|
Splint - Secure Programming Lint |
info@splint.org |
| Manual Contents - Other Formats | Section: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 A B C D E Sponsors - Credits |
There are four different types of flags:
· Global flags for controlling initializations and global behavior
· Message format flags for controlling how messages are displayed
· Mode selectors for coarse control of Splint checking
· Checking flags that control checking and what classes of messages are reported.
Global flags can be used in initialization files and at the command line; all other flags may also be used in control comments.
To the left of each flag name is a flag descriptor encoding what kind of flag it is and its default value. The descriptions are:
P: -
A plain flag. The value after the colon gives the default setting (e.g., this flag is off.)
m:--++
A mode checking flag. The value of the flag is set by the mode selector. The four signs give the setting in the weak, standard, checks and strict modes. (e.g., this flag is off in the weak and standard modes, and on in the checks and strict modes.)
shortcut
A shortcut flag. This flag sets other flags, so it has no default value.
Within a flag name, abbreviations may be used. Figure 25 shows the flag name abbreviations. The expanded and short forms are interchangeable in flag names.
Expanded Form
Short Form
constant
const
declaration
decl
function
fcn
global
glob
implicit, implied
imp
iterator
iter
length
len
modifies
mods
modify
mod
memory
mem
parameter
param
pointer
ptr
return
ret
variable
var
unconstrained, unconst
uncon
Figure 25. Flag Name Abbreviations
The expanded and short forms are interchangeable in flag names.
For example, globsimpmodsnothing and globalsimpliesmodifiesnothing denote the same flag. Abbreviations in flag names allow pronounceable, descriptive names to be used without making flag names excessively long (although one must admit even globsimpmodsnothing is a bit of a mouthful.)
To make flag names more readable, the space, dash (-), and underscore (_) characters may be used inside a flag name. Hence, globals-implies-modifies-nothing, glob_imps_modsnothing and globsimpmodsnothing are equivalent.
Global flags can be set at the command line or in an options file, but cannot be set locally using stylized comments. These flags control on-line help, initialization files, pre-processor flags, libraries and output.
On-line help provides documentation on Splint operation and flags. When a help flag is used, no checking is done by Splint. Help flags may be preceded by - or +.
help
Display general help overview, including list of additional help topics.
help <topic>
Display help on <topic>. Available topics:
annotations
describe annotations
comments
describe control comments
flags
describe flag categories
flags <category>
all flags pertaining to <category> (one of the categories listed by splint -help flags)
flags alpha
all flags in alphabetical order
flags full
print a full description of all flags
print information on mailing lists
modes
flags settings in modes
prefixcodes
character codes for setting namespace prefixes
references
print references to relevant papers and web sites
vars
describe environment variables
version
print maintainer and version information
help <flag>
Describe flag <flag>. (May list several flags.)
warn-flags
Display a warning when a flag is set in a surprising way. An error is reported if an obsolete flag is set, a flag is set to its current value (i.e., the + or - may be wrong), or a mode selector flag is set after mode checking flags that will be reset by the mode were set. By default, +warn-flags is on. To suppress flag warnings, use ‑warn-flags.
P: +
warn-rc
There was a problem reading an initialization file.
P: +
bad-flag
A flag is not recognized or used in an incorrect way.
P: +
fileextensions
Warn when command line file does not have a recognized extension.
These flags control directories and files used by Splint. They may be used from the command line or in an options file, but may not be used as control comments in the source code. Except where noted. they have the same meaning preceded by - or +.
tmpdir <directory>
Set directory for writing temp files. Default is /tmp/.
I<directory>
Add directory to path searched for C include files. Note there is no space after the I, to be consistent with C preprocessor flags.
S<directory>
Add directory to path search for .lcl specification files.
larchpath <path>
Set path to search for library files. Overrides LARCH_PATH environment variable.
lclimportdir <directory>
Set directory to search for LCL import files. OverridesLCLIMPORTDIR environment variable.
f <file>
Load options from <file>. If this flag is used from the command line, the default ~/.splintrc file is not loaded. This flag may be used in an options file to include another options file.
i <file>
Set LCL initilization file.
nof
Prevents the default options files (./.splintrcand ~/.splintrc) from being loaded. (Setting -nof overrides +nof, causing the options files to be loaded normally.)
sys-dirs
Set directories for system files (default is /usr/). Separate directories with the path separator for your operating system (e.g., semi-colons for Windows or colons for Unix: /usr/include:/usr/local/lib). Flag settings propagate to files in a system directory. If -sys-dir-errors is set, no errors are reported for files in system directories.
These flags are used to define or undefine pre-processor constants. The -I<directory> flag is also passed to the C pre-processor.
D<initializer>
Passed to the C pre-processor.
U<initializer>
Passed to the C pre-processor.
P: +
unrecogdirective
Preprocessor directive is not recognized.
P: +
preproc
Preprocessing error.
These flags control the creation and use of libraries.
dump <file>
Save state in <file> for loading. The default extension .lcd is added if <file> has no extension.
load <file>
Load state from <file> (created by -dump). The default extension .lcd is added if <file> has no extension. Only one library file may be loaded.
By default, the standard library is loaded if the -load flag is not used to load a user library. If no user library is loaded, one of the following flags may be used to select a different standard library. Precede the flag by + to load the described library (or to prevent a library from being loaded using no-lib). See Section 14.1 for information on the provided libraries.
no-lib
Do not load any library. This prevents the standard library from being loaded.
ansi-lib
Use the ANSI standard library (selected by default).
strict-lib
Use strict version of the ANSI standard library.
posix-lib
Use the POSIX standard library.
posix-strict-lib
Use the strict version of the POSIX standard library.
unix-lib
Use UNIX version of standard library.
unix-strict-lib
Use the strict version of the UNIX standard library.
which-lib
Print out the standard library filename and creation information.
P: +
newdecl
There is a new declaration that is not declared in a loaded library or earlier file. (Use this flag to check for consistency against a library.)
P: +
impconj
Make all alternate types implicit (useful for making system libraries).
These flags control what additional information Splint prints. Setting +<flag> causes the described information to be printed; setting -<flag> prevents it. By default, all these flags are off.
use-stderr
Send error messages to standard error (instead of standard output).
show-summary
Show a summary of all errors reported and suppressed. Counts of suppressed errors are not necessarily correct since turning a flag off may prevent some checking from being done to save computation, and errors that are not reported may propagate differently from when they are reported.
show-scan
Show file names are they are processed.
show-all-uses
Show list of uses of all external identifiers sorted by number of uses.
stats
Display number of lines processed and checking time.
time-dist
Display distribution of where checking time is spent.
quiet
Suppress herald and error count. (If quiet is not set, Splint prints out a herald with version information before checking begins, and a line summarizing the total number of errors reported.)
iso-lib
Use library based on the ISO standard library specification.
warn-unix-lib
Warn when the unix library is used. Unix library may not be compatible with all platforms.
which-lib
Print out the standard library filename and creation information.
limit <number>
At most <number> similar errors are reported consecutively. Further errors are suppressed, and a message showing the number of suppressed messages is printed.
message-stream <file>
Send status messages to <file>.
message-stream-stdout
Send status messages to standard output stream.
message-stream-stderr
Send status messages to standard error stream.
warning-stream <file>
Send warnings to <file>.
warning-stream-stdout
Send warnings to standard output stream.
warning-stream-stderr
Send warnings to standard error stream.
error-stream <file>
Send fatal errors to <file>.
error-stream-stdout
Send fatal errors to standard output stream.
error-stream-stderr
Send fatal errors to standard error stream.
Normally, Splint will expect to report no errors. The exit status will be success (0) if no errors are reported, and failure if any errors are reported. Flags can be used to set the expected number of reported errors. Because of the provided error suppression mechanisms, these options should probably not be used for final checking real programs but may be useful in developing programs using make.
expect <number>
Exactly <number> code errors are expected. Splint will exit with failure exit status unless <number> code errors are detected.
These flags control how messages are printed. They may be set at the command line, in options files, or locally in syntactic comments. The line-len and limit flags may be preceded by + or - with the same meaning; for the other flags, + turns on the describe printing and - turns it off. The box to the left of each flag gives its default value.
+
show-column
Show column number where error is found.
+
show-func
Show name of function (or macro) definition containing error. The function name is printed once before the first message detected in that function.
-
show-all-conjs
Show all possible alternate types (see Section 4.4).
-
paren-file-format
Use <file>(<line> ) format in messages. (Default is + for Win32 for compatibility with Microsoft VisualStudio.)
+
hints
Provide hints describing an error and how a message may be suppressed for the first error reported in each error class.
-
force-hints
Provide hints for all errors reported, even if the hint has already been displayed for the same error class.
80
line-len <number>
Set length of maximum message line to <number> characters. Splint will split messages longer than <number> characters long into multiple lines.
3
indentspaces <number>
Set the number of spaces to indent sub-messages.
3
locindentspaces <number>
Set number of spaces to indent sub-messages that start with file locations.
-
showdeephistory
Show all available information about storage mentioned in warnings.
-
showloadloc
Show location information for load files.
-
csv
Produce comma-separated values (CSV) warnings output file.
-
csvoverwrite
Overwrite exisiting CVS output file Show location information for load files.
-
htmlfileformat
Show file locations as links.
+
streamoverwrite
Warn and exit if a stream output file would overwrite an existing file.
Mode selects flags set the mode checking flags to predefined values. They provide a quick coarse-grain way of controlling what classes of errors are reported. Specific checking flags may be set after a mode flag to override the mode settings. Mode flags may be used locally, however the mode settings will override specific command line flag settings. A warning is produced if a mode flag is used after a mode checking flag has been set.
These are brief descriptions to give a general idea of what each mode does. To see the complete flag settings in each mode, use splint -help modes. A mode flag has the same effect when used with either + or -.
weak
Weak checking, intended for typical unannotated C code. No modifies checking, macro checking, rep exposure, or clean interface checking is done. Return values of type int may be ignored. The types bool, int, char and user-defined enum types are all equivalent. Old style declarations are unreported.
standard
The default mode. All checking done by weak, plus modifies checking, global, alias checking, use all parameters, using released storage, ignored return values or any type, macro checking, unreachable code, infinite loops, and fall through cases. The types bool, int and char are distinct. Old style declarations are reported.
checks
Moderately strict checking. All checking done by standard, plus must modification checking, rep exposure, return alias, memory management and complete interfaces.
strict
Absurdly strict checking. All checking done by checks, plus modifications and global variables used in unspecified functions, strict standard library, and strict typing of C operators. A special reward will be presented to the first person to produce a real program that produces no errors with strict checking.
These flags control checking done by Splint. They may be set locally using syntactic comments, from the command line, or in an options file. Some flags directly control whether a certain class of message is reported. Preceding the flag by + turns reporting on, and preceding the flag by - turns reporting off. Other flags control checking less directly by determining default values (what annotations are implicit), making types equivalent (to prevent certain type errors), controlling representation access, etc. For these flags, the effect of + is described, and the effect of - is the opposite (or explicitly explained if there is no clear opposite). The organization of this section mirrors Sections 2-14.
Null Dereferences (Section 2)
shortcut
null
A possibly null pointer may be dereferenced, or used somewhere a non-null pointer is expected. (sets nulldref, nullpass, nullassign, and nullstate
m:-+++
nullderef
A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case, code should check it is not null), or a global, parameter or structure field declared with the null qualifier.
m:-+++
nullpass
A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@null@*/ annotation. If NULL may be used for this parameter, add a /*@null@*/ annotation to the function parameter declaration.
m:-+++
nullret
Function returns a possibly null pointer, but is not declared using /*@null@*/ annotation of result. If function may return NULL, add /*@null@*/ annotation to the return value declaration.
m:-+++
nullstate
A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@null@*/ annotation.
m:-+++
nullassign
A reference with no null annotation is assigned or initialized to NULL. Use /*@null@*/ to declare the reference as a possibly null pointer.
Use Before Definition (Section 3)
m:-+++
usedef
The value of a location that may not be initialized on some execution path is used.
m:----
impouts
Allow unannotated pointer parameters to functions to be implicit out parameters.
m:-+++
compdef
Storage derivable from a parameter, return value or global variable is not completely defined.
m:-+++
uniondef
No field of a union is defined. (No error is reported if at least one union field is defined.)
m:-+++
mustdefine
Parameter declared with out is not defined before return or scope exit.
P:+
fullinitblock
Initializer does not set every field in the structure.
P:+
initallelments
Initializer does not define all elements of a declared array.
P:+
initsize
Initializer block contains more elements than the size of a declared array.
m:-+++
incondefs
A function, variable or constant is redefined with a different type.
m:-+++
functionderef
A function type is dereferenced. The ANSI standard allows this because of implicit conversion of function designators, however the dereference is unnecessary.
m:--++
redundantsharequal
A declaration of an immutable object uses a redundant observer qualifier.
m:-+++
misplacedsharequal
A declaration of an unsharable object uses a sharing annotation.
Types (Section 4 )
P: +
type
Type mismatch.
P: +
string-literal-too-long
A string literal is assigned to a char array too small to hold it.
m: -+++
string-literal-no-room
A string literal is assigned to a char array that is not big enough to hold the null terminator.
m: ++++
string-literal-no-room-final-null
A string literal is assigned to a char array that is not big enough to hold the final null terminator. This may not be a problem because a null character has been explictedly included in the string literal using an escape sequence.
m: --++
string-literal-smaller
A string literal is assigned to a char array that smaller than the string literal needs.
m: --++
enum-members
Type of initial values for enum members must be int.
Boolean Types (Section 4.2 )
These flags control the type name used to represent Booleans, and whether the Boolean type is abstract.
P: -
bool
Boolean type is an abstract type.
P: bool
booltype <name>
Set name of Boolean type to <name>.
P:FALSE
boolfalse <name>
Set name of Boolean false to <name>.
P: TRUE
booltrue <name>
Set name of Boolean true to <name>.
P: +
likelybool
Splint has found a type which appears to be the boolean type. Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type.
m:--++
pred-bool-ptr
Type of condition test is a pointer.
m:-+++
pred-bool-int
Type of condition test is an integral type.
m:++++
pred-bool-others
Type of condition test is not a Boolean, pointer or integral type.
shortcut
pred-bool
Sets predboolint, predboolptr and preboolothers.
P: +
pred-assign
The condition test is an assignment expression. If an assignment is intended, add an extra parentheses nesting (e.g., if ((a = b)) ...).
Primitive Operations
m:---+
ptr-arith
Arithmetic involving pointer and integer.
m: --++
nullptrarith
Pointer arithmetic using a possibly null pointer and integer.
m: ++--
boolops
The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers.
m:++--
ptr-negate
Allow the operand of the ! operator to be a pointer.
m:---+
bitwise-signed
An operand to a bitwise operator is not an unsigned value. This may have unexpected results depending on the signed representations.
m: ---+
shiftimplementation
The left operand to a shift operator may be negative (behavior is implementation-defined).
m: -+++
shiftnegative
The right operand to a shift operator may be negative (behavior undefined).
m:-+++
shift-signed
The left operand to a shift operator is not an unsigned value.
m:---+
strict-ops
Primitive operation does not type check strictly.
m:---+
sizeof-type
Operand of sizeof operator is a type. (Safer to use int *x = sizeof (*x); instead of sizeof (int).)
Array Formal Parameters
These flags control reporting of common errors caused by confusion about the semantics of array formal parameters.
P: +
sizeof-formal-array
The sizeof operator is used on a parameter declared as an array. (In many instances this has unexpected behavior, since the result is the size of a pointer to the element type, not the number of elements in the array.)
P: +
fixed-formal-array
An array formal parameter is declared with a fixed size (e.g., int x[20]). This is likely to be confusing, since the size is ignored.
P: -
formal-array
A formal parameter is declared as an array. This is probably not a problem, but can be confusing since it is treated as a pointer.
Format Codes
P: +
format-code
Invalid format code in format string for printflike or scanflike function.
P: +
format-type
Type-mismatch in parameter corresponding to format code in a printflike or scanflike function.
P: +
format-const
Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.
Main
P: +
main-type
Type of main does not match expected type (function returning an int, taking no parameters or two parameters of type int and char **.)
Comparisons
m:-+++
bool-compare
Comparison between Boolean values. This is dangerous since there may be multiple true values as any non-zero value is interpreted as true.
m:-+++
real-compare
Comparison involving float or double values. This is dangerous since it may produce unexpected results because floating point representations are inexact.
m:-+++
ptr-compare
Comparison between pointer and number.
m:-+++
unsigned-compare
An unsigned value is used in a comparison with zero in a way that is either a bug or confusing.
Type Equivalence
void-abstract
Allow void * to match pointers to abstract types. (Casting a pointer to an abstract type to a pointer to void is okay if +void-abstract is set.)
P: +
cast-fcn-ptr
A pointer to a function is cast to (or used as) a pointer to void (or vice versa).
m:+---
forward-decl
Forward declarations of pointers to abstract representation match abstract type.
m:-+++
imp-type
A variable declaration has no explicit type. The type is implicitly int.