1 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
\r
5 <title>Using Wrapper Functions</title>
\r
9 <div class="Section1">
\r
10 <h1>Using Wrapper Functions</h1>
\r
12 <p>The propose of this document is to provide an example of
\r
13 how to use wrapper functions to create programs that are
\r
14 more robust and that Splint can check more
\r
15 effectively. The C standard library function realloc
\r
16 has complex semantics and is easy to use incorrectly.
\r
17 Still, it is a popular function, and we are frequently
\r
18 asked how to use Splint to check code that uses
\r
19 realloc. We hope to answer these questions in this
\r
20 section. Additionally, we hope this example will
\r
21 provide insight into other ways to work around some of the
\r
22 limitations of Splint’s checking, and serve as a
\r
23 template for users wishing to create their own wrapper
\r
26 <p>Splint cannot currently describe general functions where
\r
27 some of the attributes are dependent on one or more of the
\r
28 possible return values. Often, functions are defined
\r
29 to modify their outputs, and perhaps allocate storage, but
\r
30 can also return an error indication, in which case none of
\r
31 the modifications or allocations will take place.</p>
\r
33 <p>One very common example of this is the C standard
\r
34 library function realloc( void *pointer, size_t
\r
35 size). When realloc succeeds, the pointer passed to
\r
36 it is no longer valid. The returned pointer points to
\r
37 available storage with the specified size, and the values
\r
38 are copied from the leading portion of the original storage
\r
39 indicated by the pointer passed to the function. When
\r
40 realloc returns a NULL pointer, and more than zero bytes
\r
41 were supposed to be allocated, no new storage has been
\r
42 allocated. The original pointer passed in is not
\r
43 deallocated and its contents are still accessible.
\r
44 (Under ANSI C '89 and later, malloc and realloc may return
\r
45 NULL if asked for zero bytes. In this case, realloc
\r
46 would release the old storage.)</p>
\r
48 <p>If you use realloc, -usereleased can be used to suppress
\r
49 warnings. However, this may result in legitimate
\r
50 warnings for other errors being suppressed as well.
\r
51 If you don't mind crafting your code to work around
\r
52 Splint's quirks, you can isolate this difficult-to-describe
\r
53 behavior to a single function that's easy to verify by
\r
54 inspection, and use that function elsewhere. For
\r
57 /*@-usereleased@*/<br>
\r
59 static /*@null@*/ void *<br>
\r
61 grow_or_free (/*@only@*/ void *ptr,
\r
64
\r
67 {<br>
\r
69 void
\r
72 newptr =
\r
73 realloc (ptr, newsize);<br>
\r
75 if (newptr ==
\r
76 NULL && newsize != 0) {<br>
\r
79
\r
80 /* Splint would complain,<br>
\r
83
\r
84 but this is correct. */<br>
\r
87
\r
91
\r
94 }<br>
\r
96 return
\r
99 }<br>
\r
101 /*@=usereleased@*/<br>
\r
103 <p>It would also be possible to use a function that always
\r
104 returns a valid pointer, and separately indicates whether
\r
105 it managed to change the size to that desired by the
\r
andersk / splint.git / blob