From ptp at lysator.liu.se Fri May 1 05:24:55 2009
From: ptp at lysator.liu.se (Tommy Pettersson)
Date: Fri, 1 May 2009 14:24:55 +0200
Subject: [splint-discuss] ensures isnull?
In-Reply-To: <82A9D039-DE7C-46B3-9EC5-9D7051507AC3@cs.ru.nl>
References: <41995178-C172-4346-97BB-9BED85ADD90C@cs.ru.nl>
    <8bf7d05b0904301503n3a32c302h16c6a9696be3c92a@mail.gmail.com>
    <82A9D039-DE7C-46B3-9EC5-9D7051507AC3@cs.ru.nl>
Message-ID: <20090501122455.GA4909@fruity>

This works:

    #include <stddef.h>   /* for NULL */

    struct test {
        int i;
        /*@null@*/ /*@dependent@*/ char *a;
    };

    void test2(struct test *param) /*@ensures isnull param->a @*/
    {
        if (param->a != NULL)
            param->a = NULL;
        else
            param->a = NULL;
        return;
    }

So presumably splint does not analyze the logic of alternative paths for
the ensures clause, but instead checks that all possible paths fulfill the
clause. For example, this is not enough to convince splint:

    void test2(struct test *param) /*@ensures isnull param->a @*/
    {
        if (1)
            param->a = NULL;
        return;
    }

-- 
Tommy Pettersson


From lists at ingostruck.de Mon May 4 13:58:30 2009
From: lists at ingostruck.de (lists at ingostruck.de)
Date: Mon, 4 May 2009 22:58:30 +0200
Subject: [splint-discuss] (U)INT_X_MAX constant types
Message-ID: <200905042258.31650.lists@ingostruck.de>

Hello list,

recently I tried to check a program with the following two macros:

    #define BUF_FAIL UINT_FAST64_MAX
    #define BUF_MAX (UINT_FAST64_MAX-512)

An assignment to a uint_fast64_t variable is considered an error by
splint 3.1.2 (and recent CVS) due to non-matching types.

I had a look into splint's ./lib/standard.h and found the question

    /*
    ** What should the types be here?
    */
    /*#*/

before the (U)INT_X_MAX / MIN type constants. The answer is simple: they
must match the corresponding types. See ISO/IEC 9899:1999, section 7.18.2:

--------
7.18.2 Limits of specified-width integer types

1 The following object-like macros specify the minimum and maximum limits
of the types declared in <stdint.h>. Each macro name corresponds to a
similar type name in 7.18.1.

2 Each instance of any defined macro shall be replaced by a constant
expression suitable for use in #if preprocessing directives, and this
expression shall have the same type as would an expression that is an
object of the corresponding type converted according to the integer
promotions. Its implementation-defined value shall be equal to or greater
in [...]
--------

--> IMHO the @constant annotations should be fixed to match the correct
type. I could provide a patch, if this is wanted.

Kind regards

Ingo Struck


From vijayendra.suman at gmail.com Tue May 12 02:36:08 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Tue, 12 May 2009 15:06:08 +0530
Subject: [splint-discuss] How to check Uninitialized variable
Message-ID: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>

Hi All,

I have a piece of code which has a problem of an uninitialized variable. I
have used -Wall, which also adds -Wuninitialized:

    void Call(int *a)
    {
        if (a == NULL) return;
        if (*a == 1)
            StatusUpdate = MyOne();
        else
            StatusUpdate = MyTwo();
    }

    int main(int argc, char *argv[])
    {
        int call; /* call is not initialized */
        Call(&call);
        return 0;
    }

Do we have a mechanism to check such kinds of errors with the splint tool?

-- 
https://mail.google.com/mail/?ui=2&view=bsp&ver=1qygpcgurkovy
Regards
Vijayendra Suman
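Ingo Struck's point above about the type of the (U)INT_X_MAX macros can be checked against the compiler itself. The program below is an added example, not code from the list or from splint; it assumes a C11 compiler (for _Generic) and a glibc-style <stdint.h>, and the checker function names are my own.

```c
#include <stdint.h>

/* The two macros from Ingo's report, unchanged. */
#define BUF_FAIL UINT_FAST64_MAX
#define BUF_MAX  (UINT_FAST64_MAX - 512)

/*
 * 7.18.2 says each limit macro has the type that an object of the
 * corresponding typedef gets after the integer promotions. _Generic (C11)
 * makes the compiler report which type a constant expression actually has.
 * Each checker returns 1 when the macro has the type the standard requires.
 */

/* int8_t and uint16_t are narrower than int, so both promote to int and
   their limits are plain int constants. */
int int8_max_is_int(void)
{
    return _Generic(INT8_MAX, int: 1, default: 0);
}

int uint16_max_is_int(void)
{
    return _Generic(UINT16_MAX, int: 1, default: 0);
}

/* uint_fast64_t is at least as wide as int, so promotion leaves it alone
   and the limit keeps the type of uint_fast64_t itself (unsigned long on
   LP64 glibc, unsigned long long on 32-bit targets). */
int uint_fast64_max_keeps_type(void)
{
    return _Generic(UINT_FAST64_MAX, uint_fast64_t: 1, default: 0);
}

/* The use that splint 3.1.2 rejected: storing BUF_MAX in a uint_fast64_t.
   Under the standard's typing this assigns a uint_fast64_t value to a
   uint_fast64_t object, so no conversion is involved at all. */
uint_fast64_t buf_limit(void)
{
    uint_fast64_t limit = BUF_MAX;
    return limit;
}

/* Sentinel comparison that BUF_FAIL exists for. */
int is_buf_fail(uint_fast64_t v)
{
    return v == BUF_FAIL;
}
```

A checker that fails here on some platform would mean that platform's headers, not splint's standard.h, disagree with 7.18.2.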
From jandcmoore at gmail.com Tue May 12 03:19:11 2009
From: jandcmoore at gmail.com (Jonathan and Caroline Moore)
Date: Tue, 12 May 2009 11:19:11 +0100
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
Message-ID: <8bf7d05b0905120319g777b049i22e9fbd868f456e3@mail.gmail.com>

call is not initialized, but the address of call is certainly initialized.

Can you post some code that will compile?

Jonathan

2009/5/12 Vijayendra Suman:
> Hi All,
>
> I have a piece of code which has a problem of uninitialized variable, I have
> used the -Wall which also adds -Wuninitialized,
>
> void Call(int *a)
> {
>     if (a==NULL) return;
>     if (*a == 1 )
>         StatusUpdate = MyOne();
>     else
>         StatusUpdate = MyTwo();
> }
>
> int main(int argc, char * argv[])
> {
>     int call; /* call is not initialized */
>     Call(&call);
>     return 0;
> }
>
> Do we have a mechanism to check such kind of errors with splint tool.
>
> --
> https://mail.google.com/mail/?ui=2&view=bsp&ver=1qygpcgurkovy
> Regards
> Vijayendra Suman
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
>

-- 
Jonathan (and Caroline)

Jonathan and Caroline Moore
JandCMoore at gmail.com (Jonathan)
CandJMoore at gmail.com (Caroline)
http://jandcmoore.googlepages.com/


From lholzheid at bihl-wiedemann.de Tue May 12 03:33:46 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 12 May 2009 12:33:46 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
Message-ID: <20090512103346.GA21851@svr5.bihl-wiedemann.de>

On Tue, 2009-05-12 15:06:08 +0530, Vijayendra Suman wrote:
> [..]
>
> Do we have a mechanism to check such kind of errors with splint tool.

Hmm.

I tried to run your code snippet through splint. Among other messages
it gave:

> y.c(17,7): Passed storage &call not completely defined: Call (&call)
>   Storage derivable from a parameter, return value or global is not
>   defined.
>   Use /*@out@*/ to denote passed or returned storage which need not be
>   defined.
>   (Use -compdef to inhibit warning)

Do you think this is wrong? Or what's your exact question?
Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid              Tel:    +49 621 339960
Bihl+Wiedemann GmbH          Fax:    +49 621 3392239
Floßwörthstraße 41           e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------


From vijayendra.suman at gmail.com Tue May 12 04:22:44 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Tue, 12 May 2009 16:52:44 +0530
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512103346.GA21851@svr5.bihl-wiedemann.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
Message-ID: <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>

Hello All,

Thanks for the prompt response.

Here is the small piece of code; this one is compilable:

     1 #include <stdio.h>
     2 void Call(int *a)
     3 {
     4     int StatusUpdate;
     5     int MyOne()
     6     {
     7         printf("One \n");
     8         return 1;
     9     }
    10     int MyTwo()
    11     {
    12         printf("Two \n");
    13         return 2;
    14     }
    15     if (a==NULL) return;
    16     if (*a == 1 )
    17         StatusUpdate = MyOne();
    18     else
    19         StatusUpdate = MyTwo();
    20 }
    21
    22 int main(int argc, char * argv[])
    23 {
    24     int call; /* call is not initialized */
    25     Call(&call);
    26     return 0;
    27 }

I compiled using

    gcc -o my my.c -Wall

Problem definition:

    int call; /* call is not initialized */

The call variable is not initialized. Even with -Wall I do not get any
warnings. This is a problem as it may have any value. I want to make sure
there are no such problems in my code, which I can detect through the
static analyzer.

I have tried using splint; I get the following problem when I invoke it:

    [root at localhost vijay]# splint -compdef 1.c
    Splint 3.1.2 --- 13 Nov 2008

    1.c:6:6: Parse Error. (For help on parse errors, see splint -help
             parseerrors.)
    *** Cannot continue.

I am not sure about this problem.

Splint: Do we have some flags in splint which can detect this kind of
error, especially in such a case?

    16     if (*a == 1 )

This line is a problem. If there are some flags, that will be fine; or if
it is needed to be done, I can start with it.

With Sincere Regards
Vijayendra Suman

On Tue, May 12, 2009 at 4:03 PM, Ludolf Holzheid <lholzheid at bihl-wiedemann.de> wrote:
> On Tue, 2009-05-12 15:06:08 +0530, Vijayendra Suman wrote:
> > [..]
> >
> > Do we have a mechanism to check such kind of errors with splint tool.
>
> Hmm.
>
> I tried to run your code snippet through splint. Among other messages
> it gave:
>
> > y.c(17,7): Passed storage &call not completely defined: Call (&call)
> >   Storage derivable from a parameter, return value or global is not
> >   defined.
> >   Use /*@out@*/ to denote passed or returned storage which need not be
> >   defined.
> >   (Use -compdef to inhibit warning)
>
> Do you think this is wrong? Or what's your exact question?
>
> Ludolf
>
> --
>
> ---------------------------------------------------------------
> Ludolf Holzheid              Tel:    +49 621 339960
> Bihl+Wiedemann GmbH          Fax:    +49 621 3392239
> Floßwörthstraße 41           e-mail: lholzheid at bihl-wiedemann.de
> D-68199 Mannheim, Germany
> ---------------------------------------------------------------
>

-- 
Regards
Vijayendra Suman


From D.Jansen at cs.ru.nl Tue May 12 05:02:21 2009
From: D.Jansen at cs.ru.nl (David N. Jansen)
Date: Tue, 12 May 2009 14:02:21 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
Message-ID: <618207C6-94EE-42D5-933C-D54EA1E83163@cs.ru.nl>

On 12 May 2009, at 13:22, Vijayendra Suman wrote:

>  1 #include <stdio.h>
>  2 void Call(int *a)
>  3 {
>  4     int StatusUpdate;
>  5     int MyOne()
>  6     {
>  7         printf("One \n");
>  8         return 1;
>  9     }
etc.

This is a nested function, which is a gcc extension (see e.g.
http://gcc.gnu.org/onlinedocs/gcc-4.0.1/gcc/C-Extensions.html, the fourth
item in the list of extensions). Splint does not understand this
extension and produces a parse error.

David Jansen.


From vijayendra.suman at gmail.com Tue May 12 05:24:10 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Tue, 12 May 2009 17:54:10 +0530
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <618207C6-94EE-42D5-933C-D54EA1E83163@cs.ru.nl>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
    <618207C6-94EE-42D5-933C-D54EA1E83163@cs.ru.nl>
Message-ID: <581ef6d60905120524w704482ebpaa46897d80ae2ddf@mail.gmail.com>

Hi David,

Can we give an extension to splint for such functions? I wanted to run
glibc through splint, and there are a lot of functions which have such
definitions.

This was not my problem definition for now. I wanted to know if I can find
out whether any pointer is being accessed without being initialized, like
if (*a == 1), leading to unknown results.

Regards
Vijayendra Suman

On Tue, May 12, 2009 at 5:32 PM, David N. Jansen wrote:
> On 12 May 2009, at 13:22, Vijayendra Suman wrote:
>
> >  1 #include <stdio.h>
> >  2 void Call(int *a)
> >  3 {
> >  4     int StatusUpdate;
> >  5     int MyOne()
> >  6     {
> >  7         printf("One \n");
> >  8         return 1;
> >  9     }
> etc.
>
> This is a nested function, which is a gcc extension (see e.g.
> http://gcc.gnu.org/onlinedocs/gcc-4.0.1/gcc/C-Extensions.html, the fourth
> item in the list of extensions). Splint does not understand this
> extension and produces a parse error.
>
> David Jansen.
>

-- 
Regards
Vijayendra Suman


From lholzheid at bihl-wiedemann.de Tue May 12 05:32:04 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 12 May 2009 14:32:04 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
Message-ID: <20090512123203.GB21851@svr5.bihl-wiedemann.de>

On Tue, 2009-05-12 16:52:44 +0530, Vijayendra Suman wrote:
> Hello All,
>
> Thanks for the prompt response,
>
> Here is the small piece of code this is compilable
> [..]
If you move the nested functions out of Call() like this:

>> #include <stdio.h>
>>
>> static int MyOne(void)
>> {
>>     printf("One \n");
>>     return 1;
>> }
>>
>> static int MyTwo(void)
>> {
>>     printf("Two \n");
>>     return 2;
>> }
>>
>> static void Call(int *a)
>> {
>>     int StatusUpdate;
>>     if (a==NULL) return;
>>     if (*a == 1 )
>>         StatusUpdate = MyOne();
>>     else
>>         StatusUpdate = MyTwo();
>> }
>>
>> int main(void)
>> {
>>     int call; /* call is not initialized */
>>     Call(&call);
>>     return 0;
>> }

and run the result through splint, you will get the following:

>> $ /c/Program\ Files/splint-3.1.1/bin/splint y.c
>> Splint 3.1.1 --- 12 April 2003
>>
>> y.c: (in function main)
>> y.c(28,8): Passed storage &call not completely defined: Call (&call)
>>   Storage derivable from a parameter, return value or global is not
>>   defined.
>>   Use /*@out@*/ to denote passed or returned storage which need not be
>>   defined.
>>   (Use -compdef to inhibit warning)
>>
>> Finished checking --- 1 code warning

That is, splint _does_ complain about using 'call' without prior
initialization.

Does this answer your question?

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid              Tel:    +49 621 339960
Bihl+Wiedemann GmbH          Fax:    +49 621 3392239
Floßwörthstraße 41           e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------


From vijayendra.suman at gmail.com Tue May 12 05:59:05 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Tue, 12 May 2009 18:29:05 +0530
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512123203.GB21851@svr5.bihl-wiedemann.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
    <20090512123203.GB21851@svr5.bihl-wiedemann.de>
Message-ID: <581ef6d60905120559m37ad0639p415c82b4a76a4e7f@mail.gmail.com>

Hi,

Thanks for the response; this gives me what I wanted to check.

Actually, I wanted to run splint on the glibc code, especially the loader
code. Do you think it is possible to check such functions with splint? I
would like to add this extension.

Also, I want to get the same result from CPP code; I will try to use the
splint code to get this result. Does anyone have a suggestion for it?

Regards
Vijayendra Suman

On Tue, May 12, 2009 at 6:02 PM, Ludolf Holzheid <lholzheid at bihl-wiedemann.de> wrote:
> On Tue, 2009-05-12 16:52:44 +0530, Vijayendra Suman wrote:
> > Hello All,
> >
> > Thanks for the prompt response,
> >
> > Here is the small piece of code this is compilable
> > [..]
>
> If you move the nested functions out of Call() like this:
>
> >> #include <stdio.h>
> >>
> >> static int MyOne(void)
> >> {
> >>     printf("One \n");
> >>     return 1;
> >> }
> >>
> >> static int MyTwo(void)
> >> {
> >>     printf("Two \n");
> >>     return 2;
> >> }
> >>
> >> static void Call(int *a)
> >> {
> >>     int StatusUpdate;
> >>     if (a==NULL) return;
> >>     if (*a == 1 )
> >>         StatusUpdate = MyOne();
> >>     else
> >>         StatusUpdate = MyTwo();
> >> }
> >>
> >> int main(void)
> >> {
> >>     int call; /* call is not initialized */
> >>     Call(&call);
> >>     return 0;
> >> }
>
> and run the result through splint, you will get the following:
>
> >> $ /c/Program\ Files/splint-3.1.1/bin/splint y.c
> >> Splint 3.1.1 --- 12 April 2003
> >>
> >> y.c: (in function main)
> >> y.c(28,8): Passed storage &call not completely defined: Call (&call)
> >>   Storage derivable from a parameter, return value or global is not
> >>   defined.
> >>   Use /*@out@*/ to denote passed or returned storage which need not be
> >>   defined.
> >>   (Use -compdef to inhibit warning)
> >>
> >> Finished checking --- 1 code warning
>
> That is, splint _does_ complain about using 'call' without prior
> initialization.
>
> Does this answer your question?
>
> Ludolf
>
> --
>
> ---------------------------------------------------------------
> Ludolf Holzheid              Tel:    +49 621 339960
> Bihl+Wiedemann GmbH          Fax:    +49 621 3392239
> Floßwörthstraße 41           e-mail: lholzheid at bihl-wiedemann.de
> D-68199 Mannheim, Germany
> ---------------------------------------------------------------
>

-- 
Regards
Vijayendra Suman
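The splint message quoted in the exchange above also names the fix: a callee that only writes through its pointer parameter should be annotated /*@out@*/, while a callee that reads through it stays unannotated so callers must pass defined storage. The program below is an added example, not code from the thread or from splint; it restructures Ludolf's version that way, and read_setting() with its 0/-1 return convention is my own.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Call() reads *a, so it keeps splint's default "in" semantics: a caller
 * that passes undefined storage gets the "not completely defined" warning
 * seen in the thread. The null annotation documents that a may be NULL,
 * which the body checks before dereferencing. The status is returned
 * instead of being stored in a global (0 = NULL, 1 = *a is one, 2 = other).
 */
static int Call(/*@null@*/ const int *a)
{
    if (a == NULL) return 0;
    return (*a == 1) ? 1 : 2;
}

/*
 * read_setting() defines *out on every path, including the error paths,
 * so it carries the out annotation: splint then checks that the callee
 * writes *out before returning and lets callers pass an uninitialised
 * variable. Returns 0 on success, -1 when text is missing or not an int.
 */
static int read_setting(/*@null@*/ const char *text, /*@out@*/ int *out)
{
    char *end = NULL;
    long v;

    if (text == NULL) {
        *out = 0;            /* defined even when we fail */
        return -1;
    }
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno != 0 || v < INT_MIN || v > INT_MAX) {
        *out = 0;            /* still defined on the error path */
        return -1;
    }
    *out = (int)v;
    return 0;
}

int main(int argc, char *argv[])
{
    int call;   /* not initialised here; read_setting() defines it */

    if (read_setting(argc > 1 ? argv[1] : NULL, &call) != 0) {
        fprintf(stderr, "usage: %s <integer>\n", argv[0]);
        return 1;
    }
    printf("status %d\n", Call(&call));
    return 0;
}
```

Note that Vijayendra's invocation `splint -compdef 1.c` switches this very check off: splint's `-flag` form disables a flag, and compdef is the one behind the warning, so run splint without that option (or with `+compdef`) to keep it.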
From jandcmoore at gmail.com Tue May 12 06:00:30 2009
From: jandcmoore at gmail.com (Jonathan and Caroline Moore)
Date: Tue, 12 May 2009 14:00:30 +0100
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512123203.GB21851@svr5.bihl-wiedemann.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
    <20090512123203.GB21851@svr5.bihl-wiedemann.de>
Message-ID: <8bf7d05b0905120600x40721156g93c8502821b02fa0@mail.gmail.com>

I get the same result with Splint 3.1.2 --- 07 May 2008. A complaint when
not initialized, no complaint when initialized.

Jonathan

2009/5/12 Ludolf Holzheid:
> On Tue, 2009-05-12 16:52:44 +0530, Vijayendra Suman wrote:
>> Hello All,
>>
>> Thanks for the prompt response,
>>
>> Here is the small piece of code this is compilable
>> [..]
>
> If you move the nested functions out of Call() like this:
>
>>> #include <stdio.h>
>>>
>>> static int MyOne(void)
>>> {
>>>     printf("One \n");
>>>     return 1;
>>> }
>>>
>>> static int MyTwo(void)
>>> {
>>>     printf("Two \n");
>>>     return 2;
>>> }
>>>
>>> static void Call(int *a)
>>> {
>>>     int StatusUpdate;
>>>     if (a==NULL) return;
>>>     if (*a == 1 )
>>>         StatusUpdate = MyOne();
>>>     else
>>>         StatusUpdate = MyTwo();
>>> }
>>>
>>> int main(void)
>>> {
>>>     int call; /* call is not initialized */
>>>     Call(&call);
>>>     return 0;
>>> }
>
> and run the result through splint, you will get the following:
>
>>> $ /c/Program\ Files/splint-3.1.1/bin/splint y.c
>>> Splint 3.1.1 --- 12 April 2003
>>>
>>> y.c: (in function main)
>>> y.c(28,8): Passed storage &call not completely defined: Call (&call)
>>>   Storage derivable from a parameter, return value or global is not
>>>   defined.
>>>   Use /*@out@*/ to denote passed or returned storage which need not be
>>>   defined.
>>>   (Use -compdef to inhibit warning)
>>>
>>> Finished checking --- 1 code warning
>
> That is, splint _does_ complain about using 'call' without prior
> initialization.
>
> Does this answer your question?
>
> Ludolf
>
> --
>
> ---------------------------------------------------------------
> Ludolf Holzheid              Tel:    +49 621 339960
> Bihl+Wiedemann GmbH          Fax:    +49 621 3392239
> Floßwörthstraße 41           e-mail: lholzheid at bihl-wiedemann.de
> D-68199 Mannheim, Germany
> ---------------------------------------------------------------
>

-- 
Jonathan (and Caroline)

Jonathan and Caroline Moore
JandCMoore at gmail.com (Jonathan)
CandJMoore at gmail.com (Caroline)
http://jandcmoore.googlepages.com/


From sebastian.waschik at gmx.de Tue May 12 04:58:50 2009
From: sebastian.waschik at gmx.de (Sebastian Waschik)
Date: 12 May 2009 13:58:50 +0200
Subject: [splint-discuss] How to check Uninitialized variable
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
    <20090512103346.GA21851@svr5.bihl-wiedemann.de>
    <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
Message-ID: <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>

Hello,

Vijayendra Suman writes:
> Hello All,
> Thanks for the prompt response,
> Here is the small piece of code this is compilable
>    1 #include <stdio.h>
>    2 void Call(int *a)
>    3 {
>    4         int StatusUpdate;
>    5         int MyOne()
>    6         {

Two problems:

1. You sometimes use not a real blank (0x20) but a character that looks
   like a blank (0xa0).

2. In C it is not allowed to define functions inside other functions. I
   did not even know gcc accepts this.

With cleanup I get the following messages. Source code follows.

Greetings from Hamburg
Sebastian Waschik


Splint 3.1.1 --- 21 Apr 2006

test.c: (in function main)
test.c:26:8: Passed storage &call not completely defined: Call (&call)
  Storage derivable from a parameter, return value or global is not defined.
  Use /*@out@*/ to denote passed or returned storage which need not be defined.
  (Use -compdef to inhibit warning)
test.c:23:14: Parameter argc not used
  A function parameter is not used in the body of the function.
  If the argument is needed for type compatibility or future plans, use /*@unused@*/ in the
  argument declaration. (Use -paramuse to inhibit warning)
test.c:23:27: Parameter argv not used
test.c:2:5: Variable exported but not used outside test: StatusUpdate
  A declaration is exported, but not used outside this module. Declaration can
  use static qualifier. (Use -exportlocal to inhibit warning)
test.c:3:5: Function exported but not used outside test: MyOne
   test.c:7:1: Definition of MyOne
test.c:8:5: Function exported but not used outside test: MyTwo
   test.c:12:1: Definition of MyTwo
test.c:14:6: Function exported but not used outside test: Call
   test.c:21:1: Definition of Call


#include <stdio.h>
int StatusUpdate;
int MyOne()
{
  printf("One \n");
  return 1;
}
int MyTwo()
{
  printf("Two \n");
  return 2;
}

void Call(int *a)
{
  if (a==NULL) return;
  if (*a == 1 )
    StatusUpdate = MyOne();
  else
    StatusUpdate = MyTwo();
}

int main(int argc, char * argv[])
{
  int call; /* call is not initialized */
  Call(&call);
  return 0;
}

From nido at foxserver.be Tue May 12 06:16:03 2009
From: nido at foxserver.be (Nido)
Date: Tue, 12 May 2009 15:16:03 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
Message-ID:

Here's a hack I used for another project

/* Yes this is meant to be uninitialised */
unsigned int seed = (unsigned int)&seed;

2009/5/12 Sebastian Waschik :
> Hello,
>
> Vijayendra Suman writes:
>> Hello All,
>> Thanks for the prompt response,
>> Here is the small piece of code this is compilable
>> #include <stdio.h>
>> void Call(int *a)
>> {
>>         int StatusUpdate;
>>         int MyOne()
>>         {
>
> Two problems:
> 1.
>    You sometimes use not a real blank (0x20) but a character that
>    looks like a blank (0xa0).
>
> 2. In C it is not allowed to define functions inside other
>    functions.  I did not even know gcc accepts this.
>
>
> With cleanup I get the following messages.  Source code follows.
>
> Greetings from Hamburg
> Sebastian Waschik
>
>
> Splint 3.1.1 --- 21 Apr 2006
>
> test.c: (in function main)
> test.c:26:8: Passed storage &call not completely defined: Call (&call)
>   Storage derivable from a parameter, return value or global is not defined.
>   Use /*@out@*/ to denote passed or returned storage which need not be defined.
>   (Use -compdef to inhibit warning)
> test.c:23:14: Parameter argc not used
>   A function parameter is not used in the body of the function. If the argument
>   is needed for type compatibility or future plans, use /*@unused@*/ in the
>   argument declaration. (Use -paramuse to inhibit warning)
> test.c:23:27: Parameter argv not used
> test.c:2:5: Variable exported but not used outside test: StatusUpdate
>   A declaration is exported, but not used outside this module. Declaration can
>   use static qualifier. (Use -exportlocal to inhibit warning)
> test.c:3:5: Function exported but not used outside test: MyOne
>    test.c:7:1: Definition of MyOne
> test.c:8:5: Function exported but not used outside test: MyTwo
>    test.c:12:1: Definition of MyTwo
> test.c:14:6: Function exported but not used outside test: Call
>    test.c:21:1: Definition of Call
>
>
> #include <stdio.h>
> int StatusUpdate;
> int MyOne()
> {
>   printf("One \n");
>   return 1;
> }
> int MyTwo()
> {
>   printf("Two \n");
>   return 2;
> }
>
> void Call(int *a)
> {
>   if (a==NULL) return;
>   if (*a == 1 )
>     StatusUpdate = MyOne();
>   else
>     StatusUpdate = MyTwo();
> }
>
> int main(int argc, char * argv[])
> {
>   int call; /* call is not initialized */
>   Call(&call);
>   return 0;
> }
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
>

From iwm at doc.ic.ac.uk Tue May 12 05:51:41 2009
From: iwm at doc.ic.ac.uk (Ian Moor)
Date: Tue, 12 May 2009 13:51:41 +0100
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
Message-ID: <4A0970DD.60204@doc.ic.ac.uk>

Vijayendra Suman wrote:
> Hello All,
>
> Thanks for the prompt response,
>
> Here is the small piece of code this is compilable
>
> #include <stdio.h>
> void Call(int *a)
> {
>     int StatusUpdate;
>     int MyOne()
>     {
>         printf("One \n");
>         return 1;
>     }
>     int MyTwo()
>     {
>         printf("Two \n");
>         return 2;
>     }
>     if (a==NULL) return;
>     if (*a == 1 )
>         StatusUpdate = MyOne();
>     else
>         StatusUpdate = MyTwo();
> }
>
> int main(int argc, char * argv[])
> {
>     int call; /* call is not initialized */
>     Call(&call);
>     return 0;
> }
>
> I compiled using
> gcc -o my my.c -Wall
>
> Problem definition:
> int call; /* call is not initialized */
> The call variable is not initialized. Even with -Wall I do not get any
> warnings.
>
In the gcc manual the section about the -Wuninitialized option says:

  These warnings are possible only in optimizing compilation, because
  they require data flow information that is computed only when
  optimizing. If you do not specify -O, you will not get these warnings.

So gcc can be made to report uninitialized variables.
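To make the splint warning quoted in this thread ("Passed storage &call not completely defined ... Use /*@out@*/ ...") concrete, here is an added example, not code from any of the posts: it puts the two pointer-parameter conventions side by side, the thread's Call() shape, which reads through the pointer and therefore needs the caller to define the storage, and an /*@out@*/-annotated function that defines the storage itself. The function names (call_reads_input, compute_status, demo and the two small wrappers) are my own.

```c
#include <stddef.h>

// Added example, not code from the thread.  Splint's "compdef" check (the
// warning quoted above, inhibited with -compdef) is about exactly this
// distinction: does a function READ through a pointer parameter, or only
// WRITE through it?

static int MyOne(void) { return 1; }
static int MyTwo(void) { return 2; }

// Shape of the thread's Call(): *a is read, so the storage it points to must
// already be defined by the caller.  Passing an uninitialised `int call` is
// the defect splint reported.  The result is returned instead of being
// stored in a local StatusUpdate so that it is observable; -1 means
// "no input given".
static int call_reads_input(const int *a)
{
    if (a == NULL)
        return -1;
    return (*a == 1) ? MyOne() : MyTwo();
}

// Hardened shape: the parameter is an output.  The splint annotation
// /*@out@*/ tells the checker that the storage passed in need not be
// defined on entry; in return the function must define *status on every
// path that reports success, so a caller may legitimately hand over an
// uninitialised variable and read it only after checking the return code.
static int compute_status(int selector, /*@out@*/ int *status)
{
    if (status == NULL)
        return -1;            // nothing was defined; caller must not read
    *status = (selector == 1) ? MyOne() : MyTwo();
    return 0;
}

// Caller written the way the thread's main() should have been: the variable
// the callee reads is initialised first, the variable the callee writes is
// left to the callee, and its value is used only after a successful return.
// Returns the agreed status, or -1 on failure.
int demo(int selector)
{
    int input = selector;            // defined before call_reads_input() reads it
    int status;                      // defined by compute_status(), not here
    if (compute_status(selector, &status) != 0)
        return -1;
    return (call_reads_input(&input) == status) ? status : -1;
}

// Small wrappers so the two helpers can be exercised on plain values.
int read_value(int x)
{
    return call_reads_input(&x);
}

int status_for(int selector)
{
    int s;                           // intentionally left for compute_status()
    return (compute_status(selector, &s) == 0) ? s : -99;
}
```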
From lholzheid at bihl-wiedemann.de Tue May 12 06:39:26 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 12 May 2009 15:39:26 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To:
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
Message-ID: <20090512133926.GC21851@svr5.bihl-wiedemann.de>

On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
> Here's a hack I used for another project
>
> /* Yes this is meant to be uninitialised */
> unsigned int seed = (unsigned int)&seed;

Maybe you meant `seed' to be un-initialized, but you actually
initialized it to `some arbitrary number not equal to zero'. The same
could be achieved with e.g. "unsigned int seed = 17;".

;-)

Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From aaron.davies at gmail.com Tue May 12 07:32:12 2009
From: aaron.davies at gmail.com (Aaron Davies)
Date: Tue, 12 May 2009 22:32:12 +0800
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
Message-ID:

On Tue, May 12, 2009 at 7:58 PM, Sebastian Waschik wrote:
> 1. You sometimes use not a real blank (0x20) but a character that
> looks like a blank (0xa0).

Isn't that nbsp? Vijay, do you write code in Microsoft Word? (Or did
you perhaps type up that example in Outlook?)
If so, this is a horrible idea, for many reasons I don't have time to
go into, and I strongly suggest trying out something like Notepad++.

--
Aaron Davies
aaron.davies at gmail.com

From aaron.davies at gmail.com Tue May 12 07:27:56 2009
From: aaron.davies at gmail.com (Aaron Davies)
Date: Tue, 12 May 2009 22:27:56 +0800
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512133926.GC21851@svr5.bihl-wiedemann.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
Message-ID:

On Tue, May 12, 2009 at 9:39 PM, Ludolf Holzheid wrote:
> On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
>> Here's a hack I used for another project
>>
>> /* Yes this is meant to be uninitialised */
>> unsigned int seed = (unsigned int)&seed;
>
> Maybe you meant `seed' to be un-initialized, but you actually
> initialized it to `some arbitrary number not equal to zero'. The same
> could be achieved with e.g. "unsigned int seed = 17;".
>
> ;-)

Isn't it non-deterministic though? Given the name, I assume that's
what he was trying to achieve.

--
Aaron Davies
aaron.davies at gmail.com

From aaron.davies at gmail.com Tue May 12 07:36:28 2009
From: aaron.davies at gmail.com (Aaron Davies)
Date: Tue, 12 May 2009 22:36:28 +0800
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <581ef6d60905120559m37ad0639p415c82b4a76a4e7f@mail.gmail.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512123203.GB21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120559m37ad0639p415c82b4a76a4e7f@mail.gmail.com>
Message-ID:

On Tue, May 12, 2009 at 8:59 PM, Vijayendra Suman wrote:
> Thanks for the response, this gives me what I wanted to check.
> Actually, I wanted to run splint on glibc code, specially the loader code.
> Do you think it is possible to check such functions with splint, I would
> like to give this extension.
>
> Also, I want to get the same result from a CPP code, I will try to use the
> splint code to get this result. Do any one has suggestion for it.

Boilerplate responses, AFAIK (I'm a complete Splint newb, so everyone
please feel free to shoot me down):

Regarding glibc, splint checks ANSI C, not GCC C.

Regarding "CPP", I'm not exactly sure what you're asking. ".cpp" is a
common C++ source file extension; if you're asking if you can use
splint on C++, I'm pretty sure the answer is "splint checks C, not
C++". It's also the name of the C pre-processor; if your question
concerns that, you'll have to rephrase it, as I don't understand it.
--
Aaron Davies
aaron.davies at gmail.com

From lholzheid at bihl-wiedemann.de Tue May 12 10:17:22 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Tue, 12 May 2009 19:17:22 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To:
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
Message-ID: <20090512171722.GD21851@svr5.bihl-wiedemann.de>

On Tue, 2009-05-12 22:27:56 +0800, Aaron Davies wrote:
> On Tue, May 12, 2009 at 9:39 PM, Ludolf Holzheid wrote:
> > On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
> >> Here's a hack I used for another project
> >>
> >> /* Yes this is meant to be uninitialised */
> >> unsigned int seed = (unsigned int)&seed;
> >
> > Maybe you meant `seed' to be un-initialized, but you actually
> > initialized it to `some arbitrary number not equal to zero'. The same
> > could be achieved with e.g. "unsigned int seed = 17;".
> >
> > ;-)
>
> Isn't it non-deterministic though? Given the name, I assume that's
> what he was trying to achieve.

On machines with separate (virtual) address space for each process, I
expect this to be the same value for each run.

Much less deterministic is the standard "seed = time();"-statement.
This still gives no real random numbers, but the value at least varies
between program invocations.

Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From Michael.Wojcik at microfocus.com Tue May 12 10:43:17 2009
From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Tue, 12 May 2009 10:43:17 -0700
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To:
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
Message-ID: <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
> bounces at cs.virginia.edu] On Behalf Of Aaron Davies
> Sent: Tuesday, 12 May, 2009 10:28
>
> On Tue, May 12, 2009 at 9:39 PM, Ludolf Holzheid wiedemann.de> wrote:
> > On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
> >> Here's a hack I used for another project
> >>
> >> /* Yes this is meant to be uninitialised */
> >> unsigned int seed = (unsigned int)&seed;
> >
> > Maybe you meant `seed' to be un-initialized, but you actually
> > initialized it to `some arbitrary number not equal to zero'. The same
> > could be achieved with e.g. "unsigned int seed = 17;".
>
> Isn't it non-deterministic though? Given the name, I assume that's what
> he was trying to achieve.

It may be non-deterministic, depending on the execution environment - C
makes no guarantees either way. But it's unlikely to have much, if any,
entropy.

Nido's example is unclear: we don't know if this object has automatic
or static storage duration.
In Vijayendra's example, the object was automatic but in main(), so it
probably doesn't matter, since relatively few C programs call main
recursively. So the address is likely fixed at startup.

Even for an automatic variable, the number of call paths entering most
functions is fairly small, and there's little non-determinism in
consumption of automatic storage.

Most hosted C implementations these days run in virtual-memory
environments, so objects with static storage duration are typically at
fixed virtual addresses, and objects with automatic storage are
typically offset from a fixed base. Consequently, the address of an
object can often be predicted as a member of a fairly small subset of
possible addresses with good probability.

Whether such an address is likely to have more or less entropy than the
contents of an uninitialized automatic variable depends on
implementation, environment, and runtime behavior. But neither is a
good source of entropy.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus

From n3npq at mac.com Tue May 12 11:22:21 2009
From: n3npq at mac.com (Jeff Johnson)
Date: Tue, 12 May 2009 14:22:21 -0400
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
 <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>
Message-ID: <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>

On May 12, 2009, at 1:43 PM, Michael Wojcik wrote:

>> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
>> bounces at cs.virginia.edu] On Behalf Of Aaron Davies
>> Sent: Tuesday, 12 May, 2009 10:28
>>
>> On Tue, May 12, 2009 at 9:39 PM, Ludolf Holzheid
>> wiedemann.de> wrote:
>>> On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
>>>> Here's a hack I used for another project
>>>>
>>>> /* Yes this is meant to be uninitialised */
>>>> unsigned int seed = (unsigned int)&seed;
>>>
>>> Maybe you meant `seed' to be un-initialized, but you actually
>>> initialized it to `some arbitrary number not equal to zero'. The same
>>> could be achieved with e.g. "unsigned int seed = 17;".
>>
>> Isn't it non-deterministic though? Given the name, I assume that's what
>> he was trying to achieve.
>
> It may be non-deterministic, depending on the execution environment - C
> makes no guarantees either way. But it's unlikely to have much, if any,
> entropy.
>

There's a fundamental issue wrto static annotations (like splint) vs.
run-time instrumentation (like valgrind).

Identifying (and statically annotating) every possible path in
a program is -- in general -- infeasible.

Consider a code path that depends on how an application is configured.
Sure one can add assertions to indicate the domain of application
of splint annotations.

But are splint annotations the correct tool for eliminating
uninitialized variables?

It's rather easy to find uninitialized variables using valgrind instead.

All I really mean to point out is that splint can't find every flaw,
nor can valgrind. The combination of tools is far better than either.

73 de Jeff

From nido at foxserver.be Tue May 12 13:08:41 2009
From: nido at foxserver.be (Nido)
Date: Tue, 12 May 2009 22:08:41 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
 <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>
 <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>
Message-ID:

2009/5/12 Jeff Johnson :
>
> On May 12, 2009, at 1:43 PM, Michael Wojcik wrote:
>
>>> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-
>>> bounces at cs.virginia.edu] On Behalf Of Aaron Davies
>>> Sent: Tuesday, 12 May, 2009 10:28
>>>
>>> On Tue, May 12, 2009 at 9:39 PM, Ludolf Holzheid
>>> wiedemann.de> wrote:
>>>> On Tue, 2009-05-12 15:16:03 +0200, Nido wrote:
>>>>> Here's a hack I used for another project
>>>>>
>>>>> /* Yes this is meant to be uninitialised */
>>>>> unsigned int seed = (unsigned int)&seed;
>>>>
>>>> Maybe you meant `seed' to be un-initialized, but you actually
>>>> initialized it to `some arbitrary number not equal to zero'. The same
>>>> could be achieved with e.g. "unsigned int seed = 17;".
>>>
>>> Isn't it non-deterministic though? Given the name, I assume that's what
>>> he was trying to achieve.
>>
>> It may be non-deterministic, depending on the execution environment - C
>> makes no guarantees either way. But it's unlikely to have much, if any,
>> entropy.

I see now. Using Fedora Linux 10 it does give a different number every
time it is executed, but usually relatively close to some certain
value. Further along the line it's xor'd with the current second and
nanosecond before it's fed to the srandom function.
> There's a fundamental issue wrto static annotations (like splint) vs.
> run-time instrumentation (like valgrind).
>
> Identifying (and statically annotating) every possible path in
> a program is -- in general -- infeasible.
>
> Consider a code path that depends on how an application is configured.
> Sure one can add assertions to indicate the domain of application
> of splint annotations.
>
> But are splint annotations the correct tool for eliminating
> uninitialized variables?
>
> It's rather easy to find uninitialized variables using valgrind instead.
>
> All I really mean to point out is that splint can't find every flaw,
> nor can valgrind. The combination of tools is far better than either.
>
> 73 de Jeff
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
>

From vijayendra.suman at gmail.com Tue May 12 21:54:57 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Wed, 13 May 2009 10:24:57 +0530
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
Message-ID: <581ef6d60905122154sb90066ek4c78241268fe9e97@mail.gmail.com>

Hello Sebastian,

> Two problems:
> 1. You sometimes use not a real blank (0x20) but a character that
>    looks like a blank (0xa0).
>
> 2. In C it is not allowed to define functions inside other
>    functions.  I did not even know gcc accepts this.
>

1. I am not sure about this character '0xa0'. I used the vim editor for
this; I am not sure how such characters come from a standard vim editor.
I will check this problem. I think the dos2unix utility should be able
to convert this kind of issue, if at all it is there.

2. I use gcc; my o/p for gcc -v is

[root at localhost vijay]# gcc -v
Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20070925 (Red Hat 4.1.2-33)

I also tried with another version of gcc on my other system, with gcc version

[root at suman_linux vijay]# gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)

This also compiles the code perfectly fine with

gcc -o my my.c -O -Wall

Many open source C projects have been using this functionality, for
example glibc. Also it may be used where we need to call common
functions with different definitions.
Please have a look at this part of the code:

#include <stdio.h>
static void Call(int *a)
{
  int StatusUpdate;
  int MyOne()
  {
    return 1;
  }
  if (a==NULL) return;
  if (*a == 1 )
    StatusUpdate = MyOne();
  else
    StatusUpdate = (*a);
}

int main()
{
  int call; /* call is not initialized */
  int MyOne()
  {
    return 2;
  }
  Call( &call);
  MyOne();
  return 0;
}

Again this gives me an error with splint:

[root at suman_linux vijay]# splint 1.c
Splint 3.1.1 --- 15 Jun 2004

1.c:6:3: Parse Error. (For help on parse errors, see splint -help parseerrors.)
*** Cannot continue.

Sincere Regards
Vijayendra Suman

On Tue, May 12, 2009 at 5:28 PM, Sebastian Waschik wrote:
> Hello,
>
> Vijayendra Suman writes:
> > Hello All,
> > Thanks for the prompt response,
> > Here is the small piece of code this is compilable
> > #include <stdio.h>
> > void Call(int *a)
> > {
> >         int StatusUpdate;
> >         int MyOne()
> >         {
>
> Two problems:
> 1. You sometimes use not a real blank (0x20) but a character that
>    looks like a blank (0xa0).
>
> 2. In C it is not allowed to define functions inside other
>    functions.  I did not even know gcc accepts this.
>
>
> With cleanup I get the following messages.  Source code follows.
>
> Greetings from Hamburg
> Sebastian Waschik
>
>
> Splint 3.1.1 --- 21 Apr 2006
>
> test.c: (in function main)
> test.c:26:8: Passed storage &call not completely defined: Call (&call)
>   Storage derivable from a parameter, return value or global is not
>   defined.
>   Use /*@out@*/ to denote passed or returned storage which need not be
>   defined.
>   (Use -compdef to inhibit warning)
> test.c:23:14: Parameter argc not used
>   A function parameter is not used in the body of the function. If the
>   argument is needed for type compatibility or future plans, use
>   /*@unused@*/ in the argument declaration. (Use -paramuse to inhibit
>   warning)
> test.c:23:27: Parameter argv not used
> test.c:2:5: Variable exported but not used outside test: StatusUpdate
>   A declaration is exported, but not used outside this module. Declaration
>   can use static qualifier. (Use -exportlocal to inhibit warning)
> test.c:3:5: Function exported but not used outside test: MyOne
>    test.c:7:1: Definition of MyOne
> test.c:8:5: Function exported but not used outside test: MyTwo
>    test.c:12:1: Definition of MyTwo
> test.c:14:6: Function exported but not used outside test: Call
>    test.c:21:1: Definition of Call
>
>
> #include <stdio.h>
> int StatusUpdate;
> int MyOne()
> {
>   printf("One \n");
>   return 1;
> }
> int MyTwo()
> {
>   printf("Two \n");
>   return 2;
> }
>
> void Call(int *a)
> {
>   if (a==NULL) return;
>   if (*a == 1 )
>     StatusUpdate = MyOne();
>   else
>     StatusUpdate = MyTwo();
> }
>
> int main(int argc, char * argv[])
> {
>   int call; /* call is not initialized */
>   Call(&call);
>   return 0;
> }
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
>

--
Regards
Vijayendra Suman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.cs.virginia.edu/pipermail/splint-discuss/attachments/20090513/0686b31b/attachment-0001.html

From lholzheid at bihl-wiedemann.de Wed May 13 01:15:26 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Wed, 13 May 2009 10:15:26 +0200
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
 <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>
 <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>
Message-ID: <20090513081526.GB23041@svr5.bihl-wiedemann.de>

On Tue, 2009-05-12 14:22:21 -0400, Jeff Johnson wrote:
>
> There's a fundamental issue wrto static annotations (like splint) vs.
> run-time instrumentation (like valgrind).
>
> Identifying (and statically annotating) every possible path in
> a program is -- in general -- infeasible.
>
> Consider a code path that depends on how an application is configured.
> Sure one can add assertions to indicate the domain of application
> of splint annotations.
>
> But are splint annotations the correct tool for eliminating
> uninitialized variables?
>
> It's rather easy to find uninitialized variables using valgrind instead.

Well, the two tools, while identifying similar programming mistakes,
do totally different things:

o Static code analysis identifies suspicious source code lines,
  no matter if executed or not, while

o run-time code analysis detects program misbehavior if and only if
  the path is actually executed during the test.

It depends on the kind of the program and the execution environment
the program runs in, which of the two matches your needs and which is
available at all.

For instance, Vijayendra wants to check code that seems to depend on
GCC extensions. This locks splint out. I use splint to check my own
sources (so I can arrange them with splint in mind).

My code is to run on deeply embedded, highly specialized hardware, for
which valgrind is not available. Moreover, as my software is
safety-related, it is full of safety-bags such as non-empty default
clauses in switch statements that already handle all possible values
of the switch expression. It is not feasible to actually execute all
of these paths (the hard way is error injection).

Vijayendra's target system seems to be a hosted execution environment,
without the stringent constraints of my (free-standing) execution
environment, so I expect valgrind to be available. I wouldn't want to
write a test program to run an exhaustive test for the glibc under
valgrind, though.

> All I really mean to point out is that splint can't find every flaw,
> nor can valgrind. The combination of tools is far better than either.

Of course, if both tools are available and usable, the combination of
the tools is best. But this is not always the case.
Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From vijayendra.suman at gmail.com Wed May 13 02:13:54 2009
From: vijayendra.suman at gmail.com (Vijayendra Suman)
Date: Wed, 13 May 2009 14:43:54 +0530
Subject: [splint-discuss] How to check Uninitialized variable
In-Reply-To: <20090513081526.GB23041@svr5.bihl-wiedemann.de>
References: <581ef6d60905120236y16504180ved930ad136800c65@mail.gmail.com>
 <20090512103346.GA21851@svr5.bihl-wiedemann.de>
 <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com>
 <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de>
 <20090512133926.GC21851@svr5.bihl-wiedemann.de>
 <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com>
 <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com>
 <20090513081526.GB23041@svr5.bihl-wiedemann.de>
Message-ID: <581ef6d60905130213o3aedf896sc52260b8d37d454e@mail.gmail.com>

Hello Ludolf,

Yes, I agree a mix of both, that is
- Valgrind
- Static analyzer
is fit for my case, but there are problems particularly in my case, which
are as follows:

- I am still working on bringing the H/W board based on the ARM processor
  up, which will take some more time. This is why I want to make sure the
  code is clean and ready to run on the target, so that I do not waste
  time debugging problems which may be avoided beforehand.

- The code base is very big and so not all code paths will be executed
  even if my H/W is ready in the next 1-2 weeks, so valgrind will only
  help in the control path of executed code.

- And, sorry to say, the code base has a mix of C and C++ code, and taking
  a look at all the code will take some time.
Sincere Regards
Vijayendra Suman

On Wed, May 13, 2009 at 1:45 PM, Ludolf Holzheid <
lholzheid at bihl-wiedemann.de> wrote:

> On Tue, 2009-05-12 14:22:21 -0400, Jeff Johnson wrote:
> >
> > There's a fundamental issue wrto static annotations (like splint) vs.
> > run-time instrumentation (like valgrind).
> >
> > Identifying (and statically annotating) every possible path in
> > a program is -- in general -- infeasible.
> >
> > Consider a code path that depends on how an application is configured.
> > Sure one can add assertions to indicate the domain of application
> > of splint annotations.
> >
> > But are splint annotations the correct tool for eliminating
> > uninitialized variables?
> >
> > It's rather easy to find uninitialized variables using valgrind instead.
>
> Well, the two tools, while identifying similar programming mistakes,
> do totally different things:
>
> o Static code analysis identifies suspicious source code lines,
>   no matter if executed or not, while
>
> o run-time code analysis detects program misbehavior if and only if
>   the path is actually executed during the test.
>
> It depends on the kind of the program and the execution environment
> the program runs in, which of the two matches your needs and which is
> available at all.
>
> For instance, Vijayendra wants to check code that seems to depend on
> GCC extensions. This locks splint out. I use splint to check my own
> sources (so I can arrange them with splint in mind).
>
> My code is to run on deeply embedded, highly specialized hardware, for
> which valgrind is not available. Moreover, as my software is
> safety-related, it is full of safety-bags such as non-empty default
> clauses in switch statements that already handle all possible values
> of the switch expression. It is not feasible to actually execute all
> of these paths (the hard way is error injection).
>
> Vijayendra's target system seems to be a hosted execution environment,
> without the stringent constraints of my (free-standing) execution
> environment, so I expect valgrind to be available. I wouldn't want to
> write a test program to run an exhaustive test for the glibc under
> valgrind, though.
>
> > All I really mean to point out is that splint can't find every flaw,
> > nor can valgrind. The combination of tools is far better than either.
>
> Of course, if both tools are available and usable, the combination of
> the tools is best. But this is not always the case.
>
> Ludolf
>
> --
>
> ---------------------------------------------------------------
> Ludolf Holzheid             Tel:    +49 621 339960
> Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
> Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
> D-68199 Mannheim, Germany
> ---------------------------------------------------------------
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
>

--
Regards
Vijayendra Suman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.cs.virginia.edu/pipermail/splint-discuss/attachments/20090513/217ec9b9/attachment.html From lholzheid at bihl-wiedemann.de Wed May 13 03:09:27 2009 From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid) Date: Wed, 13 May 2009 12:09:27 +0200 Subject: [splint-discuss] How to check Uninitialized variable In-Reply-To: <581ef6d60905130213o3aedf896sc52260b8d37d454e@mail.gmail.com> References: <20090512103346.GA21851@svr5.bihl-wiedemann.de> <581ef6d60905120422l5ca25dc0vb577bfdb791a4865@mail.gmail.com> <20090512115850.3E0D.0.NOFFLE@nb.i.familie-waschik.de> <20090512133926.GC21851@svr5.bihl-wiedemann.de> <11352F9641010A418AD5057945A3A6590118BEFB@MTV-EXCHANGE.microfocus.com> <383115D0-3BD8-4775-9A4C-F7623A737467@mac.com> <20090513081526.GB23041@svr5.bihl-wiedemann.de> <581ef6d60905130213o3aedf896sc52260b8d37d454e@mail.gmail.com> Message-ID: <20090513100927.GC23041@svr5.bihl-wiedemann.de> On Wed, 2009-05-13 14:43:54 +0530, Vijayendra Suman wrote: > [..] > - The code base is very big and so not all code paths will be executed > even if my H/W is ready in next 1-2 weeks, so valgrind will only help in the > control path of executed code. Hi Vijayendra, I wouldn't focus too much on checking third-party code for my own projects (given they are proven to be portable and widespread as it is the case for glibc). I am sure the maintainers of the libraries in question do a better job in running tests on or doing reviews for their own code. Both, static and run-time code analysis, need deep knowledge of the code under test, as you'll have to correctly annotate the sources for a meaningful static code analysis and you have to run the library under valgrind with reasonable test programs. If you just want to _use_ the libraries in question (in contrast to working on them), focus on your own code instead and try to use the third-party libraries the same way as most others do, in order to hit the code paths best tested. 
(Provided, of course, your project is not safety-related. Otherwise, you'd have to avoid third-party code as much as possible. For safety-related software, I don't even use standard libc functions such as memcpy().)

Ludolf
(who is sorry that this thread somehow triggered his "do tests you fully understand only" statement)

--
---------------------------------------------------------------
Ludolf Holzheid                 Tel:    +49 621 339960
Bihl+Wiedemann GmbH             Fax:    +49 621 3392239
Floßwörthstraße 41              e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From kay at dohmanngmbh.de Thu May 14 02:50:55 2009
From: kay at dohmanngmbh.de (Kay Dohmann)
Date: Thu, 14 May 2009 11:50:55 +0200
Subject: [splint-discuss] How to introduce new checks
Message-ID: <4A0BE97F.2070404@dohmanngmbh.de>

Hi all!

Splint is a great tool and it helped me a lot in my programming. But now I need your help to realize an idea.

As far as I understand, you can extend the behaviour of Splint via .mts files (described a bit in section 10 of the manual). What I wanted to do is to introduce a "blocking" state. I want to be able to annotate functions as nonblocking, and those functions would only be allowed to call other nonblocking functions.

So I created a blocking.mts file like this:

attribute blockingness
   context clause
   oneof blocking, nonblocking
   annotations
      blocking clause ==> blocking
      nonblocking clause ==> nonblocking
   transfers
      blocking as nonblocking ==> error "Blocking section inside a nonblocking section."
   merge
      blocking + nonblocking ==> blocking
   defaults
      clause ==> blocking
end

When I try to use this definition with

   splint -mts blocking.mts source.c <...>

then splint crashes:

F:\splint\src\ctypeList.c:72: at source point splint.rc:23:15: *** Internal Bug at F:\splint\src\ctypeList.c:72: llassert failed: ctypeList_isDefined (s) [errno: 0]
     *** Please report bug to splint-bug at splint.org
     *** (attempting to continue, results may be incorrect)
*** Segmentation Violation
*** Location (not trusted): splint.rc:23:15
*** Last code point: F:\splint\src\llmain.c:433
*** Previous code point: F:\splint\src\llmain.c:407
*** Please report bug to splint-bug at splint.org

(Yeah, in fact the '-mts blocking.mts' is inside of a splint.rc file, but adding this was the only change in the splint.rc file.)

Can anybody give me a hint what I could have done wrong?

Thanks for your help!

Best Regards,
Kay Dohmann

From kay at dohmanngmbh.de Thu May 14 04:31:52 2009
From: kay at dohmanngmbh.de (Kay Dohmann)
Date: Thu, 14 May 2009 13:31:52 +0200
Subject: [splint-discuss] How to introduce new checks
In-Reply-To: <4A0BE97F.2070404@dohmanngmbh.de>
References: <4A0BE97F.2070404@dohmanngmbh.de>
Message-ID: <4A0C0128.10504@dohmanngmbh.de>

> [...]
> When I try to use this definition with
>    splint -mts blocking.mts source.c <...>

Ah, sorry. Of course it is and was

   splint -mts blocking source.c <...>

what I call.

> then splint crashes:
> [...]

Best Regards,
Kay Dohmann

From kay at dohmanngmbh.de Mon May 18 04:54:19 2009
From: kay at dohmanngmbh.de (Kay Dohmann)
Date: Mon, 18 May 2009 13:54:19 +0200
Subject: [splint-discuss] How to introduce new checks
In-Reply-To: <4A0BE97F.2070404@dohmanngmbh.de>
References: <4A0BE97F.2070404@dohmanngmbh.de>
Message-ID: <4A114C6B.3000201@dohmanngmbh.de>

Hi again!

Is there no one here who could help me? Or is my problem/idea not clear?
Best Regards,
Kay Dohmann

From nido at foxserver.be Mon May 18 05:27:09 2009
From: nido at foxserver.be (Nido)
Date: Mon, 18 May 2009 14:27:09 +0200
Subject: [splint-discuss] How to introduce new checks
In-Reply-To: <4A114C6B.3000201@dohmanngmbh.de>
References: <4A0BE97F.2070404@dohmanngmbh.de> <4A114C6B.3000201@dohmanngmbh.de>
Message-ID:

I don't know how this stuff works, so I cannot help you with that. Sorry.

2009/5/18 Kay Dohmann :
> Hi again!
>
> Is there no one here who could help me? Or is my problem/idea not clear?
>
> Best Regards,
> Kay Dohmann

From splint at coreland.ath.cx Mon May 25 11:21:36 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Mon, 25 May 2009 16:21:36 +0100
Subject: [splint-discuss] Exporting declarations
Message-ID: <20090525152136.GA76170@logik.internal.network>

Hello.

I'm writing a program that uses functions defined in an external library (as some people do, you know). Splint is giving me warnings such as:

copy.h:18:3: Constant exported, but not specified: COPY_OK
copy.h:40:25: Function exported, but not specified: copy_init
  A function is exported, but not specified. (Use -exportfcn to inhibit warning)

I've been over the manual a couple of times but can't see how I'm supposed to specify 'copy_init'. Am I supposed to use the external LCL specification language? I would rather write a specification that just suppresses warnings.
From jandcmoore at gmail.com Tue May 26 01:53:33 2009
From: jandcmoore at gmail.com (Jonathan and Caroline Moore)
Date: Tue, 26 May 2009 06:53:33 +0100
Subject: [splint-discuss] Exporting declarations
In-Reply-To: <20090525152136.GA76170@logik.internal.network>
References: <20090525152136.GA76170@logik.internal.network>
Message-ID: <8bf7d05b0905252253s780a46f9v66b6e3ad7b8b8129@mail.gmail.com>

Are you returning something with static duration?

Some code fragments will help pin down the insecurity splint is highlighting.

Jonathan

2009/5/25 :
> Hello.
>
> I'm writing a program that uses functions defined in an external library
> (as some people do, you know). Splint is giving me warnings such as:
>
> copy.h:18:3: Constant exported, but not specified: COPY_OK
> copy.h:40:25: Function exported, but not specified: copy_init
>   A function is exported, but not specified. (Use -exportfcn to inhibit
>   warning)
>
> I've been over the manual a couple of times but can't see how I'm supposed
> to specify 'copy_init'. Am I supposed to use the external LCL specification
> language? I would rather write a specification that just suppresses warnings.
>

--
Jonathan (and Caroline)
Jonathan and Caroline Moore
JandCMoore at gmail.com (Jonathan)
CandJMoore at gmail.com (Caroline)
http://jandcmoore.googlepages.com/

From splint at coreland.ath.cx Tue May 26 11:47:13 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Tue, 26 May 2009 16:47:13 +0100
Subject: [splint-discuss] Specifying malloc() (null pointers in LCL)
Message-ID: <20090526154713.GA97351@logik.internal.network>

Hello.

I'm trying to write a formal specification of a function very similar to malloc().

Here's a definition in LCL:

void * alloc (unsigned long size)
{
  requires size > 0;
  ensures fresh (*result);
}

Here's the generated .lh file:

#include "bool.h"
extern void *alloc (unsigned long /* size */);
/* Output from Splint 3.1.2 */

The problem with this is that alloc() might return NULL, and despite trawling through the documentation for LCL, I can't work out the proper way to express 'might return NULL' in LCL so that the generated definition has the proper /*@null@*/ annotations.

Unfortunately, I'm still not exactly clear on the relationship between splint and LCL. Is it intended that you should have to edit the generated output in order to get splint to accept it?

From splint at coreland.ath.cx Tue May 26 11:52:33 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Tue, 26 May 2009 16:52:33 +0100
Subject: [splint-discuss] Specifying malloc() (null pointers in LCL)
In-Reply-To: <20090526154713.GA97351@logik.internal.network>
References: <20090526154713.GA97351@logik.internal.network>
Message-ID: <20090526155233.GA12431@logik.internal.network>

On 2009-05-26 16:47:13, splint at coreland.ath.cx wrote:
> Hello.
>
> I'm trying to write a formal specification of a function
> very similar to malloc().

Managed to answer my own question about five seconds after sending the last mail by just trying things at random:

$ cat alloc.lcl
only out null void * alloc (unsigned long size)
{
  requires size > 0;
  ensures fresh (*result);
}

$ cat alloc.lh
extern void *alloc (unsigned long /* size */);

$ cat alloc.c
#include "alloc.h"
#include <stdlib.h>

void * alloc (unsigned long size)
{
  return malloc ((size_t) size);
}

$ splint +strict +partial alloc.c alloc.h alloc.lcl
Splint 3.1.2 --- 24 May 2009

Finished checking --- no warnings

Bit bemused that nowhere does any of the documentation I've been able to find on LCL specify anything called "out", "null" or "only". Are these splint extensions? Is there some enormous reference manual on LCL that I'm missing somewhere?
From splint at coreland.ath.cx Tue May 26 13:10:00 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Tue, 26 May 2009 18:10:00 +0100
Subject: [splint-discuss] Undeclared operator: maxRead
Message-ID: <20090526171000.GA76502@logik.internal.network>

From alloc.lcl:

/*
 * Allocate new storage of size size_new, copy size_old bytes
 * of pointer to new storage, deallocate original storage and
 * assign new storage to pointer.
 */

int alloc_re (only out void **pointer, unsigned long size_old, unsigned long size_new)
{
  requires (size_old > 0) /\ (size_new > 0) /\ (maxRead (*pointer) == size_old);
  ensures ((result == 0) \/ (result == 1)) /\ (maxRead (*pointer) == size_new);
}

$ splint +strict +lh alloc.lcl
Splint 3.1.2 --- 24 May 2009

alloc.lcl:42:6: Undeclared operator: maxRead
alloc.lcl:45:6: Undeclared operator: maxRead

Finished checking --- 2 spec warnings
no code processed

Not sure what's happening here...

From splint at coreland.ath.cx Tue May 26 13:26:28 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Tue, 26 May 2009 18:26:28 +0100
Subject: [splint-discuss] Another LCL error.
Message-ID: <20090526172628.GA20177@logik.internal.network>

$ cat bin.lcl
/*
 * Copy size bytes of source to target.
 */

void bin_copy (const void * source, void * target, unsigned long size)
{
  requires (maxRead (source) >= size) /\ (maxSet (target) >= size);
  ensures (maxRead (target) >= size);
}

$ splint +strict +partial bin.lcl
Splint 3.1.2 --- 24 May 2009

bin.lcl:6:11: syntax error: Token code: constTOKEN, Token String: const
*** Cannot continue

From splint at coreland.ath.cx Tue May 26 09:19:29 2009
From: splint at coreland.ath.cx (splint at coreland.ath.cx)
Date: Tue, 26 May 2009 14:19:29 +0100
Subject: [splint-discuss] Exporting declarations
In-Reply-To: <8bf7d05b0905252253s780a46f9v66b6e3ad7b8b8129@mail.gmail.com>
References: <20090525152136.GA76170@logik.internal.network> <8bf7d05b0905252253s780a46f9v66b6e3ad7b8b8129@mail.gmail.com>
Message-ID: <20090526131929.GA92986@logik.internal.network>

On 2009-05-26 06:53:33, Jonathan and Caroline Moore wrote:
> Are you returning something with static duration?
>
> Some code fragments will help pin down the insecurity splint is highlighting.
>

Uh, the entire file is:

#ifndef COPY_H
#define COPY_H

void copy (char [], char []);

#endif

I don't think the problem is related to storage. I think splint is saying I need to place the function in a specification.

Sort of answered my own question...

$ cat copy.lcl
void copy (char source[], char target[])
{
  requires nullTerminated (source^);
  modifies target;
  ensures lenStr (target') >= lenStr (source^);
}

Splint seems happy with the above.
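As an added illustration, not code posted in this thread, here is one C implementation of the alloc(), alloc_re() and bin_copy() functions whose LCL specs appear in the "Specifying malloc()", "Undeclared operator: maxRead" and "Another LCL error" messages above, with the /*@null@*/ and /*@only@*/ annotations the first of them asks about. The function bodies, the NULL checks and the min(size_old, size_new) copy bound are assumptions of this example; the specs only give the pre- and postconditions.

```c
#include <stdlib.h>
#include <string.h>

/* alloc(): "only out null" in the LCL spec means the caller owns the
   result, need not read it before writing, and must handle NULL.
   Body is assumed here; size > 0 is the spec's precondition. */
/*@null@*/ /*@only@*/ void *alloc(unsigned long size)
{
    if (size == 0) {
        return NULL;            /* precondition violated: refuse, do not malloc(0) */
    }
    return malloc((size_t) size);
}

/* alloc_re(): allocate size_new bytes, copy from *pointer, free the old
   block, store the new one. Returns 1 on success, 0 on failure (the spec's
   "result == 0 \/ result == 1"). On failure *pointer is left untouched so
   the caller still owns a valid block: no leak and no dangling pointer.
   The copy is bounded by min(size_old, size_new); the spec's precondition
   maxRead(*pointer) == size_old alone would let a shrink overrun the new
   block if all size_old bytes were copied. */
int alloc_re(void **pointer, unsigned long size_old, unsigned long size_new)
{
    void *fresh;
    unsigned long n;

    if (pointer == NULL || *pointer == NULL || size_old == 0 || size_new == 0) {
        return 0;
    }
    fresh = alloc(size_new);
    if (fresh == NULL) {
        return 0;               /* *pointer still valid, caller keeps it */
    }
    n = (size_old < size_new) ? size_old : size_new;
    memcpy(fresh, *pointer, (size_t) n);
    free(*pointer);
    *pointer = fresh;
    return 1;
}

/* bin_copy(): the maxRead(source) >= size and maxSet(target) >= size
   preconditions are the caller's obligation, as in bin.lcl; here only
   NULL is rejected. memmove is used so the postcondition also holds if
   the ranges overlap, which the spec does not forbid. */
void bin_copy(const void *source, void *target, unsigned long size)
{
    if (source == NULL || target == NULL || size == 0) {
        return;
    }
    memmove(target, source, (size_t) size);
}
```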