From: m at alanny.ru (AlannY)
Date: Wed, 13 Jan 2010 21:43:04 +0300
Subject: [splint-discuss] Tell me more about @only@
Message-ID: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru>

Hi there. I'm a newbie in splint, so I want to ask about the @only@ annotation.

I have a structure which implements linked lists:

    struct my_struct {
        int n; /* doesn't matter */
        /*@null@*/ struct my_struct *next;
    };

Here is the problem. I'm allocating memory for a new item in the linked list and
after that I'm trying to *push* the new item into the list:

    new_item = (struct my_struct *) malloc (sizeof (struct my_struct));
    if (new_item==NULL)
        abort ();

    memset (new_item, 0, sizeof (struct my_struct));

    new_item->next = old_item;
    old_item = new_item;

But splint gives me a warning about a memory leak:

    my_file.c:00:00: Implicitly only storage new_item->next (type struct my_struct *) not
                     released before assignment: new_item->next = old_item
      A memory leak has been detected. Only-qualified storage is not released
      before the last reference to it is lost. (Use -mustfreeonly to inhibit
      warning)

I really don't want to turn off -mustfreeonly, because I want to understand the problem.

my_struct->next is not declared as @only@ explicitly, but I think that it becomes @only@
somewhere ;-(

How do I tell splint that my_struct->next is not defined at all (because my_struct has
just been allocated with malloc) and this cannot be a memory leak?

Thanks for your patience.

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'
From: n3npq at mac.com (Jeff Johnson)
Date: Wed, 13 Jan 2010 14:23:33 -0500
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru>
Message-ID: <97A6AA54-5D10-446E-B622-9A1DAC55B56E@mac.com>

On Jan 13, 2010, at 1:43 PM, AlannY wrote:

> Hi there. I'm a newbie in splint, so I want to ask about the @only@ annotation.
>
> I have a structure which implements linked lists:
>
>     struct my_struct {
>         int n; /* doesn't matter */
>         /*@null@*/ struct my_struct *next;
>     };
>
> Here is the problem. I'm allocating memory for a new item in the linked list and
> after that I'm trying to *push* the new item into the list:
>
>     new_item = (struct my_struct *) malloc (sizeof (struct my_struct));
>     if (new_item==NULL)
>         abort ();
>
>     memset (new_item, 0, sizeof (struct my_struct));
>
>     new_item->next = old_item;
>     old_item = new_item;
>

/*@only@*/ is the strongest annotation.

Slightly weaker /*@owned@*/ and /*@dependent@*/ are easier when linked lists are
involved. The difference (at least how I annotate) is that /*@owned@*/ goes on the
linked list anchor, where the frees are typically done, while /*@dependent@*/ goes
on the chaining variables.

There's also /*@shared@*/ which asserts nothing about malloc/free for pointers.

IIRC, the defaults are /*@only@*/ for pointers, so one has to weaken the default
assumptions.

Note also that /*@null@*/ is quite painful sometimes. Replace with /*@relnull@*/ if
the pain gets too great.

Again, these are just hints from how I use splint annotations. YMMV and likely will.
One has to focus quite carefully to understand what splint is warning about.

> But splint gives me a warning about a memory leak:
>
>     my_file.c:00:00: Implicitly only storage new_item->next (type struct my_struct *) not
>                      released before assignment: new_item->next = old_item
>       A memory leak has been detected. Only-qualified storage is not released
>       before the last reference to it is lost. (Use -mustfreeonly to inhibit
>       warning)
>
> I really don't want to turn off -mustfreeonly, because I want to understand the problem.
>

hint: Understanding comes with some rather deep pain sometimes. True for splint and
all lint-like annotations. So disable until you are ready to sort out the issue. If
now, well, enjoy! ;-)

> my_struct->next is not declared as @only@ explicitly, but I think that it becomes @only@
> somewhere ;-(
>
> How do I tell splint that my_struct->next is not defined at all (because my_struct has
> just been allocated with malloc) and this cannot be a memory leak?
>

Try /*@dependent@*/ or possibly /*@shared@*/ instead of /*@only@*/.

hth

73 de Jeff
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Wed, 13 Jan 2010 16:18:14 -0500
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> (AlannY's message of "Wed, 13 Jan 2010 21:43:04 +0300")
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru>
Message-ID: <87iqb5zotl.fsf@sympatico.ca>

On 13 Jan 2010, m at alanny.ru wrote:

>     struct my_struct {
>         int n; /* doesn't matter */
>         /*@null@*/ struct my_struct *next;
>     };

>     new_item = (struct my_struct *) malloc (sizeof (struct my_struct));

> How do I tell splint that my_struct->next is not defined at all (because my_struct
> has just been allocated with malloc) and this cannot be a memory leak?

Short answer: try,

    struct my_struct {
        int n; /* doesn't matter */
        /*@null@*/ /*@dependent@*/ struct my_struct *next;
    };

malloc() is annotated like this,

    extern /*@null@*/ /*@out@*/ /*@only@*/ void *malloc (size_t size)
         /*@modifies errno@*/ /*drl 09-20-001 added errno*/
         /*@ensures MaxSet(result) == (size - 1); @*/ ;

The '/*@null@*/' is independent of 'only'. By default all structure members are
declared only (see sec 5.3 of the manual). This makes sense for things that are not
links (like a dynamically sized string or buffer). For a link you might like
/*@dependent@*/. I think this would solve your problem, but it is not as strict in
the checking. I think that annotating old_item with 'only' would also work. Sections
five and six of the manual will be helpful.

The other thing is that calloc() could be used, or explicitly setting 'next' to
'NULL'. The difference in the annotation,

    extern /*@null@*/ /*@only@*/ void *calloc (size_t nobj, size_t size) /*@*/ ;

The 'out' parameter means that things have yet to be defined. memset's return value
might also be used if you insist on that,

    new_item = memset(new_item, 0, sizeof(*new_item));

Using memset is generally not the best as zero may not be appropriate in all
circumstances. I.e., for some structure fields a value of one might be appropriate
(now or in the future). If new_item will now and forever need zero-initialized
elements, it is questionable whether calloc versus 'malloc/memset' is better... but
if you think that the inline memset is more efficient, you can either annotate to
ignore the error here or use a macro for 'malloc' and 'memset' which have alternative
annotations.

hth,
Bill Pringlemeir.

--
I never did give anybody hell. I just told the truth and they thought it was hell. - Harry S. Truman
From: m at alanny.ru (AlannY)
Date: Thu, 14 Jan 2010 14:35:50 +0300
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <97A6AA54-5D10-446E-B622-9A1DAC55B56E@mac.com>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <97A6AA54-5D10-446E-B622-9A1DAC55B56E@mac.com>
Message-ID: <20100114113549.GA20320@alanny-pc.lcl.starlink.ru>

On Wed, Jan 13, 2010 at 02:23:33PM -0500, Jeff Johnson wrote:
>
> /*@only@*/ is the strongest annotation.
>
> Slightly weaker /*@owned@*/ and /*@dependent@*/ are
> easier when linked lists are involved. The difference
> (at least how I annotate) is that /*@owned@*/ goes
> on the linked list anchor, where the frees are typically
> done, while /*@dependent@*/ goes on the chaining
> variables.
>
> There's also /*@shared@*/ which asserts nothing about
> malloc/free for pointers.
>
> IIRC, the defaults are /*@only@*/ for pointers, so one has to
> weaken the default assumptions.
>
> Note also that /*@null@*/ is quite painful sometimes. Replace
> with /*@relnull@*/ if the pain gets too great.
>
> Again, these are just hints from how I use splint annotations. YMMV and likely
> will. One has to focus quite carefully to understand what splint
> is warning about.
>
> hint: Understanding comes with some rather deep pain sometimes. True
> for splint and all lint-like annotations. So disable until you are
> ready to sort out the issue. If now, well, enjoy! ;-)
>
> Try /*@dependent@*/ or possibly /*@shared@*/ instead of /*@only@*/.
>
> hth
>
> 73 de Jeff

Thanks, it helps. I'll continue research on @dependent@...
From: Michael.Wojcik at Microfocus.com (Michael Wojcik)
Date: Thu, 14 Jan 2010 06:31:23 -0800
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <87iqb5zotl.fsf@sympatico.ca>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca>
Message-ID: <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com>

And while we're at it...

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-bounces at cs.virginia.edu] On Behalf Of Bill Pringlemeir
> Sent: Wednesday, 13 January, 2010 16:18
>
> On 13 Jan 2010, m at alanny.ru wrote:
>
> >     struct my_struct {
> >         int n; /* doesn't matter */
> >         /*@null@*/ struct my_struct *next;
> >     };
>
> >     new_item = (struct my_struct *) malloc (sizeof (struct my_struct));

Dump the cast. Unless this code MUST be compiled as both C and C++, the cast is
unnecessary and can hide errors. Also, it's better to use the size of the target of
the assignment rather than assuming its type:

    new_item = malloc(sizeof *new_item);

That's also shorter and cleaner.

> The 'out' parameter means that things have yet to be defined. memset's return value
> might also be used if you insist on that,
>
>     new_item = memset(new_item, 0, sizeof(*new_item));
>
> Using memset is generally not the best as zero may not be appropriate in all
> circumstances.

Nor is there any guarantee that all-bits-zero is a null pointer representation. C
guarantees that a literal zero will be converted to a null pointer value in a pointer
context, but not that all-bits-zero is a valid null pointer. It could be a trap
representation. (The same goes for floating-point types.)

Because of sloppy programming and widespread use of calloc (which really only
persists in the standard library for historical reasons - there's no good reason to
ever use it), pretty much all implementations accept all-bits-zero as a null pointer
representation. But relying on that is sloppiness.

The best way to initialize a new dynamically-allocated structure is with structure
copy, from a static, const structure that's implicitly initialized correctly. In the
header:

    struct my_struct {
        ...
    };

    static const struct my_struct my_struct0 = {0};

In the function:

    struct my_struct *new_struct;

    new_struct = malloc(sizeof *new_struct);
    if (new_struct == NULL)
        abort();                 /* or whatever error handling applies */
    *new_struct = my_struct0;    /* structure copy: every field is now defined */

The {0} initializer always initializes the entire object (including all of aggregate
types) to appropriate 0 representations: integers to 0, floating point fields to 0.0,
pointers to a null pointer. (The "0" itself serves as the initializer for the first
field, and all following fields get an implicit "0" initializer value.)

Of course, here the {0} is redundant, since it's the default initializer for an object
with static storage duration; but it serves as documentation and it's a place where
you can put different initialization values if you need to, as Bill suggested.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Thu, 14 Jan 2010 13:06:19 -0500
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com> (Michael Wojcik's message of "Thu, 14 Jan 2010 06:31:23 -0800")
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com>
Message-ID: <87d41czhlw.fsf@sympatico.ca>

On 14 Jan 2010, Michael.Wojcik at microfocus.com wrote:

> The best way to initialize a new dynamically-allocated structure is with
> structure copy, from a static, const structure that's implicitly
> initialized correctly.

I doubt there is a 'best' way. 'best' always depends on your metrics. If you choose
to explicitly initialize each element,

    p->a = 11;
    p->c = 22;
    /* etc... */

Then splint *will warn* if values are not initialized. Using the {0} construct might
not be appropriate as there might not be thought put into the initializer for new
fields. I.e., defaulting to zero may hide an error in the initializer by making the
code compile and pass all sorts of machine checks. Even an explicit structure
initializer can fail for some field additions,

    /* named 'defaults' rather than 'default', which is a C keyword */
    const struct test defaults = { 11, 'b', 22, 0, -1};
    /* ... */
    *p = defaults;

Everything but explicit initialization relies on a programmer who adds a field to
think about the initialization case... and the down side is it is the least efficient
in code space. The 'best' probably depends on the application domain (what the heck
the structure will be used for and where it is being used (embedded, multi-platform,
mission critical, game programming), etc).

However, it sounds like the OP is happy with @dependent@.

Fwiw,
Bill Pringlemeir.

--
I find this continuous feedback and interplay between pure mathematics and theoretical physics most fascinating. - Marco
From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Thu, 14 Jan 2010 14:18:56 -0800
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <87d41czhlw.fsf@sympatico.ca>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com> <87d41czhlw.fsf@sympatico.ca>
Message-ID: <81F42F63D5BB344ABF294F8E80990C79CD543C@MTV-EXCHANGE.microfocus.com>

> From: splint-discuss-bounces at cs.virginia.edu [mailto:splint-discuss-bounces at cs.virginia.edu] On Behalf Of Bill Pringlemeir
> Sent: Thursday, 14 January, 2010 13:06
>
> On 14 Jan 2010, Michael.Wojcik at microfocus.com wrote:
>
> > The best way to initialize a new dynamically-allocated structure is
> > with structure copy, from a static, const structure that's implicitly
> > initialized correctly.
>
> I doubt there is a 'best' way. 'best' always depends on your metrics.
> If you choose to explicitly initialize each element,
>
>     p->a = 11;
>     p->c = 22;
>     /* etc... */
>
> Then splint *will warn* if values are not initialized.

True enough. I should have written "a better way". As you say, explicit
field-by-field initialization has its advantages (and drawbacks). Mostly I'd like to
see C coders get away from memset (for initializing arbitrary structures) and calloc,
which are relics of a bygone era.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
From: ok at cs.otago.ac.nz (Richard O'Keefe)
Date: Fri, 15 Jan 2010 16:07:47 +1300
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com>
Message-ID: <8068FDD7-CFF5-4AE8-8DE3-9F5764158306@cs.otago.ac.nz>

On Jan 15, 2010, at 3:31 AM, Michael Wojcik wrote:
>
> Because of sloppy programming and widespread use of calloc (which really
> only persists in the standard library for historical reasons - there's
> no good reason to ever use it), pretty much all implementations accept
> all-bits-zero as a null pointer representation. But relying on that is
> sloppiness.

There was once a machine where the C null pointer representation was all bits one, I
believe. And there was certainly a machine where the usual null pointer had an "I'm
not valid" bit set.

> The best way to initialize a new dynamically-allocated structure is with
> structure copy, from a static, const structure that's implicitly
> initialized correctly.

I once wrote a book about C that my colleagues dissuaded me from publishing. That's
the only other place I've ever seen this advice, so I am thrilled to see it here. One
advantage of the approach is that you *never* end up with uninitialised fields, even
when you add new fields to the struct later on.
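An added example (not code from the thread) that combines the two pieces of advice above: the list anchor holds the /*@only@*/ reference and is the only place nodes are freed, each next link is /*@dependent@*/ as Bill and Jeff suggest, and a fresh node is initialised by structure copy from a static const template rather than memset, as Michael describes. my_list and its functions are hypothetical names; the annotations are comments, so any C compiler builds it, and their placement follows the thread's advice rather than a splint run.

```c
#include <stdio.h>
#include <stdlib.h>

struct my_struct {
    int n;
    /*@null@*/ /*@dependent@*/ struct my_struct *next;   /* a link, not an owner */
};

/* Template holding every field in its proper zero state: n == 0 and next == a
 * genuine null pointer, whatever the platform's null representation is. */
static const struct my_struct my_struct0 = {0};

/* Hypothetical list anchor: the only-qualified head owns every node. */
struct my_list {
    /*@null@*/ /*@only@*/ struct my_struct *head;
    size_t count;
};

/* Push a node carrying n. Returns 0 on success, -1 if malloc fails, in which
 * case the list is left unchanged. */
int my_list_push(struct my_list *list, int n)
{
    struct my_struct *new_item = malloc(sizeof *new_item);  /* no cast needed */
    if (new_item == NULL)
        return -1;
    *new_item = my_struct0;        /* structure copy: all fields now defined */
    new_item->n = n;
    new_item->next = list->head;   /* dependent link: ownership does not move */
    list->head = new_item;         /* the anchor now owns new_item */
    list->count++;
    return 0;
}

/* Pop the head value into *out. Returns 0, or -1 if the list is empty. */
int my_list_pop(struct my_list *list, int *out)
{
    struct my_struct *item = list->head;
    if (item == NULL)
        return -1;
    *out = item->n;
    list->head = item->next;
    list->count--;
    free(item);
    return 0;
}

/* Sum the values held in the list (read-only traversal). */
long my_list_sum(const struct my_list *list)
{
    const struct my_struct *item;
    long sum = 0;
    for (item = list->head; item != NULL; item = item->next)
        sum += item->n;
    return sum;
}

/* Release every node. Frees happen only through the anchor (here and in pop),
 * which is why the anchor, not the next links, carries the only annotation. */
void my_list_free(struct my_list *list)
{
    struct my_struct *item = list->head;
    while (item != NULL) {
        struct my_struct *next = item->next;
        free(item);
        item = next;
    }
    list->head = NULL;
    list->count = 0;
}

int main(void)
{
    struct my_list list = { NULL, 0 };
    int v;
    if (my_list_push(&list, 1) != 0 || my_list_push(&list, 2) != 0 ||
        my_list_push(&list, 3) != 0) {
        my_list_free(&list);
        return 1;
    }
    printf("count=%zu sum=%ld\n", list.count, my_list_sum(&list));  /* 3, 6 */
    if (my_list_pop(&list, &v) == 0)
        printf("popped %d\n", v);                                   /* 3 */
    my_list_free(&list);
    return 0;
}
```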
From: m at alanny.ru (AlannY)
Date: Fri, 15 Jan 2010 09:49:40 +0300
Subject: [splint-discuss] Postconditions for function with @ensures maxSet@
Message-ID: <20100115064939.GA21461@alanny-pc.lcl.starlink.ru>

Hi there. I'm having trouble with the @ensures maxSet@ annotation. Here is an example
(I've extracted the malloc declaration from the /lib/stdlib.h header):

    /*@null@*/ /*@out@*/ /*@only@*/ void*
    my_malloc (size_t size) /*@modifies errno@*/ /*@ensures maxSet(result) == (size - 1) @*/;

    /*@null@*/ /*@out@*/ /*@only@*/ void*
    my_malloc (size_t size) /*@modifies errno@*/ /*@ensures maxSet(result) == (size - 1) @*/  /* line 7 */
    {
      return malloc (size);
    }

    int
    main (void)
    {
      void *t = NULL;
      t = my_malloc (10);
      return 0;
    }

When trying to check with splint, I get the following error:

    test.c:7:1: Postconditions for my_malloc redeclared. Dropping previous
                   postcondition: ensures maxSet(>) == + -1
      A function, variable or constant is redefined with a different type. (Use
      -incondefs to inhibit warning)
       test.c:2:1: Declaration of my_malloc

As you can see, the annotations on the declaration and the definition are the same.
But the error arrives. Where is my mistake?
From: m at alanny.ru (AlannY)
Date: Fri, 15 Jan 2010 15:28:21 +0300
Subject: [splint-discuss] Set that pointer defines
Message-ID: <20100115122820.GA28786@alanny-pc.lcl.starlink.ru>

Hi there. I have a minor problem with pointers. I have a function, say some_function,
with a param carrying the /*@out@*/ annotation:

    void
    some_function (/*@out@*/ /*@only@*/ /*@null@*/ void *ptr)
    {
    }

In the body, I'm calling another function which checks if ptr is defined. Later, if
ptr is not defined, some_function returns.

    if (check_ptr(ptr)==0)
      return;

After that, as you can see, ptr is defined and I'm working with this defined pointer.
Splint tells me that ptr is not defined.

    my_file.c:000:00: Passed storage ptr not completely defined (*ptr is undefined): memcpy (..., ptr, ...)
      Storage derivable from a parameter, return value or global is not defined.
      Use /*@out@*/ to denote passed or returned storage which need not be
      defined. (Use -compdef to inhibit warning)

How do I tell splint that the check_ptr function checks if ptr is defined and, if not,
returns, so it's impossible to use ptr after the check?

Thank you.
From: m at alanny.ru (AlannY)
Date: Fri, 15 Jan 2010 17:23:54 +0300
Subject: [splint-discuss] Tell me more about -globstate
Message-ID: <20100115142352.GA7173@alanny-pc.lcl.starlink.ru>

Hi there. I've been confronted with an error message which I haven't been able to
understand for two days now. Here it is:

    test.c:6:15: Function returns with global referencing released storage
      A global variable does not satisfy its annotations when control is
      transferred. (Use -globstate to inhibit warning)
       test.c:6:10: Storage released

And the example:

    /*@null@*/ static void *root = NULL;

    /*@null@*/ void*
    my_function (void)
    {
      return root;   /* line 6 */
    }

What does it mean, "A global variable does not satisfy its annotations"? What
annotation must there be?
From: m at alanny.ru (AlannY)
Date: Fri, 15 Jan 2010 20:14:19 +0300
Subject: [splint-discuss] Splint and Thread Local Storage (TLS)
Message-ID: <20100115171418.GA3210@alanny-pc.lcl.starlink.ru>

Hi there. I'm a newbie in splint and now I've run into a problem with Thread Local
Data.

My library uses threads (via pthread) and saves some very important information in
thread local storage.

Splint shows tons of warnings about memory leaks. How do I tell splint that some data
may be used later, even if all references to it are gone?

For example, I've got a message about fresh storage:

    my_file.c:000:0: Fresh storage not released before return
      A memory leak has been detected. Storage allocated locally is not released
      before the last reference to it is lost. (Use -mustfreefresh to inhibit
      warning)
       my_file.c:000:00: Fresh storage created

I understand that it's very hard to keep track of that data. So, I'm looking for a
*hack*.

I tried to set a state variable to TLS at the end of each function that uses TLS, but
without any success; splint still thinks that all references are gone.

Thank you.
From: n3npq at mac.com (Jeff Johnson)
Date: Fri, 15 Jan 2010 13:19:13 -0500
Subject: [splint-discuss] Splint and Thread Local Storage (TLS)
In-Reply-To: <20100115171418.GA3210@alanny-pc.lcl.starlink.ru>
References: <20100115171418.GA3210@alanny-pc.lcl.starlink.ru>
Message-ID: <9606310F-A377-4273-8CDA-14AA4174F85F@mac.com>

On Jan 15, 2010, at 12:14 PM, AlannY wrote:

> Hi there. I'm a newbie in splint and now I've run into a problem with
> Thread Local Data.
>
> My library uses threads (via pthread) and saves some very important
> information in thread local storage.
>
> Splint shows tons of warnings about memory leaks. How do I tell
> splint that some data may be used later, even if all references to it are gone?
>

You're in for a *LOT* of pain using splint on TLS imho.

See the means to extend splint annotations with abstract "tainting" assertions. That
could be a means to handle TLS annotations w splint (untested).

A /*@only@*/ "works" if your code paths using TLS are sufficiently well contained
that splint can see TLS used solely within the code path. You may need to warp your
code paths so that TLS usage within, say, a single routine is identical to "mustfree"
behavior.

Otherwise, just disable all the warnings until you figger out how to annotate TLS.

Again, jmho and what I would do. YMMV, likely will.

> For example, I've got a message about fresh storage:
>
>     my_file.c:000:0: Fresh storage not released before return
>       A memory leak has been detected. Storage allocated locally is not released
>       before the last reference to it is lost. (Use -mustfreefresh to inhibit
>       warning)
>        my_file.c:000:00: Fresh storage created
>
> I understand that it's very hard to keep track of that data. So,
> I'm looking for a *hack*.
>

Disable whatever you don't want to see.

73 de Jeff

> I tried to set a state variable to TLS at the end of each function
> that uses TLS, but without any success; splint still thinks that all references are gone.
>
> Thank you.
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss

From: splint at sympatico.ca (Bill Pringlemeir)
Date: Fri, 15 Jan 2010 14:07:37 -0500
Subject: [splint-discuss] Set that pointer defines
In-Reply-To: <20100115122820.GA28786@alanny-pc.lcl.starlink.ru> (AlannY's message of "Fri, 15 Jan 2010 15:28:21 +0300")
References: <20100115122820.GA28786@alanny-pc.lcl.starlink.ru>
Message-ID: <87wrzjw5ja.fsf@sympatico.ca>

On 15 Jan 2010, m at alanny.ru wrote:

> After that, as you can see, ptr is defined and I'm working with this defined
> pointer. Splint tells me that ptr is not defined.

See section 2.1.1 of the manual.

--
I never did give anybody hell. I just told the truth and they thought it was hell. - Harry S. Truman

From: splint at sympatico.ca (Bill Pringlemeir)
Date: Fri, 15 Jan 2010 14:10:50 -0500
Subject: [splint-discuss] Postconditions for function with @ensures maxSet@
In-Reply-To: <20100115064939.GA21461@alanny-pc.lcl.starlink.ru> (AlannY's message of "Fri, 15 Jan 2010 09:49:40 +0300")
References: <20100115064939.GA21461@alanny-pc.lcl.starlink.ru>
Message-ID: <87ska7w5dx.fsf@sympatico.ca>

On 15 Jan 2010, m at alanny.ru wrote:

> Hi there. I'm having trouble with the @ensures maxSet@ annotation.

> As you can see, the annotations on the declaration and the definition are the same.
> But the error arrives. Where is my mistake?

You only need to define an annotation once. I would suggest that you always do it
with the prototype unless you are relying on the function definition's position
within the file (and have no prototype).

--
If it weren't for pickpockets I'd have no sex life at all. - Rodney Dangerfield
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Fri, 15 Jan 2010 14:14:45 -0500
Subject: [splint-discuss] Tell me more about -globstate
In-Reply-To: <20100115142352.GA7173@alanny-pc.lcl.starlink.ru> (AlannY's message of "Fri, 15 Jan 2010 17:23:54 +0300")
References: <20100115142352.GA7173@alanny-pc.lcl.starlink.ru>
Message-ID: <87ockvw57e.fsf@sympatico.ca>

On 15 Jan 2010, m at alanny.ru wrote:

> What does it mean, "A global variable does not satisfy its annotations"? What
> annotation must there be?

Say root is set to non-null (via malloc). Then you do some stuff and another function
does 'free(root)'. The value of 'root' must be set to NULL. You need to annotate
functions to describe this. Globals are generally not too good. However, I think that
Jeff Johnson's suggestion is good. Take splint's hint and use -globstate to disable.
Otherwise, read the manual (especially section 7.2).

--
Feynman on EM : our ordinary intuitions are quite wrong.
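An added example (not from the thread) of the discipline Bill describes for a global like root: the function that frees the storage resets root to NULL in the same step, and the accessor returns a /*@dependent@*/ pointer so that, unlike the unannotated "return root;" in the question, no ownership leaves the global. root_set, root_get and root_release are hypothetical names; the annotations are comments, so any C compiler builds it.

```c
#include <stdlib.h>
#include <string.h>

/* The global owns its storage (only) and may legitimately be empty (null). */
/*@null@*/ /*@only@*/ static char *root = NULL;

/* Give the global new storage, a copy of text. The old storage is released
 * before the assignment, which is what an only-qualified global requires.
 * Returns 0 on success, -1 if malloc fails (root is then left unchanged). */
int root_set(const char *text) /*@globals root@*/ /*@modifies root@*/
{
    size_t len = strlen(text) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, text, len);
    if (root != NULL)
        free(root);
    root = copy;
    return 0;
}

/* Hand out the global's storage without giving up ownership. An unannotated
 * pointer result is implicitly only, so a plain "return root;" would move
 * ownership out of the global, which is what the -globstate warning reports. */
/*@null@*/ /*@dependent@*/ const char *root_get(void) /*@globals root@*/
{
    return root;
}

/* Release the storage and reset root to NULL in the same step, so the global
 * never points at freed memory. Safe to call when root is already empty. */
void root_release(void) /*@globals root@*/ /*@modifies root@*/
{
    if (root != NULL) {
        free(root);
        root = NULL;
    }
}
```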
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Fri, 15 Jan 2010 14:15:57 -0500
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <81F42F63D5BB344ABF294F8E80990C79CD543C@MTV-EXCHANGE.microfocus.com> (Michael Wojcik's message of "Thu, 14 Jan 2010 14:18:56 -0800")
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com> <87d41czhlw.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD543C@MTV-EXCHANGE.microfocus.com>
Message-ID: <87k4vjw55e.fsf@sympatico.ca>

On 14 Jan 2010, Michael.Wojcik at microfocus.com wrote:

> Mostly I'd like to see C coders get away from memset (for initializing
> arbitrary structures) and calloc, which are relics of a bygone era.

I would rather work with them than people who leave it un-initialized.

--
I believe that sex is one of the most beautiful, natural, wholesome things that money can buy. - Steve Martin
From: m at alanny.ru (AlannY)
Date: Sat, 16 Jan 2010 07:27:33 +0300
Subject: [splint-discuss] Tell me more about @only@
In-Reply-To: <87k4vjw55e.fsf@sympatico.ca>
References: <20100113184302.GA11089@alanny-pc.lcl.starlink.ru> <87iqb5zotl.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD5438@MTV-EXCHANGE.microfocus.com> <87d41czhlw.fsf@sympatico.ca> <81F42F63D5BB344ABF294F8E80990C79CD543C@MTV-EXCHANGE.microfocus.com> <87k4vjw55e.fsf@sympatico.ca>
Message-ID: <20100116042732.GA2525@alanny-pc.lcl.starlink.ru>

On Fri, Jan 15, 2010 at 02:15:57PM -0500, Bill Pringlemeir wrote:
>
> I would rather work with them than people who leave it un-initialized.

Indeed.

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

From m at alanny.ru Sat Jan 16 01:47:47 2010
From: m at alanny.ru (AlannY)
Date: Sat, 16 Jan 2010 12:47:47 +0300
Subject: [splint-discuss] Help me with @refcounted@
Message-ID: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru>

Hi there. I have another lame question now about using @refcounted@
annotation.

Several days already I'm trying to solve it, but cannot.

There is a minor program, which uses refcounted as I imagine it.
Please don't send me to the manual to the section 5.4, I've already
read it hundred times.

#include <stdlib.h>

typedef /*@refcounted@*/ struct ref* ref;

struct ref
{
  /*@refs@*/ int refcount;
  void *b;
};

void
c_ref (/*@null@*/ ref c)
{
  if (c==NULL)
    return;

  c->refcount++;
}

void
c_unref (/*@null@*/ /*@killref@*/ ref c)
{
  if (c==NULL)
    return;

  c->refcount--;
  if (c->refcount<=0)
    free (c);
}

int
main (void)
{
  ref c = NULL;
  c = malloc (sizeof (struct ref));
  c_ref (c);
  c_unref (c);
  return 0;
}

I think, that I'm not understanding something fundamental about refcounted. Please, explain ;-)

Thank for patience.

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

From n3npq at mac.com Sat Jan 16 06:03:47 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Sat, 16 Jan 2010 09:03:47 -0500
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru>
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru>
Message-ID: <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com>

On Jan 16, 2010, at 4:47 AM, AlannY wrote:

> Hi there. I have another lame question now about using @refcounted@
> annotation.
>
> Several days already I'm trying to solve it, but cannot.
>
> There is a minor program, which uses refcounted as I imagine it.
> Please don't send me to the manual to the section 5.4, I've already
> read it hundred times.
>
> typedef /*@refcounted@*/ struct ref* ref;
>
> struct ref
> {
>   /*@refs@*/ int refcount;
>   void *b;
> };
>
> void
> c_ref (/*@null@*/ ref c)
> {
>   if (c==NULL)
>     return;
>
>   c->refcount++;
> }
>
> void
> c_unref (/*@null@*/ /*@killref@*/ ref c)
> {
>   if (c==NULL)
>     return;
>
>   c->refcount--;
>   if (c->refcount<=0)
>     free (c);
> }
>
> int
> main (void)
> {
>   ref c = NULL;
>   c = malloc (sizeof (struct ref));
>   c_ref (c);
>   c_unref (c);
>   return 0;
> }
>
> I think, that I'm not understanding something fundamental about refcounted. Please, explain ;-)
>

I'm not seeing a specific question there ...

... but I can point you at a complete "real world" set of
annotations using splint /*@refcounted@*/ and /*@only@*/
(and /*@abstract@*/ which is unique to splint).

All of RPM development has used splint annotations for years. Grab
a tarball (perhaps rpm-5.1.7.tar.gz) from
http://rpm5.org/files/rpm/rpm-5.1

There are annotations using /*@refcounted@*/ throughout with naming like
rpmfooNew(), rpmfooLink()/rpmfooUnlink(), and rpmfooFree()
analogous to your example program.

Note that splint helped immensely in getting a refcounted model
in place to attach a mutex protected refcount everywhere to
move to thread-safe objects.

73 de Jeff

> Thank for patience.
>
> --
> )\._.,--....,'``.
> /, _.. \ _\ (`._ ,.
> `._.-(,_..'--(,_..'`-.;.'

From m at alanny.ru Sat Jan 16 07:12:13 2010
From: m at alanny.ru (AlannY)
Date: Sat, 16 Jan 2010 18:12:13 +0300
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To: <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com>
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com>
Message-ID: <20100116151211.GA22912@alanny-pc.lcl.starlink.ru>

On Sat, Jan 16, 2010 at 09:03:47AM -0500, Jeff Johnson wrote:
>
> I'm not seeing a specific question there ...
>
> ... but I can point you at a complete "real world" set of
> annotations using splint /*@refcounted@*/ and /*@only@*/
> (and /*@abstract@*/ which is unique to splint).
>
> All of RPM development has used splint annotations for years. Grab
> a tarball (perhaps rpm-5.1.7.tar.gz) from
> http://rpm5.org/files/rpm/rpm-5.1
>
> There are annotations using /*@refcounted@*/ throughout with naming like
> rpmfooNew(), rpmfooLink()/rpmfooUnlink(), and rpmfooFree()
> analogous to your example program.
>
> Note that splint helped immensely in getting a refcounted model
> in place to attach a mutex protected refcount everywhere to
> move to thread-safe objects.

I've downloaded rpm's sources and inspected them. There is, for example, an
undocumented annotation @newref@, but I don't know what it does.

The problem is as follows: when the reference counter goes to zero and there are
no more links to the object, I should release space for this object.

Example:

void
test_unref (/*@killref@*/ /*@only@*/ test t)
{
  t->refcount--;
  if (t->refcount<=0)
20: free (t);
}

splint prints 2 error messages, which confuse me:

test.c:20:11: Reference counted storage passed as only param: free (t)
  Reference counted storage is transferred in a way that may not be consistent
  with the reference count. (Use -refcounttrans to inhibit warning)
test.c:20:5: Variable t is released in true branch, but live in continuation.
  The state of a variable is different depending on which branch is taken. This
  means no annotation can sensibly be applied to the storage. (Use -branchstate
  to inhibit warning)
   test.c:20:5: in true branch:
      test.c:20:11: Storage t released

And also an error about a memory leak at the end of the main() function.

Full example:

#include <stdlib.h>

typedef /*@abstract@*/ /*@refcounted@*/ struct test_s *test;

struct test_s
{
  /*@refs@*/ int refcount;
};

/*@external@*/ test
test_ref (test t)
{
  t->refcount++;
  return t;
}

/*@external@*/ void
test_unref (/*@killref@*/ /*@only@*/ test t)
{
  t->refcount--;
  if (t->refcount<=0)
    free (t);
}

int
main (void)
{
  test c = NULL;
  c = malloc (sizeof (*c));
  if (c==NULL)
    return 1;
  c->refcount = 1;
  c = test_ref (c);
  test_unref (c);
  test_unref (c);
  return 0;
}

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

From n3npq at mac.com Sat Jan 16 07:49:55 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Sat, 16 Jan 2010 10:49:55 -0500
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To: <20100116151211.GA22912@alanny-pc.lcl.starlink.ru>
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com> <20100116151211.GA22912@alanny-pc.lcl.starlink.ru>
Message-ID:

On Jan 16, 2010, at 10:12 AM, AlannY wrote:

> On Sat, Jan 16, 2010 at 09:03:47AM -0500, Jeff Johnson wrote:
>>
>> I'm not seeing a specific question there ...
>>
>> ... but I can point you at a complete "real world" set of
>> annotations using splint /*@refcounted@*/ and /*@only@*/
>> (and /*@abstract@*/ which is unique to splint).
>>
>> All of RPM development has used splint annotations for years. Grab
>> a tarball (perhaps rpm-5.1.7.tar.gz) from
>> http://rpm5.org/files/rpm/rpm-5.1
>>
>> There are annotations using /*@refcounted@*/ throughout with naming like
>> rpmfooNew(), rpmfooLink()/rpmfooUnlink(), and rpmfooFree()
>> analogous to your example program.
>>
>> Note that splint helped immensely in getting a refcounted model
>> in place to attach a mutex protected refcount everywhere to
>> move to thread-safe objects.
>
> I've downloaded rpm's sources and inspected them. There is, for example, an
> undocumented annotation @newref@, but I don't know what it does.
>

AFAIK /*@newref@*/ indicates that the /*@refs@*/ variable has been incremented.

> The problem is as follows: when the reference counter goes to zero and there are
> no more links to the object, I should release space for this object.
>
> Example:
> void
> test_unref (/*@killref@*/ /*@only@*/ test t)
> {
>   t->refcount--;
>   if (t->refcount<=0)
> 20: free (t);
> }
>
> splint prints 2 error messages, which confuse me:
>
> test.c:20:11: Reference counted storage passed as only param: free (t)
>   Reference counted storage is transferred in a way that may not be consistent
>   with the reference count. (Use -refcounttrans to inhibit warning)
> test.c:20:5: Variable t is released in true branch, but live in continuation.
>   The state of a variable is different depending on which branch is taken. This
>   means no annotation can sensibly be applied to the storage. (Use -branchstate
>   to inhibit warning)
>    test.c:20:5: in true branch:
>       test.c:20:11: Storage t released
>

Yes. What I did (after wrestling quite a bit w splint) was to use /*@only@*/
or /*@killref@*/ (but not both) when annotating a dereferencing routine that
has a lazy free when nrefs = 1 within.

Initially I used /*@only@*/ which (in most of the code I saw) was sufficient
to hint that a ptr should not be used after being passed to the routine that
free's (or more technically dereferences).

The other (and largely equivalent approach) is to use /*@killref@*/ which
ends up confusing splint's implicit annotation of the argument to /*@only@*/
when the reference count goes from 1 -> 0 and one typically does a lazy free.
I just disable the warnings around the free to get rid of the warnings.

But mixing /*@only@*/ and /*@killref@*/ annotations cannot be done without
also keeping track of the value of /*@refs@*/: the correct annotation would
be an additional /*@only@*/ iff nrefs = 1. But the value of nrefs is very
hard to track with static annotations.

> And also an error about a memory leak at the end of the main() function.
>

If test_unref() uses /*@only@*/ and not /*@killref@*/, then splint should be
able to see that the pointer has been free'd.

The other approach would be to hide the malloc and have a creator that is
annotated with /*@newref@*/.

It's the mixture of /*@only@*/ and the refcounting annotations that can lead
to spurious messages.

hth

73 de Jeff

From n3npq at mac.com Sat Jan 16 07:58:10 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Sat, 16 Jan 2010 10:58:10 -0500
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To:
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com> <20100116151211.GA22912@alanny-pc.lcl.starlink.ru>
Message-ID:

>>
>> splint prints 2 error messages, which confuse me:
>>
>> test.c:20:11: Reference counted storage passed as only param: free (t)
>>   Reference counted storage is transferred in a way that may not be consistent
>>   with the reference count. (Use -refcounttrans to inhibit warning)
>> test.c:20:5: Variable t is released in true branch, but live in continuation.
>>   The state of a variable is different depending on which branch is taken. This
>>   means no annotation can sensibly be applied to the storage. (Use -branchstate
>>   to inhibit warning)
>>    test.c:20:5: in true branch:
>>       test.c:20:11: Storage t released
>>

I forgot to mention /*@-branchstate@*/, which I routinely disable globally
these days. The types of issues that -branchstate reports, while technically
useful, are too hard to get right everywhere when retrofitting splint
annotations on "real world" code.

I turn on branchstate checking occasionally to see the technical issues, but
I seldom have the time and opportunity to actually "fix" the issue that
different code branches have inconsistent results when the code paths rejoin.

JMHO using splint, YMMV, likely will.

73 de Jeff

From m at alanny.ru Sat Jan 16 08:31:47 2010
From: m at alanny.ru (AlannY)
Date: Sat, 16 Jan 2010 19:31:47 +0300
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To:
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com> <20100116151211.GA22912@alanny-pc.lcl.starlink.ru>
Message-ID: <20100116163145.GA1514@alanny-pc.lcl.starlink.ru>

On Sat, Jan 16, 2010 at 10:58:10AM -0500, Jeff Johnson wrote:
>
> I forgot to mention /*@-branchstate@*/, which I routinely disable
> globally these days. The types of issues that -branchstate reports,
> while technically useful, are too hard to get right everywhere when
> retrofitting splint annotations on "real world" code.
>
> I turn on branchstate checking occasionally to see the technical issues,
> but I seldom have the time and opportunity to actually "fix" the issue
> that different code branches have inconsistent results when the code paths
> rejoin.
>
> JMHO using splint, YMMV, likely will.
>
> 73 de Jeff

Last question for today. I'm getting the following (one) warning:

test.c:48:13: Reference counted storage passed as only param: free (t)
  Reference counted storage is transferred in a way that may not be consistent
  with the reference count. (Use -refcounttrans to inhibit warning)

Is it normal to use -refcounttrans here, or is there a better way with annotations?
t is of the reference counted type, but the function free takes an @only@ variable? Just skip?

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

From n3npq at mac.com Sat Jan 16 08:50:20 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Sat, 16 Jan 2010 11:50:20 -0500
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To: <20100116163145.GA1514@alanny-pc.lcl.starlink.ru>
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com> <20100116151211.GA22912@alanny-pc.lcl.starlink.ru> <20100116163145.GA1514@alanny-pc.lcl.starlink.ru>
Message-ID: <02839EF4-F03E-46E6-BE3F-286869704628@mac.com>

On Jan 16, 2010, at 11:31 AM, AlannY wrote:

> On Sat, Jan 16, 2010 at 10:58:10AM -0500, Jeff Johnson wrote:
>>
>> I forgot to mention /*@-branchstate@*/, which I routinely disable
>> globally these days. The types of issues that -branchstate reports,
>> while technically useful, are too hard to get right everywhere when
>> retrofitting splint annotations on "real world" code.
>>
>> I turn on branchstate checking occasionally to see the technical issues,
>> but I seldom have the time and opportunity to actually "fix" the issue
>> that different code branches have inconsistent results when the code paths
>> rejoin.
>>
>> JMHO using splint, YMMV, likely will.
>>
>> 73 de Jeff
>
> Last question for today. I'm getting the following (one) warning:
>
> test.c:48:13: Reference counted storage passed as only param: free (t)
>   Reference counted storage is transferred in a way that may not be consistent
>   with the reference count. (Use -refcounttrans to inhibit warning)
>
> Is it normal to use -refcounttrans here, or is there a better way with annotations?
> t is of the reference counted type, but the function free takes an @only@ variable? Just skip?
>
> --
> )\._.,--....,'``.
> /, _.. \ _\ (`._ ,.
> `._.-(,_..'--(,_..'`-.;.'

From n3npq at mac.com Sat Jan 16 08:55:36 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Sat, 16 Jan 2010 11:55:36 -0500
Subject: [splint-discuss] Help me with @refcounted@
In-Reply-To: <20100116163145.GA1514@alanny-pc.lcl.starlink.ru>
References: <20100116094746.GA20854@alanny-pc.lcl.starlink.ru> <6C0F5290-F985-4E1E-8286-B26C750256D8@mac.com> <20100116151211.GA22912@alanny-pc.lcl.starlink.ru> <20100116163145.GA1514@alanny-pc.lcl.starlink.ru>
Message-ID:

Apologies for the empty msg.

On Jan 16, 2010, at 11:31 AM, AlannY wrote:

>
> Last question for today. I'm getting the following (one) warning:
>
> test.c:48:13: Reference counted storage passed as only param: free (t)
>   Reference counted storage is transferred in a way that may not be consistent
>   with the reference count. (Use -refcounttrans to inhibit warning)
>
> Is it normal to use -refcounttrans here, or is there a better way with annotations?
> t is of the reference counted type, but the function free takes an @only@ variable? Just skip?
>

I tend to disable in code if/when I never intend to "fix" usually not using
/*@i@*/

    /*@-refcounttrans@*/
    ...
    /*@=refcounttrans@*/

and disable in a per-directory .splintrc file with -refcounttrans if the
fixing is just waiting for a round 'tuit.

Again, there's lots and lots of ways to use splint, this is just my fetishisms.

hth

73 de Jeff

From viktor at 3rr.at Mon Jan 18 11:01:33 2010
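The pattern Jeff describes across this thread, written out as one small refcounted type. This is an added example, not code from the thread or from RPM: the creator hides malloc behind a /*@newref@*/ function, unlink carries /*@killref@*/ alone rather than together with /*@only@*/, and -refcounttrans is switched off only around the lazy free. The rcobj name, the live_objects counter and the trace array are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example (not code from the thread or from RPM): one refcounted
 * type annotated the way Jeff describes. The creator hides malloc behind a
 * newref function, link returns a newref, unlink is killref alone (not only
 * as well), and refcounttrans is disabled just around the lazy free. */

typedef /*@abstract@*/ /*@refcounted@*/ struct rcobj_s *rcobj;

struct rcobj_s {
    /*@refs@*/ int refcount;
    int payload;
};

/* Instrumentation for the checks below, not part of the annotation pattern:
 * objects allocated and not yet freed. */
static int live_objects = 0;

int rcobj_live_objects(void)
{
    return live_objects;
}

/* Creator: callers never see malloc, they get one fresh reference. */
/*@null@*/ /*@newref@*/ rcobj rcobj_new(int payload)
{
    rcobj o = malloc(sizeof *o);
    if (o == NULL)
        return NULL;
    o->refcount = 1;
    o->payload = payload;
    live_objects++;
    return o;
}

/* Link: the refs field is incremented, so the result is a new reference. */
/*@newref@*/ rcobj rcobj_link(rcobj o)
{
    o->refcount++;
    return o;
}

/* Unlink: killref says the caller's reference ends here. The lazy free when
 * the count reaches zero is what -refcounttrans complains about, so that
 * warning is switched off just around the free call. */
void rcobj_unlink(/*@killref@*/ rcobj o)
{
    o->refcount--;
    if (o->refcount <= 0) {
        live_objects--;
        /*@-refcounttrans@*/
        free(o);
        /*@=refcounttrans@*/
    }
}

int rcobj_refcount(rcobj o)
{
    return o->refcount;
}

/* Trace of one object's life: count after new, after link, after the first
 * unlink, and the live-object total after the last unlink. */
static int trace[4];

int rcobj_trace(int step)
{
    return (step >= 0 && step < 4) ? trace[step] : -1;
}

/* Returns 0 after filling the trace, -1 if the allocation failed. */
int rcobj_scenario(void)
{
    rcobj a = rcobj_new(42);
    rcobj b;
    if (a == NULL)
        return -1;
    trace[0] = rcobj_refcount(a);    /* 1: the creator's reference */
    b = rcobj_link(a);               /* second reference to the same object */
    trace[1] = rcobj_refcount(b);    /* 2 */
    rcobj_unlink(a);                 /* a must not be used after this call */
    trace[2] = rcobj_refcount(b);    /* 1: object still alive through b */
    rcobj_unlink(b);                 /* last reference goes: lazy free */
    trace[3] = rcobj_live_objects(); /* 0 */
    return 0;
}

int main(void)
{
    if (rcobj_scenario() != 0) {
        fputs("allocation failed\n", stderr);
        return EXIT_FAILURE;
    }
    printf("after new %d, after link %d, after unlink %d, live at end %d\n",
           rcobj_trace(0), rcobj_trace(1), rcobj_trace(2), rcobj_trace(3));
    return EXIT_SUCCESS;
}
```

Running splint over the file shows which of the thread's warnings remain once /*@only@*/ is dropped from the unlink parameter; the scenario itself checks that the count and the free line up.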
From: viktor at 3rr.at (Ing. Errath Viktor)
Date: Mon, 18 Jan 2010 20:01:33 +0100
Subject: [splint-discuss] Frequenzy of found bugs
Message-ID: <4B54B00D.30905@3rr.at>

Hello

My name is viktor and I am new to this list. At the moment I'm writing a paper
for my bachelor at the "Technikum Wien" (a university of applied science in
Vienna). My topic is a comparison of the possibilities of Static Code analysis
Tools for C, Visual Basic, C# and Python.

I was looking for a survey, a study, or something else that shows which
problems occur at which frequency in source code. For example something like
that:

Problems with Pointers and Null dereference    10%
Problems with undefined values                 20%
Problem with "Strong types"                    15%
Problems with Memory Management                40%
and so on

The only thing I found so far was a line in the SP-Lint manual:

Page 25: "About half the bugs in typical C programs can be attributed to memory
management problems."

Does anyone know a survey or study where I can find further info regarding this
matter? I would appreciate any help.

Many thanks in advance

viktor

From dimiter.andonov at gmail.com Mon Jan 18 11:26:26 2010
From: dimiter.andonov at gmail.com (Dimiter Andonov)
Date: Mon, 18 Jan 2010 14:26:26 -0500
Subject: [splint-discuss] Unallocated storage warning
Message-ID: <769769401001181126t573db742x9bb91903f682481a@mail.gmail.com>

Hello guys,

Here's a small application I use to test splint with:

#include

/*@only@*//*@out@*//*@null@*/ static int *alloc_int(void);
static void free_int(/*@null@*//*@out@*/ int**);

int main(void)
{
    int *p = NULL;

    p = alloc_int();
    if (p != NULL) {
        free_int(&p);
    }

    return EXIT_SUCCESS;
}

static int *alloc_int(void)
{
    int *p = malloc(sizeof *p);
    return p;
}

static void free_int(int **p) /*@requires only *p@*/
{
    if (p != NULL) {
        free(*p); /* this is the line 29 */
        *p = NULL;
    }
}

When I pass the app above to splint I am getting the following warning:

main.c: (in function free_list)
main.c:29:8: Unallocated storage *p passed as out parameter: *p
  An rvalue is used that may not be initialized to a value on some execution
  path. (Use -usedef to inhibit warning)

Can someone, please, explain what's wrong with the code snippet above?

Thanks,
Dimiter

From mail_ben_schmidt at yahoo.com.au Thu Jan 21 01:56:37 2010
From: mail_ben_schmidt at yahoo.com.au (Ben Schmidt)
Date: Thu, 21 Jan 2010 20:56:37 +1100
Subject: [splint-discuss] Bug assigning globals to globals
Message-ID: <4B5824D5.2050406@yahoo.com.au>

Hi!

I'm relatively new to splint. I think I might have found a bug, though.

Program:

#include <stdlib.h>

static /*@owned@*/ char * s;
static /*@shared@*/ char * t;

int main() /*@globals undef s, undef t@*/
{
    s=malloc(10);
    if (s==NULL) exit(EXIT_FAILURE);
    *s='\0';
    t=s;
    return 0;
}

Expectation:

No warnings. s and t are both undefined (and unallocated) when main is entered,
and both defined when exiting. s is the owner of the allocation, and t an alias
of it, which I believe I have annotated correctly.

Result:

|| splint test.c
|| Splint 3.1.1 --- 03 Jan 2010
||
|| test.c: (in function main)
test.c|8 col 4| Owned storage s assigned to shared: t = s
||   The owned reference to this storage is transferred to another reference
||   (e.g., by returning it) that does not have the owned annotation. This may
||   lead to a memory leak, since the new reference is not necessarily released.
||   (Use -ownedtrans to inhibit warning)
||
|| Finished checking --- 1 code warning
|| make: *** [test] Error 1

Splint 3.1.2 does the same.

Analysis:

It appears that splint thinks s is going out of scope, so when assigned to t,
it thinks the owner has abandoned its responsibility. However, s is global, and
not going out of scope, so this should be fine.

Is this a bug, or am I doing something wrong? Either way, is there a good way
to fix it/work around it?

Ben.

From mail_ben_schmidt at yahoo.com.au Thu Jan 21 01:59:58 2010
From: mail_ben_schmidt at yahoo.com.au (Ben Schmidt)
Date: Thu, 21 Jan 2010 20:59:58 +1100
Subject: [splint-discuss] Null as flag
Message-ID: <4B58259E.80301@yahoo.com.au>

Hi,

I'm newish to splint. Something I'm struggling with and don't seem to be able
to find anything in the docs (though I haven't read them thoroughly yet), is
this:

Can you have pointers in splint that basically have a convention where they are
NULL if unallocated, or a meaningful value if they are? This means they need to
be checked or known not to be NULL before used, but they still may be NULL. When
freed they must also be set to NULL. When set to NULL they must be freed. That
kind of thing.

Is that possible with splint?

Ben.

From mail_ben_schmidt at yahoo.com.au Thu Jan 21 02:19:29 2010
From: mail_ben_schmidt at yahoo.com.au (Ben Schmidt)
Date: Thu, 21 Jan 2010 21:19:29 +1100
Subject: [splint-discuss] pid_t on Mac OS X
Message-ID: <4B582A31.3020804@yahoo.com.au>

To get splint 3.1.2 to compile on Mac OS X I needed the following change:

--- osd.c~	2010-01-21 21:02:18.000000000 +1100
+++ osd.c	2010-01-21 21:02:25.000000000 +1100
@@ -516,7 +516,7 @@
 # if defined (WIN32) || defined (OS2) && defined (__IBMC__)
   int pid = _getpid ();
 # else
-  __pid_t pid = getpid ();
+  pid_t pid = getpid ();
 # endif
   return (int) pid;

I don't know what appropriate preprocessor macro could reliably check for that.
My compiler has _PID_T defined, so maybe that? Alternatively, __APPLE__ is
defined, but I'm not sure what it really means--whether it is a platform thing,
or a gcc-version thing. __MACH__ might serve that purpose better. Not sure.
_PID_T sounds like a reasonable bet to me.

Ben.

From splint at sympatico.ca Thu Jan 21 10:59:45 2010
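Review bot: the `+  pid_t pid = getpid ();` line needs no Apple-specific preprocessor guard at all, so none of `_PID_T`, `__APPLE__` or `__MACH__` should be added around it: `pid_t` is the type POSIX declares in `<sys/types.h>` and is what `getpid ()` returns on every hosted platform, whereas the removed `__pid_t` is a glibc-internal spelling that only happened to work on Linux. The only thing to confirm is that `<sys/types.h>` (or `<unistd.h>`) is included in osd.c before line 516. One style point on the unchanged context line `# if defined (WIN32) || defined (OS2) && defined (__IBMC__)`: `&&` binds tighter than `||`, so this reads as `WIN32 || (OS2 && __IBMC__)`; if that grouping is intended, parenthesise it so the next reader does not have to work it out.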
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Thu, 21 Jan 2010 13:59:45 -0500
Subject: [splint-discuss] pid_t on Mac OS X
In-Reply-To: <4B582A31.3020804@yahoo.com.au> (Ben Schmidt's message of "Thu, 21 Jan 2010 21:19:29 +1100")
References: <4B582A31.3020804@yahoo.com.au>
Message-ID: <87ocknnv1a.fsf@sympatico.ca>

On 21 Jan 2010, mail_ben_schmidt at yahoo.com.au wrote:

> To get splint 3.1.2 to compile on Mac OS X I needed the following change:

$ cvs log -rHEAD osd.c

RCS file: /cvsroot/splint/splint/src/osd.c,v
Working file: osd.c
head: 1.44
branch:
locks: strict
access list:
symbolic names:
[snip]
keyword substitution: kv
total revisions: 46;    selected revisions: 1
description:
----------------------------
revision 1.44
date: 2008/08/07 02:51:59;  author: bpringlemeir;  state: Exp;  lines: +2 -2
Allow compile on apple platforms. osd.c
Use pid_t instead of __pid_t as per open group.
=============================================================================

From splint at sympatico.ca Thu Jan 21 11:15:22 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Thu, 21 Jan 2010 14:15:22 -0500
Subject: [splint-discuss] Null as flag
In-Reply-To: <4B58259E.80301@yahoo.com.au> (Ben Schmidt's message of "Thu, 21 Jan 2010 20:59:58 +1100")
References: <4B58259E.80301@yahoo.com.au>
Message-ID: <87k4vbnub9.fsf@sympatico.ca>

On 21 Jan 2010, mail_ben_schmidt at yahoo.com.au wrote:

> Can you have pointers in splint that basically have a convention
> where they are NULL if unallocated, or a meaningful value if they
> are?

Read chapter 2 of the manual. I don't say this to be demeaning. The manual is
packed full of information. I had to read it several times before I could
decode all of the nuance.

Another helpful thing is to use google with the website where splint is hosted.

http://www.google.ca/#q=site%3Acs.virginia.edu+splint+null

--
I'm not just a gardener, I'm a plant manager.

From splint at sympatico.ca Thu Jan 21 14:38:00 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Thu, 21 Jan 2010 17:38:00 -0500
Subject: [splint-discuss] splint bugs on sourceforge.net
In-Reply-To: <20080414191451.GC3873@loktak.appaji.net> (Y. Giridhar Appaji Nag's message of "Tue, 15 Apr 2008 00:44:53 +0530")
References: <20080414191451.GC3873@loktak.appaji.net>
Message-ID: <87fx5znkxj.fsf@sympatico.ca>

On 14 Apr 2008, giridhar at appaji.net wrote:

> Does someone monitor the bugs reported on splint at the sourceforge.net
> bugs / patches trackers?

> I filed a few bugs and at least one patch there that Debian splint users
> have reported. Maybe some of them should make their way into the bugs
> page at http://www.splint.org/bugs.html

I will try to apply these patches in the coming month (vararg macros and c99
variable declarations). Unfortunately other projects have derailed my looking
at Splint. Is it possible that if these patches were merged and a release made
that they could be incorporated into 'squeeze' in the next month?

The issues Dr. Evans noted are very relevant to the future of splint. I think
that the gcc plug-in architecture is probably a good route to explore. However,
the current gcc4.5 code that I have doesn't seem to give a pre-processing phase,
so getting annotations from comments seems a challenge. As others have noted,
splint doesn't do so well with convoluted code. The basic block, control flow
graphs, etc that GCC provides would make a lot of the splint analysis much
simpler/scalable and would allow people to expand to new languages supported by
gcc. However, this is *a lot* of work. So I would hope to fix a few small things
in the current splint code base before attempting to make a splint plugin for
gcc.

Regards,
Bill Pringlemeir.

From m at alanny.ru Fri Jan 22 04:41:27 2010
From: m at alanny.ru (AlannY)
Date: Fri, 22 Jan 2010 15:41:27 +0300
Subject: [splint-discuss] Tell me more about @observer@
Message-ID: <20100122124110.GA8418@alanny-pc.lcl.starlink.ru>

Hi there. Several days already spent trying to understand what the @observer@
annotation really does.

I can understand the following:

/*@observer@*/ const char*
my_func (e_t *e)
{
  return e->name;
}

It's obvious. But what does @observer@ mean for structure fields and function
parameters? For example:

void
my_func (/*@observer@*/ char *name)
{
  ...
}

Will it tell, that *name is `const'? Or not?

Or

struct my_struct
{
  /*@observer@*/ char *name;
}

Why do we have it? For the my_struct->name = my_func which returns @observer@?

Thanks for patience.

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

From mail_ben_schmidt at yahoo.com.au Tue Jan 26 00:52:10 2010
From: mail_ben_schmidt at yahoo.com.au (Ben Schmidt)
Date: Tue, 26 Jan 2010 19:52:10 +1100
Subject: [splint-discuss] Null as flag
In-Reply-To: <87k4vbnub9.fsf@sympatico.ca>
References: <4B58259E.80301@yahoo.com.au> <87k4vbnub9.fsf@sympatico.ca>
Message-ID: <4B5EAD3A.4010701@yahoo.com.au>

On 22/01/10 6:15 AM, Bill Pringlemeir wrote:
> On 21 Jan 2010, mail_ben_schmidt at yahoo.com.au wrote:
>
>> Can you have pointers in splint that basically have a convention
>> where they are NULL if unallocated, or a meaningful value if they
>> are?
>
> Read chapter 2 of the manual. I don't say this to be demeaning. The
> manual is packed full of information. I had to read it several times
> before I could decode all of the nuance.
>
> Another helpful thing is to use google with the website where splint
> is hosted.
>
> http://www.google.ca/#q=site%3Acs.virginia.edu+splint+null

Thanks for the pointers, Bill (no pun intended; I bet you get that all the time
on this list...).

The specifics didn't help, I'm afraid, as I was very comfortable with chapter
2, and the Google search didn't help either. But the idea to 'decode nuance'
did. In this case, it seems what I was missing is that state clauses don't work
unless you use a /*@special@*/ annotation. Rereading the prose of the manual a
bit more slowly and carefully for the sections that seemed relevant (7.4)
enlightened me.

Ben.

From mail_ben_schmidt at yahoo.com.au Tue Jan 26 00:58:36 2010
From: mail_ben_schmidt at yahoo.com.au (Ben Schmidt)
Date: Tue, 26 Jan 2010 19:58:36 +1100
Subject: [splint-discuss] pid_t on Mac OS X
In-Reply-To: <87ocknnv1a.fsf@sympatico.ca>
References: <4B582A31.3020804@yahoo.com.au> <87ocknnv1a.fsf@sympatico.ca>
Message-ID: <4B5EAEBC.2020904@yahoo.com.au>

On 22/01/10 5:59 AM, Bill Pringlemeir wrote:
> On 21 Jan 2010, mail_ben_schmidt at yahoo.com.au wrote:
>
>> To get splint 3.1.2 to compile on Mac OS X I needed the following change:
[...]
> revision 1.44
> date: 2008/08/07 02:51:59;  author: bpringlemeir;  state: Exp;  lines: +2 -2
> Allow compile on apple platforms. osd.c
> Use pid_t instead of __pid_t as per open group.

Excellent!

Does this mean it might be a smarter idea to be using the CVS code of splint
than the release? How stable is the CVS code?

Ben.

From bofh1234 at hotmail.com Tue Jan 26 19:06:50 2010
From: bofh1234 at hotmail.com (Jason blank)
Date: Tue, 26 Jan 2010 22:06:50 -0500
Subject: [splint-discuss] Passed storage not completely defined
Message-ID:

Hello,

I have the following block code which works but splint throws a message:

Splint 3.1.2 --- 26 Jan 2010

Spec file not found: a.lcl
a.c: (in function main)
a.c:47:11: Passed storage array not completely defined (*array is undefined):
              Permute (array, ...)
  Storage derivable from a parameter, return value or global is not defined.
  Use /*@out@*/ to denote passed or returned storage which need not be defined.
  (Use -compdef to inhibit warning)
   a.c:39:3: Storage *array allocated

Finished checking --- 1 code warning

Here is the code. Please keep in mind I did not write Permute. I found it on
the web. I am trying to allocate an array where I don't know how many elements
I am going to need. I also don't know the size of the elements. What did I do
wrong?

#include
#include

static void Permute(char *Perm[], size_t sizePerm, size_t unchanged)
{
  size_t outer = 0;
  size_t inner = 0;
  size_t t = 0;
  char *temp[sizePerm];

  if(sizePerm > unchanged)
  {
    for(outer = unchanged; outer < sizePerm; outer++)
    {
      *temp = Perm[outer];
      for(inner = outer; inner > unchanged; inner--)
      {
        Perm[inner] = Perm[inner - 1];
      }
      Perm[unchanged] = *temp;
      Permute(Perm, sizePerm, unchanged+1);
      for(inner = unchanged; inner < outer; inner++)
      {
        Perm[inner] = Perm[inner + 1];
      }
      Perm[outer] = *temp;
    }
  }
  else
  {
    for (t=0;t

References:
Message-ID: <02415A2B789FA04E95FC0B1AA66F726E051F2092@basel.redcom.com>

Hi Jason,

Do you consider Perm to be a "returned storage which need not be defined," in
other words, an output, not an input variable where the function cares about
the values? If so, you can instrument the function to check the code
appropriately.

static void Permute(/*@out@*/ char *Perm[], size_t sizePerm, size_t unchanged)
{

There are many fine examples of other instrumentations in the Splint manual. In
particular, I see an example of /*@out@*/ in chapter 3.
Chris

From Michael.Wojcik at microfocus.com Wed Jan 27 10:32:36 2010
From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Wed, 27 Jan 2010 10:32:36 -0800
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: <02415A2B789FA04E95FC0B1AA66F726E051F2092@basel.redcom.com>
References: <02415A2B789FA04E95FC0B1AA66F726E051F2092@basel.redcom.com>
Message-ID: <81F42F63D5BB344ABF294F8E80990C79CD5471@MTV-EXCHANGE.microfocus.com>

But Perm has been initialized - it points to the same object as "array" in main, which was initialized from the values in argv.

And while Permute does not operate on the contents pointed to by the values in the Perm array, it does use those values (as it rearranges them). So an @out@ annotation would be incorrect, even if it suppresses the error.

I don't see any reasonable interpretation here other than that the diagnostic from Splint is incorrect. In the call to Permute in main, "*array" is identical to "array[0]", and array[0] has been initialized unless one of the following holds:

- argc < 2 (and the program should have checked for this, since it causes undefined behavior if argc==0 and implementation-defined behavior if argc==1, both of which are possible)
- argv[1] is undefined (which should not happen in a hosted implementation if argc >= 2, and Splint should know that)

Some other criticisms might be leveled against the code (why is temp in Permute an array, when only the first element is ever used?), but unless I'm missing something, this is an incorrect diagnostic from Splint.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
From n3npq at mac.com Wed Jan 27 10:56:54 2010
From: n3npq at mac.com (Jeff Johnson)
Date: Wed, 27 Jan 2010 13:56:54 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: <81F42F63D5BB344ABF294F8E80990C79CD5471@MTV-EXCHANGE.microfocus.com>
References: <02415A2B789FA04E95FC0B1AA66F726E051F2092@basel.redcom.com> <81F42F63D5BB344ABF294F8E80990C79CD5471@MTV-EXCHANGE.microfocus.com>
Message-ID: <13B0D326-75AB-4BF3-94D4-BC9636FF6FBD@mac.com>

On Jan 27, 2010, at 1:32 PM, Michael Wojcik wrote:

> But Perm has been initialized - it points to the same object as "array" in main, which was initialized from the values in argv.
>
> And while Permute does not operate on the contents pointed to by the values in the Perm array, it does use those values (as it rearranges them). So an @out@ annotation would be incorrect, even if it suppresses the error.
>
> I don't see any reasonable interpretation here other than that the diagnostic from Splint is incorrect. In the call to Permute in main, "*array" is identical to "array[0]", and array[0] has been initialized unless one of the following holds:
>
> - argc < 2 (and the program should have checked for this, since it causes undefined behavior if argc==0 and implementation-defined behavior if argc==1, both of which are possible)
> - argv[1] is undefined (which should not happen in a hosted implementation if argc >= 2, and Splint should know that)
>
> Some other criticisms might be leveled against the code (why is temp in Permute an array, when only the first element is ever used?), but unless I'm missing something, this is an incorrect diagnostic from Splint.
>

splint has difficulty applying annotations unambiguously when there are 2 levels of indirection. In your case you have a "char **". Try adding a "character pointer" typedef like

    typedef char * charptr_t;

and then dimensioning the array as

    charptr_t array[];

or

    charptr_t *array;

Then the scoping of splint annotations like /*@out@*/ (or otherwise) will be easier (for splint) to identify.
hth 73 de Jeff
From splint at sympatico.ca Wed Jan 27 14:20:08 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Wed, 27 Jan 2010 17:20:08 -0500
Subject: [splint-discuss] pid_t on Mac OS X
In-Reply-To: <4B5EAEBC.2020904@yahoo.com.au> (Ben Schmidt's message of "Tue, 26 Jan 2010 19:58:36 +1100")
References: <4B582A31.3020804@yahoo.com.au> <87ocknnv1a.fsf@sympatico.ca> <4B5EAEBC.2020904@yahoo.com.au>
Message-ID: <87k4v35gx3.fsf@sympatico.ca>

On 26 Jan 2010, mail_ben_schmidt at yahoo.com.au wrote:

> Excellent! Does this mean it might be a smarter idea to be using the
> CVS code of splint than the release? How stable is the CVS code?

You tell me ;-) I think that you can have both co-exist on a system. I am interested in regressions of the HEAD versus the previous release.

--
Little girls, like butterflies need no excuses. - Robert Heinlein

From splint at sympatico.ca Wed Jan 27 15:03:44 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Wed, 27 Jan 2010 18:03:44 -0500
Subject: [splint-discuss] Tell me more about @observer@
In-Reply-To: <20100122124110.GA8418@alanny-pc.lcl.starlink.ru> (AlannY's message of "Fri, 22 Jan 2010 15:41:27 +0300")
References: <20100122124110.GA8418@alanny-pc.lcl.starlink.ru>
Message-ID: <87fx5r5ewf.fsf@sympatico.ca>

On 22 Jan 2010, m at alanny.ru wrote:

> Hi there. Several days already spent trying to understand what the
> @observer@ annotation really does.

http://www.google.ca/#q=site%3Acs.virginia.edu+splint+const

@observer@ is meant for memory allocation tracking. You want it to mean I won't change the memory associated with the pointer. These are two different concepts.

Regards,
Bill Pringlemeir.
From bofh1234 at hotmail.com Wed Jan 27 18:47:42 2010
From: bofh1234 at hotmail.com (Jason blank)
Date: Wed, 27 Jan 2010 21:47:42 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: <81F42F63D5BB344ABF294F8E80990C79CD5471@MTV-EXCHANGE.microfocus.com>
References: , <02415A2B789FA04E95FC0B1AA66F726E051F2092@basel.redcom.com>, <81F42F63D5BB344ABF294F8E80990C79CD5471@MTV-EXCHANGE.microfocus.com>
Message-ID:
> From: Michael.Wojcik at microfocus.com
>
> But Perm has been initialized - it points to the same object as "array" in main, which was initialized from the values in argv.
>
> And while Permute does not operate on the contents pointed to by the values in the Perm array, it does use those values (as it rearranges them). So an @out@ annotation would be incorrect, even if it suppresses the error.
>
> I don't see any reasonable interpretation here other than that the diagnostic from Splint is incorrect. In the call to Permute in main, "*array" is identical to "array[0]", and array[0] has been initialized unless one of the following holds:
>
> - argc < 2 (and the program should have checked for this, since it causes undefined behavior if argc==0 and implementation-defined behavior if argc==1, both of which are possible)
> - argv[1] is undefined (which should not happen in a hosted implementation if argc >= 2, and Splint should know that)
>
> Some other criticisms might be leveled against the code (why is temp in Permute an array, when only the first element is ever used?), but unless I'm missing something, this is an incorrect diagnostic from Splint.

The code I posted was an example program that demonstrates the problem in as small a working program as possible. The whole program is too large to post. In the real program I do check the argument count.

Good point about the temp array. I don't know what the answer is; I didn't write that code. I will fix it in my version.

Thanks,

From splint at sympatico.ca Wed Jan 27 21:34:51 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Thu, 28 Jan 2010 00:34:51 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: (Jason blank's message of "Tue, 26 Jan 2010 22:06:50 -0500")
References:
Message-ID: <878wbi6bd0.fsf@sympatico.ca>

On 26 Jan 2010, bofh1234 at hotmail.com wrote:

> numtodo=(size_t)(argc)-1;
> array=malloc(numtodo * sizeof(*array)); /*allocate size of array*/
> if (array == NULL) {
> printf("can't allocate memory for array\n");
> exit(EXIT_FAILURE);
> }
+ if(numtodo > 1) {
> for (temp=0; temp < numtodo; temp++) {
> array[temp] = argv[temp+1]; /*assign values to array */
> }
/* If numtodo is zero, then array[0] will not be initialized. */
> Permute(array,numtodo,0);
+}
>
> free(array);
> return 0;
> }

Splint is correct.

--
I can remember when riding motorcycles was dangerous and sex was safe. - Unknown

From bofh1234 at hotmail.com Sat Jan 30 07:59:49 2010
From: bofh1234 at hotmail.com (Jason blank)
Date: Sat, 30 Jan 2010 10:59:49 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: <878wbi6bd0.fsf@sympatico.ca>
References: , <878wbi6bd0.fsf@sympatico.ca>
Message-ID:
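Review bot: the guard `+ if(numtodo > 1) {` in Bill's suggested change does not match the comment beside it ("If numtodo is zero, then array[0] will not be initialized"): with one argument numtodo is 1, the loop would initialize array[0], yet the condition skips both the loop and the Permute call, so a single word is never printed; `if(numtodo > 0) {` is the condition the comment describes. The check is also placed after `array=malloc(numtodo * sizeof(*array));`, so for numtodo == 0 the program still calls malloc(0), which is permitted to return NULL and would then trip the "can't allocate memory" exit; testing the argument count before the allocation avoids that. As the follow-up in this thread shows, the guard alone also does not change Splint's verdict: the definedness it wants is of array[0] itself, which this hunk still leaves to the loop.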
> From: splint at sympatico.ca
> On 26 Jan 2010, someone wrote:
>
> > numtodo=(size_t)(argc)-1;
> > array=malloc(numtodo * sizeof(*array)); /*allocate size of array*/
> > if (array == NULL) {
> > printf("can't allocate memory for array\n");
> > exit(EXIT_FAILURE);
> > }
> + if(numtodo > 1) {
> > for (temp=0; temp < numtodo; temp++) {
> > array[temp] = argv[temp+1]; /*assign values to array */
> > }
> /* If numtodo is zero, then array[0] will not be initialized. */
> > Permute(array,numtodo,0);
> +}
> >
> > free(array);
> > return 0;
> > }
>
> Splint is correct.

Thank you for the example. I tried it and splint gives the same message.

#include <stdio.h>
#include <stdlib.h>

static void Permute(char *Perm[], size_t sizePerm, size_t unchanged) {
  size_t outer = 0;
  size_t inner = 0;
  size_t t = 0;
  char *temp[sizePerm];

  if(sizePerm > unchanged) {
    for(outer = unchanged; outer < sizePerm; outer++) {
      *temp = Perm[outer];
      for(inner = outer; inner > unchanged; inner--) {
        Perm[inner] = Perm[inner - 1];
      }
      Perm[unchanged] = *temp;
      Permute(Perm, sizePerm, unchanged+1);

      for(inner = unchanged; inner < outer; inner++) {
        Perm[inner] = Perm[inner + 1];
      }
      Perm[outer] = *temp;
    }
  }
  else {
    for (t=0; t < sizePerm; t++) {
      printf("%s", Perm[t]);
    }
    printf("\n");
  }
}

int main(int argc, char *argv[]) {
  char **array; /* array to store words */
  size_t numtodo;
  size_t temp;

  numtodo=(size_t)(argc)-1;
  array=malloc(numtodo * sizeof(*array)); /*allocate size of array*/
  if (array == NULL) {
    printf("can't allocate memory for array\n");
    exit(EXIT_FAILURE);
  }
  if(numtodo > 1) {
    for (temp=0; temp < numtodo; temp++) {
      array[temp] = argv[temp+1]; /*assign values to array */
    }
    Permute(array,numtodo,0);
  }

  free(array);
  return 0;
}

From splint at sympatico.ca Sat Jan 30 21:50:22 2010
From: splint at sympatico.ca (Bill Pringlemeir)
Date: Sun, 31 Jan 2010 00:50:22 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: (Jason blank's message of "Sat, 30 Jan 2010 10:59:49 -0500")
References: <878wbi6bd0.fsf@sympatico.ca>
Message-ID: <87mxzu4ych.fsf@sympatico.ca>

On 30 Jan 2010, bofh1234 at hotmail.com wrote:

> Thank you for the example. I tried it and splint gives the same message.

I sent a message to say I was sorry, this seemed to be a bug, shortly after posting that (however, I did that with a different email address than registered and it is taking time to make it to the list). I had missed the fact that I added,

    array[0] = "";

I had this running in the debugger and the symbol type for the parameter changed due to this. Also memset() has the same behavior.

Thanks,
Bill Pringlemeir.

--
Unfortunately, since the TCP and IP protocols were not designed by a committee, all these header fields serve some useful purpose and its not possible to simply omit some in the name of efficiency. - Van Jacobson, RFC 1144.

From bofh1234 at hotmail.com Sun Jan 31 09:40:26 2010
From: bofh1234 at hotmail.com (Jason blank)
Date: Sun, 31 Jan 2010 12:40:26 -0500
Subject: [splint-discuss] Passed storage not completely defined
In-Reply-To: <87mxzu4ych.fsf@sympatico.ca>
References: , <878wbi6bd0.fsf@sympatico.ca>, , <87mxzu4ych.fsf@sympatico.ca>
Message-ID:

> > Thank you for the example. I tried it and splint gives the same message.
>
> I sent a message to say I was sorry, this seemed to be a bug, shortly
> after posting that (however, I did that with a different email address
> than registered and it is taking time to make it to the list). I had
> missed the fact that I added,
>
> array[0] = "";
>
> I had this running in the debugger and the symbol type for the
> parameter changed due to this. Also memset() has the same
> behavior.
>
> Thanks,
> Bill Pringlemeir.

Thank you for the update. If I add array[0]=""; just before the for loop it makes splint happy and the for loop replaces it with the correct value. So everything works as it should with an extra line of code, which is not a big deal.

Thanks,