[splint-discuss] Passed storage is stack
John Carter
john.carter at tait.co.nz
Sun Apr 27 16:15:11 PDT 2008
On Wed, 23 Apr 2008, Carsten.Agger at tietoenator.com wrote:
>
> Here's another splint warning pattern which occurs very frequently in the code I'm reviewing:
>
> struct_type s;
> member_type m;
>
> s = << ... >>
>
> s.m = &m;
>
> f(..., ..., &s, ..., ...);
>
>
> Storage m.s reachable from passed parameter is stack (should be implicitly only): &s
> Storage derivable from a parameter does not match the alias kind expected for
> the formal parameter. (Use -compmempass to inhibit warning)
Again it is a matter of explaining to splint, in the declaration, your intent.
By default splint doesn't know you intend that f makes just brief use
of it and doesn't hold onto that pointer.
The mistake we usually make on seeing splint is to assume it analyses
f first, and then on the basis of that knowledge analyses the uses of
f.
Nope, it doesn't and perhaps more importantly, shouldn't do that.
It just looks at the declaration of f, makes certain (documented in
the manual) assumptions about it and then checks the client AND the
implementation on that basis.
i.e. You haven't told splint what f will do with that pointer, so it's
made some reasonable, but in this case false, assumptions about it.
In fact, this warning will catch a largish number of standard newbie-to-C bugs.
So assuming you're not a newbie to C and you know what you are
doing.... and know the danger of pointers to items on the stack...
You have to go to the declaration of f, in particular the declaration
of the pointer parameter you are using, and annotate that.
This is actually a _very_ good thing. Assuming you aren't the only
person maintaining this code... then perhaps in a couple of months
somebody comes along and changes the implementation of f to hold on to
that pointer.
"f" perhaps still works fine for the invocation that person is testing
it on, but now has a bug in the invocation you have before you!
If you don't use splint, or have just told splint to "shut up", that
bug will probably only be found by the customer...
With splint, and that annotation you have supplemented the declaration
of "f" with an important bit of documentation, "f" must not hold on to
that pointer, in some cases it will go invalid immediately after
return.
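As an added illustration (not code from the original post or from the splint project), here is the pattern from the quoted warning written out with aliasing annotations, so the declaration documents that the pointer is only borrowed for the call. It assumes splint's /*@dependent@*/ annotation for a struct field that does not own the storage it points to (struct fields being implicitly only, as the warning says) and /*@temp@*/ for a parameter the callee must not retain; the names f, caller, struct_type and member_type are taken from the thread, the bodies are made up.

```c
#include <stddef.h>

// Added example: the "passed storage is stack" pattern with the annotations
// that state the intent. Assumption: splint's /*@dependent@*/ marks a field
// whose storage is owned elsewhere, and /*@temp@*/ marks a parameter that
// may be used only for the duration of the call and never retained.

typedef int member_type;

typedef struct {
    int id;
    /*@dependent@*/ member_type *m;   // points at storage owned elsewhere
} struct_type;

// f only reads through s->m during the call and must not keep the pointer.
// With /*@temp@*/ on the parameter, the declaration now documents that
// contract: a later implementation of f that stashes s or s->m in a static
// would contradict the annotation instead of silently dangling after return.
static int f(int scale, /*@temp@*/ const struct_type *s)
{
    return s->id + scale * (*s->m);
}

// The client: s and m both live on this function's stack, exactly the
// situation the original warning describes. That is fine precisely
// because f is contractually temporary; both objects outlive the call.
int caller(int scale)
{
    struct_type s;
    member_type m = 7;      // constructed sample value

    s.id = 3;
    s.m = &m;               // pointer to stack storage stored in a stack struct

    return f(scale, &s);    // &s stays valid for the whole call
}
```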
John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : john.carter at tait.co.nz
New Zealand