Splint - Secure Programming Lint
[email protected]
Manual Contents - Other Formats Section: 1  2  3  4  5  6  7  8  9  10  11  12  13  14  A  B  C  D  E     Sponsors - Credits

Appendix B                    Flags

There are four different types of flags:

·      Global flags for controlling initializations and global behavior

·      Message format flags for controlling how messages are displayed

·      Mode selectors for coarse control of Splint checking

·      Checking flags that control checking and what classes of messages are reported.

Global flags can be used in initialization files and at the command line; all other flags may also be used in control comments.

Key

To the left of each flag name is a flag descriptor encoding what kind of flag it is and its default value.  The descriptions are:

P: -

A plain flag.  The value after the colon gives the default setting (e.g., this flag is off.) 

 

m:--++

A mode checking flag.  The value of the flag is set by the mode selector.  The four signs give the setting in the weak, standard, checks and strict modes. (e.g., this flag is off in the weak and standard modes, and on in the checks and strict modes.)

 

shortcut

A shortcut flag.  This flag sets other flags, so it has no default value.

Flag Name Abbreviations

Within a flag name, abbreviations may be used.  Figure 25 shows the flag name abbreviations.  The expanded and short forms are interchangeable in flag names.

Expanded Form

Short Form

constant

const

declaration

decl

function

fcn

global

glob

implicit, implied

imp

iterator

iter

length

len

modifies

mods

modify

mod

memory

mem

parameter

param

pointer

ptr

return

ret

variable

var

unconstrained, unconst

uncon

Figure 25.  Flag Name Abbreviations

The expanded and short forms are interchangeable in flag names.

For example, globsimpmodsnothing and globalsimpliesmodifiesnothing denote the same flag.  Abbreviations in flag names allow pronounceable, descriptive names to be used without making flag names excessively long (although one must admit even globsimpmodsnothing is a bit of a mouthful.)

To make flag names more readable, the space, dash (-), and underscore (_) characters may be used inside a flag name.  Hence, globals-implies-modifies-nothing, glob_imps_­mods­nothing and globsimpmodsnothing are equivalent.

Global Flags

Global flags can be set at the command line or in an options file, but cannot be set locally using stylized comments.  These flags control on-line help, initialization files, pre-processor flags, libraries and output.

Help

On-line help provides documentation on Splint operation and flags.  When a help flag is used, no checking is done by Splint.  Help flags may be preceded by - or +.

help

Display general help overview, including list of additional help topics.

help <topic>

Display help on <topic>. Available topics:

annotations

describe annotations

comments

describe control comments

flags

describe flag categories

flags <category>

all flags pertaining to <category> (one of the categories listed by splint -help flags)

flags alpha        

all flags in alphabetical order

flags full

print a full description of all flags

mail

print information on mailing lists

modes

flags settings in modes

prefixcodes

character codes for setting namespace prefixes

references

print references to relevant papers and web sites

vars

describe environment variables

version

print maintainer and version information

 

help <flag>

Describe flag <flag>.  (May list several flags.)

warn-flags

Display a warning when a flag is set in a surprising way.  An error is reported if an obsolete flag is set, a flag is set to its current value (i.e., the + or - may be wrong), or a mode selector flag is set after mode checking flags that will be reset by the mode were set.  By default, +warn-flags is on.  To suppress flag warnings, use ‑warn-flags.

P: +

warn-rc

There was a problem reading an initialization file.

P: +

bad-flag

A flag is not recognized or used in an incorrect way.

P: +

fileextensions

Warn when command line file does not have a recognized extension.

Initialization

These flags control directories and files used by Splint.  They may be used from the command line or in an options file, but may not be used as control comments in the source code.  Except where noted. they have the same meaning preceded by - or +

tmpdir <directory>

Set directory for writing temp files.  Default is /tmp/.

I<directory>

Add directory to path searched for C include files.  Note there is no space after the I, to be consistent with C preprocessor flags.

S<directory>

Add directory to path search for .lcl specification files.

 

larchpath <path>

Set path to search for library files.  Overrides LARCH_PATH environment variable.

lclimportdir <directory>

Set directory to search for LCL import files.  OverridesLCLIMPORTDIR environment variable.

 

f <file>

Load options from <file>.  If this flag is used from the command line, the default ~/.splintrc file is not loaded.  This flag may be used in an options file to include another options file.

i <file>

Set LCL initilization file.

nof

Prevents the default options files (./.splintrcand ~/.splintrc) from being loaded.  (Setting -nof overrides +nof, causing the options files to be loaded normally.)

sys-dirs

Set directories for system files (default is /usr/).  Separate directories with the path separator for your operating system (e.g., semi-colons for Windows or colons for Unix: /usr/include:/usr/local/lib).  Flag settings propagate to files in a system directory.  If -sys-dir-errors is set, no errors are reported for files in system directories.

Pre-processor

These flags are used to define or undefine pre-processor constants.  The -I<directory> flag is also passed to the C pre-processor.

D<initializer>

Passed to the C pre-processor.

U<initializer>

Passed to the C pre-processor.

P: +

unrecogdirective

Preprocessor directive is not recognized.

P: +

preproc

Preprocessing error.

Libraries

These flags control the creation and use of libraries.

dump <file>

Save state in <file> for loading.  The default extension .lcd is added if <file> has no extension.

load <file>

Load state from <file> (created by -dump).  The default extension .lcd is added if <file> has no extension.  Only one library file may be loaded.

By default, the standard library is loaded if the -load flag is not used to load a user library.  If no user library is loaded, one of the following flags may be used to select a different standard library.  Precede the flag by + to load the described library (or to prevent a library from being loaded using no-lib). See Section 14.1 for information on the provided libraries.

no-lib

Do not load any library.  This prevents the standard library from being loaded.

ansi-lib

Use the ANSI standard library (selected by default).

strict-lib

Use strict version of the ANSI standard library.

posix-lib

Use the POSIX standard library.

posix-strict-lib

Use the strict version of the POSIX standard library.

unix-lib

Use UNIX version of standard library.

unix-strict-lib

Use the strict version of the UNIX standard library.

 

which-lib

Print out the standard library filename and creation information.

P: +

newdecl

There is a new declaration that is not declared in a loaded library or earlier file. (Use this flag to check for consistency against a library.)

P: +

impconj

Make all alternate types implicit (useful for making system libraries).

Output

These flags control what additional information Splint prints.  Setting +<flag> causes the described information to be printed; setting -<flag> prevents it.  By default, all these flags are off.

use-stderr

Send error messages to standard error (instead of standard output).

show-summary

Show a summary of all errors reported and suppressed.  Counts of suppressed errors are not necessarily correct since turning a flag off may prevent some checking from being done to save computation, and errors that are not reported may propagate differently from when they are reported.

show-scan

Show file names are they are processed.

show-all-uses

Show list of uses of all external identifiers sorted by number of uses.

stats

Display number of lines processed and checking time.

time-dist

Display distribution of where checking time is spent.

quiet

Suppress herald and error count.  (If quiet is not set, Splint prints out a herald with version information before checking begins, and a line summarizing the total number of errors reported.)

iso-lib

Use library based on the ISO standard library specification.

warn-unix-lib

Warn when the unix library is used. Unix library may not be compatible with all platforms.

which-lib

Print out the standard library filename and creation information.

limit <number>

At most <number> similar errors are reported consecutively.  Further errors are suppressed, and a message showing the number of suppressed messages is printed.

message-stream <file>

Send status messages to <file>.

message-stream-stdout

Send status messages to standard output stream.

message-stream-stderr

Send status messages to standard error stream.

warning-stream <file>

Send warnings to <file>.

warning-stream-stdout

Send warnings to standard output stream.

warning-stream-stderr

Send warnings to standard error stream.

error-stream <file>

Send fatal errors to <file>.

error-stream-stdout

Send fatal errors to standard output stream.

error-stream-stderr

Send fatal errors to standard error stream.

Expected Errors

Normally, Splint will expect to report no errors.  The exit status will be success (0) if no errors are reported, and failure if any errors are reported.  Flags can be used to set the expected number of reported errors.  Because of the provided error suppression mechanisms, these options should probably not be used for final checking real programs but may be useful in developing programs using make.

expect <number>

Exactly <number> code errors are expected.  Splint will exit with failure exit status unless <number> code errors are detected.

Message Format

These flags control how messages are printed.  They may be set at the command line, in options files, or locally in syntactic comments.  The line-len and limit flags may be preceded by + or - with the same meaning; for the other flags, + turns on the describe printing and - turns it off.  The box to the left of each flag gives its default value.

+

show-column

Show column number where error is found.

+

show-func

Show name of function (or macro) definition containing error.  The function name is printed once before the first message detected in that function.

-

show-all-conjs

Show all possible alternate types (see Section 4.4).

-

paren-file-format

Use <file>(<line> ) format in messages.  (Default is + for Win32 for compatibility with Microsoft VisualStudio.)

+

hints

Provide hints describing an error and how a message may be suppressed for the first error reported in each error class.

-

force-hints

Provide hints for all errors reported, even if the hint has already been displayed for the same error class.

80

line-len <number>

Set length of maximum message line to <number> characters.  Splint will split messages longer than <number> characters long into multiple lines.

3

indentspaces <number>

Set the number of spaces to indent sub-messages.

3

locindentspaces <number>

Set number of spaces to indent sub-messages that start with file locations.

-

showdeephistory

Show all available information about storage mentioned in warnings.

-

showloadloc

Show location information for load files.

-

csv

Produce comma-separated values (CSV) warnings output file.

-

csvoverwrite

Overwrite exisiting CVS output file Show location information for load files.

-

htmlfileformat

Show file locations as links.

+

streamoverwrite

Warn and exit if a stream output file would overwrite an existing file.

Mode Selector Flags

Mode selects flags set the mode checking flags to predefined values.  They provide a quick coarse-grain way of controlling what classes of errors are reported. Specific checking flags may be set after a mode flag to override the mode settings.  Mode flags may be used locally, however the mode settings will override specific command line flag settings.  A warning is produced if a mode flag is used after a mode checking flag has been set.

 

These are brief descriptions to give a general idea of what each mode does.  To see the complete flag settings in each mode, use splint -help modes. A mode flag has the same effect when used with either + or -.

weak

Weak checking, intended for typical unannotated C code.  No modifies checking, macro checking, rep exposure, or clean interface checking is done.  Return values of type int may be ignored.  The types bool, int, char and user-defined enum types are all equivalent.  Old style declarations are unreported.

standard

The default mode.  All checking done by weak, plus modifies checking, global, alias checking, use all parameters, using released storage, ignored return values or any type, macro checking, unreachable code, infinite loops, and fall through cases.  The types bool, int and char are distinct.  Old style declarations are reported.

 checks

Moderately strict checking.  All checking done by standard, plus must modification checking, rep exposure, return alias, memory management and complete interfaces.

strict

Absurdly strict checking.  All checking done by checks, plus modifications and global variables used in unspecified functions, strict standard library, and strict typing of C operators. A special reward will be presented to the first person to produce a real program that produces no errors with strict checking.

Checking Flags

These flags control checking done by Splint.  They may be set locally using syntactic comments, from the command line, or in an options file.  Some flags directly control whether a certain class of message is reported.  Preceding the flag by + turns reporting on, and preceding the flag by - turns reporting off.  Other flags control checking less directly by determining default values (what annotations are implicit), making types equivalent (to prevent certain type errors), controlling representation access, etc.  For these flags, the effect of + is described, and the effect of - is the opposite (or explicitly explained if there is no clear opposite).  The organization of this section mirrors Sections 2-14.

Null Dereferences (Section 2)

shortcut

null

A possibly null pointer may be dereferenced, or used somewhere a non-null pointer is expected. (sets nulldref, nullpass, nullassign, and nullstate

m:-+++

nullderef

A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case, code should check it is not null), or a global, parameter or structure field declared with the null qualifier.

m:-+++

nullpass

A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@[email protected]*/ annotation. If NULL may be used for this parameter, add a /*@[email protected]*/ annotation to the function parameter declaration.

m:-+++

nullret

Function returns a possibly null pointer, but is not declared using /*@[email protected]*/ annotation of result. If function may return NULL, add /*@[email protected]*/ annotation to the return value declaration.

m:-+++

nullstate

A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@[email protected]*/ annotation.

m:-+++

nullassign

A reference with no null annotation is assigned or initialized to NULL. Use /*@[email protected]*/ to declare the reference as a possibly null pointer.

Use Before Definition (Section 3)

m:-+++

usedef

The value of a location that may not be initialized on some execution path is used.

m:----

impouts

Allow unannotated pointer parameters to functions to be implicit out parameters.

m:-+++

compdef

Storage derivable from a parameter, return value or global variable is not completely defined.

m:-+++

uniondef

No field of a union is defined.  (No error is reported if at least one union field is defined.)

m:-+++

mustdefine

Parameter declared with out is not defined before return or scope exit.

P:+

fullinitblock

Initializer does not set every field in the structure.

P:+

initallelments

Initializer does not define all elements of a declared array.

P:+

initsize

Initializer block contains more elements than the size of a declared array.

m:-+++

incondefs

A function, variable or constant is redefined with a different type.

m:-+++

functionderef

A function type is dereferenced. The ANSI standard allows this because of implicit conversion of function designators, however the dereference is unnecessary.

m:--++

redundantsharequal

A declaration of an immutable object uses a redundant observer qualifier.

m:-+++

misplacedsharequal

A declaration of an unsharable object uses a sharing annotation.

Types (Section 4 )

 

P: +

type

Type mismatch.

P: +

string-literal-too-long

A string literal is assigned to a char array too small to hold it.

m: -+++

string-literal-no-room

A string literal is assigned to a char array that is not big enough to hold the null terminator.

m: ++++

string-literal-no-room-final-null

A string literal is assigned to a char array that is not big enough to hold the final null terminator. This may not be a problem because a null character has been explictedly included in the string literal using an escape sequence.

m: --++

string-literal-smaller

A string literal is assigned to a char array that smaller than the string literal needs.

m: --++

enum-members

Type of initial values for enum members must be int.

Boolean Types (Section 4.2 )

These flags control the type name used to represent Booleans, and whether the Boolean type is abstract.

 

P: -

bool

Boolean type is an abstract type.

P: bool

booltype <name>

Set name of Boolean type to <name>.

P:FALSE

boolfalse <name>

Set name of Boolean false to <name>.

P: TRUE

booltrue <name>

Set name of Boolean true to <name>.

P: +

likelybool

Splint has found a type which appears to be the boolean type. Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type.

Predicates

m:--++

pred-bool-ptr

Type of condition test is a pointer.

m:-+++

pred-bool-int

Type of condition test is an integral type.

m:++++

pred-bool-others

Type of condition test is not a Boolean, pointer or integral type.

shortcut

pred-bool

Sets predboolint, predboolptr and preboolothers.

P: +

pred-assign

The condition test is an assignment expression. If an assignment is intended, add an extra parentheses nesting (e.g., if ((a = b)) ...).

Primitive Operations

m:---+

ptr-arith

Arithmetic involving pointer and integer.

m: --++

nullptrarith

Pointer arithmetic using a possibly null pointer and integer.

m: ++--

boolops

The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers.

m:++--

ptr-negate

Allow the operand of the ! operator to be a pointer.

m:---+

bitwise-signed 

An operand to a bitwise operator is not an unsigned value. This may have unexpected results depending on the signed representations.

m: ---+

shiftimplementation

The left operand to a shift operator may be negative (behavior is implementation-defined).

m: -+++

shiftnegative

The right operand to a shift operator may be negative (behavior undefined).

m:-+++

shift-signed

The left operand to a shift operator is not an unsigned value.

m:---+

strict-ops

Primitive operation does not type check strictly.

m:---+

sizeof-type

Operand of sizeof operator is a type.  (Safer to use int *x = sizeof (*x); instead of sizeof (int).)

Array Formal Parameters

These flags control reporting of common errors caused by confusion about the semantics of array formal parameters.

 

P: +

sizeof-formal-array

The sizeof operator is used on a parameter declared as an array.  (In many instances this has unexpected behavior, since the result is the size of a pointer to the element type, not the number of elements in the array.)

 

P: +

fixed-formal-array

An array formal parameter is declared with a fixed size (e.g., int x[20]).  This is likely to be confusing, since the size is ignored.

P: -

formal-array

A formal parameter is declared as an array.  This is probably not a problem, but can be confusing since it is treated as a pointer. 

Format Codes

P: +

format-code

Invalid format code in format string for printflike or scanflike function.

P: +

format-type

Type-mismatch in parameter corresponding to format code in a printflike or scanflike function.

P: +

format-const

Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.

Main

P: +

main-type

Type of main does not match expected type (function returning an int, taking no parameters or two parameters of type int and char **.)

Comparisons

m:-+++

bool-compare

Comparison between Boolean values.  This is dangerous since there may be multiple true values as any non-zero value is interpreted as true.

m:-+++

real-compare

Comparison involving float or double values.  This is dangerous since it may produce unexpected results because floating point representations are inexact.

m:-+++

ptr-compare

Comparison between pointer and number.

m:-+++

unsigned-compare

An unsigned value is used in a comparison with zero in a way that is either a bug or confusing.

Type Equivalence

m: +---

void-abstract

Allow void * to match pointers to abstract types.  (Casting a pointer to an abstract type to a pointer to void is okay if +void-abstract is set.)

P: +

cast-fcn-ptr

 A pointer to a function is cast to (or used as) a pointer to void (or vice versa).

m:+---

forward-decl

Forward declarations of pointers to abstract representation match abstract type.

m:-+++

imp-type

A variable declaration has no explicit type.  The type is implicitly int.

P: +

incomplete-type

A formal parameter is declared with an incomplete type (e.g., int[][]).

m:+---

char-index

Allow char to index arrays.

m:----

enum-index

Allow members of enumtype to index arrays.

m:+---

bool-int

Make bool and int are equivalent.  (No type errors are reported when a Boolean is used where an integral type is expected and vice versa.)

m:+---

char-int

Make char and int types equivalent

m:+---

charunsignedchar

To allow char and unsigned char types to match use +charunsignedchar

m:++--

enum-int

Make enum and int types equivalent

m:+---

float-double

Make float and double types equivalent

m:----

ignore-quals

Ignore type qualifiers (long, short, unsigned).

m:++--

relax-quals

Report qualifier mismatches only if dangerous (information may be lost since a larger type is assigned to (or passed as) a smaller one or a comparison uses signed and unsigned values.)

m:----

ignore-signs

Ignore signs in type comparisons (unsigned matches signed).

 

P: -

long-integral

Allow long type to match an arbitrary integral type (e.g., dev_t).

m:+---

long-unsigned-integral

Allow unsigned long type to match an arbitrary integral type (e.g., dev_t).

P: -

match-any-integral

Allow any integral type to match an arbitrary

P: -

long-unsigned-unsigned-integral

Allow unsigned long type to match an arbitrary unsigned integral type (e.g., size_t).

m:+---

long-signed-integral

Allow long type to match an arbitrary signed integral type (e.g., ssize_t).

 

P: +

num-literal

Integer literals can be used as floats.

P: -

char-int-literal

A character constant may be used as an int.

P: +

zero-ptr

Literal 0 may be used as a pointer.

P: +

zero-bool

Treat 0 as a boolean.

P: -

relax-types

Allow all numeric types to match.

m: +---

shortint

Make short int and int types equivalent.

Abstract Types (Section 4.3 )

P: +

abstract

A data abstraction barrier is violated

P: -

imp-abstract

Implicit abstract annotation for type declarations that do not use concrete.

m:-+++

mut-rep

Representation of mutable type has sharing semantics.

Access (Section 4.3.1)

P: +

access-module

An abstract type defined in M.h (or specified in M.lcl) is accessible in M.c.

P: +

access-file

An abstract type named type is accessible in files named type.*

P: +

access-czech

An abstract type named type may be accessible in a function named type_name. (Section 12.1.1)

P: -

access-slovak

An abstract type named type may be accessible in a function named typeName.  (Section.12.1.2)

P: -

access-czechoslovak

An abstract type named type may be accessible in a function named type_name or typeName.  (Section 12.1.3)

shortcut

access-all

Sets access-module, access-file and access-czech.

Memory Management (Section 5 )

Reporting of memory management errors is controlled by flags setting checking and implicit annotations and code annotations. 

Deallocation Errors (Section 5.2)

m:-+++

use-released

Storage used after it may have been released.

m:---+

strict-use-released

An array element used after it may have been released.

Inconsistent Branches

m:-+++

branch-state

Storage has inconsistent states of alternate paths through a branch (e.g., it is released in the true branch of an if-statement, but there is no else branch.)

m:---+

strict-branch-state

Storage through array fetch has inconsistent states of alternate paths through a branch.  Since array elements are not checked accurately, this may lead to spurious errors.

m:--++

dep-arrays

Treat array elements as dependent storage.  Checking of array elements cannot be done accurately by Splint.  If dep-arrays is not set, array elements are assumed to be independent, so code that releases the same element more than once will produce no error.  If dep-arrays is set, array elements are assumed to be dependent, so code that releases the same element more that once will produce an error, but code that releases different elements correctly will produce a spurious error.

Memory Leaks

m:-+++

must-free

Allocated storage was not released before return or scope exit.  Errors are reported for only, fresh or owned storage.

m:-+++

mustfreefresh

Allocated storage was not released before return or scope exit. Errors are reported for fresh storage

m:-+++

mustfreeonly

Allocated storage was not released before return or scope exit. Errors are reported for only storage

shortcut

memchecks

Sets all dynamic memory checking flags (memimplicit, mustfree, mustdefine, mustnotalias, null, memtrans ).

m:-+++

comp-destroy

All only references derivable from out only parameter of type void * must be released.  (This is the type of the parameter to free, but may also be used for user-defined deallocation functions.)

m:---+

strict-destroy

Report complete destruction errors for array elements that may have been released.  (If strict-destroy is not set, Splint will assume that if any array element was released, the entire array was correctly released.)

Transfer Errors

A transfer error is reported when storage is transferred (by an assignment, passing a parameter, or returning) in a way that is inconsistent.

shortcut

mem-trans

Sets all memory transfer errors flags.

m:-+++

only-trans

Only storage transferred to non-only reference (memory leak).

m:-+++

ownedtrans

Owned storage transferred to non-owned reference (memory leak).

m:-+++

fresh-trans

Newly-allocated storage transferred to non-only reference (memory leak).

m:-+++

shared-trans

Shared storage transferred to non-shared reference

m:-+++

dependent-trans

Inconsistent dependent transfer. Dependent storage is transferred to a non-dependent reference.

m:-+++

temp-trans

Temporary storage (associated with a temp formal parameter) is transferred to a non-temporary reference.  The storage may be released or new aliases created.

m:-+++

kept-trans

Kept storage (storage what was passed as keep) transferred to non-temporary reference.

m:-+++

keep-trans

Keep storage is transferred in a way that may add a new alias to it, or release it.

m:-+++

refcount-trans

Reference counted storage is transferred in an inconsistent way.

m:-+++

newref-trans

A new reference transferred to a reference counted reference (reference count is not set correctly).

m:-+++

immediate-trans

An immediate address (result of &) is transferred inconsistently.

m:-+++

static-trans

Static storage is transferred in an inconsistent way.

m:-+++

expose-trans

Inconsistent exposure transfer. Exposed storage is transferred to a non-exposed, non-observer reference.

m:-+++

observer-trans

Inconsistent observer transfer. Observer storage is transferred to a non-observer reference.

m:-+++

unqualified-trans

Unqualified storage is transferred in an inconsistent way.

Initializers

m:--++

only-unq-global-trans

Only storage transferred to an unqualified global or static reference. This may lead to a memory leak, since the new reference is not necessarily released.

m:--++

static-init-trans

Static storage is used as an initial value in an inconsistent way.

m:--++

unqualified-init-trans

Unqualified storage is used as an initial value in an inconsistent way.

Derived Storage

m:-+++

comp-mem-pass

Storage derivable from a parameter does not match the alias kind expected for the formal parameter.

Stack References

m:++++

stack-ref

A stack reference is pointed to by an external reference when the function returns.  Since the call frame will be destroyed when the function returns the return value will point to dead storage. (Section 5.2.6)

Implicit Memory Annotations (Section 5.3 )

shortcut

all-imp-only

Sets glob-imp-only, ret-imp-only, struct-imp-only, specglobimponly, specretimponly and specstructimponly .

P: +

glob-imp-only

Assume unannotated global storage is only.

P: +

param-imp-temp

Assume unannotated parameter is temp.

P: +

ret-imp-only

Assume unannotated returned storage is only.

P: +

struct-imp-only

Assume unannotated structure or union field is only.

shortcut

code-imp-only

Sets glob-imp-only, ret-imp-only and struct-imp-only.

m:-+++

mem-imp

Report memory errors for unqualified storage.

m:----

pass-unknown

Passing a value as an unannotated parameter clears its annotation.  This will prevent many spurious errors from being report for unannotated programs, but eliminates the possibility of detecting many errors.

Sharing (Section 6)

Aliasing (Section 6.1 )

m:-+++

alias-unique

An actual parameter that is passed as a unique formal parameter is aliased by another parameter or global variable.

m:-+++

may-alias-unique

An actual parameter that is passed as a unique formal parameter may be aliased by another parameter or global variable.

m:-+++

must-not-alias

An alias has been added to a temp-qualifier parameter or global that is visible externally when the function returns. 

m:--++

ret-alias

A function returns an alias to parameter or global.

Exposure (Section 6.2 )

shortcut

rep-expose

The internal representation of an abstract type is visible to the caller.  This means clients may have access to a pointer into the abstract representation.  (Sets assign-expose, ret-expose, and cast-expose.)

m:--++

assign-expose

Abstract representation is exposed by an assignment or passed parameter.

m:--++

cast-expose

Abstract representation is exposed through a cast.

m:--++

ret-expose

Abstract representation is exposed by a return value.

Observer Modifications

P: +

mod-observer

Possible modification of observer storage.

m:---+

mod-observer-uncon

Storage declared with observer may be modified through a call to an unconstrained function.

String Literals (Section 6.2.1)

m:--++

read-only-trans

Report memory transfer errors for initializations to read-only string literals

m:-+++

read-only-strings

String literals are read-only (ISO semantics).  An error is reported if a string literal may be modified or released.

Function Interfaces (Section 7 )

Modification (Section 7.1)

P: +

modifies

Undocumented modification of caller-visible state.  Without +moduncon, modification errors are only reported in the definitions of functions declared with a modifies clause (or specified).

m:--++

must-mod

Documented modification is not detected.  An object listed in the modifies clause for a function, is not modified by the implementation.

shortcut

mod-uncon

Report modification errors in functions declared without a modifies clause.(Sets mod-nomods, mod-globs-nomods and mod-strict-globs-nomods.)

m:---+

mod-nomods

Report modification errors (not involving global variables) in functions declared without a modifies clause.

m:---+

mod-uncon-nomods

An unconstrained function is called in a function body where modifications are checked.  Since the unconstrained function may modify anything, there may be undetected modifications in the checked function.

m:---+

mod-internal-strict

A function that modifies internalState is called from a function that does not list internalState in its modifies clause.

m:---+

mod-file-sys

A function modifies the file system but does not list fileSystem in its modifies clause.

Global Variables (Section 7.2 )

Errors involving the use and modification of global and file static variables are reported depending on flag settings, annotations where the global variable is declared, and whether or not the function where the global is used was declared with a globals clause.

P: +

globs

Undocumented use of a checked global variable in a function with a globals list.

m:++++

glob-use

A global listed in the globals list is not used in the implementation.

m:---+

glob-noglobs

Use of a checked global in a function with no globals list.

m:---+

internal-globs

Undocumented use of internal state (should have globals internalState).

m:---+

internal-globs-noglobs

        Use of internal state in function with no globals list.

m:-+++

glob-state

A function returns with global in inconsistent state (null or undefined)

m:--++

all-globs

Report use and modification errors for globals not annotated with unchecked.

m:++++

check-strict-globs

Report use and modification errors for checkedstrict globals.

Modification of Global Variables

m:-+++

mod-globs

Undocumented modification of a checked global variable.

m:---+

mod-globs-unchecked

Undocumented modification of an unchecked global variable.

m:---+

mod-globs-nomods

Undocumented modification of a checked global variable in a function with no modifies clause.

m:---+

mod-strict-globs-nomods

Undocumented modification of a checkedstrict global variable in a function declared with no modifies clause.

Globals Lists and Modifies Clauses

m:---+

warn-missing-globs

Global variable used in modifies clause is not listed in globals list.  (The global is added to the globals list.)

m:---+

warn-missing-globs-noglobs

Global variable used in modifies clause of a function with no globals list.

m:--++

globs-imp-mods-nothing

A function declared with a globals list but no modifies clause is assumed to modify nothing.

m:----

mods-imp-noglobs

A function declared with a modifies clause but no globals list is assumed to use no globals.

Implicit Checking Annotations

m:----

imp-checked-globs

Implicit checked annotation on global variables with no checking annotation.

m:----

imp-checked-statics

Implicit checked qualifier file static scope variables with no checking annotation.

m:----

imp-checkmod-globs

Implicit checkmod qualifier on global variables with no checking annotation.

 

m:----

imp-checkmod-statics

Implicit checkmod qualifier file static scope variables with no checking annotation.

m:---+

imp-checkedstrict-globs

Implicit checked qualifier on global variables with no checking annotation.

m:---+

imp-checkedstrict-statics

Implicit checked qualifier file static scope variables with no checking annotation.

m:--++

imp-checkmod-internals

Implicit checkmod qualifier on function scope static variables with no checking annotation.

m:-+++

 

Global Aliasing

shortcut

glob-alias

Function returns with global aliasing external state (sets checkstrict-glob-alias, checked-glob-alias, checkmod-glob-alias and unchecked-glob-alias).

m:-+++

checkstrict-glob-alias

Function returns with a checkedstrict global aliasing external state.

m:-+++

checked-glob-alias

Function returns with a checked global aliasing external state.

m:-+++

checkmod-glob-alias

Function returns with a checkmod global aliasing external state.

m:--++

unchecked-glob-alias

Function returns with an unchecked global aliasing external state.

Declaration Consistency (Section 7.3)

m:-+++

incon-defs

Identifier redeclared or redefined with inconsistent type.

m:-+++

incon-defs-lib

Identifier defined in a library is redefined with inconsistent type.

m:----

overload

Standard library function overloaded.

m:-+++

match-fields

A struct or enum type is redefined with inconsistent fields or members.

Macros (Section 11 )

These flags control expansion and checking of macro definitions and invocations.

Macro Expansion

These flags control which macros are checked as functions or constants, and which are expanded in the pre-processing phase.  Macros preceded by /*@[email protected]*/ are never expanded regardless of these flag settings.  These flags may be used in source-file control comments.

P: -

fcn-macros

Macros defined with parameter lists are not expanded and are checked as functions.

P: -

const-macros

Macros defined without parameter lists are not expanded and are checked as constants.

shortcut

all-macros

Sets fcn-macros and const-macros.

P: -

lib-macros

Macros defining identifiers declared in a loaded library are not expanded and are checked according to the library information. 

Macro Definitions

These flags control what errors are reported in macro definitions.

m:-+++

macro-stmt

Macro definition is not syntactically equivalent to function.  This means if the macro is used as a statement (e.g., if (test) macro();) unexpected behavior may result.  One fix is to surround the macro body with do { … } while (FALSE).

m:-+++

macro-return

The body of a macro declared as a function uses a return statement. This exhibits behavior that could not be implemented by a function.

m:-+++

macro-assign

A macro parameter is used as the left side of an assignment expression.

m:-+++

macro-parens

A macro parameter is used without parentheses (in potentially dangerous context).

m:---+

macro-empty

Macro definition of a function is empty.  

m:-+++

macro-redef

Macro is redefined.  There is another macro defined with the same name.

m:-+++

macro-unrecog 

An unrecognized identifier appears in a macro definition.  Since the identifier may be defined where the macro is used, this could be okay, but Splint will not be able to check the unrecognized identifier appropriately.

Corresponding Declarations

m:++++

macro-match-name

An iter or constant macro is defined using a different name from the one used in the previous syntactic comment

shortcut

macro-decl

A macro definition has no corresponding declaration.  (Sets macrofcndecl and macroconstdecl.)

m:-+++

macro-fcn-decl

Macro definition with parameter list has no corresponding function prototype. Without a prototype, the types of the macro result and parameters are unknown.

m:-+++

macro-const-decl

A macro definition without parameter list has no corresponding constant declaration.   

P: +

next-line-macros

A constant or iter declaration is not immediately followed by a macro definition.

Side Effect Free Parameters (Section 11.2.1 )

These flags control error reporting for parameters with inconsistent side effects in invocations of checked function macros and function calls.

m:-+++

sef-params

An actual parameter with side effects is passed as a formal parameter declared with sef.

m:--++

sef-uncon

An actual parameter involving a call to an unconstrained function (declared without modifies clause) that may modify anything is passed as a sef parameter.

Iterators

P: +

iterbalance

Iter is not balanced with end <iter>.

P: +

iteryield

Iter yield parameter is inappropriate.

P: -

has-yield

An iterator has been declared with no parameters annotated with yield.

Naming Conventions (Section 12)

P: +

name-checks

Turns all name checking on or off without changing other settings.

Type-Based Naming Conventions (Section 12.1)

Czech Naming Convention

shortcut

czech

Selects complete Czech naming convention (sets access-czech, czech-fcns, czech-vars, czech-consts, czech-macros, and czech-types).

P: +

access-czech

Allow access to abstract types following Czech naming convention.  The representation of an abstract type named t is accessible in the definition of a function or constant named t_name.

P: -

czech-fcns

Function or iterator name is not consistent with Czech naming convention.

P: -

czech-vars

 Variable name is not consistent with Czech naming convention.

P: -

czech-macros

 Expanded macro name is not consistent with Czech naming convention.

P: -

czech-consts

Constant name is not consistent with Czech naming convention.

P: -

czech-types

Type name is not consistent with Czech naming convention.  Czech type names must not use the underscore character.

Slovak Naming Convention

shortcut

slovak

Selects complete Slovak naming convention (sets access-slovak, slovak-fcns, slovak-vars, slovak-consts, slovak-macros, and slovak-types).

P: -

access-slovak

Allow access to abstract types following Slovak naming convention. The representation of an abstract type named t is accessible in the definition of a function or constant named tName.

P: -

slovak-fcns

Function or iterator name is not consistent with Slovak naming convention.

P: -

slovak-macros

Expanded macro name is not consistent with Slovak naming convention.

P: -

slovak-vars

 Variable name is not consistent with Slovak naming convention.

P: -

slovak-consts

 Constant name is not consistent with Slovak naming convention.

P: -

slovak-types

Type name is not consistent with Slovak naming convention.  Slovak type names may not include uppercase letters.

Czechoslovak Naming Convention

shortcut

czechoslovak

Selects complete Czechoslovak naming convention (sets access-czechoslovak, czechoslovak-fcns, czechoslovak-vars, czechoslovak-consts, czechoslovak-macros, and czechoslovak-types).

P: -

access-czechoslovak

Allow access to abstract types by Czechoslovak naming convention. The representation of an abstract type named t is accessible in the definition of a function or constant named t_name or tName.

P: -

czechoslovak-fcns

 Function name is not consistent with Czechoslovak naming convention.

P: -

czechoslovak-macros

Expanded macro name is not consistent with Czechoslovak naming convention.

P: -

czechoslovak-vars

Variable name is not consistent with Czechoslovak naming convention.

P: -

czechoslovak-consts

Constant name is not consistent with Czechoslovak naming convention.

P: -

czechoslovak-types

Type name is not consistent with Czechoslovak naming convention. Czechoslovak type names may not include uppercase letters or the underscore character.

Namespace Prefixes (Section 12.2)

macro-var-prefix <prefix string>

Set namespace prefix for variables declared in a macro body.  (Default is m_.)

P: +

macro-var-prefix-exclude

A variable declared outside a macro body starts with the macro-var-prefix.

tag-prefix <prefix string>

Set namespace prefix of struct, union or enum tag identifiers.

P: -

tag-prefix-exclude

An identifier that is not a tag starts with the tagprefix.

enum-prefix <prefix string>

Set namespace prefix for enum members.

P: -

enum-prefix-exclude

An identifier that is not an enum member starts with the enumprefix.

file-static-prefix  <prefix string>

Set namespace prefix for file static declarations.

P: -

file-static-prefix-exclude

An identifier that is not file static starts with the filestaticprefix.

global-prefix <prefix string>

Set namespace prefix for global variables.

P: -

global-prefix-exclude

An identifier that is not a global variable starts with the globalprefix.

type-prefix <prefix string>

Set namespace prefix for user-defined types.

P: -

type-prefix-exclude

An identifier that is not a type name starts with the typeprefix.

external-prefix <prefix string>

Set namespace prefix for external identifiers.

P: -

external-prefix-exclude

An identifier that is not external starts with the externalprefix.

local-prefix <prefix string>

Set namespace prefix for local variables.

P: -

local-prefix-exclude

 An identifier that is not a local variable starts with the localprefix.

unchecked-macro-prefix  <prefix string>

Set namespace prefix for unchecked macros.

P: -

unchecked-macro-prefix-exclude

An identifier that is not the name of an unchecked macro starts with the uncheckedmacroprefix.

const-prefix <prefix string>

Set namespace prefix for constants.

P: -

const-prefix-exclude

An identifier that is not a constant starts with the constantprefix.

iter-prefix <prefix string>

Set namespace prefix for iterators.

P: -

iter-prefix-exclude

An identifier that is not an iter starts with the iterprefix.

proto-param-prefix  <prefix string>

Set namespace prefix for parameters in function prototypes.

P: -

proto-param-prefix-exclude

An identifier that is not a parameter in a function prototype starts with the protoprarmprefix.

m:--++

proto-param-name

A parameter in a function prototype has a name (can interfere with macro definitions).

m:---+

proto-param-match

The name of a parameter in a function definition does not match the corresponding name of the parameter in a function prototype (after removing the protoparamprefix).

Naming Restrictions (Section 12.3)

m:-+++

shadow

Declaration reuses name visible in outer scope.

Reserved Names

m:--++

ansi-reserved

External name conflicts with name reserved for the compiler or standard library.

m:---+

ansi-reserved-internal

 Internal name conflicts with name reserved for the compiler or standard library.

m:--++

iso-reserved

External name is reserved for system use by ISO C99 standard.

m:---+

iso-reserved-internal

Internal name is reserved for system in ISO C99 standard (this should not be necessary unless you are worried about C library implementations that violate the standard and use macros).

m:--++

cpp-names

Internal or external name conflicts with a C++ reserved word.  (Will cause problems if program is compiled with a C++ compiler.)

Distinct External Names

P: -

distinct-external-names

An external name is not distinguishable from another external name using externalnamelen significant characters.

P: 6

external-name-len  <number>

Sets the number of significant characters in an external name (ANSI default minimum is 6).  Sets +distinct-external-names.

P: -

external-name-case-insensitive

Make alphabetic case insignificant in external names.  According to ANSI standard, case need not be significant in an external name.  If +distinct-external-names is not set, sets +distinct-external-names with unlimited external name length.

Distinct Internal Names

m:----

distinct-internal-names

An internal name is not distinguishable from another internal name using internalnamelen significant characters.   (Also effected by internal-name-case-insensitive and internal-name-lookalike.)

P: 31

internal-name-len  <number>

Set the number of significant characters in an internal name. Sets +distinct-internal-names.

P: -

internal-name-case-insensitive

Set whether case is significant an internal names (-internal-name-case-insensitive means case is significant).  If +distinct-internal-names is not set, sets +distinct-internal-names with unlimited internal name length.

P: -

internal-name-lookalike

 Set whether similar looking characters (e.g., “1” and “l”) match in internal names.

Control Flow (Section 8)

Undefined Evaluation Order (Section 8.2 )

m:-+++

eval-order

Behavior of an expression is unspecified or implementation-dependent because sub-expressions contain interfering side effects that may be evaluated in any order.

m:---+

eval-order-uncon

An expression may be undefined because a sub-expression contains a call to an unconstrained function (no modifies clause) that may modify something that may be modified or used by another sub-expression.

Problematic Control Structures (Section 8.3 )

m:-+++

inf-loops

Likely infinite loop is detected (Section 8.3.1).

m:--++

inf-loops-uncon

Likely infinite loop is detected.  Loop test or body calls an unconstrained function that may produce an undetected modification.

m:---+

elseif-complete

There is no finals else following an else if construct (Section 8.3.5).

m:-+++

case-break

There is a non-empty case in a switch not followed by a break(Section 8.3.2 ).

m:-+++

first-case

The first statement after a switch is not a case.

m:-+++

Duplicate-case

Duplicate cases in switch.

m:-+++

miss-case

A switch on an enum type is missing a case for a member of the enumerator.

P+

emptyreturn

Empty return in function declared to return value.

P+

alwaysexits

Loop predicate always exits.

shortcut

loop-exec

Assume all loops execute at least once.  This effects use-before-definition and memory checking.  It should probably not be used globally, but may be used surrounding a particular loop that is known to always execute to prevent spurious messages. (sets for-loop-exec, while-loop-exec and iter-loop-exec

P-

for-loop-exec

Assume all for loops execute at least once. This effects use-before-definition and memory checking. It should probably not be used globally, but may be used surrounding a particular loop that is known to always execute to prevent spurious messages.

P-

while-loop-exec

Assume all while loops execute at least once. This effects use-before-definition and memory checking. It should probably not be used globally, but may be used surrounding a particular loop that is known to always execute to prevent spurious messages.

P-

iter-loop-exec

Assume all iter loops execute at least once. This effects use-before-definition and memory checking. It should probably not be used globally, but may be used surrounding a particular loop that is known to always execute to prevent spurious messages.

P+

obvious-loop-exec

Assume loop that can be determined to always execute always does.

Deep Break (Section 8.3.3 )

shortcut

deep-break

Report errors for break statements inside a nested while, for or switch.  (Sets all nested break and continue flags.)

m:--++

loop-loop-break

There is a break inside a while, for or iterator loop that is inside a while, for or iterator loop. Mark with /*@[email protected]*/ to suppress the message.

m:--++

switch-loop-break

There is abreak inside a while, for or iterator loop that is inside a switch statement.  Mark with /*@[email protected]*/.

m:---+

loop-switch-break

There is abreak inside a switch statement that is inside a while, for or iterator loop.  Mark with /*@[email protected]*/.

m:---+

switch-switch-break

There is abreak inside a switch statement that is inside another switch statement.  Mark with /*@[email protected]*/.

m:---+

loop-loop-continue

There is a continue inside a while, for or iterator loop that is inside a while, for or iterator loop.  Mark with /*@[email protected]*/.

Loop and if Bodies (Section 8.3.4)

shortcut

all-empty

An if, while or for statement has no body (sets if-empty, while-empty and for-empty.)

shortcut

all-block

The body of an if, while or for statement is not a block (sets if-block, while-block and for-block.)

m:--++

while-empty

A while statement has no body.

m:---+

while-block

 The body of a while statement is not a block

m:---+

for-empty

A for statement has no body.

m:---+

for-block

The body of a for statement is not a block.

m:++++

if-empty

An if statement has no body.

m:---+

ifblock

The body of an if statement is not a block.

Suspicious Statements (Section 8.4)

m:-+++

unreachable

Code is not reached on any possible execution.

m:-+++

noeffect

Statement has no effect.

m:---+

noeffect-uncon

Statement involving call to unconstrained function may have no effect.

m:-+++

noret

There is a path with no return in a function declared to return a non-void value.

Ignored Return Values (Section 8.4.2 )

These flags control when errors are reported for function calls that do not use the return value.  Casting the function call to void or declaring the called function to return /*@alt [email protected]*/.

m:-+++

ret-val-bool

Return value of type bool ignored.

m:-+++

ret-val-int

Return value of type int ignored.

m:++++

ret-val-other

Return value of type other than bool or int ignored.

shortcut

ret-val

Return value ignored (Sets retvalbool, retvalint, retvalother.)

Memory Bounds (Section 9)

shortcut

bounds

Memory read or write may be out of bounds of allocated storage (sets boundsread and boundswrite

m:----

boundsread

A memory read references memory beyond the allocated storage (also sets likelyboundsread.

m:----

boundswrite

A memory write may write to an address beyond the allocated buffer (also sets likelyboundswrite.

shortcut

likelybounds

Likely memory read or write is likely to be out of bounds of allocated storage (sets likelyboundsread and likelyboundswrite)

m:----

likelyboundsread

A likely memory read references memory beyond the allocated storage (also sets likelyboundsread.

m:----

likelyboundswrite

A memory write is likely to write to an address beyond the allocated buffer.

m:----

fcnpost

Display function post conditions.

m:----

redundantconstraints

Display seemingly redundant conditions.

m:----

checkpost

The functions implementation may not satidfy a post condition given in an ensures clause.

P-

showconstraintparens

Display parentheses around constraint terms.

P+

showconstraintlocation

Display location for every constraint generated.


The following flags are mainly of interest to Splint developers. The default values are adequate in normal use. They are included for completeness.

P-

debugfcnconstraint

Perform buffer overflow checking even if the errors would be inhibited.

P-

implictconstraints

Generate implicit constraints for functions.  This is an experimental option.  Currently this option reduces the number of bounds errors but causes real error to be missed.

P-

orconstraint

This flags affects the internal constraint resolution.  If set, the internal constraint resolution is more accurate.  The performance impact is minimal so there is little reason not to have this flag set.

Extensible Checking (Section 13 )

P-

mts <filename>

Load meta state declaration and corresponding xh file.

m:++++

statetransfer

Transfer violates user-defined state rules.

m:++++

statemerge

Control path merge violates user-defined state merge rules.

Completeness (Section 13 )

Unused Declarations (Section 13.1 )

These flags control when errors are reported for declarations that are never used.  The unused annotation can be used to prevent unused errors from being report for a particular declaration.

m:---+

top-use

An external declaration is not used in any file.

m:-+++

const-use

Constant never used.

m:-+++

enum-mem-use

Member of enumerator never used.

m:++++

var-use

Variable never used.

m:-+++

param-use

Function parameter never used.

m:++++

fcn-use

Function is never used.

m:++++

type-use

Defined type never used.

m:-+++

field-use

Field of structure or union type is never used.

m:---+

unused-special

Declaration in a special file (corresponding to .l or .y file) is unused.

Complete Programs (Section 13.2)

m:--++

decl-undef

Function, variable, iterator or constant declared but never defined.

shortcut

partial

Check as partial system (sets -decl-undef, -export-local and prevents checking of macros in headers without corresponding .c files.)

Exports

m:---+

export-local

A declaration is exported but not used outside this module.  (Declaration can use the static qualifier.)

m:--++

export-header

A declaration (other than a variable) is exported but does not appear in a header file.

m:--++

export-header-var

A variable declaration is exported but does not appear in a header file.

Unrecognized Identifiers

P: +

unrecog

An unrecognized identifier is used.

P: +

sys-unrecog

Report unrecognized identifiers that start with the system prefix, __ (two underscores).

P: -

repeat-unrecog

Report multiple messages for unrecognized identifiers.  If repeatunrecog is not set, an error is reported only the first time a particular unrecognized identifier appears in the file.

Multiple Definition and Declarations

P: +

redef

A function or variable is defined more than once.

m:--++

redecl

An identifier is declared more than once.

m:-+++

nested-extern

An extern declaration is used inside a function body.

ISO Conformance

m:--++

noparams

A function is declared without a parameter list prototype.

m:---+

old-style

Function definition is in old style syntax.  Standard prototype syntax is preferred.

m:-+++

exit-arg

Argument to exit has implementation defined behavior.  The only valid arguments to exit are EXIT_SUCCESS, EXIT_FAILURE and 0.  An error is reported if Splint can determine statically that the argument to exit is not one of these.

P: +

use-varargs

Report if <varargs.h> is used (should use stdarg.h).

Limits

The ANSI Standard includes limits on minimum numbers that a conforming compiler must support.  Whether of not a particular compiler exceeds these limits, it is worth checking that a program does not exceed them so that other compilers may safely compile it.  In addition, exceeding a limit may indicate a problem in the code (e.g., it is too complex if the control nest depth limit is exceeded) that should be fixed regardless of the compiler.  Splint checks the following limits.  For each limit, the maximum value may be set from the command line (or locally using a stylized comment).  The minimum limits were increased for the ISO C99 specification.  If the iso99-limits flag is used, all limits are checked with the minimum values of an ISO C99 conforming compiler.  If the ansi89-limits flag is used, all limits are checked with the minimum values of an ANSI C89 conforming compiler.

shortcut

ansi89-limits

Check for violations of minimum limits prescribed by ANSI C89 standard (sets control-nest-depth, string-literal-len, include-nest, num-struct-fields, and num-enum-members).

shortcut

iso99-limits

Check for violations of minimum limits prescribed by ISO C99 standard (sets control-nest-depth, string-literal-len, include-nest, num-struct-fields, and num-enum-members).

m:---+

control-nest-depth  <number>

Set maximum nesting depth of compound statements, iteration control structures, and selection control structures (ISO C99 minimum is 63; ANSI C89 minimum is 15).

m:---+

string-literal-len  <number>

Set maximum length of string literals (ISO C99 minimum is 4095; ANSI C89 minimum is 509).

m:---+

num-struct-fields  <number>

Set maximum number of fields in a struct or union (ISO C99 minimum is 1023; ANSI minimum is 127).

m:---+

num-enum-members <number>

Set maximum number of members of an enum type (ISO C99 minimum is 1023; ANSI minimum is 127).

m:--++

include-nest <number>

Set maximum number of nested #include files (ISO C99 minimum is 63; ANSI minimum is 8).

Header Inclusion (Section 14.3 )

P: +

skip-ansi-headers

Prevent inclusion of header files in a system directory with names that match standard ANSI headers. The symbolic information in the standard library is used instead.  Flag in effect only if a library that includes the standard library is used.  The ANSI headers are: assert, ctype, errno, float, limits, locale, math, setjmp, signal, stdarg, stddef, stdio, stdlib, strings, string, time, and wchar.

P: +

skip-iso-headers

Prevent inclusion of header files in a system directory with names that match standard ISO C99 headers. The symbolic information in the standard library is used instead.  In effect only if a library that includes the standard library is used.  The ISO C99 headers are: assert, complex, ctype, errno, fenv, float, inttypes, iso646, limits, locale, math, setjmp, signal, stdarg, stdbool, stddef, stdio, stdlib, string, tgmath, time, wchar, and wctype.

P: +

skip-posix-headers

Prevent inclusion of header files in a system directory with names that match standard POSIX headers. The symbolic information in the standard library is used instead.  In effect only if a library that includes the POSIX library is used.  The skipped POSIX headers are: dirent, fcntl, grp, pwd, termios, sys/stat, sys/times, sys/types, sys/utsname, sys/wait, unistd, and utime.

P: +

warn-posix-headers

Report use of a POSIX header when checking a program with a non-POSIX library.

 

P: +

warn-unix-headers

Warn the user that the unix library may not be compatible with all platforms.

P: -

skip-sys-headers

Prevent inclusion of all header files in system directories.

P: +

sys-dir-expand-macros

Expand macros in system directories regardless of other settings, except for macros corresponding to names defined in a load library.

m:---+

sys-dir-errors

Report errors in files in system directories (set by -sys-dirs).  

 

P:+

warn-sys-files

Warn when a system file was listed as a command line file but Splint is not set to report errors for system files. This prevents accidentally missing warnings in system files when Splint is run in a system directory.

global: -

single-include

Optimize header inclusion to only include each header file once.

global: -

never-include

Use library information instead of including header files.

global: -

case-insensitive-filenames

File names are case insensitive (file.h and FILE.H are the same file).

Comments

These flags control how syntactic comments are interpreted.

P: @

comment-char <char>

Set the marker character for syntactic comments.  Comments beginning with /*<char> are interpreted by Splint.

P: -

noaccess

Ignore access comments.

P: -

nocomments

Ignore all stylized comments.

P: +

sup-counts

Actual number of errors does not match number in /*@i<n>@*/

P: +

lint-comments

Interpret traditional lint comments (/*FALLTHROUGH*/, /*NOTREACHED*/, /*PRINTFLIKE*/).

m:-+++

warn-lint-comments

Print a warning and suggest an alternative when a traditional lint comment is used.   

P: +

unrecog-comments

Stylized comment is unrecognized.

P: +

unrecog-flag-comments

Semantic comment attempts to set a flag that is not recognized.

P: +

annotationerror

A declaration uses an invalid annotation.

P: +

commenterror

A syntactic comment is used inconsistently.

Parsing

P: -

continue-comment

A line continuation marker (\) appears inside a comment on the same line as the comment close. Preprocessors should handle this correctly, but it causes problems for some preprocessors.

P: +

nest-comment

A comment open sequence (/*) appears inside a comment.  This usually indicates that an earlier comment was not closed.

P: -

slashslashcomment

A // comment is used.  ISO C99 allows // comments, but earlier standards did not.

P: +

duplicate-quals

Report duplicate type qualifiers (e.g., unsigned unsigned).

P: +

gnu-extensions

Support some GNU and Microsoft language extensions.

P: +

syntax

Parse error.

P: -

try-to-recover

Try to recover from a parse error.  If trytorecover is not set, Splint will abort checking after a parse error is detected.  If it is set, Splint will attempt to recover, but Splint does performs only minimal error recovery.  It is likely that trying to recover after a parse error will lead to an internal assertion failing.

Warn use

m: -+++

bufferoverflow

Use of function that may lead to buffer overflow.

m: ++++

bufferoverflowhigh

Use of function that may lead to buffer overflow.

m: --++

implementationoptional

Use of a declarator that is implementation optional, not required by ISO99.

m: --++

multithreaded

Non-reentrant function should not be used in multithreaded code.

m: --++

portability

Use of function that may have implementation-dependent behavior.

m: --++

superuser

Call to function restricted to superusers.

m: ---+

toctou

Possible time of check, time of use vulnerability.

m: ----

unixstandard

Use of function that need not be provided by UNIX implementations

ITS4 compatibility flags

P: -

its4mostrisky

Security vulnerability classified as most risky in its4 database.

P: -

its4veryrisky

Security vulnerability classified as very risky in its4 database.

P: -

its4risky

Security vulnerability classified as risky in its4 database.

P: -

its4moderate

Security vulnerability classified as moderate risk in its4 database.

P: -

its4low

Security vulnerability classified as risky in its4 database.

Debug flags

P: 3

bugslimit

Set maximum number of bugs detected before giving up.

m: ----

debugfcnconstraint

Perform buffer overflow checking even if the errors would be surpressed.

P: -

grammar

Debug parsing. Prints bison generated debuging information.

P: -

keep

Do not delete temporary files.

P: -

nopp

Do not pre-process input files.

P: -

showsourceloc

Display the source code location where a warning is produced.

Next: Appendix C. Annotations
Return to Contents

Splint Manual
[email protected]
1. Operation - 2. Null Dereferences - 3. Undefined Values - 4. Types - 5. Memory Management - 6. Sharing
7. Function Interfaces - 8. Control Flow - 9. Buffer Sizes - 10. Extensible Checking - 11. Macros
12. Naming Conventions - 13. Completeness - 14. Libraries and Header File Inclusion
Appendices: A. Availability - B. Flags - C. Annotations - D. Specifications - E. Annotated Bibliography - Index