Splint - Secure Programming Lint
Splint Bugs

This page documents reported bugs in Splint 3.1.2.
Please check this page and make sure you are using the latest release (Splint 3.1.2) before submitting a bug report. If you discover a bug that is not documented here, please report it to splint-bug@cs.virginia.edu. We prefer to receive bug reports by email, but you may also use the web form on the SourceForge project page. Include enough information and relevant files so that the bug may be reproduced. See http://www.splint.org/changes.html for a detailed change log.
Confirmed Bugs

osd.c does not support Apple

Patched osd.c to support Apple. (Reported by Rob Cas, fixed in cvs code and build 3 distribution, 8 August 2007)

Function Pointers and memory management

Splint reports spurious errors for memory allocation concerning function pointers. Types declared as function pointers should not default to only storage. (Reported by Brian Quinlan, 26 Oct 2004.)

Unreleased fresh owned storage not reported

Splint does not report memory leaks for freshly allocated owned storage that is not released:

    #include <stdlib.h>

    typedef struct {
        /*@owned@*/ int *pOwned;
    } TestStruct;

    void testSplint(void)
    {
        TestStruct myStruct;
        myStruct.pOwned = (int*)malloc(sizeof(int));
    } /* No warning: should report memory leak. */

(Reported by Brian Quinlan, 26 Oct 2004.)
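The leak pattern above beside the release that the owned annotation promises, as an added example that is not part of the Splint bug page. Allocations go through a small tracker (counted_malloc, counted_free, release_outstanding; all constructed for this example, not part of Splint) so that the leak Splint failed to report becomes observable at run time.

```c
#include <stdlib.h>

#define MAX_TRACKED 16

/* Constructed for this example: a minimal allocation tracker so that the
 * leak is observable at run time. Splint would find it statically. */
static void *tracked[MAX_TRACKED];
static int live_allocations = 0;

static void *counted_malloc(size_t n)
{
    void *p;
    if (live_allocations == MAX_TRACKED) return NULL;
    p = malloc(n);
    if (p != NULL) tracked[live_allocations++] = p;
    return p;
}

static void counted_free(void *p)
{
    int i;
    for (i = 0; i < live_allocations; i++) {
        if (tracked[i] == p) {
            tracked[i] = tracked[--live_allocations];
            free(p);
            return;
        }
    }
    /* NULL or a block we did not hand out: nothing to do */
}

int outstanding_allocations(void)
{
    return live_allocations;
}

/* Sweep everything still outstanding; returns how many blocks had leaked. */
int release_outstanding(void)
{
    int leaked = live_allocations;
    while (live_allocations > 0) {
        free(tracked[--live_allocations]);
    }
    return leaked;
}

typedef struct {
    /*@owned@*/ int *pOwned;   /* whoever holds the struct must release this */
} TestStruct;

/* The reported bug: the owned field is filled and then simply dropped
 * when myStruct goes out of scope. */
int leaky_use(void)
{
    TestStruct myStruct;
    myStruct.pOwned = (int *) counted_malloc(sizeof(int));
    if (myStruct.pOwned == NULL) return -1;
    *myStruct.pOwned = 42;
    return *myStruct.pOwned;      /* leaves one block outstanding */
}

/* What the owned annotation demands: every exit path releases the field. */
int clean_use(void)
{
    TestStruct myStruct;
    int value;
    myStruct.pOwned = (int *) counted_malloc(sizeof(int));
    if (myStruct.pOwned == NULL) return -1;
    *myStruct.pOwned = 42;
    value = *myStruct.pOwned;
    counted_free(myStruct.pOwned);
    myStruct.pOwned = NULL;
    return value;
}
```

Running clean_use leaves outstanding_allocations at zero; running leaky_use leaves it at one, which is exactly the condition the owned annotation is meant to let Splint report without executing anything.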
Multi-line comments in macros and line numbers

Splint will miscalculate line numbers after multi-line comments in macro definitions. For example,

    #define FOO /* a macro with a multiline comment
                 * gets the linecount wrong */

(Reported by Kevin Broadey, 17 September 2004.)

Definitions in switches

Splint incorrectly misses undefined variables on switch paths involving default cases:

    static int foo (int a)
    {
        int i, j;

        switch (a) {
        case 0: /* j not set on this path */
            i = 3;
            break;
        default: /* i not set on this path */
            j = 0;
            break;
        }

        return i + j; /* no error for j */
    }

(Reported by Kevin Broadey, 17 September 2004.)

Parsing Syntactic comments

Splint will report an internal error for unbalanced syntactic comments like

    void foo(/*@only*/ /*@null@*/ int*) {}

(Reported by Tim Sylvester, 28 Jan 2004.)

--mode flags

Splint will report an internal error if a mode flag is used with -- (e.g., --strict). (Reported by Toralf Foerster, 18 Dec 2003.)

Parsing Casts

Splint cannot parse the statement (int) x += 18;. (Reported by Scott Simon, 23 Oct 2003)

Unsigned Promotion

Splint incorrectly types arithmetic expressions involving unsigned and signed expressions (e.g., unsigned + signed is typed as unsigned). (Reported by Cat Zimmermann, 21 August 2003. Fixed in CVS 24 August 2003.)

Correction (1 November 2003): This is not a correct interpretation of the ISO standard. The type of unsigned + signed should be unsigned.
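The conversion rule the correction refers to, as an added example that is not part of the Splint page: when an int operand meets an unsigned int operand, the int is converted to unsigned int (ISO C 6.3.1.8), so the whole expression is unsigned. The functions below (names are this example's own) return the results so the rule can be checked rather than read; the last one shows a comparison written so that a negative signed value keeps its mathematical ordering instead of silently becoming a huge unsigned one.

```c
#include <limits.h>

/* int -1 meets unsigned int 1: the -1 is converted to unsigned int first
 * (it becomes UINT_MAX), then the addition wraps modulo UINT_MAX + 1,
 * so the result is 0 and its type is unsigned int. */
unsigned int signed_plus_unsigned(int s, unsigned int u)
{
    return s + u;
}

/* The conversion alone: (unsigned int) -1 is UINT_MAX. */
unsigned int as_unsigned(int s)
{
    return (unsigned int) s;
}

/* Relational operators use the same conversion, so -1 < 1u is false. */
int less_than_mixed(int s, unsigned int u)
{
    return s < u;
}

/* Narrower unsigned types follow a different rule: unsigned short is first
 * promoted to int (on any platform where int is wider than unsigned short),
 * so 65535 + 1 is the int 65536, not a wrapped unsigned value. */
long ushort_plus_int(unsigned short us, int i)
{
    return us + i;
}

/* A defensive comparison that keeps the mathematical ordering: negatives
 * are handled before the value is allowed to convert to unsigned.
 * Returns -1, 0 or 1 for s < u, s == u, s > u. */
int compare_int_unsigned(int s, unsigned int u)
{
    if (s < 0) return -1;
    if ((unsigned int) s < u) return -1;
    if ((unsigned int) s > u) return 1;
    return 0;
}
```

The practical consequence for bounds checks is the less_than_mixed case: a signed length compared against an unsigned capacity is converted before the comparison, so a negative length does not read as "small"; compare_int_unsigned shows the explicit sign test that avoids relying on that.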
Initializations Order

Splint doesn't analyze variable initializations in order. For example, it will report that pointer1 is uninitialized in

    char *pointer1 = (char*)malloc(strlen(line)+1), *pointer2 = pointer1;

(Reported by Andrew Bishop.)

Spliced Macros

If a string literal is spliced that involves a macro constant (that is not expanded), Splint will produce a parse error, e.g., "__" TARGET_CPU.

boolean names with -nolib

Splint reports an internal error if -booltrue or -boolfalse are defined with -nolib. Reported by Anders Bäck.

Unbraced Switch Statements

Splint produces an internal error for unbraced switch statements (which are permitted by ISO C99). For example,

    switch(2) case 1: case 3: return(1);
    return(0);

(Reported by Dirk Noss)

Bugs Fixed in 3.1.1
Splint does not build on OS X

Splint 3.0.1.6 does not build on OS X. This should be fixed in CVS.

We believe this was a problem with automake. We are now using a new version of automake and this seems to have fixed the problem. We have successfully compiled the CVS version on SourceForge's compile farm's Mac OS X server.

Multiple passes on type definitions with /*@alt@*/

Splint will produce a parse error if a type definition like

    typedef long /*@alt int@*/ newtype;

is processed twice (for example if it is in a header file included multiple times). Reported by Simon Hosie, fixed in CVS (2002-12-12).

Include flag handling

Splint now supports -I <dir> and -i <dir> as well as the original -I<dir>. Changed in CVS (2002-12-12), will be in 3.0.1.7.

Multiple globals clauses

Splint will produce a warning message, but then crash on an internal error if multiple globals clauses are used. Reported by Gayath Ratnayaka. Fixed in CVS (2002-12-04), will be in 3.0.1.7.

Spurious bounds errors in for loops

A bug caused Splint to spuriously report bounds errors in certain for loops such as:

    int a[12];
    int i;
    for (i = 0; i < 12; i++) a[i] = 0;

Fixed in CVS (2002-09-05), will be in 3.0.1.7.

Spurious bounds errors in if-else statements

Constraints were not generated correctly from the if statement test for each branch of an if-else statement. This caused spurious bounds errors. Fixed in CVS (2002-10-10), will be in 3.0.1.7. Reported by Xiaolan Zhang.

Incorrect Path Displayed

Splint incorrectly reported the file name path in error messages when it was given the absolute path name of a file outside of the current directory and the subdirectories below the current directory. E.g., after

    cd /home/; splint /tmp/prog.c

Splint will report tmp/prog.c instead of /tmp/prog.c. Fixed in CVS (2002-10-14), will be in 3.0.1.7.

Crashes if started with -i instead of -I

Splint crashed if it was started with the -i flag and given an invalid argument. This was problematic because -i is easily confused with -I. Fixed in CVS (2002-10-21), will be in 3.0.1.7. Bug reported by Jesse Laird.

sizeof

Splint did not correctly handle code in which sizeof is applied to a string literal, e.g. malloc (sizeof ("abcd") );. This caused Splint to report spurious bounds errors. Fixed in CVS (2002-11-29), will be in 3.0.1.7. Bug was reported by Xiaolan Zhang.

Directories in file list

Splint produces an internal bug report when directories are listed as source files (e.g., splint .). Reported by Ullrich von Bassewitz. Fixed in development code (2002-07-17), not yet in CVS.

emptyreturn flag

The emptyreturn flag doesn't work (it should be "emptyret" in flags.def). Reported by Adam Clarke. Fixed in CVS (2002-07-08), will be in 3.0.1.7. (This is a temporary fix; a better solution to canonicalizing flag names will be incorporated into a later release.)
getgrgid, getgrnam, getpwnam

These functions from grp.h in the Posix and Unix libraries should be declared to return /*@observer@*/ references. Reported by Enrico Scholz. Fixed in CVS (2002-07-08), will be in 3.0.1.7.

sys/resource.h

The sys/resource.h segment of the Unix library was not updated to SUSv3. The types of rlim_t, struct rlimit and struct rusage have been updated. Reported by Enrico Scholz. Fixed in CVS (2002-07-08), will be in 3.0.1.7.

Standard library missing snprintf

snprintf is in the unix library, but not the standard library. It was added to ISO C99, so should be in the standard library. Reported by Olivier L'Heureux. Fixed in CVS (2002-07-08), will be in 3.0.1.7.

Char literal initializers

Splint misinterprets initializations of char arrays with string literals (see ISO 6.7.8, Example 8):

    char s[] = "abc";
    char *p = "abc";

s is modifiable (not an observer); p is an observer. Reported by Olivier L'Heureux. Fixed in CVS (before 2002-07-05), will be in 3.0.1.7.

pre-processor macros

The pre-processor will lose necessary whitespace before an identifier that corresponds to the name of a parameterized macro inside a macro expansion. For example,

    typedef void (*ErrorProc_t)( void );
    typedef void (*WriteProc_t)( int, ErrorProc_t);

    #define ErrorProc_t(name) void (name) ( void )
    #define PrintProc_t(name) void (name) ( int Num, ErrorProc_t /*<- this whitespace is lost!->*/ errorProc )

    static PrintProc_t (foo1);

Fixed in CVS (2002-07-03), will be in 3.0.1.7. Reported by Adam Clarke.

offsetof syntax

Splint cannot parse offsetof expressions where the field designator is an array fetch: offsetof(some_struct_t, d[index]). Fixed in CVS (2002-07-02), will be in 3.0.1.7. Reported by Asger Overby.

struct iovec and struct msghdr declarations

The unix.h library declares the struct iovec and struct msghdr structures without /*@dependent@*/ annotations on their pointer fields; the implicit only annotations are incorrect for these. The library declarations were changed to:

    struct iovec {
        /*@dependent@*/ void *iov_base;
        size_t iov_len;
        /*: maxSet(iov_base) = iov_len */
    };

    struct msghdr {
        /*@dependent@*/ void *msg_name;
        socklen_t msg_namelen;
        /*: maxSet (msg_name) >= msg_namelen */
        /*@dependent@*/ struct iovec *msg_iov;   /* scatter/gather array */
        int msg_iovlen;                           /* # elements in msg_iov */
        /*: maxSet (msg_iov) >= msg_iovlen */
        /*@dependent@*/ void *msg_control;       /* ancillary data, see below */
        socklen_t msg_controllen;
        /*: maxSet (msg_control) >= msg_controllen */
        int msg_flags;                            /* flags on received message */
    };

Fixed in CVS (2002-07-02), will be in 3.0.1.7. Reported by Enrico Scholz.

forward enum tags

Splint reports spurious redeclaration warnings for forward enum tags. Fixed in CVS, will be in 3.0.1.7.

Line Numbers after multi-line macro instantiations

Splint will report the wrong line number after a multi-line macro instantiation (it only counts as one line). Reported by Andreas Rasmusson. Fixed in CVS, will be in 3.0.1.7.

GCC_INCLUDE_DIR definition

GCC_INCLUDE_DIR is not defined properly by configure on systems where gcc is not found. If you build on such a system, you need to manually edit config.h to include the definition:

    /* system include directory */
    #define GCC_INCLUDE_DIR "/usr/include"

Fixed in CVS, will be in 3.0.1.7 release.

Array Initializers

Splint does not handle array initializations with missing values correctly, for example int a[][2] = {{1,2},{3,4},{5,6}}.
(Reported by Ka-Liong Lau)

Warning message for -shiftsigned

The warning message for the shiftsigned flag refers to the shiftsize flag, which does not exist. It should be shiftimplementation instead. Reported by Nelson Beebe. Fixed in CVS, 13 Feb 2002.

-skipisoheaders

The skipisoheaders flag does not work as documented. (It should be the same as skipansiheaders.) Reported by Jeroen Ruigrok van der Werven. Fixed in CVS, will be in 3.0.1.7.

BUFSIZ

The standard library declares BUFSIZ as int, but it should be size_t. Reported by Walter Briscoe. Fixed in CVS, will be in 3.0.1.7.
Types with fixed sized arrays
Splint may crash if there is a typedef involving a fixed size array. For example:

    typedef int Buf[5];

This problem will only occur if the flags bounds, boundsread, or boundswrite are set. A message like

    *** Internal Bug at ctype.c:2687: llassert failed: (ctentry_getKind (cte) == CTK_COMPLEX) || (ctentry_getKind (cte) == CTK_ARRAY) [errno: 25]

will be printed before Splint crashes. (Reported by Jim Francis) Fixed in CVS, 25 Jan 2002.

Char array initialized with strings containing escape sequences

Splint may erroneously warn that a "string literal is assigned to a char array too small to hold it" if an array is initialized with a string containing escape sequences. (Reported by Jeff Johnson) Fixed in CVS, 22 Jan 2002.
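The sizes the C standard assigns to literal-initialised objects, which the sizeof, Char literal initializers, Array Initializers and escape-sequence bugs above all turn on, as an added example that is not part of the Splint page. Each function (names are this example's own) returns the size or value in question so the rule can be checked with the compiler rather than taken from the checker.

```c
#include <stddef.h>
#include <string.h>

/* sizeof on a string literal counts the terminating NUL byte, so
 * sizeof("abcd") is 5 and malloc(sizeof("abcd")) reserves room for it. */
size_t literal_size_abcd(void)
{
    return sizeof("abcd");
}

/* Each escape sequence is a single character: "a\tb\\c" is a, TAB, b,
 * backslash, c plus the NUL: six bytes, not the nine typed in the source.
 * An array initialised from it is therefore sized 6 (ISO 6.7.8). */
size_t escaped_literal_size(void)
{
    char buf[] = "a\tb\\c";
    return sizeof(buf);
}

/* char s[] = "abc" creates a writable 4-byte copy that the function owns. */
size_t array_copy_size(void)
{
    char s[] = "abc";
    return sizeof(s);
}

char modify_array_copy(void)
{
    char s[] = "abc";
    s[0] = 'X';            /* permitted: s is the function's own array */
    return s[0];
}

/* With char *p = "abc", p only observes a read-only literal: writing p[0]
 * would be undefined behaviour, and sizeof(p) is the pointer size, so the
 * string's storage requirement has to be computed at run time. */
size_t pointed_literal_size(void)
{
    const char *p = "abc";
    return strlen(p) + 1;
}

/* int a[][2] = {{1,2},{3,4},{5,6}}: the outer dimension is taken from the
 * initializer, so this is 3 rows of 2. */
size_t inferred_rows(void)
{
    int a[][2] = {{1,2},{3,4},{5,6}};
    return sizeof(a) / sizeof(a[0]);
}

/* Elements an initializer leaves out are zero-initialised (ISO 6.7.8). */
int missing_value_is_zero(void)
{
    int b[][2] = {{1},{3,4}};
    return b[0][1];
}
```

escaped_literal_size is the case behind the "char array too small" warning: a checker that counts source characters instead of the characters the escapes denote over-estimates the literal and flags a correctly sized array.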
Double Compilations

On some platforms, if -j is used to do a parallel make, Splint will compile some files more than once. We're not sure why this happens, but recommend not using the -j option to make. (Reported by Matthias Andree, 14 Jan 2002.)