.com (Greg White)
Date: Thu, 13 Nov 2008 19:30:14 -0600
Subject: [splint-discuss] incomplete deallocation
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BA1D@MTV-EXCHANGE.microfocus.com>
References: <1226150760.8251.16.camel@russell>
	<11352F9641010A418AD5057945A3A6590118BA16@MTV-EXCHANGE.microfocus.com>
	<11352F9641010A418AD5057945A3A6590118BA1D@MTV-EXCHANGE.microfocus.com>
Message-ID:

> From: Michael.Wojcik at microfocus.com
>>> static const nk_hdr nk_hdr0 = {0};
>>> ...
>>> n = malloc(sizeof *n);
>>> *n = nk_hdr0;
>>
>> OK I made the changes you suggested but splint is now giving me the
>> following message:
>> Initializer block for nk_hdr0 has 1 field, but nk_hdr has 5 fields: 0
>> Initializer does not set every field in the structure. (Use
>> -fullinitblock to inhibit warning)
>>
>> Code:
>> static const nk_hdr nk_hdr0 = {0};
>> nk_hdr *n = NULL;
>>
>> n = (nk_hdr*) malloc(sizeof(*n));
>> if (n == NULL) {
>>     printf("can't allocate memory for n\n");
>>     return -1;
>> }
>> *n = nk_hdr0;
>>
>> Did I do something wrong?
>
> No. This is a misfeature in Splint. Compound initializers with fewer
> fields than the aggregate type being initialized are well-defined by the
> ISO C standard, and the "{0}" initializer in particular is a
> widely-recognized idiom. (Splint should really silently ignore any
> "short" initializer that ends with a 0 constant.)
>
> This sort of false-positive message is a common problem with lint-style
> static analyzers, which is why they introduced source code annotations.
>
> The proper way to fix it is with an annotation. This should do it:
>
> /*@ -fullinitblock @*/
> static const nk_hdr nk_hdr0 = {0};
> /*@ +fullinitblock @*/
>
> or alternatively:
>
> static const nk_hdr nk_hdr0 = /*@i1@*/ {0};
>
> (The "i1" annotation means "ignore exactly one item from here to the end
> of this line".)
>
> You can also just remove the "= {0}" part, since static variables are
> implicitly initialized to {0} if no explicit initializer is present.

I just removed the = {0} and everything is fine now.

Thanks for the help,
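The incomplete-deallocation thread, pulled together as an added example (not Greg's or Michael's code): the header owns key_name, so the field is annotated /*@only@*/ and a destructor releases the inner pointer before the outer block, which is the order the compdestroy warning asks for; the allocation uses sizeof *n, structure copy from a {0} template, and Michael's -fullinitblock control comments. The nk_hdr_new / nk_hdr_free / nk_hdr_roundtrip names, the size_t length parameter and the three-field layout are assumptions (the page says the real struct has five fields).

```c
#include <stdlib.h>
#include <string.h>

/* The struct from the thread, with the pointer's ownership stated: this
 * nk_hdr owns key_name, so the field is "only" storage and whoever frees
 * the header must free key_name first. Three fields are enough here. */
typedef struct _nk_hdr {
    short int name_len;
    short int classname_len;
    /*@only@*/ /*@null@*/ unsigned char *key_name;
} nk_hdr;

/* Zero template for structure-copy initialization. The control comments
 * are the fix from the thread for the fullinitblock warning; the compiler
 * sees only a plain {0} initializer. */
/*@ -fullinitblock @*/
static const nk_hdr nk_hdr0 = {0};
/*@ +fullinitblock @*/

/* Allocate an nk_hdr that owns a copy of the len bytes at name. Returns
 * NULL on failure, and on that path nothing is leaked. (Hypothetical.) */
/*@null@*/ /*@only@*/ nk_hdr *nk_hdr_new(const unsigned char *name, size_t len)
{
    nk_hdr *n;

    if (len > 32767) {                 /* name_len is a short int */
        return NULL;
    }
    n = malloc(sizeof *n);             /* sizeof *n: no cast, type not repeated */
    if (n == NULL) {
        return NULL;
    }
    *n = nk_hdr0;                      /* structure copy: every field zeroed */

    n->key_name = malloc(len > 0 ? len : 1);
    if (n->key_name == NULL) {
        free(n);                       /* release the outer block on failure */
        return NULL;
    }
    memcpy(n->key_name, name, len);
    n->name_len = (short int) len;
    return n;
}

/* Destructor: release the inner "only" pointer, then the outer block.
 * Freeing n alone would lose the last reference to key_name, which is
 * exactly the leak Splint reported. */
void nk_hdr_free(/*@only@*/ /*@null@*/ nk_hdr *n)
{
    if (n == NULL) {
        return;
    }
    free(n->key_name);
    free(n);
}

/* Build a header from a C string, check the copy, release it, and return
 * the stored name length (or -1 on any failure): one full
 * allocate/copy/free cycle. */
int nk_hdr_roundtrip(const char *name)
{
    size_t len = strlen(name);
    nk_hdr *n = nk_hdr_new((const unsigned char *) name, len);
    int result;

    if (n == NULL) {
        return -1;
    }
    result = (n->key_name != NULL &&
              (size_t) n->name_len == len &&
              n->classname_len == 0 &&
              memcmp(n->key_name, name, len) == 0) ? n->name_len : -1;
    nk_hdr_free(n);
    return result;
}

int main(void)
{
    return nk_hdr_roundtrip("Software") == 8 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With /*@dependent@*/ on key_name, as Greg used, Splint instead assumes some other object owns that storage, so it stays silent if nobody ever frees it; the annotation should match who really does the freeing.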
http://windowslive.com/Explore/Hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_5gb_112008 From scventer43 at telkomsa.net Sat Nov 22 14:58:00 2008 From: scventer43 at telkomsa.net (Steven Venter) Date: Sat, 22 Nov 2008 14:58:00 -0800 Subject: [splint-discuss] assembly code parsing Message-ID: Hi List I'm working on an embedded application. I have successfully splint my code by removing some calls to third party libraries. I have the flowing questions 1. Is there an option whereby on can exclude the parsing of third party code (header files) but include my headers? 2. if not, how will I validate the following - extern PGM_VOID_P memchr_P(PGM_VOID_P, int __val, size_t __len) __ATTR_CONST__; problem with size_t size_t is defined in stddef.h so I don't know what the problem is - stddef is included. and __asm__ __volatile__( "rjmp 1f\n 1:" ); - no idea how the get this checked! I created my own .splintrc file and is included as reference. I created this with some basic setting from the doc and then as I splint(ed) my files added if I felt it was necessary (NEWBIE way I suppose). Is this ok? ###.splintrc-file for GCC AVR-compiler # ###Include search paths ###I (no space between I and -IC:\WinAVR-20080610\pfleury_avrlibs -IC:\WinAVR-20080610\AVRlib\conf -IC:\WinAVR-20080610\AVRlib -IC:\WinAVR-20080610\avr\include -IC:\WinAVR-20080610\avr\include\avr -warnflags -preproc ### ./.splintrc(71,1): Setting +preproc redundant with current value ### FLAGS -maintype ### Type of main does not match expected type ### -partial ### Do not check as partial system (no effect?) +nolib ### No library is loaded ### +charindex ### Allow chars to be used to index arrays ### +charunsignedchar ### Char and unsigned chars match ### +relax-quals ### Report qualifier mismatches only if dangerous ### +numabstractlit ### Number literals may be used as numabstract types ### -weak ### -internal-name-length 31 variable length max +single-include ### check each include file only once. 
-nestcomment ### // allowed after //
-nocomments
-unrecogcomments
+larchpath C:\splint\imports ### lcd path
+larchpath C:\splint\lib ### lcd path
-warnflags
+enumint ### Enum and int types are equivalent
### -pred-bool ### Sets predboolint, predboolptr and predboolothers
-booltype BOOL
-warnflags
-predboolint ### prevent warning on things like "while (1)"
###-boolops ### means can use && and ! for things other than bools
-boolfalse FALSE ### Name of boolean false
-booltrue TRUE ### Name of boolean true
###DEFINES
-Dpinf= ### define PINF as const
-Dsfrb=const ### define sfrb as "" for non-function
-Dsfrw=const ### define sfrw as "" for non-function
-Deeprom= ### Define eeprom as ""
-Dflash= ### const ### Define const as ""
### -D_MCU_CLOCK_FREQUENCY_=8000000 ### Define _MCU_CL... as 4000000

Thanks for Splint and your support.

Steven

From lodenhsieuquay at yahoo.com Mon Nov 24 01:28:14 2008
From: lodenhsieuquay at yahoo.com (Le Huu Hoang Gia)
Date: Mon, 24 Nov 2008 01:28:14 -0800 (PST)
Subject: [splint-discuss] How to control infinite Loop?
Message-ID: <319322.70584.qm@web63201.mail.re1.yahoo.com>

I write a code:

void loop1(int x)
{
    while (x < 3) x--;
};

Splint reports no errors or warnings. Is there any way to analyze this code? I expected that splint would report a warning in this loop.

From Boris.Hollas at de.bosch.com Mon Nov 24 01:45:40 2008
From: Boris.Hollas at de.bosch.com (Hollas Boris (CR/AEY1))
Date: Mon, 24 Nov 2008 10:45:40 +0100
Subject: [splint-discuss] How to control infinite Loop?
Message-ID: <7A407C25F211BE428DF593363B385D930363746C@si-mail02.de.bosch.com>

I believe that Splint does not analyse properties that are undecidable. Detecting whether a loop is infinite is undecidable in general.

From jon.wilson at globalgraphics.com Mon Nov 24 02:33:07 2008
From: jon.wilson at globalgraphics.com (Jon Wilson)
Date: Mon, 24 Nov 2008 10:33:07 +0000
Subject: [splint-discuss] How to control infinite Loop?
In-Reply-To: <319322.70584.qm@web63201.mail.re1.yahoo.com>
References: <319322.70584.qm@web63201.mail.re1.yahoo.com>
Message-ID: <492A82E3.3060009@globalgraphics.com>

Le Huu Hoang Gia wrote:
> I write a code:
> void loop1(int x)
> {
> while (x < 3) x--;
> };
> Splint reports no errors or warnings.
> Is there any way to analyze this code? I expected that splint would
> report a warning in this loop.

That loop will terminate just fine, when x wraps around and becomes positive.

Splint, I believe, will report simple infinite loops with for (;;) or while (true) with no break or exit statements.

Jon

From raeburn at raeburn.org Mon Nov 24 02:49:19 2008
From: raeburn at raeburn.org (Ken Raeburn)
Date: Mon, 24 Nov 2008 05:49:19 -0500
Subject: [splint-discuss] How to control infinite Loop?
In-Reply-To: <319322.70584.qm@web63201.mail.re1.yahoo.com>
References: <319322.70584.qm@web63201.mail.re1.yahoo.com>
Message-ID: <030A1AAA-22D4-4B10-A74D-AB2CB090BDDF@raeburn.org>

On Nov 24, 2008, at 04:28, Le Huu Hoang Gia wrote:
> I write a code:
> void loop1(int x)
> {
> while (x < 3) x--;
> };
> Splint reports no errors or warnings.
> Is there any way to analyze this code? I expected that splint would
> report a warning in this loop.

After x reaches INT_MIN, you're likely to get INT_MAX or a signal from the next decrement, so it wouldn't be an infinite loop in those cases.
The details are up to the compiler implementation, though.

Ken

From tony at unetixs.com Mon Nov 24 05:14:28 2008
From: tony at unetixs.com (Tony Castillo)
Date: Mon, 24 Nov 2008 08:14:28 -0500
Subject: [splint-discuss] Speeding up splint.
 (John Carter)
In-Reply-To:
References:
Message-ID: <492AA8B4.8040008@unetixs.com>

Here are a few things:

Splint is a memory hog. Try adding more RAM.

Splint is not a compiler. Use splint near the end of your project (after things are working).

Try to break up modules (.C files). This works best if you have a smaller number of header (.H) files.

With large header files, try to combine modules. Combine all of your includes into 1 super header file that is used by all modules. This way splint only has to parse them once. This is the instance where more RAM may be useful.

> > Currently two thirds of our compilation time is taken up by splint.
> > Is there any way to speed it up?

From sramkar at gmail.com Mon Nov 24 09:36:34 2008
From: sramkar at gmail.com (RKS)
Date: Mon, 24 Nov 2008 12:36:34 -0500
Subject: [splint-discuss] splint and pthreads
Message-ID: <88f74be20811240936m435dbc70t299c2a28cd9809aa@mail.gmail.com>

Hi,

I am a beginner to splint. When I use splint against this code:

#include
int main (void)
{
    return 0;
}

I get the following:

/usr/include/bits/types.h:192:24: Datatype __socklen_t declared with inconsistent type: unsigned int
  A function, variable or constant is redefined with a different type.
  (Use -incondefs to inhibit warning)
load file unix.lcd: Specification of __socklen_t: arbitrary unsigned integral type
/usr/include/bits/pthreadtypes.h:36:27: Datatype pthread_t declared with inconsistent type: unsigned long int
load file unix.lcd: Specification of pthread_t: arbitrary integral type
/usr/include/bits/pthreadtypes.h:43:3: Datatype pthread_attr_t declared with inconsistent type: union { char [36] __size; long int __align; }
load file unix.lcd: Specification of pthread_attr_t: arbitrary integral type
/usr/include/bits/pthreadtypes.h:73:3: Datatype pthread_mutex_t declared with inconsistent type: union { struct __pthread_mutex_s __data; char [24] __size; long int __align; }
load file unix.lcd: Specification of pthread_mutex_t: arbitrary integral type
/usr/include/bits/pthreadtypes.h:79:3: Datatype pthread_mutexattr_t declared with inconsistent type: union { char [4] __size; long int __align; }
load file unix.lcd: Specification of pthread_mutexattr_t: arbitrary integral type

I see that there is a mismatch between what is declared in bits/types.h and unix.h, unix.lcd. But how do I resolve this?

From brian.quinlan at iolfree.ie Mon Nov 24 11:04:55 2008
From: brian.quinlan at iolfree.ie (Brian Quinlan)
Date: Mon, 24 Nov 2008 19:04:55 +0000
Subject: [splint-discuss] Speeding up splint. (John Carter)
In-Reply-To: <492AA8B4.8040008@unetixs.com>
References: <492AA8B4.8040008@unetixs.com>
Message-ID: <1227553495.7580.40.camel@russell>

On Mon, 2008-11-24 at 08:14 -0500, Tony Castillo wrote:
> Here are a few things:
> Splint is a memory hog. Try adding more RAM.
> Splint is not a compiler. Use splint near the end of your project
> (after things are working).

Splint is a compiler that produces errors rather than object files.
If you wait till the end of your project, you'll get a huge number of errors; it's better to fix them incrementally as they occur during the project, rather than in one big bang at the end.

When I used splint in the past, the default target initially had a dependency on the splint target. However, although we had to remove the dependency (because splint took so long), we kept the splint target which developers were required to make before checking in code (but not every single time they built).

> Try to break up modules (.C files). This works best if you have a
> smaller number of header (.H) files
> With large header files, try to combine modules. Combine all of your
> includes into 1 super header file that is used by all modules. This way
> splint only has to parse them once. This is the instance where more RAM
> may be useful.

Be very careful about creating undesired coupling between unrelated modules because of a tool problem. If all modules include a super header, then someday, someone will (WILL, not might) use an inappropriate header because their module can see the header. This will make it very hard to separate their module from the other modules on which it has an inappropriate dependency.

> > > > Currently two thirds of our compilation time is taken up by splint.
> > > > Is there any way to speed it up?
> >
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss

From mike.werner at brain-child.de Tue Nov 25 00:44:24 2008
From: mike.werner at brain-child.de (Mike Werner)
Date: Tue, 25 Nov 2008 09:44:24 +0100
Subject: [splint-discuss] HowTo specify DEFINES by CMD line
Message-ID:

Hello,

my IDE specifies several defines when running the compiler. This e.g. lets the compiler know which platform specific headers should be included. When I run splint it complains that some types are missing.
How can I tell splint those defines so that it knows which headers to be included?

--
Kind regards
Mike Werner
_______________________________
brainchild GmbH
Rathausplatz 6
84307 Eggenfelden - Germany
Mobile: +49 (0) 175 206 166 9
Phone : +49 (0) 8721 506 977 0
Fax   : +49 (0) 8721 506 977 21
mike.werner at brain-child.de
http://www.brain-child.de
_____________________________________________________________________
brainchild GmbH
Registered Office: Eggenfelden
District Court of Landshut HRB 7454
Managing Directors: Mike Werner
_____________________________________________________________________

From lholzheid at bihl-wiedemann.de Tue Nov 25 01:09:01 2008
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 25 Nov 2008 10:09:01 +0100
Subject: [splint-discuss] HowTo specify DEFINES by CMD line
In-Reply-To:
References:
Message-ID: <20081125090901.GA781@svr5.bihl-wiedemann.de>

On Tue, 2008-11-25 09:44:24 +0100, Mike Werner wrote:
> [..]
>
> How can I tell splint those defines so that it knows which headers to be
> included?

Try "-D" or "-D=", either as command line argument or in splintrc.

See also the Pre-processor section in appendix B of the manual.
Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid                Tel:    +49 621 339960
Bihl+Wiedemann GmbH            Fax:    +49 621 3392239
Floßwörthstraße 41             e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From roland.illig at gmx.de Tue Nov 25 01:15:36 2008
From: roland.illig at gmx.de (Roland Illig)
Date: Tue, 25 Nov 2008 10:15:36 +0100
Subject: [splint-discuss] HowTo specify DEFINES by CMD line
In-Reply-To:
References:
Message-ID: <492BC238.6020700@gmx.de>

Mike Werner wrote:
> Hello,
>
> my IDE specifies several defines when running the compiler. This e.g. lets
> the compiler know which platform specific headers should be included. When I
> run splint it complains that some types are missing.
>
> How can I tell splint those defines so that it knows which headers to be
> included?

When you include one of the standard headers , , , SPlint doesn't include your system's headers but its own ones.

When you include other system headers, you should probably write your own replacements for them, declaring what these headers provide, so that SPlint can use it. You should then include these headers only for SPlint at the very beginning of the header search path.

Roland

From Wenzel at bbr-vt.de Tue Nov 25 01:05:48 2008
From: Wenzel at bbr-vt.de (Wenzel, Bodo)
Date: Tue, 25 Nov 2008 10:05:48 +0100
Subject: [splint-discuss] HowTo specify DEFINES by CMD line
Message-ID: <46B6459B655D7342AB97371E8B7CD8B84A63FB@sv-exch.BBR.local>

Hi Mike,

> How can I tell splint those defines so that it knows which headers to be
> included?

According to the documentation (page 72) you pass "D" on the commandline.

Kind regards, on behalf of
Bodo Wenzel
- Software Development -

--
BBR - Baudis Bergmann Rösch Verkehrstechnik GmbH
Pillaustraße 1e
D - 38126 Braunschweig
T: +49.531.27300-766
F: +49.531.27300-999
@: wenzel at bbr-vt.de
W: http://www.bbr-vt.de
Registration court: AG Braunschweig HRB 3037
Managing directors: Dipl.-Ing. Arne Baudis, Dipl.-Ing. Thomas Bergmann, Dipl.-Ing. Frank-Michael Rösch
VAT ID no.: DE 114 877 881
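Added example (editor's code, not from any message in the "How to control infinite Loop?" thread above): the loop Le Huu Hoang Gia posted, with the decrement made safe. One caveat the thread does not state: ISO C leaves signed integer overflow undefined, so "while (x < 3) x--;" on an int is not guaranteed to wrap at INT_MIN. An optimising compiler is entitled to assume x-- never overflows, conclude that x < 3 stays true once entered, and emit an unconditional infinite loop or remove the loop entirely. Only unsigned arithmetic wraps by definition. The function names and the 'floor' parameter are assumptions made for this example.

```c
/* Added example, not code from the thread. Function names and the
   'floor' parameter are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The same loop on an unsigned counter, where wrap-around is defined:
   2 -> 1 -> 0 -> UINT_MAX, after which x < 3 is false.
   Returns the number of decrements performed. */
static unsigned long loop1_unsigned(unsigned int x)
{
    unsigned long n = 0;
    while (x < 3u) {
        x--;            /* defined behaviour: 0u - 1u == UINT_MAX */
        n++;
    }
    return n;
}

/* Decrement *x only if the result stays at or above 'floor'.
   Returns false, leaving *x untouched, when it would not. */
static bool dec_checked(int *x, int floor)
{
    if (*x <= floor) {
        return false;
    }
    (*x)--;
    return true;
}

/* Signed version with every decrement guarded. Returns the number of
   decrements, or -1 if the loop could only have continued by going below
   'floor' (pass INT_MIN for the limit of the type itself). The -1 path
   is exactly where the unguarded original runs into undefined behaviour. */
static long loop1_checked(int x, int floor)
{
    long n = 0;
    while (x < 3) {
        if (!dec_checked(&x, floor)) {
            return -1;
        }
        n++;
    }
    return n;
}

int main(void)
{
    printf("unsigned, x=2: %lu decrements\n", loop1_unsigned(2u));
    printf("signed, x=2, floor=-10: %ld\n", loop1_checked(2, -10));
    printf("signed, x=5: %ld\n", loop1_checked(5, INT_MIN));
    return 0;
}
```

The guarded version makes the termination question decidable for the caller: either the loop exits normally or it reports that it would have had to overflow. That is the kind of property a checker such as Splint can reason about, whereas the unguarded decrement gives it nothing to check.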
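Added example (editor's code, not from Splint, avr-libc or any message above): the replacement-header approach Roland describes, applied to the two declarations from Steven's "assembly code parsing" question, together with the -D answer given to Mike. Splint predefines the preprocessor symbol S_SPLINT_S, so a shim guarded by it is active only when Splint runs; the real compiler keeps seeing the vendor header. The shim contents, the host fallback, find_record_end and the define MY_AVR_BUILD are assumptions. The intended invocation (also an assumption) passes the same defines the IDE gives the compiler and puts the shim directory first on the include path, for example "splint -I./splint-shims -DMY_AVR_BUILD=1 main.c". Here the shim is written inline so that the file is self-contained.

```c
/* Added example, not code from the thread, Splint or avr-libc. The shim
   contents, the host fallback and the function name are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(S_SPLINT_S)
/* What Splint sees: plain C with no GCC extensions. The asm statement
   becomes "(void)("...");", a cast that Splint accepts and that does
   nothing. Inline assembly cannot be checked by Splint, only hidden. */
#define __asm__ (void)
#define __volatile__
#define __ATTR_CONST__
typedef const void *PGM_VOID_P;
extern /*@null@*/ PGM_VOID_P memchr_P(PGM_VOID_P s, int val, size_t len) __ATTR_CONST__;
#elif defined(__AVR__)
/* Real target build: the vendor header provides everything. */
#include <avr/pgmspace.h>
#else
/* Host build of this example: "program memory" is ordinary memory, so
   memchr_P is just memchr. */
typedef const void *PGM_VOID_P;
static PGM_VOID_P memchr_P(PGM_VOID_P s, int val, size_t len)
{
    return memchr(s, val, len);
}
#endif

/* Length of a NUL-terminated record stored in program memory, or 'len'
   if no terminator is found within 'len' bytes. The asm line is the one
   from the thread; the host compiler never sees it, the AVR compiler
   assembles it, and Splint sees the harmless cast from the shim. */
static size_t find_record_end(PGM_VOID_P rec, size_t len)
{
    const char *end;
#if defined(__AVR__) || defined(S_SPLINT_S)
    __asm__ __volatile__("rjmp 1f\n 1:");
#endif
    end = memchr_P(rec, '\0', len);
    if (end == NULL) {
        return len;
    }
    return (size_t)(end - (const char *)rec);
}

int main(void)
{
    /* Constructed sample record: "hdr" followed by a NUL and more bytes. */
    static const char rec[] = "hdr\0rest";
    printf("record length: %lu\n", (unsigned long)find_record_end(rec, sizeof rec));
    return 0;
}
```

Because the vendor declaration is reproduced in the shim with its attribute macro defined away and its program-memory type spelled out as const void *, Splint can type-check every call to memchr_P, including the NULL return, without ever parsing the real header. Keeping the shim in its own directory that only the splint invocation puts on the include path means the compiler's view of the code is unchanged.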