[splint-discuss] staticinittrans

Richard O'Keefe ok at cs.otago.ac.nz
Thu Apr 23 23:41:40 PDT 2009


On 24 Apr 2009, at 6:24 am, Jonathan and Caroline Moore wrote:
> typedef struct {
>       int *x;
> } stL_t;
>
> static int x[2] = {5, 10};
>
> static stL_t stL = {
>       x
> };

> test.c:10:2: Unqualified static storage x used as initial value for
>               implicitly only: stL.x = x
>   Static storage is used as an initial value in an inconsistent way.
>   (Use -staticinittrans to inhibit warning)

The big thing to understand is that
(1) C is not a garbage collected language, so
(2) SPlint takes as one of its main tasks helping you keep
     track of pointers.

It's telling you that in the absence of any declaration to
the contrary, it assumes that the .x field of an stL_t points
to something that NOTHING else points to (that's what the "only"
bit means: this is the only pointer to that), but in fact a
static variable can always be referred to anywhere in its source
file.  In effect, it's asking you to
(a) say that x[] is NOT supposed to be referenced anywhere else
     (which it can then check for you), or
(b) say that an_stL_t.x is NOT a unique reference.

Why does it matter whether something is an "only" pointer or not?
Because if it _is_, it's safe to free() what it points to, nobody
else can care, while if it isn't, someone else might have a
pointer to the freed thing and try to use it.

The SPlint manual has lots of material about pointer annotations,
but it may pay you to read the paper that was written when they
were introduced so you can understand _why_ they are there.

In brief, if all your pointers are properly annotated for SPlint,
there's quite a big payoff in reduced pointer mistakes, but a
partly annotated program tends to give you lots of confusing
messages, and it can be very hard to get all the annotations right
if you didn't start off _designing_ for SPlint.

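The distinction the reply draws between an "only" reference and a borrowed one is easiest to see in code. The following is an added example, not code from the original post or from the Splint project: it puts the poster's static-array case next to a heap-owning struct so the two lifetimes can be compared. The type and function names (owned_t, borrowed_t, owned_new, owned_free, borrowed_sum, owned_roundtrip) are my own. The bracketed @only@/@dependent@/@null@ comments are Splint's annotation syntax; marking the struct field dependent is one of the usual ways to tell Splint that the field does not own what it points at, which is what the staticinittrans warning is asking for. Any C compiler treats the annotations as ordinary comments.

```c
#include <stddef.h>
#include <stdlib.h>

/* Added example, not code from the original post. The bracketed @...@
 * comments are Splint annotations; a C compiler sees plain comments,
 * so this file builds and runs with any C compiler. */

/* The struct owns its array: this field is the ONLY pointer to that
 * storage, so the release routine may, and must, free it. */
typedef struct {
    /*@only@*/ int *x;
    size_t n;
} owned_t;

/* The struct borrows storage owned elsewhere (here a static array).
 * Marking the field dependent tells Splint that freeing through it
 * would be an error, which is why it is legitimate for the field to
 * be initialised from static storage that other code can also reach. */
typedef struct {
    /*@dependent@*/ int *x;
    size_t n;
} borrowed_t;

static int table[2] = {5, 10};             /* constructed sample data */
static borrowed_t borrowed = { table, 2 }; /* static init, now consistent */

/* Sum n ints; shared by both paths below. */
static int sum_ints(const int *x, size_t n)
{
    int total = 0;
    size_t i;
    for (i = 0; i < n; i++)
        total += x[i];
    return total;
}

/* Read through the borrowed reference. No free() is allowed here:
 * table lives for the whole program and may be used by other code in
 * this file, exactly the situation the original warning is about. */
int borrowed_sum(void)
{
    return sum_ints(borrowed.x, borrowed.n);
}

/* Allocate an owned_t holding 1..n. Returns NULL on allocation failure. */
/*@null@*/ /*@only@*/ owned_t *owned_new(size_t n)
{
    owned_t *o = malloc(sizeof *o);
    size_t i;
    if (o == NULL)
        return NULL;
    o->x = malloc(n * sizeof *o->x);
    if (o->x == NULL) {
        free(o);
        return NULL;
    }
    for (i = 0; i < n; i++)
        o->x[i] = (int)(i + 1);
    o->n = n;
    return o;
}

/* Release an owned_t. Because o->x is only, this is the one place the
 * array may be freed; no other live pointer can refer to it afterwards. */
void owned_free(/*@only@*/ owned_t *o)
{
    free(o->x);
    free(o);
}

/* Full owned lifecycle: allocate, use, release. Returns the sum 1..n,
 * or -1 if allocation failed. */
int owned_roundtrip(size_t n)
{
    int total;
    owned_t *o = owned_new(n);
    if (o == NULL)
        return -1;
    total = sum_ints(o->x, o->n);
    owned_free(o);   /* o and o->x are dead from here on */
    return total;
}
```

Calling free(borrowed.x) anywhere in this file would be the bug the reply describes: the static array is still reachable by name, so the next use of table after the free would touch released memory. With the field annotated dependent, Splint reports that free as releasing storage the struct does not own, while the owned_t path, where the field really is the only reference, is accepted as written.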

