4 "HTML Tidy for Solaris (vers 1st March 2003), see www.w3.org"
6 <link rel="stylesheet" type="text/css" href=
7 "../manual.css" title="style1">
8 <title>Splint Manual</title>
9 <style type="text/css">
11 /* Font Definitions */
13 {font-family:Helvetica;
14 panose-1:2 11 5 4 2 2 2 2 2 4;}
17 panose-1:2 7 4 9 2 2 5 2 4 4;}
19 {font-family:"Tms Rmn";
20 panose-1:2 2 6 3 4 5 5 2 3 4;}
23 panose-1:2 11 6 4 2 2 2 3 2 4;}
25 {font-family:"New York";
26 panose-1:2 4 5 3 6 5 6 2 3 4;}
29 panose-1:0 0 0 0 0 0 0 0 0 0;}
31 {font-family:Wingdings;
32 panose-1:5 0 0 0 0 0 0 0 0 0;}
34 {font-family:"MS Mincho";
35 panose-1:2 2 6 9 4 2 5 8 3 4;}
38 panose-1:2 3 6 0 0 1 1 1 1 1;}
41 panose-1:2 1 6 0 3 1 1 1 1 1;}
43 {font-family:PMingLiU;
44 panose-1:2 1 6 1 0 1 1 1 1 1;}
46 {font-family:"MS Gothic";
47 panose-1:2 11 6 9 7 2 5 8 2 4;}
50 panose-1:2 11 6 0 0 1 1 1 1 1;}
53 panose-1:2 1 6 0 3 1 1 1 1 1;}
56 panose-1:2 1 6 9 0 1 1 1 1 1;}
59 panose-1:2 2 6 9 4 3 5 8 3 5;}
62 panose-1:2 11 6 0 0 1 1 1 1 1;}
65 panose-1:2 4 6 3 5 7 5 2 3 3;}
67 {font-family:"Angsana New";
68 panose-1:2 2 6 3 5 4 5 2 3 4;}
70 {font-family:"Cordia New";
71 panose-1:2 11 3 4 2 2 2 2 2 4;}
74 panose-1:0 0 4 0 0 0 0 0 0 0;}
77 panose-1:0 0 4 0 0 0 0 0 0 0;}
80 panose-1:1 10 5 2 5 3 6 3 3 3;}
83 panose-1:0 0 4 0 0 0 0 0 0 0;}
86 panose-1:0 0 4 0 0 0 0 0 0 0;}
89 panose-1:0 0 4 0 0 0 0 0 0 0;}
92 panose-1:0 0 4 0 0 0 0 0 0 0;}
95 panose-1:0 0 4 0 0 0 0 0 0 0;}
98 panose-1:0 0 4 0 0 0 0 0 0 0;}
100 {font-family:"Estrangella Edessa";
101 panose-1:0 0 0 0 0 0 0 0 0 0;}
103 {font-family:"Arial Unicode MS";
104 panose-1:0 0 0 0 0 0 0 0 0 0;}
107 panose-1:2 11 6 4 3 5 4 4 2 4;}
109 {font-family:"Book Antiqua";
110 panose-1:2 4 6 2 5 3 5 3 3 4;}
112 {font-family:"Arial Narrow";
113 panose-1:2 11 5 6 2 2 2 3 2 4;}
116 panose-1:0 0 0 0 0 0 0 0 0 0;}
118 {font-family:Marlett;
119 panose-1:0 0 0 0 0 0 0 0 0 0;}
121 {font-family:"News Gothic MT";
122 panose-1:2 11 5 4 2 2 3 2 2 4;}
124 {font-family:"Lucida Sans Unicode";
125 panose-1:2 11 6 2 3 5 4 2 2 4;}
127 {font-family:"Century Gothic";
128 panose-1:2 11 5 2 2 2 2 2 2 4;}
130 {font-family:"Abadi MT Condensed Light";
131 panose-1:2 11 3 6 3 1 1 1 1 3;}
133 {font-family:"Matisse ITC";
134 panose-1:4 4 4 3 3 13 2 2 7 4;}
136 {font-family:Westminster;
137 panose-1:4 4 5 6 3 15 2 2 7 2;}
139 {font-family:"Lucida Console";
140 panose-1:2 11 6 9 4 5 4 2 2 4;}
142 {font-family:"Arial Black";
143 panose-1:2 11 10 4 2 1 2 2 2 4;}
145 {font-family:"Comic Sans MS";
146 panose-1:3 15 7 2 3 3 2 2 2 4;}
148 {font-family:Verdana;
149 panose-1:2 11 6 4 3 5 4 4 2 4;}
151 {font-family:Webdings;
152 panose-1:5 3 1 2 1 5 9 6 7 3;}
154 {font-family:"Verdana Ref";
155 panose-1:2 11 6 4 3 5 4 4 2 4;}
157 {font-family:"Georgia Ref";
158 panose-1:2 4 5 2 5 4 5 2 3 3;}
160 {font-family:RefSpecialty;
161 panose-1:2 0 5 0 0 0 0 0 0 0;}
163 {font-family:"MS Reference 1";
164 panose-1:5 0 0 0 0 0 0 0 0 0;}
166 {font-family:"MS Reference 2";
167 panose-1:0 0 0 0 0 0 0 0 0 0;}
170 panose-1:0 0 4 0 0 0 0 0 0 0;}
172 {font-family:"Mediascape OSD Icon";
173 panose-1:2 11 6 3 5 3 2 2 2 4;}
176 panose-1:2 11 7 3 3 0 0 0 0 7;}
178 {font-family:"Agency FB";
179 panose-1:0 1 6 6 4 0 0 4 0 3;}
181 {font-family:Algerian;
182 panose-1:4 2 7 5 4 10 2 6 7 2;}
184 {font-family:"Arial Rounded MT Bold";
185 panose-1:2 15 7 4 3 5 4 3 2 4;}
187 {font-family:"Baskerville Old Face";
188 panose-1:2 2 6 2 8 5 5 2 3 3;}
190 {font-family:"Bauhaus 93";
191 panose-1:4 3 9 5 2 11 2 2 12 2;}
193 {font-family:"Bell MT";
194 panose-1:2 2 5 3 6 3 5 2 3 3;}
196 {font-family:"Berlin Sans FB";
197 panose-1:2 14 6 2 2 5 2 2 3 6;}
199 {font-family:"Bernard MT Condensed";
200 panose-1:2 5 8 6 6 9 5 2 4 4;}
202 {font-family:"Blackadder ITC";
203 panose-1:4 2 5 5 5 16 7 2 13 2;}
205 {font-family:"Bookman Old Style";
206 panose-1:2 5 6 4 5 5 5 2 2 4;}
208 {font-family:"Bradley Hand ITC";
209 panose-1:3 7 4 2 5 3 2 3 2 3;}
211 {font-family:"Britannic Bold";
212 panose-1:2 11 9 3 6 7 3 2 2 4;}
214 {font-family:Broadway;
215 panose-1:4 4 9 5 8 11 2 2 5 2;}
217 {font-family:"Brush Script MT";
218 panose-1:3 6 8 2 4 4 6 7 3 4;}
220 {font-family:"Californian FB";
221 panose-1:2 7 4 3 6 8 11 3 2 4;}
223 {font-family:"Calisto MT";
224 panose-1:2 4 6 3 5 5 5 3 3 4;}
226 {font-family:Castellar;
227 panose-1:2 10 4 2 6 4 6 1 3 1;}
229 {font-family:Centaur;
230 panose-1:2 3 5 4 5 2 5 2 3 4;}
232 {font-family:"Century Schoolbook";
233 panose-1:2 4 6 4 5 5 5 2 3 4;}
235 {font-family:Chiller;
236 panose-1:4 2 4 4 3 16 7 2 6 2;}
238 {font-family:"Colonna MT";
239 panose-1:4 2 8 5 6 2 2 3 2 3;}
241 {font-family:"Cooper Black";
242 panose-1:2 8 9 4 4 3 11 2 4 4;}
244 {font-family:"Copperplate Gothic Bold";
245 panose-1:2 14 7 5 2 2 6 2 4 4;}
247 {font-family:"Copperplate Gothic Light";
248 panose-1:2 14 5 7 2 2 6 2 4 4;}
250 {font-family:"Curlz MT";
251 panose-1:4 4 4 4 5 7 2 2 2 2;}
253 {font-family:"Edwardian Script ITC";
254 panose-1:3 3 3 2 4 7 7 13 8 4;}
256 {font-family:Elephant;
257 panose-1:2 2 9 4 9 5 5 2 3 3;}
259 {font-family:"Engravers MT";
260 panose-1:2 9 7 7 8 5 5 2 3 4;}
262 {font-family:"Eras Bold ITC";
263 panose-1:2 11 9 7 3 5 4 2 2 4;}
265 {font-family:"Eras Demi ITC";
266 panose-1:2 11 8 5 3 5 4 2 8 4;}
268 {font-family:"Eras Light ITC";
269 panose-1:2 11 4 2 3 5 4 2 8 4;}
271 {font-family:"Eras Medium ITC";
272 panose-1:2 11 6 2 3 5 4 2 8 4;}
274 {font-family:"Felix Titling";
275 panose-1:4 6 5 5 6 2 2 2 10 4;}
277 {font-family:"Footlight MT Light";
278 panose-1:2 4 6 2 6 3 10 2 3 4;}
281 panose-1:3 6 9 2 4 5 2 7 2 3;}
283 {font-family:"Franklin Gothic Book";
284 panose-1:2 11 5 3 2 1 2 2 2 4;}
286 {font-family:"Franklin Gothic Demi";
287 panose-1:2 11 7 3 2 1 2 2 2 4;}
289 {font-family:"Franklin Gothic Demi Cond";
290 panose-1:2 11 7 6 3 4 2 2 2 4;}
292 {font-family:"Franklin Gothic Heavy";
293 panose-1:2 11 9 3 2 1 2 2 2 4;}
295 {font-family:"Franklin Gothic Medium";
296 panose-1:2 11 6 3 2 1 2 2 2 4;}
298 {font-family:"Franklin Gothic Medium Cond";
299 panose-1:2 11 6 6 3 4 2 2 2 4;}
301 {font-family:"Freestyle Script";
302 panose-1:3 8 4 2 3 2 5 11 4 4;}
304 {font-family:"French Script MT";
305 panose-1:3 2 4 2 4 6 7 4 6 5;}
307 {font-family:Garamond;
308 panose-1:2 2 4 4 3 3 1 1 8 3;}
311 panose-1:4 4 5 4 6 16 7 2 13 2;}
313 {font-family:"Gill Sans MT";
314 panose-1:2 11 5 2 2 1 4 2 2 3;}
316 {font-family:"Gill Sans MT Condensed";
317 panose-1:2 11 5 6 2 1 4 2 2 3;}
319 {font-family:"Gill Sans Ultra Bold";
320 panose-1:2 11 10 2 2 1 4 2 2 3;}
322 {font-family:"Gill Sans Ultra Bold Condensed";
323 panose-1:2 11 10 6 2 1 4 2 2 3;}
325 {font-family:"Gill Sans MT Ext Condensed Bold";
326 panose-1:2 11 9 2 2 1 4 2 2 3;}
328 {font-family:"Gloucester MT Extra Condensed";
329 panose-1:2 3 8 8 2 6 1 1 1 1;}
331 {font-family:"Goudy Old Style";
332 panose-1:2 2 5 2 5 3 5 2 3 3;}
334 {font-family:"Goudy Stout";
335 panose-1:2 2 9 4 7 3 11 2 4 1;}
337 {font-family:Haettenschweiler;
338 panose-1:2 11 7 6 4 9 2 6 2 4;}
340 {font-family:"Harlow Solid Italic";
341 panose-1:4 3 6 4 2 15 2 2 13 2;}
343 {font-family:Harrington;
344 panose-1:4 4 5 5 5 10 2 2 7 2;}
346 {font-family:"High Tower Text";
347 panose-1:2 4 5 2 5 5 6 3 3 3;}
349 {font-family:"Imprint MT Shadow";
350 panose-1:4 2 6 5 6 3 3 3 2 2;}
352 {font-family:Jokerman;
353 panose-1:4 9 6 5 6 13 6 2 7 2;}
355 {font-family:"Juice ITC";
356 panose-1:4 4 4 3 4 10 2 2 2 2;}
358 {font-family:"Kristen ITC";
359 panose-1:3 5 5 2 4 2 2 3 2 2;}
361 {font-family:"Kunstler Script";
362 panose-1:3 3 4 2 2 6 7 13 13 6;}
364 {font-family:"Lucida Bright";
365 panose-1:2 4 6 2 5 5 5 2 3 4;}
367 {font-family:"Lucida Calligraphy";
368 panose-1:3 1 1 1 1 1 1 1 1 1;}
370 {font-family:"Lucida Fax";
371 panose-1:2 6 6 2 5 5 5 2 2 4;}
373 {font-family:"Lucida Handwriting";
374 panose-1:3 1 1 1 1 1 1 1 1 1;}
376 {font-family:"Lucida Sans";
377 panose-1:2 11 6 2 3 5 4 2 2 4;}
379 {font-family:"Lucida Sans Typewriter";
380 panose-1:2 11 5 9 3 5 4 3 2 4;}
382 {font-family:Magneto;
383 panose-1:4 3 8 5 5 8 2 2 13 2;}
385 {font-family:"Maiandra GD";
386 panose-1:2 14 5 2 3 3 8 2 2 4;}
388 {font-family:"Matura MT Script Capitals";
389 panose-1:3 2 8 2 6 6 2 7 2 2;}
391 {font-family:Mistral;
392 panose-1:3 9 7 2 3 4 7 2 4 3;}
394 {font-family:"Modern No\. 20";
395 panose-1:2 7 7 4 7 5 5 2 3 3;}
397 {font-family:"Niagara Engraved";
398 panose-1:4 2 5 2 7 7 3 3 2 2;}
400 {font-family:"Niagara Solid";
401 panose-1:4 2 5 2 7 7 2 2 2 2;}
403 {font-family:"OCR A Extended";
404 panose-1:2 1 5 9 2 1 2 1 3 3;}
406 {font-family:"Old English Text MT";
407 panose-1:3 4 9 2 4 5 8 3 8 6;}
410 panose-1:4 5 6 2 8 7 2 2 2 3;}
412 {font-family:"Palace Script MT";
413 panose-1:3 3 3 2 2 6 7 12 11 5;}
415 {font-family:Papyrus;
416 panose-1:3 7 5 2 6 5 2 3 2 5;}
418 {font-family:Parchment;
419 panose-1:3 4 6 2 4 7 8 4 8 4;}
421 {font-family:Perpetua;
422 panose-1:2 2 5 2 6 4 1 2 3 3;}
424 {font-family:"Perpetua Titling MT";
425 panose-1:2 2 5 2 6 5 5 2 8 4;}
427 {font-family:Playbill;
428 panose-1:4 5 6 3 10 6 2 2 2 2;}
430 {font-family:"Poor Richard";
431 panose-1:2 8 5 2 5 5 5 2 7 2;}
433 {font-family:Pristina;
434 panose-1:3 6 4 2 4 4 6 8 2 4;}
436 {font-family:"Rage Italic";
437 panose-1:3 7 5 2 4 5 7 7 3 4;}
440 panose-1:4 4 8 5 5 8 9 2 6 2;}
442 {font-family:Rockwell;
443 panose-1:2 6 6 3 2 2 5 2 4 3;}
445 {font-family:"Rockwell Condensed";
446 panose-1:2 6 6 3 5 4 5 2 1 4;}
448 {font-family:"Rockwell Extra Bold";
449 panose-1:2 6 9 3 4 5 5 2 4 3;}
451 {font-family:"Informal Roman";
452 panose-1:3 6 4 2 3 4 6 11 2 4;}
454 {font-family:"Script MT Bold";
455 panose-1:3 4 6 2 4 6 7 8 9 4;}
457 {font-family:"Showcard Gothic";
458 panose-1:4 2 9 4 2 1 2 2 6 4;}
460 {font-family:"Snap ITC";
461 panose-1:4 4 10 7 6 10 2 2 2 2;}
463 {font-family:Stencil;
464 panose-1:4 4 9 5 13 8 2 2 4 4;}
466 {font-family:"Tempus Sans ITC";
467 panose-1:4 2 4 4 3 13 7 2 2 2;}
469 {font-family:"Trebuchet MS";
470 panose-1:2 11 6 3 2 2 2 2 2 4;}
472 {font-family:"Tw Cen MT";
473 panose-1:2 11 6 2 2 1 4 2 6 3;}
475 {font-family:"Tw Cen MT Condensed";
476 panose-1:2 11 6 6 2 1 4 2 2 3;}
478 {font-family:"Viner Hand ITC";
479 panose-1:3 7 5 2 3 5 2 2 2 3;}
481 {font-family:Vivaldi;
482 panose-1:3 2 6 2 5 5 6 9 8 4;}
484 {font-family:"Vladimir Script";
485 panose-1:3 5 4 2 4 4 7 7 3 5;}
487 {font-family:"Wide Latin";
488 panose-1:2 10 10 7 5 5 5 2 4 4;}
490 {font-family:"Wingdings 2";
491 panose-1:5 2 1 2 1 5 7 7 7 7;}
493 {font-family:"Wingdings 3";
494 panose-1:5 4 1 2 1 8 7 7 7 7;}
496 {font-family:"Berlin Sans FB Demi";
497 panose-1:2 14 8 2 2 5 2 2 3 6;}
499 {font-family:"Tw Cen MT Condensed Extra Bold";
500 panose-1:2 11 8 3 2 0 0 0 0 4;}
502 {font-family:"Almanac MT";
503 panose-1:5 1 1 1 1 1 1 1 1 1;}
505 {font-family:"Beesknees ITC";
506 panose-1:4 4 10 5 5 13 2 2 5 2;}
508 {font-family:"Holidays MT";
509 panose-1:5 1 1 1 1 1 1 1 1 1;}
511 {font-family:"Monotype Sorts";
512 panose-1:1 1 6 1 1 1 1 1 1 1;}
514 {font-family:"Monotype Sorts 2";
515 panose-1:5 2 1 2 1 2 8 2 8 8;}
517 {font-family:"Pepita MT";
518 panose-1:3 6 4 2 4 5 2 7 8 4;}
520 {font-family:"Vacation MT";
521 panose-1:5 1 1 1 1 1 1 1 1 1;}
523 {font-family:"Map Symbols";
524 panose-1:0 5 1 2 1 7 6 2 5 7;}
526 {font-family:"Bookshelf Symbol 3";
527 panose-1:5 5 1 2 1 7 6 2 5 7;}
529 {font-family:Georgia;
530 panose-1:2 4 5 2 5 4 5 2 3 3;}
532 {font-family:"MS Outlook";
533 panose-1:5 0 0 0 0 0 0 0 0 0;}
535 {font-family:"Berling Antiqua";
536 panose-1:2 2 6 2 6 4 5 3 4 2;}
538 {font-family:Bookdings;
539 panose-1:5 0 0 0 0 0 0 0 0 0;}
541 {font-family:"Frutiger Linotype";
542 panose-1:2 11 6 4 3 5 4 4 2 4;}
544 {font-family:"Andale Mono";
545 panose-1:2 11 5 9 0 0 0 0 0 4;}
548 panose-1:2 11 8 6 3 9 2 5 2 4;}
550 {font-family:"Monotype Corsiva";
551 panose-1:3 1 1 1 1 2 1 1 1 1;}
553 {font-family:"MT Extra";
554 panose-1:5 5 1 2 1 2 5 2 2 2;}
556 {font-family:ProgramTwo;
557 panose-1:0 0 0 0 0 0 0 0 0 0;}
558 /* Style Definitions */
559 p.MsoNormal, li.MsoNormal, div.MsoNormal
561 margin-bottom:.0001pt;
564 font-family:"Times New Roman";}
572 page-break-before:always;
573 page-break-after:avoid;
575 font-family:"Times New Roman";}
583 page-break-after:avoid;
585 font-family:"Times New Roman";}
593 page-break-after:avoid;
595 font-family:"Times New Roman";}
603 page-break-after:avoid;
605 font-family:"Times New Roman";}
614 font-family:"Times New Roman";
624 font-family:"Times New Roman";
627 p.MsoHeading7, li.MsoHeading7, div.MsoHeading7
634 page-break-before:always;
635 page-break-after:avoid;
637 font-family:"Times New Roman";
639 p.MsoHeading8, li.MsoHeading8, div.MsoHeading8
646 page-break-after:avoid;
648 font-family:"Times New Roman";
650 p.MsoHeading9, li.MsoHeading9, div.MsoHeading9
657 page-break-after:avoid;
659 font-family:"Times New Roman";
661 p.MsoIndex1, li.MsoIndex1, div.MsoIndex1
666 margin-bottom:.0001pt;
670 font-family:"Times New Roman";}
671 p.MsoIndex2, li.MsoIndex2, div.MsoIndex2
676 margin-bottom:.0001pt;
680 font-family:"Times New Roman";}
681 p.MsoIndex3, li.MsoIndex3, div.MsoIndex3
686 margin-bottom:.0001pt;
690 font-family:"Times New Roman";}
691 p.MsoIndex4, li.MsoIndex4, div.MsoIndex4
696 margin-bottom:.0001pt;
700 font-family:"Times New Roman";}
701 p.MsoIndex5, li.MsoIndex5, div.MsoIndex5
706 margin-bottom:.0001pt;
710 font-family:"Times New Roman";}
711 p.MsoIndex6, li.MsoIndex6, div.MsoIndex6
716 margin-bottom:.0001pt;
720 font-family:"Times New Roman";}
721 p.MsoIndex7, li.MsoIndex7, div.MsoIndex7
726 margin-bottom:.0001pt;
730 font-family:"Times New Roman";}
731 p.MsoIndex8, li.MsoIndex8, div.MsoIndex8
736 margin-bottom:.0001pt;
740 font-family:"Times New Roman";}
741 p.MsoIndex9, li.MsoIndex9, div.MsoIndex9
746 margin-bottom:.0001pt;
750 font-family:"Times New Roman";}
751 p.MsoToc1, li.MsoToc1, div.MsoToc1
758 font-family:"Times New Roman";
760 p.MsoToc2, li.MsoToc2, div.MsoToc2
765 margin-bottom:.0001pt;
768 font-family:"Times New Roman";}
769 p.MsoToc3, li.MsoToc3, div.MsoToc3
774 margin-bottom:.0001pt;
777 font-family:"Times New Roman";}
778 p.MsoToc4, li.MsoToc4, div.MsoToc4
783 margin-bottom:.0001pt;
786 font-family:"Times New Roman";}
787 p.MsoToc5, li.MsoToc5, div.MsoToc5
792 margin-bottom:.0001pt;
795 font-family:"Times New Roman";}
796 p.MsoToc6, li.MsoToc6, div.MsoToc6
801 margin-bottom:.0001pt;
804 font-family:"Times New Roman";}
805 p.MsoToc7, li.MsoToc7, div.MsoToc7
810 margin-bottom:.0001pt;
813 font-family:"Times New Roman";}
814 p.MsoToc8, li.MsoToc8, div.MsoToc8
819 margin-bottom:.0001pt;
822 font-family:"Times New Roman";}
823 p.MsoToc9, li.MsoToc9, div.MsoToc9
828 margin-bottom:.0001pt;
831 font-family:"Times New Roman";}
832 p.MsoFootnoteText, li.MsoFootnoteText, div.MsoFootnoteText
834 margin-bottom:.0001pt;
837 font-family:"Times New Roman";}
838 p.MsoCommentText, li.MsoCommentText, div.MsoCommentText
840 margin-bottom:.0001pt;
843 font-family:"Times New Roman";}
844 p.MsoHeader, li.MsoHeader, div.MsoHeader
846 margin-bottom:.0001pt;
849 font-family:"Times New Roman";
852 p.MsoFooter, li.MsoFooter, div.MsoFooter
854 margin-bottom:.0001pt;
857 font-family:"Times New Roman";}
858 p.MsoIndexHeading, li.MsoIndexHeading, div.MsoIndexHeading
860 margin-bottom:.0001pt;
863 font-family:"Times New Roman";}
864 p.MsoCaption, li.MsoCaption, div.MsoCaption
871 font-family:"Times New Roman";
873 p.MsoTof, li.MsoTof, div.MsoTof
878 margin-bottom:.0001pt;
882 font-family:"Times New Roman";}
883 span.MsoFootnoteReference
884 {vertical-align:super;}
886 {vertical-align:baseline;}
887 p.MsoListBullet, li.MsoListBullet, div.MsoListBullet
892 margin-bottom:.0001pt;
894 text-indent:-12.95pt;
896 font-family:"Times New Roman";}
897 p.MsoTitle, li.MsoTitle, div.MsoTitle
906 p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle
914 p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
916 margin-bottom:.0001pt;
919 font-family:"Times New Roman";}
922 margin-bottom:.0001pt;
924 font-family:"Courier New";}
925 p.TextFontCX, li.TextFontCX, div.TextFontCX
927 margin-bottom:.0001pt;
930 font-family:"Times New Roman";}
931 p.Appendix, li.Appendix, div.Appendix
937 page-break-after:avoid;
939 font-family:"Times New Roman";
941 p.Heading10, li.Heading10, div.Heading10
947 page-break-after:avoid;
949 font-family:"Times New Roman";
950 letter-spacing:-.4pt;
952 p.Heading11, li.Heading11, div.Heading11
958 page-break-after:avoid;
960 font-family:"Times New Roman";
961 letter-spacing:-.4pt;
971 {font-family:"Courier New";}
973 {font-family:"Courier New";
979 {font-family:"Courier New";
983 {font-family:"Times New Roman";
985 p.Author, li.Author, div.Author
994 p.Verbatim, li.Verbatim, div.Verbatim
996 margin-bottom:.0001pt;
998 font-family:"Courier New";
1000 p.lclintrun, li.lclintrun, div.lclintrun
1002 margin-bottom:.0001pt;
1004 font-family:"Arial Narrow";}
1005 p.IndentText, li.IndentText, div.IndentText
1010 margin-bottom:.0001pt;
1013 font-family:"Times New Roman";}
1014 p.beforelist, li.beforelist, div.beforelist
1017 margin-bottom:6.0pt;
1021 font-family:"Times New Roman";}
1022 p.example, li.example, div.example
1025 margin-bottom:6.0pt;
1028 font-family:"Courier New";
1030 p.skiplist, li.skiplist, div.skiplist
1035 margin-bottom:.0001pt;
1038 font-family:"Times New Roman";}
1039 p.afterlist, li.afterlist, div.afterlist
1044 margin-bottom:.0001pt;
1047 font-family:"Times New Roman";}
1048 p.betweenlists, li.betweenlists, div.betweenlists
1051 margin-bottom:6.0pt;
1055 font-family:"Times New Roman";}
1056 p.indentbefore, li.indentbefore, div.indentbefore
1059 margin-bottom:6.0pt;
1063 font-family:"Times New Roman";}
1064 p.indentbefore0, li.indentbefore0, div.indentbefore0
1067 margin-bottom:6.0pt;
1071 font-family:"Times New Roman";}
1075 p.Sidebar, li.Sidebar, div.Sidebar
1077 margin-bottom:.0001pt;
1079 font-family:"Times New Roman";}
1080 p.URL, li.URL, div.URL
1082 margin-bottom:.0001pt;
1086 span.StyleKeywordBold
1087 {font-family:"Courier New";
1090 p.ProgramName, li.ProgramName, div.ProgramName
1092 margin-bottom:.0001pt;
1097 {font-family:"Courier New";}
1098 span.ProgramNameChar
1099 {font-family:Arial;}
1101 {font-family:ProgramTwo;
1103 p.fileName, li.fileName, div.fileName
1108 margin-bottom:.0001pt;
1111 p.FileName0, li.FileName0, div.FileName0
1116 margin-bottom:.0001pt;
1120 {font-family:Arial;}
1122 {text-decoration:none;}
1124 {text-decoration:underline;}
1126 {text-decoration:line-through;
1128 /* Page Definitions */
1131 margin:1.0in 1.25in .75in 1.25in;}
1136 margin:1.0in 1.25in 1.0in 99.35pt;}
1141 margin:1.0in 1.25in 1.0in 99.35pt;}
1146 margin:1.0in 1.25in 1.0in 99.0pt;}
1151 margin:1.0in 1.25in 1.0in 1.25in;}
1156 margin:1.0in 1.25in 1.0in 1.25in;}
1161 margin:1.0in 1.25in 1.0in 1.25in;}
1166 margin:1.0in 1.25in 1.0in 1.25in;}
1169 /* List Definitions */
1171 {margin-bottom:0in;}
1173 {margin-bottom:0in;}
1178 <!--#include virtual="header.html"-->
1179 <div class="Section1">
1180 <p class="MsoTitle"><img width="189" height="219" src=
1181 "manual-301_files/image001.jpg" hspace="12"><a name=
1182 "_Ref533872469"></a></p>
1183 <p class="MsoTitle"><a name="_Ref483663680"></a><span class=
1184 "MsoCommentReference"><span style=
1185 'font-size:20.0pt'> </span></span></p>
1186 <p class="MsoTitle"><span class=
1187 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1188 </span></span></p>
1189 <p class="MsoTitle"><span class=
1190 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1191 </span></span></p>
1192 <p class="MsoTitle"><span class=
1193 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1194 </span></span></p>
1195 <p class="MsoTitle"><span class=
1196 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1197 Splint Manual</span></span></p>
1198 <p class="MsoTitle"><span class=
1199 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1200 </span></span></p>
1201 <p class="MsoSubtitle"><span class=
1202 "MsoCommentReference"><span style=
1203 'font-size: 18.0pt;font-family:"Book Antiqua"'>Version
1204 3.0.1.7</span></span></p>
1205 <p class="MsoSubtitle"><span class=
1206 "MsoCommentReference"><span style=
1207 'font-size: 18.0pt;font-family:"Book Antiqua"'>17 March
1208 2003</span></span></p>
1209 <p class="MsoSubtitle"><span class=
1210 "MsoCommentReference"><span style=
1211 'font-size: 15.5pt'> </span></span></p>
1212 <p class="MsoSubtitle"><span class=
1213 "MsoCommentReference"><span style=
1214 'font-size: 15.5pt'> </span></span></p>
1215 <p class="MsoSubtitle"><span class=
1216 "MsoCommentReference"><span style=
1217 'font-size: 15.5pt'> </span></span></p>
1218 <p class="MsoNormal"><span class=
1219 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1220 </span></span></p>
1221 <p class="MsoNormal"><span class=
1222 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1223 </span></span></p>
1224 <p class="MsoNormal"><span class=
1225 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1226 </span></span></p>
1227 <p class="MsoNormal"><span class=
1228 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1229 </span></span></p>
1230 <p class="TextFontCX"><span class=
1231 "MsoCommentReference"><span style='font-size:15.5pt'> </span></span></p>
1232 <p class="TextFontCX" align="right" style=
1233 'margin-right: -58.5pt;text-align:right'><img width="364"
1234 height="181" src="manual-301_files/image002.gif" align="left"
1235 hspace="12" alt="Text Box:
1236 Secure Programming Group
1237 University of Virginia
1238 Department of Computer Science
1241 <p class="TextFontCX" style=
1242 'margin-left:28.35pt; text-indent:-14.15pt'><span class=
1243 "MsoCommentReference"><span style=
1244 'font-size: 15.5pt'> </span></span></p>
1245 <p class="TextFontCX" align="right" style=
1246 'margin-right: 9.0pt;text-align:right'><span class=
1247 "MsoCommentReference"><i><span style=
1248 'font-size:14.0pt'> </span></i></span></p></div>
1249 <span class="MsoCommentReference"><b><i><span style=
1250 'font-size:14.0pt;font-family: Arial'><br clear="all" style=
1251 'page-break-before:auto'></span></i></b></span>
1252 <div class="Section2"><span class=
1253 "MsoCommentReference"><span style='font-size: 15.5pt;font-family:"Times New Roman"'>
1254 <br clear="all" style='page-break-before: always'></span></span>
1255 <p class="TextFontCX"><span class=
1256 "MsoCommentReference"><b><span style=
1257 'font-size:14.0pt;font-family:Arial'> </span></b></span></p>
1258 <h4 style='margin-left:0in;text-indent:0in'><span class=
1259 "MsoCommentReference"><span style=
1260 'font-size:14.0pt'>Authors</span></span></h4>
1261 <p class="TextFontCX">This manual was written by David Evans,
1262 except for Section 9 and Appendix B which were written by David
1263 Larochelle and David Evans.</p>
1264 <h4 style='margin-left:0in;text-indent:0in'><span class=
1265 "MsoCommentReference"><span style=
1266 'font-size:14.0pt'>Credits</span></span></h4>
1267 <p class="TextFontCX">Splint is developed and maintained by the
1268 Secure Programming Group at the University of Virginia Department
1269 of Computer Science. David Evans is the project leader and
1270 the primary developer of Splint. David Larochelle developed
1271 the memory bounds checking. University of Virginia students
1272 Chris Barker, David Friedman, Mike Lanouette and Hien Phan all
1273 contributed significantly to the development of Splint.</p>
1274 <p class="TextFontCX"> </p>
1275 <p class="TextFontCX">Splint is the successor to LCLint, a tool
1276 originally developed as a joint research project between the
1277 Massachusetts Institute of Technology and Digital Equipment
1278 Corporation’s System Research Center. David Evans was
1279 the primary designed and developer of LCLint. John Guttag and
1280 Jim Horning had the original idea for a static checking tool for
1281 detecting inconsistencies between LCL specifications and their C
1282 implementations. They provided valuable advice on its
1283 functionality and design and were instrumental in its
1284 development. </p>
1285 <p class="TextFontCX"> </p>
1286 <p class="TextFontCX">Splint incorporates the original LCL checker
1287 developed by Yang Meng Tan. This was built on the DECspec
1288 Project (Joe Wild, Gary Feldman, Steve Garland, and Bill
1289 McKeeman). The LSL checker used by LCLint was developed by
1290 Steve Garland. The original C grammar for LCLint was provided
1291 by Nate Osgood. This work has also benefited greatly from
1292 discussions with Mike Burrows, David Friedman, Stephen Garland,
1293 Colin Godfrey, Steve Harrison, Yanlin Huang, Daniel Jackson, John
1294 Knight, David Larochelle, Angelika Leeb, Ulana Legedza, Gary
1295 McGraw, Anya Pogosyants, Avneesh Saxena, Seejo Sebastine, Navneet
1296 Singh, Raymie Stata, Yang Meng Tan, and Mark Vandevoorde. I
1297 especially thank Angelika Leeb for many constructive comments on
1298 improving an early version of this document, Raymie Stata and Mark
1299 Vandevoorde for technical assistance, and Dorothy Curtis, Paco
1300 Hope, Scott Ruffner, Christina Jackson, David Ladd, and Jessica
1301 Greer for systems assistance.</p>
1302 <p class="TextFontCX"> </p>
1303 <p class="TextFontCX">Much of Splint’s development has been
1304 driven by feedback from users in academia and industry. Many
1305 more people than I can mention here have made contributions by
1306 suggesting improvements, reporting bugs, porting early versions of
1307 Splint to other platforms. Particularly heroic contributions
1308 have been made by Nelson Beebe, Eric Bloodworth, Jutta Degener,
1309 Rick Farnbach, Chris Flatters, Huver Hu, Alexander Mai, John Gerard
1310 Malecki, Thomas G. McWilliams, Michael Meskes, Richard
1311 O’Keefe, Jens Schweikhardt, Albert L. Ting and Jim Zelenka.
1312 Martin “Herbert” Dietze and Mike Smith performed
1313 valiantly in producing the original Win32 and OS2 ports. Tim
1314 Van Holder produced the <span class="Keyword"><span style=
1315 'font-size:10.0pt;font-family:Arial;color:windowtext'>automake</span></span>
1316 and <span class="Keyword"><span style=
1317 'font-size:10.0pt;font-family:Arial; color:windowtext'>autoconf</span></span>
1318 distribution. </p>
1319 <p class="TextFontCX"> </p>
1320 <p class="TextFontCX">Splint research at the University of Virginia
1321 is currently funded in part by a grant from the NASA Langley
1322 Research Center, an NSF CAREER Award for swarm programming, and an
1323 NSF CCLI Award for using analysis to teach software
1324 engineering. David Larochelle is funded by a USENIX student
1325 research grant. <span style=
1326 'font-size:20.0pt'> </span></p></div>
1327 <span class="MsoCommentReference"><span style=
1328 'font-size:15.5pt;font-family:"Times New Roman"'><br clear="all"
1329 style='page-break-before:right'></span></span>
1330 <div class="Section3">
1331 <p class="MsoToc1" align="center" style='text-align:center'>
1332 <span class="MsoCommentReference"><span style=
1333 'font-size:15.5pt'>Contents</span></span></p>
1334 <p class="MsoToc1">1<span style=
1335 'font-size:12.0pt;font-weight:normal'> </span>
1336 <a href=#operation>Operation</a>................................................................................................................
1338 <p class="MsoToc2">1.1<span style=
1339 'font-size:12.0pt'> </span>
1340 Warnings.............................................................................................................
1342 <p class="MsoToc2">1.2<span style=
1343 'font-size:12.0pt'> </span>
1344 Flags....................................................................................................................
1346 <p class="MsoToc2">1.3<span style=
1347 'font-size:12.0pt'> </span> Stylized
1348 Comments...............................................................................................
1350 <p class="MsoToc3">1.3.1<span style=
1351 'font-size:12.0pt'> </span>
1352 Annotations...................................................................................................
1354 <p class="MsoToc3">1.3.2<span style=
1355 'font-size:12.0pt'> </span> Setting
1356 Flags..................................................................................................
1358 <p class="MsoToc1">2<span style=
1359 'font-size:12.0pt;font-weight:normal'> </span>
1361 Dereferences</a>...................................................................................................
1363 <p class="MsoToc3">2.1.1<span style=
1364 'font-size:12.0pt'> </span> Predicate
1365 Functions........................................................................................
1367 <p class="MsoToc3">2.1.2<span style=
1368 'font-size:12.0pt'> </span> Notnull
1369 Annotations........................................................................................
1371 <p class="MsoToc3">2.1.3<span style=
1372 'font-size:12.0pt'> </span> Relaxing Null
1373 Checking..................................................................................
1375 <p class="MsoToc1">3<span style=
1376 'font-size:12.0pt;font-weight:normal'> </span>
1379 Values</a>....................................................................................................
1381 <p class="MsoToc3">3.1.1<span style=
1382 'font-size:12.0pt'> </span> Undefined
1383 Parameters...................................................................................
1385 <p class="MsoToc3">3.1.2<span style=
1386 'font-size:12.0pt'> </span> Relaxing
1387 Checking.........................................................................................
1389 <p class="MsoToc3">3.1.3<span style=
1390 'font-size:12.0pt'> </span> Partially
1392 Structures............................................................................
1394 <p class="MsoToc1">4<span style=
1395 'font-size:12.0pt;font-weight:normal'> </span>
1397 Types</a>.......................................................................................................................
1399 <p class="MsoToc2">4.1<span style=
1400 'font-size:12.0pt'> </span> Built in C
1401 Types....................................................................................................
1403 <p class="MsoToc3">4.1.1<span style=
1404 'font-size:12.0pt'> </span>
1405 Characters....................................................................................................
1407 <p class="MsoToc3">4.1.2<span style=
1408 'font-size:12.0pt'> </span>
1409 Enumerators..................................................................................................
1411 <p class="MsoToc3">4.1.3<span style=
1412 'font-size:12.0pt'> </span> Numeric
1413 Types..............................................................................................
1415 <p class="MsoToc3">4.1.4<span style=
1416 'font-size:12.0pt'> </span> Arbitrary
1418 Types.................................................................................
1420 <p class="MsoToc2">4.2<span style=
1421 'font-size:12.0pt'> </span> Boolean
1422 Types.....................................................................................................
1424 <p class="MsoToc2">4.3<span style=
1425 'font-size:12.0pt'> </span> Abstract
1426 Types.....................................................................................................
1428 <p class="MsoToc3">4.3.1<span style=
1429 'font-size:12.0pt'> </span> Controlling
1430 Access.........................................................................................
1432 <p class="MsoToc3">4.3.2<span style=
1433 'font-size:12.0pt'> </span>
1434 Mutability......................................................................................................
1436 <p class="MsoToc2">4.4<span style=
1437 'font-size:12.0pt'> </span>
1438 Polymorphism.......................................................................................................
1440 <p class="MsoToc1">5<span style=
1441 'font-size:12.0pt;font-weight:normal'> </span>
1444 Management</a>............................................................................................
1446 <p class="MsoToc2">5.1<span style=
1447 'font-size:12.0pt'> </span> Storage
1448 Model......................................................................................................
1450 <p class="MsoToc2">5.2<span style=
1451 'font-size:12.0pt'> </span> Deallocation
1452 Errors...............................................................................................
1454 <p class="MsoToc3">5.2.1<span style=
1455 'font-size:12.0pt'> </span> Unshared
1456 References....................................................................................
1458 <p class="MsoToc3">5.2.2<span style=
1459 'font-size:12.0pt'> </span> Temporary
1460 Parameters..................................................................................
1462 <p class="MsoToc3">5.2.3<span style=
1463 'font-size:12.0pt'> </span> Owned and
1465 References.................................................................
1467 <p class="MsoToc3">5.2.4<span style=
1468 'font-size:12.0pt'> </span> Keep
1469 Parameters...........................................................................................
1471 <p class="MsoToc3">5.2.5<span style=
1472 'font-size:12.0pt'> </span> Shared
1473 References........................................................................................
1475 <p class="MsoToc3">5.2.6<span style=
1476 'font-size:12.0pt'> </span> Stack
1477 References..........................................................................................
1479 <p class="MsoToc3">5.2.7<span style=
1480 'font-size:12.0pt'> </span> Inner
1481 Storage.................................................................................................
1483 <p class="MsoToc2">5.3<span style=
1484 'font-size:12.0pt'> </span> Implicit Memory
1485 Annotations.................................................................................
1487 <p class="MsoToc2">5.4<span style=
1488 'font-size:12.0pt'> </span> Reference
1489 Counting..............................................................................................
1491 <p class="MsoToc1">6<span style=
1492 'font-size:12.0pt;font-weight:normal'> </span>
1494 Sharing</a>....................................................................................................................
1496 <p class="MsoToc2">6.1<span style=
1497 'font-size:12.0pt'> </span>
1498 Aliasing................................................................................................................
1500 <p class="MsoToc3">6.1.1<span style=
1501 'font-size:12.0pt'> </span> Unique
1502 Parameters........................................................................................
1504 <p class="MsoToc3">6.1.2<span style=
1505 'font-size:12.0pt'> </span> Returned
1506 Parameters.....................................................................................
1508 <p class="MsoToc2">6.2<span style=
1509 'font-size:12.0pt'> </span>
1510 Exposure..............................................................................................................
1512 <p class="MsoToc3">6.2.1<span style=
1513 'font-size:12.0pt'> </span> Read-Only
1514 Storage........................................................................................
1516 <p class="MsoToc3">6.2.2<span style=
1517 'font-size:12.0pt'> </span> Exposed
1518 Storage............................................................................................
1520 <p class="MsoToc1">7<span style=
1521 'font-size:12.0pt;font-weight:normal'> </span>
1524 Interfaces</a>.................................................................................................
1526 <p class="MsoToc2">7.1<span style=
1527 'font-size:12.0pt'> </span>
1528 Modifications........................................................................................................
1530 <p class="MsoToc3">7.1.1<span style=
1531 'font-size:12.0pt'> </span> State
1532 Modifications........................................................................................
1534 <p class="MsoToc3">7.1.2<span style=
1535 'font-size:12.0pt'> </span> Missing Modifies
1536 Clauses...............................................................................
1538 <p class="MsoToc2">7.2<span style=
1539 'font-size:12.0pt'> </span> Global
1540 Variables...................................................................................................
1542 <p class="MsoToc3">7.2.1<span style=
1543 'font-size:12.0pt'> </span> Controlling
1545 Checking..........................................................................
1547 <p class="MsoToc3">7.2.2<span style=
1548 'font-size:12.0pt'> </span> Definition
1549 State..............................................................................................
1551 <p class="MsoToc2">7.3<span style=
1552 'font-size:12.0pt'> </span> Declaration
1553 Consistency........................................................................................
1555 <p class="MsoToc2">7.4<span style=
1556 'font-size:12.0pt'> </span> State
1557 Clauses.......................................................................................................
1559 <p class="MsoToc2">7.5<span style=
1560 'font-size:12.0pt'> </span> Requires and
1562 Clauses...............................................................................
1564 <p class="MsoToc1">8<span style=
1565 'font-size:12.0pt;font-weight:normal'> </span>
1568 Flow</a>...........................................................................................................
1570 <p class="MsoToc2">8.1<span style=
1571 'font-size:12.0pt'> </span>
1572 Execution.............................................................................................................
1574 <p class="MsoToc2">8.2<span style=
1575 'font-size:12.0pt'> </span> Undefined
1576 Behavior..............................................................................................
1578 <p class="MsoToc2">8.3<span style=
1579 'font-size:12.0pt'> </span> Problematic
1581 Structures..............................................................................
1583 <p class="MsoToc3">8.3.1<span style=
1584 'font-size:12.0pt'> </span> Likely Infinite
1585 Loops......................................................................................
1587 <p class="MsoToc3">8.3.2<span style=
1588 'font-size:12.0pt'> </span>
1589 Switches.......................................................................................................
1591 <p class="MsoToc3">8.3.3<span style=
1592 'font-size:12.0pt'> </span> Deep
1593 Breaks.................................................................................................
1595 <p class="MsoToc3">8.3.4<span style=
1596 'font-size:12.0pt'> </span> Loop and If
1597 Bodies........................................................................................
1599 <p class="MsoToc3">8.3.5<span style=
1600 'font-size:12.0pt'> </span> Complete
1601 Logic.............................................................................................
1603 <p class="MsoToc2">8.4<span style=
1604 'font-size:12.0pt'> </span> Suspicious
1605 Statements...........................................................................................
1607 <p class="MsoToc3">8.4.1<span style=
1608 'font-size:12.0pt'> </span> Statements with
1610 Effects............................................................................
1612 <p class="MsoToc3">8.4.2<span style=
1613 'font-size:12.0pt'> </span> Ignored Return
1614 Values...................................................................................
1616 <p class="MsoToc1">9<span style=
1617 'font-size:12.0pt;font-weight:normal'> </span>
1620 Sizes</a>.............................................................................................................
1622 <p class="MsoToc2">9.1<span style=
1623 'font-size:12.0pt'> </span> Checking
1624 Accesses..............................................................................................
1626 <p class="MsoToc2">9.2<span style=
1627 'font-size:12.0pt'> </span> Annotating
1629 Sizes........................................................................................
1631 <p class="MsoToc2">9.3<span style=
1632 'font-size:12.0pt'> </span>
1633 Warnings.............................................................................................................
1635 <p class="MsoToc1">10<span style=
1636 'font-size:12.0pt;font-weight:normal'> </span>
1637 <a href=#extensible>
1639 Checking</a>............................................................................................
1641 <p class="MsoToc2">10.1<span style=
1642 'font-size:12.0pt'> </span>
1644 Attributes............................................................................................
1646 <p class="MsoToc2">10.2<span style=
1647 'font-size:12.0pt'> </span>
1648 Annotations......................................................................................................
1650 <p class="MsoToc2">10.3<span style=
1651 'font-size:12.0pt'> </span>
1652 Example...........................................................................................................
1654 <p class="MsoToc1">11<span style=
1655 'font-size:12.0pt;font-weight:normal'> </span>
1657 Macros</a>..................................................................................................................
1659 <p class="MsoToc2">11.1<span style=
1660 'font-size:12.0pt'> </span>
1662 Macros...............................................................................................
1664 <p class="MsoToc2">11.2<span style=
1665 'font-size:12.0pt'> </span>
1667 Macros.........................................................................................
1669 <p class="MsoToc3">11.2.1<span style=
1670 'font-size:12.0pt'> </span> Side
1672 Parameters.......................................................................
1674 <p class="MsoToc2">11.3<span style=
1675 'font-size:12.0pt'> </span>
1677 Checking...............................................................................
1679 <p class="MsoToc2">11.4<span style=
1680 'font-size:12.0pt'> </span>
1681 Iterators...........................................................................................................
1683 <p class="MsoToc3">11.4.1<span style=
1684 'font-size:12.0pt'> </span>
1686 Iterators.......................................................................................
1688 <p class="MsoToc3">11.4.2<span style=
1689 'font-size:12.0pt'> </span>
1691 Iterators...........................................................................................
1693 <p class="MsoToc1">12<span style=
1694 'font-size:12.0pt;font-weight:normal'> </span>
1697 Conventions</a>............................................................................................
1699 <p class="MsoToc2">12.1<span style=
1700 'font-size:12.0pt'> </span>
1702 Conventions......................................................................
1704 <p class="MsoToc3">12.1.1<span style=
1705 'font-size:12.0pt'> </span>
1707 Names.............................................................................................
1709 <p class="MsoToc3">12.1.2<span style=
1710 'font-size:12.0pt'> </span>
1712 Names............................................................................................
1714 <p class="MsoToc3">12.1.3<span style=
1715 'font-size:12.0pt'> </span>
1717 Names..................................................................................
1719 <p class="MsoToc2">12.2<span style=
1720 'font-size:12.0pt'> </span>
1722 Prefixes.........................................................................................
1724 <p class="MsoToc2">12.3<span style=
1725 'font-size:12.0pt'> </span>
1727 Restrictions..........................................................................................
1729 <p class="MsoToc3">12.3.1<span style=
1730 'font-size:12.0pt'> </span>
1732 Names........................................................................................
1734 <p class="MsoToc3">12.3.2<span style=
1735 'font-size:12.0pt'> </span>
1737 Names...........................................................................................
1739 <p class="MsoToc1">13<span style=
1740 'font-size:12.0pt;font-weight:normal'> </span>
1741 <a href=#completeness>
1742 Completeness</a>.......................................................................................................
1744 <p class="MsoToc2">13.1<span style=
1745 'font-size:12.0pt'> </span>
1747 Declarations.........................................................................................
1749 <p class="MsoToc2">13.2<span style=
1750 'font-size:12.0pt'> </span>
1752 Programs...........................................................................................
1754 <p class="MsoToc3">13.2.1<span style=
1755 'font-size:12.0pt'> </span>
1756 Unnecessarily External
1757 Names....................................................................
1759 <p class="MsoToc3">13.2.2<span style=
1760 'font-size:12.0pt'> </span>
1761 Declarations Missing from
1762 Headers.............................................................
1764 <p class="MsoToc1">14<span style=
1765 'font-size:12.0pt;font-weight:normal'> </span>
1767 Libraries and Header File
1768 Inclusion</a>....................................................................
1770 <p class="MsoToc2">14.1<span style=
1771 'font-size:12.0pt'> </span>
1773 Libraries.............................................................................................
1775 <p class="MsoToc3">14.1.1<span style=
1776 'font-size:12.0pt'> </span> ISO
1778 Library..................................................................................
1780 <p class="MsoToc3">14.1.2<span style=
1781 'font-size:12.0pt'> </span>
1783 Library...........................................................................................
1785 <p class="MsoToc3">14.1.3<span style=
1786 'font-size:12.0pt'> </span> UNIX
1787 Library............................................................................................
1789 <p class="MsoToc3">14.1.4<span style=
1790 'font-size:12.0pt'> </span>
1792 Libraries............................................................................................
1794 <p class="MsoToc2">14.2<span style=
1795 'font-size:12.0pt'> </span>
1797 Libraries..........................................................................................
1799 <p class="MsoToc3">14.2.1<span style=
1800 'font-size:12.0pt'> </span>
1801 Generating the Standard
1802 Libraries................................................................
1804 <p class="MsoToc2">14.3<span style=
1805 'font-size:12.0pt'> </span>
1807 Inclusion.........................................................................................
1809 <p class="MsoToc3">14.3.1<span style=
1810 'font-size:12.0pt'> </span>
1812 Constants.............................................................................
1814 <p class="MsoToc1">Appendix A<span style=
1815 'font-size:12.0pt;font-weight:normal'> </span>
1816 <a href=#availability>
1817 Availability</a>...............................................................................................
1819 <p class="MsoToc1">Appendix B<span style=
1820 'font-size:12.0pt;font-weight:normal'> </span>
1822 Flags</a>........................................................................................................
1824 <p class="MsoToc2">Global
1825 Flags...................................................................................................................
1828 Help..........................................................................................................................
1831 Initialization................................................................................................................
1834 Pre-processor............................................................................................................
1837 Libraries....................................................................................................................
1840 Output.......................................................................................................................
1842 <p class="MsoToc3">Expected
1843 Errors.........................................................................................................
1845 <p class="MsoToc2">Message
1846 Format............................................................................................................
1848 <p class="MsoToc2">Mode Selector
1849 Flags.......................................................................................................
1851 <p class="MsoToc2">Checking
1852 Flags...............................................................................................................
1855 Key...........................................................................................................................
1858 Types........................................................................................................................
1860 <p class="MsoToc3">Function
1861 Interfaces.....................................................................................................
1863 <p class="MsoToc3">Memory
1864 Management................................................................................................
1867 Sharing......................................................................................................................
1869 <p class="MsoToc3">Use Before Definition <i>(Section
1870 3)</i>...............................................................................
1872 <p class="MsoToc3">Null Dereferences <i>(Section
1873 2)</i>....................................................................................
1875 <p class="MsoToc3">Macros <i>(Section
1876 7)</i>....................................................................................................
1879 Iterators.....................................................................................................................
1881 <p class="MsoToc3">Naming
1882 Conventions...................................................................................................
1884 <p class="MsoToc3">Other
1885 Checks.............................................................................................................
1887 <p class="MsoToc2">Flag Name
1888 Abbreviations................................................................................................
1890 <p class="MsoToc1">Appendix C<span style=
1891 'font-size:12.0pt;font-weight:normal'> </span>
1892 <a href=#annotations>
1893 Annotations</a>.............................................................................................
1895 <p class="MsoToc3">Suppressing
1896 Warnings.................................................................................................
1898 <p class="MsoToc2">Syntactic
1899 Annotations.....................................................................................................
1902 Functions...................................................................................................................
1904 <p class="MsoToc3">Iterators (Section
1905 11.4)...............................................................................................
1907 <p class="MsoToc3">Constants (Section
1908 11.1).............................................................................................
1910 <p class="MsoToc3">Alternate Types (Section
1911 4.4)......................................................................................
1913 <p class="MsoToc3">Declarator
1914 Annotations...............................................................................................
1916 <p class="MsoToc3">Type
1917 Access..............................................................................................................
1919 <p class="MsoToc3">Macro
1920 Expansion......................................................................................................
1922 <p class="MsoToc3">Arbitrary Integral
1923 Types............................................................................................
1925 <p class="MsoToc3">Traditional Lint
1926 Comments........................................................................................
1928 <p class="MsoToc2">Metastate
1929 Definitions....................................................................................................
1931 <p class="MsoToc1">Appendix D<span style=
1932 'font-size:12.0pt;font-weight:normal'> </span>
1933 <a href=#specifications>
1934 Specifications<a/>.........................................................................................
1936 <p class="MsoToc3">Specification
1937 Flags....................................................................................................
1940 Appendix E<span style=
1941 'font-size:12.0pt;font-weight:normal'> </span>
1944 Bibliography</a>........................................................................
1947 <p class="TextFontCX"> </p></div>
1948 <span class="MsoCommentReference"><b><i><span style=
1949 'font-size:15.5pt;font-family: "Times New Roman";text-transform:uppercase'>
1950 <br clear="all" style=
1951 'page-break-before: right'></span></i></b></span>
1952 <div class="Section4">
1953 <p class="TextFontCX"><span style=
1954 'font-size:16.0pt'> </span></p>
1955 <p class="MsoNormal" align="center" style='text-align:center'>
1956 <b><span style='font-size:16.0pt'>Splint User’s
1957 Manual</span></b></p>
1958 <p class="MsoNormal" align="center" style='text-align:center'>
1960 <p class="MsoNormal" align="center" style='text-align:center'>
1962 <p class="MsoNormal" align="center" style='text-align:center'>7
1964 <p class="TextFontCX"> </p>
1965 <p class="TextFontCX">Splint<a href="#_ftn1" name="_ftnref1"
1966 title=""><span class="MsoFootnoteReference"><span class=
1967 "MsoFootnoteReference"><span style=
1968 'font-size:11.0pt;font-family:"Times New Roman"'>[1]</span></span></span></a>
1969 is a tool for statically checking C programs for security
1970 vulnerabilities and programming mistakes. Splint does many
1971 of the traditional lint checks including unused declarations,
1972 type inconsistencies, use before definition, unreachable code,
1973 ignored return values, execution paths with no return, likely
1974 infinite loops, and fall through cases. More powerful
1975 checks are made possible by additional information given in
1976 source code annotations. Annotations are stylized
1977 comments that document assumptions about functions, variables,
1978 parameters and types. In addition to the checks
1979 specifically enabled by annotations, many of the traditional
1980 lint checks are improved by exploiting this additional
1982 <p class="TextFontCX"> </p>
1983 <p class="TextFontCX">As more effort is put into annotating
1984 programs, better checking results. A representational
1985 effort-benefit curve for using Splint is shown in Figure 1.
1986 Splint is designed to be flexible and allow programmers to select
1987 appropriate points on the effort-benefit curve for particular
1988 projects. As different checks are turned on and more
1989 information is given in code annotations the number of bugs that
1990 can be detected increases dramatically.</p>
1991 <p class="TextFontCX"> </p>
1992 <p class="beforelist">Problems detected by Splint include:</p>
1993 <p class="TextFontCX" style=
1994 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
1995 'font-family:Symbol'>·<span style=
1996 'font:7.0pt "Times New Roman"'> </span></span>
1997 Dereferencing a possibly null pointer (Section 2);</p>
1998 <p class="TextFontCX" style=
1999 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2000 'font-family:Symbol'>·<span style=
2001 'font:7.0pt "Times New Roman"'> </span></span>
2002 Using possibly undefined storage or returning storage that is not
2003 properly defined (Section 3);</p>
2004 <p class="MsoListBullet"><span style=
2005 'font-family:Symbol'>·<span style=
2006 'font:7.0pt "Times New Roman"'> </span></span>
2007 Type mismatches, with greater precision and flexibility than
2008 provided by C compilers (Section 4.1–4.2);</p>
2009 <p class="MsoListBullet"><span style=
2010 'font-family:Symbol'>·<span style=
2011 'font:7.0pt "Times New Roman"'> </span></span>
2012 Violations of information hiding (Section 4.3);</p>
2013 <p class="TextFontCX" style=
2014 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2015 'font-family:Symbol'>·<span style=
2016 'font:7.0pt "Times New Roman"'> </span></span>
2017 Memory management errors including uses of dangling references and
2018 memory leaks (Section 5);</p>
2019 <p class="TextFontCX" style=
2020 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2021 'font-family:Symbol'>·<span style=
2022 'font:7.0pt "Times New Roman"'> </span></span>
2023 Dangerous aliasing (Section 6);</p>
2024 <p class="TextFontCX" style=
2025 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2026 'font-family:Symbol'>·<span style=
2027 'font:7.0pt "Times New Roman"'> </span></span>
2028 Modifications and global variable uses that are inconsistent with
2029 specified interfaces (Section 7);</p>
2030 <p class="TextFontCX" style=
2031 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2032 'font-family:Symbol'>·<span style=
2033 'font:7.0pt "Times New Roman"'> </span></span>
2034 Problematic control flow such as likely infinite loops (Section
2035 8.3.1), fall through cases or incomplete switches (Section 8.3.2),
2036 and suspicious statements (Section 8.4);</p>
2037 <p class="TextFontCX" style=
2038 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2039 'font-family:Symbol'>·<span style=
2040 'font:7.0pt "Times New Roman"'> </span></span>
2041 Buffer overflow vulnerabilities (Section 9);</p>
2042 <p class="TextFontCX" style=
2043 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2044 'font-family:Symbol'>·<span style=
2045 'font:7.0pt "Times New Roman"'> </span></span>
2046 Dangerous macro implementations or invocations (Section 11);
2048 <p class="TextFontCX" style=
2049 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2050 'font-family:Symbol'>·<span style=
2051 'font:7.0pt "Times New Roman"'> </span></span>
2052 Violations of customized naming conventions. (Section
2054 <p class="TextFontCX"> </p>
2055 <p class="MsoCaption"> </p>
2056 <center><img width="572" height="350" src=
2057 "manual-301_files/image003.gif">
2061 <p class="MsoCaption"><a name="_Toc534824605"></a><a name=
2062 "_Ref534821281">Figure</a> 1. Typical Effort-Benefit
2064 <p class="TextFontCX"> </p>
2065 <p class="TextFontCX">Splint checking can be customized to select
2066 what classes of errors are reported using command line flags and
2067 stylized comments in the code. In addition, users can define
2068 new annotations and associated checks to extend Splint’s
2069 checking or to enforce application specific properties (Section
2071 <p class="TextFontCX"><a name="_Ref343085763"></a><a name=
2072 "_Ref343065516"> </a></p>
2073 <p class="TextFontCX"><b>About This Document</b></p>
2074 <p class="TextFontCX">This document is a guide to using
2075 Splint. Section 1 explains how to run Splint, interpret
2076 messages and control checking. Sections 2–13 describe
2077 particular checks done by Splint. There are some minor
2078 dependencies between sections, but in general they can be read in
2079 any order. Section 14 covers issues involving libraries and
2080 header file inclusion important for running Splint on large
2082 <p class="TextFontCX"> </p>
2083 <p class="TextFontCX">This document does not describe technical
2084 details of the checking. For technical background and
2085 analysis of Splint’s effectiveness in practice, see the
2086 papers available at <a href=
2087 "http://www.splint.org/"><span style='font-size:10.0pt;font-family:Arial'>
2088 http://www.splint.org</span></a>. </p>
2090 <table cellspacing="0" cellpadding="0" hspace="0" width="80%"
2091 style="border-collapse: collapse" bordercolor="#111111">
2093 <td valign="top" align="left" style=
2094 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
2095 <p class="TextFontCX" align="right" style='text-align:right'>
2096 <a name="_Ref349497354"></a><a name=
2097 "_Ref348079997"><i><span style='font-size:9.0pt'>Since human
2098 beings themselves are not fully debugged yet, there will be
2099 bugs in your code no matter what you do.</span></i></a></p>
2100 <p class="TextFontCX" align="right" style=
2101 'margin-left:4.5pt;text-align:right'><span style=
2102 'font-size:9.0pt'>Chris Mason,</span><i><span style=
2103 'font-size:9.0pt'>Zero-defects memo</span></i>
2104 <span style='font-size:9.0pt'>(quoted in <i>Microsoft
2105 Secrets</i>, Cusumano and
2106 Selby)</span></p></td></tr></table></center>
2107 <h1 style='margin-left:0in;text-indent:0in'><a name=
2108 "Section1"></a><a name="_Toc534974932"></a><a name=
2109 "_Ref348785755">1<span style=
2110 'font:7.0pt "Times New Roman"'> </span>
2111 <a id="operation" name="operation"> Operation</a></h1>
2112 <p class="TextFontCX">Splint is invoked by listing files to be
2113 checked. Initialization files, command line flags, and
2114 stylized comments may be used to customize checking globally and
2116 <p class="TextFontCX"> </p>
2117 <p class="TextFontCX">The best way to learn to use Splint, of
2118 course, is to actually use it (if you don’t already have
2119 Splint installed on your system, see Appendix A). Before you
2120 read much further in this document, I recommend finding a small C
2121 program. Then, try running:</p>
2122 <p class="example" align="left">splint *.c</p>
2125 <p class="TextFontCX">For the most C programs, this will produce a
2126 large number of warnings. To turn off reporting for some of
2127 the warnings, try:<a name="_Ref347468509"></a><a name=
2128 "_Ref345591726"></a><a name="_Ref345568136"></a><a name=
2129 "_Ref345515100"></a><a name="_Ref345497041"></a><a name=
2130 "_Ref345435155"></a><a name="_Ref345257971"></a><a name=
2131 "_Ref344916723"></a><a name="_Ref344907348"></a><a name=
2132 "_Ref344891202"></a><a name="_Toc344355397"></a></p>
2133 <p class="example" align="left">splint -weak *.c</p>
2136 <p class="TextFontCX">The <span class="Flag"><span style=
2137 'font-size:10.0pt'>-weak</span></span> flag is a mode flag that
2138 sets many checking parameters to select weaker checking than is
2139 done in the default mode. Other Splint flags will be
2140 introduced in the following sections; a complete list is given in
2142 <h2 style='margin-left:0in;text-indent:0in'><a name=
2143 "_Toc534974933"></a><a name="_Toc344355435">1.1<span style=
2144 'font:7.0pt "Times New Roman"'> </span>
2146 <p class="beforelist">A typical warning message is:</p>
2147 <p class="IndentText" align="left" style="margin-bottom: 0.0003pt">
2148 <span style='font-size:10.0pt;font-family:Arial'>sample.c: (in
2149 function faucet)</span></p>
2150 <p class="IndentText" align="left"><span style=
2151 'font-size:10.0pt;font-family:Arial'>sample.c:11:12</span><span style='font-size:10.0pt; font-family:Arial'>
2152 : Fresh storage x not released before return</span></p>
2153 <p class="IndentText" align="left"><span style=
2154 'font-size:10.0pt;font-family:Arial'> A memory leak has been
2155 detected. Storage allocated locally is not released</span></p>
2156 <p class="IndentText" align="left"><span style=
2157 'font-size:10.0pt;font-family:Arial'> before the last
2158 reference to it is lost. (Use -mustfreefresh to inhibit</span></p>
2159 <p class="IndentText" align="left"><span style=
2160 'font-size:10.0pt;font-family:Arial'> warning)</span></p>
2161 <p class="IndentText" align="left"><span style=
2162 'font-size:10.0pt;font-family:Arial'> sample.c:5:47:
2163 Fresh storage x allocated</span></p>
2166 <p class="afterlist">The first line gives the name of the function
2167 in which the error is found. This is printed before the first
2168 message reported for a function. The second line is the text
2169 of the message. This message reports a memory
2170 leak—storage allocated in a function is not deallocated
2171 before the function returns. The file name, line and column
2172 number where the error is located precedes the text. </p>
2173 <p class="TextFontCX"> </p>
2174 <p class="TextFontCX">The next line is a hint giving more
2175 information about the suspected error, including information on how
2176 the warning message may be suppressed. For this message,
2177 using the <span class="Flag"><span style=
2178 'font-size:10.0pt'>‑mustfreefresh</span></span> flag
2179 would prevent this warning from being reported. This flag can
2180 be set at the command line, or more precisely just around the code
2181 point in question by using annotations (see Section 1.3.2).</p>
2182 <p class="TextFontCX"> </p>
2183 <p class="TextFontCX">The final line of the message gives
2184 additional location information. For this message, it tells
2185 where the leaking storage was allocated.</p>
2186 <p class="TextFontCX"> </p>
2187 <p class="beforelist">The generic message format is (parts enclosed
2188 in square brackets are optional):</p>
2189 <p class="Verbatim" align="left"><span style=
2190 'font-family:Arial'> [<file>:<line> (in
2191 <context>)]</span></p>
2192 <p class="Verbatim" align="left"><span style=
2193 'font-family:Arial'>
2194 <file>:<line>[,<column>]:
2195 <i>message</i></span></p>
2196 <p class="Verbatim" align="left"><span style=
2197 'font-family:Arial'>
2198 [<i>hint</i>]</span></p>
2199 <p class="Verbatim" align="left"><span style=
2200 'font-family:Arial'>
2201 <file>:<line>,<column>: <i>extra location
2202 information, if appropriate</i></span></p>
2205 <p class="afterlist">Users can customize the format and content of
2206 messages printed by Splint. The function context is not
2207 printed if <span class="Flag"><span style=
2208 'font-size:10.0pt'>-showfunc</span></span> is used.
2209 Column numbers are not printed if <span class=
2210 "Flag"><span style='font-size:10.0pt'>‑showcol</span></span> is
2211 used. The <span class="Flag"><span style=
2212 'font-size:10.0pt'>+parenfileformat</span></span> flag
2213 can be used to generate file locations in the format
2214 recognized by Microsoft Visual Studio. If <span class=
2216 'font-size:10.0pt'>+parenfileformat</span></span> is set, the
2217 line number follows the file name in parentheses (e.g.,
2218 <span class="PlainText"><span style=
2219 'font-size:10.0pt;font-family:Arial'>sample.c(11)</span></span>.)
2220 Messages are split into lines of length less than the
2221 value set using <span class="Flag"><span style=
2222 'font-size:10.0pt'>-linelen
2223 <i><number></i></span></span>. The default line
2224 length is 80 characters. Splint attempts to split lines
2225 in a sensible place as near to the line length limit as
2227 <p class="afterlist" style='margin-top:0in'> </p>
2228 <p class="afterlist" style='margin-top:0in'>The <span class=
2230 'font-size:10.0pt'>‑hints</span></span> prevents any
2231 hints from being printed. Normally, a hint is given only the
2232 first time a class of error is reported. To have Splint print
2233 a hint for every message regardless, use <span class=
2235 'font-size:10.0pt'>+forcehints</span></span>.</p>
2236 <h2 style='margin-left:0in;text-indent:0in'><a name=
2237 "_Toc534974934"></a><a name="_Ref348343333"></a><a name=
2238 "_Ref348343330"></a><a name="_Ref348092990"></a><a name=
2239 "_Ref344882148"></a><a name="_Ref344870278"></a><a name=
2240 "_Toc344355436">1.2<span style=
2241 'font:7.0pt "Times New Roman"'> </span>
2243 <p class="TextFontCX">So that many programming styles can be
2244 supported, Splint provides several hundred flags for controlling
2245 checking and message reporting. Some of the flags are
2246 introduced in the body of this document. Appendix B describes
2247 every flag. Modes and shortcut flags are provided for setting
2248 many flags at once. Individual flags can override the mode
2250 <p class="TextFontCX"> </p>
2251 <p class="TextFontCX">Flags are preceded by <span class=
2252 "Flag"><span style='font-size:10.0pt'>+</span></span> or
2253 <span class="Flag"><span style=
2254 'font-size:10.0pt'>-</span></span>. When a flag is preceded
2255 by <span class="Flag"><span style=
2256 'font-size:10.0pt'>+</span></span> we say it is <i>on</i>; when it
2257 is preceded by <span class="Flag"><span style=
2258 'font-size:10.0pt'>-</span></span> it is <i>off</i>. The precise
2259 meaning of on and off depends on the type of flag. </p>
2260 <p class="TextFontCX"> </p>
2261 <p class="TextFontCX">The <span class="Flag"><span style=
2262 'font-size:10.0pt'>+</span></span>/<span class=
2263 "Flag"><span style='font-size:10.0pt'>-</span></span> flag
2264 settings are used for consistency and clarity, but contradict
2265 standard UNIX usage and it is easy to accidentally use the
2266 wrong one. To reduce the likelihood of using the wrong
2267 flag, Splint issues warnings when a flag is set in an unusual
2268 way. Warnings are issued when a flag is redundantly set
2269 to the value it already had (these errors are not reported if
2270 the flag is set using a stylized comment), if a mode flag or
2271 special flag is set after a more specific flag that will be
2272 set by the general flag was already set, if value flags are
2273 given unreasonable values, of if flags are set in an
2274 inconsistent way. The <span class="Flag"><span style=
2275 'font-size: 10.0pt'>-warnflags</span></span> flag
2276 suppresses these warnings.</p>
2277 <p class="TextFontCX"> </p>
2278 <p class="TextFontCX">Default flag settings will be read from
2279 <span class="Keyword"><span style=
2280 'font-size:10.0pt;font-family: Arial;color:windowtext'>~/.splintrc</span></span> if
2281 it is readable. If there is a <span class=
2282 "Keyword"><span style=
2283 'font-size:10.0pt;font-family:Arial;color:windowtext'>.splintrc</span></span> file
2284 in the working directory, settings in this file will be read next
2285 and its settings will override those in <span class=
2286 "Keyword"><span style=
2287 'font-size:10.0pt;font-family:Arial; color:windowtext'>~/.splintrc</span></span>.
2288 Command-line flags override settings in either file. The
2289 syntax of the <span class="Keyword"><span style=
2290 'font-size:10.0pt;font-family:Arial;color:windowtext'>.splintrc</span></span> file
2291 is the same as that of command-line flags, except that flags may be
2292 on separate lines and the <span class="CodeText"><span style=
2293 'font-size:10.0pt'>#</span></span> character may be used to
2294 indicate that the remainder of the line is a comment. The
2295 <span class="Flag"><span style=
2296 'font-size:10.0pt'>-nof</span></span> flag prevents the
2297 <span class="Keyword"><span style=
2298 'font-size:10.0pt;font-family: Arial;color:windowtext'>~/.splintrc</span></span> file
2299 from being loaded. The <span class="Flag"><span style=
2300 'font-size:10.0pt'>-f</span></span> <span class=
2302 'font-size:10.0pt'><i><filename></i></span></span> flag
2303 loads options from <i>filename</i>.</p>
2304 <p class="TextFontCX"> </p>
2305 <p class="TextFontCX">To make flag names more readable, hyphens
2306 (<span class="Flag"><span style=
2307 'font-size:10.0pt'>-</span></span>), underscores
2308 (<span class="Flag"><span style=
2309 'font-size:10.0pt'>_</span></span>) and spaces in flags at
2310 the command line are ignored. Hence, <span class=
2312 'font-size:10.0pt'>warnflags</span></span>, <span class=
2314 'font-size:10.0pt'>warn-flags</span></span> and <span class=
2316 'font-size:10.0pt'>warn_flags</span></span> all select the
2317 <span class="Flag"><span style=
2318 'font-size:10.0pt'>warnflags</span></span> option.</p>
2319 <h2 style='margin-left:0in;text-indent:0in'><a name=
2320 "_Toc534974935"></a><a name="_Toc344355442"></a><a name=
2321 "_Ref343086686">1.3<span style=
2322 'font:7.0pt "Times New Roman"'> </span>
2323 Stylized Comments</a></h2>
2324 <p class="TextFontCX">Stylized comments are used to provide extra
2325 information about a type, variable or function interface to improve
2326 checking, or to control flag settings locally.</p>
2327 <p class="TextFontCX"> </p>
2328 <p class="TextFontCX">All stylized comments begin with
2329 <span class="CodeText"><span style=
2330 'font-size:10.0pt'>/*@</span></span> and are closed by the
2331 end of the comment. The role of the <span class=
2332 "CodeText"><span style=
2333 'font-size:10.0pt'>@</span></span> may be played by any
2334 printable character. Use <span class=
2335 "Flag"><span style='font-size:10.0pt'>-commentchar</span></span><span class="Flag">
2337 'font-size:10.0pt'> <i><char></i></span></span> to
2338 select a different stylized comment marker.</p>
2339 <h3 style='margin-left:0in;text-indent:0in'><a name=
2340 "_Toc534974936">1.3.1<span style=
2341 'font:7.0pt "Times New Roman"'> </span>
2342 Annotations</a></h3>
2343 <p class="TextFontCX">Annotations are stylized comments that follow
2344 a definite syntax. Although they are comments, they may only
2345 be used in fixed grammatical contexts (e.g., like a type
2347 <p class="TextFontCX"> </p>
2348 <p class="TextFontCX">Sections 2–6­ describe
2349 annotations for expressing assumptions about variables,
2350 parameters, return values, structure fields and
2351 type definitions. For example, <span class=
2352 "Annot"><span style='font-size:10.0pt'>/*@null@*/</span></span> is
2353 used to express an assumption that a parameter may be NULL.
2354 Section 7 describes annotations for describing function
2355 interfaces. Other annotations are described in later sections
2356 and Section 10 describes mechanisms users can employ to define new
2357 annotations. A summary of annotations is found in Appendix
2359 <p class="TextFontCX"> </p>
2360 <p class="TextFontCX">Some annotations, known as control comments,
2361 may appear between any two tokens in a C program (unlike regular C
2362 comments, control comments should not be used within a single token
2363 as they introduce new separators in the code). Syntactically,
2364 they are no different from standard comments. Control
2365 comments are used to provide source-level control of Splint
2366 checking. They may be used to suppress spurious messages, set
2367 flags, and control checking locally in other ways.</p>
2368 <h3 style='margin-left:0in;text-indent:0in'><a name=
2369 "_Toc534974937"></a><a name="_Ref534648584">1.3.2<span style=
2370 'font:7.0pt "Times New Roman"'> </span>
2371 Setting Flags</a></h3>
2372 <p class="TextFontCX">Most flags (all except those characterized as
2373 “global” in Appendix B) can be set locally using
2374 control comments. A control comment can set flags locally to
2375 override the command line settings. The original flag
2376 settings are restored before processing the next file. The syntax
2377 for setting flags in control comments is the same as that of the
2378 command line, except that flags may also be preceded by
2379 <span class="CodeText"><span style=
2380 'font-size:10.0pt'>=</span></span> to restore their setting
2381 to the original command-line value. For instance,</p>
2382 <p class="example"><span class="Annot"><span style=
2383 'font-size:10.0pt'>/*@+charint</span></span> <span class=
2384 "Annot"><span style=
2385 'font-size:10.0pt'>-modifies</span></span><span class=
2386 "Annot"><span style=
2387 'font-size:10.0pt'>=showfunc</span></span><span class=
2388 "Annot"><span style='font-size:10.0pt'>@*/</span></span></p>
2389 <p class="TextFontCX">sets <span class="Flag"><span style=
2390 'font-size:10.0pt'>charint</span></span> on (this makes
2391 <span class="CodeText"><span style=
2392 'font-size:10.0pt'>char</span></span> and <span class=
2393 "CodeText"><span style='font-size:10.0pt'>int</span></span>
2394 indistinguishable types), sets <span class=
2395 "Flag"><span style='font-size:10.0pt'>modifies</span></span>
2396 off (this prevents reporting of modification errors), and
2397 sets <span class="Flag"><span style=
2398 'font-size:10.0pt'>showfunc</span></span> to its
2399 original setting (this controls whether or not the name
2400 of a function <a name="_Toc344355449">is displayed before a
2401 message).</a><a name="_Ref348845205"></a><a name=
2402 "_Ref348845200"></a> <a name="_Ref348785779"></a></p>
2403 <h1 style='margin-left:0in;text-indent:0in'><a name=
2404 "_Toc534974938"></a><a name="_Ref534641443"></a><a name=
2405 "_Ref534093860"></a><a name="_Ref534050017"></a><a name=
2406 "_Ref534008843">2<span style=
2407 'font:7.0pt "Times New Roman"'> </span>
2408 <a id="null" name="null">Null Dereferences</a></a></h1>
2409 <p class="TextFontCX">A common cause of program failures is when a
2410 null pointer is dereferenced. Splint detects these
2411 errors by distinguishing possibly <span class=
2412 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>
2413 pointers at interface boundaries.</p>
2414 <p class="TextFontCX"> </p>
2415 <p class="TextFontCX">The <span class="Annot"><span style=
2416 'font-size:10.0pt'>null</span></span> annotation is used to
2417 indicate that a pointer value may be <span class=
2418 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2419 A pointer declared with no <span class="Annot"><span style=
2420 'font-size:10.0pt'>null</span></span> annotation, may not be
2421 <span class="CodeText"><span style=
2422 'font-size:10.0pt'>NULL</span></span>. If null checking is
2423 turned on (controlled by <span class="Flag"><span style=
2424 'font-size:10.0pt'>null</span></span>), Splint will report an error
2425 when a possibly null pointer is passed as a parameter, returned as
2426 a result, or assigned to an external reference with no
2427 <span class="Annot"><span style=
2428 'font-size:10.0pt'>null</span></span> qualifier.</p>
2429 <p class="TextFontCX"> </p>
2430 <p class="TextFontCX">If a pointer is declared with the
2431 <span class="Annot"><span style=
2432 'font-size:10.0pt'>null</span></span> annotation, the code
2433 must check that it is not <span class="CodeText"><span style=
2434 'font-size:10.0pt'>NULL</span></span> on all paths leading to
2435 a dereference of the pointer (or the pointer being returned
2436 or passed as a value with no <span class="Annot"><span style=
2437 'font-size:10.0pt'>null</span></span> annotation).
2438 Dereferences of possibly null pointers may be protected by
2439 conditional statements or <span class="CodeText"><span style=
2440 'font-size:10.0pt'>assert</span></span>ions (to see how
2441 <span class="CodeText"><span style=
2442 'font-size:10.0pt'>assert</span></span> is declared see
2443 Section 8.1) that check the pointer is not <span class=
2444 "CodeText"><span style=
2445 'font-size:10.0pt'>NULL</span></span>.</p>
2446 <p class="TextFontCX"> </p>
2447 <p class="TextFontCX">Consider two implementations of
2448 <span class="CodeText"><span style=
2449 'font-size:10.0pt'>firstChar</span></span> in Figure 2. For
2450 <span class="CodeText"><span style=
2451 'font-size:10.0pt'>firstChar1</span></span>, Splint reports
2452 an error since the pointer that is dereferenced is declared
2453 with a <span class="Annot"><span style=
2454 'font-size:10.0pt'>null</span></span> annotation.
2455 For <span class="CodeText"><span style=
2456 'font-size:10.0pt'>firstChar2</span></span>, no error is
2457 reported since the true branch of the <span class=
2458 "CodeText"><span style='font-size:10.0pt'>s ==
2459 NULL</span></span> if statement returns, so the dereference
2460 of <span class="CodeText"><span style=
2461 'font-size:10.0pt'>s</span></span> is only reached if
2462 <span class="CodeText"><span style=
2463 'font-size:10.0pt'>s</span></span> is not <span class=
2464 "CodeText"><span style=
2465 'font-size:10.0pt'>NULL</span></span>.</p>
2467 <table class="MsoNormalTable" border="0" cellspacing="0"
2468 cellpadding="0" style=
2469 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
2471 <td valign="top" style=
2472 'width:207.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
2473 <p class="TextFontCX" align="center" style='text-align:center'>
2474 <span class="Keyword"><b><span style=
2475 'font-size:10.0pt; color:white'>null.c</span></b></span></p></td>
2476 <td valign="top" style=
2477 'width:220.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
2478 <p class="TextFontCX" align="center" style='text-align:center'>
2479 <b><span style='color:white'>Running
2480 Splint</span></b></p></td></tr>
2482 <td valign="top" style=
2483 'width:207.0pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
2484 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
2485 <p class="Verbatim"><span style='font-size:9.0pt'>char firstChar1
2486 (/*@null@*/ char *s)</span></p>
2487 <p class="Verbatim"><span style='font-size:9.0pt'>{<br></span>
2488 <span class="Line"><span style=
2489 'font-size:8.0pt'>3</span></span><span style=
2490 'font-size:9.0pt'> return *s;</span></p>
2491 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
2492 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
2493 <p class="Verbatim"><span style='font-size:9.0pt'>char firstChar2
2494 (/*@null@*/ char *s)</span></p>
2495 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
2496 <p class="Verbatim"><span style='font-size:9.0pt'> if
2497 (s == NULL) return ‘\0’;<br></span> <span class=
2499 'font-size:8.0pt'>9</span></span><span style='font-size:9.0pt'>
2500 return *s;</span></p>
2501 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
2502 <td valign="top" style=
2503 'width:220.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
2504 <p class="lclintrun">> splint null.c</p>
2505 <p class="lclintrun">Splint 3.0.1</p>
2506 <p class="lclintrun"> </p>
2507 <p class="lclintrun">null.c: (in function firstChar1)</p>
2508 <p class="lclintrun">null.c:3:11: Dereference of possibly null
2510 <p class="lclintrun"> null.c:1:35: Storage s may become
2512 <p class="lclintrun"> </p>
2513 <p class="lclintrun">Finished checking --- 1 code warning found</p>
2514 <p class="TextFontCX"> </p></td></tr></table>
2515 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
2516 style="border-collapse: collapse" bordercolor="#111111">
2518 <td valign="top" align="left" style=
2519 'padding-top:6.5pt;padding-right: 9.35pt;padding-bottom:6.5pt;padding-left:9.35pt'>
2520 <p class="MsoCaption"><a name="_Ref534981289"></a><a name=
2521 "_Toc534824606"></a><a name="_Ref534981293">Figure 2</a>.
2523 <p class="MsoNormal" align="left" style=
2524 'margin-top:0in;margin-right:26.55pt; margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;text-align:left; background:white'>
2525 <span style='font-size:10.0pt'>Output from running Splint is
2526 displayed in</span> <span style=
2527 'font-size:10.0pt;font-family:"Arial Narrow"'>sans-serif</span>
2528 <span style='font-size:10.0pt'>font. The command line is
2529 preceded by</span> <span style=
2530 'font-size:10.0pt;font-family:Arial'>></span><span style=
2531 'font-size: 10.0pt'>, the rest is output from Splint.
2532 Explanations added to the code or splint output are shown in
2533 <i>italics</i>. Code shown in the figures in this document is
2534 available from the splint web site,</span> <span style=
2535 'font-size:10.0pt;font-family:Arial'>http://www.splint.org</span><span style='font-size:10.0pt'>
2536 . No error is reported for line 9, since the dereference is
2537 reached only if</span> <span class="CodeText"><span style=
2538 'font-size:10.0pt'>s</span></span> <span style=
2539 'font-size:10.0pt'>is non-null. For most of the figures, the
2540 options</span> <span class="Flag"><span style=
2541 'font-size:9.0pt'>-linelen 55 -hints –showcol</span></span>
2542 <span style='font-size:10.0pt'>were used to produce condensed
2543 output, and</span> <span class="Flag"><span style=
2544 'font-size:9.0pt'>–exportlocal</span></span>
2545 <span style='font-size:10.0pt'>to inhibit warnings about
2547 declarations. </span></p></td></tr></table></center>
2548 <h3 style='margin-left:0in;text-indent:0in'><a name=
2549 "_Toc534974939"></a><a name="_Ref344185475">2.1.1<span style=
2550 'font:7.0pt "Times New Roman"'> </span>
2551 Predicate Functions</a></h3>
2552 <p class="TextFontCX">Another way to protect null dereference, is
2553 to declare a function using <span class="Annot"><span style=
2554 'font-size:10.0pt'>nullwhentrue</span></span> or <span class=
2555 "Annot"><span style=
2556 'font-size:10.0pt'>falsewhennull</span></span>(these annotations
2557 where originally <span class="Annot"><span style=
2558 'font-size:10.0pt'>falsenull</span></span> and <span class=
2559 "Annot"><span style='font-size:10.0pt'>truenull</span></span>, but
2560 were renamed to clarify the logical asymmetry; <span class=
2561 "Annot"><span style='font-size:10.0pt'>falsenull</span></span> and
2562 <span class="Annot"><span style=
2563 'font-size:10.0pt'>truenull</span></span> may still be used) and
2564 call the function in a conditional statement before the
2565 <span class="Annot"><span style=
2566 'font-size:10.0pt'>null</span></span>-annotated pointer is
2567 dereferenced. </p>
2568 <p class="TextFontCX"> </p>
2569 <p class="TextFontCX">If a function annotated with
2570 <span class="Annot"><span style=
2571 'font-size:10.0pt'>nullwhentrue</span></span> returns true it
2572 means its first passed parameter is <span class=
2573 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2574 If it returns false, the parameter is not <span class=
2575 "CodeText"><span style=
2576 'font-size:10.0pt'>NULL</span></span>. Note that it may
2577 return true for a parameter that is not <span class=
2578 "CodeText"><span style=
2579 'font-size:10.0pt'>NULL</span></span>. A more
2580 descriptive name for <span class="Annot"><span style=
2581 'font-size:10.0pt'>nullwhentrue</span></span> would be
2582 “if the result is false, the parameter was not
2583 null”. For example, if <span class=
2584 "CodeText"><span style=
2585 'font-size:10.0pt'>isNull</span></span> is declared as,</p>
2586 <p class="example"> /*@nullwhentrue@*/ bool isNull
2587 (/*@null@*/ char *x);</p>
2588 <p class="beforelist">we could write <span class=
2589 "CodeText"><span style=
2590 'font-size: 10.0pt'>firstChar2</span></span>:</p>
2591 <p class="Verbatim"> char firstChar2 (/*@null@*/ char
2593 <p class="Verbatim"> {</p>
2594 <p class="Verbatim" style='margin-left:.5in'>if (isNull (s)) return
2597 <p class="Verbatim"> }</p>
2598 <p class="afterlist">No error is reported since the dereference of
2599 <span class="CodeText"><span style=
2600 'font-size:10.0pt'>s</span></span> is only reached if
2601 <span class="CodeText"><span style=
2602 'font-size:10.0pt'>isNull(s)</span></span> is false, and
2603 since <span class="CodeText"><span style=
2604 'font-size:10.0pt'>isNull</span></span> is declared with the
2605 <span class="Annot"><span style=
2606 'font-size:10.0pt'>nullwhentrue</span></span> annotation this
2607 means <span class="CodeText"><span style=
2608 'font-size:10.0pt'>s</span></span> must not be null.</p>
2609 <p class="TextFontCX"> </p>
2610 <p class="TextFontCX">The <span class="Annot"><span style=
2611 'font-size:10.0pt'>falsewhennull</span></span> annotation is not
2612 quite the logical opposite of <span class=
2613 "Annot"><span style='font-size:10.0pt'>nullwhentrue</span></span>.
2614 If a function declared with <span class="Annot"><span style=
2615 'font-size:10.0pt'>falsewhennull</span></span> returns true,
2616 it means its parameter is definitely not <span class=
2617 "CodeText"><span style=
2618 'font-size:10.0pt'>NULL</span></span>. If it returns
2619 false, the parameter may or may not be <span class=
2620 "CodeText"><span style=
2621 'font-size:10.0pt'>NULL</span></span>. That is a
2622 <span class="Annot"><span style=
2623 'font-size:10.0pt'>falsewhennull</span></span> always returns
2624 false when passed a <span class="CodeText"><span style=
2625 'font-size: 10.0pt'>NULL</span></span> parameter; it may
2626 sometimes return false when passed a non-<span class=
2627 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>
2629 <p class="TextFontCX"> </p>
2630 <p class="beforelist">For example, we could define
2631 <span class="CodeText"><span style=
2632 'font-size:10.0pt'>isNonEmpty</span></span> to return true if
2633 its parameter is not <span class="CodeText"><span style=
2634 'font-size:10.0pt'>NULL</span></span> and has least one
2635 character before the <span class="CodeText"><span style=
2636 'font-size:10.0pt'>NUL</span></span> terminator:</p>
2637 <p class="Verbatim"> /*@falsewhennull@*/ bool
2638 isNonEmpty (/*@null@*/ char *x)</p>
2639 <p class="Verbatim"> {</p>
2640 <p class="Verbatim"> return (x != NULL
2641 && *x != ‘\0’);</p>
2642 <p class="Verbatim"> }</p>
2643 <p class="afterlist">Splint does not check that the implementation
2644 of a function declared with <span class="Annot"><span style=
2645 'font-size:10.0pt'>nullwhentrue</span></span> or <span class=
2646 "Annot"><span style='font-size:10.0pt'>falsewhennull</span></span>
2647 is consistent with its annotation, but assumes the annotation is
2648 correct when code that calls the function is checked.</p>
2649 <h3 style='margin-left:0in;text-indent:0in'><a name=
2650 "_Toc534974940">2.1.2<span style=
2651 'font:7.0pt "Times New Roman"'> </span>
2652 Notnull Annotations</a></h3>
2653 <p class="TextFontCX">The <span class="Annot"><span style=
2654 'font-size:10.0pt'>notnull</span></span> annotation specifies that
2655 a declarator is definitely not <span class=
2656 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2657 By default, this is assumed, but it may be necessary to use
2658 <span class="Annot"><span style=
2659 'font-size:10.0pt'>notnull</span></span> to override a
2660 <span class="Annot"><span style=
2661 'font-size:10.0pt'>null</span></span> in a type
2662 definition. The <span class="Annot"><span style=
2663 'font-size:10.0pt'>null</span></span> annotation may be used
2664 in a type definition to indicate that all instances of the
2665 type may be <span class="CodeText"><span style=
2666 'font-size:10.0pt'>NULL</span></span>. For declarations
2667 of a type declared using <span class="Annot"><span style=
2668 'font-size:10.0pt'>null</span></span>, the <span class=
2669 "Annot"><span style='font-size:10.0pt'>null</span></span>
2670 annotation in the type definition may be overridden with
2671 <span class="Annot"><span style=
2672 'font-size:10.0pt'>notnull</span></span>. This is
2673 particularly useful for parameters to hidden <span class=
2674 "CodeText"><span style=
2675 'font-size:10.0pt'>static</span></span> operations of
2676 abstract types (see Section 4.3) where the null test has
2677 already been done before the function is called, or function
2678 results known to never be <span class="CodeText"><span style=
2679 'font-size:10.0pt'>NULL</span></span>. For an abstract
2680 type, <span class="Flag"><span style=
2681 'font-size:10.0pt'>notnull</span></span> may not be used for
2682 parameters to external functions, since clients should not be
2683 aware of when the concrete representation may by <span class=
2684 "CodeText"><span style=
2685 'font-size:10.0pt'>NULL</span></span>. Parameters to
2686 static functions in the implementation module, however, may
2687 be declared using <span class="Annot"><span style=
2688 'font-size:10.0pt'>notnull</span></span>, since they may only
2689 be called from places where the representation is
2690 accessible. Return values for <span class=
2691 "CodeText"><span style=
2692 'font-size:10.0pt'>static</span></span> or external functions
2693 may be declared using <span class="Annot"><span style=
2694 'font-size:10.0pt'>notnull</span></span>. </p>
2695 <h3 style='margin-left:0in;text-indent:0in'><a name=
2696 "_Toc534974941"></a><a name="_Ref347853058">2.1.3<span style=
2697 'font:7.0pt "Times New Roman"'> </span>
2698 Relaxing Null Checking</a></h3>
2699 <p class="TextFontCX">An additional annotation, <span class=
2700 "Annot"><span style='font-size:10.0pt'>relnull</span></span> may be
2701 used to relax null checking. No error is reported when a
2702 <span class="Annot"><span style=
2703 'font-size:10.0pt'>relnull</span></span> value is dereferenced, or
2704 when a possibly null value is assigned to an identifier declared
2705 using <span class="Annot"><span style=
2706 'font-size:10.0pt'>relnull</span></span>.</p>
2707 <p class="TextFontCX"> </p>
2708 <p class="TextFontCX">This is generally used for structure fields
2709 that may or may not be null depending on some other
2710 constraint. Splint does not report and error when
2711 <span class="CodeText"><span style=
2712 'font-size:10.0pt'>NULL</span></span> is assigned to a
2713 <span class="Annot"><span style=
2714 'font-size:10.0pt'>relnull</span></span> reference, or when a
2715 <span class="Annot"><span style=
2716 'font-size:10.0pt'>relnull</span></span> reference is
2717 dereferenced. It is up to the programmer to ensure that
2718 this constraint is satisfied before the pointer is
2720 <h1 style='margin-left:0in;text-indent:0in'><a name=
2721 "_Ref348845237"></a><a name="_Ref347254431"></a><a name=
2722 "_Ref347169350"></a><a name="_Ref344916590"></a><a name=
2723 "_Ref344907893"></a><a name="_Toc344355407"></a><a name=
2724 "_Toc534974942"></a><a name="_Ref534641444"></a><a name=
2725 "_Ref534093775"></a><a name="_Ref534093769"></a><a name=
2726 "_Ref534049950">3<span style=
2727 'font:7.0pt "Times New Roman"'> </span>
2728 <a id="undefined" name="undefined">Undefined Values</a></a></h1>
2729 <p class="TextFontCX">Like many static checkers, Splint detects
2730 instances where the value of a location is used before it is
2731 defined. This analysis is done at the procedural level.
2732 If there is a path through the procedure that uses a local variable
2733 before it is defined, a use before definition error is
2734 reported. The <span class="Flag"><span style=
2735 'font-size:10.0pt'>usedef</span></span> flag controls use before
2736 definition checking.</p>
2737 <p class="TextFontCX"> </p>
2738 <p class="TextFontCX">Splint can do more checking than standard
2739 checkers though, because the annotations can be used to describe
2740 what storage must be defined and what storage may be undefined at
2741 interface points. Unannotated references are expected to be
2742 completely defined at interface points. This means all
2743 storage reachable from a global variable, parameter to a function,
2744 or function return value is defined before and after a function
2746 <h3 style='margin-left:0in;text-indent:0in'><a name=
2747 "_Toc534974943"></a><a name="_Ref347811030"></a><a name=
2748 "_Ref347204458">3.1.1<span style=
2749 'font:7.0pt "Times New Roman"'> </span>
2750 Undefined Parameters</a></h3>
2751 <p class="TextFontCX">Sometimes, function parameters or return
2752 values are expected to reference undefined or partially defined
2753 storage. For example, a pointer parameter may be intended
2754 only as an address to store a result, or a memory allocator may
2755 return allocated but undefined storage. The
2756 <span class="Annot"><span style=
2757 'font-size:10.0pt'>out</span></span> annotation denotes
2758 a pointer to storage that may be undefined.</p>
2759 <p class="TextFontCX"> </p>
2760 <p class="TextFontCX">Splint does not report an error when a
2761 pointer to allocated but undefined storage is passed as an
2762 <span class="Annot"><span style=
2763 'font-size:10.0pt'>out</span></span> parameter. Within the
2764 body of a function, Splint will assume an <span class=
2765 "Annot"><span style='font-size:10.0pt'>out</span></span> parameter
2766 is allocated but not necessarily bound to a value, so an error is
2767 reported if its value is used before it is defined. </p>
2768 <p class="TextFontCX"> </p>
2769 <p class="TextFontCX">Splint reports an error if storage reachable
2770 by the caller after the call is not defined when the function
2771 returns. This can be suppressed by <span class=
2773 'font-size: 10.0pt'>-must-define</span></span>. After a call
2774 returns, an actual parameter corresponding to an <span class=
2775 "Annot"><span style='font-size:10.0pt'>out</span></span> parameter
2776 is assumed to be completely defined.</p>
2777 <p class="TextFontCX"> </p>
2778 <p class="TextFontCX">When checking unannotated programs, many
2779 spurious use before definition errors may be reported
2780 If <span class="Flag"><span style=
2781 'font-size:10.0pt'>impouts</span></span> is on, no error is
2782 reported when an incompletely-defined parameter is passed to a
2783 formal parameter with no definition annotation, and the actual
2784 parameter is assumed to be defined after the call. The
2785 <span class="Annot"><span style=
2786 'font-size:10.0pt'>/*@in@*/</span></span> annotation can be
2787 used to denote a parameter that must be completely defined, even if
2788 <span class="Flag"><span style=
2789 'font-size:10.0pt'>imp-outs</span></span> is on. If
2790 <span class="Flag"><span style=
2791 'font-size:10.0pt'>imp-outs</span></span> is off, there is an
2792 implicit <span class="Annot"><span style=
2793 'font-size:10.0pt'>in</span></span> annotation on every parameter
2794 with no definition annotation.</p>
2795 <p class="TextFontCX"> </p>
2796 <table class="MsoNormalTable" border="0" cellspacing="0"
2797 cellpadding="0" style='margin-left:.9pt;border-collapse:collapse'>
2799 <td width="40%" valign="top" style=
2800 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
2801 <p class="TextFontCX" align="center" style='text-align:center'>
2802 <span class="Keyword"><b><span style=
2803 'font-size:10.0pt; color:white'>usedef.c</span></b></span></p></td>
2804 <td valign="top" style=
2805 'border-top:1.5pt solid black; border-left:medium none;border-bottom:medium none;border-right:1.5pt solid black; background:black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
2806 <p class="TextFontCX" align="center" style='text-align:center'>
2807 <b><span style='color:white'>Running
2808 Splint</span></b></p></td></tr>
2810 <td valign="top" style=
2811 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
2812 <p class="MsoNormal"><span class="Keyword"><span style=
2813 'font-size:10.0pt; color:windowtext'>extern void</span></span></p>
2814 <p class="MsoNormal"><span class="Keyword"><span style=
2815 'font-size:10.0pt; color:windowtext'> setVal (/*@out@*/ int
2816 *x);</span></span></p>
2817 <p class="MsoNormal"><span class="Keyword"><span style=
2818 'font-size:10.0pt; color:windowtext'>extern int</span></span></p>
2819 <p class="MsoNormal"><span class="Keyword"><span style=
2820 'font-size:10.0pt; color:windowtext'> getVal (/*@in@*/ int
2821 *x);</span></span></p>
2822 <p class="MsoNormal"><span class="Keyword"><span style=
2823 'font-size:10.0pt; color:windowtext'>extern int
2824 mysteryVal</span></span></p>
2825 <p class="MsoNormal"><span class="Keyword"><span style=
2826 'font-size:10.0pt; color:windowtext'> (int
2827 *x);</span></span></p>
2828 <p class="MsoNormal"><span class="Keyword"><span style=
2829 'font-size:10.0pt; color:windowtext'> </span></span></p>
2830 <p class="MsoNormal" align="left" style='text-align:left'>
2831 <span class="Keyword"><span style=
2832 'font-size:10.0pt;color:windowtext'>int dumbfunc</span></span></p>
2833 <p class="MsoNormal" align="left" style='text-align:left'>
2834 <span class="Keyword"><span style=
2835 'font-size:10.0pt;color:windowtext'> (/*@out@*/ int *x,
2836 int i)</span></span></p>
2837 <p class="MsoNormal"><span class="Keyword"><span style=
2838 'font-size:10.0pt; color:windowtext'>{</span></span></p>
2839 <p class="MsoNormal"><span class="Keyword"><span style=
2840 'font-size:10.0pt; color:windowtext'> if (i >
2841 3)</span></span></p>
2842 <p class="MsoNormal"><span class="Line"><span style=
2843 'font-size:8.0pt'>11</span></span><span class=
2844 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2845 return *x;</span></span></p>
2846 <p class="MsoNormal"><span class="Keyword"><span style=
2847 'font-size:10.0pt; color:windowtext'> else if (i >
2848 1)</span></span></p>
2849 <p class="MsoNormal"><span class="Line"><span style=
2850 'font-size:8.0pt'>13</span></span><span class=
2851 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2852 return getVal (x);</span></span></p>
2853 <p class="MsoNormal"><span class="Keyword"><span style=
2854 'font-size:10.0pt; color:windowtext'> else if (i ==
2855 0)</span></span></p>
2856 <p class="MsoNormal"><span class="Line"><span style=
2857 'font-size:8.0pt'>15</span></span><span class=
2858 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2859 return mysteryVal (x);</span></span></p>
2860 <p class="MsoNormal"><span class="Keyword"><span style=
2861 'font-size:10.0pt; color:windowtext'> else</span></span></p>
2862 <p class="MsoNormal"><span class="Keyword"><span style=
2863 'font-size:10.0pt; color:windowtext'>
2865 <p class="MsoNormal"><span class="Line"><span style=
2866 'font-size:8.0pt'>18</span></span><span class=
2867 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2868 setVal (x);</span></span></p>
2869 <p class="MsoNormal"><span class="Line"><span style=
2870 'font-size:8.0pt'>19</span></span><span class=
2871 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2872 return *x;</span></span></p>
2873 <p class="MsoNormal"><span class="Keyword"><span style=
2874 'font-size:10.0pt; color:windowtext'>
2876 <p class="Verbatim"><span class="Keyword"><span style=
2877 'color:windowtext'>}</span></span></p></td>
2878 <td valign="top" style=
2879 'border-top:medium none;border-left:medium none; border-bottom:1.5pt solid black;border-right:1.5pt solid black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
2880 <p class="lclintrun">> splint usedef.c</p>
2881 <p class="lclintrun">usedef.c:11: Value *x used before
2883 <p class="lclintrun">usedef.c:13: Passed storage x not completely
2885 <p class="lclintrun">
2886
2887 (*x is undefined): getVal (x)</p>
2888 <p class="lclintrun">usedef.c:15: Passed storage x not completely
2890 <p class="lclintrun">
2891
2892 (*x is undefined): mysteryVal (x)</p>
2893 <p class="lclintrun"> </p>
2894 <p class="lclintrun">Finished checking --- 3 code warnings</p>
2895 <p class="TextFontCX"><i> </i></p>
2896 <p class="IndentText" style=
2897 'margin-top:0in;margin-right:.85pt;margin-bottom: 0in;margin-left:0in;margin-bottom:.0001pt;page-break-after:avoid'>
2898 <i>No error is reported for line 18, since the incompletely defined
2899 storage</i> <span class="CodeText"><span style=
2900 'font-size:10.0pt'>x</span></span> <i>is passed as an</i>
2901 <span class="CodeText"><span style=
2902 'font-size:10.0pt'>out</span></span> <i>parameter. After the
2903 call,</i> <span class="CodeText"><span style=
2904 'font-size: 10.0pt'>x</span></span> <i>may be dereferenced,
2905 since</i> <span class="Annot"><span style=
2906 'font-size:10.0pt'>setVal</span></span> <i>is assumed to completely
2907 define its</i> <span class="Annot"><span style=
2908 'font-size:10.0pt'>out</span></span> <i>parameter. The
2909 warning for line 15 would not appear if</i> <span class=
2910 "Flag"><span style='font-size:10.0pt'>+impouts</span></span>
2911 <i>were used since there is no</i> <span class=
2912 "Annot"><span style='font-size:10.0pt'>in</span></span>
2913 <i>annotation on the parameter to</i> <span class=
2915 'font-size: 10.0pt'>mysteryVal</span></span><i>.</i></p></td></tr></table>
2917 <div align="center">
2919 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
2920 style="border-collapse: collapse" bordercolor="#111111">
2922 <td valign="top" align="left" style=
2923 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
2924 <p class="MsoCaption"><a name="_Ref347764461"></a><a name=
2925 "_Ref347853047"></a><a name="_Toc534824607">Figure 3. Use
2926 before Definition</a></p></td></tr></table></center></div></div>
2929 <h3 style='margin-left:0in;text-indent:0in'><a name=
2930 "_Toc534974944">3.1.2<span style=
2931 'font:7.0pt "Times New Roman"'> </span>
2932 Relaxing Checking</a></h3>
2933 <p class="TextFontCX">The <span class="Annot"><span style=
2934 'font-size:10.0pt'>reldef</span></span> annotation relaxes
2935 definition checking for a particular declaration. Storage
2936 declared with a <span class="Annot"><span style=
2937 'font-size:10.0pt'>reldef</span></span> annotation is assumed to be
2938 defined when it is used, but no error is reported if it is not
2939 defined before it is returned or passed as a parameter.</p>
2940 <p class="TextFontCX"> </p>
2941 <p class="TextFontCX">It is up to the programmer to check
2942 <span class="Annot"><span style=
2943 'font-size:10.0pt'>reldef</span></span> fields are used
2944 correctly. They should be avoided in most cases, but
2945 may be useful for fields of structures that may or may not be
2946 defined depending on other constraints. </p>
2947 <h3 style='margin-left:0in;text-indent:0in'><a name=
2948 "_Toc534974945"></a><a name="_Ref347853043">3.1.3<span style=
2949 'font:7.0pt "Times New Roman"'> </span>
2950 Partially Defined Structures</a></h3>
2951 <p class="TextFontCX">The <span class="Annot"><span style=
2952 'font-size:10.0pt'>partial</span></span> annotation can be used to
2953 relax checking of structure fields. A structure with
2954 undefined fields may be passed as a <span class=
2955 "Annot"><span style='font-size: 10.0pt'>partial</span></span>
2956 parameter or returned as a <span class="Annot"><span style=
2957 'font-size:10.0pt'>partial</span></span> result. Inside
2958 a function body, no error is reported when the field of a
2959 <span class="Annot"><span style=
2960 'font-size:10.0pt'>partial</span></span> structure is
2961 used. After a call, all fields of a structure that is
2962 passed as a <span class="Annot"><span style=
2963 'font-size:10.0pt'>partial</span></span> parameter are
2964 assumed to be completely defined.</p>
2965 <h1 style='margin-left:0in;text-indent:0in'><a name=
2966 "_Ref534977413"></a><a name="_Toc534974946">4<span style=
2967 'font:7.0pt "Times New Roman"'> </span>
2968 <a id="types" name="types">
2970 <p class="TextFontCX">Strong type checking often reveals
2971 programming errors. Splint can check primitive C types more
2972 strictly and flexibly than typical compilers (4.1) and provides
2973 support a Boolean type (4.2). In addition, users can define
2974 abstract types that provide information hiding (0).</p>
2975 <h2 style='margin-left:0in;text-indent:0in'><a name=
2976 "_Toc534974947"></a><a name="_Ref534642132"></a><a name=
2977 "_Ref533964147"></a><a name="_Toc344355401">4.1<span style=
2978 'font:7.0pt "Times New Roman"'> </span>
2979 Built in C Types</a></h2>
2980 <p align="right"><span style='font-size:9.0pt'><i>Two types
2981 have</i> compatible <i>type if their types are the
2982 same.</i></span></p>
2983 <p class="TextFontCX" align="right" style='text-align:right'>
2984 <span style='font-size:9.0pt'><span style='font-size:9.0pt'>ANSI C,
2985 3.1.2.6.</span></span></p>
2986 <p class="Sidebar"> </p>
2990 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
2991 Splint supports stricter checking of built in C types. The
2992 <span class="CodeText"><span style=
2993 'font-size:10.0pt'>char</span></span> and <span class=
2994 "CodeText"><span style='font-size:10.0pt'>enum</span></span> types
2995 can be checked as distinct types, and the different numeric types
2996 can be type-checked strictly.</p>
2997 <h3 style='margin-left:0in;text-indent:0in'><a name=
2998 "_Toc534974948">4.1.1<span style=
2999 'font:7.0pt "Times New Roman"'> </span>
3001 <p class="TextFontCX">The primitive <span class=
3002 "CodeText"><span style='font-size:10.0pt'>char</span></span> type
3003 can be type-checked as a distinct type. If <span class=
3004 "CodeText"><span style='font-size:10.0pt'>char</span></span> is
3005 used as a distinct type, common errors involving assigning
3006 <span class="CodeText"><span style=
3007 'font-size:10.0pt'>int</span></span>s to <span class=
3008 "CodeText"><span style='font-size:10.0pt'>char</span></span>s are
3010 <p class="TextFontCX"> </p>
3011 <p class="TextFontCX">The <span class="Flag"><span style=
3012 'font-size:10.0pt'>+charint</span></span> flag can be used for
3013 checking legacy programs where <span class=
3014 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3015 and <span class="CodeText"><span style=
3016 'font-size:10.0pt'>int</span></span> are used
3017 interchangeably. If <span class="Flag"><span style=
3018 'font-size:10.0pt'>charint</span></span> is on, <span class=
3019 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3020 types indistinguishable from <span class=
3021 "CodeText"><span style=
3022 'font-size:10.0pt'>int</span></span>s. To keep
3023 <span class="CodeText"><span style=
3024 'font-size:10.0pt'>char</span></span> and <span class=
3025 "Keyword"><span style='font-size:10.0pt'>int</span></span> as
3026 distinct types, but allow chars to be used to index arrays,
3027 use <span class="Flag"><span style=
3028 'font-size:10.0pt'>+charindex</span></span>.</p>
3029 <h3 style='margin-left:0in;text-indent:0in'><a name=
3030 "_Toc534974949">4.1.2<span style=
3031 'font:7.0pt "Times New Roman"'> </span>
3032 Enumerators</a></h3>
3033 <p class="TextFontCX">Standard C treats user-declared
3034 <span class="CodeText"><span style=
3035 'font-size:10.0pt'>enum</span></span> types just like
3036 integers. An arbitrary integral value may be assigned
3037 to an <span class="CodeText"><span style=
3038 'font-size:10.0pt'>enum</span></span> type, whether or not it
3039 was listed as an enumerator member. Splint checks each
3040 user-defined <span class="CodeText"><span style=
3041 'font-size:10.0pt'>enum</span></span> type as distinct
3042 type. An error is reported if a value that is not an
3043 enumerator member is assigned to the <span class=
3044 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
3045 type, or if an <span class="CodeText"><span style=
3046 'font-size:10.0pt'>enum</span></span> type is used as an
3047 operand to an arithmetic operator. If the <span class=
3048 "Flag"><span style='font-size:10.0pt'>enumint</span></span>
3049 flag is on, <span class="CodeText"><span style=
3050 'font-size:10.0pt'>enum</span></span> and <span class=
3051 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3052 types may be used interchangeably. Like <span class=
3054 'font-size:10.0pt'>charindex</span></span>, if the
3055 <span class="Flag"><span style=
3056 'font-size:10.0pt'>enumindex</span></span> flag is on,
3057 <span class="CodeText"><span style=
3058 'font-size:10.0pt'>enum</span></span> types may be used to
3060 <h3 style='margin-left:0in;text-indent:0in'><a name=
3061 "_Toc534974950">4.1.3<span style=
3062 'font:7.0pt "Times New Roman"'> </span>
3063 Numeric Types</a></h3>
3064 <p class="TextFontCX">Splint reports where numeric types are
3065 used in dangerous or inconsistent ways. With the strictest
3066 checking, Splint will report an error anytime numeric types do not
3067 match exactly. If the <span class="Flag"><span style=
3068 'font-size:10.0pt'>relax-quals</span></span> flag is on, only those
3069 inconsistencies that may corrupt values are reported. For
3070 example, if an <span class="CodeText"><span style=
3071 'font-size:10.0pt'>int</span></span> is assigned to a variable of
3072 type <span class="CodeText"><span style=
3073 'font-size: 10.0pt'>long</span></span> (or passed as a
3074 <span class="CodeText"><span style=
3075 'font-size:10.0pt'>long</span></span> formal parameter),
3076 Splint will not report an error if <span class=
3078 'font-size:10.0pt'>relax-quals</span></span> is on since a
3079 <span class="CodeText"><span style=
3080 'font-size:10.0pt'>long</span></span> must have at least
3081 enough bits to store an <span class="CodeText"><span style=
3082 'font-size:10.0pt'>int</span></span> without data loss.
3083 On the other hand, an error would be reported if the
3084 <span class="CodeText"><span style=
3085 'font-size:10.0pt'>long</span></span> were assigned to an
3086 <span class="CodeText"><span style=
3087 'font-size:10.0pt'>int</span></span>, since the <span class=
3088 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3089 type may not have enough bits to store the <span class=
3090 "CodeText"><span style='font-size:10.0pt'>long</span></span>
3092 <p class="TextFontCX"> </p>
3093 <p class="TextFontCX">Similarly, if a <span class=
3094 "CodeText"><span style='font-size:10.0pt'>signed</span></span>
3095 value is assigned to an <span class="CodeText"><span style=
3096 'font-size:10.0pt'>unsigned</span></span>, Splint will report an
3097 error since an <span class="CodeText"><span style=
3098 'font-size:10.0pt'>unsigned</span></span> type cannot represent all
3099 <span class="CodeText"><span style=
3100 'font-size:10.0pt'>signed</span></span> values correctly. If
3101 the <span class="Flag"><span style=
3102 'font-size:10.0pt'>+ignore-signs</span></span> flag is on, checking
3103 is relaxed to ignore all sign qualifiers in type comparisons (this
3104 is not recommended, since it will suppress reporting of real bugs,
3105 but may be necessary for quickly checking certain legacy
3107 <h3 style='margin-left:0in;text-indent:0in'><a name=
3108 "_Toc534974951">4.1.4<span style=
3109 'font:7.0pt "Times New Roman"'> </span>
3110 Arbitrary Integral Types</a></h3>
3111 <p class="TextFontCX">Some types are declared to be integral types,
3112 but the concrete type may be implementation dependent. For
3113 example, the standard library declares the types <span class=
3114 "CodeText"><span style='font-size:10.0pt'>size_t</span></span>,
3115 <span class="CodeText"><span style=
3116 'font-size:10.0pt'>ptr_diff</span></span> and <span class=
3117 "CodeText"><span style='font-size:10.0pt'>wchar_t</span></span>,
3118 but does not constrain their types other than limiting them to
3119 integral types. Programs may rely on them being integral
3120 types (e.g., can use <span class="CodeText"><span style=
3121 'font-size:10.0pt'>+</span></span> operator on two
3122 <span class="CodeText"><span style=
3123 'font-size:10.0pt'>size_t</span></span> operands), but should
3124 not rely on a particular representation (e.g., <span class=
3125 "CodeText"><span style='font-size: 10.0pt'>long
3126 unsigned</span></span>). </p>
3127 <p class="TextFontCX"> </p>
3128 <p class="TextFontCX">Splint supports three different kinds of
3129 arbitrary integral types:</p>
3130 <p class="TextFontCX"> </p>
3131 <p class="TextFontCX"><span class="Annot"><span style=
3132 'font-size:10.0pt'>/*@integraltype@*/</span></span></p>
3133 <p class="TextFontCX"><span class="Annot"><font size=
3134 "2"> </font></span> An arbitrary integral
3135 type. The actual type may be any one of <span class=
3136 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
3137 <span class="CodeText"><span style=
3138 'font-size:10.0pt'>int</span></span>, <span class=
3139 "CodeText"><span style='font-size:10.0pt'>long</span></span>,
3140 <span class="CodeText"><span style='font-size:10.0pt'>unsigned
3141 short</span></span>, <span class="CodeText"><span style=
3142 'font-size:10.0pt'>unsigned</span></span>, or <span class=
3143 "CodeText"><span style='font-size:10.0pt'>unsigned
3144 long</span></span>.</p>
3145 <p class="TextFontCX"><span class="Annot"><span style=
3146 'font-size:10.0pt'>/*@unsignedintegraltype@*/</span></span></p>
3147 <p class="TextFontCX"><span class="Annot"><font size=
3148 "2"> </font></span> An arbitrary unsigned integral
3149 type. The actual type may be any one of <span class=
3150 "CodeText"><span style='font-size:10.0pt'>unsigned
3151 short</span></span>, <span class="CodeText"><span style=
3152 'font-size:10.0pt'>unsigned</span></span>, or <span class=
3153 "CodeText"><span style='font-size:10.0pt'>unsigned
3154 long</span></span>.</p>
3155 <p class="TextFontCX"><span class="Annot"><span style=
3156 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span></p>
3157 <p class="TextFontCX"><span class="Annot"><font size=
3158 "2"> </font></span> An arbitrary signed integral
3159 type. The actual type may be any one of <span class=
3160 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
3161 <span class="CodeText"><span style=
3162 'font-size:10.0pt'>int</span></span>, or <span class=
3163 "CodeText"><span style='font-size:10.0pt'>long</span></span>.</p>
3164 <p class="TextFontCX"> </p>
3165 <p class="TextFontCX">Splint reports an error if the code depends
3166 on the actual representation of a type declared as an arbitrary
3167 integral. The <span class="Flag"><span style=
3168 'font-size:10.0pt'>match-any-integral</span></span> flag
3169 relaxes checking and allows an arbitrary integral type is allowed
3170 to match any integral type.</p>
3171 <p class="TextFontCX"> </p>
3172 <p class="TextFontCX">Other flags set the arbitrary integral types
3173 to a concrete type. These should only be used if portability
3174 to platforms that may use different representations is not
3175 important. The <span class="Flag"><span style=
3176 'font-size:10.0pt'>long-integral</span></span> and
3177 <span class="Flag"><span style=
3178 'font-size:10.0pt'>long-unsigned-integral</span></span> flags
3179 set the type corresponding to <span class=
3180 "Annot"><span style='font-size: 10.0pt'>/*@integraltype@*/</span></span> to
3181 be <span class="CodeText"><span style=
3182 'font-size:10.0pt'>unsigned long</span></span> and
3183 <span class="CodeText"><span style=
3184 'font-size:10.0pt'>long</span></span> respectively. The
3185 <span class="Flag"><span style=
3186 'font-size:10.0pt'>long-unsigned-unsigned-integral</span></span> flag
3187 sets the type corresponding to <span class=
3188 "Annot"><span style=
3189 'font-size: 10.0pt'>/*@unsignedintegraltype@*/</span></span>
3190 to be <span class="CodeText"><span style=
3191 'font-size:10.0pt'>unsigned long</span></span>. The
3192 <span class="Flag"><span style=
3193 'font-size:10.0pt'>long-signed-integral</span></span> flag
3194 sets the type corresponding to <span class=
3195 "Annot"><span style=
3196 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span> to
3197 be <span class="CodeText"><span style=
3198 'font-size:10.0pt'>long</span></span>.</p>
3199 <h2 style='margin-left:0in;text-indent:0in'><a name=
3200 "_Toc534974952"></a><a name="_Ref534642133"></a><a name=
3201 "_Ref533964143"></a><a name="_Ref344892413"></a><a name=
3202 "_Toc344355400">4.2<span style=
3203 'font:7.0pt "Times New Roman"'> </span>
3204 Boolean Types</a></h2>
3205 <p class="TextFontCX">Pre-ISO99 C had no Boolean representation
3206 – the result of a comparison operator was an integer, and no
3207 type checking is done for test expressions. C99 introduced a
3208 Boolean type (<span class="CodeText"><span style=
3209 'font-size:10.0pt'>_Bool</span></span> and <span class=
3210 "CodeText"><span style='font-size:10.0pt'>bool</span></span>,
3211 <span class="CodeText"><span style=
3212 'font-size:10.0pt'>true</span></span> and <span class=
3213 "CodeText"><span style='font-size:10.0pt'>false</span></span>
3214 macros in <span style=
3215 'font-size:10.0pt;font-family:Arial'>stdbool.h</span>), but did not
3216 strengthen the type checking. Splint supports a Boolean type
3217 that can be checked distinctly from integral types. Many
3218 common errors can be detected by introducing a distinct Boolean
3219 type and stronger type checking.</p>
3220 <p class="TextFontCX"> </p>
3221 <p class="TextFontCX">Splint checks that the test expression in an
3222 <span class="CodeText"><span style=
3223 'font-size:10.0pt'>if</span></span>, <span class=
3224 "CodeText"><span style='font-size:10.0pt'>while</span></span>, or
3225 <span class="CodeText"><span style=
3226 'font-size:10.0pt'>for</span></span> statement or an operand of a
3227 <span class="CodeText"><span style=
3228 'font-size:10.0pt'>&&</span></span>, <span class=
3229 "CodeText"><span style='font-size:10.0pt'>||</span></span> or
3230 <span class="CodeText"><span style=
3231 'font-size:10.0pt'>!</span></span>operator is a Boolean. If
3232 the type of a test expression is not a Boolean, Splint will produce
3233 a warning depending on the type of the test expression and flag
3234 settings. If the test expression has pointer type, the
3235 warning is inhibited by <span class="Flag"><span style=
3236 'font-size:10.0pt'>–predboolptr</span></span> (this can be
3237 used to prevent messages for the idiom of testing if a pointer is
3238 not null without a comparison). If it is type
3239 <span class="CodeText"><span style=
3240 'font-size:10.0pt'>int</span></span>, the warnings is
3241 inhibited by <span class="Flag"><span style=
3242 'font-size:10.0pt'>-pred-bool-int</span></span>. For
3243 all other types, Splint warns unless <span class=
3245 'font-size: 10.0pt'>-pred-bool-others</span></span> is
3246 set. Relations, comparisons and certain standard
3247 library functions are declared to return Booleans.</p>
3248 <p class="TextFontCX"> </p>
3249 <p class="TextFontCX">Since using <span class=
3250 "CodeText"><span style='font-size:10.0pt'>=</span></span> instead
3251 of <span class="CodeText"><span style=
3252 'font-size:10.0pt'>==</span></span> is such a common bug, reporting
3253 of test expressions that are assignments is controlled by the
3254 separate <span class="Flag"><span style=
3255 'font-size:10.0pt'>pred-assign</span></span> flag. The
3256 message can be suppressed by adding extra parentheses around the
3257 test expression.</p>
3258 <p class="TextFontCX"> </p>
3259 <p class="TextFontCX">Use the <span class="Flag"><span style=
3260 'font-size:10.0pt'>–booltype
3261 <name></span></span> flag to select the type name is
3262 used to represent Boolean values. There is no default Boolean
3263 type, although <span class="CodeText"><span style=
3264 'font-size: 10.0pt'>bool</span></span> is used by convention.
3265 The names <span class="CodeText"><span style=
3266 'font-size:10.0pt'>TRUE</span></span> and <span class=
3267 "CodeText"><span style='font-size:10.0pt'>FALSE</span></span> are
3268 assumed to represent true and false Boolean values. To change
3269 the names of true and false, use <span class=
3270 "Flag"><span style='font-size:10.0pt'>-booltrue</span></span>
3271 and <span class="Flag"><span style=
3272 'font-size:10.0pt'>-boolfalse</span></span>. (The
3273 Splint distribution includes an implementation of
3274 <span class="CodeText"><span style=
3275 'font-size:10.0pt'>bool</span></span>, in <span class=
3276 "CodeText"><span style=
3277 'font-size:10.0pt;color:windowtext'>lib/bool.h</span></span>.
3278 However, it isn’t necessary to use this implementation
3279 to get the benefits of Boolean checking.)</p>
3280 <p class="TextFontCX"> </p>
3281 <p class="TextFontCX">Figure 4 illustrates some of the Boolean
3282 checking done by Splint. </p>
3283 <p class="TextFontCX"> </p>
3285 <table class="MsoNormalTable" border="0" cellspacing="0"
3286 cellpadding="0" style=
3287 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
3288 <tr style='height:13.3pt'>
3289 <td valign="top" style=
3290 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.3pt'>
3291 <p class="TextFontCX" align="center" style='text-align:center'>
3292 <span class="Keyword"><b><span style=
3293 'font-size:10.0pt; color:white'>bool.c</span></b></span></p></td>
3294 <td valign="top" style=
3295 'border-top:1.5pt solid black; border-left:medium none;border-bottom:medium none;border-right:1.5pt solid black; background:black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
3296 <p class="TextFontCX" align="center" style='text-align:center'>
3297 <b><span style='color:white'>Running
3298 Splint</span></b></p></td></tr>
3300 <td valign="top" style=
3301 'width:2.0in;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:156.15pt'>
3302 <p class="Verbatim"># include "bool.h"</p>
3303 <p class="Verbatim">int f (int i, char *s,</p>
3304 <p class="Verbatim"> bool b1, bool b2)</p>
3305 <p class="Verbatim">{</p>
3306 <p class="Verbatim"><span class="Line"><span style=
3307 'font-size:8.0pt'> 6</span></span> if (i = 3)</p>
3308 <p class="Verbatim"><span class="Line"><span style=
3309 'font-size:8.0pt'> 7</span></span> return
3311 <p class="Verbatim"><span class="Line"><span style=
3312 'font-size:8.0pt'> 8</span></span> if (!i || s)</p>
3313 <p class="Verbatim"><span class="Line"><span style=
3314 'font-size:8.0pt'> 9</span></span> return
3316 <p class="Verbatim"><span class="Line"><span style=
3317 'font-size:8.0pt'>10</span></span> if (s)</p>
3318 <p class="Verbatim"><span class="Line"><span style=
3319 'font-size:8.0pt'>11</span></span> return 7;</p>
3320 <p class="Verbatim"><span class="Line"><span style=
3321 'font-size:8.0pt'>12</span></span> if (b1 == b2)</p>
3322 <p class="Verbatim"><span class="Line"><span style=
3323 'font-size:8.0pt'>13</span></span> return 3;</p>
3324 <p class="Verbatim"><span class="Line"><span style=
3325 'font-size:8.0pt'>14</span></span> return 2;</p>
3326 <p class="Verbatim">}</p></td>
3327 <td valign="top" style=
3328 'border-top:medium none;border-left: medium none;border-bottom:1.5pt solid black;border-right:1.5pt solid black; padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
3329 <p class="lclintrun">> splint bool.c +predboolptr
3330 –booltype bool</p>
3331 <p class="lclintrun"> </p>
3332 <p class="lclintrun">bool.c:6: Test expression for if is assignment
3333 expression: i = 3</p>
3334 <p class="lclintrun">bool.c:6: Test expression for if not bool,
3336 <p class="lclintrun">bool.c:7: Return value type bool does not
3337 match declared type int: b1</p>
3338 <p class="lclintrun">bool.c:8: Operand of ! is non-boolean (int):
3340 <p class="lclintrun">bool.c:8: Right operand of || is non-boolean
3341 (char *): !i || s</p>
3342 <p class="lclintrun">bool.c:10: Test expression for if not bool,
3344 <p class="lclintrun">bool.c:12: Use of == with bool variables
3345 (risks inconsistency because</p>
3346 <p class="lclintrun">
3347
3348 of multiple true values): b1 == b2</p>
3349 <p class="lclintrun"> </p>
3350 <p class="lclintrun" style='page-break-after:avoid'>Finished
3351 checking --- 7 code warnings found</p></td></tr></table>
3352 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
3354 <td valign="top" align="left" style=
3355 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
3356 <p class="MsoCaption"><a name="_Ref533964137"></a><a name=
3357 "_Toc534824608"></a><a name="_Ref534821769">Figure 4</a>.
3358 Boolean Checking</p></td></tr></table></center>
3359 <h2 style='margin-left:0in;text-indent:0in'><a name=
3360 "_Toc534974953"></a><a name="_Ref534970776">4.3<span style=
3361 'font:7.0pt "Times New Roman"'> </span>
3362 Abstract Types</a></h2>
3363 <p class="TextFontCX">Information hiding is a technique for
3364 handling complexity. By hiding implementation details,
3365 programs can be understood and developed in distinct modules and
3366 the effects of a change can be localized. One technique for
3367 information hiding is data abstraction. An
3368 abstract type is used to represent some natural program
3369 abstraction. It provides functions for manipulating instances
3370 of the type. The module that implements these functions is
3371 called the <i>implementation</i> module. We call the
3372 functions that are part of the implementation of an abstract type
3373 the <i>operations</i> of the type. Other modules that use the
3374 abstract type are called <i>clients</i>.</p>
3375 <p class="TextFontCX"> </p>
3376 <p class="TextFontCX">Clients may use the type name and operations,
3377 but should not manipulate or rely on the actual representation of
3378 the type. Only the implementation module may manipulate the
3379 representation of an abstract type. This hides information,
3380 since implementers and maintainers of client modules should not
3381 need to know anything about how the abstract type is implemented.
3382 It provides modularity, since the representation of an abstract
3383 type can be changed without having to change any client code.</p>
3384 <p class="TextFontCX"> </p>
3385 <p class="TextFontCX">Splint supports abstract types by detecting
3386 places where client code depends on the concrete representation of
3387 an abstract type. Some examples of abstraction violations
3388 detected by Splint are shown in Figure 5.</p>
3389 <p class="beforelist"> </p>
3390 <p class="beforelist">To declare an abstract type, the
3391 <span class="Annot"><span style=
3392 'font-size:10.0pt'>abstract</span></span> annotation is
3393 added to a <span class="CodeText"><span style=
3394 'font-size:10.0pt'>typedef</span></span>. For example
3395 (in <span class="Keyword"><span style=
3396 'font-size:10.0pt;font-family: Arial;color:windowtext'>mstring.h</span></span>),</p>
3397 <p class="example">typedef /*@abstract@*/ char *mstring;</p>
3398 <p class="TextFontCX">declares <span class=
3399 "CodeText"><span style='font-size:10.0pt'>mstring</span></span>
3400 as an abstract type. It is implemented using a
3401 <span class="CodeText"><span style='font-size:10.0pt'>char
3402 *</span></span>, but clients of the type should not depend on
3403 or need to be aware of this. If it later becomes
3404 apparent that a better representation such as a string table
3405 should be used, we should be able to change the
3406 implementation of <span class="CodeText"><span style=
3407 'font-size: 10.0pt'>mstring</span></span> without having to
3408 change or inspect any client code.</p>
3409 <p class="TextFontCX"> </p>
3410 <p class="TextFontCX">In a client module, abstract types are
3411 checked by name, not structure. Splint reports an error if an
3412 instance of <span class="CodeText"><span style=
3413 'font-size:10.0pt'>mstring</span></span> is passed as a
3414 <span class="CodeText"><span style='font-size:10.0pt'>char
3415 *</span></span> (for instance, as an argument to <span class=
3416 "CodeText"><span style=
3417 'font-size: 10.0pt'>strlen</span></span>), since the
3418 correctness of this call depends on the representation of the
3419 abstract type. Splint also reports errors if any C
3420 operator except assignment (<span class=
3421 "CodeText"><span style='font-size:10.0pt'>=</span></span>) or
3422 <span class="CodeText"><span style=
3423 'font-size:10.0pt'>sizeof</span></span> is used on an
3424 abstract type. The assignment operator is allowed since
3425 its semantics do not depend on the representation of the type
3426 (for abstract types whose instances can change value, a
3427 client does need to know if assignment has copy or sharing
3428 semantics as discussed in Section 4.3.2). The use of
3429 <span class="CodeText"><span style=
3430 'font-size:10.0pt'>sizeof</span></span> is also
3431 permitted, since this is the only way for clients to allocate
3432 pointers to the abstract type. Type casting objects to
3433 or from abstract types in a client module is an abstraction
3434 violation and will generate a warning message.</p>
3435 <p class="TextFontCX"> </p>
3436 <p class="TextFontCX">Normally, Splint will assume a type
3437 definition is not abstract unless the <span class=
3438 "Annot"><span style='font-size:10.0pt'>/*@abstract@*/</span></span>
3439 qualifier is used. If instead you want all user-defined types
3440 to be abstract types unless they are marked as <span class=
3441 "Annot"><span style='font-size:10.0pt'>concrete</span></span>, the
3442 <span class="Flag"><span style=
3443 'font-size:10.0pt'>+imp-abstract</span></span> flag can be
3444 used. This adds an implicit <span class=
3445 "Annot"><span style='font-size:10.0pt'>abstract</span></span>
3446 annotation to any <span class="CodeText"><span style=
3447 'font-size:10.0pt'>typedef</span></span> that is not marked
3448 with <span class="Annot"><span style=
3449 'font-size:10.0pt'>/*@concrete@*/</span></span>.</p>
3450 <p class="TextFontCX"> </p>
3452 <table class="MsoNormalTable" border="0" cellspacing="0"
3453 cellpadding="0" style=
3454 'width:418.5pt;margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
3455 <tr style='height:13.45pt'>
3456 <td valign="top" style=
3457 'width:211.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
3458 <p class="TextFontCX" align="center" style='text-align:center'>
3459 <span class="Keyword"><b><span style=
3460 'font-size:10.0pt; color:white'>palindrome.c</span></b></span></p></td>
3461 <td valign="top" style=
3462 'width:207.0pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
3463 <p class="TextFontCX" align="center" style='text-align:center'>
3464 <b><span style='color:white'>Running
3465 Splint</span></b></p></td></tr>
3466 <tr style='height:196.2pt'>
3467 <td valign="top" style=
3468 'width:211.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:196.2pt'>
3469 <p class="Verbatim"><span style='font-size:9.0pt'># include
3471 <p class="Verbatim"><span style='font-size:9.0pt'># include
3472 "mstring.h"</span></p>
3473 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3474 <p class="Verbatim"><span style='font-size:9.0pt'>bool isPalindrome
3475 (mstring s)</span></p>
3476 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
3477 <p class="Verbatim"><span class="Line"><span style=
3478 'font-size:8.0pt'> 6</span></span> <span style=
3479 'font-size:9.0pt'>char *current = (char *) s;</span></p>
3480 <p class="Verbatim"><span class="Line"><span style=
3481 'font-size:8.0pt'> 7</span></span> <span style=
3482 'font-size:9.0pt'>int i, len = (int) strlen (s);</span></p>
3483 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3484 <p class="Verbatim"><span style='font-size:9.0pt'> for (i =
3485 0; i <= (len+1) / 2; i++)</span></p>
3486 <p class="Verbatim"><span style=
3487 'font-size:9.0pt'> {</span></p>
3488 <p class="Verbatim"><span class="Line"><span style=
3489 'font-size:8.0pt'>11</span></span><span style=
3490 'font-size:9.0pt'> if (current[i] !=
3491 s[len-i-1])</span></p>
3492 <p class="Verbatim"><span style=
3493 'font-size:9.0pt'> return
3495 <p class="Verbatim"><span style=
3496 'font-size:9.0pt'> }</span></p>
3497 <p class="Verbatim"><span style='font-size:9.0pt'> return
3499 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
3500 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3501 <p class="Verbatim"><span style='font-size:9.0pt'>bool callPal
3503 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
3504 <p class="Verbatim"><span class="Line"><span style=
3505 'font-size:8.0pt'>19</span></span><i><span style=
3506 'font-size:9.0pt;font-family:Arial'> </span></i>
3507 <span style='font-size:9.0pt'>return (isPalindrome
3508 ("bob"));</span></p>
3509 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
3510 <td valign="top" style=
3511 'width:207.0pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:196.2pt'>
3512 <p class="lclintrun">> splint palindrome.c</p>
3513 <p class="lclintrun"> </p>
3514 <p class="lclintrun">palindrome.c:6: Cast from underlying</p>
3515 <p class="lclintrun"> abstract type mstring:
3517 <p class="lclintrun">palindrome.c:7: Function strlen expects
3519 <p class="lclintrun"> 1 to be char * gets
3521 <p class="lclintrun">palindrome.c:11: Array fetch from
3523 <p class="lclintrun"> (mstring): s[len - i -
3525 <p class="lclintrun">palindrome.c:19: Function isPalindrome</p>
3526 <p class="lclintrun"> expects arg 1 to be mstring
3528 <p class="lclintrun"> "bob"</p>
3529 <p class="TextFontCX"> </p>
3530 <p class="lclintrun">Finished checking --- 4 code warnings</p>
3531 <p class="TextFontCX"><span style=
3532 'font-size: 9.0pt;font-family:Times'> </span></p></td></tr></table>
3533 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
3535 <td valign="top" style=
3536 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
3537 <p class="MsoCaption"><a name="_Toc534824609"></a><a name=
3538 "_Toc347255385"></a><a name="_Ref344908730"></a><a name=
3539 "_Ref344908735">Figure 5</a>. Information Hiding
3540 Violations</p></td></tr></table></center>
3541 <p align="right"><i><span style=
3542 'font-size:9.0pt'> Traditionally, programming books wax
3543 mathematical when they arrive at the topic of abstract data
3545 Such books make it seem as if you’d never actually use an
3546 abstract data type except as a sleep aid.</span></i></p>
3548 <p class="TextFontCX" align="right" style='text-align:right'>
3550 'font-size:9.0pt'> </span></i>
3551 <span style='font-size:9.0pt'> Steve
3552 McConnell</span></p>
3553 <p class="TextFontCX"><i> </i></p>
3554 <h3 style='margin-left:0in;text-indent:0in'><a name=
3555 "_Toc534974954"></a><a name="_Ref344892422"></a><a name=
3556 "_Ref344870884"></a><a name="_Toc344355398">4.3.1<span style=
3557 'font:7.0pt "Times New Roman"'> </span>
3558 Controlling Access</a></h3>
3559 <p class="TextFontCX">Where code may manipulate the representation
3560 of an abstract type, we say the code has <i>access</i> to that
3561 type. If code has access to an abstract type, the
3562 representation of the type and the abstract type are
3563 indistinguishable. Usually, a single program module that is
3564 the only code that has access to the type representation implements
3565 an abstract type. Sometimes, more complicated access control
3566 is desired if the implementation of an abstract type is split
3567 across program files, or particular client code needs to access the
3569 <p class="TextFontCX"> </p>
3570 <p class="beforelist">There are a several ways of selecting what
3571 code has access the representation of an abstract type:</p>
3572 <p class="TextFontCX" style=
3573 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3574 'font-family:Symbol'>·<span style=
3575 'font:7.0pt "Times New Roman"'> </span></span>
3576 Modules. An abstract type defined in <i><span style=
3577 'font-size: 10.0pt;font-family:Arial'>M</span></i><span class="Keyword">
3579 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
3580 is accessible in <i><span style=
3581 'font-size:10.0pt;font-family:Arial'>M</span></i><span class=
3582 "Keyword"><span style=
3583 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>.
3584 Controlled by the <span class="Flag"><span style=
3585 'font-size:10.0pt'>accessmodule</span></span> flag. This
3586 means when <span class="Flag"><span style=
3587 'font-size:10.0pt'>accessmodule</span></span> is on, as it is by
3588 default, the module access rule is in effect. If
3589 <span class="Flag"><span style=
3590 'font-size:10.0pt'>accessmodule</span></span> is off (when
3591 <span class="Flag"><span style=
3592 'font-size:10.0pt'>-access-module</span></span> is used), the
3593 module access rule is not in effect and an abstract type
3594 defined in <i><span style=
3595 'font-size:10.0pt;font-family:Arial'>M</span></i><span class=
3596 "Keyword"><span style=
3597 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
3598 is not necessarily accessible in <i><span style=
3599 'font-size:10.0pt;font-family: Arial'>M</span></i><span class="Keyword">
3601 'font-size:10.0pt; font-family:Arial;color:windowtext'>.c</span></span>.</p>
3602 <p class="TextFontCX" style=
3603 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3604 'font-family:Symbol'>·<span style=
3605 'font:7.0pt "Times New Roman"'> </span></span>
3606 File names. An abstract type named <span class=
3607 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
3608 is accessible in files named <span class=
3609 "CodeText"><i><span style='font-size:10.0pt'>type.<extension></span></i></span>.
3610 For example, the representation of <span class=
3611 "CodeText"><span style=
3612 'font-size: 10.0pt'>mstring</span></span> is accessible in
3613 <span class="CodeText"><span style=
3614 'font-size:10.0pt'>mstring.h</span></span> and <span class=
3615 "CodeText"><span style=
3616 'font-size:10.0pt'>mstring.c</span></span>. Controlled
3617 by the <span class="Flag"><span style=
3618 'font-size:10.0pt'>access-file</span></span> flag.</p>
3619 <p class="MsoListBullet"><span style=
3620 'font-family:Symbol'>·<span style=
3621 'font:7.0pt "Times New Roman"'> </span></span>
3622 Function names. An abstract type named <span class=
3623 "CodeText"><i><span style=
3624 'font-size: 10.0pt'>type</span></i></span> may be accessible in a
3625 function named <span class="CodeText"><i><span style=
3626 'font-size:10.0pt'>type_name</span></i></span> or
3627 <span class="CodeText"><i><span style=
3628 'font-size:10.0pt'>typeName</span></i></span>. For
3629 example, <span class="CodeText"><span style=
3630 'font-size:10.0pt'>mstring_length</span></span> and
3631 <span class="CodeText"><span style=
3632 'font-size:10.0pt'>mstringLength</span></span> would have
3633 access to the <span class="CodeText"><span style=
3634 'font-size:10.0pt'>mstring</span></span> abstract type.
3635 Controlled by <span class="Flag"><span style=
3636 'font-size:10.0pt'>accessfunction</span></span> and the
3637 naming convention (see Section 12).</p>
3638 <p class="TextFontCX" style=
3639 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3640 'font-family:Symbol'>·<span style=
3641 'font:7.0pt "Times New Roman"'> </span></span>
3642 Access control comments. The syntax <span class=
3643 "Annot"><span style='font-size:10.0pt'>/*@access
3644 <i>type</i>,<sup>+</sup>@*/</span></span><a href="#_ftn2"
3645 name="_ftnref2" title=""><span class=
3646 "MsoFootnoteReference"><span class=
3647 "MsoFootnoteReference"><span style=
3648 'font-size:11.0pt;font-family:"Times New Roman"'>[2]</span></span></span></a>
3649 allows the following code to access the representation of
3650 <span class="CodeText"><i><span style=
3651 'font-size:10.0pt'>type</span></i></span>. Similarly,
3652 <span class="Annot"><span style=
3653 'font-size:10.0pt'>/*@noaccess</span></span> <span class=
3654 "Annot"><span style=
3655 'font-size:10.0pt'><i>type</i>,<sup>+</sup>@*/</span></span>
3656 restricts access to the representation of <span class=
3657 "CodeText"><i><span style=
3658 'font-size: 10.0pt'>type</span></i></span>. The type in
3659 a <span class="Annot"><span style=
3660 'font-size:10.0pt'>noaccess</span></span> comment must have
3661 been declared as an abstract type.</p>
3662 <h3 style='margin-left:0in;text-indent:0in'><a name=
3663 "_Toc534974955"></a><a name="_Toc344355399"></a><a name=
3664 "_Ref343240525"></a><a name="_Ref343240518">4.3.2<span style=
3665 'font:7.0pt "Times New Roman"'> </span>
3667 <p class="TextFontCX">We can view types as being <i>mutable</i> or
3668 <i>immutable</i>. A type is mutable if passing it as a
3669 parameter to a function call can change the value of an instance of
3670 the type. For example, the primitive type <span class=
3671 "CodeText"><span style='font-size:10.0pt'>int</span></span> is
3672 immutable. If <span class="CodeText"><span style=
3673 'font-size:10.0pt'>i</span></span> is a local variable of type
3674 <span class="CodeText"><span style=
3675 'font-size:10.0pt'>int</span></span> and no variables point to the
3676 location where <span class="CodeText"><span style=
3677 'font-size:10.0pt'>i</span></span> is stored, the value of
3678 <span class="CodeText"><span style=
3679 'font-size:10.0pt'>i</span></span> must be the same before and
3680 after the call <span class="CodeText"><span style=
3681 'font-size:10.0pt'>f (i)</span></span>. Structure and union
3682 types are also immutable, since they are copied when they are
3683 passed as arguments. On the other hand, pointer types are
3684 mutable. If <span class="CodeText"><span style=
3685 'font-size:10.0pt'>x</span></span> is a local variable of type
3686 <span class="CodeText"><span style='font-size:10.0pt'>int
3687 *</span></span>, the value of <span class=
3688 "CodeText"><span style='font-size:10.0pt'>*x</span></span>
3689 (and hence, the value of the object <span class=
3690 "CodeText"><span style='font-size:10.0pt'>x</span></span>)
3691 can be changed by the function call <span class=
3692 "CodeText"><span style=
3693 'font-size:10.0pt'>g(x)</span></span>. </p>
3694 <p class="TextFontCX"> </p>
3695 <p class="TextFontCX">The mutability of a concrete type is
3696 determined by its type definition. For abstract types, mutability
3697 does not depend on the type representation but on what operations
3698 the type provides. If an abstract type has operations that may
3699 change the value of instances of the type, the type is
3700 mutable. If not, it is immutable. The value of an
3701 instance of an immutable type never changes. Since object
3702 sharing is noticeable only for mutable types, they are checked
3703 differently from immutable types.</p>
3704 <p class="TextFontCX"> </p>
3705 <p class="beforelist">The <span class="Annot"><span style=
3706 'font-size:10.0pt'>/*@mutable@*/</span></span> and
3707 <span class="Annot"><span style=
3708 'font-size:10.0pt'>/*@immutable@*/</span></span> annotations
3709 are used to declare an abstract type as mutable or
3710 immutable. (If neither is used, the abstract type is
3711 assumed to be mutable.) For example,</p>
3712 <p class="Verbatim"> typedef /*@abstract@*/
3713 /*@mutable@*/ char *mstring;</p>
3714 <p class="Verbatim"> typedef /*@abstract@*/
3715 /*@immutable@*/ int weekDay;</p>
3716 <p class="afterlist">declares <span class=
3717 "CodeText"><span style='font-size:10.0pt'>mstring</span></span>
3718 as a mutable abstract type and <span class=
3719 "CodeText"><span style=
3720 'font-size: 10.0pt'>weekDay</span></span> as an immutable
3722 <p class="TextFontCX"> </p>
3723 <p class="TextFontCX">Clients of a mutable abstract type need to
3724 know the semantics of assignment. After the assignment
3725 expression <span class="CodeText"><span style='font-size:10.0pt'>s
3726 = t</span></span>, do <span class="CodeText"><span style=
3727 'font-size:10.0pt'>s</span></span> and <span class=
3728 "CodeText"><span style='font-size:10.0pt'>t</span></span> refer to
3729 the same object (that is, will changes to the value of
3730 <span class="CodeText"><span style=
3731 'font-size:10.0pt'>s</span></span> also change the value of
3732 <span class="CodeText"><span style=
3733 'font-size:10.0pt'>t</span></span>).</p>
3734 <p class="TextFontCX"> </p>
3735 <p class="TextFontCX">Splint prescribes that all abstract types
3736 have sharing semantics, so <span class=
3737 "CodeText"><span style='font-size:10.0pt'>s</span></span> and
3738 <span class="CodeText"><span style=
3739 'font-size:10.0pt'>t</span></span> would indeed be the same
3740 object. Splint will produce a warning if a mutable type
3741 is implemented with a representation (e.g., a <span class=
3742 "CodeText"><span style=
3743 'font-size:10.0pt'>struct</span></span>) that does not
3744 provide sharing semantics (controlled by <span class=
3746 'font-size:10.0pt'>mutrep</span></span> flag). </p>
3747 <p class="TextFontCX"> </p>
3748 <p class="TextFontCX">The mutability of an abstract type is not
3749 necessarily the same as the mutability of its representation. We
3750 could use the immutable concrete type <span class=
3751 "CodeText"><span style='font-size:10.0pt'>int</span></span> to
3752 represent mutable strings using an index into a string table, or
3753 declare <span class="CodeText"><span style=
3754 'font-size:10.0pt'>mstring</span></span> as immutable as long as no
3755 operations are provided that modify the value of an
3756 <span class="CodeText"><span style=
3757 'font-size:10.0pt'>mstring</span></span>.</p>
3758 <h2 style='margin-left:0in;text-indent:0in'><a name=
3759 "_Toc534974956"></a><a name="_Toc344355422"></a><a name=
3760 "_Ref343109614">4.4<span style=
3761 'font:7.0pt "Times New Roman"'> </span>
3762 Polymorphism</a></h2>
3763 <p class="TextFontCX">In C, all declarators must be declared to
3764 have exactly one type. This makes it impossible to write
3765 functions that operate on more than one type of parameter –
3766 for example, we cannot use the same square function for
3767 <span class="CodeText"><span style=
3768 'font-size:10.0pt'>int</span></span>s and <span class=
3769 "CodeText"><span style=
3770 'font-size:10.0pt'>float</span></span>s. Because of the
3771 stricter type checking made possible by Splint, it is often
3772 useful to declare a parameter that has more than one possible
3774 <p class="TextFontCX"> </p>
3775 <p class="TextFontCX">Splint provides alternate types to indicate
3776 that a declaration may be one of several possible types. The
3777 <span class="Annot"><span style='font-size:10.0pt'>/*@alt
3778 <i>type</i>,<sup>+</sup>@*/</span></span> annotation creates a
3779 union type. For example, <span class=
3780 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3781 <a href="mailto:/*@alt"><span class="Annot"><span style=
3782 'font-size:10.0pt'>/*@alt</span></span></a><span class=
3783 "Annot"><span style='font-size:10.0pt'>char,
3784 unsigned</span></span> <a href="mailto:char@*/"><span class=
3785 "Annot"><span style=
3786 'font-size:10.0pt'>char@*/</span></span></a><span class=
3787 "CodeText"><span style='font-size:10.0pt'>c</span></span>
3788 declares <span class="CodeText"><span style=
3789 'font-size:10.0pt'>c</span></span> such that either an
3790 <span class="CodeText"><span style=
3791 'font-size:10.0pt'>int</span></span>, <span class=
3792 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3793 or <span class="CodeText"><span style=
3794 'font-size:10.0pt'>unsigned char</span></span> value may be
3795 assigned to it without warning.</p>
3796 <p class="TextFontCX"> </p>
3797 <p class="TextFontCX">One use of alternate types is to specify the
3798 type of a macro that operates on multiple types of operands (see
3799 Section 11.2.1). Alternate types are also useful for
3800 declaring functions for which the return value may be safely
3801 ignored (see Section 8.4.2). A function can be declared to
3802 return <span class="CodeText"><i><span style=
3803 'font-size:10.0pt'>t</span></i></span> <a href=
3804 "mailto:/*@alt"><span class="Annot"><span style=
3805 'font-size:10.0pt'>/*@alt</span></span></a><a href=
3806 "mailto:void@*/"><span class="Annot"><span style=
3807 'font-size:10.0pt'>void@*/</span></span></a> to indicate that it
3808 returns a value of type <span class=
3809 "CodeText"><i><span style='font-size:10.0pt'>t</span></i></span>,
3810 but there should be not warning if that value is ignored.</p>
3811 <h1 style='margin-left:0in;text-indent:0in'><a name=
3812 "_Toc534974957"></a><a name="_Ref534008388">5<span style=
3813 'font:7.0pt "Times New Roman"'> </span>
3814 <a id="memory" name="memory">
3815 Memory Management</a>
3817 <p class="TextFontCX">About half the bugs in typical C programs can
3818 be attributed to memory management problems. Memory
3819 management bugs are notoriously difficult to detect through
3820 traditional techniques. Often, the symptom of the bug is far
3821 removed from its actual source. Memory management bugs often
3822 only appear sporadically and some bugs may only be apparent when
3823 compiler optimizations are turned on or the code is compiled on a
3824 different platform. Run-time tools offer some help, but are
3825 cumbersome to use and limited to detecting errors that occur when
3826 test cases are run. By detecting these errors statically, we
3827 can be confident that certain types of errors will never occur and
3828 provide verified documentation on the memory management behavior of
3829 a program. </p>
3830 <p class="TextFontCX"> </p>
3831 <p class="beforelist">Splint can detect many memory management
3832 errors at compile time including using storage that may have been
3833 deallocated (Section 5.2), memory leaks (Section 5.2), or
3834 returning a pointer to stack-allocated storage (Section
3836 <p align="right"><i><span style='font-size:9.0pt'>Yea, from the
3837 table of my memory I'll wipe away all trivial fond records, all
3839 all forms, all pressures past, that youth and observation copied
3840 there.</span></i><br>
3841 <span style='font-size:9.0pt'>Hamlet prefers
3842 garbage collection (Shakespeare, Hamlet. Act I, Scene
3844 <p class="afterlist">Most of these checks depend on annotations
3845 added to programs to document assumptions related to memory
3846 management and pointer values. By documenting these
3847 assumptions for function interfaces, variables, type definitions
3848 and structure fields, memory management bugs can be detected at
3849 their source — where an assumption is violated. In
3850 addition, precise documentation about memory management decisions
3851 makes it easier to change code.</p>
3852 <h2 style='margin-left:0in;text-indent:0in'><a name=
3853 "_Toc534974958"></a><a name="_Toc344355408">5.1<span style=
3854 'font:7.0pt "Times New Roman"'> </span>
3855 Storage Model</a></h2>
3856 <p class="TextFontCX">This section describes execution-time
3857 concepts for describing the state of storage more precisely than
3858 can be done using standard C terminology. Certain uses of
3859 storage are likely to indicate program bugs, and are reported as
3860 anomalies.<a href="#_ftn3" name="_ftnref3" title=
3861 ""><span class="MsoFootnoteReference"><b><span class=
3862 "MsoFootnoteReference"><b><span style=
3863 'font-size:11.0pt;font-family:"Times New Roman"'>[3]</span></b></span></b></span></a></p>
3864 <p class="TextFontCX"> </p>
3865 <p class="TextFontCX">Splint assumes a CLU-like object storage
3866 model.<a href="#_ftn4" name="_ftnref4" title=""><span class=
3867 "MsoFootnoteReference"><span class=
3868 "MsoFootnoteReference"><span style=
3869 'font-size:11.0pt;font-family:"Times New Roman"'>[4]</span></span></span></a>
3870 An <i>object</i> is a typed region of storage. Some objects
3871 use a fixed amount of storage that is allocated and deallocated
3872 automatically by the compiler. Other objects use dynamic
3873 storage that must be managed by the program.</p>
3874 <p class="TextFontCX"> </p>
3875 <p class="TextFontCX">Storage is <i>undefined</i> if it has not
3876 been assigned a value, and <i>defined</i> after it has been
3877 assigned a value. An object is <i>completely defined</i> if
3878 all storage that may be reached from it is defined. What
3879 storage is reachable from an object depends on the type and value
3880 of the object. For example, if <span class=
3881 "CodeText"><span style='font-size:10.0pt'>p</span></span> is a
3882 pointer to a structure, <span class="CodeText"><span style=
3883 'font-size:10.0pt'>p</span></span> is completely defined if the
3884 value of <span class="CodeText"><span style=
3885 'font-size:10.0pt'>p</span></span> is <span class=
3886 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>, or if
3887 every field of the structure <span class=
3888 "CodeText"><span style='font-size:10.0pt'>p</span></span>
3889 points to is completely defined.</p>
3890 <p class="TextFontCX"> </p>
3891 <p class="TextFontCX">When an expression is used as the left side
3892 of an assignment expression we say it is <i>used as an
3893 lvalue</i>. Its location in memory is used, but not its
3894 value. Undefined storage may be used as an lvalue since only
3895 its location is needed. When storage is used in any other
3896 way, such as on the right side of an assignment, as an operand to a
3897 primitive operator (including the indirection operator,
3898 <span class="CodeText"><span style=
3899 'font-size:10.0pt'>*</span></span>),<a href="#_ftn5" name=
3900 "_ftnref5" title=""><span class=
3901 "MsoFootnoteReference"><span class=
3902 "MsoFootnoteReference"><span style=
3903 'font-size:11.0pt;font-family:"Times New Roman"'>[5]</span></span></span></a>
3904 or as a function parameter, we say it is <i>used as an
3905 rvalue</i>. It is an anomaly to use undefined storage
3907 <p class="TextFontCX"> </p>
3908 <p class="TextFontCX">A <i>pointer</i> is a typed memory
3909 address. A pointer is either <i>live</i> or
3910 <i>dead</i>. A live pointer is either <span class=
3911 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> or an
3912 address within allocated storage. A pointer that points to an
3913 object is an <i>object</i> pointer. A pointer that points
3914 inside an object (e.g., to the third element of an allocated block)
3915 is an <i>offset</i> pointer. A pointer that points to
3916 allocated storage that is not defined is an <i>allocated</i>
3917 pointer. The result of dereferencing an allocated pointer is
3918 undefined storage. Hence, it is an anomaly to use it as an
3919 rvalue. A dead (or “dangling”) pointer does not
3920 point to allocated storage. A pointer becomes dead if the
3921 storage it points to is deallocated (e.g., the pointer is passed to
3922 the <span class="CodeText"><span style=
3923 'font-size:10.0pt'>free</span></span> library function.) It
3924 is an anomaly to use a dead pointer as an rvalue.</p>
3925 <p class="TextFontCX"> </p>
3926 <p class="TextFontCX">There is a special object <i>null</i>
3927 corresponding to the <span class="CodeText"><span style=
3928 'font-size:10.0pt'>NULL</span></span>pointer in a C program.
3929 A pointer that may have the value <span class=
3930 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> is a
3931 <i>possibly-null</i> pointer. It is an anomaly to use a
3932 possibly-null pointer where a non-null pointer is expected (e.g.,
3933 certain function arguments or the indirection operator).</p>
3934 <h2 style='margin-left:0in;text-indent:0in'><a name=
3935 "_Toc534974959"></a><a name="_Ref347476065"></a><a name=
3936 "_Ref347469133"></a><a name="_Ref347465595"></a><a name=
3937 "_Ref344893840"></a><a name="_Toc344355409">5.2<span style=
3938 'font:7.0pt "Times New Roman"'> </span>
3939 Deallocation Errors</a></h2>
3940 <p class="TextFontCX">There are two kinds of deallocation errors
3941 with which we are concerned: deallocating storage when there
3942 are other live references to the same storage, or failing to
3943 deallocate storage before the last reference to it is lost.
3944 To handle these deallocation errors, we introduce a concept of an
3945 obligation to release storage. Every time storage is
3946 allocated, it creates an obligation to release the storage.
3947 This obligation is attached to the reference to which the storage
3948 is assigned.<a href="#_ftn6" name="_ftnref6" title=
3949 ""><span class="MsoFootnoteReference"><span class=
3950 "MsoFootnoteReference"><span style=
3951 'font-size:11.0pt;font-family:"Times New Roman"'>[6]</span></span></span></a>
3952 Before the scope of the reference is exited or it is assigned
3953 to a new value, the storage to which it points must be
3954 released. Annotations can be used to indicate that
3955 this obligation is transferred through a return value,
3956 function parameter or assignment to an external
3958 <p align="right"><i><span style='font-size:9.0pt'>‘Tis in my
3959 memory lock’d, and you yourself shall keep the key of
3961 <span style='font-size:9.0pt'>Ophelia prefers explicit
3962 deallocation (Hamlet. Act I, Scene iii)</span></p>
3963 <h3 style='margin-left:0in;text-indent:0in'><a name=
3964 "_Toc534974960">5.2.1<span style=
3965 'font:7.0pt "Times New Roman"'> </span>
3966 Unshared References</a></h3>
3967 <p class="TextFontCX">The <span class="Annot"><span style=
3968 'font-size:10.0pt'>only</span></span> annotation is used to
3969 indicate a reference is the only pointer to the object it points
3970 to. We can view the reference as having an obligation to
3971 release this storage. This obligation is satisfied by
3972 transferring it to some other reference in one of three ways:</p>
3973 <p class="MsoListBullet"><span style=
3974 'font-family:Symbol'>·<span style=
3975 'font:7.0pt "Times New Roman"'> </span></span>
3976 pass it as an actual parameter corresponding to a formal parameter
3977 declared with an <span class="Annot"><span style=
3978 'font-size:10.0pt'>only</span></span>
3979 annotation </p>
3980 <p class="MsoListBullet"><span style=
3981 'font-family:Symbol'>·<span style=
3982 'font:7.0pt "Times New Roman"'> </span></span>
3983 assign it to an external reference declared with an
3984 <span class="Annot"><span style=
3985 'font-size:10.0pt'>only</span></span> annotation</p>
3986 <p class="MsoListBullet"><span style=
3987 'font-family:Symbol'>·<span style=
3988 'font:7.0pt "Times New Roman"'> </span></span>
3989 return it as a result declared with an <span class=
3990 "Annot"><span style='font-size:10.0pt'>only</span></span>
3992 <p class="afterlist">After the release obligation is transferred,
3993 the original reference is a dead pointer and the storage it points
3994 to may not be used.</p>
3995 <p class="TextFontCX"> </p>
3996 <p class="TextFontCX">All obligations to release storage stem from
3997 primitive allocation routines (e.g., <span class=
3998 "CodeText"><span style='font-size:10.0pt'>malloc</span></span>),
3999 and are ultimately satisfied by calls to <span class=
4000 "CodeText"><span style='font-size:10.0pt'>free</span></span>.
4001 The standard library declared the primitive allocation and
4002 deallocation routines.</p>
4003 <p class="TextFontCX"> </p>
4004 <p class="TextFontCX">The basic memory allocator,
4005 <span class="CodeText"><span style=
4006 'font-size:10.0pt'>malloc</span></span>, is declared:</p>
4007 <p class="example"><a href="mailto:/*@only@*/">/*@only@*/</a>
4008 /*@null@*/ void *malloc (size_t size);</p>
4009 <p class="TextFontCX">It returns an object that is referenced only
4010 by the function return value. </p>
4011 <p class="TextFontCX"> </p>
4012 <p class="TextFontCX">The deallocator, <span class=
4013 "CodeText"><span style='font-size:10.0pt'>free</span></span>, is
4014 declared:<a href="#_ftn7" name="_ftnref7" title=
4015 ""><span class="MsoFootnoteReference"><span class=
4016 "MsoFootnoteReference"><span style=
4017 'font-size:11.0pt;font-family:"Times New Roman"'>[7]</span></span></span></a></p>
4018 <p class="example">void free (/*@only@*/ <a href=
4019 "mailto:/*@out@*/">/*@out@*/</a> <a href=
4020 "mailto:/*@null@*/">/*@null@*/</a> void *ptr);</p>
4022 <table class="MsoNormalTable" border="0" cellspacing="0"
4023 cellpadding="0" style=
4024 'margin-left:5.4pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
4026 <td valign="top" style=
4027 'width:193.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4028 <p class="TextFontCX" align="center" style='text-align:center'>
4029 <a name="_Ref344990094"><span class="Keyword"><b><span style=
4030 'font-size:10.0pt;color:white'>only.c</span></b></span></a></p></td>
4031 <td valign="top" style=
4032 'width:225.0pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4033 <p class="TextFontCX" align="center" style='text-align:center'>
4034 <b><span style='color:white'>Running
4035 Splint</span></b></p></td></tr>
4037 <td valign="top" style=
4038 'width:193.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4039 <p class="Verbatim"><i><span style=
4040 'font-size:8.0pt;font-family:Arial'>1 </span></i>
4041 <span style='font-size:9.5pt'>extern /*@only@*/ int
4043 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
4044 <p class="Verbatim"><span style='font-size:9.5pt'>/*@only@*/ int
4046 <p class="Verbatim"><span style='font-size:9.5pt'>f (/*@only@*/ int
4047 *x, int *y,</span></p>
4048 <p class="Verbatim"><span style='font-size:9.5pt'> int
4050 <p class="Verbatim"><span style='font-size:9.5pt'> /*@globals
4052 <p class="Verbatim"><span style='font-size:9.5pt'>{</span></p>
4053 <p class="Verbatim"><i><span style=
4054 'font-size:8.0pt;font-family:Arial'> 8</span></i>
4055 <span style='font-size:9.5pt'>int *m = (int *)</span></p>
4056 <p class="Verbatim"><i><span style=
4057 'font-size:8.0pt;font-family:Arial'> 9</span></i><span style='font-size:9.5pt'>
4058 malloc (sizeof (int));</span></p>
4059 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
4060 <p class="Verbatim"><i><span style=
4061 'font-size:8.0pt;font-family:Arial'>11</span></i>
4062 <span style='font-size:9.5pt'>glob =
4063 y; </span> <i><span style=
4064 'font-size:9.5pt; font-family:"Times New Roman"'>Memory
4066 <p class="Verbatim"><i><span style=
4067 'font-size:8.0pt;font-family:Arial'>12</span></i>
4068 <span style='font-size:9.5pt'>free (x);</span></p>
4069 <p class="Verbatim"><i><span style=
4070 'font-size:8.0pt;font-family:Arial'>13</span></i>
4071 <span style='font-size:9.5pt'>*m =
4072 *x; </span> <i><span style=
4073 'font-size:9.5pt; font-family:"Times New Roman"'>Use after
4075 <p class="Verbatim"><i><span style=
4076 'font-size:8.0pt;font-family:Arial'>14</span></i>
4077 <span style='font-size:9.5pt'>return
4078 z; </span> <i><span style=
4079 'font-size:9.5pt; font-family:"Times New Roman"'>Memory leak
4080 detected</span></i><i><span style=
4081 'font-size:9.5pt;font-family:Arial'> </span></i></p>
4082 <p class="TextFontCX"><span style=
4083 'font-size: 9.5pt'>}</span></p></td>
4084 <td valign="top" style=
4085 'width:225.0pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4086 <p class="lclintrun">> splint only.c</p>
4087 <p class="lclintrun">only.c:11: Only storage glob (type int *) not
4089 <p class="lclintrun">
4090
4091 before assignment: glob = y</p>
4092 <p class="lclintrun"> only.c:1: Storage glob becomes
4094 <p class="lclintrun">only.c:11: Implicitly temp storage y assigned
4096 <p class="lclintrun">
4097
4099 <p class="lclintrun">only.c:13: Dereference of possibly null
4101 <p class="lclintrun"> only.c:8: Storage m may become
4103 <p class="lclintrun">only.c:13: Variable x used after being
4105 <p class="lclintrun"> only.c:12: Storage x released</p>
4106 <p class="lclintrun">only.c:14: Implicitly temp storage z returned
4108 <p class="lclintrun">only.c:14: Fresh storage m not released before
4110 <p class="lclintrun" style='page-break-after:avoid'>
4111 only.c:9: Fresh storage m
4112 allocated </p></td></tr></table>
4113 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4115 <td valign="top" align="left" style=
4116 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
4117 <p class="MsoCaption"><a name="_Toc534824610">Figure 6.
4118 Memory Management</a></p></td></tr></table>
4119 <p class="TextFontCX">The parameter to <span class=
4120 "CodeText"><span style='font-size:10.0pt'>free</span></span> must
4121 reference an unshared object. Since the parameter is declared
4122 using <span class="Annot"><span style=
4123 'font-size:10.0pt'>only</span></span>, the caller may not use the
4124 referenced object after the call, and may not pass in a reference
4125 to a shared object. There is nothing special about
4126 <span class="CodeText"><span style=
4127 'font-size:10.0pt'>malloc</span></span> and <span class=
4128 "CodeText"><span style='font-size:10.0pt'>free</span></span>
4129 — their behavior can be described entirely in terms of the
4130 provided annotations.</p>
4131 <h3 style='margin-left:0in;text-indent:0in'><a name=
4132 "_Ref347468963"></a><a name="_Toc534974961"></a><a name=
4133 "_Ref347469360">5.2.2<span style=
4134 'font:7.0pt "Times New Roman"'> </span>
4135 Temporary Parameters</a></h3>
4136 <p class="TextFontCX">The <span class="Annot"><span style=
4137 'font-size:10.0pt'>temp</span></span> annotation is used to
4138 declare a function parameter that is used temporarily by the
4139 function. An error is reported if the function releases the
4140 storage associated with a <span class="Annot"><span style=
4141 'font-size:10.0pt'>temp</span></span> formal parameter or creates
4142 new aliases to it that are visible after the function
4143 returns. Any storage may be passed as a <span class=
4144 "Annot"><span style='font-size:10.0pt'>temp</span></span>
4145 parameter, and it satisfies its original memory constraints after
4146 the function returns.</p>
4147 <h3 style='margin-left:0in;text-indent:0in'><a name=
4148 "_Toc534974962">5.2.3<span style=
4149 'font:7.0pt "Times New Roman"'> </span>
4150 Owned and Dependent References</a></h3>
4151 <p class="TextFontCX">In real programs it is sometimes necessary to
4152 have storage that is shared between several possibly
4153 references. The <span class="Annot"><span style=
4154 'font-size:10.0pt'>owned</span></span> and <span class=
4155 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
4156 annotations provide a more flexible way of managing storage, at the
4157 cost of less checking. The <span class=
4158 "Annot"><span style='font-size:10.0pt'>owned</span></span>
4159 annotation denotes a reference with an obligation to release
4160 storage. Unlike <span class="Annot"><span style=
4161 'font-size:10.0pt'>only</span></span>, however, other
4162 external references marked with <span class=
4163 "Annot"><span style=
4164 'font-size:10.0pt'>dependent</span></span> annotations may
4165 share this object. It is up to the programmer to ensure
4166 that the lifetime of a <span class="Annot"><span style=
4167 'font-size:10.0pt'>dependent</span></span> reference is
4168 contained within the lifetime of the corresponding
4169 <span class="Annot"><span style=
4170 'font-size:10.0pt'>owned</span></span> reference.</p>
4171 <h3 style='margin-left:0in;text-indent:0in'><a name=
4172 "_Toc534974963"></a><a name="_Ref347805800">5.2.4<span style=
4173 'font:7.0pt "Times New Roman"'> </span>
4174 Keep Parameters</a></h3>
4175 <p class="TextFontCX">The <span class="Annot"><span style=
4176 'font-size:10.0pt'>keep</span></span> annotation is similar to
4177 <span class="Annot"><span style=
4178 'font-size:10.0pt'>only</span></span>, except the caller may use
4179 the reference after the call. The called function must assign
4180 the <span class="Annot"><span style=
4181 'font-size:10.0pt'>keep</span></span> parameter to an
4182 <span class="Annot"><span style=
4183 'font-size:10.0pt'>only</span></span> reference, or pass it
4184 as a <span class="Annot"><span style=
4185 'font-size:10.0pt'>keep</span></span> parameter to another
4186 function. It is up to the programmer to make sure that
4187 the calling function does not use this reference after it is
4188 released. The <span class="Annot"><span style=
4189 'font-size:10.0pt'>keep</span></span> annotation is useful
4190 for adding an object to a collection (e.g., a symbol table),
4191 where it is known that it will not be deallocated until the
4193 <h3 style='margin-left:0in;text-indent:0in'><a name=
4194 "_Toc534974964"></a><a name="_Ref347469304">5.2.5<span style=
4195 'font:7.0pt "Times New Roman"'> </span>
4196 Shared References</a></h3>
4197 <p class="TextFontCX">If Splint is used to check a program designed
4198 to be used in a garbage-collected environment, there may be storage
4199 that is shared by one or more references and never explicitly
4200 released. The <span class="Annot"><span style=
4201 'font-size:10.0pt'>shared</span></span> annotation declares storage
4202 that may be shared arbitrarily, but never released.</p>
4203 <h3 style='margin-left:0in;text-indent:0in'><a name=
4204 "_Toc534974965"></a><a name="_Ref348341639">5.2.6<span style=
4205 'font:7.0pt "Times New Roman"'> </span>
4206 Stack References</a></h3>
4207 <p class="TextFontCX">Local variables that are not allocated
4208 dynamically are stored on a call stack. When a function
4209 returns, its stack frame is deallocated, destroying the storage
4210 associated with the function’s local variables. A
4211 memory error occurs if a pointer into this storage is live after
4212 the function returns. Splint detects errors involving stack
4213 references exported from a function through return values or
4214 assignments to references reachable from global variables or actual
4215 parameters. No annotations are needed to detect stack
4216 reference errors, since it is clear from a declaration if storage
4217 is allocated on the function stack. Figure 7 gives and
4218 example of errors reported involving stack-allocated storage.</p>
4220 <table class="MsoNormalTable" border="0" cellspacing="0"
4221 cellpadding="0" style=
4222 'margin-left:5.4pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
4224 <td valign="top" style=
4225 'width:2.25in;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4226 <p class="TextFontCX" align="center" style='text-align:center'>
4227 <span class="Keyword"><b><span style=
4228 'font-size:10.0pt; color:white'>stack.c</span></b></span></p></td>
4229 <td valign="top" style=
4230 'width:256.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4231 <p class="TextFontCX" align="center" style='text-align:center'>
4232 <b><span style='color:white'>Running
4233 Splint</span></b></p></td></tr>
4235 <td valign="top" style=
4236 'width:2.25in;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4237 <p class="Verbatim">int *glob;</p>
4238 <p class="Verbatim"> </p>
4239 <p class="Verbatim">/*@dependent@*/ int *</p>
4240 <p class="Verbatim"> f (int **x)</p>
4241 <p class="Verbatim">{</p>
4242 <p class="Verbatim"> int sa[2] = { 0, 1 };</p>
4243 <p class="Verbatim"> int loc = 3;</p>
4244 <p class="Verbatim"> </p>
4245 <p class="Verbatim"><span class="Line"><span style=
4246 'font-size:8.0pt'> 9</span></span> glob = &loc;</p>
4247 <p class="Verbatim"><span class="Line"><span style=
4248 'font-size:8.0pt'>10</span></span> *x = &sa[0];</p>
4249 <p class="Verbatim"> </p>
4250 <p class="Verbatim"><span class="Line"><span style=
4251 'font-size:8.0pt'>12</span></span> return &loc;</p>
4252 <p class="Verbatim">} </p></td>
4253 <td valign="top" style=
4254 'width:256.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4255 <p class="lclintrun">> splint stack.c</p>
4256 <p class="lclintrun">stack.c:12: Stack-allocated storage &loc
4258 <p class="lclintrun">
4259
4260 from return value: &loc</p>
4261 <p class="lclintrun">stack.c:12: Stack-allocated storage *x
4263 <p class="lclintrun">
4264
4266 <p class="lclintrun"> stack.c:10: Storage *x becomes
4268 <p class="lclintrun">stack.c:12: Stack-allocated storage glob
4270 <p class="lclintrun">
4271
4272 from global glob</p>
4273 <p class="lclintrun"> stack.c:9: Storage glob becomes
4275 <p class="lclintrun"> </p>
4276 <p class="TextFontCX" align="left" style=
4277 'text-align:left;page-break-after:avoid'><i>A</i>
4278 <span class="Annot"><span style=
4279 'font-size:10.0pt'>dependent</span></span> <i>annotation is
4280 used on the return value. Without this, other warnings
4281 would be reported, since the result would have an
4282 implicit</i> <span class="Annot"><span style=
4283 'font-size: 10.0pt'>only</span></span>
4284 <i>annotation.</i></p></td></tr></table>
4285 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4287 <td valign="top" style=
4288 'padding-top:5.05pt;padding-right: 9.35pt;padding-bottom:5.05pt;padding-left:9.35pt'>
4289 <p class="MsoCaption"><a name="_Toc534824611"></a><a name=
4290 "_Ref534821941">Figure 7</a>. Stack-Allocated
4291 Storage</p></td></tr></table></center>
4292 <h3 style='margin-left:0in;text-indent:0in'><a name=
4293 "_Toc534974966">5.2.7<span style=
4294 'font:7.0pt "Times New Roman"'> </span>
4295 Inner Storage</a></h3>
4296 <p class="TextFontCX">An annotation always applies to the outermost
4297 level of storage. For example,</p>
4298 <p class="example">/*@only@*/ int **x;</p>
4299 <p class="beforelist">declares <span class=
4300 "CodeText"><span style='font-size:10.0pt'>x</span></span> as
4301 an unshared pointer to a pointer to an <span class=
4302 "CodeText"><span style=
4303 'font-size:10.0pt'>int</span></span>. The <span class=
4304 "Flag"><span style='font-size:10.0pt'>only</span></span>
4305 annotation applies to <span class="CodeText"><span style=
4306 'font-size:10.0pt'>x</span></span>, but not to <span class=
4307 "CodeText"><span style=
4308 'font-size:10.0pt'>*x</span></span>. To apply
4309 annotations to inner storage a type definition may be
4311 <p class="Verbatim"> typedef /*@only@*/ int *oip;</p>
4312 <p class="Verbatim"> /*@only@*/ oip *x;</p>
4313 <p class="afterlist">Now, x is an <span class=
4314 "Annot"><span style='font-size:10.0pt'>only</span></span>
4315 pointer to an <span class="Annot"><span style=
4316 'font-size:10.0pt'>oip</span></span>, which is an
4317 <span class="Annot"><span style=
4318 'font-size:10.0pt'>only</span></span> pointer to an
4319 <span class="Annot"><span style=
4320 'font-size:10.0pt'>int</span></span>.</p>
4321 <p class="afterlist">When annotations are used in type definitions,
4322 they may be overridden in instance declarations. For
4324 <p class="example">/*@dependent@*/ oip x;</p>
4325 <p class="TextFontCX">makes <span class=
4326 "CodeText"><span style='font-size:10.0pt'>x</span></span> a
4327 <span class="Annot"><span style=
4328 'font-size:10.0pt'>dependent</span></span> pointer to an
4329 <span class="CodeText"><span style=
4330 'font-size:10.0pt'>int</span></span>. Another way to
4331 apply annotations to inner storage is to use a state clause
4332 (see Section 7.4).</p>
4333 <h2 style='margin-left:0in;text-indent:0in'><a name=
4334 "_Toc534974967"></a><a name="_Ref347812243"></a><a name=
4335 "_Ref344893978"></a><a name="_Toc344355410">5.3<span style=
4336 'font:7.0pt "Times New Roman"'> </span>
4337 Implicit Memory Annotations</a></h2>
4338 <p class="TextFontCX">Since it is important that Splint can check
4339 unannotated programs effectively, the meaning of declarations with
4340 no memory annotations is chosen to minimize the number of
4341 annotations needed to get useful checking on an unannotated
4343 <p class="TextFontCX"> </p>
4344 <p class="TextFontCX">An implicit memory management annotation may
4345 be assumed for declarations with no explicit memory management
4346 annotation. Implicit annotations are checked identically to
4347 the corresponding explicit annotation, except error messages
4348 indicate that they result from an implicit annotation. Figure
4349 8 illustrates some implicit annotations.</p>
4350 <p class="TextFontCX"> </p>
4351 <p class="TextFontCX">Unannotated function parameters are assumed
4352 to be <span class="Annot"><span style=
4353 'font-size:10.0pt'>temp</span></span>. This means if memory
4354 checking is turned on for an unannotated program, all functions
4355 that release storage referenced by a parameter or assign a global
4356 variable to alias the storage will produce error messages.
4357 (Controlled by <span class="Flag"><span style=
4358 'font-size:10.0pt'>paramimptemp</span></span>.)</p>
4359 <p class="TextFontCX"> </p>
4361 <table class="MsoNormalTable" border="0" cellspacing="0"
4362 cellpadding="0" style=
4363 'width:423.0pt;margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4364 <tr style='page-break-inside:avoid'>
4365 <td colspan="2" valign="top" style=
4366 'width:423.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4367 <p class="TextFontCX" align="center" style='text-align:center'>
4368 <span class="Keyword"><b><span style=
4369 'font-size:10.0pt; color:white'>implicit.c</span></b></span></p></td></tr>
4371 <td valign="top" style=
4372 'width:207.0pt;border-top:none;border-left: solid black 1.5pt;border-bottom:solid black 1.5pt;border-right:none; padding:0in 5.4pt 0in 5.4pt'>
4373 <p class="Verbatim">typedef struct {</p>
4374 <p class="Verbatim"> <span class=
4375 "implicit"><b>only</b></span> char *name;</p>
4376 <p class="Verbatim"> int val;</p>
4377 <p class="Verbatim">} *rec;</p>
4378 <p class="Verbatim"> </p>
4379 <p class="Verbatim">extern <span class=
4380 "implicit"><b>only</b></span> rec rec_last ;</p>
4381 <p class="Verbatim"> </p>
4382 <p class="Verbatim">extern <span class=
4383 "implicit"><b>only</b></span> rec</p>
4384 <p class="Verbatim"> rec_create (<span class=
4385 "implicit"><b>temp</b></span> char *name,</p>
4386 <p class="Verbatim">
4387
4389 <p class="TextFontCX"><i>Annotations in</i> <span class=
4390 "Keyword"><b><i><span style=
4391 'font-size:10.0pt;color:windowtext'>italics</span></i></b></span>
4392 <i>are not present in the code, but may be implied depending on
4393 flag settings.</i></p></td>
4394 <td valign="top" style=
4395 'width:3.0in;border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
4396 <p class="TextFontCX"> </p>
4397 <p class="TextFontCX" align="left" style='text-align:left'>
4398 <i>Implicit</i> <span class="Annot"><i><span style=
4399 'font-size:10.0pt'>only</span></i></span> <i>annotation on mutable
4400 structure field if</i> <span class="Flag"><span style=
4401 'font-size:10.0pt'>structimponly</span></span> <i>is on.</i></p>
4402 <p class="lclintrun"><i> </i></p>
4403 <p class="TextFontCX" align="left" style='text-align:left'>
4404 <i>Implicit</i> <span class="Annot"><span style=
4405 'font-size:10.0pt'>only</span></span> <i>annotation on mutable
4406 global variables if</i> <span class="Flag"><span style=
4407 'font-size:10.0pt'>globimponly</span></span> <i>is on.</i></p>
4408 <p class="TextFontCX" align="left" style='text-align:left'>
4410 <p class="TextFontCX" align="left" style=
4411 'text-align:left;page-break-after:avoid'><i>Implicit</i>
4412 <span class="Annot"><span style=
4413 'font-size:10.0pt'>only</span></span> <i>annotation on mutable
4414 function result if</i> <span class="Flag"><span style=
4415 'font-size: 10.0pt'>retimponly</span></span> <i>is set.
4416 Implicit</i> <span class="Annot"><span style=
4417 'font-size:10.0pt'>temp</span></span> <i>annotation on mutable
4418 parameter if</i> <span class="Flag"><span style=
4419 'font-size:10.0pt'>paramimptemp</span></span> <i>is
4420 set.</i></p></td></tr></table>
4421 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4423 <td valign="top" align="left" style=
4424 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
4425 <p class="MsoCaption"><a name="_Toc534824612"></a><a name=
4426 "_Ref534822006">Figure 8</a>. Implicit
4427 Annotations</p></td></tr></table></center>
4428 <p class="TextFontCX">Unannotated return values, structure fields
4429 and global variables are assumed to be <span class=
4430 "Annot"><span style='font-size:10.0pt'>only</span></span>.
4431 With implicit annotations (on by default), turning on memory
4432 checking for an unannotated program will produce errors for any
4433 function that does not return unshared storage or assignment of
4434 shared storage to a global variable or structure field. If an
4435 exposure qualifier is used (see Section 6.2), the implied
4436 <span class="Annot"><span style=
4437 'font-size: 10.0pt'>dependent</span></span> annotation is used
4438 instead of the more generally implied <span class=
4439 "Annot"><span style='font-size:10.0pt'>only</span></span>
4440 annotation. (Controlled by <span class=
4441 "Flag"><span style='font-size:10.0pt'>retimponly</span></span>,
4442 <span class="Flag"><span style=
4443 'font-size:10.0pt'>structimponly</span></span> and
4444 <span class="Flag"><span style=
4445 'font-size:10.0pt'>globimponly</span></span>. The
4446 <span class="Flag"><span style=
4447 'font-size:10.0pt'>allimponly</span></span> flag sets
4448 all of the implicit only flags.) </p>
4449 <h2 style='margin-left:0in;text-indent:0in'><a name=
4450 "_Toc534974968"></a><a name="_Ref534970957"></a><a name=
4451 "_Ref347469058"></a><a name="_Ref344907383"></a><a name=
4452 "_Toc344355411">5.4<span style=
4453 'font:7.0pt "Times New Roman"'> </span>
4454 Reference Counting</a></h2>
4455 <p class="TextFontCX">Another approach to memory management is to
4456 add a field to a type to explicitly keep track of the number of
4457 references to that storage. Every time a reference is added
4458 or lost the reference count is adjusted accordingly; if it would
4459 become zero, the storage is released. Reference counting it
4460 difficult to do without automatic checking since it is easy to
4461 forget to increment or decrement the reference count, and
4462 exceedingly difficult to track down these errors.</p>
4463 <p class="TextFontCX"> </p>
4464 <p class="TextFontCX">Splint supports reference counting by using
4465 annotations to constrain the use of reference counted storage in a
4466 manner similar to other memory management annotations.</p>
4467 <p class="TextFontCX"> </p>
4468 <p class="TextFontCX">A reference counted type is declared using
4469 the <span class="Annot"><span style=
4470 'font-size:10.0pt'>refcounted</span></span> annotation. Only
4471 pointer to <span class="CodeText"><span style=
4472 'font-size:10.0pt'>struct</span></span> types may be declared as
4473 <span class="Annot"><span style=
4474 'font-size:10.0pt'>refcounted</span></span>, since reference
4475 counted storage must have a field to count the references.
4476 One field in the structure (or integral type) is preceded by the
4477 <span class="Annot"><span style=
4478 'font-size:10.0pt'>refs</span></span> annotation to indicate that
4479 the value of this field is the number of live references to the
4480 structure. For example (in <span class="Keyword"><span style=
4481 'font-size:10.0pt;font-family:Arial; color:windowtext'>rstring.h</span></span>),</p>
4482 <p class="Verbatim" style='margin-top:6.0pt'>
4483 typedef /*@abstract@*/
4484 /*@refcounted@*/ struct {</p>
4485 <p class="Verbatim">
4486 /*@refs@*/ int refs;</p>
4487 <p class="Verbatim"> char
4489 <p class="Verbatim"> } *rstring;</p>
4490 <p class="afterlist">declares <span class=
4491 "CodeText"><span style='font-size:10.0pt'>rstring</span></span>
4492 as an abstract, reference-counted type. The
4493 <span class="CodeText"><span style=
4494 'font-size:10.0pt'>refs</span></span> field counts the number
4495 of references and the <span class="CodeText"><span style=
4496 'font-size:10.0pt'>contents</span></span> field holds the
4497 contents of a string.</p>
4498 <p class="TextFontCX"> </p>
4500 <table class="MsoNormalTable" border="0" cellspacing="0"
4501 cellpadding="0" style=
4502 'width:425.5pt;margin-left:.2in;border-collapse:collapse'>
4504 <td valign="top" style=
4505 'width:267.05pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4506 <p class="TextFontCX" align="center" style='text-align:center'>
4507 <span class="Keyword"><b><span style=
4508 'font-size:10.0pt; color:white'>rstring.c</span></b></span></p></td>
4509 <td valign="top" style=
4510 'width:158.45pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4511 <p class="TextFontCX" align="center" style='text-align:center'>
4512 <b><span style='color:white'>Running
4513 Splint</span></b></p></td></tr>
4515 <td valign="top" style=
4516 'width:267.05pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4517 <p class="Verbatim"><span style='font-size:9.0pt'># include
4518 "rstring.h"</span></p>
4519 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
4520 <p class="Verbatim"><span style='font-size:9.0pt'>static rstring
4521 rstring_ref (rstring r)</span></p>
4522 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
4523 <p class="Verbatim"><span style='font-size:9.0pt'>
4524 r->refs++;</span></p>
4525 <p class="Verbatim"><span class="Line"><span style=
4526 'font-size:8.0pt'>6</span></span> <span style=
4527 'font-size:9.0pt'>return r;</span></p>
4528 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
4529 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
4530 <p class="Verbatim"><span style='font-size:9.0pt'>rstring
4531 rstring_first (rstring r1, rstring r2)</span></p>
4532 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
4533 <p class="Verbatim"><span style='font-size:9.0pt'> if (strcmp
4534 (r1->contents, r2->contents) < 0)</span></p>
4535 <p class="Verbatim"><span class="Line"><span style=
4536 'font-size:8.0pt'>12</span></span><span style=
4537 'font-size:9.0pt'> return r1;</span></p>
4538 <p class="Verbatim"><span style='font-size:9.0pt'>
4540 <p class="Verbatim"><span class="Line"><span style=
4541 'font-size:8.0pt'>14</span></span><span style=
4542 'font-size:9.0pt'> return rstring_ref
4544 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
4545 <td valign="top" style=
4546 'width:158.45pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4547 <p class="lclintrun">> splint rstring.c</p>
4548 <p class="lclintrun">rstring.c:12: Reference counted </p>
4549 <p class="lclintrun"> storage returned without
4551 <p class="lclintrun"> reference count: r1</p>
4552 <p class="lclintrun"><i> </i></p>
4553 <p class="TextFontCX" align="left" style='text-align:left'>
4554 <i><span style='font-size:10.0pt'>No error is reported for line 6
4555 since the reference count was incremented. No error is
4556 reported for line 14, since</span></i> <span class=
4557 "CodeText"><i><span style=
4558 'font-size:10.0pt'>rstring_ref</span></i></span><i><span style='font-size:10.0pt'>
4559 returns a new reference.</span></i></p>
4560 <p class="TextFontCX" align="left" style=
4561 'text-align:left;page-break-after:avoid'><span style=
4562 'font-size:10.0pt'> </span></p></td></tr></table>
4563 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
4566 <td valign="top" align="left" style=
4567 'padding-top:.1in;padding-right: 0in;padding-bottom:.1in;padding-left:0in'>
4568 <p class="MsoCaption"><a name="_Toc534824613"></a><a name=
4569 "_Ref534822069">Figure 9</a>. Reference
4570 Counting</p></td></tr></table></center>
4573 <p class="TextFontCX">All functions that return <span class=
4574 "Annot"><span style='font-size:10.0pt'>refcounted</span></span>
4575 storage must increase the reference count before returning.
4576 Splint cannot determine if the reference count was increased, so
4577 any function that directly returns a reference to
4578 <span class="Annot"><span style=
4579 'font-size:10.0pt'>refcounted</span></span> storage will
4580 produce an error. This is avoided, by using a function
4581 to return a new reference (e.g., <span class=
4582 "CodeText"><span style=
4583 'font-size:10.0pt'>rstring_ref</span></span> in Figure
4585 <p class="TextFontCX"> </p>
4586 <p class="TextFontCX">A reference counted type may be passed as a
4587 <span class="Annot"><span style=
4588 'font-size:10.0pt'>temp</span></span> or <span class=
4589 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
4590 parameter. It may not be passed as an <span class=
4591 "Annot"><span style='font-size:10.0pt'>only</span></span>
4592 parameter. Instead, the <span class=
4593 "Annot"><span style='font-size:10.0pt'>killref</span></span>
4594 annotation is used to denote a parameter whose reference is
4595 eliminated by the function call. Like <span class=
4596 "Annot"><span style='font-size:10.0pt'>only</span></span>
4597 parameters, an actual parameter corresponding to a
4598 <span class="Annot"><span style=
4599 'font-size:10.0pt'>killref</span></span> formal parameter may
4600 not be used in the calling function after the call.
4601 Splint checks that the implementation of a function releases
4602 all <span class="Annot"><span style=
4603 'font-size:10.0pt'>killref</span></span> parameters, either
4604 by passing them as <span class="Annot"><span style=
4605 'font-size: 10.0pt'>killref</span></span> parameters, or
4606 assigning or returning them without increasing the reference
4608 <h1 style='margin-left:0in;text-indent:0in'><a name=
4609 "_Ref348845247"></a><a name="_Ref348796245"></a><a name=
4610 "_Toc344355413"></a><a name="_Ref344355210"></a><a name=
4611 "_Ref343064238"></a><a name="_Ref343064188"></a><a name=
4612 "_Toc534974969"></a><a name="_Ref534642796"></a><a name=
4613 "_Ref534642146">6<span style=
4614 'font:7.0pt "Times New Roman"'> </span>
4615 <a id="sharing" name="sharing">
4616 Sharing</a></a></h1>
4617 <p class="TextFontCX">Errors involving unexpected sharing of
4618 storage can cause serious problems. Undocumented sharing may
4619 lead to unpredictable modifications, and some library calls (e.g.,
4620 <span class="CodeText"><span style=
4621 'font-size:10.0pt'>strcpy</span></span>) have undefined behavior if
4622 parameters share storage. Another class of sharing errors
4623 occurs when clients of an abstract type may obtain a reference to
4624 mutable storage that is part of the abstract representation.
4625 This exposes the representation of the abstract type, since clients
4626 may modify an instance of the abstract type indirectly through this
4628 <h2 style='margin-left:0in;text-indent:0in'><a name=
4629 "_Ref534977801"></a><a name="_Toc534974970">6.1<span style=
4630 'font:7.0pt "Times New Roman"'> </span>
4632 <p class="TextFontCX">Splint detects errors involving dangerous
4633 aliasing of parameters. Some of these errors are already
4634 detected through the standard memory annotations (e.g.,
4635 <span class="Annot"><span style=
4636 'font-size:10.0pt'>only</span></span> parameters may not
4637 be aliases.) Two additional annotations are
4638 provided for constraining aliasing of parameters and return
4640 <h3 style='margin-left:0in;text-indent:0in'><a name=
4641 "_Toc534974971"></a><a name="_Ref347469444">6.1.1<span style=
4642 'font:7.0pt "Times New Roman"'> </span>
4643 Unique Parameters</a></h3>
4644 <p class="TextFontCX">The <span class="Annot"><span style=
4645 'font-size:10.0pt'>unique</span></span> annotation denotes a
4646 parameter that may not be aliased by any other storage reachable
4647 from the function implementation — that is, any storage
4648 reachable through the other parameters or global variables used by
4649 the function. The <span class="Annot"><span style=
4650 'font-size:10.0pt'>unique</span></span> annotation places similar
4651 constraints on function parameters as the <span class=
4652 "Annot"><span style='font-size:10.0pt'>only</span></span>
4653 annotation, but it does not transfer the obligation to release
4654 storage. Splint will report an error if a <span class=
4655 "Annot"><span style='font-size:10.0pt'>unique</span></span>
4656 parameter may be aliased by another parameter or global
4658 <p class="TextFontCX"> </p>
4659 <p class="TextFontCX">Splint reports an error if a function returns
4660 a reference to storage reachable from one of its parameters (if
4661 <span class="Flag"><span style=
4662 'font-size:10.0pt'>retalias</span></span> is on) since this may
4663 introduce unexpected aliases in the body of the calling function
4664 when the result is assigned.</p>
4665 <p class="TextFontCX"> </p>
4666 <p class="TextFontCX">Figure 10 illustrated sharing checks.
4667 An error is reported since the first parameter to the library
4668 function <span class="CodeText"><span style=
4669 'font-size:10.0pt'>strcpy</span></span> is declared with
4670 unique. If a <span class="CodeText"><span style=
4671 'font-size:10.0pt'>unique</span></span> qualifier were added to the
4672 parameter declaration for <span class="CodeText"><span style=
4673 'font-size:10.0pt'>s</span></span> or <span class=
4674 "CodeText"><span style='font-size:10.0pt'>t</span></span>, no error
4675 would be reported. </p>
4677 <table class="MsoNormalTable" border="0" cellspacing="0"
4678 cellpadding="0" style=
4679 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4681 <td valign="top" style=
4682 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4683 <p class="TextFontCX" align="center" style='text-align:center'>
4684 <span class="Keyword"><b><span style=
4685 'font-size:10.0pt; color:white'>unique.c</span></b></span></p></td>
4686 <td valign="top" style=
4687 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4688 <p class="TextFontCX" align="center" style='text-align:center'>
4689 <b><span style='color:white'>Running
4690 Splint</span></b></p></td></tr>
4692 <td valign="top" style=
4693 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4694 <p class="Verbatim"># include <string.h></p>
4695 <p class="Verbatim"> </p>
4696 <p class="Verbatim">void </p>
4697 <p class="Verbatim">capitalize (/*@out@*/ char *s,</p>
4698 <p class="Verbatim">
4699 char *t)</p>
4700 <p class="Verbatim">{</p>
4701 <p class="Verbatim"><span class="Line"><span style=
4702 'font-size:8.0pt'> 7</span></span> strcpy (s, t);</p>
4703 <p class="Verbatim"> *s = toupper (*s);</p>
4704 <p class="Verbatim">}</p></td>
4705 <td valign="top" style=
4706 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4707 <p class="lclintrun">> splint unique.c</p>
4708 <p class="lclintrun"> </p>
4709 <p class="lclintrun">unique.c: (in function capitalize)</p>
4710 <p class="lclintrun">unique.c:7: Parameter 1 (s) to function strcpy
4712 <p class="lclintrun"> declared unique but may be
4713 aliased externally by</p>
4714 <p class="lclintrun"> parameter 2 (t)</p>
4715 <p class="lclintrun"> </p></td></tr></table>
4716 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4718 <td valign="top" align="left" style=
4719 'padding-top:6.5pt;padding-right: 9.35pt;padding-bottom:6.5pt;padding-left:9.35pt'>
4720 <p class="MsoCaption"><a name="_Toc534824614"></a><a name=
4721 "_Ref534822167">Figure 10</a>. Unique
4722 parameters</p></td></tr></table></center>
4723 <h3 style='margin-left:0in;text-indent:0in'><a name=
4724 "_Toc534974972"></a><a name="_Ref347469448">6.1.2<span style=
4725 'font:7.0pt "Times New Roman"'> </span>
4726 Returned Parameters</a></h3>
4727 <p class="TextFontCX">The <span class="Annot"><span style=
4728 'font-size:10.0pt'>returned</span></span> annotation denotes a
4729 parameter that may be aliased by the return value. Splint
4730 checks the call assuming the result may be an alias to the
4731 <span class="Annot"><span style=
4732 'font-size:10.0pt'>returned</span></span> parameter.</p>
4733 <p class="TextFontCX"> </p>
4734 <p class="TextFontCX">Consider the following code excerpt:</p>
4735 <p class="TextFontCX"> </p>
4736 <p class="Verbatim">extern intSet intSet_insert (/*@returned@*/
4737 intSet s, int x);</p>
4738 <p class="Verbatim"> </p>
4739 <p class="Verbatim">intSet intSet_singleton (int x)</p>
4740 <p class="Verbatim">{</p>
4741 <p class="Verbatim"><span class="Line"><span style=
4742 'font-size:8.0pt'>7</span></span> return (intSet_insert
4743 (intSet_new (), x));</p>
4744 <p class="TextFontCX">}</p>
4745 <p class="TextFontCX"> </p>
4746 <p class="TextFontCX">Without the <span class=
4747 "Annot"><span style='font-size:10.0pt'>returned</span></span>
4748 qualifier on the parameter to <span class=
4749 "CodeText"><span style=
4750 'font-size:10.0pt'>intSet_insert</span></span>, a memory leak
4751 error would be reported for line 7, since the <span class=
4752 "Annot"><span style='font-size:10.0pt'>only</span></span>
4753 storage returned by <span class="CodeText"><span style=
4754 'font-size:10.0pt'>intSet_new</span></span> is not
4755 released. Because of the <span class=
4756 "Annot"><span style='font-size:10.0pt'>returned</span></span>
4757 qualifier, Splint assumes the result of <span class=
4758 "CodeText"><span style=
4759 'font-size:10.0pt'>intSet_insert</span></span> is the same
4760 storage as its first parameter, in this case the storage
4761 returned by <span class="CodeText"><span style=
4762 'font-size:10.0pt'>intSet_new</span></span>. No error
4763 is reported, since the only storage is then transferred
4764 through the return value (which has an implicit only
4765 annotation, see Section 5.3).</p>
4766 <h2 style='margin-left:0in;text-indent:0in'><a name=
4767 "_Ref344907981"></a><a name="_Ref344894258"></a><a name=
4768 "_Ref344809320"></a><a name="_Toc344355414"></a><a name=
4769 "_Toc534974973"></a><a name="_Ref345591408"></a><a name=
4770 "_Ref345591053">6.2<span style=
4771 'font:7.0pt "Times New Roman"'> </span>
4773 <p class="TextFontCX">Splint detects places where the
4774 representation of an abstract type is exposed. This occurs if
4775 a client has a pointer to storage that is part of the
4776 representation of an instance of the abstract type. The
4777 client can then modify or examine the storage this points to, and
4778 manipulate the value of the abstract type instance without using
4780 <p class="TextFontCX"> </p>
4781 <p class="TextFontCX">There are three ways a representation may be
4783 <p class="TextFontCX" style=
4784 'margin-left:.25in; text-indent:-.25in'>1.<span style=
4785 'font:7.0pt "Times New Roman"'> </span>
4786 Returning (or assigning to a global variable) an object that
4787 includes a pointer to a mutable component of an abstract
4788 type representation. (Controlled by <span class=
4790 'font-size:10.0pt'>ret-expose</span></span>).</p>
4791 <p class="TextFontCX" style=
4792 'margin-left:.25in; text-indent:-.25in'>2.<span style=
4793 'font:7.0pt "Times New Roman"'> </span>
4794 Assigning a mutable component of an abstract object to storage
4795 reachable from an actual parameter or a global variable that may be
4796 used after the call. This means the client may
4797 manipulate the abstract object using the actual parameter after the
4798 call. Note that if the corresponding formal parameter is
4799 declared <span class="Annot"><span style=
4800 'font-size:10.0pt'>only</span></span>, the caller may not use the
4801 actual parameter after the call so the representation is not
4802 exposed. (Controlled by <span class="Flag"><span style=
4803 'font-size:10.0pt'>assign-expose</span></span>).</p>
4804 <p class="TextFontCX" style=
4805 'margin-left:.25in; text-indent:-.25in'>3.<span style=
4806 'font:7.0pt "Times New Roman"'> </span>
4807 Casting mutable storage to or from an abstract type.
4808 (Controlled by <span class="Flag"><span style=
4809 'font-size:10.0pt'>cast-expose</span></span>).</p>
4810 <p class="afterlist">Annotations may be used to allow exposed
4811 storage to be returned safely by restricting how the caller may use
4812 the returned storage.</p>
4813 <h3 style='margin-left:0in;text-indent:0in'><a name=
4814 "_Toc534974974"></a><a name="_Ref347469553">6.2.1<span style=
4815 'font:7.0pt "Times New Roman"'> </span>
4816 Read-Only Storage</a></h3>
4817 <p class="beforelist">It is often useful for a function to return a
4818 pointer to internal storage (or an instance of a mutable abstract
4819 type) that is intended only as an <i>observer</i>. The caller
4820 may use the result, but should not modify the storage it points
4821 to. For example, consider a naïve implementation of the
4822 <span class="CodeText"><span style=
4823 'font-size:10.0pt'>employee_getName</span></span> operation for the
4824 abstract <span class="CodeText"><span style=
4825 'font-size:10.0pt'>employee</span></span> type:</p>
4826 <p class="Verbatim"> typedef /*@abstract@*/ struct
4828 <p class="Verbatim"> char *name;</p>
4829 <p class="Verbatim"> int id;</p>
4830 <p class="Verbatim"> } *employee;</p>
4831 <p class="Verbatim"> …</p>
4832 <p class="Verbatim"> char *employee_getName (employee
4833 e) { return e->name; }</p>
4834 <p class="afterlist">Splint produces a message to indicate that the
4835 return value exposes the representation. One solution would
4836 be to return a fresh copy of <span class=
4837 "CodeText"><span style='font-size:10.0pt'>e->name</span></span>.
4838 This is expensive, though, especially if we expect
4839 <span class="CodeText"><span style=
4840 'font-size:10.0pt'>employee_getName</span></span> is used
4841 mainly just to get a string for searching or printing.
4842 Instead, we could change the declaration of <span class=
4843 "CodeText"><span style=
4844 'font-size:10.0pt'>employee_getName</span></span> to:</p>
4845 <p class="example">extern /*@observer@*/ char *employee_getName
4847 <p class="TextFontCX">Now, the original implementation is
4848 correct. The declaration indicates that the caller may not
4849 modify the result, so it is acceptable to return shared
4850 storage. (The program must also not use the returned observer
4851 storage after any other calls to the abstract type module using the
4852 same parameter. Splint does not attempt to check this, and in
4853 practice it is rarely a problem.) Splint checks that the
4854 caller does not modify the return value. An error is reported
4855 if observer storage is modified directly, passed as a function
4856 parameter that may be modified, assigned to a global variable or
4857 reference derivable from a global variable that is not declared
4858 with an <span class="Annot"><span style=
4859 'font-size: 10.0pt'>observer</span></span> annotation , or returned
4860 as a function result or a reference derivable from the function
4861 result that is not annotation with an <span class=
4862 "Annot"><span style='font-size:10.0pt'>observer</span></span>
4864 <h4 style='margin-left:0in;text-indent:0in'><a name=
4865 "_Ref347469563"></a><a name="_Ref348017065">String
4867 <p class="TextFontCX">A program that attempts to modify a
4868 string literal has undefined behavior [ISO, 6.4.5]. This is
4869 not enforced by most C compilers, and can lead to particularly
4870 pernicious bugs that only appear when optimizations are turned on
4871 and the compiler attempts to minimize storage for string
4872 literals. Splint can be used to check that string literals
4873 are not modified, by treating them as -<span class=
4874 "Annot"><span style=
4875 'font-size:10.0pt'>observer</span></span> storage. If
4876 <span class="Flag"><span style=
4877 'font-size:10.0pt'>+read-only-strings</span></span> is set (default
4878 in standard mode), Splint will report an error if a string literal
4880 <h3 style='margin-left:0in;text-indent:0in'><a name=
4881 "_Toc534974975">6.2.2<span style=
4882 'font:7.0pt "Times New Roman"'> </span>
4883 Exposed Storage</a></h3>
4884 <p class="TextFontCX">Sometimes it is necessary to expose the
4885 representation of an abstract type. This may be evidence of a
4886 design flaw, but in some cases is justified for efficiency
4887 reasons. The <span class="Annot"><span style=
4888 'font-size:10.0pt'>exposed</span></span> annotation denotes
4889 storage that is exposed. It may be used on a return value for
4890 results that reference storage internal to an abstract
4891 representation, on a parameter value to indicate a parameter that
4892 may be assigned directly to part of an abstract representation
4893 (note that if the parameter is annotated with <span class=
4894 "Annot"><span style='font-size:10.0pt'>only</span></span>, it is
4895 not an error to assign it to part of an abstract representation,
4896 since the caller may not use the storage after the call returns),
4897 or on a field of an abstract representation to indicate that
4898 external references to the storage may exist. <a name=
4899 "_Toc344355415"></a><a name="_Ref343064165"></a><a name=
4900 "_Ref347254440"></a><a name="_Ref347169365">An error is reported
4901 if</a> <span class="Annot"><span style=
4902 'font-size:10.0pt'>exposed</span></span> storage is released, but
4903 unlike an <span class="Annot"><span style=
4904 'font-size:10.0pt'>observer</span></span>, no error is reported if
4905 it is modified. Figure 11 shows examples of exposure problems
4906 detected by Splint.</p>
4907 <p class="TextFontCX"> </p>
4909 <table class="MsoNormalTable" border="0" cellspacing="0"
4910 cellpadding="0" style=
4911 'margin-left:6.75pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4913 <td width="45%" valign="top" style=
4914 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4915 <p class="TextFontCX" align="center" style='text-align:center'>
4916 <span class="Keyword"><b><span style=
4917 'font-size:10.0pt; color:white'>exposure.c</span></b></span></p></td>
4918 <td valign="top" style=
4919 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4920 <p class="TextFontCX" align="center" style='text-align:center'>
4921 <b><span style='color:white'>Running
4922 Splint</span></b></p></td></tr>
4924 <td valign="top" style=
4925 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4926 <p class="Verbatim"># include "employee.h"</p>
4927 <p class="Verbatim"> </p>
4928 <p class="Verbatim">char *</p>
4929 <p class="Verbatim">employee_getName (employee e)</p>
4930 <p class="Verbatim">{</p>
4931 <p class="Verbatim"><span class="Line"><span style=
4932 'font-size:8.0pt'>6</span></span> return e->name;</p>
4933 <p class="Verbatim">}</p>
4934 <p class="Verbatim"> </p>
4935 <p class="Verbatim">/*@observer@*/ char *</p>
4936 <p class="Verbatim">employee_obsName (employee e)</p>
4937 <p class="Verbatim">{ return e->name; }</p>
4938 <p class="Verbatim"> </p>
4939 <p class="Verbatim">/*@exposed@*/ char *</p>
4940 <p class="Verbatim">employee_exposeName (employee e)</p>
4941 <p class="Verbatim">{ return e->name; }</p>
4942 <p class="Verbatim"> </p>
4943 <p class="Verbatim">void</p>
4944 <p class="Verbatim">employee_capName (employee e)</p>
4945 <p class="Verbatim">{</p>
4946 <p class="Verbatim"> char *name;</p>
4947 <p class="Verbatim"> </p>
4948 <p class="Verbatim"> name = employee_obsName (e);</p>
4949 <p class="Verbatim"><span class="Line"><span style=
4950 'font-size:8.0pt'>23</span></span> *name = toupper (*name);</p>
4951 <p class="Verbatim">}</p></td>
4952 <td valign="top" style=
4953 'border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
4954 <p class="lclintrun">> splint exposure.c +checks</p>
4955 <p class="lclintrun"> </p>
4956 <p class="lclintrun">exposure.c:6: Function returns reference
4958 <p class="lclintrun">
4959
4960 parameter e: e->name</p>
4961 <p class="lclintrun">exposure.c:6: Return value exposes rep of</p>
4962 <p class="lclintrun">
4963
4964 employee: e->name</p>
4965 <p class="lclintrun">exposure.c:6: Released storage e->name
4967 <p class="lclintrun">
4968
4969 from parameter at return point</p>
4970 <p class="lclintrun"> exposure.c:6: Storage e->name
4972 <p class="lclintrun">exposure.c:23: Suspect modification of
4974 <p class="lclintrun">
4975
4976 name: *name = toupper(*name)</p>
4977 <p class="TextFontCX" style='page-break-after: avoid'> </p>
4978 <p class="TextFontCX" align="left" style=
4979 'text-align:left;page-break-after:avoid'><i><span style=
4980 'font-size: 10.0pt'>Three messages are reported for line 6 where a
4981 mutable field of an abstract type is returned with no sharing
4982 qualifier (without</span></i> <span class="Flag"><span style=
4983 'font-size:10.0pt'>+checks</span></span><i><span style=
4984 'font-size:10.0pt'>only the third one would be reported.) The
4985 error for line 23 reports a modification of an observer. If
4986 the call in line 22 were changed to call</span></i>
4987 <span class="CodeText"><span style=
4988 'font-size: 10.0pt'>employee_exposeName</span></span><i><span style='font-size:10.0pt'>
4989 , no error would be reported.</span></i></p></td></tr></table>
4990 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4992 <td valign="top" style=
4993 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
4994 <p class="MsoCaption"><a name="_Toc534824615">Figure 11.
4995 Exposure</a></p></td></tr></table></center>
4996 <p class="TextFontCX"> </p>
4997 <h1 style='margin-left:0in;text-indent:0in'><a name=
4998 "_Ref361649198"></a><a name="_Ref361649165"></a><a name=
4999 "_Ref354415790"></a><a name="_Ref350062908"></a><a name=
5000 "_Ref348845273"></a><a name="_Ref345591297"></a><a name=
5001 "_Ref344916609"></a><a name="_Ref344894369"></a><a name=
5002 "_Ref344891459"></a><a name="_Ref344798185"></a><a name=
5003 "_Toc344355418"></a><a name="_Toc534974976"></a><a name=
5004 "_Ref534014913"></a><a name="_Ref534014715"></a><a name=
5005 "_Ref348871484">7<span style=
5006 'font:7.0pt "Times New Roman"'> </span>
5007 <a id="function" name="function">
5008 Function Interfaces</a></a></h1>
5009 <p class="TextFontCX">Functions communicate with their calling
5010 environment through an interface. The caller communicates the
5011 values of actual parameters and global variables to the function,
5012 and the function communicates to the caller through the return
5013 value, global variables and storage reachable from the actual
5014 parameters. By keeping interfaces narrow (restricting the
5015 amount of information visible across a function interface), we can
5016 understand and implement functions independently. </p>
5017 <p class="TextFontCX"> </p>
5018 <p class="TextFontCX">A function prototype documents the interface
5019 to a function. It serves as a contract between the function
5020 and its caller. In early versions of C, the function
5021 “prototype” was very limited. It described the
5022 type returned by the function but nothing about its
5023 parameters. ANSI C (1989) provided function prototypes with
5024 the ability to add information on the number and types of parameter
5025 to a function. Splint provides the means to express much more
5026 about a function interface such as what global variable the
5027 function may use and what values visible to the caller it may
5029 <p class="TextFontCX"> </p>
5030 <p class="TextFontCX">The extra interface information places
5031 constraints on both how the function may be called and how it may
5032 be implemented. Splint reports places where these constraints
5033 are not satisfied. Typically, these indicate bugs in the code
5034 or errors in the interface documentation.</p>
5035 <p class="TextFontCX"> </p>
5036 <p class="TextFontCX">This section describes annotations that may
5037 be added to a function declaration to document what global
5038 variables the function implementation may use and what values
5039 visible to its caller it may modify.</p>
5040 <h2 style='margin-left:0in;text-indent:0in'><a name=
5041 "_Toc534974977"></a><a name="_Ref348845225"></a><a name=
5042 "_Ref344908335"></a><a name="_Ref344892358"></a><a name=
5043 "_Toc344355403">7.1<span style=
5044 'font:7.0pt "Times New Roman"'> </span>
5045 Modifications</a></h2>
5046 <p class="TextFontCX">The modifies clause lists what values visible
5047 to the caller may be modified by a function. Modifies clauses
5048 limit what values a function may modify, but they do not require
5049 that listed values are always modified. The declaration,</p>
5050 <p class="example">int f (int *p, int *q) /*@modifies *p@*/;</p>
5051 <p class="TextFontCX">declares a function <span class=
5052 "CodeText"><span style='font-size:10.0pt'>f</span></span> that may
5053 modify the value pointed to by its first argument but may not
5054 modify the value of its second argument or any global state.</p>
5055 <p class="TextFontCX"> </p>
5056 <p class="TextFontCX">Splint checks that a function does not modify
5057 any caller-visible value not encompassed by its modifies clause and
5058 does modify all values listed in its modifies clause on some
5059 possible execution of the function. Figure 12 shows an
5060 example of modifies checking done by Splint.</p>
5061 <p class="TextFontCX"> </p>
5063 <table class="MsoNormalTable" border="0" cellspacing="0"
5064 cellpadding="0" style='margin-left:5.4pt;border-collapse:collapse'
5067 <td width="40%" valign="top" style=
5068 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.5pt'>
5069 <p class="TextFontCX" align="center" style='text-align:center'>
5070 <a name="_Ref344908343"><span class="Keyword"><b><span style=
5071 'font-size:10.0pt;color:white'>modify.c</span></b></span></a></p></td>
5072 <td width="60%" valign="top" style=
5073 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.5pt'>
5074 <p class="TextFontCX" align="center" style='text-align:center'>
5075 <b><span style='color:white'>Running
5076 Splint</span></b></p></td></tr>
5077 <tr style='height:120.9pt'>
5078 <td valign="top" style=
5079 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:120.9pt'>
5080 <p class="Verbatim">void setx (int *x, int *y)</p>
5081 <p class="Verbatim"> /*@modifies *x@*/</p>
5082 <p class="Verbatim">{</p>
5083 <p class="Verbatim"><span class="Line"><span style=
5084 'font-size:8.0pt'>4</span></span> *y = *x;</p>
5085 <p class="Verbatim">}</p>
5086 <p class="Verbatim"> </p>
5087 <p class="Verbatim">void sety (int *x, int *y)</p>
5088 <p class="Verbatim"> /*@modifies *y@*/</p>
5089 <p class="Verbatim">{</p>
5090 <p class="Verbatim"> setx (y, x);</p>
5091 <p class="Verbatim">}</p></td>
5092 <td width="60%" valign="top" style=
5093 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:120.9pt'>
5094 <p class="lclintrun">> splint modify.c +checks</p>
5095 <p class="lclintrun">modify.c:4: Undocumented modification of *y:
5097 <p class="lclintrun">modify.c:5: Suspect object listed in modifies
5099 <p class="lclintrun">
5100
5101 not modified: *x</p>
5102 <p class="lclintrun"> modify.c:1: Declaration of
5104 <p class="TextFontCX"><i><span style=
5105 'font-size: 10.0pt'> </span></i></p>
5106 <p class="TextFontCX" style='page-break-after: avoid'>
5107 <i><span style='font-size:10.0pt'>There are
5108 n</span></i><i><span style='font-size:10.0pt'>o errors
5109 for</span></i> <span class="CodeText"><span style=
5110 'font-size:10.0pt'>sety</span></span><i><span style=
5111 'font-size:10.0pt'>– the call to</span></i>
5112 <span class="CodeText"><span style=
5113 'font-size:10.0pt'>setx</span></span><i><span style=
5114 'font-size:10.0pt'>modifies the value<br>
5115 pointed to by its first parameter (</span></i><span class=
5116 "CodeText"><span style=
5117 'font-size:10.0pt'>y</span></span><i><span style=
5118 'font-size:10.0pt'>) as documented by the<br>
5119 modifies clause. The</span></i> <span class=
5121 'font-size:10.0pt'>checks</span></span><i><span style=
5122 'font-size:10.0pt'>mode turns on</span></i> <span class=
5124 'font-size:10.0pt'>mustmod</span></span><i><span style=
5125 'font-size:10.0pt'>checking,<br>
5126 so the second error concerning missing documented<br>
5127 modifications is reported.</span></i></p></td></tr>
5129 <td style='border:none'></td>
5130 <td style='border:none'></td></tr></table>
5131 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5133 <td valign="top" style=
5134 'padding-top:4.3pt;padding-right: .3in;padding-bottom:4.3pt;padding-left:.3in'>
5135 <p class="MsoCaption"><a name="_Toc534824616"></a><a name=
5136 "_Ref534822865">Figure 12</a>.
5137 Modification</p></td></tr></table></center>
5140 <h3 style='margin-left:0in;text-indent:0in'><a name=
5141 "_Toc534974978">7.1.1<span style=
5142 'font:7.0pt "Times New Roman"'> </span>
5143 State Modifications</a></h3>
5144 <p class="beforelist">A few special names are provided for
5145 describing function modifications that effect state not
5146 identifiable through parameters or global variables:</p>
5147 <p class="TextFontCX"><span class="Annot"><span style=
5148 'font-size:10.0pt'>internalState</span></span></p>
5149 <p class="IndentText">The function modifies some internal state
5150 (that is, the value of a <span class="CodeText"><span style=
5151 'font-size:10.0pt'>static</span></span> variable). Even
5152 though a client cannot access the internal state directly, it is
5153 important to know that something may be modified by the function
5154 call both for clear documentation and for checking undefined order
5155 of evaluation (Section 8.2) and side effect free parameters
5156 (Section 11.2.1).</p>
5157 <p class="TextFontCX"><span class="Annot"><span style=
5158 'font-size:10.0pt'>fileSystem</span></span></p>
5159 <p class="IndentText">The function modifies the file system.
5160 Any modification that may change the system state is considered a
5161 file system modification. All functions that modify an object
5162 of type pointer to <span class="CodeText"><span style=
5163 'font-size:10.0pt'>FILE</span></span> also modify the file
5164 system. In addition, functions that do not modify a
5165 <span class="CodeText"><span style=
5166 'font-size:10.0pt'>FILE</span></span> pointer but modify some state
5167 that is visible outside this process also modify the file system
5168 (e.g., <span class="CodeText"><span style=
5169 'font-size:10.0pt'>rename</span></span>). The flag
5170 <span class="Flag"><span style=
5171 'font-size:10.0pt'>mod-file-system</span></span> controls reporting
5172 of undocumented file system modifications.</p>
5173 <p class="MsoListBullet"><span class="Annot"><span style=
5174 'font-size:10.0pt'>nothing</span></span></p>
5175 <p class="IndentText">The function modifies nothing (i.e., it is
5176 side effect free).</p>
5177 <p class="TextFontCX" style='margin-left:.5in'> </p>
5178 <p class="TextFontCX">The annotation, <span class=
5179 "Annot"><span style='font-size:10.0pt'>/*@*/</span></span> in a
5180 function declaration or definition (after the parameter list,
5181 before the semi-colon or function body) denotes a function that
5182 modifies nothing and does not use any global variables (see Section
5184 <h3 style='margin-left:0in;text-indent:0in'><a name=
5185 "_Toc534974979"></a><a name="_Ref345591515">7.1.2<span style=
5186 'font:7.0pt "Times New Roman"'> </span>
5187 Missing Modifies Clauses</a></h3>
5188 <p class="TextFontCX">Splint is designed so programs with many
5189 functions that are declared without modifies clauses can be checked
5190 effectively. Unless <span class="Flag"><span style=
5191 'font-size:10.0pt'>modnomods</span></span> is in on, no
5192 modification errors are reported checking a function declared with
5193 no modifies clause. </p>
5194 <p class="TextFontCX"> </p>
5195 <p class="TextFontCX">A function with no modifies clause is an
5196 <i>unconstrained</i> function since there are no documented
5197 constraints on what it may modify. When an unconstrained
5198 function is called, it is checked differently from a function
5199 declared with a modifies clause. To prevent spurious errors,
5200 no modification error is reported at the call site unless the
5201 <span class="Flag"><span style=
5202 'font-size:10.0pt'>mod-uncon</span></span> flag is on.
5203 Flags control whether errors involving unconstrained functions are
5204 reported for other checks that depend on modifications (side effect
5205 free macro parameters (Section 11.2.1), undefined evaluation
5206 order (Section 8.2), and likely infinite loops (Section
5208 <h2 style='margin-left:0in;text-indent:0in'><a name=
5209 "_Ref534980042"></a><a name="_Toc534974980"></a><a name=
5210 "_Ref534972121"></a><a name="_Ref348845219"></a><a name=
5211 "_Ref347475720"></a><a name="_Ref347171487"></a><a name=
5212 "_Ref344908307"></a><a name="_Ref344893725"></a><a name=
5213 "_Toc344355404">7.2<span style=
5214 'font:7.0pt "Times New Roman"'> </span>
5215 Global Variables</a></h2>
5216 <p class="TextFontCX">Another aspect of a function’s
5217 interface, is the global variables it uses. A globals list in
5218 a function declaration lists external variables that may be used in
5219 the function body. Splint checks that global variables used
5220 in a procedure match those listed in its globals list. A global is
5221 used in a function if it appears in the body directly, or it is in
5222 the globals list of a function called in the body. Splint reports
5223 if a global that is used in a procedure is not listed in its
5224 globals list, and if a listed global is not used in the function
5225 implementation. Figure 13 shows an example function
5226 definition with a globals list and associated checking done by
5229 <table class="MsoNormalTable" border="0" cellspacing="0"
5230 cellpadding="0" style=
5231 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
5232 <tr style='height:13.25pt'>
5233 <td valign="top" style=
5234 'width:202.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.25pt'>
5235 <p class="TextFontCX" align="center" style='text-align:center'>
5236 <span class="Keyword"><b><span style=
5237 'font-size:10.0pt; color:white'>globals.c</span></b></span></p></td>
5238 <td valign="top" style=
5239 'width:220.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.25pt'>
5240 <p class="TextFontCX" align="center" style='text-align:center'>
5241 <b><span style='color:white'>Running
5242 Splint</span></b></p></td></tr>
5243 <tr style='height:70.65pt'>
5244 <td valign="top" style=
5245 'width:202.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:70.65pt'>
5246 <p class="Verbatim"><span style='font-size:9.5pt'>int glob1,
5248 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
5249 <p class="Verbatim"><span class="Line"><span style=
5250 'font-size:8.0pt'>3</span></span> <span style='font-size:9.5pt'>int
5251 f (void) /*@globals glob1;@*/</span></p>
5252 <p class="Verbatim"><span style='font-size:9.5pt'>{</span></p>
5253 <p class="Verbatim"><span class="Line"><span style=
5254 'font-size:8.0pt'>5 </span></span> <span style=
5255 'font-size:9.5pt'>return glob2;</span></p>
5256 <p class="Verbatim"><span style='font-size:9.5pt'>}</span></p></td>
5257 <td valign="top" style=
5258 'width:220.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:70.65pt'>
5259 <p class="lclintrun">> splint globals.c +checks</p>
5260 <p class="lclintrun"> </p>
5261 <p class="lclintrun">globals.c:5: Undocumented use of global
5263 <p class="lclintrun">globals.c:3: Global glob1 listed but not
5265 <p class="lclintrun"> </p>
5266 <p class="lclintrun" style='page-break-after:avoid'>
5267 </p></td></tr></table>
5268 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5270 <td valign="top" align="left" style=
5271 'padding-top:8.65pt;padding-right: 9.35pt;padding-bottom:8.65pt;padding-left:9.35pt'>
5272 <p class="MsoCaption"><a name="_Ref349498221"></a><a name=
5273 "_Ref349498215"></a><a name="_Ref347468808"></a><a name=
5274 "_Ref347468791"></a><a name="_Ref344908072"></a><a name=
5275 "_Ref344908069"></a><a name="_Ref344893745"></a><a name=
5276 "_Toc344355405"></a><a name="_Toc534824617"></a><a name=
5277 "_Ref534822988">Figure 13</a>. Global
5278 Variables</p></td></tr></table></center>
5279 <h3 style='margin-left:0in;text-indent:0in'><a name=
5280 "_Toc534974981">7.2.1<span style=
5281 'font:7.0pt "Times New Roman"'> </span>
5282 Controlling Globals Checking</a></h3>
5283 <p class="TextFontCX">Whether on not an error is reported for a use
5284 of a global variable in a given function depends on the scope of
5285 the variable (file <span class="CodeText"><span style=
5286 'font-size:10.0pt'>static</span></span> or external), the checking
5287 annotation used in the variable declaration or the implicit
5288 annotation if no checking annotation is used, whether or not the
5289 function is declared with a globals list, and flag settings.</p>
5290 <p class="TextFontCX"> </p>
5291 <p class="beforelist">A global or file static variable declaration
5292 may be preceded by an annotation to indicate how the variable
5293 should be checked. In order of decreasing checks, the
5294 annotations are:</p>
5295 <p class="TextFontCX"><span class="Annot"><span style=
5296 'font-size:10.0pt'>/*@checkedstrict@*/</span></span></p>
5297 <p class="IndentText">Strictest checking. Undocumented uses
5298 and modifications of the variable are reported in all functions
5299 whether or not they have a globals list (unless <span class=
5301 'font-size:10.0pt'>check-strict-globs</span></span> is off).</p>
5302 <p class="TextFontCX"><span class="Annot"><span style=
5303 'font-size:10.0pt'>/*@checked@*/</span></span></p>
5304 <p class="IndentText">Undocumented use of the variable is reported
5305 in a function with a globals list, but not in a function declared
5306 with no globals (unless <span class="Flag"><span style=
5307 'font-size:10.0pt'>glob-noglobs</span></span> is on).<a name=
5309 <p class="TextFontCX"><span class="Annot"><span style=
5310 'font-size:10.0pt'>/*@checkmod@*/</span></span></p>
5311 <p class="IndentText">Undocumented uses of the variable are not
5312 reported, but undocumented modifications are reported.
5313 (If <span class="Flag"><span style=
5314 'font-size:10.0pt'>mod-globs-nomods</span></span> is on, errors are
5315 reported even in functions declared with no modifies clause or
5317 <p class="TextFontCX"><span class="Annot"><span style=
5318 'font-size:10.0pt'>/*@unchecked@*/</span></span></p>
5319 <p class="IndentText">No messages are reported for undocumented use
5320 or modification of this global variable.</p>
5321 <p class="afterlist">If a variable has none of these annotations,
5322 an implicit annotation is determined by the flag
5324 <p class="TextFontCX"> </p>
5325 <p class="TextFontCX">Different flags control the implicit
5326 annotation for variables declared with global scope and variables
5327 declared with file scope (i.e., using the <span class=
5328 "CodeText"><span style='font-size:10.0pt'>static</span></span>
5329 storage qualifier). To set the implicit annotation for global
5330 variables declared in <span class="Flag"><i><span style=
5331 'font-size:10.0pt'>context</span></i></span> (<span class=
5332 "Flag"><span style='font-size:10.0pt'>globs</span></span> for
5333 external variables or <span class="Flag"><span style=
5334 'font-size:10.0pt'>statics</span></span> for file static variable)
5335 to be <span class="Flag"><i><span style=
5336 'font-size:10.0pt'>annotation</span></i></span> (<span class=
5337 "Flag"><span style='font-size:10.0pt'>checked</span></span>,
5338 <span class="Flag"><span style=
5339 'font-size:10.0pt'>checkmod</span></span>, <span class=
5340 "Flag"><span style='font-size:10.0pt'>checkedstrict</span></span>)
5341 use <span class="Flag"><span style=
5342 'font-size:10.0pt'>imp<i><annotation>
5343 <context></i></span></span>. For example,
5344 <span class="Flag"><span style=
5345 'font-size:10.0pt'>+imp-checked-strict-statics</span></span>
5346 makes the implicit checking on unqualified file static
5347 variables <span class="Flag"><span style=
5348 'font-size:10.0pt'>checkedstrict</span></span>. See
5349 Appendix B for a complete list of globals checking flags.</p>
5350 <h3 style='margin-left:0in;text-indent:0in'><a name=
5351 "_Toc534974982"></a><a name="_Ref534971010">7.2.2<span style=
5352 'font:7.0pt "Times New Roman"'> </span></a>
5353 Definition State</h3>
5354 <p class="TextFontCX">Annotations can be used in the globals list
5355 of a function declaration to describe the states of global
5356 variables before and after the call. If a global is preceded
5357 by <span class="Annot"><span style=
5358 'font-size:10.0pt'>undef</span></span>, it is assumed to be
5359 undefined before the call. Thus, no error is reported if the global
5360 is not defined when the function is called, but an error is
5361 reported if the global is used in the function body before it is
5362 defined. The <span class="Annot"><span style=
5363 'font-size:10.0pt'>killed</span></span> annotation denotes a
5364 global variable that may be undefined when the call
5365 returns. For globals that contain dynamically allocated
5366 storage, a <span class="Annot"><span style=
5367 'font-size:10.0pt'>killed</span></span> global variable is similar
5368 to an <span class="Annot"><span style=
5369 'font-size:10.0pt'>only</span></span> parameter (Section
5370 5.2). An error is reported if it contains the only reference
5371 to storage that is not released before the call returns.
5372 Figure 14 illustrated <span class="Annot"><span style=
5373 'font-size:10.0pt'>killed</span></span> and <span class=
5374 "Annot"><span style='font-size:10.0pt'>undef</span></span>
5377 <table class="MsoNormalTable" border="0" cellspacing="0"
5378 cellpadding="0" style=
5379 'margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
5381 <td valign="top" style=
5382 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5383 <p class="TextFontCX" align="center" style='text-align:center'>
5384
5385 <span class="Keyword"><b><span style=
5386 'font-size:10.0pt;color:white'>annotglobs.c</span></b></span></p></td>
5387 <td valign="top" style=
5388 'width:198.8pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5389 <p class="TextFontCX" align="center" style='text-align:center'>
5390 <b><span style='color:white'>Running
5391 Splint</span></b></p></td></tr>
5393 <td valign="top" style=
5394 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:236.7pt'>
5395 <p class="Verbatim">int globnum;</p>
5396 <p class="Verbatim"> </p>
5397 <p class="Verbatim">struct {</p>
5398 <p class="Verbatim"> char *firstname, *lastname;</p>
5399 <p class="Verbatim"> int id;</p>
5400 <p class="Verbatim">} globname;</p>
5401 <p class="Verbatim"> </p>
5402 <p class="Verbatim">void</p>
5403 <p class="Verbatim">initialize (/*@only@*/ char *name)</p>
5404 <p class="Verbatim"> /*@globals undef globnum,</p>
5405 <p class="Verbatim">
5406
5407 undef globname @*/</p>
5408 <p class="Verbatim">{</p>
5409 <p class="Verbatim"><span class="Line"><span style=
5410 'font-size:8.0pt'>13</span></span> globname.id = globnum;</p>
5411 <p class="Verbatim"> globname.lastname = name;</p>
5412 <p class="Verbatim"><span class="Line"><span style=
5413 'font-size:8.0pt'>15</span></span>}</p>
5414 <p class="Verbatim"> </p>
5415 <p class="Verbatim">void finalize (void)</p>
5416 <p class="Verbatim"> /*@globals killed globname@*/</p>
5417 <p class="Verbatim">{</p>
5418 <p class="Verbatim"> free (globname.lastname);</p>
5419 <p class="Verbatim"><span class="Line"><span style=
5420 'font-size:8.0pt'>21</span></span> }</p></td>
5421 <td valign="top" style=
5422 'width:198.8pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:236.7pt'>
5423 <p class="lclintrun">> splint annotglobs.c</p>
5424 <p class="lclintrun"> </p>
5425 <p class="lclintrun">annotglobs.c:13: Undef global globnum used</p>
5426 <p class="lclintrun">
5427
5428 before definition</p>
5429 <p class="lclintrun">annotglobs.c:15: Global storage globname</p>
5430 <p class="lclintrun"> contains 1 undefined field
5432 <p class="lclintrun"> returns: firstname</p>
5433 <p class="lclintrun">annotglobs.c:21: Only storage</p>
5434 <p class="lclintrun"> globname.firstname (type
5436 <p class="lclintrun"> from killed global is not
5438 <p class="lclintrun" style='page-break-after:avoid'>
5439 (memory leak)</p></td></tr></table>
5440 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5442 <td valign="top" align="left" style=
5443 'padding-top:10.1pt;padding-right: 9.35pt;padding-bottom:10.1pt;padding-left:9.35pt'>
5444 <p class="MsoCaption"><a name="_Toc534824618"></a><a name=
5445 "_Ref534823055">Figure 14</a>. Annotated Globals
5446 Lists</p></td></tr></table></center>
5447 <h2 style='margin-left:0in;text-indent:0in'><a name=
5448 "_Toc534974983"></a><a name="_Ref344894947"></a><a name=
5449 "_Toc344355406">7.3<span style=
5450 'font:7.0pt "Times New Roman"'> </span>
5451 Declaration Consistency</a></h2>
5452 <p class="TextFontCX">Splint checks that function declarations and
5453 definitions are consistent. The general rule is that the
5454 <i>first</i> declaration of a function implies all later
5455 declarations and definitions. If a function is declared in a
5456 header file, the first declaration processed is its first
5457 declaration (if it is declared in more than one header file an
5458 error is reported if <span class="Flag"><span style=
5459 'font-size:10.0pt'>redecl</span></span> is set)
5460 <span style='display:none'>(if the same function is declared
5461 in more than one header file ???)</span>. Otherwise,
5462 the first declaration in the file defining the function is
5463 its first declaration.</p>
5464 <p class="TextFontCX"> </p>
5465 <p class="TextFontCX">Later declarations may not include variables
5466 in the globals list that were not included in the first
5467 declaration. The exception to this is when the first
5468 declaration is in a header file and the later declaration or
5469 definition includes file static variables. Since these are
5470 not visible in the header file, they can not be included in the
5471 header file declaration. Similarly, the modifies clause of a
5472 later declaration may not include objects that are not modifiable
5473 in the first declaration. The later declaration may be more
5474 specific. For example, if the header declaration is:</p>
5475 <p class="example" style='text-indent:.3in'>extern void setName
5476 (employee e, char *s) /*@modifies e@*/;</p>
5477 <p class="TextFontCX">the later declaration could be,</p>
5478 <p class="example"> void setName (employee e, char *)
5479 /*@modifies e->name@*/;</p>
5480 <p class="TextFontCX">If <span class="CodeText"><span style=
5481 'font-size:10.0pt'>employee</span></span> is an abstract type, the
5482 declaration in the header should not refer to a particular
5483 implementation (i.e., it shouldn’t rely on there being a
5484 <span class="CodeText"><span style=
5485 'font-size:10.0pt'>name</span></span> field), but the
5486 implementation declaration can be more specific. </p>
5487 <p class="TextFontCX"> </p>
5488 <p class="TextFontCX">This rule also applies to file static
5489 variables. The header declaration for a function that
5490 modifies a file static variable should use <span class=
5491 "Annot"><span style='font-size:10.0pt'>modifies
5492 internalState</span></span> since file static variables are not
5493 visible to clients. The implementation declaration should
5494 list the actual file static variables that may be modified.</p>
5495 <h2 style='margin-left:0in;text-indent:0in'><a name=
5496 "_Toc534974984"></a><a name="_Ref354411787">7.4<span style=
5497 'font:7.0pt "Times New Roman"'> </span>
5498 State Clauses</a></h2>
5499 <p class="TextFontCX">Sometimes it is necessary to specify function
5500 interfaces at a lower level than is possible with the standard
5501 annotations. For example, if a function defines some fields
5502 of a returned structure but does not define all the fields.
5503 The <span class="Annot"><span style=
5504 'font-size:10.0pt'>/*@special@*/</span></span> annotation is used
5505 to mark a parameter, global variable, or return value that is
5506 described using state clauses. </p>
5507 <p class="TextFontCX"> </p>
5508 <p class="TextFontCX">State clauses may be used to constrain the
5509 state of a parameter or return value before or after a call.
5510 One or more state clauses may appear in a function declaration,
5511 before the modifies or globals clauses. State clauses may be
5512 listed in any order, but the same state clause should not be used
5513 more than once. In a state clause list, <span class=
5514 "CodeText"><span style='font-size:10.0pt'>result</span></span> is
5515 used to refer to the return value of the function. </p>
5516 <p class="TextFontCX"> </p>
5517 <p class="TextFontCX" style='margin-bottom:6.0pt'>The following
5518 state clauses are used to describe the definition state or
5519 parameters before and after the function is called and the return
5520 value after the function returns:</p>
5521 <p class="TextFontCX"><span class="Annot"><span style=
5522 'font-size:10.0pt'>/*@uses
5523 <i><references></i>@*/</span></span></p>
5524 <p class="indentbefore0">References in a <span class=
5525 "Annot"><span style='font-size:10.0pt'>uses</span></span> clause
5526 must be completely defined before the function is called.
5527 They are assumed to be defined at function entrance when the
5528 function is checked.</p>
5529 <p class="TextFontCX"><span class="Annot"><span style=
5530 'font-size:10.0pt'>/*@sets
5531 <i><references></i>@*/</span></span></p>
5532 <p class="indentbefore0">References in a <span class=
5533 "Annot"><span style='font-size:10.0pt'>sets</span></span> clause
5534 must be allocated before the function is called. They are
5535 completely defined after the function returns. They are assumed to
5536 be allocated but undefined storage at function entrance and an
5537 error is reported if there is a path on which they are not defined
5538 before the function returns.</p>
5539 <p class="TextFontCX"><span class="Annot"><span style=
5540 'font-size:10.0pt'>/*@defines
5541 <i><references></i>@*/</span></span></p>
5542 <p class="indentbefore0">References in a <span class=
5543 "Annot"><span style='font-size:10.0pt'>defines</span></span> clause
5544 must not refer to unshared, allocated storage before the function
5545 is called. They are completely defined after the function
5546 returns. When the function is checked, they are assumed to be
5547 undefined at function entrance and an error is reported if there is
5548 a path on which they are not defined before the function
5550 <p class="TextFontCX"><span class="Annot"><span style=
5551 'font-size:10.0pt'>/*@allocates
5552 <i><references></i>@*/</span></span></p>
5553 <p class="indentbefore0">References in an <span class=
5554 "Annot"><span style='font-size:10.0pt'>allocates</span></span>
5555 clause must be unallocated before the function is called.
5556 They are allocated but not necessarily defined after the function
5557 returns. An error is reported if there is a path through the
5558 function on which they are not allocated before the function
5560 <p class="TextFontCX"><span class="Annot"><span style=
5561 'font-size:10.0pt'>/*@releases
5562 <references>@*/</span></span></p>
5563 <p class="IndentText">References in the <span class=
5564 "Annot"><span style='font-size:10.0pt'>releases</span></span>
5565 clause are deallocated by the function. They must be storage
5566 that could be passed as an <span class="Annot"><span style=
5567 'font-size:10.0pt'>only</span></span> parameter before the
5568 function is called, and are dead pointers after the function
5569 returns. They are assumed to be defined at function entrance
5570 and an error is reported if they refer to live, allocated storage
5571 at any return point.</p>
5572 <p class="TextFontCX"> </p>
5573 <p class="TextFontCX">Some examples of state clauses are shown in
5574 Figure 15. The <span class="Annot"><span style=
5575 'font-size: 10.0pt'>defines</span></span> clause for
5576 <span class="CodeText"><span style=
5577 'font-size:10.0pt'>record_new</span></span> indicates that
5578 the <span class="CodeText"><span style=
5579 'font-size:10.0pt'>id</span></span> field of the structure
5580 pointed to by the result is defined, but the <span class=
5581 "CodeText"><span style='font-size:10.0pt'>name</span></span>
5582 field is not. So, <span class="CodeText"><span style=
5583 'font-size:10.0pt'>record_create</span></span> needs to call
5584 <span class="CodeText"><span style=
5585 'font-size:10.0pt'>record_setName</span></span> to define the
5586 name field. Similarly, the <span class=
5587 "Annot"><span style='font-size:10.0pt'>releases</span></span>
5588 clause for <span class="CodeText"><span style=
5589 'font-size:10.0pt'>record_clearName</span></span> indicates
5590 that no storage is associated with the <span class=
5591 "CodeText"><span style='font-size:10.0pt'>name</span></span>
5592 field of its parameter after the return, so no failure to
5593 deallocate storage message is produced for the call to
5594 <span class="CodeText"><span style=
5595 'font-size:10.0pt'>free</span></span> in <span class=
5596 "CodeText"><span style=
5597 'font-size:10.0pt'>record_free</span></span>. The
5598 <span class="Annot"><span style='font-size:10.0pt'>ensures
5599 isnull</span></span> clause is described in the next
5602 <table class="MsoNormalTable" border="0" cellspacing="0"
5603 cellpadding="0" style=
5604 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
5606 <td valign="top" style=
5607 'width:423.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
5608 <p class="TextFontCX" align="center" style='text-align:center'>
5609 <span class="Keyword"><b><span style=
5610 'font-size:10.0pt; color:white'>clauses.c</span></b></span></p></td></tr>
5612 <td valign="top" style=
5613 'width:423.0pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
5614 <p class="Verbatim">typedef struct</p>
5615 <p class="Verbatim">{</p>
5616 <p class="Verbatim"> int id;</p>
5617 <p class="Verbatim"> /*@only@*/ char *name;</p>
5618 <p class="Verbatim">} *record;</p>
5619 <p class="Verbatim"> </p>
5620 <p class="Verbatim">static /*@special@*/ record record_new
5622 <p class="Verbatim"> /*@defines result->id@*/</p>
5623 <p class="Verbatim">{</p>
5624 <p class="Verbatim"> record r = (record) malloc (sizeof
5626 <p class="Verbatim"> </p>
5627 <p class="Verbatim"> assert (r != NULL);</p>
5628 <p class="Verbatim"> r->id = 3;</p>
5629 <p class="Verbatim"> return r;</p>
5630 <p class="Verbatim">}</p>
5631 <p class="Verbatim"> </p>
5632 <p class="Verbatim">static void</p>
5633 <p class="Verbatim"> record_setName (/*@special@*/
5634 record r, /*@only@*/ char *name)</p>
5635 <p class="Verbatim"> /*@defines r->name@*/</p>
5636 <p class="Verbatim">{</p>
5637 <p class="Verbatim"> r->name = name;</p>
5638 <p class="Verbatim">}</p>
5639 <p class="Verbatim"> </p>
5640 <p class="Verbatim">record record_create (/*@only@*/ char
5642 <p class="Verbatim">{</p>
5643 <p class="Verbatim"> record r = record_new ();</p>
5644 <p class="Verbatim"> record_setName (r, name);</p>
5645 <p class="Verbatim"> return r;</p>
5646 <p class="Verbatim">}</p>
5647 <p class="Verbatim"> </p>
5648 <p class="Verbatim">void record_clearName (/*@special@*/ record
5650 <p class="Verbatim"> /*@releases r->name@*/</p>
5651 <p class="Verbatim"> /*@ensures isnull
5653 <p class="Verbatim">{</p>
5654 <p class="Verbatim"> free (r->name);</p>
5655 <p class="Verbatim"> r->name = NULL;</p>
5656 <p class="Verbatim">}</p>
5657 <p class="Verbatim"> </p>
5658 <p class="Verbatim">void record_free (/*@only@*/ record r)</p>
5659 <p class="Verbatim">{</p>
5660 <p class="Verbatim"> record_clearName (r);</p>
5661 <p class="Verbatim"> free (r);</p>
5662 <p class="Verbatim">}</p>
5663 <p class="Verbatim" style='page-break-after:avoid'>
5664 </p></td></tr></table>
5665 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5667 <td valign="top" style=
5668 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
5669 <p class="MsoCaption"><a name="_Toc534824619"></a><a name=
5670 "_Ref354412972">Figure 15</a>. State
5671 Clauses</p></td></tr></table></center>
5672 <p class="TextFontCX"><span class="Keyword"><span style=
5673 'font-size:10.0pt'> </span></span></p>
5674 <h2 style='margin-left:0in;text-indent:0in'><a name=
5675 "_Toc534974985"></a><a name="_Ref534888798">7.5<span style=
5676 'font:7.0pt "Times New Roman"'> </span>
5677 Requires and Ensures Clauses</a></h2>
5678 <p class="TextFontCX">More general assumptions about state of
5679 parameters and globals before and after a function is called can be
5680 described using <span class="Annot"><i><span style=
5681 'font-size:10.0pt'>requires</span></i></span> and
5682 <span class="Annot"><i><span style=
5683 'font-size:10.0pt'>ensures</span></i></span> clauses. A
5684 <span class="Annot"><span style=
5685 'font-size:10.0pt'>requires</span></span> clause specifies a
5686 predicate that must be true at a call site; when checking a
5687 function implementation Splint assumes the constraints given
5688 in its <span class="Annot"><span style=
5689 'font-size:10.0pt'>requires</span></span> clauses are true at
5690 function entry. An <span class="Annot"><span style=
5691 'font-size:10.0pt'>ensures</span></span> clause specifies a
5692 predicate that is true at a call site after the call returns;
5693 when checking a function implementation Splint warns if there
5694 is an execution path that does not return with a state that
5695 satifies the constraints given in its <span class=
5696 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5697 clauses. A function declaration can have many
5698 <span class="Annot"><span style=
5699 'font-size:10.0pt'>requires</span></span> and <span class=
5700 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5701 clauses as long as their meanings are not contradictory.</p>
5702 <p class="TextFontCX"> </p>
5703 <p class="TextFontCX">The following constraints can be stated using
5704 <span class="Annot"><span style=
5705 'font-size:10.0pt'>requires</span></span> and <span class=
5706 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5708 <h6 style='margin-left:0in;text-indent:0in'><b>Aliasing
5709 Annotations</b></h6>
5710 <p class="TextFontCX"><span class="Annot"><span style=
5711 'font-size:10.0pt'>/*@requires
5712 only<i><references></i>@*/</span></span>; <span class=
5713 "Annot"><span style='font-size:10.0pt'>/*@ensures
5714 only<i><references></i>@*/</span></span></p>
5715 <p class="TextFontCX"><span class="Annot"><span style=
5716 'font-size:10.0pt'>/*@requires
5717 shared<i><references></i>@*/</span></span>;
5718 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5719 shared<i><references></i>@*/</span></span></p>
5720 <p class="TextFontCX"><span class="Annot"><span style=
5721 'font-size:10.0pt'>/*@requires
5722 owned<i><references></i>@*/</span></span>; <span class=
5723 "Annot"><span style='font-size:10.0pt'>/*@ensures
5724 owned<i><references></i>@*/</span></span></p>
5725 <p class="TextFontCX"><span class="Annot"><span style=
5726 'font-size:10.0pt'>/*@requires
5727 dependent<i><references></i>@*/</span></span>;
5728 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5729 dependent<i><references></i>@*/</span></span></p>
5730 <p class="IndentText">References refer to <span class=
5731 "Annot"><span style='font-size:10.0pt'>only</span></span>,
5732 <span class="Annot"><span style=
5733 'font-size:10.0pt'>shared</span></span>, <span class=
5734 "Annot"><span style='font-size:10.0pt'>owned</span></span> or
5735 <span class="Annot"><span style=
5736 'font-size:10.0pt'>dependent</span></span> storage before
5737 (<span class="Annot"><span style=
5738 'font-size:10.0pt'>requires</span></span>) or after
5739 (<span class="Annot"><span style=
5740 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5741 <h6 style='margin-left:0in;text-indent:0in'><b>Exposure
5742 Annotations</b></h6>
5743 <p class="TextFontCX"><span class="Annot"><span style=
5744 'font-size:10.0pt'>/*@requires
5745 observer<i><references></i>@*/</span></span>;
5746 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5747 observer<i><references></i>@*/</span></span></p>
5748 <p class="TextFontCX"><span class="Annot"><span style=
5749 'font-size:10.0pt'>/*@requires
5750 exposed<i><references></i>@*/</span></span>;
5751 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5752 exposed <i><references></i>@*/</span></span></p>
5753 <p class="IndentText">References refer to <span class=
5754 "Annot"><span style='font-size:10.0pt'>observer</span></span> or
5755 <span class="Annot"><span style=
5756 'font-size:10.0pt'>exposed</span></span> storage before
5757 (<span class="Annot"><span style=
5758 'font-size:10.0pt'>requires</span></span>) or after
5759 (<span class="Annot"><span style=
5760 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5761 <h6 style='margin-left:0in;text-indent:0in'><b>Null</b>
5762 <b>State</b><b>Annotations</b></h6>
5763 <p class="TextFontCX"><span class="Annot"><span style=
5764 'font-size:10.0pt'>/*@requires
5765 isnull<i><references></i>@*/</span></span>;
5766 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5767 isnull<i><references></i>@*/</span></span></p>
5768 <p class="IndentText">References have the value <span class=
5769 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> before
5770 (<span class="Annot"><span style=
5771 'font-size:10.0pt'>requires</span></span>) or after
5772 (<span class="Annot"><span style=
5773 'font-size:10.0pt'>ensures</span></span>) the call.
5774 Note, this is not the same name or meaning as the
5775 <span class="Annot"><span style=
5776 'font-size:10.0pt'>null</span></span> annotation (which means
5777 the value may or may not be <span class="Annot"><span style=
5778 'font-size:10.0pt'>NULL</span></span>.)</p>
5779 <p class="TextFontCX"><span class="Annot"><span style=
5780 'font-size:10.0pt'>/*@requires
5781 notnull<i><references></i>@*/</span></span>;
5782 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5783 notnull<i><references></i>@*/</span></span></p>
5784 <p class="IndentText">References do not have the value
5785 <span class="CodeText"><span style=
5786 'font-size:10.0pt'>NULL</span></span> before (<span class=
5787 "Annot"><span style=
5788 'font-size:10.0pt'>requires</span></span>) or after
5789 (<span class="Annot"><span style=
5790 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5791 <p class="TextFontCX"> </p>
5792 <h1 style='margin-left:0in;text-indent:0in'><a name=
5793 "_Toc534974986"></a><a name="_Ref534642886"></a><a name=
5794 "_Ref483663682">8<span style=
5795 'font:7.0pt "Times New Roman"'> </span>
5796 <a id="control" name="control">
5797 Control Flow</a></a></h1>
5798 <p class="TextFontCX">The section describes checking done by Splint
5799 related to control flow. Many of these checks are
5800 significantly improved because of the extra information that is
5801 known about the program when annotations are provided.</p>
5802 <h2 style='margin-left:0in;text-indent:0in'><a name=
5803 "_Toc534974987"></a><a name="_Ref345859337"></a><a name=
5804 "_Ref344907653"></a><a name="_Ref344894343"></a><a name=
5805 "_Ref344873752"></a><a name="_Toc344355417">8.1<span style=
5806 'font:7.0pt "Times New Roman"'> </span>
5808 <p class="TextFontCX">To detect certain errors and avoid spurious
5809 errors, it is important to know something about the control flow
5810 behavior of called functions. Without additional information,
5811 Splint assumes that all functions eventually return and execution
5812 continues normally at the call site. </p>
5813 <p class="TextFontCX"> </p>
5814 <p class="TextFontCX">The <span class="Annot"><span style=
5815 'font-size:10.0pt'>noreturn</span></span> annotation is used
5816 to denote a function that never returns<a href="#_ftn8" name=
5817 "_ftnref8" title=""><span class=
5818 "MsoFootnoteReference"><span class="MsoFootnoteReference"><span style='font-size:11.0pt;font-family:"Times New Roman"'>
5819 [8]</span></span></span></a>. For example,</p>
5820 <p class="example"><span class="Annot"><span style=
5821 'font-size:10.0pt'>extern /*@noreturn@*/ void fatalerror
5822 (/*@observer@*/ char *s);</span></span></p>
5823 <p class="beforelist">declares <span class=
5824 "CodeText"><span style='font-size:10.0pt'>fatalerror</span></span>
5825 to never return. This enables Splint to correctly
5826 analyze code like,</p>
5827 <p class="TextFontCX"><span class="Keyword"><span style=
5828 'font-size:10.0pt'> if (x == NULL) fatalerror
5829 ("Yikes!");</span></span></p>
5830 <p class="TextFontCX"><span class="Keyword"><span style=
5831 'font-size:10.0pt'> *x = 3;</span></span></p>
5832 <p class="afterlist">Other functions may return, but sometimes (or
5833 usually) return normally. The <span class=
5834 "Annot"><span style='font-size:10.0pt'>maynotreturn</span></span>
5835 annotation denotes a function that may or may not
5836 return. This may be useful for documentation, but does
5837 not help checking much, since Splint must assume that a
5838 function declared with <span class="Annot"><span style=
5839 'font-size:10.0pt'>maynotreturn</span></span> returns
5840 normally when checking the code. The <span class=
5841 "Annot"><span style=
5842 'font-size:10.0pt'>alwaysreturns</span></span> annotation
5843 denotes a function that always returns (but Splint does no
5844 checking to verify this).</p>
5845 <p class="TextFontCX"> </p>
5846 <p class="TextFontCX">To describe non-returning functions more
5847 precisely, the <span class="Annot"><span style=
5848 'font-size:10.0pt'>noreturnwhentrue</span></span> and
5849 <span class="Annot"><span style=
5850 'font-size:10.0pt'>noreturnwhenfalse</span></span> annotations
5851 may be used. Similar to <span class=
5852 "Annot"><span style='font-size: 10.0pt'>nullwhentrue</span></span>
5853 and <span class="Annot"><span style=
5854 'font-size:10.0pt'>falsewhennull</span></span> (see Section
5855 2.1.1), <span class="Annot"><span style=
5856 'font-size:10.0pt'>noreturnwhentrue</span></span> and
5857 <span class="Annot"><span style=
5858 'font-size:10.0pt'>noreturnwhenfalse</span></span> mean that
5859 a function never returns if the value of its first argument
5860 is true (<span class="Annot"><span style=
5861 'font-size:10.0pt'>noreturnwhentrue</span></span>) or false
5862 (<span class="Annot"><span style=
5863 'font-size:10.0pt'>noreturnwhenfalse</span></span>).
5864 They may be used only on functions whose first argument is a
5865 Boolean. </p>
5866 <p class="TextFontCX"> </p>
5867 <p class="TextFontCX" style='margin-bottom:6.0pt'>Hence, a function
5868 declared with <span class="Annot"><span style=
5869 'font-size:10.0pt'>noreturnwhenwfalse</span></span> must not return
5870 if the value of its argument is false. For example, the
5871 standard library declares <span class="Keyword"><span style=
5872 'font-size:10.0pt'>assert</span></span> as<a href="#_ftn9"
5873 name="_ftnref9" title=""><span class=
5874 "MsoFootnoteReference"><span class=
5875 "MsoFootnoteReference"><span style=
5876 'font-size:11.0pt;font-family:"Times New Roman"'>[9]</span></span></span></a>:</p>
5877 <p class="example" style=
5878 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:0in;margin-bottom:.0001pt;text-indent:.5in'>
5879 /*@noreturnwhenfalse@*/ void</p>
5880 <p class="example" style=
5881 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:0in;margin-bottom:.0001pt;text-indent:.5in'>
5882 assert (/*@sef@*/ bool /*@alt int@*/ pred);</p>
5883 <p class="beforelist" style='margin-top:6.0pt'>This way, code
5885 <p class="Verbatim"> assert (x != NULL);</p>
5886 <p class="Verbatim"> *x = 3;</p>
5887 <p class="TextFontCX">is checked without reporting a false warning,
5888 since the <span class="Annot"><span style=
5889 'font-size:10.0pt'>noreturnwhenwfalse</span></span> annotation on
5890 <span class="CodeText"><span style=
5891 'font-size:10.0pt'>assert</span></span> means the deference of
5892 <span class="CodeText"><span style=
5893 'font-size:10.0pt'>x</span></span> is not reached is
5894 <span class="CodeText"><span style='font-size:10.0pt'>x !=
5895 NULL</span></span> is false.</p>
5896 <h2 style='margin-left:0in;text-indent:0in'><a name=
5897 "_Toc534974988"></a><a name="_Ref350066608">8.2<span style=
5898 'font:7.0pt "Times New Roman"'> </span>
5899 Undefined</a> Behavior</h2>
5900 <p class="TextFontCX">The order in which side effects take place in
5901 a C program is not entirely defined by the code. Certain
5902 execution points are known as <i>sequence points</i> — a
5903 function call (after the arguments have been evaluated), the end of
5904 a full expression (an initializer, expression in an expression
5905 statement, the control expression of an <span class=
5906 "CodeText"><span style='font-size:10.0pt'>if</span></span>,
5907 <span class="CodeText"><span style=
5908 'font-size:10.0pt'>switch</span></span>, <span class=
5909 "CodeText"><span style='font-size:10.0pt'>while</span></span> or
5910 <span class="CodeText"><span style=
5911 'font-size:10.0pt'>do</span></span> statement, each expression of a
5912 <span class="CodeText"><span style=
5913 'font-size:10.0pt'>for</span></span> statement, and the expression
5914 in a <span class="CodeText"><span style=
5915 'font-size: 10.0pt'>return</span></span> statement), and after the
5916 first operand or a <span class="CodeText"><span style=
5917 'font-size:10.0pt'>&&</span></span>, <span class=
5918 "CodeText"><span style='font-size:10.0pt'>||</span></span>,
5919 <span class="CodeText"><span style=
5920 'font-size:10.0pt'>?</span></span> or <span class=
5921 "CodeText"><span style='font-size:10.0pt'>,</span></span>
5923 <p class="TextFontCX"> </p>
5924 <p class="TextFontCX">All side effects before a sequence point must
5925 be complete before the sequence point, and no evaluations after the
5926 sequence point shall have taken place. Between sequence
5927 points, side effects and evaluations may take place in any
5928 order. Hence, the order in which expressions or arguments are
5929 evaluated is not specified. Compilers are free to evaluate
5930 function arguments and parts of expressions (that do not contain
5931 sequence points) in any order. The behavior of code is
5932 undefined if it uses a value that is modified by another expression
5933 that is not required to be evaluated before or after the other
5935 <p class="TextFontCX"> </p>
5936 <p class="TextFontCX">Splint detects instances where undetermined
5937 order of evaluation produces undefined behavior. If
5938 modifies clauses and globals lists are used, this checking is
5939 enabled in expressions involving function calls. Evaluation order
5940 checking is controlled by the <span class="Flag"><span style=
5941 'font-size:10.0pt'>eval-order</span></span> flag.</p>
5943 <table class="MsoNormalTable" border="0" cellspacing="0"
5944 cellpadding="0" style=
5945 'margin-left:13.05pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
5947 <td valign="top" style=
5948 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5949 <p class="TextFontCX" align="center" style='text-align:center'>
5950
5951 <span class="Keyword"><b><span style=
5952 'font-size:10.0pt;color:white'>order.c</span></b></span></p></td>
5953 <td valign="top" style=
5954 'width:198.8pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5955 <p class="TextFontCX" align="center" style='text-align:center'>
5956 <b><span style='color:white'>Running
5957 Splint</span></b></p></td></tr>
5959 <td valign="top" style=
5960 'width:148.95pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
5961 <p class="Verbatim">extern int glob;</p>
5962 <p class="Verbatim"> </p>
5963 <p class="Verbatim">extern int mystery (void);</p>
5964 <p class="Verbatim"> </p>
5965 <p class="Verbatim">extern int modglob (void)</p>
5966 <p class="Verbatim"> /*@globals glob@*/</p>
5967 <p class="Verbatim"> /*@modifies glob@*/;</p>
5968 <p class="Verbatim"> </p>
5969 <p class="Verbatim">int f (int x, int y[])</p>
5970 <p class="Verbatim">{</p>
5971 <p class="Verbatim"><span class="Line"><span style=
5972 'font-size:8.0pt'>11</span></span> int i = x++ * x;</p>
5973 <p class="Verbatim"> </p>
5974 <p class="Verbatim"><span class="Line"><span style=
5975 'font-size:8.0pt'>13</span></span> y[i] = i++;</p>
5976 <p class="Verbatim"><span class="Line"><span style=
5977 'font-size:8.0pt'>14</span></span> i += modglob() * glob;</p>
5978 <p class="Verbatim"><span class="Line"><span style=
5979 'font-size:8.0pt'>15</span></span> i += mystery() * glob;</p>
5980 <p class="Verbatim"><span class="Line"><span style=
5981 'font-size:8.0pt'>16</span></span> return i;</p>
5982 <p class="Verbatim">}</p></td>
5983 <td valign="top" style=
5984 'width:275.4pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
5985 <p class="lclintrun">> splint order.c +evalorderuncon</p>
5986 <p class="lclintrun">order.c:11: Expression has undefined behavior
5988 <p class="lclintrun"> right operand modified by
5989 left operand): x++ * x</p>
5990 <p class="lclintrun">order.c:13: Expression has undefined behavior
5992 <p class="lclintrun"> uses i, modified by right
5993 operand): y[i] = i++</p>
5994 <p class="lclintrun">order.c:14: Expression has undefined behavior
5996 <p class="lclintrun"> right operand modified by
5998 <p class="lclintrun"> modglob() * glob</p>
5999 <p class="lclintrun">order.c:15: Expression has undefined
6001 <p class="lclintrun"> (unconstrained function
6002 mystery used in left operand</p>
6003 <p class="lclintrun"> may set global variable
6004 glob used in right operand):</p>
6005 <p class="lclintrun"> mystery() * glob</p>
6006 <p class="TextFontCX" align="left" style='text-align:left'>
6008 <p class="TextFontCX" align="left" style=
6009 'text-align:left;page-break-after:avoid'><i>The warning for line 14
6010 is reported because the modifies clause of</i> <span class=
6011 "CodeText"><span style='font-size:10.0pt'>modglob</span></span>
6012 <i>indicated that it may modify</i> <span class=
6013 "CodeText"><span style=
6014 'font-size:10.0pt'>glob</span></span><i>. The behavior is
6015 undefined since we don’t know if</i> <span class=
6016 "CodeText"><span style='font-size:10.0pt'>glob</span></span> <i>is
6017 evaluated before, after or during the</i> <i>modification.
6018 The line 15 warning would not be reported without</i>
6019 <span class="Flag"><span style=
6020 'font-size:10.0pt'>+evalorderuncon</span></span><i>.</i></p></td></tr></table>
6021 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6023 <td valign="top" style=
6024 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6025 <p class="MsoCaption"><a name="_Toc534824620"></a><a name=
6026 "_Ref534823183">Figure 16</a>. Evaluation
6027 Order</p></td></tr></table></center>
6028 <p class="TextFontCX"> </p>
6029 <p class="TextFontCX">When checking systems without modifies and
6030 globals information (see Section 7), evaluation order checking may
6031 report errors when unconstrained functions are called in procedure
6032 arguments. Since Splint has no annotations to constrain what
6033 these functions may modify, it cannot be guaranteed that the
6034 evaluation order is defined if another argument calls an
6035 unconstrained function or uses a global variable or storage
6036 reachable from a parameter to the unconstrained function. Its
6037 best to add modifies and globals clauses to constrain the
6038 unconstrained functions in ways that eliminate the possibility of
6039 undefined behavior. For large legacy systems, this may
6040 require too much effort. Instead, the <span class=
6042 'font-size:10.0pt'>‑eval-order-uncon</span></span> flag may
6043 be used to prevent reporting of undefined behavior due to the order
6044 of evaluation of unconstrained functions. Figure 16
6045 illustrates detection of undefined behavior.</p>
6047 <table class="MsoNormalTable" border="0" cellspacing="0"
6048 cellpadding="0" style=
6049 'margin-left:18.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
6051 <td valign="top" style=
6052 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6053 <p class="TextFontCX" align="center" style='text-align:center'>
6054 <span class="Keyword"><b><span style=
6055 'font-size:10.0pt; color:white'>loop.c</span></b></span></p></td>
6056 <td valign="top" style=
6057 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6058 <p class="TextFontCX" align="center" style='text-align:center'>
6059 <b><span style='color:white'>Running
6060 Splint</span></b></p></td></tr>
6061 <tr style='height:143.1pt'>
6062 <td valign="top" style=
6063 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:143.1pt'>
6064 <p class="Verbatim">extern int glob1, glob2;</p>
6065 <p class="Verbatim">extern int f (void)</p>
6066 <p class="Verbatim"> /*@globals glob1@*/</p>
6067 <p class="Verbatim"> /*@modifies nothing@*/;</p>
6068 <p class="Verbatim">extern void g (void)</p>
6069 <p class="Verbatim"> /*@modifies glob2@*/ ;</p>
6070 <p class="Verbatim">extern void h (void) ;</p>
6071 <p class="Verbatim"> </p>
6072 <p class="Verbatim">void upto (int x)</p>
6073 <p class="Verbatim">{</p>
6074 <p class="Verbatim"><span class="Line"><span style=
6075 'font-size:8.0pt'>14</span></span> while (x > f ())
6077 <p class="Verbatim"><span class="Line"><span style=
6078 'font-size:8.0pt'>15</span></span> while (f () < 3)
6080 <p class="Verbatim">}</p></td>
6081 <td valign="top" style=
6082 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:143.1pt'>
6083 <p class="lclintrun">> splint loop.c +infloopsuncon</p>
6084 <p class="lclintrun">loop.c:14: Suspected infinite loop. No
6086 <p class="lclintrun"> loop test (x, glob1) is
6087 modified by test or loop</p>
6088 <p class="lclintrun"> body.</p>
6089 <p class="lclintrun">loop.c:15: Suspected infinite loop. No
6091 <p class="lclintrun"> values modified.
6092 Modification possible through</p>
6093 <p class="lclintrun"> unconstrained calls: h</p>
6094 <p class="TextFontCX" style='page-break-after: avoid'><i>An error
6095 is reported for line 14 since the only value modified by<br>
6096 the loop test or body if</i> <span class=
6097 "CodeText"><span style='font-size: 10.0pt'>glob2</span></span>
6098 <i>and the value of the loop test<br>
6099 does not depend on</i> <span class="CodeText"><span style=
6100 'font-size:10.0pt'>glob2</span></span><i>. The error for line
6102 reported without</i> <span class="Flag"><span style=
6103 'font-size:10.0pt'>+infloopsuncon</span></span><i>.</i></p></td></tr></table>
6104 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6106 <td valign="top" style=
6107 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6108 <p class="MsoCaption"><a name="_Toc534824621"></a><a name=
6109 "_Ref534823256">Figure 17</a>. Infinite
6110 Loops</p></td></tr></table></center>
6111 <h2 style='margin-left:0in;text-indent:0in'><a name=
6112 "_Toc534974989"></a><a name="_Ref344892701"></a><a name=
6113 "_Toc344355430">8.3<span style=
6114 'font:7.0pt "Times New Roman"'> </span>
6115 Problematic Control Structures</a></h2>
6116 <p class="TextFontCX">A number of control structures that are
6117 syntactically legal may indicate likely bugs in programs.
6118 Splint can detect errors involving likely infinite
6119 loops (Section 8.3.1), fall through cases and missing cases in
6120 <span class="CodeText"><span style=
6121 'font-size:10.0pt'>switch</span></span> statements (Section
6122 8.3.2), <span class="CodeText"><span style=
6123 'font-size:10.0pt'>break</span></span> statements within deeply
6124 nested loops or switches (Section 8.3.3), clauses of
6125 <span class="CodeText"><span style=
6126 'font-size:10.0pt'>if</span></span>, <span class=
6127 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6128 or <span class="CodeText"><span style=
6129 'font-size:10.0pt'>for</span></span> statements that are
6130 empty statements or unblocked single statements (Section
6131 8.3.4) and incomplete if-else logic (Section 8.3.5).
6132 Although any of these may appear in a correct program,
6133 depending on the programming style used they may indicate
6134 likely bugs or style violations that should be detected and
6136 <h3 style='margin-left:0in;text-indent:0in'><a name=
6137 "_Toc534974990"></a><a name="_Ref344810086">8.3.1<span style=
6138 'font:7.0pt "Times New Roman"'> </span>
6139 Likely Infinite Loops</a></h3>
6140 <p class="TextFontCX">Splint reports an error if it detects a loop
6141 that appears to be infinite. An error is reported for a loop
6142 that does not modify any value used in its condition test inside
6143 the body of the loop or in the condition test itself. This
6144 checking is enhanced by modifies clauses and globals lists (see
6145 Section 7) since they <a name="_Ref344818734">provide more
6146 information about what global variable may be used in the condition
6147 test and what values may be modified by function calls in the loop
6149 <p class="TextFontCX"> </p>
6150 <p class="TextFontCX">Figure 17 shows examples of infinite
6151 loops detected by Splint. An error is reported for the loop in
6152 line 14, since neither of the values used in the loop condition
6153 (<span class="CodeText"><span style=
6154 'font-size:10.0pt'>x</span></span> directly and <span class=
6155 "CodeText"><span style='font-size:10.0pt'>glob1</span></span>
6156 through the call to <span class="CodeText"><span style=
6157 'font-size:10.0pt'>f</span></span>) is modified by the body of the
6158 loop. If the declaration of <span class=
6159 "CodeText"><span style='font-size:10.0pt'>g</span></span> is
6160 changed to include <span class="CodeText"><span style=
6161 'font-size:10.0pt'>glob1</span></span> in the modifies clause no
6162 error is reported. (In this example, if we assume the
6163 annotations are correct, then the programmer has probably called
6164 the wrong function in the loop body. This isn’t
6165 surprising, given the horrible choices of function and variable
6167 <p class="TextFontCX"> </p>
6168 <p class="TextFontCX">If an unconstrained function is called within
6169 the loop body, Splint will assume that it modifies a value used in
6170 the condition test and not report an infinite loop error, unless
6171 <span class="Flag"><span style=
6172 'font-size:10.0pt'>infloopsuncon</span></span> is on. If
6173 <span class="Flag"><span style=
6174 'font-size:10.0pt'>infloopsuncon</span></span> is on, Splint will
6175 report infinite loop errors for loops where there is no explicit
6176 modification of a value used in the condition test, but where they
6177 may be an undetected modification through a call to an
6178 unconstrained function (e.g., line 12 in Figure 17).</p>
6179 <p class="TextFontCX"> </p>
6180 <p class="TextFontCX"> </p>
6181 <p class="TextFontCX" align="center" style='text-align:center'>
6182 <span style='font-size:10.0pt'> </span></p>
6183 <h3 style='margin-left:0in;text-indent:0in'><a name=
6184 "_Toc534974991"></a><a name="_Ref349899747"></a><a name=
6185 "_Ref345591205">8.3.2<span style=
6186 'font:7.0pt "Times New Roman"'> </span>
6188 <p class="TextFontCX">The automatic fall through of C switch
6189 statements is almost never the intended behavior.<a href="#_ftn10"
6190 name="_ftnref10" title=""><span class=
6191 "MsoFootnoteReference"><span class=
6192 "MsoFootnoteReference"><span style=
6193 'font-size:11.0pt;font-family:"Times New Roman"'>[10]</span></span></span></a>
6194 Splint detects <span class="CodeText"><span style=
6195 'font-size:10.0pt'>case</span></span> statements with code that may
6196 fall through to the next <span class="CodeText"><span style=
6197 'font-size:10.0pt'>case</span></span>. The <span class=
6198 "Flag"><span style='font-size:10.0pt'>casebreak</span></span> flag
6199 controls reporting of fall through cases. A single fall
6200 through case may be marked by preceding the <span class=
6201 "CodeText"><span style='font-size:10.0pt'>case</span></span>
6202 keyword with <span class="Annot"><span style=
6203 'font-size:10.0pt'>/*@fallthrough@*/</span></span> to indicate
6204 explicitly that execution falls through to this case. See
6205 Figure 18 for an example.</p>
6206 <p class="TextFontCX"> </p>
6207 <p class="TextFontCX">For switches on <span class=
6208 "CodeText"><span style='font-size:10.0pt'>enum</span></span> types,
6209 Splint reports an error if a member of the enumerator does not
6210 appear as a case in the switch body (and there is no
6211 <span class="CodeText"><span style=
6212 'font-size:10.0pt'>default</span></span> case).
6213 (Controlled by <span class="Flag"><span style=
6214 'font-size:10.0pt'>misscase</span></span>.)</p>
6216 <table class="MsoNormalTable" border="0" cellspacing="0"
6217 cellpadding="0" style=
6218 'margin-left:.2in;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
6220 <td valign="top" style=
6221 'width:3.0in;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6222 <p class="TextFontCX" align="center" style='text-align:center'>
6223 <span class="Keyword"><b><span style=
6224 'font-size:10.0pt; color:white'>switch.c</span></b></span></p></td>
6225 <td valign="top" style=
6226 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6227 <p class="TextFontCX" align="center" style='text-align:center'>
6228 <b><span style='color:white'>Running
6229 Splint</span></b></p></td></tr>
6231 <td valign="top" style=
6232 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6233 <p class="Verbatim">typedef enum {</p>
6234 <p class="Verbatim"> YES, NO, DEFINITELY,</p>
6235 <p class="Verbatim"> PROBABLY, MAYBE } ynm;</p>
6236 <p class="Verbatim">void decide (ynm y)</p>
6237 <p class="Verbatim">{</p>
6238 <p class="Verbatim"> switch (y)</p>
6239 <p class="Verbatim"> {</p>
6240 <p class="Verbatim"> case PROBABLY:</p>
6241 <p class="Verbatim"> case NO: printf ("No!");</p>
6242 <p class="Verbatim"><span class="Line"><span style=
6243 'font-size:8.0pt'>10</span></span> case MAYBE: printf
6245 <p class="Verbatim">
6246
6247 /*@fallthrough@*/</p>
6248 <p class="Verbatim"> case YES: printf
6250 <p class="Verbatim"><span class="Line"><span style=
6251 'font-size:8.0pt'>13</span></span> }</p>
6252 <p class="Verbatim">}</p></td>
6253 <td valign="top" style=
6254 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6255 <p class="lclintrun">> splint switch.c</p>
6256 <p class="lclintrun">switch.c:10: Fall through case (no preceding
6258 <p class="lclintrun">switch.c:13: Missing case in switch:
6260 <p class="TextFontCX"> </p>
6261 <p class="MsoCaption" align="left" style='text-align:left'>
6262 <i><span style='font-weight:normal'>No fall through error is
6263 reported for the</span></i> <span class=
6264 "CodeText"><span style='font-weight:normal'>NO</span></span><i><span style='font-weight:normal'>
6266 since there are no statements associated with the<br>
6267 previous case. </span></i></p>
6268 <p class="TextFontCX" style='page-break-after: avoid'><i>The</i>
6269 <span class="Annot"><span style=
6270 'font-size:10.0pt'>/*@fallthrough@*/</span></span> <i>comment
6272 a message from being produced for the<br></i> <span class=
6273 "Annot"><span style='font-size:10.0pt'>YES</span></span>
6274 <i>case.</i></p></td></tr></table>
6275 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6277 <td valign="top" style=
6278 'padding-top:0in;padding-right: 9.0pt;padding-bottom:0in;padding-left:9.0pt'>
6279 <p class="MsoCaption"><a name="_Toc344355431"></a><a name=
6280 "_Ref344881581"></a><a name="_Toc534824622"></a><a name=
6281 "_Ref534823308">Figure 18</a>. Switch
6282 Cases</p></td></tr></table></center>
6283 <h3 style='margin-left:0in;text-indent:0in'><a name=
6284 "_Toc534974992"></a><a name="_Ref534971227">8.3.3<span style=
6285 'font:7.0pt "Times New Roman"'> </span>
6286 Deep Breaks</a></h3>
6287 <p class="TextFontCX">There is no syntax provided by C (other than
6288 <span class="CodeText"><span style=
6289 'font-size:10.0pt'>goto</span></span>) for breaking out of a nested
6290 loop. All <span class="CodeText"><span style=
6291 'font-size:10.0pt'>break</span></span> and <span class=
6292 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
6293 statements act only on the innermost surrounding loop or
6294 switch. This can lead to serious problems<a href="#_ftn11"
6295 name="_ftnref11" title=""><span class=
6296 "MsoFootnoteReference"><span class=
6297 "MsoFootnoteReference"><span style=
6298 'font-size:11.0pt;font-family:"Times New Roman"'>[11]</span></span></span></a>
6299 when a programmer intends to break the outer loop or switch
6300 instead. Splint optionally reports warnings for
6301 <span class="CodeText"><span style=
6302 'font-size: 10.0pt'>break</span></span> and <span class=
6303 "CodeText"><span style=
6304 'font-size: 10.0pt'>continue</span></span> statements in
6305 nested contexts.</p>
6306 <p class="beforelist"> </p>
6307 <p class="beforelist">Four types of <span class=
6308 "CodeText"><span style='font-size: 10.0pt'>break</span></span>
6309 warnings are reported:</p>
6310 <p class="MsoListBullet"><span style=
6311 'font-family:Symbol'>·<span style=
6312 'font:7.0pt "Times New Roman"'> </span></span>
6313 <span class="CodeText"><span style=
6314 'font-size:10.0pt'>break</span></span> inside a loop
6315 (<span class="CodeText"><span style=
6316 'font-size:10.0pt'>while</span></span> or <span class=
6317 "CodeText"><span style='font-size:10.0pt'>for</span></span>)
6318 that is inside a loop. Controlled by <span class=
6320 'font-size:10.0pt'>looploopbreak</span></span>. To
6321 indicate that a <span class="CodeText"><span style=
6322 'font-size:10.0pt'>break</span></span> is inside an inner
6323 loop, precede the <span class="CodeText"><span style=
6324 'font-size:10.0pt'>break</span></span> by <a href=
6325 "mailto:/*@innerbreak@*/"><span class="Annot"><span style=
6326 'font-size: 10.0pt'>/*@innerbreak@*/</span></span></a>.</p>
6327 <p class="MsoListBullet"><span style=
6328 'font-family:Symbol'>·<span style=
6329 'font:7.0pt "Times New Roman"'> </span></span>
6330 <span class="CodeText"><span style=
6331 'font-size:10.0pt'>break</span></span> inside a loop that is inside
6332 a <span class="CodeText"><span style=
6333 'font-size:10.0pt'>switch</span></span> statement. Controlled
6334 by <span class="Flag"><span style=
6335 'font-size:10.0pt'>switchloopbreak</span></span>. To mark the
6336 <span class="CodeText"><span style=
6337 'font-size:10.0pt'>break</span></span> as a loop break, precede the
6338 <span class="CodeText"><span style=
6339 'font-size:10.0pt'>break</span></span> by <span class=
6340 "Annot"><span style=
6341 'font-size:10.0pt'>/*@loopbreak@*/</span></span>.</p>
6342 <p class="MsoListBullet"><span style=
6343 'font-family:Symbol'>·<span style=
6344 'font:7.0pt "Times New Roman"'> </span></span>
6345 <span class="CodeText"><span style=
6346 'font-size:10.0pt'>break</span></span> inside a <span class=
6347 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
6348 statement that is inside a loop. Controlled by
6349 <span class="Flag"><span style=
6350 'font-size:10.0pt'>loopswitchbreak</span></span>. To
6351 mark the <span class="CodeText"><span style=
6352 'font-size:10.0pt'>break</span></span> as a switch break,
6353 precede the <span class="CodeText"><span style=
6354 'font-size:10.0pt'>break</span></span> by <span class=
6355 "Annot"><span style=
6356 'font-size:10.0pt'>/*@switchbreak@*/</span></span>.</p>
6357 <p class="MsoListBullet"><span style=
6358 'font-family:Symbol'>·<span style=
6359 'font:7.0pt "Times New Roman"'> </span></span>
6360 <span class="CodeText"><span style=
6361 'font-size:10.0pt'>break</span></span> inside a <span class=
6362 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
6363 inside another <span class="CodeText"><span style=
6364 'font-size:10.0pt'>switch</span></span>. Controlled by
6365 <span class="Flag"><span style=
6366 'font-size:10.0pt'>switchswitchbreak</span></span>. To
6367 indicate that the <span class="CodeText"><span style=
6368 'font-size:10.0pt'>break</span></span> is for the inner switch, use
6369 <span class="Annot"><span style=
6370 'font-size:10.0pt'>/*@innerbreak@*/</span></span>.</p>
6371 <p class="afterlist">Since <span class=
6372 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
6373 only makes sense within loops, warnings are only reported for
6374 <span class="CodeText"><span style=
6375 'font-size:10.0pt'>continue</span></span> statements within
6376 nested loops. (Controlled by <span class=
6378 'font-size: 10.0pt'>looploopcontinue</span></span>.) A
6379 safe inner <span class="CodeText"><span style=
6380 'font-size:10.0pt'>continue</span></span> may be preceded by
6381 <span class="Annot"><span style=
6382 'font-size:10.0pt'>/*@innercontinue@*/</span></span> to
6383 suppress error messages locally. The <span class=
6384 "Flag"><span style='font-size:10.0pt'>deepbreak</span></span>
6385 flag sets all nested break and continue checking flags.</p>
6386 <p class="TextFontCX"> </p>
6387 <p class="TextFontCX">Splint warns if the marker preceding a
6388 <span class="CodeText"><span style=
6389 'font-size:10.0pt'>break</span></span> is not consistent with its
6390 placement. A warning results if <span class=
6391 "Annot"><span style='font-size:10.0pt'>innerbreak</span></span>
6392 precedes a <span class="CodeText"><span style=
6393 'font-size:10.0pt'>break</span></span> that is not breaking an
6394 inner loop, <span class="Annot"><span style=
6395 'font-size:10.0pt'>switchbreak</span></span> precedes a
6396 <span class="CodeText"><span style=
6397 'font-size:10.0pt'>break</span></span> that is not breaking a
6398 switch, or <span class="Annot"><span style=
6399 'font-size: 10.0pt'>loopbreak</span></span> precedes a
6400 <span class="CodeText"><span style=
6401 'font-size:10.0pt'>break</span></span> that is not breaking a
6403 <h3 style='margin-left:0in;text-indent:0in'><a name=
6404 "_Toc534974993"></a><a name="_Ref347246280">8.3.4<span style=
6405 'font:7.0pt "Times New Roman"'> </span></a>
6406 Loop and If Bodies</h3>
6407 <p class="beforelist">An empty statement after an
6408 <span class="CodeText"><span style=
6409 'font-size:10.0pt'>if</span></span>, <span class=
6410 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6411 or <span class="CodeText"><span style=
6412 'font-size:10.0pt'>for</span></span> often indicates a
6413 potential bug. A single statement (i.e., not a compound
6414 block) after an <span class="CodeText"><span style=
6415 'font-size:10.0pt'>if</span></span>, <span class=
6416 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6417 or <span class="CodeText"><span style=
6418 'font-size:10.0pt'>for</span></span> is not likely to
6419 indicate a bug, but make the code harder to read and
6420 edit. Splint can report errors for if or loop
6421 statements with empty bodies or bodies that are not compound
6422 statements. Separate flags control checking for
6423 statements following an <span class="CodeText"><span style=
6424 'font-size:10.0pt'>if</span></span>, <span class=
6425 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6426 or <span class="CodeText"><span style=
6427 'font-size:10.0pt'>for</span></span>:</p>
6428 <p class="MsoListBullet"><span style=
6429 'font-family:Symbol'>·<span style=
6430 'font:7.0pt "Times New Roman"'> </span></span>
6431 <span class="Flag"><span style=
6432 'font-size:10.0pt'>[if</span></span>,<span class=
6433 "Flag"><span style='font-size:10.0pt'>while</span></span>,<span class="Flag">
6434 <span style='font-size:10.0pt'>for]empty</span></span> —
6435 report errors for empty bodies (e.g., <span class=
6436 "CodeText"><span style='font-size:10.0pt'>if (x > 3)
6437 ;</span></span> )</p>
6438 <p class="MsoListBullet"><span style=
6439 'font-family:Symbol'>·<span style=
6440 'font:7.0pt "Times New Roman"'> </span></span>
6441 <span class="Flag"><span style=
6442 'font-size:10.0pt'>[if</span></span>,<span class=
6443 "Flag"><span style='font-size:10.0pt'>while</span></span>,<span class="Flag">
6444 <span style='font-size:10.0pt'>for]block</span></span> —
6445 report errors for non-block bodies (e.g., <span class=
6446 "CodeText"><span style='font-size:10.0pt'>if (x > 3)
6447 x++;</span></span>)</p>
6448 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
6449 <span class="Keyword"><span style=
6450 'font-size:10.0pt'> </span></span></p>
6451 <p class="afterlist">The <span class="CodeText"><span style=
6452 'font-size:10.0pt'>if</span></span> statement checks also apply to
6453 the body of the <span class="CodeText"><span style=
6454 'font-size:10.0pt'>else</span></span> clause. No
6455 <span class="Flag"><span style=
6456 'font-size:10.0pt'>ifblock</span></span> warning is reported
6457 if the body of the <span class="CodeText"><span style=
6458 'font-size:10.0pt'>else</span></span> clause is an
6459 <span class="CodeText"><span style=
6460 'font-size:10.0pt'>if</span></span> statement, to allow
6461 conventional <span class="CodeText"><span style=
6462 'font-size: 10.0pt'>else if</span></span> chains. </p>
6463 <h3 style='margin-left:0in;text-indent:0in'><a name=
6464 "_Toc534974994"></a><a name="_Ref347246283">8.3.5<span style=
6465 'font:7.0pt "Times New Roman"'> </span>
6466 Complete Logic</a></h3>
6467 <p class="beforelist">Although it may be perfectly reasonable in
6468 many contexts, an <span class="CodeText"><span style=
6469 'font-size:10.0pt'>if</span></span>-<span class=
6470 "CodeText"><span style='font-size:10.0pt'>else</span></span> chain
6471 with no final <span class="CodeText"><span style=
6472 'font-size:10.0pt'>else</span></span> may indicate missing logic or
6473 forgetting to check error cases. If <span class=
6474 "Flag"><span style='font-size:10.0pt'>elseif-complete</span></span>
6475 is on, Splint warns when an <span class=
6476 "CodeText"><span style='font-size:10.0pt'>if</span></span>
6477 statement that is the body of an <span class=
6478 "CodeText"><span style='font-size: 10.0pt'>else</span></span>
6479 clause does not have a matching <span class=
6480 "CodeText"><span style='font-size:10.0pt'>else</span></span>
6481 clause. For example, the code,</p>
6482 <p class="Verbatim"> if (x == 0) { return "nil"; }</p>
6483 <p class="Verbatim"> else if (x == 1) { return "many";
6485 <p class="afterlist">results in a warning since the second
6486 <span class="CodeText"><span style=
6487 'font-size:10.0pt'>if</span></span> has no matching
6488 <span class="CodeText"><span style=
6489 'font-size:10.0pt'>else</span></span> branch.</p>
6490 <h2 style='margin-left:0in;text-indent:0in'><a name=
6491 "_Toc534974995"></a><a name="_Ref344892802">8.4<span style=
6492 'font:7.0pt "Times New Roman"'> </span>
6493 Suspicious Statements</a></h2>
6494 <p class="TextFontCX">Splint detects errors involving statements
6495 with no apparent effects (Section 8.4.1) and statements that ignore
6496 the result of a called function (Section 8.4.2).</p>
6497 <h3 style='margin-left:0in;text-indent:0in'><a name=
6498 "_Toc534974996"></a><a name="_Ref347247824">8.4.1<span style=
6499 'font:7.0pt "Times New Roman"'> </span>
6500 Statements with No Effects</a></h3>
6501 <p class="TextFontCX">Splint can report errors for statements that
6502 have no effect. (Controlled by <span class=
6503 "Flag"><span style='font-size:10.0pt'>no-effect</span></span>.)
6504 Because of modifies clauses, Splint can detect more errors
6505 than traditional checkers. Unless the <span class=
6507 'font-size:10.0pt'>no-effect-uncon</span></span> flag is
6508 on, errors are not reported for statements that involve calls
6509 to unconstrained functions since the unconstrained function
6510 may cause a modification. Figure 19 shows examples of
6511 Splint’s no effect checking.</p>
6513 <table class="MsoNormalTable" border="0" cellspacing="0"
6514 cellpadding="0" style=
6515 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
6517 <td valign="top" style=
6518 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6519 <p class="TextFontCX" align="center" style='text-align:center'>
6520 <a name="_Ref344893305"></a><a name=
6521 "_Ref344874935"><span class="StyleKeywordBold"><span style=
6522 'font-size:10.0pt'>noeffect.c</span></span></a></p></td>
6523 <td valign="top" style=
6524 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6525 <p class="TextFontCX" align="center" style='text-align:center'>
6526 <b><span style='color:white'>Running
6527 Splint</span></b></p></td></tr>
6529 <td valign="top" style=
6530 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6531 <p class="Verbatim">extern void</p>
6532 <p class="Verbatim"> nomodcall (int *x) /*@*/;</p>
6533 <p class="IndentText"><i>Recall /*@*/ is shorthand for<br>
6534 modifies nothing and use<br>
6536 <p class="Verbatim">extern void mysterycall (int *x);</p>
6537 <p class="Verbatim"> </p>
6538 <p class="Verbatim">int noeffect (int *x, int y)</p>
6539 <p class="Verbatim">{</p>
6540 <p class="Verbatim"> y == *x;</p>
6541 <p class="Verbatim"> nomodcall (x);</p>
6542 <p class="Verbatim"> mysterycall (x);</p>
6543 <p class="Verbatim"> return *x;</p>
6544 <p class="Verbatim">}</p></td>
6545 <td valign="top" style=
6546 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6547 <p class="lclintrun">> splint noeffect.c +noeffectuncon</p>
6548 <p class="lclintrun">noeffect.c:6: Statement has no effect: y ==
6550 <p class="lclintrun">noeffect.c:7: Statement has no effect:
6552 <p class="lclintrun">noeffect.c:8: Statement has no effect
6554 <p class="lclintrun"> undetected modification
6556 <p class="lclintrun"> unconstrained function
6558 <p class="lclintrun"> mysterycall(x)</p>
6559 <p class="IndentText"><i> </i></p>
6560 <p class="IndentText" style='page-break-after:avoid'><i>The warning
6561 for line 8 would not be<br>
6562 reported without</i> <span class="Flag"><span style=
6563 'font-size: 10.0pt'>+noeffectuncon</span></span>.</p></td></tr></table>
6564 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6566 <td valign="top" style=
6567 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6568 <p class="MsoCaption"><a name="_Ref534813977"></a><a name=
6569 "_Toc534824623"></a><a name="_Ref534823396">Figure 19</a>.
6570 Statements with No Effect</p></td></tr></table></center>
6571 <h3 style='margin-left:0in;text-indent:0in'><a name=
6572 "_Ref534978820"></a><a name="_Toc534974997">8.4.2<span style=
6573 'font:7.0pt "Times New Roman"'> </span>
6574 Ignored Return Values</a></h3>
6575 <p class="TextFontCX">Splint reports an error when a return value
6576 is ignored. Checking may be controlled based on the type of
6577 the return value: <span class="Flag"><span style=
6578 'font-size:10.0pt'>ret-val-int</span></span> controls reporting of
6579 ignored return values of type <span class=
6580 "Keyword"><span style='font-size:10.0pt'>int</span></span>,
6581 and <span class="Flag"><span style=
6582 'font-size:10.0pt'>ret-val-bool</span></span> for return
6583 values of type <span class="Keyword"><span style=
6584 'font-size:10.0pt'>bool</span></span>, and <span class=
6586 'font-size:10.0pt'>ret-val-others</span></span> for all
6587 other types. A function statement may be cast to
6588 <span class="Keyword"><span style=
6589 'font-size:10.0pt'>void</span></span> to prevent this error
6590 from being reported.</p>
6591 <p class="TextFontCX"> </p>
6592 <p class="TextFontCX">Alternate types (Section 4.4) can be
6593 used to declare functions that return values that may safely be
6594 ignored by declaring the result type to alternately be
6595 <span class="Keyword"><span style=
6596 'font-size:10.0pt'>void</span></span>. Several
6597 functions in the standard library are specified to
6598 alternately return <span class="Keyword"><span style=
6599 'font-size:10.0pt'>void</span></span> to prevent ignored
6600 return value errors for standard library functions (e.g.,
6601 <span class="Keyword"><span style=
6602 'font-size:10.0pt'>strcpy</span></span>) where the result may
6603 be safely ignored (see Section 14.1). Figure 20 shows
6604 examples of ignored return value errors reported by
6606 <p class="MsoNormal" align="left" style=
6607 'text-align:left;background:white'><span style=
6608 'font-size:10.0pt'> </span></p>
6610 <table class="MsoNormalTable" border="0" cellspacing="0"
6611 cellpadding="0" style='margin-left:9.9pt;border-collapse:collapse'>
6613 <td valign="top" style=
6614 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6615 <p class="TextFontCX" align="center" style='text-align:center'>
6616 <span class="Keyword"><b><span style=
6617 'font-size:10.0pt; color:white'>ignore.c</span></b></span></p></td>
6618 <td valign="top" style=
6619 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6620 <p class="TextFontCX" align="center" style='text-align:center'>
6621 <b><span style='color:white'>Running
6622 Splint</span></b></p></td></tr>
6624 <td valign="top" style=
6625 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6626 <p class="Verbatim"># include “bool.h”</p>
6627 <p class="Verbatim">extern int fi (void);</p>
6628 <p class="Verbatim">extern bool fb (void);</p>
6629 <p class="Verbatim">extern int /*@alt void@*/</p>
6630 <p class="Verbatim"> fv (void);</p>
6631 <p class="Verbatim"> </p>
6632 <p class="Verbatim">int ignore (void)</p>
6633 <p class="Verbatim">{</p>
6634 <p class="Verbatim"><span class="Line"><span style=
6635 'font-size:8.0pt'> 8</span></span> fi ();</p>
6636 <p class="Verbatim"><span class="Line"><span style=
6637 'font-size:8.0pt'> 9</span></span> (void) fi ();</p>
6638 <p class="Verbatim"><span class="Line"><span style=
6639 'font-size:8.0pt'>10</span></span> fb ();</p>
6640 <p class="Verbatim"><span class="Line"><span style=
6641 'font-size:8.0pt'>11</span></span> fv ();</p>
6642 <p class="Verbatim"><span class="Line"><span style=
6643 'font-size:8.0pt'>12</span></span> return fv ();</p>
6644 <p class="Verbatim">}</p></td>
6645 <td valign="top" style=
6646 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6647 <p class="lclintrun">> splint ignore.c</p>
6648 <p class="lclintrun"> </p>
6649 <p class="lclintrun">ignore.c:8: Return value (type int) ignored:
6651 <p class="lclintrun">ignore.c:10: Return value (type bool) ignored:
6653 <p class="lclintrun"> </p>
6654 <p class="MsoNormal" style='background:white'><i><span style=
6655 'font-size:10.0pt'>The message for line 8 would not be reported
6656 if</span></i> <span class="Flag"><span style=
6657 'font-size:10.0pt'>‑retvalint</span></span><i><span style='font-size:10.0pt'>
6659 for line 10, if</span></i> <span class="Flag"><span style=
6660 'font-size:10.0pt'>‑retvalbool</span></span><i><span style='font-size:10.0pt'>
6661 is set.</span></i></p>
6662 <p class="MsoNormal" style='background:white'><i><span style=
6663 'font-size:10.0pt'> </span></i></p>
6664 <p class="MsoNormal" style='background:white'><i><span style=
6665 'font-size:10.0pt'> No message is reported for line 9 because
6666 the result is cast to</span></i> <span class=
6667 "CodeText"><span style='font-size:10.0pt'>void</span></span><i><span style='font-size:10.0pt'>
6669 and no message is reported for line 11 because</span></i>
6670 <span class="CodeText"><span style=
6671 'font-size:10.0pt'>fv</span></span><i><span style=
6672 'font-size:10.0pt'>is declared<br>
6673 to alternately return</span></i> <span class=
6674 "CodeText"><span style=
6675 'font-size:10.0pt'>void</span></span><i><span style=
6676 'font-size:10.0pt'>.</span></i></p>
6677 <p class="TextFontCX" style='page-break-after: avoid'>
6678 </p></td></tr></table>
6680 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6682 <td valign="top" style=
6683 'padding-top:0in;padding-right: 9.0pt;padding-bottom:0in;padding-left:9.0pt'>
6684 <p class="MsoCaption"><a name="_Toc534824624"></a><a name=
6685 "_Ref534823436">Figure 20</a>. Ignored Return
6686 Values</p></td></tr></table></div></center>
6687 <p class="MsoNormal" align="left" style=
6688 'text-align:left;background:white'><span style=
6689 'font-size:10.0pt'> </span></p>
6691 'font-size:16.0pt;font-family:"Times New Roman"'><br clear="all"
6692 style='page-break-before:always'></span></b>
6693 <h1 style='margin-left:0in;text-indent:0in;page-break-before:auto'>
6694 <a name="_Toc534974998"></a><a name="_Ref534963019"></a><a name=
6695 "_Ref534962975">9<span style=
6696 'font:7.0pt "Times New Roman"'> </span>
6697 <a id="buffer" name="buffer">
6698 Buffer Sizes</a></a></h1>
6699 <p class="TextFontCX">Buffer overflow errors are a particularly
6700 dangerous type of bug in C programs. They are directly
6701 responsible for about half of all security attacks
6702 [Larochelle01]. For performance reasons, C does not perform
6703 run time bounds checking. Referencing storage outside
6704 allocated regions can cause memory corruption and lead to strange
6705 behavior. Moreover, buffer overflow bugs are particularly
6706 insidious because they can go undetected in testing or normal use,
6707 but usually result in security critical bugs. Reads beyond
6708 the end of a buffer can cause the program to leak
6709 information. Writes beyond the end a buffer (buffer
6710 overflows) can usually be exploited make the program run arbitrary
6711 code. Attackers can exploit these programming bugs to replace
6712 the return address on the stack and place arbitrary code in memory
6713 thereby gaining full access to the machine. Splint is able to
6714 detect many memory bounds errors. <a href="#_ftn12" name=
6715 "_ftnref12" title=""><span style=
6716 'font-size:11.0pt; font-family:"Times New Roman"'>[12]</span></a> </p>
6717 <h2 style='margin-left:0in;text-indent:0in'><a name=
6718 "_Toc534974999">9.1<span style=
6719 'font:7.0pt "Times New Roman"'> </span>
6720 Checking Accesses</a></h2>
6721 <p class="TextFontCX">Splint models blocks of contiguous memory
6722 using two properties: <span class="Annot"><span style=
6723 'font-size:10.0pt'>maxSet</span></span> and <span class=
6724 "Annot"><span style='font-size:10.0pt'>maxRead</span></span>.
6725 Given a buffer <span class="CodeText"><i><span style=
6726 'font-size:10.0pt'>b</span></i></span>, <span class=
6727 "Annot"><span style=
6728 'font-size:10.0pt'>maxSet(<i>b</i>)</span></span> denotes the
6729 highest address beyond <span class="CodeText"><i><span style=
6730 'font-size:10.0pt'>b</span></i></span> that can be safely used as
6731 an lvalue. For the declaration <span class=
6732 "CodeText"><span style='font-size:10.0pt'>char
6733 buf[MAXSIZE]</span></span> we have <span class=
6734 "Annot"><span style='font-size: 10.0pt'>maxSet(buf)</span></span>
6735 <span class="CodeText"><span style='font-size: 10.0pt'>=
6736 MAXSIZE - 1</span></span>. Similarly, <span class=
6737 "Annot"><span style='font-size:10.0pt'>maxRead</span></span>
6738 denotes the highest index of a buffer that can be safely used
6739 an rvalue. It is inappropriate to read an uninitialized
6740 element or beyond the <span class="CodeText"><span style=
6741 'font-size:10.0pt'>NUL</span></span> terminator of a null
6742 terminated buffer.</p>
6743 <p class="TextFontCX"> </p>
6744 <p class="TextFontCX">When a buffer is accessed as an lvalue,
6745 Splint generates a precondition constraint involving the
6746 <span class="Annot"><span style=
6747 'font-size:10.0pt'>maxSet</span></span> property. When a
6748 buffer is accessed as an rvalue, Splint generates a precondition
6749 constraint involving the <span class="Annot"><span style=
6750 'font-size:10.0pt'>maxRead</span></span> property. For the
6751 expression <span class="CodeText"><span style=
6752 'font-size:10.0pt'>*<i>ptr</i></span></span>, Splint generates the
6753 constraints <span class="Annot"><span style=
6754 'font-size:10.0pt'>maxSet(<i>ptr</i>)</span></span>
6755 <span class="CodeText"><span style='font-size:10.0pt'>>=
6756 0</span></span> or <span class="Annot"><span style=
6757 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6758 <span class="CodeText"><span style='font-size:10.0pt'>>=
6759 0</span></span> depending on whether <span class=
6760 "CodeText"><i><span style=
6761 'font-size:10.0pt'>ptr</span></i></span> is used as an lvalue
6762 or rvalue. Similarly, for accesses of the form
6763 <span class="CodeText"><span style=
6764 'font-size:10.0pt'>ptr[i]</span></span>, splint generates the
6765 constraints <span class="Annot"><span style=
6766 'font-size:10.0pt'>maxSet(<i>ptr</i>)</span></span>
6767 <span class="CodeText"><span style='font-size:10.0pt'>>=
6768 i</span></span> or <span class="Annot"><span style=
6769 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6770 <span class="CodeText"><span style='font-size:10.0pt'>>=
6771 i</span></span>. If <span class="Flag"><span style=
6772 'font-size:10.0pt'>+boundswrite</span></span> is set, Splint
6773 warns if it is unable to resolve a constraint involving
6774 <span class="Annot"><span style=
6775 'font-size:10.0pt'>maxSet</span></span>. If <span class=
6777 'font-size:10.0pt'>+boundsread</span></span> is set, Splint
6778 warns about unresolved <span class="Annot"><span style=
6779 'font-size:10.0pt'>maxRead</span></span> constraints
6781 <p class="TextFontCX"> </p>
6782 <p class="TextFontCX">Splint generates postconditions for
6783 statements to help resolve precondition constraints. When a
6784 buffer is written to we know that an element of a buffer is
6785 initialized and is safe to read. We generate the
6786 postcondition <span class="Annot"><span style=
6787 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6788 <span class="CodeText"><span style='font-size:10.0pt'>>=
6789 0</span></span> if the buffer is accessed using <span class=
6790 "CodeText"><span style='font-size:10.0pt'>*ptr</span></span>
6791 or <span class="Annot"><span style=
6792 'font-size:10.0pt'>maxRead(ptr)</span></span> <span class=
6793 "CodeText"><span style='font-size:10.0pt'>>=
6794 i</span></span> if the buffer is accessed using <span class=
6795 "CodeText"><i><span style=
6796 'font-size:10.0pt'>ptr</span></i></span><span class=
6797 "CodeText"><span style=
6798 'font-size:10.0pt'>[<i>i</i>]</span></span>. Splint
6799 generates additional postconditions for a variety of C
6800 constructs. For assignment statements, Splint generates
6801 a postcondition equating the two operands. Splint also
6802 generates post condition constraints for the <span class=
6803 "Annot"><span style='font-size:10.0pt'>maxSet</span></span>
6804 value of fixed sized arrays.</p>
6805 <h2 style='margin-left:0in;text-indent:0in'><a name=
6806 "_Toc534975000">9.2<span style=
6807 'font:7.0pt "Times New Roman"'> </span>
6808 Annotating Buffer Sizes</a></h2>
6809 <p class="TextFontCX">Function declarations may include
6810 <span class="Annot"><span style=
6811 'font-size:10.0pt'>requires</span></span> and <span class=
6812 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
6813 clauses that specify assumptions about buffer sizes for
6814 function preconditions. They are interpreted like
6815 <span class="Annot"><span style=
6816 'font-size:10.0pt'>requires</span></span> and <span class=
6817 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
6818 clauses for simple memory states (see Section 7.5) but can be
6819 more expressive. When a function with a <span class=
6820 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6821 clause is called, the call site must be checked to satisfy
6822 the constraints implied by the <span class=
6823 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6824 clause. Similarly, an <span class="Annot"><span style=
6825 'font-size:10.0pt'>ensures</span></span> clause can be used
6826 to specify function post conditions. If the
6827 <span class="Flag"><span style=
6828 'font-size:10.0pt'>+checkpost</span></span> flag is set,
6829 Splint warns if it cannot verify that a function
6830 implementation satisfies its declared postconditions.</p>
6831 <p class="TextFontCX"> </p>
6832 <p class="TextFontCX">Constraints can contain function parameters
6833 as well as global variables and integer constants. The unary
6834 operators, <span class="Annot"><span style=
6835 'font-size:10.0pt'>maxSet</span></span> and <span class=
6836 "Annot"><span style='font-size:10.0pt'>maxRead</span></span> which
6837 correspond to the properties described above are also supported.
6838 Multiple predicates may be conjoined using <span class=
6839 "CodeText"><span style=
6840 'font-size: 10.0pt'>/\</span></span>. </p>
6841 <p class="TextFontCX"> </p>
6842 <p class="TextFontCX">For example, the standard library annotates
6843 <span class="CodeText"><span style=
6844 'font-size:10.0pt'>strcpy</span></span>:</p>
6845 <p class="MsoPlainText" style='line-height:normal'> </p>
6846 <p class="Verbatim" style='margin-left:22.5pt'>void /*@alt char *
6848 <p class="Verbatim" style='margin-left:22.5pt;text-indent:13.5pt'>
6849 (/*@unique@*/ /*@out@*/ /*@returned@*/ char *s1, char *s2)</p>
6850 <p class="Verbatim" style='margin-left:.5in'>/*@modifies *s1@*/</p>
6851 <p class="Verbatim" style='margin-left:.5in'>/*@requires maxSet(s1)
6852 >= maxRead(s2) @*/</p>
6853 <p class="Verbatim"> /*@ensures
6854 maxRead(s1) == maxRead (s2) @*/; </p>
6855 <p class="MsoPlainText" style=
6856 'margin-left:.5in;line-height:normal'><b> </b></p>
6857 <p class="MsoPlainText" style=
6858 'text-align:justify;line-height:normal'>The <span class=
6859 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6860 clause indicates that the buffer passed as <span class=
6861 "CodeText"><span style='font-size:10.0pt'>s1</span></span> must be
6862 large enough to hold the string passed as <span class=
6863 "CodeText"><span style='font-size:10.0pt'>s2</span></span>.
6864 The <span class="Annot"><span style=
6865 'font-size:10.0pt'>ensures</span></span> clause specifies that
6866 <span class="Annot"><span style=
6867 'font-size:10.0pt'>maxRead</span></span> of <span class=
6868 "CodeText"><span style='font-size:10.0pt'>s1</span></span> after
6869 the call is equal to <span class="Annot"><span style=
6870 'font-size:10.0pt'>maxRead</span></span> of <span class=
6871 "CodeText"><span style='font-size:10.0pt'>s2</span></span>.
6872 In cases where the size of <span class=
6873 "CodeText"><span style='font-size:10.0pt'>s2</span></span> is
6874 unknown, programs should use <span class=
6875 "CodeText"><span style=
6876 'font-size: 10.0pt'>strncpy</span></span>, annotated as:</p>
6877 <p class="Verbatim"> </p>
6878 <p class="Verbatim" style='margin-left:22.5pt'>void /*@alt char *
6880 <p class="Verbatim" style='margin-left:22.5pt'>
6881 (/*@unique@*/ /*@out@*/ /*@returned@*/ char *s1, char *s2,</p>
6882 <p class="Verbatim" style='margin-left:22.5pt;text-indent:13.5pt'>
6883 size_t n)</p>
6884 <p class="Verbatim" style='margin-left:22.5pt'>
6885 /*@modifies *s1@*/ </p>
6886 <p class="Verbatim" style='margin-left:22.5pt'> /*@requires
6887 maxSet(s1) >= ( n - 1 ); @*/</p>
6888 <p class="Verbatim" style='margin-left:22.5pt'> /*@ensures
6889 maxRead (s2) >= maxRead(s1) /\ maxRead (s1) <= n;@*/;</p>
6890 <p class="TextFontCX"> </p>
6891 <p class="TextFontCX">The syntax for buffer size constraint clauses
6893 <p class="TextFontCX"> </p>
6894 <p class="TextFontCX" align="left" style=
6895 'margin-left: 22.5pt;text-align:left'><i><span lang=
6896 "FR">constraint</span></i> <span lang="FR"> </span>
6897 <span style='font-family:Symbol'>Þ</span> <span lang=
6898 "FR">(</span><span class="Annot"><span style=
6899 'font-size:10.0pt'>requires</span></span> <span lang="FR">|</span>
6900 <span class="Annot"><span style=
6901 'font-size:10.0pt'>ensures</span></span><span lang="FR">)
6902 <i>consExpr relOp consExpr</i></span></p>
6903 <p class="TextFontCX" align="left" style=
6904 'margin-left: 22.5pt;text-align:left'><i><span lang=
6905 "FR">relOp</span></i> <span lang=
6906 "FR"> </span> <span style=
6907 'font-family:Symbol'>Þ</span> <span class=
6908 "Annot"><span style='font-size: 10.0pt'>==</span></span>
6909 <span lang="FR">|</span> <span class="Annot"><span style=
6910 'font-size:10.0pt'>></span></span> <span lang=
6911 "FR">|</span> <span class="Annot"><span style=
6912 'font-size:10.0pt'>>=</span></span> <span lang=
6913 "FR">|</span> <span class="Annot"><span style=
6914 'font-size:10.0pt'><</span></span> <span lang=
6915 "FR">|</span> <span class="Annot"><span style=
6916 'font-size:10.0pt'><=</span></span></p>
6917 <p class="TextFontCX" align="left" style=
6918 'margin-left: 22.5pt;text-align:left'><i><span lang=
6919 "FR">consExpr </span></i> <span style=
6920 'font-family:Symbol'>Þ</span> <i><span lang=
6921 "FR">consExpression binOp consExpr</span></i> | <i>unaryOp</i>
6922 <span class="Annot"><span style=
6923 'font-size:10.0pt'>(</span></span><i>consExpr</i>
6924 <span class="Annot"><span style=
6925 'font-size:10.0pt'>)</span></span> | <i>term</i></p>
6926 <p class="TextFontCX" align="left" style=
6927 'margin-left: 22.5pt;text-align:left'><i>binOp</i>
6928 <span style=
6929 'font-family:Symbol'>Þ</span> <span class=
6930 "Annot"><span style='font-size:10.0pt'>+</span></span> |
6931 <span class="Annot"><span style=
6932 'font-size:10.0pt'>-</span></span></p>
6933 <p class="TextFontCX" align="left" style=
6934 'margin-left: 22.5pt;text-align:left'><i>unaryOp</i>
6935 <span style='font-family:Symbol'>Þ</span> <span class=
6936 "Annot"><span style='font-size:10.0pt'>maxSet</span></span> |
6937 <span class="Annot"><span style=
6938 'font-size:10.0pt'>maxRead</span></span></p>
6939 <p class="TextFontCX" align="left" style=
6940 'margin-left: 22.5pt;text-align:left'><i>term</i>
6941 <span style=
6942 'font-family:Symbol'>Þ</span> <i>identifier</i> |
6943 <i>literal</i> | <span class="Annot"><span style=
6944 'font-size: 10.0pt'>result</span></span></p>
6945 <h2 style='margin-left:0in;text-indent:0in'><a name=
6946 "_Toc534975001">9.3<span style=
6947 'font:7.0pt "Times New Roman"'> </span>
6948 Less Stringent Checking</a></h2>
6949 For some programs, Splint's standard bounds checking produces an
6950 unacceptably high number of warnings. Because of this, Splint now
6951 prioritizes warnings using a simple heuristic. The flags
6952 <span class="Flag"><span style=
6953 'font-size:10.0pt'>likely-bounds</span></span>, <span class=
6955 'font-size:10.0pt'>likely-bounds-writes</span></span>, and
6956 <span class="Flag"><span style=
6957 'font-size:10.0pt'>likely-bounds-read</span></span> are similar to
6958 <span class="Flag"><span style=
6959 'font-size:10.0pt'>bounds</span></span>,<span class=
6960 "Flag"><span style='font-size:10.0pt'>bounds-write</span></span>,
6961 and <span class="Flag"><span style=
6962 'font-size:10.0pt'>bounds-read</span></span>, but they only cause
6963 Splint to produce warnings for what it determines are likely bounds
6964 errors. Splint classifies an unresolved constraint as a likely
6965 bounds error if it can reduce the constraint to a numerical
6966 inconsistency such as <span class="Verbatim">5 >= 10</span>.
6967 Warnings for these constraints are more likely to be legitimate --
6968 indicating real bugs or the lack of annotations. Additionally, when
6969 these warnings are false positives, it is easier for humans to
6970 recognize them as spurious. These flags generate significantly
6971 fewer errors (an order of magnitude in some cases), and the errors
6972 generated are easier to understand. However, this does not come
6973 without cost. The checking is significantly less precise and is
6974 likely to miss real errors.
6975 <h2 style='margin-left:0in;text-indent:0in'><a name=
6976 "_Toc534975001">9.4<span style=
6977 'font:7.0pt "Times New Roman"'> </span>
6979 <p class="TextFontCX">Since bounds checking is more complex than
6980 other checks done by Splint, memory bounds warnings contain
6981 extensive information about the unresolved constraint.
6982 Warning messages for unresolved constraints contain both the
6983 original constraints and the simplified form of the constraint
6984 which cannot be resolved. If the constraint was derived from
6985 a function precondition, the original precondition is included in
6986 the error message. If the <span class=
6987 "Flag"><span style='font-size:10.0pt'>+showconstraintlocation</span></span>
6988 flag is set, the message includes the expression that the
6989 constraint is derived from. The <span class=
6991 'font-size:10.0pt'>+showconstraintparens</span></span> flag
6992 directs Splint to display fully parenthesized constraints in
6993 warnings to remove ambiguity.</p>
6994 <p class="TextFontCX"> </p>
6995 <p class="TextFontCX">Consider the code excerpt below containing a
6996 trivial out-of-bounds write:</p>
6997 <p class="Verbatim"> </p>
6998 <p class="Verbatim" style='text-indent:.5in'>int buf[10];</p>
6999 <p class="Verbatim" style='text-indent:.5in'>buf[10] = 3;</p>
7000 <p class="TextFontCX"> </p>
7001 <p class="TextFontCX" style='margin-bottom:6.0pt'>Splint warns:</p>
7002 <p align="left" class="lclintrun" style='margin-left:.5in'>
7003 setChar.c:5:4: Likely out-of-bounds store:<br>
7004 buf[10] = 3</p>
7005 <p class="lclintrun" align="left" style='margin-left:.5in'>
7006 Unable to resolve constraint: requires 9 >=
7008 <p class="lclintrun" align="left" style=
7009 'margin-top:0in;margin-right:0in;margin-bottom:6.0pt; margin-left:.5in'>
7010 needed to satisfy precondition: requires
7011 maxSet(buf @ setChar.c:5:4) >= 10</p>
7012 <p class="TextFontCX">Splint has simplified the constraint from the
7013 <span class="Annot"><span style=
7014 'font-size:10.0pt'>requires</span></span> clause to
7015 <span class="CodeText"><span style='font-size:10.0pt'>9 >=
7016 10</span></span> by substituting for the known value of
7017 <span class="Annot"><span style=
7018 'font-size:10.0pt'>maxSet(buf)</span></span> and generated a
7019 warning because 9(the highest index of <span class=
7020 "CodeText"><span style='font-size:10.0pt'>buf</span></span>
7021 that may be safely written to) is not greater than or equal
7023 <p class="TextFontCX"> </p>
7024 <p class="TextFontCX">A more realistic example is shown Figure
7025 21. The function <span class="CodeText"><span style=
7026 'font-size:10.0pt'>updateEnv</span></span> is a naïve
7027 implementation of a function to copy an environmental
7028 variable. There is no standard restriction on the length of
7029 the return value of <span class="CodeText"><span style=
7030 'font-size:10.0pt'>getenv</span></span> so this can cause a buffer
7031 overflow. A safe version of <span class=
7032 "CodeText"><span style='font-size:10.0pt'>updateEnv</span></span>
7033 (such as <span class="CodeText"><span style=
7034 'font-size:10.0pt'>updateEnvSafe</span></span> in Figure 21) would
7035 ensure that the buffer is large enough to hold the environment
7036 variable string before copying.</p>
7037 <p class="TextFontCX"> </p>
7038 <p class="TextFontCX"> </p>
7039 <p class="TextFontCX">The <span class="Annot"><span style=
7040 'font-size:10.0pt'>requires</span></span> clause means Splint will
7041 report a warning if a call to <span class=
7042 "CodeText"><span style='font-size:10.0pt'>updateEnvSafe</span></span>
7043 passed in a buffer as <span class="CodeText"><span style=
7044 'font-size:10.0pt'>str</span></span> that is not big enough
7045 to hold the value passed as <span class=
7046 "CodeText"><span style=
7047 'font-size:10.0pt'>strSize</span></span> characters.</p>
7048 <p class="TextFontCX"> </p>
7049 <p class="TextFontCX">In many cases, functions will have multiple
7050 unresolved constraints which are similar. For example, if a
7051 subsequence statement writes to the next element of a buffer.
7052 Usually all these constraints represent all real problems or are
7053 all spurious. If the <span class="Flag"><span style=
7054 'font-size:10.0pt'>+redundantconstraints</span></span> flag is set,
7055 Splint reports even apparently redundant warning messages.
7056 Otherwise, if satisfying one unresolved constraint would imply
7057 satisfying another, Splint only prints a warning message for the
7058 stronger constraint.</p>
7059 <p class="TextFontCX"> </p>
7061 <table class="MsoNormalTable" border="0" cellspacing="0"
7062 cellpadding="0" style='margin-left:9.9pt;border-collapse:collapse'>
7064 <td valign="top" style=
7065 'width:202.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:12.15pt'>
7066 <p class="TextFontCX" align="center" style='text-align:center'>
7067 <span class="Keyword"><b><span style=
7068 'font-size:10.0pt; color:white'>bounds.c</span></b></span></p></td>
7069 <td valign="top" style=
7070 'width:3.0in;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:12.15pt'>
7071 <p class="TextFontCX" align="center" style='text-align:center'>
7072 <b><span style='color:white'>Running
7073 Splint</span></b></p></td></tr>
7075 <td valign="top" style=
7076 'width:202.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
7077 <p class="Verbatim"><span style=
7078 'font-family:Courier'> </span></p>
7079 <p class="Verbatim"><span style='font-family:Courier'>void
7080 updateEnv(char * str)</span></p>
7081 <p class="Verbatim"><span style='font-family:Courier'>{</span></p>
7082 <p class="Verbatim"><span style='font-family:Courier'>
7083 char * tmp;</span></p>
7084 <p class="Verbatim"><i><span style=
7085 'font-size:9.0pt;font-family:Courier'>7</span></i><span style='font-family:Courier'>
7086 tmp = getenv(“MYENV”);</span></p>
7087 <p class="Verbatim"><span style='font-family:Courier'>
7088 if (tmp != NULL)</span></p>
7089 <p class="Verbatim"><i><span style=
7090 'font-size:9.0pt;font-family:Courier'>9</span></i><span style='font-family:Courier'>
7091 strcpy (str, tmp);</span></p>
7092 <p class="Verbatim"><span style='font-family:Courier'>}</span></p>
7093 <p class="Verbatim"><span style=
7094 'font-family:Courier'> </span></p>
7095 <p class="Verbatim"><span style='font-family:Courier'>void
7096 updateEnvSafe (char * str,</span></p>
7097 <p class="Verbatim"><span style=
7098 'font-family:Courier'>
7099 size_t strSize)</span></p>
7100 <p class="Verbatim"><span style='font-family:Courier'> </span>
7101 <a href="mailto:/*@requires"><span style=
7102 'font-family:Courier'>/*@requires</span></a> <span style=
7103 'font-family:Courier'>maxSet(str)</span></p>
7104 <p class="Verbatim"><span style=
7105 'font-family:Courier'>
7106 >= strSize –1@*/</span></p>
7107 <p class="Verbatim"><span style='font-family:Courier'>{</span></p>
7108 <p class="Verbatim"><span style='font-family:Courier'>
7109 char * tmp;</span></p>
7110 <p class="Verbatim"><span style='font-family:Courier'>
7111 tmp = getenv(“MYENV”);</span></p>
7112 <p class="Verbatim"><span style='font-family:Courier'>
7113 if (tmp != NULL)</span></p>
7114 <p class="Verbatim"><span style='font-family:Courier'>
7116 <p class="Verbatim"><span style=
7117 'font-family:Courier'> strncpy (str,
7119 <p class="Verbatim"><span style=
7120 'font-family:Courier'>
7121 strSize -1);</span></p>
7122 <p class="Verbatim"><span style=
7123 'font-family:Courier'> str[strSize
7124 -1] = ‘/0’;</span></p>
7125 <p class="Verbatim"><span style='font-family:Courier'>
7127 <p class="Verbatim"><span style=
7128 'font-family:Courier'>}</span></p></td>
7129 <td valign="top" style=
7130 'width:3.0in;border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
7131 <p class="lclintrun">> splint bounds.c +bounds
7132 +showconstraintlocation</p>
7133 <p class="lclintrun"> </p>
7134 <p class="lclintrun">bounds.c:9: Possible out-of-bounds store:</p>
7135 <p class="lclintrun"> strcpy(str, tmp)</p>
7136 <p class="lclintrun"> Unable to resolve
7138 <p class="lclintrun"> requires maxSet(str @
7139 bounds.c:9) >=</p>
7140 <p class="lclintrun"> maxRead(getenv("MYENV") @
7142 <p class="lclintrun"> needed to satisfy
7144 <p class="lclintrun"> requires maxSet(str @
7145 bounds.c:9) >=</p>
7146 <p class="lclintrun"> maxRead(tmp @
7148 <p class="lclintrun"> derived from strcpy
7149 precondition: requires</p>
7150 <p class="lclintrun"> maxSet(<parameter 1>)
7152 <p class="lclintrun"> maxRead(<parameter
7153 2>)</p></td></tr></table>
7154 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
7156 <td valign="top" style=
7157 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
7158 <p class="MsoCaption"><a name="_Ref534909813"></a><a name=
7159 "_Ref534909817">Figure 21</a>. Memory
7160 Bounds</p></td></tr></table></center>
7163 <p class="TextFontCX">The <span class="Flag"><span style=
7164 'font-size:10.0pt'>+functionpost</span></span> flag is useful for
7165 determining if array bounds warnings are spurious. If this
7166 flag is set, Splint will print the constraints that it established
7167 at the end of the function. If the warnings are spurious,
7168 localized control comments can be used to suppress them.</p>
7169 <p class="TextFontCX"> </p>
7170 <p class="TextFontCX"> </p>
7171 <p class="TextFontCX"> </p>
7172 <h1 style='margin-left:0in;text-indent:0in'><a name=
7173 "_Toc534975002"></a><a name="_Ref534642928"></a><a name=
7174 "_Ref534642285">10<span style=
7175 'font:7.0pt "Times New Roman"'> </span>
7176 <a id="extensible" name="extensible">
7177 Extensible Checking</a></a></h1>
7178 <p class="TextFontCX">Splint provides mechanisms for defining new
7179 checks and annotations using metastate definitions.
7180 User-defined checks can be used to check and document properties
7181 not supported by the provided checks.<a href="#_ftn13" name=
7182 "_ftnref13" title=""><span class=
7183 "MsoFootnoteReference"><span class="MsoFootnoteReference"><span style='font-size:11.0pt;font-family:"Times New Roman"'>
7184 [13]</span></span></span></a></p>
7185 <p class="TextFontCX"> </p>
7186 <p class="TextFontCX">A large class of useful checks can be
7187 described as constraints on attributes associated with program
7188 objects or the global execution state. Unlike types, however, the
7189 values of these attributes can change along an execution
7190 path. Splint provides a general language that lets users
7191 define attributes associated with different kinds of program
7192 objects as well as rules that both constrain attributes’
7193 values at interface points and specify how attributes
7195 <p class="TextFontCX"> </p>
7196 <p class="TextFontCX">Because user-defined attribute checking is
7197 integrated with normal checking, Splint’s analysis of
7198 user-defined attributes can take advantage of other analyses, such
7199 as alias and nullness analysis.</p>
7200 <h2 style='margin-left:0in;text-indent:0in'><a name=
7201 "_Toc534975003">10.1<span style=
7202 'font:7.0pt "Times New Roman"'> </span>
7203 Defining Attributes</a></h2>
7204 <p class="TextFontCX">To define an attribute, create a metastate
7205 file (<span class="ProgramNameChar"><span style=
7206 'font-size: 10.0pt'>.mts</span></span>) that defined the possible
7207 values and transfer rules of the attribute. Attributes can
7208 either be associated with a particular kind of program object (for
7209 example, all <span class="CodeText"><span style=
7210 'font-size:10.0pt'>char *</span></span>’s) or with the global
7211 state (whether or not the network has been initialized). The
7212 <span class="Flag"><span style='font-size:10.0pt'>–mts
7213 <i><file></i></span></span> flag is used to direct Splint to
7214 read a metastate file (which will be found on the
7215 <span class="CodeText"><span style=
7216 'font-size:10.0pt'>LARCH_PATH</span></span> with default
7217 extension <span class="ProgramNameChar"><span style=
7218 'font-size:10.0pt'>.mts</span></span>).</p>
7219 <p class="TextFontCX"> </p>
7220 <p class="TextFontCX">An example attribute definition is shown in
7221 Figure 22. It defines the <span class=
7222 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7223 attribute for recording whether or not a <span class=
7224 "CodeText"><span style='font-size: 10.0pt'>char
7225 *</span></span> came from a possibly untrustworthy
7226 source. Knowing whether a value is possibly hostile is
7227 useful for preventing several security vulnerabilities
7228 including format string bugs.<a href="#_ftn14" name=
7229 "_ftnref14" title=""><span class=
7230 "MsoFootnoteReference"><span class=
7231 "MsoFootnoteReference"><span style=
7232 'font-size:11.0pt;font-family:"Times New Roman"'>[14]</span></span></span></a>
7233 (A simpler way to detect format vulnerabilities is to warn
7234 for any format string that is unknown at compile time. Splint
7235 provides this checking, issuing a warning if the <span class=
7237 'font-size:10.0pt'>+formatconst</span></span> flag is set and
7238 finds any unknown format strings at compile time. This can
7239 produce spurious messages, however, because there might be
7240 unknown format strings that are not vulnerable to hostile
7242 <p class="TextFontCX"> </p>
7243 <p class="TextFontCX">The first three lines of the attribute
7244 definition define the <span class="Annot"><span style=
7245 'font-size:10.0pt'>taintedness</span></span> attribute associated
7246 with <span class="CodeText"><span style='font-size:10.0pt'>char
7247 *</span></span> objects, which can be in one of two states:
7248 <span class="Annot"><span style=
7249 'font-size:10.0pt'>untainted</span></span> or <span class=
7250 "Annot"><span style='font-size:10.0pt'>tainted</span></span>.
7251 The <span class="Annot"><span style=
7252 'font-size:10.0pt'>context</span></span> clause gives a context
7253 selector for which objects have the attribute. In this
7254 case, <span class="Annot"><span style='font-size:10.0pt'>reference
7255 char *</span></span> means that every reference that is a
7256 <span class="CodeText"><span style='font-size:10.0pt'>char
7257 *</span></span> has an associated <span class=
7258 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7259 attribute. Other contexts include <span class=
7260 "Annot"><span style=
7261 'font-size: 10.0pt'>parameter</span></span> (only parameter
7262 declarations), <span class="Annot"><span style=
7263 'font-size:10.0pt'>literal</span></span> (only string or
7264 number literals), and <span class="Annot"><span style=
7265 'font-size:10.0pt'>null</span></span> (only known
7266 <span class="CodeText"><span style=
7267 'font-size:10.0pt'>NULL</span></span> values).
7268 Attribute can also be defined that are not associated with
7269 any particular object, but instead are associated with the
7270 global state of a program execution. The <span class=
7271 "Annot"><span style='font-size:10.0pt'>global</span></span>
7272 keyword is used before <span class="Annot"><span style=
7273 'font-size:10.0pt'>attribute</span></span> to define a global
7275 <p class="TextFontCX"> </p>
7276 <p class="TextFontCX">The <span class="Annot"><span style=
7277 'font-size:10.0pt'>oneof</span></span> clause introduces two
7278 identifiers for representing the <span class=
7279 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7280 value: <span class="Annot"><span style=
7281 'font-size:10.0pt'>untainted</span></span> for references
7282 that are not derived from untrustworthy input, and
7283 <span class="Annot"><span style=
7284 'font-size:10.0pt'>tainted</span></span> for references that
7285 may contain hostile data. </p>
7286 <p class="TextFontCX"> </p>
7287 <p class="TextFontCX">The <span class="Annot"><span style=
7288 'font-size:10.0pt'>annotations</span></span> clause defines two new
7289 annotations that may be used to describe <span class=
7290 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7291 assumptions. In this case, the annotations match the names of
7292 the value choices, but they may be any identifier. The clause
7293 <span class="Annot"><span style='font-size:10.0pt'>tainted
7294 <b>reference ==></b> tainted</span></span> defines the
7295 <span class="Annot"><span style=
7296 'font-size:10.0pt'>tainted</span></span> annotation that may be
7297 used on a reference to indicate that it has <span class=
7298 "Annot"><span style='font-size: 10.0pt'>tainted</span></span>
7301 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
7303 <td valign="top" align="left" height="264" style=
7304 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
7305 <p class="Verbatim"><span class="Annot"><b>attribute</b></span>
7306 <span class="Annot">taintedness</span></p>
7307 <p class="Verbatim"><span class="Annot"> <b>context</b>
7308 <b>reference</b> char *</span></p>
7309 <p class="Verbatim"><span class="Annot"> <b>oneof</b>
7310 untainted, tainted</span></p>
7311 <p class="Verbatim"><span class="Annot">
7312 <b>annotations</b></span></p>
7313 <p class="Verbatim"><span class="Annot">
7314 tainted <b>reference ==></b> tainted</span></p>
7315 <p class="Verbatim"><span class="Annot">
7316 untainted <b>reference ==></b> untainted</span></p>
7317 <p class="Verbatim"><span class="Annot">
7318 <b>transfers</b></span></p>
7319 <p class="Verbatim"><span class="Annot">
7320 tainted <b>as</b> untainted <b>==> error</b> "Possibly tainted
7321 storage used where untainted required."</span></p>
7322 <p class="Verbatim"><span class="Annot">
7323 <b>merge</b></span></p>
7324 <p class="Verbatim"><span class=
7325 "Annot"> tainted <b>+</b> untainted
7326 <b>==></b> tainted</span></p>
7327 <p class="Verbatim"><span class="Annot">
7328 <b>defaults</b></span></p>
7329 <p class="Verbatim"><span class=
7330 "Annot"> reference <b>==></b>
7332 <p class="Verbatim"><span class="Annot">
7333 literal <b>==></b> untainted</span></p>
7334 <p class="Verbatim"><span class=
7335 "Annot"> null <b>==></b>
7336 untainted</span></p>
7337 <p class="Verbatim"><span class="Annot"><b>end</b></span></p>
7338 <p class="MsoCaption"><a name="_Ref534921559">Figure 22</a>.
7339 Taintedness Attribute</p></td></tr></table></center>
7342 <p class="TextFontCX"> </p>
7343 <p class="TextFontCX">The <span class="Annot"><span style=
7344 'font-size:10.0pt'>transfers</span></span> clause defines rules for
7345 state changes and warning when objects are passed as parameters,
7346 returned, or assigned to externally visible references. The
7347 rule, <span class="Annot"><span style='font-size:10.0pt'>tainted
7348 <b>as</b> untainted <b>==> error</b> "Possibly tainted storage
7349 used where untainted required."</span></span>, means it is an error
7350 to pass a <span class="Annot"><span style=
7351 'font-size:10.0pt'>tainted</span></span> value as a parameter that
7352 has <span class="Annot"><span style=
7353 'font-size:10.0pt'>untainted</span></span> taintedness. All
7354 other transfers are implicitly permitted, and leave the passed
7355 storage in the same state as before the transfer. We may also
7356 use a <span class="Annot"><span style=
7357 'font-size:10.0pt'>transfers</span></span> clause to indicate that
7358 the reference changes state after a transfer. A
7359 <span class="Annot"><span style=
7360 'font-size:10.0pt'>losereference</span></span> clause (not
7361 used in taintedness) is similar to a <span class=
7362 "Annot"><span style=
7363 'font-size:10.0pt'>transfers</span></span> clause, except it
7364 is used to provide rules for when a reference to storage is
7365 lost, either by leaving the scope in which it was declared,
7366 returning from a function, or assigning it to a new
7368 <p class="TextFontCX"> </p>
7369 <p class="TextFontCX">The <span class="Annot"><span style=
7370 'font-size:10.0pt'>merge</span></span> clause defined rules for
7371 combining state along paths. The clause<span class=
7372 "Annot"><span style='font-size:10.0pt'>merge tainted + untainted
7373 ==> tainted</span></span> indicates that combining
7374 <span class="Annot"><span style=
7375 'font-size:10.0pt'>tainted</span></span> and <span class=
7376 "Annot"><span style=
7377 'font-size:10.0pt'>untainted</span></span> objects produces a
7378 <span class="Annot"><span style=
7379 'font-size:10.0pt'>tainted</span></span> object. Thus, if a
7380 reference is <span class="Annot"><span style=
7381 'font-size:10.0pt'>tainted</span></span> along one control
7382 path and <span class="Annot"><span style=
7383 'font-size:10.0pt'>untainted</span></span> along another
7384 control path, checking assumes that it is <span class=
7385 "Annot"><span style=
7386 'font-size:10.0pt'>tainted</span></span>after the two
7387 branches merge. It is also used to merge taintedness states
7388 in function specifications (see the <span class=
7389 "CodeText"><span style=
7390 'font-size:10.0pt'>strcat</span></span> example in the next
7391 section). We can also define error combinations so that
7392 a warning is reported if the states on different paths are
7394 <p class="TextFontCX"> </p>
7395 <p class="TextFontCX">The <span class="Annot"><span style=
7396 'font-size:10.0pt'>defaults</span></span> clause specifies default
7397 values used for declarators without explicit attribute annotations.
7398 We choose default values to make it easy to start checking an
7399 unannotated program. Here we assume unannotated references are
7400 <span class="Annot"><span style=
7401 'font-size:10.0pt'>tainted</span></span> and Splint will report a
7402 warning where unannotated references are passed to functions that
7403 require untainted parameters. The warnings indicate either a format
7404 bug in the code or a place where an <span class=
7405 "Annot"><span style='font-size:10.0pt'>untainted</span></span>
7406 annotation should be added. Running Splint again after adding
7407 the annotation will propagate the newly documented assumption
7408 through the program.</p>
7409 <p class="TextFontCX"> </p>
7410 <p class="TextFontCX" style='margin-bottom:6.0pt'>The full grammar
7411 for metastate definitions is given in Appendix C.</p>
7412 <h2 style='margin-left:0in;text-indent:0in'><a name=
7413 "_Toc534975004">10.2<span style=
7414 'font:7.0pt "Times New Roman"'> </span>
7415 Annotations</a></h2>
7416 <p class="TextFontCX">The annotations defined by metastate
7417 definitions can be used like normal annotations. The context
7418 specifier for an annotation indicates where it may be used.
7419 For the taintedness example, we can use <span class=
7420 "Annot"><span style='font-size:10.0pt'>tainted</span></span> and
7421 <span class="Annot"><span style=
7422 'font-size:10.0pt'>untainted</span></span> as annotations wherever
7423 <span class="Annot"><span style=
7424 'font-size:10.0pt'>only</span></span> could be used. This
7425 includes <span class="Annot"><span style=
7426 'font-size:10.0pt'>ensures</span></span> and <span class=
7427 "Annot"><span style='font-size:10.0pt'>requires</span></span>
7428 clauses, which allows us to specify functions that modify state
7429 associated with metastate definitions. The syntax
7430 <span class="Annot"><i><span style=
7431 'font-size: 10.0pt'><expr></span></i></span><span class="Annot">
7433 'font-size: 10.0pt'>:<i><attribute></i></span></span> is used
7434 to refer to the value of the user-defined attribute for expression
7435 <span class="Annot"><i><span style=
7436 'font-size:10.0pt'><expr></span></i></span>. </p>
7437 <p class="TextFontCX"> </p>
7438 <p class="TextFontCX">It is often necessary to extend the library
7439 specifications with metastate annotations. We don’t
7440 want to have different versions of the library for different
7441 metastate annotations, so instead Splint provides a mechanism for
7442 adding annotations separately using an <span class=
7443 "ProgramNameChar"><span style='font-size:10.0pt'>.xh</span></span>
7444 file. For the taintedness example, we do this by providing
7445 annotated declarations in the <span class=
7446 "ProgramNameChar"><span style=
7447 'font-size:10.0pt'>tainted.xh</span></span> file. Example
7448 specifications in this file include:</p>
7449 <p class="TextFontCX"> </p>
7450 <p class="Verbatim">int printf (/*@untainted@*/ char *fmt,
7452 <p class="Verbatim"> </p>
7453 <p class="Verbatim">char *fgets (char *s, int n, FILE *stream)
7454 /*@ensures tainted s@*/ ;</p>
7455 <p class="Verbatim"> </p>
7456 <p class="Verbatim">char *strcat (/*@returned@*/ char *s1,
7458 <p class="Verbatim"> /*@ensures s1:taintedness =
7459 s1:taintedness | s2:taintedness @*/</p>
7460 <p class="TextFontCX"> </p>
7461 <p class="TextFontCX">The <span class="CodeText"><span style=
7462 'font-size:10.0pt'>strcat</span></span> specification uses
7463 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
7464 s1:taintedness = s1:taintedness | s2:taintedness @*/</span></span>
7465 to indicate that the taintedness of <span class=
7466 "CodeText"><span style='font-size:10.0pt'>s1</span></span> after
7467 <span class="CodeText"><span style=
7468 'font-size:10.0pt'>strcat</span></span> returns is the result of
7469 merging the taintedness of <span class=
7470 "CodeText"><span style='font-size:10.0pt'>s1</span></span>
7471 and <span class="CodeText"><span style=
7472 'font-size:10.0pt'>s2</span></span> before the call.
7473 Because the parameters lack annotations, they are implicitly
7474 tainted according to the default rules and either untainted
7475 or tainted references can be passed as parameters to
7476 <span class="CodeText"><span style=
7477 'font-size:10.0pt'>strcat</span></span>. The <span class=
7478 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
7479 clause means that after <span class="CodeText"><span style=
7480 'font-size:10.0pt'>strcat</span></span> returns the first
7481 parameter (and the result, because of the returned annotation
7482 on <span class="CodeText"><span style=
7483 'font-size:10.0pt'>s1</span></span>) will be tainted if
7484 either passed object was tainted. Splint merges the two
7485 taintedness states using the attribute definition
7486 rules—hence, if the <span class="CodeText"><span style=
7487 'font-size:10.0pt'>s1</span></span> parameter is untainted
7488 and the <span class="CodeText"><span style=
7489 'font-size:10.0pt'>s2</span></span> parameter is tainted, the
7490 result and first parameter will be tainted after <span class=
7491 "CodeText"><span style=
7492 'font-size:10.0pt'>strcat</span></span> returns.</p>
7493 <p class="TextFontCX"> </p>
7494 <h1 style='margin-left:0in;text-indent:0in'><a name=
7495 "_Toc534975006"></a><a name="_Ref534642895"></a><a name=
7496 "_Ref534642215">11<span style=
7497 'font:7.0pt "Times New Roman"'> </span>
7498 <a id="macros" name="macros">
7500 <p class="TextFontCX">Macros are commonly used in C programs to
7501 implement constants or to mimic functions without the overhead of a
7502 function call. Macros that are used to implement functions
7503 are a persistent source of bugs in C programs, since they may not
7504 behave like the intended function when they are invoked with
7505 certain parameters or used in certain syntactic contexts. </p>
7506 <p class="TextFontCX"> </p>
7507 <p class="TextFontCX">Splint eliminates most of the potential
7508 problems by detecting macros with dangerous implementations and
7509 dangerous macro invocations. Whether or not a macro
7510 definition is checked or expanded normally depends on flag settings
7511 and control comments (see Section 11.3). Stylized macros can
7512 also be used to define control structures for iterating through
7513 many values (see Section 11.4).</p>
7514 <h2 style='margin-left:0in;text-indent:0in'><a name=
7515 "_Toc534975007"></a><a name="_Ref361651263"></a><a name=
7516 "_Ref344916524"></a><a name="_Ref344908437"></a><a name=
7517 "_Toc344355419">11.1<span style=
7518 'font:7.0pt "Times New Roman"'> </span>
7519 Constant Macros</a></h2>
7520 <p class="TextFontCX">Macros may be used to implement
7521 constants. To get type-checking for constant macros, use the
7522 <span class="Annot"><span style=
7523 'font-size:10.0pt'>constant</span></span> annotation. For
7525 <p class="example">/*@constant null char *mstring_undefined@*/</p>
7526 <p class="TextFontCX">Declared constants are not expanded and are
7527 checked according to the declaration. A constant with a
7528 <span class="Annot"><span style=
7529 'font-size:10.0pt'>null</span></span> annotation may be used as
7530 <span class="Annot"><span style=
7531 'font-size:10.0pt'>only</span></span> storage.</p>
7532 <h2 style='margin-left:0in;text-indent:0in'><a name=
7533 "_Toc534975008"></a><a name="_Toc344355420"></a><a name=
7534 "_Ref343363760">11.2<span style=
7535 'font:7.0pt "Times New Roman"'> </span>
7536 Function-like Macros</a></h2>
7537 <p class="TextFontCX">Using macros to imitate functions is
7538 notoriously dangerous. Consider this broken macro for
7539 squaring a number:</p>
7540 <p class="example"># define square(x) x * x</p>
7541 <p class="TextFontCX">This works fine for a simple invocation like
7542 <span class="CodeText"><span style=
7543 'font-size:10.0pt'>square(i)</span></span>. It behaves
7544 unexpectedly, though, if it is instantiated with a parameter that
7545 has a side effect. For example, <span class=
7546 "CodeText"><span style=
7547 'font-size: 10.0pt'>square(i++)</span></span> expands to
7548 <span class="CodeText"><span style='font-size:10.0pt'>i++ *
7549 i++</span></span>. Not only does this give the incorrect
7550 result, it has undefined behavior since the order in which the
7551 operands are evaluated is not defined. (See Section 8.2 for
7552 more information on how expressions exhibiting undefined evaluation
7553 order behavior are detected by Splint.) To correct the
7554 problem we either need to rewrite the macro so that its parameter
7555 is evaluated exactly once, or prevent clients from invoking the
7556 macro with a parameter that has a side effect. </p>
7557 <p class="TextFontCX"> </p>
7558 <p class="TextFontCX">Another possible problem with macros is that
7559 they may produce unexpected results because of operator precedence
7560 rules. The instantiation, <span class=
7561 "CodeText"><span style='font-size:10.0pt'>square(i+1)</span></span>
7562 expands to <span class="CodeText"><span style=
7563 'font-size:10.0pt'>i+1*i+1</span></span>, which evaluates to
7564 <span class="CodeText"><span style=
7565 'font-size:10.0pt'>i+i+1</span></span> instead of the square
7566 of <span class="CodeText"><span style=
7567 'font-size:10.0pt'>i+1</span></span>. To ensure the
7568 expected behavior, the macro parameter should be enclosed in
7569 parentheses where it is used in the macro body.</p>
7570 <p class="TextFontCX"> </p>
7571 <p class="TextFontCX">Macros may also behave unexpectedly if they
7572 are not syntactically equivalent to an expression. Consider
7573 the macro definition,</p>
7574 <p class="example"># define incCounts() ntotal++;
7576 <p class="TextFontCX">This works fine, unless it is used as a
7577 statement. For example,</p>
7578 <p class="example">if (x < 3) incCounts();</p>
7579 <p class="TextFontCX">increments <span class=
7580 "CodeText"><span style='font-size:10.0pt'>ntotal</span></span>
7581 if <span class="CodeText"><span style='font-size:10.0pt'>x
7582 < 3</span></span> but always increments <span class=
7583 "CodeText"><span style=
7584 'font-size:10.0pt'>ncurrent</span></span>.</p>
7585 <p class="TextFontCX"> </p>
7586 <p class="TextFontCX">One solution is to use the comma operator to
7587 define the macro:</p>
7588 <p class="example"># define incCounts() (ntotal++,
7590 <p class="beforelist">More complicated macros can be written using
7591 a <span class="CodeText"><span style='font-size:10.0pt'>do …
7592 while</span></span> construction:</p>
7593 <p class="Verbatim"> # define incCounts() \</p>
7594 <p class="Verbatim"> do { ntotal++;
7595 ncurrent++; } while (FALSE)</p>
7596 <p class="afterlist">Splint detects these pitfalls in macro
7597 definitions, and checks that a macro behaves as much like a
7598 function as possible. A client should only be able to tell
7599 that a function was implemented by a macro if it attempts to use
7600 the macro as a pointer to a function.</p>
7601 <p class="MsoListBullet"> </p>
7602 <p class="beforelist">Splint does these checks on a macro
7603 definition corresponding to a function:</p>
7604 <p class="MsoListBullet"><span style=
7605 'font-family:Symbol'>·<span style=
7606 'font:7.0pt "Times New Roman"'> </span></span>
7607 Each parameter to a macro (except those declared to be side effect
7608 free, see Section 11.2.1) must be used exactly once in all possible
7609 executions of the macro, so side effecting arguments behave as
7610 expected.<a href="#_ftn15" name="_ftnref15" title=
7611 ""><span class="MsoFootnoteReference"><span class=
7612 "MsoFootnoteReference"><span style=
7613 'font-size:11.0pt;font-family:"Times New Roman"'>[15]</span></span></span></a>
7614 (Controlled by <span class="Flag"><span style=
7615 'font-size:10.0pt'>macroparams</span></span>.)</p>
7616 <p class="MsoListBullet"><span style=
7617 'font-family:Symbol'>·<span style=
7618 'font:7.0pt "Times New Roman"'> </span></span>
7619 A parameter to a macro may not be used as the left-hand side of an
7620 assignment expression or as the operand of an increment or
7621 decrement operator in the macro text, since this produces
7622 non-functional behavior. (Controlled by <span class=
7624 'font-size:10.0pt'>macroassign</span></span>.)</p>
7625 <p class="MsoListBullet"><span style=
7626 'font-family:Symbol'>·<span style=
7627 'font:7.0pt "Times New Roman"'> </span></span>
7628 Macro parameters must be enclosed in parentheses when they are used
7629 in potentially dangerous contexts. (Controlled by
7630 <span class="Flag"><span style=
7631 'font-size: 10.0pt'>macroparens</span></span>.)</p>
7632 <p class="MsoListBullet"><span style=
7633 'font-family:Symbol'>·<span style=
7634 'font:7.0pt "Times New Roman"'> </span></span>
7635 A macro definition must be syntactically equivalent to a statement
7636 when it is invoked followed by a semicolon. (Controlled by
7637 <span class="Flag"><span style=
7638 'font-size:10.0pt'>macrostmt</span></span>.)</p>
7639 <p class="MsoListBullet"><span style=
7640 'font-family:Symbol'>·<span style=
7641 'font:7.0pt "Times New Roman"'> </span></span>
7642 The type of the macro body must match the return type of the
7643 corresponding function. If the macro is declared with type
7644 <span class="CodeText"><span style=
7645 'font-size:10.0pt'>void</span></span>, its body may have any type
7646 but the macro value may not be used.</p>
7647 <p class="MsoListBullet"><span style=
7648 'font-family:Symbol'>·<span style=
7649 'font:7.0pt "Times New Roman"'> </span></span>
7650 All variables declared in the body of a macro definition must be in
7651 the macro variable namespace, so they do not conflict with
7652 variables in the scope where the macro is invoked (which may be
7653 used in the macro parameters). By default, the macro
7654 namespace is all names prefixed by <span class=
7655 "CodeText"><span style='font-size:10.0pt'>m_</span></span>.
7656 (See Section 12.2 for information on controlling namespaces.)</p>
7657 <p class="afterlist">At the call site, a macro is checked like any
7658 other function call.</p>
7659 <h3 style='margin-left:0in;text-indent:0in'><a name=
7660 "_Toc534975009"></a><a name="_Toc344355421"></a><a name=
7661 "_Ref343109609">11.2.1<span style=
7662 'font:7.0pt "Times New Roman"'> </span> Side
7663 Effect Free Parameters</a></h3>
7664 <p class="beforelist">Suppose we really do want to implement
7665 <span class="CodeText"><span style=
7666 'font-size:10.0pt'>square</span></span> as a macro, but want do so
7667 in a safe way. One way to do this is to require that it is
7668 never invoked with a parameter that has a side effect. Splint
7669 will check that this constraint holds, if the parameter is
7670 annotated to be side effect free. That is, the expression
7671 corresponding to this parameter must not modify any state, so it
7672 does not matter how many times it is evaluated. The
7673 <span class="Annot"><span style=
7674 'font-size:10.0pt'>sef</span></span> annotation is used to denote a
7675 parameter that may not have any side effects:</p>
7676 <p class="Verbatim"><span style='font-size:9.5pt'>
7677 extern int square (/*@sef@*/ int x);</span></p>
7678 <p class="Verbatim"><span style='font-size:9.5pt'> #
7679 define square(x) ((x) *(x))</span></p>
7680 <p class="afterlist">Now, Splint will not report an error checking
7681 the definition of <span class="CodeText"><span style=
7682 'font-size:10.0pt'>square</span></span> even though
7683 <span class="CodeText"><span style=
7684 'font-size:10.0pt'>x</span></span> is used more than
7686 <p class="TextFontCX"> </p>
7687 <p class="TextFontCX">A message will be reported, however, if
7688 <span class="CodeText"><span style=
7689 'font-size:10.0pt'>square</span></span> is invoked with a parameter
7690 that has a side effect. For the code fragment,</p>
7691 <p class="example">square (i++)</p>
7692 <p class="beforelist">Splint produces the message:</p>
7693 <p class="Verbatim"> <span style=
7694 'font-family:Arial'>Parameter 1 to square is declared sef,</span>
7695 <span style='font-family:Arial'>but the argument may modify:
7697 <p class="betweenlists">It is also an error to pass a macro
7698 parameter that is not annotated with <span class=
7699 "Annot"><span style='font-size:10.0pt'>sef</span></span> as a
7700 <span class="Annot"><span style=
7701 'font-size:10.0pt'>sef</span></span> macro parameter in the body of
7702 a macro definition. For example,</p>
7703 <p class="Verbatim"><span style='font-size:9.5pt'>
7704 extern int sumsquares (int x, int y);</span></p>
7705 <p class="Verbatim"><span style='font-size:9.5pt'> #
7706 define sumsquares(x,y) (square(x) + square(y))</span></p>
7707 <p class="afterlist">Although <span class=
7708 "CodeText"><span style='font-size:10.0pt'>x</span></span>
7709 only appears once in the definition of <span class=
7710 "CodeText"><span style=
7711 'font-size:10.0pt'>sumsquares</span></span> it will be
7712 evaluated twice since <span class="CodeText"><span style=
7713 'font-size:10.0pt'>square</span></span> is expanded.</p>
7714 <p class="TextFontCX"> </p>
7715 <p class="TextFontCX">A parameter may be passed as a
7716 <span class="Annot"><span style=
7717 'font-size:10.0pt'>sef</span></span> parameter without an
7718 error being reported, if Splint can determine that evaluating
7719 the parameter has no side effects. For function calls,
7720 the modifies clause is used to determine if a side effect is
7721 possible.<a href="#_ftn16" name="_ftnref16" title=
7722 ""><span class="MsoFootnoteReference"><span class=
7723 "MsoFootnoteReference"><span style=
7724 'font-size:11.0pt;font-family:"Times New Roman"'>[16]</span></span></span></a>
7725 To prevent many spurious errors, if the called function has
7726 no modifies clause, Splint will report an error only if
7727 <span class="Flag"><span style=
7728 'font-size: 10.0pt'>sef-uncon</span></span> is on.
7729 Justifiably paranoid programmers will insist on setting
7730 <span class="Flag"><span style=
7731 'font-size:10.0pt'>sef-uncon</span></span> on, and will add
7732 modifies clauses to unconstrained functions that are used in
7733 <span class="Annot"><span style=
7734 'font-size:10.0pt'>sef</span></span> macro arguments.</p>
7735 <p class="TextFontCX"> </p>
7736 <p class="beforelist">One common application of macros is to get
7737 around the lack of polymorphism in C. We can use the
7738 <span class="Annot"><span style='font-size: 10.0pt'>/*@alt
7739 <type>,<sup>+</sup>@></span></span> syntax (see
7740 Section 4.4) to indicate that an alternate type may be used.
7742 <p class="Verbatim"><span style='font-size:9.5pt'> extern int
7743 /*@alt float@*/ square (/*@sef@*/ int /*@alt float@*/
7745 <p class="Verbatim"><span style='font-size:9.5pt'> # define
7746 square(x) ((x) *(x))</span></p>
7747 <p class="afterlist">declares <span class=
7748 "CodeText"><span style='font-size:10.0pt'>square</span></span>
7749 for both <span class="CodeText"><span style=
7750 'font-size:10.0pt'>int</span></span>s and <span class=
7751 "CodeText"><span style=
7752 'font-size:10.0pt'>float</span></span>s. Note however,
7753 that the return type is either <span class=
7754 "CodeText"><span style='font-size:10.0pt'>int</span></span>
7755 or <span class="CodeText"><span style=
7756 'font-size:10.0pt'>float</span></span>, regardless of the
7757 actual parameter type. This is weaker than what is
7758 actually known about the return type.</p>
7759 <h2 style='margin-left:0in;text-indent:0in'><a name=
7760 "_Toc534975010"></a><a name="_Ref347227227">11.3<span style=
7761 'font:7.0pt "Times New Roman"'> </span>
7762 Controlling Macro Checking</a></h2>
7763 <p class="TextFontCX">By default, Splint expands macros normally
7764 and checks the resulting code after macros have been
7765 expanded. Flags and control comments may be used to control
7766 which macros are expanded and which are checked as functions or
7768 <p class="TextFontCX"> </p>
7769 <p class="TextFontCX">If the <span class="Flag"><span style=
7770 'font-size:10.0pt'>fcn-macros</span></span> flag is on, Splint
7771 assumes all macros defined with parameter lists implement functions
7772 and checks them accordingly. Parameterized macros are not
7773 expanded and are checked as functions with unknown result and
7774 parameter types (or using the types in the prototype, if one is
7775 given). The analogous flag for macros that define constants
7776 is <span class="Flag"><span style=
7777 'font-size:10.0pt'>const-macros</span></span>. If it is on,
7778 macros with no parameter lists are assumed to be constants, and
7779 checked accordingly. The <span class=
7780 "Flag"><span style='font-size:10.0pt'>all-macros</span></span>
7781 flag sets both <span class="Flag"><span style=
7782 'font-size:10.0pt'>fcn-macros</span></span> and <span class=
7784 'font-size:10.0pt'>const-macros</span></span>. If the
7785 <span class="Flag"><span style=
7786 'font-size:10.0pt'>macro-fcn-decl</span></span> flag is
7787 set, a message reports parameterized macros with no
7788 corresponding function prototype. If the <span class=
7790 'font-size:10.0pt'>macro-const-decl</span></span> flag
7791 is set, a similar message reports macros with no parameters
7792 that have no corresponding constant declaration.</p>
7793 <p class="TextFontCX"> </p>
7794 <p class="beforelist">The macro checks described in the previous
7795 sections make sense only for macros that are intended to replace
7796 functions or constants. When <span class=
7797 "Flag"><span style='font-size:10.0pt'>fcnmacros</span></span>
7798 or <span class="Flag"><span style=
7799 'font-size:10.0pt'>constmacros</span></span> is on, more
7800 general macros need to be marked so they will not be checked
7801 as functions or constants, and will be expanded
7802 normally. Macros that are not meant to behave like
7803 functions should be preceded by the /<span class=
7804 "Annot"><span style=
7805 'font-size:10.0pt'>*@notfunction@*/</span></span>comment.
7807 <p class="Verbatim"><span style='font-size:9.5pt'>
7808 /*@notfunction@*/</span></p>
7809 <p class="Verbatim"><span style='font-size:9.5pt'> #
7810 define forever for(;;)</span></p>
7811 <p class="afterlist">Macros preceded by <span class=
7812 "Annot"><span style='font-size: 10.0pt'>notfunction</span></span>
7813 are expanded normally before regular checking is done. If a
7814 macro that is not syntactically equivalent to a statement without a
7815 semi-colon (e.g., a macro which enters a new scope) is not preceded
7816 by <span class="Annot"><span style=
7817 'font-size:10.0pt'>notfunction</span></span>, parse errors may
7818 result when <span class="Flag"><span style=
7819 'font-size:10.0pt'>fcn-macros</span></span> or
7820 <span class="Flag"><span style=
7821 'font-size:10.0pt'>const-macros</span></span> is on.</p>
7822 <h2 style='margin-left:0in;text-indent:0in'><a name=
7823 "_Ref345771875"></a><a name="_Ref345489124"></a><a name=
7824 "_Toc344355423"></a><a name="_Toc534975011"></a><a name=
7825 "_Ref361651257"></a><a name="_Ref349897909"></a><a name=
7826 "_Ref344916532"></a><a name="_Ref344908410"></a><a name=
7827 "_Toc344355424">11.4<span style=
7828 'font:7.0pt "Times New Roman"'> </span>
7830 <p class="TextFontCX">It is often useful to be able to execute the
7831 same code for many different values. For example, we may want
7832 to sum all elements in an <span class="CodeText"><span style=
7833 'font-size:10.0pt'>intSet</span></span> that represents a set of
7834 integers. If <span class="CodeText"><span style=
7835 'font-size:10.0pt'>intSet</span></span> is an abstract type, there
7836 is no easy way of doing this in a client module without depending
7837 on the concrete representation of the type. Instead, we could
7838 provide such a mechanism as part of the type’s
7839 implementation. We call a mechanism for looping through many
7840 values an <i>iterator</i>.</p>
7841 <p class="TextFontCX"> </p>
7842 <p class="TextFontCX">The C language provides no mechanism for
7843 creating user-defined iterators. Splint supports a stylized
7844 form of iterators declared using syntactic comments and defined
7846 <p class="TextFontCX"> </p>
7847 <p class="TextFontCX">Iterator declarations are similar to function
7848 declarations except instead of returning a value, they assign
7849 values to their <span class="Annot"><span style=
7850 'font-size:10.0pt'>yield</span></span> parameters in each
7851 iteration. For example, we could add this iterator
7852 declaration to <span class="Keyword"><span style=
7853 'font-size:10.0pt;font-family: Arial;color:windowtext'>intSet.h</span></span>:</p>
7854 <p class="example">/*@iter intSet_elements (intSet s, yield int
7856 <p class="TextFontCX">The <span class="Annot"><span style=
7857 'font-size:10.0pt'>yield</span></span> annotation means that the
7858 variable passed as the second actual argument is declared as a
7859 local variable of type <span class="CodeText"><span style=
7860 'font-size:10.0pt'>int</span></span> and assigned a value in each
7862 <h3 style='margin-left:0in;text-indent:0in'><a name=
7863 "_Toc534975012">11.4.1<span style=
7864 'font:7.0pt "Times New Roman"'> </span> Defining
7866 <p class="beforelist">An iterator is defined using a macro.
7867 Here’s one (not particularly efficient) way of defining
7868 <span class="CodeText"><span style=
7869 'font-size:10.0pt'>intSet_elements</span></span>:</p>
7870 <p class="Verbatim"> typedef /*@abstract@*/ struct
7872 <p class="Verbatim"> int
7874 <p class="Verbatim"> int
7876 <p class="Verbatim"> } intSet;</p>
7877 <p class="Verbatim"> …</p>
7878 <p class="Verbatim"> # define intSet_elements(s,m_el)
7880 <p class="Verbatim"> { int m_i; \</p>
7881 <p class="Verbatim"> for (m_i =
7882 (0); m_i <= ((s)->nelements); m_i++) { \</p>
7883 <p class="Verbatim">
7884 int
7885 m_el = (s)->elements[(m_i)];</p>
7886 <p class="Verbatim"> </p>
7887 <p class="Verbatim"> # define end_intSet_elements
7889 <p class="afterlist">Each time through the loop, the yield
7890 parameter <span class="CodeText"><span style=
7891 'font-size:10.0pt'>m_el</span></span> is assigned to the next
7892 value. After each value has been assigned to
7893 <span class="CodeText"><span style=
7894 'font-size:10.0pt'>m_el</span></span> for one iteration, the
7895 loop terminates. Variables declared by the iterator
7896 macro (including the <span class="Annot"><span style=
7897 'font-size:10.0pt'>yield</span></span> parameter) are
7898 preceded by the macro variable namespace prefix <span class=
7899 "CodeText"><span style='font-size:10.0pt'>m_</span></span>
7900 (see Section 11.2) to avoid conflicts with variables defined
7901 in the scope where the iterator is used.</p>
7902 <h3 style='margin-left:0in;text-indent:0in'><a name=
7903 "_Toc534975013">11.4.2<span style=
7904 'font:7.0pt "Times New Roman"'> </span> Using
7906 <p class="TextFontCX">The general structure for using an iterator
7908 <p class="example"><i>iter</i> (<i><params></i>) stmt;
7910 <p class="beforelist">For example, a client could use
7911 <span class="CodeText"><span style=
7912 'font-size:10.0pt'>intSet_elements</span></span> to sum the
7913 elements of an <span class="CodeText"><span style=
7914 'font-size:10.0pt'>intSet</span></span>:</p>
7915 <p class="Verbatim"> intSet s;</p>
7916 <p class="Verbatim"> int sum = 0;</p>
7917 <p class="Verbatim"> ...</p>
7918 <p class="Verbatim"> intSet_elements (s, el) {</p>
7919 <p class="Verbatim" style='text-indent:.5in'>sum += el;</p>
7920 <p class="Verbatim"> } end_intSet_elements;</p>
7921 <p class="afterlist">The actual parameter corresponding to a yield
7922 parameter, <span class="CodeText"><span style=
7923 'font-size:10.0pt'>el</span></span>, is not declared in the
7924 function scope. Instead, it is declared by the iterator and
7925 assigned to an appropriate value for each iteration.</p>
7926 <p class="TextFontCX"> </p>
7927 <p class="beforelist">Splint will do the following checks for uses
7928 of stylized iterators:</p>
7929 <p class="MsoListBullet"><span style=
7930 'font-family:Symbol'>·<span style=
7931 'font:7.0pt "Times New Roman"'> </span></span>
7932 An invocation of the iterator <span class=
7933 "CodeText"><i><span style='font-size:10.0pt'>iter</span></i></span>
7934 must be balanced by a corresponding end, named <span class=
7935 "CodeText"><span style=
7936 'font-size:10.0pt'>end_<i>iter</i></span></span>.</p>
7937 <p class="MsoListBullet"><span style=
7938 'font-family:Symbol'>·<span style=
7939 'font:7.0pt "Times New Roman"'> </span></span>
7940 All actual parameters must be defined, except those corresponding
7941 to yield parameters.</p>
7942 <p class="MsoListBullet"><span style=
7943 'font-family:Symbol'>·<span style=
7944 'font:7.0pt "Times New Roman"'> </span></span>
7945 Yield parameters must be new identifiers, not declared in the
7946 current scope or any enclosing scope.</p>
7947 <p class="afterlist">Iterators are a bit awkward to implement, but
7948 they enable compact, easily understood client code. For
7949 abstract collection types, an iterator can be used to enable
7950 clients to operate on elements of the collection without breaking
7951 data abstraction.<a name="_Ref348845281"></a><a name=
7952 "_Toc344355425"></a><a name="_Ref343247905"></a></p>
7953 <h1 style='margin-left:0in;text-indent:0in'><a name=
7954 "_Toc534975014"></a><a name="_Ref483663681"></a><a name=
7955 "_Ref350065611">12<span style=
7956 'font:7.0pt "Times New Roman"'> </span>
7957 <a id="naming" name="naming">
7958 Naming Conventions</a></a></h1>
7959 <p class="TextFontCX">Naming conventions tend to be a religious
7960 issue. Generally, it doesn't matter too much what naming convention
7961 is followed as long as one is chosen and followed
7962 religiously. There are two kinds of naming conventions
7963 supported by Splint. Type-based naming conventions (Section
7964 12.1) constrain identifier names according to the abstract
7965 types that are accessible where the identifier is
7966 defined. Prefix naming conventions (Section 12.2) constrain
7967 the initial characters of identifier names according to what is
7968 being declared and its scope. Naming conventions may be
7969 combined or different conventions may be selected for different
7970 kinds of identifiers. In addition, Splint supports checking
7971 that names do not conflict with names reserved for the standard
7972 library or implementation (Section 12.3) and are sufficiently
7973 distinguishable from other names.</p>
7974 <h2 style='margin-left:0in;text-indent:0in'><a name=
7975 "_Toc534975015"></a><a name="_Ref348079373"></a><a name=
7976 "_Ref347240654"></a><a name="_Toc344355426">12.1<span style=
7977 'font:7.0pt "Times New Roman"'> </span>
7978 Type-Based Naming Conventions</a></h2>
7979 <p class="TextFontCX">Generic naming conventions constrain valid
7980 names of identifiers. By limiting valid names, namespaces may
7981 be preserved and programs may be more easily understood since the
7982 name gives clues as to how and where the name is defined and how it
7984 <p class="TextFontCX"> </p>
7985 <p class="TextFontCX">Names may be constrained by the scope of the
7986 name (external, file static, internal), the file in which the
7987 identifier is defined, the type of the identifier, and global
7989 <h3 style='margin-left:0in;text-indent:0in'><a name=
7990 "_Toc534975016"></a><a name=
7991 "_Ref347994687">12.1.1<span style='font:7.0pt "Times New Roman"'> </span>
7992 Czech Names</a></h3>
7993 <p class="TextFontCX">Czech<a href="#_ftn17" name="_ftnref17"
7994 title=""><span class="MsoFootnoteReference"><span class=
7995 "MsoFootnoteReference"><span style=
7996 'font-size:11.0pt;font-family:"Times New Roman"'>[17]</span></span></span></a>
7997 names denote operations and variables of abstract types by
7998 preceding the names by <span class="CodeText"><i><span style=
7999 'font-size:10.0pt'><type></span></i></span><span class=
8000 "CodeText"><span style='font-size:10.0pt'>_</span></span>.
8001 The remainder of the name should begin with a lowercase
8002 character, but may use any other character besides the
8003 underscore. Types may be named using any non-underscore
8005 <p class="TextFontCX"> </p>
8006 <p class="TextFontCX" style='margin-bottom:6.0pt'>The Czech naming
8007 convention is selected by the <span class="Flag"><span style=
8008 'font-size:10.0pt'>czech</span></span> flag. If
8009 <span class="Flag"><span style=
8010 'font-size:10.0pt'>access-czech</span></span> is on, a function,
8011 variable, constant or iterator named <span class=
8012 "CodeText"><i><span style=
8013 'font-size:10.0pt'><type></span></i></span><span class=
8014 "CodeText"><span style=
8015 'font-size:10.0pt'>_<i><name></i></span></span> has access to
8016 the abstract type <span class="CodeText"><i><span style=
8017 'font-size:10.0pt'><type></span></i></span>. Reporting
8018 of violations of the Czech naming convention is controlled by
8019 different flags depending on what is being declared:</p>
8020 <p class="TextFontCX"><span class="Flag"><span style=
8021 'font-size:10.0pt'>czech-fcns</span></span></p>
8022 <p class="TextFontCX" style='margin-left:13.5pt'>Functions and
8023 iterators. An error is reported for a function name of the
8024 form <span class="CodeText"><i><span style=
8025 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8026 <span style='font-size:10.0pt'>_<i><name></i></span></span>
8027 where <span class="CodeText"><i><span style=
8028 'font-size:10.0pt'><prefix></span></i></span> is not the name
8029 of an accessible type. Note that if <span class=
8030 "Flag"><span style='font-size:10.0pt'>accessczech</span></span> is
8031 on, a type named <span class="CodeText"><i><span style=
8032 'font-size:10.0pt'><prefix></span></i></span> would be
8033 accessible in a function beginning with <span class=
8034 "CodeText"><i><span style=
8035 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8036 <span style='font-size:10.0pt'>_</span></span>. If
8037 <span class="Flag"><span style=
8038 'font-size:10.0pt'>access-czech</span></span> is off, an error is
8039 reported instead. An error is reported for a function name
8040 that does not have an underscore if any abstract types are
8041 accessible where the function is defined.</p>
8042 <p class="TextFontCX"><span class="Flag"><span style=
8043 'font-size:10.0pt'>czech-vars</span></span></p>
8044 <p class="TextFontCX"><span class="Flag"><span style=
8045 'font-size:10.0pt'>czech-constants</span></span></p>
8046 <p class="TextFontCX"><span class="Flag"><span style=
8047 'font-size:10.0pt'>czech-macros</span></span></p>
8048 <p class="IndentText">Variables, constants and expanded macros.
8049 An error is reported if the identifier name starts with
8050 <span class="CodeText"><i><span style=
8051 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8052 <span style='font-size:10.0pt'>_</span></span>and
8053 <span class="CodeText"><i><span style=
8054 'font-size:10.0pt'>prefix</span></i></span> is not the name
8055 of an accessible abstract type, or if an abstract type is
8056 accessible and the identifier name does not begin with
8057 <span class="CodeText"><i><span style=
8058 'font-size:10.0pt'><type></span></i></span><span class=
8059 "CodeText"><span style='font-size:10.0pt'>_</span></span>
8060 where <span class="CodeText"><i><span style=
8061 'font-size:10.0pt'>type</span></i></span> is the name of an
8062 accessible abstract type. If <span class=
8064 'font-size:10.0pt'>access-czech</span></span> is on, the
8065 representation of the type is visible in the constant or
8066 variable definition.</p>
8067 <p class="TextFontCX"><span class="Flag"><span style=
8068 'font-size:10.0pt'>czech-types</span></span></p>
8069 <p class="TextFontCX" style='margin-left:13.5pt'>User-defined
8070 types. An error is reported if a type name includes an
8071 underscore character.</p>
8072 <p class="Sidebar" align="right">Of course, this is a complete
8073 jumble to the uninitiated, and that’s the joke.</p>
8074 <p class="Sidebar" align="right" style='text-align:right'>
8075 <i>Charles Simonyi, on the Hungarian naming convention</i></p>
8076 <h3 style='margin-left:0in;text-indent:0in'><a name=
8077 "_Toc534975017"></a><a name=
8078 "_Ref344878566">12.1.2<span style='font:7.0pt "Times New Roman"'> </span>
8079 Slovak Names</a></h3>
8080 <p class="TextFontCX">Slovak names are similar to Czech names,
8081 except they are spelled differently. A Slovak name is of the
8082 form <span class="CodeText"><i><span style=
8083 'font-size:10.0pt'><type><Name></span></i></span>.
8084 The type prefix may not use uppercase characters. The
8085 remainder of the name starts with the first uppercase
8087 <p class="TextFontCX"> </p>
8088 <p class="TextFontCX">The <span class="Flag"><span style=
8089 'font-size:10.0pt'>slovak</span></span> flag selects the
8090 Slovak naming convention. Like Czech names, it may be used
8091 with <span class="Flag"><span style=
8092 'font-size:10.0pt'>access-slovak</span></span> to control
8093 access to abstract representations. The <span class=
8094 "Flag"><span style='font-size:10.0pt'>slovak-fcns</span></span>,
8095 <span class="Flag"><span style=
8096 'font-size:10.0pt'>slovak-vars</span></span>, <span class=
8098 'font-size:10.0pt'>slovak-constants</span></span>, and
8099 <span class="Flag"><span style=
8100 'font-size:10.0pt'>slovak-macros</span></span> flags are
8101 analogous to the similar Czech flags. If <span class=
8103 'font-size:10.0pt'>slovak-type</span></span> is on, an error
8104 is reported if a type name includes an uppercase letter.</p>
8105 <h3 style='margin-left:0in;text-indent:0in'><a name=
8106 "_Toc534975018"></a><a name=
8107 "_Ref347994743">12.1.3<span style='font:7.0pt "Times New Roman"'> </span>
8108 Czechoslovak Names</a></h3>
8109 <p class="TextFontCX">Czechoslovak names are a combination of Czech
8110 names and Slovak names. Operations may be named either
8111 <span class="CodeText"><i><span style=
8112 'font-size:10.0pt'><type></span></i></span><span class=
8113 "CodeText"><span style='font-size:10.0pt'>_</span></span> followed
8114 by any sequence of non-underscore characters, or <span class=
8115 "CodeText"><i><span style=
8116 'font-size:10.0pt'><type></span></i></span> followed by an
8117 uppercase letter and any sequence of characters. Czechoslovak
8118 names have been out of favor since 1993, but may be necessary for
8119 checking legacy code. The <span class="Flag"><span style=
8120 'font-size:10.0pt'>czechoslovak-fcns</span></span>,
8121 <span class="Flag"><span style=
8122 'font-size:10.0pt'>czechoslovak-vars</span></span>,
8123 <span class="Flag"><span style=
8124 'font-size:10.0pt'>czechoslovak-macros</span></span>, and
8125 <span class="Flag"><span style=
8126 'font-size:10.0pt'>czechoslovak-constants</span></span>
8127 flags are analogous to the similar Czech flags. If
8128 <span class="Flag"><span style=
8129 'font-size:10.0pt'>czechoslovak-type</span></span> is
8130 on, an error is reported if a type name contains either an
8131 uppercase letter or an underscore character.</p>
8132 <h2 style='margin-left:0in;text-indent:0in'><a name=
8133 "_Toc534975019"></a><a name="_Ref347240687"></a><a name=
8134 "_Ref347222192">12.2<span style=
8135 'font:7.0pt "Times New Roman"'> </span>
8136 Namespace Prefixes</a></h2>
8137 <p class="TextFontCX">Another way to restrict names is to constrain
8138 the leading character sequences of various kinds of
8139 identifiers. For example, the names of all user-defined types
8140 might begin with <span class="CodeText"><span style=
8141 'font-size:10.0pt'>T</span></span> followed by an uppercase letter
8142 and all file static names begin with an uppercase letter.
8143 This may be useful for enforcing a namespace (e.g., all names
8144 exported by the X-windows library should begin with
8145 <span class="CodeText"><span style=
8146 'font-size:10.0pt'>X</span></span>) or just making programs
8147 easier to understand by establishing an enforced
8148 convention. Splint can be used to constrain identifiers
8149 in this way to detect identifiers inconsistent with
8151 <p class="TextFontCX"> </p>
8152 <p class="TextFontCX">All namespace flags are of the form,
8153 <span class="Flag"><span style=
8154 'font-size:10.0pt'>-<i><context></i>prefix
8155 <i><string></i></span></span>. For example, the macro
8156 variable namespace restricting identifiers declared in macro bodies
8157 to be preceded by <span class="CodeText"><span style=
8158 'font-size:10.0pt'>m_</span></span> would be selected by
8159 <span class="Flag"><span style=
8160 'font-size:10.0pt'>-macrovarprefix</span></span> <span class=
8161 "Flag"><span style='font-size:10.0pt'>"m_"</span></span>. The
8162 string may contain regular characters that may appear in a C
8163 identifier. These must match the initial characters of the
8164 identifier name. In addition, special characters (shown in
8165 Figure 23) can be used to denote a class of characters.<a href=
8166 "#_ftn18" name="_ftnref18" title=""><span class=
8167 "MsoFootnoteReference"><span class=
8168 "MsoFootnoteReference"><span style=
8169 'font-size:11.0pt;font-family:"Times New Roman"'>[18]</span></span></span></a>
8170 The <span class="CodeText"><span style=
8171 'font-size:10.0pt'>*</span></span> character may be used at the end
8172 of a prefix string to specify the rest of the identifier is zero or
8173 more characters matching the character immediately before the
8174 <span class="CodeText"><span style=
8175 'font-size:10.0pt'>*</span></span>. For example, the prefix
8176 string <span class="CodeText"><span style=
8177 'font-size:10.0pt'>T&*</span></span> matches <span class=
8178 "CodeText"><span style='font-size:10.0pt'>T</span></span> or
8179 <span class="CodeText"><span style=
8180 'font-size:10.0pt'>TWINDOW</span></span> but not <span class=
8181 "CodeText"><span style='font-size:10.0pt'>Twin</span></span>.</p>
8182 <p class="beforelist"> </p>
8183 <p class="beforelist">Different prefixes can be selected for the
8184 following identifier contexts:</p>
8185 <table class="MsoNormalTable" border="0" cellspacing="0"
8186 cellpadding="0" style='margin-left:.45in;border-collapse:collapse'>
8188 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8189 <p class="TextFontCX"><span class="Flag"><span style=
8190 'font-size:10.0pt'>macro-var-prefix</span></span></p></td>
8191 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8192 <p class="TextFontCX">Any variable declared inside a macro
8195 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8196 <p class="TextFontCX"><span class="Flag"><span style=
8197 'font-size:10.0pt'>unchecked-macro-prefix</span></span></p></td>
8198 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8199 <p class="TextFontCX">Any macro that is not checked as a function
8200 or constant (see Section 11.4)</p></td></tr>
8202 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8203 <p class="TextFontCX"><span class="Flag"><span style=
8204 'font-size:10.0pt'>tag-prefix</span></span></p></td>
8205 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8206 <p class="TextFontCX">Tags for <span class=
8207 "CodeText"><span style='font-size:10.0pt'>struct</span></span>,
8208 <span class="CodeText"><span style=
8209 'font-size:10.0pt'>union</span></span> and <span class=
8210 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
8211 declarations</p></td></tr>
8213 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8214 <p class="TextFontCX"><span class="Flag"><span style=
8215 'font-size:10.0pt'>enum-prefix</span></span></p></td>
8216 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8217 <p class="TextFontCX">Members of <span class=
8218 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
8221 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8222 <p class="TextFontCX"><span class="Flag"><span style=
8223 'font-size:10.0pt'>type-prefix</span></span></p></td>
8224 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8225 <p class="TextFontCX">Name of a user-defined type</p></td></tr>
8227 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8228 <p class="TextFontCX"><span class="Flag"><span style=
8229 'font-size:10.0pt'>file-static-prefix</span></span></p></td>
8230 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8231 <p class="TextFontCX">Any identifier with file static
8234 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8235 <p class="TextFontCX"><span class="Flag"><span style=
8236 'font-size:10.0pt'>glob-var-prefix</span></span></p></td>
8237 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8238 <p class="TextFontCX">Any variable (not of function type) with
8239 global scope</p></td></tr>
8241 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8242 <p class="TextFontCX"><span class="Flag"><span style=
8243 'font-size:10.0pt'>const-prefix</span></span></p></td>
8244 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8245 <p class="TextFontCX">Any constant (see Section 11.1)</p></td></tr>
8247 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8248 <p class="TextFontCX"><span class="Flag"><span style=
8249 'font-size:10.0pt'>iter-prefix</span></span></p></td>
8250 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8251 <p class="TextFontCX">An iterator (see Section 11.4)</p></td></tr>
8253 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8254 <p class="TextFontCX"><span class="Flag"><span style=
8255 'font-size:10.0pt'>proto-param-prefix</span></span></p></td>
8256 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8257 <p class="TextFontCX">A parameter in a function declaration
8258 prototype</p></td></tr>
8260 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8261 <p class="TextFontCX"><span class="Flag"><span style=
8262 'font-size:10.0pt'>external-prefix</span></span></p></td>
8263 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8264 <p class="TextFontCX">Any exported identifier</p></td></tr></table>
8265 <p class="afterlist">If an identifier is in more than one of the
8266 namespace contexts, the most specific defined namespace prefix is
8267 used (e.g., a global variable is also an exported identifier,
8268 so if <span class="Flag"><span style=
8269 'font-size:10.0pt'>global-var-prefix</span></span> is set, it is
8270 checked against the variable name; if not, the identifier is
8271 checked against the <span class="Flag"><span style=
8272 'font-size:10.0pt'>external-prefix</span></span>.)</p>
8273 <p class="TextFontCX"> </p>
8274 <p class="TextFontCX">For each prefix flag, a corresponding flag
8275 named <span class="Flag"><i><span style=
8276 'font-size:10.0pt'><prefixname></span></i></span><span class="Flag">
8277 <span style='font-size:10.0pt'>exclude</span></span> controls
8278 whether errors are reported if identifiers in a different namespace
8279 match the namespace prefix. For example, if
8280 <span class="Flag"><span style=
8281 'font-size: 10.0pt'>macro-var-prefix-exclude</span></span> is
8282 on, Splint checks that no identifier that is not a variable
8283 declared inside a macro body uses the macro variable
8285 <p class="TextFontCX"> </p>
8286 <p class="beforelist">Here is a (somewhat draconian) sample naming
8288 <table class="MsoNormalTable" border="0" cellspacing="0"
8289 cellpadding="0" style='margin-left:5.4pt;border-collapse:collapse'>
8291 <td valign="top" style=
8292 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8293 <p class="TextFontCX"><span class="Flag"><span style=
8294 'font-size:10.0pt'>-unchecked-macro-prefix</span></span>
8295 <span class="Flag"><span style=
8296 'font-size:10.0pt'>"~*"</span></span></p></td>
8297 <td valign="top" style=
8298 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8299 <p class="TextFontCX">Unchecked macros have no lowercase
8300 letters.</p></td></tr>
8302 <td valign="top" style=
8303 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8304 <p class="TextFontCX"><span class="Flag"><span style=
8305 'font-size:10.0pt'>-type-prefix</span></span> <span class=
8307 'font-size:10.0pt'>"T^&*"</span></span></p></td>
8308 <td valign="top" style=
8309 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8310 <p class="TextFontCX">All type names begin with <span class=
8311 "CodeText"><span style='font-size:10.0pt'>T</span></span> followed
8312 by an uppercase letter. The rest of the name is all lowercase
8313 letters.</p></td></tr>
8315 <td valign="top" style=
8316 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8317 <p class="TextFontCX"><span class="Flag"><span style=
8318 'font-size:10.0pt'>+type-prefix-exclude</span></span></p></td>
8319 <td valign="top" style=
8320 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8321 <p class="TextFontCX">No identifier that does not name a
8322 user-defined type name begins with the type name
8323 prefix.</p></td></tr>
8325 <td valign="top" style=
8326 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8327 <p class="TextFontCX"><span class="Flag"><span style=
8328 'font-size:10.0pt'>-file-static-prefix</span></span>
8329 <span class="Flag"><span style=
8330 'font-size:10.0pt'>"^&&&"</span></span></p></td>
8331 <td valign="top" style=
8332 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8333 <p class="TextFontCX">File static scope variables begin with an
8334 uppercase letter and three lowercase letters.</p></td></tr>
8336 <td valign="top" style=
8337 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8338 <p class="TextFontCX"><span class="Flag"><span style=
8339 'font-size:10.0pt'>-proto-param-prefix "p_"</span></span></p></td>
8340 <td valign="top" style=
8341 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8342 <p class="TextFontCX">All parameters in prototypes must begin with
8343 <span class="CodeText"><span style=
8344 'font-size:10.0pt'>p_</span></span>.</p></td></tr>
8346 <td valign="top" style=
8347 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8348 <p class="TextFontCX"><span class="Flag"><span style=
8349 'font-size:10.0pt'>-glob-var-prefix "G"</span></span></p></td>
8350 <td valign="top" style=
8351 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8352 <p class="TextFontCX">All global variables start with
8353 <span class="CodeText"><span style=
8354 'font-size:10.0pt'>G</span></span>.</p></td></tr>
8356 <td valign="top" style=
8357 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8358 <p class="TextFontCX"><span class="Flag"><span style=
8359 'font-size:10.0pt'>+glob-var-prefix-exclude</span></span></p></td>
8360 <td valign="top" style=
8361 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8362 <p class="TextFontCX">No identifier that is not a
8363 global variable starts with <span class=
8364 "CodeText"><span style='font-size:10.0pt'>G</span></span>.</p></td></tr></table>
8365 <p class="beforelist"> </p>
8366 <p class="beforelist">The prefix for parameters in function
8367 prototypes is useful for making sure parameter names are not in
8368 conflict with macros defined before the function prototype.
8369 In most cases, it may be preferable to not name prototype
8370 parameters. If the <span class="Flag"><span style=
8371 'font-size:10.0pt'>proto-param-name</span></span> flag is set,
8372 an error is reported for any named parameter in a prototype
8373 declaration. If a <span class="Flag"><span style=
8374 'font-size:10.0pt'>proto-param-prefix</span></span> is set, no
8375 error is reported for unnamed parameters.</p>
8376 <p class="TextFontCX">It may also be useful to check the names of
8377 prototype parameters correspond to the names in definitions.
8378 While using header files as documentation is not generally
8379 recommended, it is common enough practice that it makes sense to
8380 check that parameter names are consistent. A discrepancy may
8381 indicate an error in the parameter order in the function
8382 prototype. If <span class="Flag"><span style=
8383 'font-size:10.0pt'>proto-param-match</span></span> is set,
8384 Splint will report an error if the name of a definition parameter
8385 does not match the corresponding prototype parameter (after
8386 removing the <span class="Flag"><span style=
8387 'font-size:10.0pt'>protoparamprefix</span></span>).</p>
8389 <table class="MsoNormalTable" border="0" cellspacing="0"
8390 cellpadding="0" style=
8391 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
8393 <td valign="top" style=
8394 'width:22.0pt;border-top:solid black 1.5pt; border-left:solid black 1.5pt;border-bottom:none;border-right:none; padding:0in 5.4pt 0in 5.4pt'>
8395 <p class="TextFontCX"><span class="CodeText"><span style=
8396 'font-size:10.0pt'>^</span></span></p></td>
8397 <td valign="top" style=
8398 'width:401.55pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8399 <p class="TextFontCX">Any uppercase letter, <span class=
8400 "CodeText"><span style=
8401 'font-size:10.0pt'>A</span></span>-<span class=
8402 "CodeText"><span style=
8403 'font-size:10.0pt'>Z</span></span></p></td></tr>
8405 <td valign="top" style=
8406 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8407 <p class="TextFontCX"><span class="CodeText"><span style=
8408 'font-size:10.0pt'>&</span></span></p></td>
8409 <td valign="top" style=
8410 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8411 <p class="TextFontCX">Any lowercase letter, <span class=
8412 "CodeText"><span style=
8413 'font-size:10.0pt'>a</span></span>-<span class=
8414 "CodeText"><span style=
8415 'font-size:10.0pt'>z</span></span></p></td></tr>
8417 <td valign="top" style=
8418 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8419 <p class="TextFontCX"><span class="CodeText"><span style=
8420 'font-size:10.0pt'>%</span></span></p></td>
8421 <td valign="top" style=
8422 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8423 <p class="TextFontCX">Any character that is not an uppercase letter
8424 (allows lowercase letters, digits and underscore)</p></td></tr>
8426 <td valign="top" style=
8427 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8428 <p class="TextFontCX"><span class="CodeText"><span style=
8429 'font-size:10.0pt'>~</span></span></p></td>
8430 <td valign="top" style=
8431 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8432 <p class="TextFontCX">Any character that is not a lowercase letter
8433 (allows uppercase letters, digits and underscore)</p></td></tr>
8435 <td valign="top" style=
8436 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8437 <p class="TextFontCX"><span class="CodeText"><span style=
8438 'font-size:10.0pt'>$</span></span></p></td>
8439 <td valign="top" style=
8440 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8441 <p class="TextFontCX">Any letter (<span class=
8442 "CodeText"><span style=
8443 'font-size:10.0pt'>a</span></span>-<span class=
8444 "CodeText"><span style='font-size:10.0pt'>z</span></span>,
8445 <span class="CodeText"><span style=
8446 'font-size:10.0pt'>A</span></span>-<span class=
8447 "CodeText"><span style=
8448 'font-size:10.0pt'>Z</span></span>)</p></td></tr>
8450 <td valign="top" style=
8451 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8452 <p class="TextFontCX"><span class="CodeText"><span style=
8453 'font-size:10.0pt'>/</span></span></p></td>
8454 <td valign="top" style=
8455 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8456 <p class="TextFontCX">Any letter or digit (<span class=
8457 "CodeText"><span style=
8458 'font-size:10.0pt'>A</span></span>-<span class=
8459 "CodeText"><span style='font-size:10.0pt'>Z</span></span>,
8460 <span class="CodeText"><span style=
8461 'font-size:10.0pt'>a</span></span>-<span class=
8462 "CodeText"><span style='font-size:10.0pt'>z</span></span>,
8463 <span class="CodeText"><span style=
8464 'font-size:10.0pt'>0</span></span>-<span class=
8465 "CodeText"><span style=
8466 'font-size:10.0pt'>9</span></span>)</p></td></tr>
8468 <td valign="top" style=
8469 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8470 <p class="TextFontCX"><span class="CodeText"><span style=
8471 'font-size:10.0pt'>?</span></span></p></td>
8472 <td valign="top" style=
8473 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8474 <p class="TextFontCX">Any character valid in a C
8475 identifier</p></td></tr>
8477 <td valign="top" style=
8478 'width:22.0pt;border-top:none;border-left:solid black 1.5pt; border-bottom:solid black 1.5pt;border-right:none;padding:0in 5.4pt 0in 5.4pt'>
8479 <p class="TextFontCX"><span class="CodeText"><span style=
8480 'font-size:10.0pt'>#</span></span></p></td>
8481 <td valign="top" style=
8482 'width:401.55pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8483 <p class="TextFontCX" style='page-break-after: avoid'>Any digit,
8484 <span class="CodeText"><span style=
8485 'font-size:10.0pt'>0</span></span>-<span class=
8486 "CodeText"><span style=
8487 'font-size:10.0pt'>9</span></span></p></td></tr></table>
8488 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
8490 <td valign="top" style=
8491 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
8492 <p class="MsoCaption"><a name="_Toc534824625"></a><a name=
8493 "_Ref347220245"></a><a name="_Ref347220226"></a><a name=
8494 "_Toc347255399"></a><a name="_Ref347222037"></a><a name=
8495 "_Ref347222045"></a><a name="_Ref534824531">Figure 23</a>.
8496 Prefix Character Codes</p></td></tr></table></center>
8497 <h2 style='margin-left:0in;text-indent:0in'><a name=
8498 "_Toc534975020"></a><a name="_Ref348079479"></a><a name=
8499 "_Ref347240790"></a><a name="_Toc344355427">12.3<span style=
8500 'font:7.0pt "Times New Roman"'> </span>
8501 Naming Restrictions</a></h2>
8502 <p class="TextFontCX">Additional naming restrictions can be used to
8503 check that names do no conflict with names reserved for the
8504 standard library, and that identifier are sufficiently distinct
8505 (either for the compiler and linker, or for the programmer.)
8506 Restrictions may be different for names that are needed by the
8507 linker (<i>external</i> names) and names that are only needed
8508 during compilations (<i>internal</i> names). Names of
8509 non-<span class="CodeText"><span style=
8510 'font-size:10.0pt'>static</span></span> functions and global
8511 variables are external; all other names are internal.</p>
8512 <p class="Sidebar" align="right"><a name=
8513 "_Ref350062822"></a><a name="_Ref348845288"></a><a name=
8514 "_Toc344355429"></a><a name="_Ref343248602"> </a></p>
8515 <p class="Sidebar" align="right">The decision to retain the old
8516 six-character case-insensitive restriction on significance was most
8518 <p class="Sidebar" align="right" style='text-align:right'><i>ANSI C
8520 <h3 style='margin-left:0in;text-indent:0in'><a name=
8521 "_Toc534975021">12.3.1<span style=
8522 'font:7.0pt "Times New Roman"'> </span> Reserved
8524 <p class="TextFontCX">Many names are reserved for the
8525 implementation and standard library. A complete list of
8526 reserved names can be found in [vdL, p. 126-128]. Some name
8527 prefixes such as <span class="CodeText"><span style=
8528 'font-size:10.0pt'>str</span></span> followed by a lowercase
8529 character are reserved for future library extensions. Most C
8530 compilers do not detect naming conflicts, and they can lead to
8531 unpredictable program behavior. If <span class=
8532 "Flag"><span style='font-size:10.0pt'>ansi-reserved</span></span>
8533 is on, Splint warns about external names that conflict with
8534 reserved names. If <span class="Flag"><span style=
8535 'font-size:10.0pt'>ansi-reserved-internal</span></span> is on,
8536 warnings are also produced for internal names.</p>
8537 <p class="TextFontCX"> </p>
8538 <p class="TextFontCX">If <span class="Flag"><span style=
8539 'font-size:10.0pt'>+cpp-names</span></span> is set, Splint warns
8540 about identifier names that are keywords or reserved words in
8541 C++. This is useful if the code may later be compiled with a
8542 C++ compiler (of course, this is not enough to ensure the meaning
8543 of the code is not changed when it is compiled as C++.)</p>
8544 <h3 style='margin-left:0in;text-indent:0in'><a name=
8545 "_Toc534975022">12.3.2<span style=
8546 'font:7.0pt "Times New Roman"'> </span> Distinct
8548 <p class="TextFontCX">Splint can check that names differ within a
8549 given number of characters, optionally ignoring alphabetic case and
8550 differences between characters that look similar. The number
8551 of significant characters may be different for external and
8552 internal names. </p>
8553 <p class="TextFontCX"> </p>
8554 <p class="TextFontCX">Using <span class="Flag"><span style=
8555 'font-size:10.0pt'>+distinct-external-names</span></span> sets
8556 the number of significant characters for external names to six and
8557 makes alphabetical case insignificant for external names.
8558 This is the minimum significance acceptable in an ANSI-conforming
8559 compiler. Most modern compilers exceed these minimums (which
8560 are particularly hard to follow if one uses the Czech or Slovak
8561 naming convention). The number of significant characters can
8562 be changed using the <span class="Flag"><span style=
8563 'font-size:10.0pt'>external-name-length
8564 <i><number></i></span></span> flag. If
8565 <span class="Flag"><span style=
8566 'font-size:10.0pt'>external-name-case-insensitive</span></span>
8567 is on, alphabetical case is ignored in comparing external
8568 names. Splint reports identifiers that differ only in
8569 alphabetic case.</p>
8570 <p class="TextFontCX">For internal identifiers, a conforming
8571 compiler must recognize at least 31 characters and treat
8572 alphabetical cases distinctly. Nevertheless, it may still be
8573 useful to check that internal names are more distinct then required
8574 by the compiler to minimize the likelihood that identifiers are
8575 confused in the program. Analogously to external names, the
8576 <span class="Flag"><span style=
8577 'font-size:10.0pt'>internal-name-length</span></span><span class="Flag">
8579 'font-size:10.0pt'> <i><number></i></span></span> flag
8580 sets the number of significant characters in an internal name and
8581 <span class="Flag"><span style=
8582 'font-size:10.0pt'>internal-name-case-insensitive</span></span>
8583 sets the case sensitivity. The <span class=
8584 "Flag"><span style='font-size:10.0pt'>internal-name-look-alike</span></span>
8585 flag further restricts distinctions between
8586 identifiers. When set, similar-looking characters match
8587 — the lowercase letter <span class=
8588 "CodeText"><span style='font-size:10.0pt'>l</span></span>
8589 matches the uppercase letter <span class=
8590 "CodeText"><span style='font-size:10.0pt'>I</span></span> and
8591 the number <span class="CodeText"><span style=
8592 'font-size:10.0pt'>1</span></span>; the letter <span class=
8593 "CodeText"><span style='font-size:10.0pt'>O</span></span> or
8594 <span class="CodeText"><span style=
8595 'font-size:10.0pt'>o</span></span> matches the number
8596 <span class="CodeText"><span style=
8597 'font-size:10.0pt'>0</span></span>; <span class=
8598 "CodeText"><span style='font-size:10.0pt'>5</span></span>
8599 matches <span class="CodeText"><span style=
8600 'font-size:10.0pt'>S</span></span>; and <span class=
8601 "CodeText"><span style='font-size:10.0pt'>2</span></span>
8602 matches <span class="CodeText"><span style=
8603 'font-size:10.0pt'>Z</span></span>. Identifiers that
8604 are not distinct except for look-alike characters will
8605 produce an error message. External names are also
8606 internal names, so they must satisfy both the external and
8607 internal distinct identifier checks. Figure 24 provides
8608 some examples of distinct name checking.</p>
8610 <table class="MsoNormalTable" border="0" cellspacing="0"
8611 cellpadding="0" style=
8612 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
8614 <td valign="top" style=
8615 'width:166.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
8616 <p class="TextFontCX" align="center" style='text-align:center'>
8617 <span class="Keyword"><b><span style=
8618 'font-size:10.0pt; color:white'>names.c</span></b></span></p></td>
8619 <td valign="top" style=
8620 'width:256.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
8621 <p class="TextFontCX" align="center" style='text-align:center'>
8622 <b><span style='color:white'>Running
8623 Splint</span></b></p></td></tr>
8625 <td valign="top" style=
8626 'width:166.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
8627 <p class="Verbatim"><span class="Line"><span style=
8628 'font-size:8.0pt'> </span></span>char *stringrev (char
8630 <p class="Verbatim"> </p>
8631 <p class="Verbatim"><span class="Line"><span style=
8632 'font-size:8.0pt'>3</span></span> int f (int x)</p>
8633 <p class="Verbatim"><span class="Line"><span style=
8634 'font-size:8.0pt'> </span></span> {</p>
8635 <p class="Verbatim"><span class="Line"><span style=
8636 'font-size:8.0pt'>5</span></span> int lookalike = 1;</p>
8637 <p class="Verbatim"><span class="Line"><span style=
8638 'font-size:8.0pt'>6</span></span> int looka1ike = 2;</p>
8639 <p class="Verbatim"> </p>
8640 <p class="Verbatim"> if (x > 3)</p>
8641 <p class="Verbatim"> {</p>
8642 <p class="Verbatim"><span class="Line"><span style=
8643 'font-size:8.0pt'>10</span></span> int x =
8645 <p class="Verbatim"> x +=
8647 <p class="Verbatim"> }</p>
8648 <p class="Verbatim"> </p>
8649 <p class="Verbatim"> return x;</p>
8650 <p class="Verbatim">}
8651 </p></td>
8652 <td valign="top" style=
8653 'width:256.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8654 <p class="lclintrun">> splint names.c
8655 +distinctinternalnames </p>
8656 <p class="lclintrun">
8657
8658 +internalnamelookalike +isoreserved</p>
8659 <p class="lclintrun"> </p>
8660 <p class="lclintrun">names.c:1: Name stringreverse is reserved for
8662 <p class="lclintrun"> library extensions.
8663 Functions that begin with</p>
8664 <p class="lclintrun"> "str" and a lowercase
8665 letter may be added to</p>
8666 <p class="lclintrun"> <stdlib.h> or
8667 <string.h>. (ISO99:7.26.9)</p>
8668 <p class="lclintrun">names.c:6: Internal identifier looka1ike is
8670 <p class="lclintrun"> distinguishable from
8671 lookalike except by lookalike</p>
8672 <p class="lclintrun"> characters</p>
8673 <p class="lclintrun"> names.c:5: Declaration of
8675 <p class="lclintrun">names.c:10: Variable x shadows outer
8677 <p class="lclintrun" style='page-break-after:avoid'>
8678 names.c:3: Previous declaration of x: int</p></td></tr></table>
8679 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
8681 <td valign="top" style=
8682 'padding-top:5.05pt;padding-right: 9.35pt;padding-bottom:5.05pt;padding-left:9.35pt'>
8683 <p class="MsoCaption"><a name="_Ref343085825"></a><a name=
8684 "_Ref343085797"></a><a name="_Ref343065542"></a><a name=
8685 "_Ref349992283"></a><a name="_Ref534642902"></a><a name=
8686 "_Ref534642319"></a><a name="_Toc534824626"></a><a name=
8687 "_Ref534823650">Figure 24</a>. Distinct
8688 Names</p></td></tr></table></center>
8689 <h1 style='margin-left:0in;text-indent:0in'><a name=
8690 "_Ref534981356"></a><a name="_Ref534978939"></a><a name=
8691 "_Toc534975023">13<span style=
8692 'font:7.0pt "Times New Roman"'> </span>
8693 <a id="completeness" name="completeness">
8694 Completeness</a></a></h1>
8695 <p class="TextFontCX">Splint can report warnings for unused
8696 declarations and exported declarations that are not used
8698 <h2 style='margin-left:0in;text-indent:0in'><a name=
8699 "_Toc534975024"></a><a name="_Ref534744216">13.1<span style=
8700 'font:7.0pt "Times New Roman"'> </span>
8701 Unused Declarations</a></h2>
8702 <p class="TextFontCX">Splint detects constants, functions,
8703 parameters, variables, types, enumerator members, and structure or
8704 union fields that are declared but never used. The flags
8705 <span class="Flag"><span style=
8706 'font-size:10.0pt'>constuse</span></span>, <span class=
8707 "Flag"><span style='font-size:10.0pt'>fcnuse</span></span>,
8708 <span class="Flag"><span style=
8709 'font-size:10.0pt'>paramuse</span></span>, <span class=
8710 "Flag"><span style='font-size:10.0pt'>varuse</span></span>,
8711 <span class="Flag"><span style=
8712 'font-size:10.0pt'>typeuse</span></span>, <span class=
8713 "Flag"><span style='font-size:10.0pt'>enummemuse</span></span> and
8714 <span class="Flag"><span style=
8715 'font-size:10.0pt'>fielduse</span></span> control whether unused
8716 declaration errors are reported for each kind of declaration.
8717 Errors for exported declarations are reported only if
8718 <span class="Flag"><span style=
8719 'font-size:10.0pt'>topuse</span></span> is on (see Section
8721 <p class="TextFontCX"><a name="_Ref349900444"></a><a name=
8722 "_Ref349850608"></a><a name="_Ref349850429"> </a></p>
8723 <p class="TextFontCX">The <span class="Annot"><span style=
8724 'font-size:10.0pt'>/*@unused@*/</span></span> annotation can
8725 be used before a declaration to indicate that the item declared
8726 need not be used. Unused declaration errors are not reported
8727 for identifiers declared with <span class=
8728 "Annot"><span style='font-size:10.0pt'>unused</span></span><a name="_Toc344355432">
8729 </a><a name="_Ref343110935">.</a></p>
8730 <h2 style='margin-left:0in;text-indent:0in'><a name=
8731 "_Toc534975025"></a><a name="_Toc344355433"></a><a name=
8732 "_Ref343110504">13.2<span style=
8733 'font:7.0pt "Times New Roman"'> </span>
8734 Complete</a> Programs</h2>
8735 <p class="TextFontCX">Splint can be used on both complete and
8736 partial programs. When checking complete programs,
8737 additional checks can be done to ensure that every identifier
8738 declared by the program is defined and used, and that functions
8739 that do not need to be exported are declared <span class=
8740 "CodeText"><span style='font-size:10.0pt'>static</span></span>.</p>
8741 <p class="TextFontCX"> </p>
8742 <p class="TextFontCX">Splint checks that all declared variables and
8743 functions are defined (controlled by <span class=
8744 "Flag"><span style='font-size:10.0pt'>compdef</span></span><span class="Flag">
8745 <span style='font-size:10.0pt'>)</span></span>. Declarations
8746 of functions and variables that are defined in an external library,
8747 may be preceded by <span class="Annot"><span style=
8748 'font-size:10.0pt'>/*@external@*/</span></span> to suppress
8749 undefined declaration errors.</p>
8750 <p class="TextFontCX"> </p>
8751 <p class="TextFontCX">Splint reports external declarations that are
8752 unused (controlled by <span class="Flag"><span style=
8753 'font-size:10.0pt'>topuse</span></span>). Which declarations
8754 are reported also depends on the declaration use flags (Section
8755 13.1). The <span class="Flag"><span style=
8756 'font-size:10.0pt'>+partial</span></span> flag sets flags for
8757 checking a partial system. Top-level unused declarations,
8758 undefined declarations, and unnecessary external names are not
8759 reported if <span class="Flag"><span style=
8760 'font-size:10.0pt'>+partial</span></span> is set.</p>
8761 <h3 style='margin-left:0in;text-indent:0in'><a name=
8762 "_Toc534975026">13.2.1<span style=
8763 'font:7.0pt "Times New Roman"'> </span>
8764 Unnecessarily External Names</a></h3>
8765 <p class="TextFontCX">Splint can report variables and functions
8766 that are declared with global scope (i.e., without using
8767 <span class="CodeText"><span style=
8768 'font-size:10.0pt'>static</span></span>), that are not used outside
8769 the file in which they are defined. In a stand-alone system,
8770 these identifiers should usually be declared using
8771 <span class="CodeText"><span style=
8772 'font-size:10.0pt'>static</span></span> to limit their
8773 scope. If the <span class="Flag"><span style=
8774 'font-size:10.0pt'>export-static</span></span> flag is on,
8775 Splint will report declarations that could have file
8776 scope. It should only be used when all relevant source
8777 files are listed on the Splint command line; otherwise,
8778 variables and functions may be incorrectly identified as only
8779 used in the file scope since Splint did not process the other
8780 file in which they are used.</p>
8781 <h3 style='margin-left:0in;text-indent:0in'><a name=
8782 "_Toc534975027">13.2.2<span style=
8783 'font:7.0pt "Times New Roman"'> </span>
8784 Declarations Missing from Headers</a></h3>
8785 <p class="TextFontCX">A common practice in C programming styles, is
8786 that every function or variable exported by <span class=
8787 "Keyword"><i><span style=
8788 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8790 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
8791 is declared in <span class="Keyword"><i><span style=
8792 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8794 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
8795 If the <span class="Flag"><span style=
8796 'font-size:10.0pt'>export-header</span></span> flag is on, Splint
8797 will report exported declarations in <span class=
8798 "Keyword"><i><span style=
8799 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8801 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
8802 that are not declared in <span class=
8803 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
8804 M</span></i></span><span class="Keyword"><span style=
8805 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.</p>
8806 <h1 style='margin-left:0in;text-indent:0in'><a name=
8807 "_Toc534975028"></a><a name="_Ref534642392"></a><a name=
8808 "_Ref349900301">14<span style=
8809 'font:7.0pt "Times New Roman"'> </span>
8810 <a id="libraries" name="libraries">
8811 Libraries</a> and Header File Inclusion</a></h1>
8812 <p class="TextFontCX">Libraries can be used to record interface
8813 information. A library containing information about the
8814 standard C Library is used to enable checking of library
8815 calls. Program libraries can be created to enable fast
8816 checking of single modules in a large program.</p>
8817 <h2 style='margin-left:0in;text-indent:0in'><a name=
8818 "_Toc534975029"></a><a name="_Ref534035506"></a><a name=
8819 "_Ref348801560"></a><a name="_Ref347465531"></a><a name=
8820 "_Ref344887939"></a><a name="_Toc344355445">14.1<span style=
8821 'font:7.0pt "Times New Roman"'> </span>
8822 Standard Librar</a>ies</h2>
8823 <p class="TextFontCX">In order to check calls to library functions,
8824 Splint uses an annotated standard library. This contains more
8825 information about function interfaces then is available in the
8826 system header files since it uses annotations. Further, it
8827 contains only those functions documented in the ISO C99
8828 standard. Many systems include extra functions in their
8829 system libraries; programs that use these functions cannot be
8830 compiled on other systems that do not provide them. Certain
8831 types defined by the library are treated as abstract types
8832 (e.g., a program should not rely on how the <span class=
8833 "CodeText"><span style='font-size:10.0pt'>FILE</span></span> type
8834 is implemented). When checking source code, Splint does
8835 include system headers corresponding to files in the library, but
8836 instead uses the library description of the standard library.</p>
8837 <p class="TextFontCX"> </p>
8838 <p class="TextFontCX">The Splint distribution includes several
8839 different standard libraries: the ANSI standard library, the POSIX
8840 standard library<a href="#_ftn19" name="_ftnref19" title=
8841 ""><span class="MsoFootnoteReference"><span class=
8842 "MsoFootnoteReference"><span style=
8843 'font-size:11.0pt;font-family:"Times New Roman"'>[19]</span></span></span></a>,
8844 and a UNIX library based on the Open Group’s Single Unix
8845 Specification. Each library comes in two versions: the
8846 standard version and the strict version.</p>
8847 <h3 style='margin-left:0in;text-indent:0in'><a name=
8848 "_Toc534975030">14.1.1<span style=
8849 'font:7.0pt "Times New Roman"'> </span> ISO
8850 Standard Library</a></h3>
8851 <p class="TextFontCX">The default behavior of Splint is to use the
8852 ISO standard library (loaded from <span class=
8853 "CodeText"><span style=
8854 'font-size:10.0pt'>standard.lcd</span></span>). This library
8855 is based on the standard library described in the ISO C99
8857 <h3 style='margin-left:0in;text-indent:0in'><a name=
8858 "_Toc534975031">14.1.2<span style=
8859 'font:7.0pt "Times New Roman"'> </span> POSIX
8861 <p class="TextFontCX">The POSIX library is selected by the
8862 <span class="Flag"><span style=
8863 'font-size:10.0pt'>+posixlib</span></span> flag. The
8864 POSIX library is based on the IEEE Std 1003.1-1990. </p>
8865 <h3 style='margin-left:0in;text-indent:0in'><a name=
8866 "_Toc534975032">14.1.3<span style=
8867 'font:7.0pt "Times New Roman"'> </span> UNIX
8869 <p class="afterlist">The UNIX library is selected by the
8870 <span class="Flag"><span style=
8871 'font-size:10.0pt'>+unixlib</span></span> flag. This library
8872 is based on the Open Group’s Single Unix Specification,
8873 Version 2. In the UNIX library, <span class=
8874 "CodeText"><span style='font-size:10.0pt'>free</span></span> is
8875 declared with a non-null parameter. ISO specifies that
8876 <span class="CodeText"><span style=
8877 'font-size:10.0pt'>free</span></span> should handle the argument
8878 <span class="CodeText"><span style=
8879 'font-size:10.0pt'>NULL</span></span>, but several UNIX platforms
8880 crash if <span class="CodeText"><span style=
8881 'font-size:10.0pt'>NULL</span></span> is passed to
8882 <span class="CodeText"><span style=
8883 'font-size:10.0pt'>free</span></span>.</p>
8884 <h3 style='margin-left:0in;text-indent:0in'><a name=
8885 "_Toc534975033">14.1.4<span style=
8886 'font:7.0pt "Times New Roman"'> </span> Strict
8888 <p class="TextFontCX">Stricter versions of the libraries are used
8889 is the <span class="Flag"><span style=
8890 'font-size:10.0pt'>-ansi-strict</span></span>, <span class=
8892 'font-size:10.0pt'>posix-strict-lib</span></span> or
8893 <span class="Flag"><span style=
8894 'font-size:10.0pt'>unix-strict-lib</span></span> flag is used.
8895 These libraries use a stricter interpretation of the library.
8896 They will detect more errors in some programs, but may to produce
8897 many spurious errors for typical code.</p>
8898 <p class="TextFontCX"> </p>
8899 <p class="beforelist">The differences between the standard
8900 libraries and the strict libraries are:</p>
8901 <p class="MsoListBullet"><span style=
8902 'font-family:Symbol'>·<span style=
8903 'font:7.0pt "Times New Roman"'> </span></span>
8904 The standard libraries declare the printing functions
8905 (<span class="CodeText"><span style=
8906 'font-size:10.0pt'>fprintf</span></span>, <span class=
8907 "CodeText"><span style=
8908 'font-size:10.0pt'>printf</span></span>, and <span class=
8909 "CodeText"><span style=
8910 'font-size:10.0pt'>sprintf</span></span>) that may return
8911 error codes to return <span class="CodeText"><span style=
8912 'font-size:10.0pt'>int</span></span> or <span class=
8913 "CodeText"><span style=
8914 'font-size:10.0pt'>void</span></span>. This prevents
8915 typical programs from leading to deluge of ignored return
8916 value errors, but may mean some relevant errors are not
8917 detected. In the strict library, they are declared to
8918 return <span class="CodeText"><span style=
8919 'font-size:10.0pt'>int</span></span>, so ignored return value
8920 errors will be reported (depending on other flag
8921 settings). Programs should check that this return value
8922 is non-negative.</p>
8923 <p class="MsoListBullet"><span style=
8924 'font-family:Symbol'>·<span style=
8925 'font:7.0pt "Times New Roman"'> </span></span>
8926 The standard libraries declare some parameters and return values to
8927 be alternate types (<span class="CodeText"><span style=
8928 'font-size:10.0pt'>int</span></span> or <span class=
8929 "CodeText"><span style='font-size:10.0pt'>bool</span></span>, or
8930 <span class="CodeText"><span style=
8931 'font-size:10.0pt'>int</span></span> or <span class=
8932 "CodeText"><span style=
8933 'font-size:10.0pt'>char</span></span>). The ISO C99 standard
8934 specifies these types as <span class="CodeText"><span style=
8935 'font-size: 10.0pt'>int</span></span> to be compatible with older
8936 versions of the library, but logically they make more sense as
8937 <span class="CodeText"><span style=
8938 'font-size:10.0pt'>bool</span></span> or <span class=
8939 "CodeText"><span style='font-size:10.0pt'>char</span></span>.
8940 In the strict library, the stronger type is used. The
8941 parameter to <span class="CodeText"><span style=
8942 'font-size:10.0pt'>assert</span></span> is <span class=
8943 "CodeText"><span style='font-size:10.0pt'>int</span></span> or
8944 <span class="CodeText"><span style=
8945 'font-size:10.0pt'>bool</span></span> in the standard library, and
8946 <span class="CodeText"><span style=
8947 'font-size:10.0pt'>bool</span></span> in the strict library.
8948 The parameter to the character functions <span class=
8949 "CodeText"><span style='font-size:10.0pt'>isalnum</span></span>,
8950 <span class="CodeText"><span style=
8951 'font-size:10.0pt'>isalpha</span></span>, <span class=
8952 "CodeText"><span style='font-size:10.0pt'>iscntrl</span></span>,
8953 <span class="CodeText"><span style=
8954 'font-size:10.0pt'>isdigit</span></span>, <span class=
8955 "CodeText"><span style='font-size:10.0pt'>isgraph</span></span>,
8956 <span class="CodeText"><span style=
8957 'font-size:10.0pt'>islower</span></span>, <span class=
8958 "CodeText"><span style='font-size:10.0pt'>isprint</span></span>,
8959 <span class="CodeText"><span style=
8960 'font-size:10.0pt'>ispunct</span></span>, <span class=
8961 "CodeText"><span style='font-size:10.0pt'>isspace</span></span>,
8962 <span class="CodeText"><span style=
8963 'font-size:10.0pt'>isupper</span></span>, <span class=
8964 "CodeText"><span style='font-size:10.0pt'>isxdigit</span></span>,
8965 <span class="CodeText"><span style=
8966 'font-size:10.0pt'>tolower</span></span> and
8967 <span class="CodeText"><span style=
8968 'font-size:10.0pt'>toupper</span></span> is <span class=
8969 "CodeText"><span style='font-size:10.0pt'>char</span></span>
8970 or <span class="CodeText"><span style=
8971 'font-size:10.0pt'>unsigned char</span></span> or
8972 <span class="CodeText"><span style=
8973 'font-size:10.0pt'>int</span></span> in the standard library
8974 and <span class="CodeText"><span style=
8975 'font-size:10.0pt'>char</span></span> in the strict
8976 library. The type of the return value of the character
8977 classification functions (all of the previous character
8978 functions except <span class="CodeText"><span style=
8979 'font-size:10.0pt'>tolower</span></span> and <span class=
8980 "CodeText"><span style=
8981 'font-size:10.0pt'>toupper</span></span>) is <span class=
8982 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
8983 or <span class="CodeText"><span style=
8984 'font-size:10.0pt'>int</span></span> in the standard library
8985 and <span class="CodeText"><span style=
8986 'font-size:10.0pt'>bool</span></span> in the strict
8987 library. The type of the first parameter to
8988 <span class="CodeText"><span style=
8989 'font-size:10.0pt'>ungetc</span></span> is <span class=
8990 "CodeText"><span style='font-size:10.0pt'>char</span></span>
8991 or <span class="CodeText"><span style=
8992 'font-size:10.0pt'>int</span></span> in the standard library
8993 and <span class="CodeText"><span style=
8994 'font-size:10.0pt'>char</span></span> in the strict library
8995 (<span class="CodeText"><span style=
8996 'font-size:10.0pt'>EOF</span></span> should not be passed to
8997 <span class="CodeText"><span style=
8998 'font-size:10.0pt'>ungetc</span></span>). The second
8999 parameter to <span class="CodeText"><span style=
9000 'font-size:10.0pt'>strchr</span></span> and <span class=
9001 "CodeText"><span style=
9002 'font-size:10.0pt'>strrchr</span></span> is <span class=
9003 "CodeText"><span style='font-size:10.0pt'>char</span></span>
9004 or <span class="CodeText"><span style=
9005 'font-size:10.0pt'>int</span></span> in the standard library
9006 and <span class="CodeText"><span style=
9007 'font-size:10.0pt'>char</span></span> in the strict
9009 <p class="MsoListBullet"><span style=
9010 'font-family:Symbol'>·<span style=
9011 'font:7.0pt "Times New Roman"'> </span></span>
9012 The global variables <span class="CodeText"><span style=
9013 'font-size:10.0pt'>stdin</span></span>, <span class=
9014 "CodeText"><span style=
9015 'font-size:10.0pt'>stdout</span></span> and <span class=
9016 "CodeText"><span style=
9017 'font-size:10.0pt'>stderr</span></span> are declared as
9018 <span class="CodeText"><span style=
9019 'font-size:10.0pt'>unchecked</span></span> variables (see Section
9020 7.2) in the standard libraries. In the strict libraries, they
9021 are<span class="CodeText"><span style=
9022 'font-size:10.0pt'>checked</span></span>.</p>
9023 <p class="MsoListBullet"><span style=
9024 'font-family:Symbol'>·<span style=
9025 'font:7.0pt "Times New Roman"'> </span></span>
9026 The global variable <span class="CodeText"><span style=
9027 'font-size:10.0pt'>errno</span></span> is declared
9028 <span class="CodeText"><span style=
9029 'font-size:10.0pt'>unchecked</span></span> in the
9030 standard libraries, but declared <span class=
9031 "CodeText"><span style=
9032 'font-size:10.0pt'>checkedstrict</span></span> in the
9033 strict libraries.</p>
9034 <p class="TextFontCX"> </p>
9035 <p class="TextFontCX">If no library flag is used, Splint will load
9036 the standard library, <span class="Keyword"><span style=
9037 'font-size:10.0pt;font-family:Arial;color:windowtext'>standard.lcd</span></span>.
9038 If <span class="Flag"><span style=
9039 'font-size:10.0pt'>+nolib</span></span> is set, no library is
9040 loaded. The library source files can easily be modified, and
9041 new libraries created to better suit a particular application.</p>
9042 <h2 style='margin-left:0in;text-indent:0in'><a name=
9043 "_Toc534975034"></a><a name="_Toc344355447">14.2<span style=
9044 'font:7.0pt "Times New Roman"'> </span>
9045 Generating Libraries</a></h2>
9046 <p class="TextFontCX">To enable running Splint on large systems,
9047 mechanisms are provided for creating libraries containing necessary
9048 information. This means source files can be checked
9049 independently, after a library has been created. The command line
9050 option <span class="Flag"><span style=
9051 'font-size:10.0pt'>-dump</span></span> <span class=
9052 "Flag"><span style='font-size:10.0pt'><i>library</i></span></span>
9053 stores information in the file <span class=
9054 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
9055 library</span></i></span> (the default extension <span class=
9056 "Keyword"><span style=
9057 'font-size:10.0pt;font-family:Arial; color:windowtext'>.lcd</span></span>
9058 is added). Then, <span class="Flag"><span style=
9059 'font-size:10.0pt'>-load</span></span> <span class=
9060 "Flag"><span style='font-size:10.0pt'><i>library</i></span></span>
9061 loads the library. The library contains interface information
9062 from the files checked when the library was created.</p>
9063 <h3 style='margin-left:0in;text-indent:0in'><a name=
9064 "_Toc534975035">14.2.1<span style=
9065 'font:7.0pt "Times New Roman"'> </span> Generating
9066 the Standard Libraries</a></h3>
9067 <p class="TextFontCX">The standard libraries are generated from
9068 header files included in the Splint distribution. Some
9069 libraries are generated from more than one header file. Since
9070 the POSIX library subsumes the standard library, the headers for
9071 the standard and POSIX libraries are combined to produce the POSIX
9072 library. Similarly, the UNIX library is composed of the
9073 standard, POSIX and UNIX headers. The header files include
9074 some sections that are conditionally selected by defining
9075 <span class="CodeText"><span style=
9076 'font-size:10.0pt'>STRICT</span></span>. The commands to
9077 generate the standard libraries are:</p>
9078 <p class="example" style=
9079 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9080 splint -nolib ansi.h -dump ansi</p>
9081 <p class="example" style=
9082 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9083 splint -nolib -DSTRICT ansi.h -dump ansistrict</p>
9084 <p class="example" style=
9085 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9086 splint -nolib ansi.h posix.h -dump posix</p>
9087 <p class="example" style=
9088 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9089 splint -nolib -DSTRICT ansi.h posix.h -dump posixstrict</p>
9090 <p class="example" style=
9091 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9092 splint -nolib ansi.h posix.h unix.h -dump unix</p>
9093 <p class="example" style=
9094 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9095 splint -nolib -DSTRICT ansi.h posix.h unix.h -dump unixstrict</p>
9096 <h2 style='margin-left:0in;text-indent:0in'><a name=
9097 "_Ref534979539"></a><a name="_Toc534975036"></a><a name=
9098 "_Ref348080056"></a><a name="_Toc344355448">14.3<span style=
9099 'font:7.0pt "Times New Roman"'> </span>
9100 Header File Inclusion</a></h2>
9101 <p class="TextFontCX">The standard behavior of Splint on
9103 <p class="example"><span class="Keyword"><span style=
9104 'font-size:10.0pt'>#include <<i>X</i>.h></span></span></p>
9105 <p class="TextFontCX">is to search for a file named
9106 <span class="Keyword"><i><span style=
9107 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9109 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9110 on the include search path (set using <span class=
9111 "Flag"><span style='font-size: 10.0pt'>–I</span></span>) and
9112 then the system base include path (read from the <span class=
9113 "CodeText"><span style='font-size:10.0pt'>include</span></span>
9114 environment variable if set or using a default value, usually
9115 <span class="Keyword"><span style=
9116 'font-size:10.0pt;font-family:Arial;color:windowtext'>/usr/include</span></span>).
9117 If <span class="Keyword"><i><span style=
9118 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9120 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9121 is the name of a header file in a loaded standard library and
9122 <span class="Keyword"><i><span style=
9123 'font-size:10.0pt;font-family:Arial;color:windowtext'>X</span></i></span><span class="Keyword">
9125 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9126 is found in a directory that is a system directory (as set by the
9127 <span class="Flag"><span style=
9128 'font-size:10.0pt'>-sysdirs</span></span> flag; the default is
9129 <span class="Keyword"><span style=
9130 'font-size:10.0pt;font-family:Arial;color:windowtext'>/usr/include</span></span>),
9131 <span class="Keyword"><i><span style=
9132 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9134 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9135 will not be included if <span class="Flag"><span style=
9136 'font-size:10.0pt'>+skip-iso-headers</span></span> or
9137 <span class="Flag"><span style=
9138 'font-size:10.0pt'>+skip-posix-headers</span></span> (depending
9139 on whether <span class="Keyword"><i><span style=
9140 'font-size:10.0pt;font-family:Arial;color:windowtext'>X</span></i></span><span class="Keyword">
9142 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9143 is an ISO or POSIX header file) is on (both are on by
9144 default). To force all headers to be included normally, use
9145 <span class="Flag"><span style=
9146 'font-size: 10.0pt'>‑skip-iso-headers</span></span>. </p>
9147 <p class="TextFontCX"> </p>
9148 <p class="TextFontCX">Sometimes headers in system directories
9149 contain non-standard syntax that Splint is unable to parse.
9150 The <span class="Flag"><span style=
9151 'font-size:10.0pt'>+skip-sys-headers</span></span> flag may be
9152 used to prevent any include file in a system directory from being
9154 <p class="TextFontCX"> </p>
9155 <p class="TextFontCX">Splint is fast enough that it can be run on
9156 medium-size (10,000 line) programs without performance
9157 concerns. Libraries can be used to enable efficient checking
9158 of small modules in large programs. To further improve
9159 performance, header file inclusion can be optimized.</p>
9160 <p class="TextFontCX"> </p>
9161 <p class="TextFontCX">When processing a complete system in which
9162 many files include the same headers, a large fraction of processing
9163 time is wasted re-reading header files unnecessarily. If you
9164 are checking a 100-file program, and every file includes
9165 <span class="Flag"><span style=
9166 'font-size:10.0pt;font-family:Arial;color:windowtext'>utils.h</span></span>,
9167 Splint will have to process <span class=
9168 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
9169 utils.h</span></span> 100 times (as would most C compilers).
9170 If the <span class="Flag"><span style=
9171 'font-size:10.0pt'>+single-include</span></span> flag is used, each
9172 header file is processed only once. Single header file
9173 processing produces a significant efficiency improvement when
9174 checking large programs split into many files, but is only safe if
9175 the same header file included in different contexts always has the
9176 same meaning (i.e., it does not depend on preprocessor variable
9177 defined differently at different inclusion sites).</p>
9178 <p class="TextFontCX"> </p>
9179 <p class="TextFontCX">When processing a single file in a large
9180 system, a large fraction of the time is spent processing included
9181 header files. This can be avoided if the information in the
9182 header files is stored in a library instead. If
9183 <span class="Flag"><span style=
9184 'font-size:10.0pt'>+never-include</span></span> is set,
9185 inclusion of files ending in <span class="Flag"><span style=
9186 'font-size: 10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9187 is prevented. Files with different suffixes are
9188 included normally. To do this the header files must not
9189 include any expanded macros. That is, the header file must be
9190 processed with <span class="Flag"><span style=
9191 'font-size:10.0pt'>+all-macros</span></span>, and there must
9192 be no <span class="Annot"><span style=
9193 'font-size:10.0pt'>/*@notfunction@*/</span></span> control
9194 comments in the header. Then, the <span class=
9196 'font-size:10.0pt'>+never-include</span></span> flag may be
9197 used to prevent inclusion of header files. Alternately,
9198 non-function macros can be moved to a different file with a
9199 name that does not end in <span class="Keyword"><span style=
9200 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
9201 Remember, that this file must be included directly from the
9202 <span class="Keyword"><span style=
9203 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
9204 file, since if it is included from an <span class=
9205 "Keyword"><span style=
9206 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9207 file indirectly, that <span class="Keyword"><span style=
9208 'font-size:10.0pt; font-family:Arial;color:windowtext'>.h</span></span>
9209 file is ignored so the other file is never included.</p>
9210 <p class="TextFontCX"> </p>
9211 <p class="TextFontCX">These options can be used for significant
9212 performance improvements on large systems. The performance
9213 depends on how the code is structured, but checking a single module
9214 in a large program is several times faster if libraries and
9215 <span class="Flag"><span style=
9216 'font-size:10.0pt'>+noinclude</span></span> are used.</p>
9217 <h3 style='margin-left:0in;text-indent:0in'><a name=
9218 "_Toc534975037">14.3.1<span style=
9219 'font:7.0pt "Times New Roman"'> </span>
9220 Preprocessing Constants</a></h3>
9221 <p class="TextFontCX">Splint defines the preprocessor constant
9222 <span class="CodeText"><span style=
9223 'font-size:10.0pt'>S_SPLINT_S</span></span> when preprocessing
9224 source files. If you want to include code that is processed
9225 only when Splint is used, surround the code with</p>
9226 <p class="TextFontCX" align="left" style='text-align: left'>
9227 <span class="Keyword"><span style=
9228 'font-size:10.0pt'> </span></span></p>
9229 <p class="TextFontCX" align="left" style='text-align: left'>
9230 <span class="Keyword"><span style='font-size:10.0pt'># ifdef
9231 S_SPLINT_S</span></span></p>
9232 <p class="TextFontCX" align="left" style='text-align: left'>
9233 …</p>
9234 <p class="TextFontCX"><span class="Keyword"><span style=
9235 'font-size:10.0pt'># endif</span></span></p>
9236 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
9237 <a name="_Toc534975038"></a><a name="_Toc344355451"></a><a name=
9238 "_Ref343065611">Appendix A<span style=
9239 'font:7.0pt "Times New Roman"'> </span>
9240 <a id="availability" name="availability">
9241 Availability</a></a></p>
9242 <p class="afterlist">The web home page for Splint is
9243 <span class="Keyword"><span style=
9244 'font-size:10.0pt;font-family:Arial;color:windowtext'><a href=
9245 "http://www.splint.org/">http://www.splint.org</a></span></span>.
9246 It includes this guide in HTML format, samples demonstrating
9247 Splint, and links to related web sites. Splint is
9248 available as source code and binary executables for several
9249 platforms. Splint may be freely distributed and
9250 modified under the GNU General Public License. The
9251 latest development code is available through SourceForge.</p>
9252 <p class="TextFontCX"> </p>
9253 <p class="TextFontCX">Splint development is largely driven by
9254 suggestions and comments from users. We are also very
9255 interested in hearing about your experiences using Splint in
9256 developing or maintaining programs, enforcing coding standards, or
9257 teaching courses. For general information, suggestions, and
9258 questions on Splint send mail to <span class=
9259 "Keyword"><span style='font-size:10.0pt;font-family:Arial;color:windowtext'>
9260 splint@cs.virginia.edu</span></span>.</p>
9261 <p class="TextFontCX"> </p>
9262 <p class="TextFontCX">To report a bug in Splint send a message to
9263 <span class="Keyword"><span style=
9264 'font-size:10.0pt;font-family: Arial;color:windowtext'>splint-bug@cs.virginia.edu</span></span>.</p>
9265 <p class="TextFontCX"> </p>
9266 <p class="beforelist">There are two mailing lists associated with
9268 <p class="URL"><span class="Keyword"><span style=
9269 'font-family:Arial;color:windowtext'>splint-announce@virginia.edu</span></span></p>
9270 <p class="IndentText">Reserved for announcements of new releases
9271 and bug fixes. All users should add themselves to this
9273 <p class="URL"><span class="Keyword"><span style=
9274 'font-family:Arial;color:windowtext'>splint-interest@virginia.edu</span></span></p>
9275 <p class="IndentText">Informal discussions on the use and
9276 development of Splint. </p>
9277 <p class="TextFontCX"> </p>
9278 <p class="TextFontCX"><a name="_Ref344882161"></a><a name=
9279 "_Ref344871249"></a><a name="_Ref344870532"></a><a name=
9280 "_Ref344870294">To subscribe to a mailing list, send a message
9281 to</a> <span class="PlainText"><span style=
9282 'font-size:10.0pt;font-family:Arial'>majordomo@virginia.edu</span></span>
9283 containing the body</p>
9284 <p class="URL"><span class="Keyword"><span style=
9285 'font-family:Arial;color:windowtext'>subscribe
9286 splint-announce</span></span><span style=
9287 'font-size:11.0pt;font-family:"Times New Roman"'>or</span>
9288 <span class="Keyword"><span style=
9289 'font-family:Arial;color:windowtext'>subscribe
9290 splint-interest</span></span><a name=
9291 "_Ref348343340"></a><a name="_Ref348330382">.</a></p>
9292 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
9293 <a name="_Toc534975039"></a><a name="_Ref397875360">Appendix
9295 'font:7.0pt "Times New Roman"'> </span>
9296 <a id="flags" name="flags">
9298 </a><a name="_Toc344355437"></a></p>
9299 <p class="beforelist">There are four different types of flags:</p>
9300 <p class="MsoListBullet"><span style=
9301 'font-family:Symbol'>·<span style=
9302 'font:7.0pt "Times New Roman"'> </span></span>
9303 Global flags for controlling initializations and global
9305 <p class="MsoListBullet"><span style=
9306 'font-family:Symbol'>·<span style=
9307 'font:7.0pt "Times New Roman"'> </span></span>
9308 Message format flags for controlling how messages are displayed</p>
9309 <p class="MsoListBullet"><span style=
9310 'font-family:Symbol'>·<span style=
9311 'font:7.0pt "Times New Roman"'> </span></span>
9312 Mode selectors for coarse control of Splint checking</p>
9313 <p class="MsoListBullet"><span style=
9314 'font-family:Symbol'>·<span style=
9315 'font:7.0pt "Times New Roman"'> </span></span>
9316 Checking flags that control checking and what classes of messages
9318 <p class="afterlist">Global flags can be used in initialization
9319 files and at the command line; all other flags may also be used in
9320 control comments.</p>
9321 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9322 <a name="_Toc534975050">Key</a></p>
9323 <p class="beforelist">To the left of each flag name is a flag
9324 descriptor encoding what kind of flag it is and its default
9325 value. The descriptions are:</p>
9327 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9328 height="14" align="left">
9330 <td valign="top" align="left" height="14" style=
9331 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9332 <p class="TextFontCX" align="center" style=
9333 'text-align:center;background:#CCCCCC'><span style=
9334 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
9335 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
9336 <p class="TextFontCX">A <i>plain</i> flag. The value after
9337 the colon gives the default setting (e.g., this flag is
9339 <p class="TextFontCX"> </p>
9341 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9342 height="14" align="left">
9344 <td valign="top" align="left" height="14" style=
9345 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9346 <p class="TextFontCX" align="center" style=
9347 'text-align:center;background:#CCCCCC'><span style=
9348 'font-size:10.0pt'>m:</span><span class="Flag"><span style=
9349 'font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
9350 <p class="TextFontCX">A <i>mode checking flag</i>. The value
9351 of the flag is set by the mode selector. The four signs give
9352 the setting in the weak, standard, checks and strict modes. (e.g.,
9353 this flag is off in the weak and standard modes, and on in the
9354 checks and strict modes.)</p>
9355 <p class="TextFontCX"> </p>
9357 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9358 height="14" align="left">
9360 <td valign="top" align="left" height="14" style=
9361 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9362 <p class="TextFontCX" align="center" style=
9363 'text-align:center;background:#CCCCCC'><span style=
9364 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
9365 <p class="TextFontCX">A <i>shortcut</i> flag. This flag sets
9366 other flags, so it has no default value.</p>
9367 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
9368 <a name="_Toc534975061">Flag Name Abbreviations</a></p>
9369 <p class="beforelist">Within a flag name, abbreviations may be
9370 used. Figure 25 shows the flag name abbreviations. The
9371 expanded and short forms are interchangeable in flag names.</p>
9373 <table class="MsoNormalTable" border="0" cellspacing="0"
9374 cellpadding="0" style=
9375 'margin-left:99.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
9377 <td valign="top" style=
9378 'width:171.0pt;border:none;border-bottom:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
9379 <p class="TextFontCX" align="center" style='text-align:center'>
9380 Expanded Form</p></td>
9381 <td valign="top" style=
9382 'width:67.5pt;border:none;border-bottom:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
9383 <p class="TextFontCX" align="center" style='text-align:center'>
9384 Short Form</p></td></tr>
9386 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9387 <p class="TextFontCX"><span class="Flag"><span style=
9388 'font-size:10.0pt'>constant</span></span></p></td>
9389 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9390 <p class="TextFontCX"><span class="Flag"><span style=
9391 'font-size:10.0pt'>const</span></span></p></td></tr>
9393 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9394 <p class="TextFontCX"><span class="Flag"><span style=
9395 'font-size:10.0pt'>declaration</span></span></p></td>
9396 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9397 <p class="TextFontCX"><span class="Flag"><span style=
9398 'font-size:10.0pt'>decl</span></span></p></td></tr>
9400 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9401 <p class="TextFontCX"><span class="Flag"><span style=
9402 'font-size:10.0pt'>function</span></span></p></td>
9403 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9404 <p class="TextFontCX"><span class="Flag"><span style=
9405 'font-size:10.0pt'>fcn</span></span></p></td></tr>
9407 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9408 <p class="TextFontCX"><span class="Flag"><span style=
9409 'font-size:10.0pt'>global</span></span></p></td>
9410 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9411 <p class="TextFontCX"><span class="Flag"><span style=
9412 'font-size:10.0pt'>glob</span></span></p></td></tr>
9414 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9415 <p class="TextFontCX"><span class="Flag"><span style=
9416 'font-size:10.0pt'>implicit</span></span><span class=
9418 'font-size:10.0pt;font-family:"Times New Roman"'>,</span></span>
9419 <span class="Flag"><span style=
9420 'font-size:10.0pt'>implied</span></span></p></td>
9421 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9422 <p class="TextFontCX"><span class="Flag"><span style=
9423 'font-size:10.0pt'>imp</span></span></p></td></tr>
9425 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9426 <p class="TextFontCX"><span class="Flag"><span style=
9427 'font-size:10.0pt'>iterator</span></span></p></td>
9428 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9429 <p class="TextFontCX"><span class="Flag"><span style=
9430 'font-size:10.0pt'>iter</span></span></p></td></tr>
9432 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9433 <p class="TextFontCX"><span class="Flag"><span style=
9434 'font-size:10.0pt'>length</span></span></p></td>
9435 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9436 <p class="TextFontCX"><span class="Flag"><span style=
9437 'font-size:10.0pt'>len</span></span></p></td></tr>
9439 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9440 <p class="TextFontCX"><span class="Flag"><span style=
9441 'font-size:10.0pt'>modifies</span></span></p></td>
9442 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9443 <p class="TextFontCX"><span class="Flag"><span style=
9444 'font-size:10.0pt'>mods</span></span></p></td></tr>
9446 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9447 <p class="TextFontCX"><span class="Flag"><span style=
9448 'font-size:10.0pt'>modify</span></span></p></td>
9449 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9450 <p class="TextFontCX"><span class="Flag"><span style=
9451 'font-size:10.0pt'>mod</span></span></p></td></tr>
9453 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9454 <p class="TextFontCX"><span class="Flag"><span style=
9455 'font-size:10.0pt'>memory</span></span></p></td>
9456 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9457 <p class="TextFontCX"><span class="Flag"><span style=
9458 'font-size:10.0pt'>mem</span></span></p></td></tr>
9460 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9461 <p class="TextFontCX"><span class="Flag"><span style=
9462 'font-size:10.0pt'>parameter</span></span></p></td>
9463 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9464 <p class="TextFontCX"><span class="Flag"><span style=
9465 'font-size:10.0pt'>param</span></span></p></td></tr>
9467 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9468 <p class="TextFontCX"><span class="Flag"><span style=
9469 'font-size:10.0pt'>pointer</span></span></p></td>
9470 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9471 <p class="TextFontCX" style='page-break-after: avoid'>
9472 <span class="Flag"><span style=
9473 'font-size:10.0pt'>ptr</span></span></p></td></tr>
9475 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9476 <p class="TextFontCX"><span class="Flag"><span style=
9477 'font-size:10.0pt'>return</span></span></p></td>
9478 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9479 <p class="TextFontCX"><span class="Flag"><span style=
9480 'font-size:10.0pt'>ret</span></span></p></td></tr>
9482 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9483 <p class="TextFontCX"><span class="Flag"><span style=
9484 'font-size:10.0pt'>variable</span></span></p></td>
9485 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9486 <p class="TextFontCX"><span class="Flag"><span style=
9487 'font-size:10.0pt'>var</span></span></p></td></tr>
9489 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9490 <p class="TextFontCX"><span class="Flag"><span style=
9491 'font-size:10.0pt'>unconstrained, unconst</span></span></p></td>
9492 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9493 <p class="TextFontCX" style='page-break-after: avoid'>
9494 <span class="Flag"><span style=
9495 'font-size:10.0pt'>uncon</span></span></p></td></tr></table>
9496 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
9498 <td valign="top" style=
9499 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
9500 <p class="MsoCaption"><a name="_Toc534824627"></a><a name=
9501 "_Ref534824456">Figure 25</a>. Flag Name
9502 Abbreviations</p></td></tr></table></center>
9503 <p class="beforelist">The expanded and short forms are
9504 interchangeable in flag names.</p>
9505 <p class="beforelist">For example, <span class=
9506 "Flag"><span style='font-size:10.0pt'>globsimpmodsnothing</span></span>
9507 and <span class="Flag"><span style=
9508 'font-size:10.0pt'>globalsimpliesmodifiesnothing</span></span>
9509 denote the same flag. Abbreviations in flag names allow
9510 pronounceable, descriptive names to be used without making
9511 flag names excessively long (although one must admit even
9512 <span class="Flag"><span style=
9513 'font-size:10.0pt'>globsimpmodsnothing</span></span> is a bit
9515 <p class="TextFontCX">To make flag names more readable, the space,
9516 dash (<span class="Flag"><span style=
9517 'font-size:10.0pt'>-</span></span>), and underscore
9518 (<span class="Flag"><span style=
9519 'font-size:10.0pt'>_</span></span>) characters may be used
9520 inside a flag name. Hence, <span class=
9522 'font-size:10.0pt'>globals-implies-modifies-nothing</span></span>,
9523 <span class="Flag"><span style=
9524 'font-size:10.0pt'>glob_imps_­mods­nothing</span></span>
9525 and <span class="Flag"><span style=
9526 'font-size:10.0pt'>globsimpmodsnothing</span></span> are
9528 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
9529 <a name="_Toc534975040">Global Flags</a></p>
9530 <p class="TextFontCX">Global flags can be set at the command line
9531 or in an options file, but cannot be set locally using stylized
9532 comments. These flags control on-line help, initialization
9533 files, pre-processor flags, libraries and output.</p>
9534 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9535 <a name="_Toc534975041">Help</a></p>
9536 <p class="beforelist">On-line help provides documentation on Splint
9537 operation and flags. When a help flag is used, no checking is
9538 done by Splint. Help flags may be preceded by
9539 <span class="Flag"><span style=
9540 'font-size:10.0pt'>-</span></span> or <span class=
9541 "Flag"><span style='font-size:10.0pt'>+</span></span>.</p>
9542 <p class="TextFontCX"><span class="Flag"><span style=
9543 'font-size:10.0pt'>help</span></span></p>
9544 <p class="IndentText">Display general help overview, including list
9545 of additional help topics.</p>
9546 <p class="TextFontCX"><span class="Flag"><span style=
9547 'font-size:10.0pt'>help</span></span> <span class=
9549 'font-size:10.0pt'><topic></span></span></p>
9550 <p class="indentbefore">Display help on <i><topic></i>.
9551 Available topics:</p>
9552 <table class="MsoNormalTable" border="0" cellspacing="0"
9553 cellpadding="0" style=
9554 'width:400.5pt;margin-left:27.9pt;border-collapse:collapse'>
9556 <td valign="top" style=
9557 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9558 <p class="TextFontCX" style='text-indent:5.4pt'><span class=
9560 'font-size:10.0pt'>annotations</span></span></p></td>
9561 <td valign="top" style=
9562 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9563 <p class="TextFontCX" align="left" style='text-align:left'>describe
9564 annotations</p></td></tr>
9566 <td valign="top" style=
9567 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9568 <p class="TextFontCX"><span class="Flag"><span style=
9569 'font-size:10.0pt'>comments</span></span></p></td>
9570 <td valign="top" style=
9571 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9572 <p class="TextFontCX" align="left" style='text-align:left'>describe
9573 control comments</p></td></tr>
9575 <td valign="top" style=
9576 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9577 <p class="TextFontCX"><span class="Flag"><span style=
9578 'font-size:10.0pt'>flags</span></span></p></td>
9579 <td valign="top" style=
9580 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9581 <p class="TextFontCX" align="left" style='text-align:left'>describe
9582 flag categories</p></td></tr>
9584 <td valign="top" style=
9585 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9586 <p class="TextFontCX"><span class="Flag"><span style=
9587 'font-size:10.0pt'>flags
9588 <i><category></i></span></span></p></td>
9589 <td valign="top" style=
9590 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9591 <p class="TextFontCX" align="left" style='text-align:left'>all
9592 flags pertaining to <category> (one of the categories listed
9593 by <span class="Flag"><span style='font-size:10.0pt'>splint -help
9594 flags</span></span>)</p></td></tr>
9596 <td valign="top" style=
9597 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9598 <p class="TextFontCX"><span class="Flag"><span style=
9599 'font-size:10.0pt'>flags alpha</span></span>
9600 </p></td>
9601 <td valign="top" style=
9602 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9603 <p class="TextFontCX" align="left" style='text-align:left'>all
9604 flags in alphabetical order</p></td></tr>
9606 <td valign="top" style=
9607 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9608 <p class="TextFontCX"><span class="Flag"><span style=
9609 'font-size:10.0pt'>flags full</span></span></p></td>
9610 <td valign="top" style=
9611 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9612 <p class="TextFontCX" align="left" style='text-align:left'>print a
9613 full description of all flags</p></td></tr>
9615 <td valign="top" style=
9616 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9617 <p class="TextFontCX"><span class="Flag"><span style=
9618 'font-size:10.0pt'>mail</span></span></p></td>
9619 <td valign="top" style=
9620 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9621 <p class="TextFontCX" align="left" style='text-align:left'>print
9622 information on mailing lists</p></td></tr>
9624 <td valign="top" style=
9625 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9626 <p class="TextFontCX"><span class="Flag"><span style=
9627 'font-size:10.0pt'>modes</span></span></p></td>
9628 <td valign="top" style=
9629 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9630 <p class="TextFontCX" align="left" style='text-align:left'>flags
9631 settings in modes</p></td></tr>
9633 <td valign="top" style=
9634 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9635 <p class="TextFontCX"><span class="Flag"><span style=
9636 'font-size:10.0pt'>prefixcodes</span></span></p></td>
9637 <td valign="top" style=
9638 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9639 <p class="TextFontCX" align="left" style='text-align:left'>
9640 character codes for setting namespace prefixes</p></td></tr>
9642 <td valign="top" style=
9643 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9644 <p class="TextFontCX"><span class="Flag"><span style=
9645 'font-size:10.0pt'>references</span></span></p></td>
9646 <td valign="top" style=
9647 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9648 <p class="TextFontCX" align="left" style='text-align:left'>print
9649 references to relevant papers and web sites</p></td></tr>
9651 <td valign="top" style=
9652 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9653 <p class="TextFontCX"><span class="Flag"><span style=
9654 'font-size:10.0pt'>vars</span></span></p></td>
9655 <td valign="top" style=
9656 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9657 <p class="TextFontCX" align="left" style='text-align:left'>describe
9658 environment variables</p></td></tr>
9660 <td valign="top" style=
9661 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9662 <p class="TextFontCX"><span class="Flag"><span style=
9663 'font-size:10.0pt'>version</span></span></p></td>
9664 <td valign="top" style=
9665 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9666 <p class="TextFontCX" align="left" style='text-align:left'>print
9667 maintainer and version information</p>
9668 <p class="TextFontCX" align="left" style='text-align:left'>
9669 </p></td></tr></table>
9670 <p class="afterlist"><span class="Flag"><span style=
9671 'font-size:10.0pt'>help</span></span> <span class=
9673 'font-size:10.0pt'><flag></span></span></p>
9674 <p class="IndentText">Describe flag <i><flag></i>. (May
9675 list several flags.)</p>
9676 <p class="TextFontCX"><span class="Flag"><span style=
9677 'font-size:10.0pt'>warn-flags</span></span></p>
9678 <p class="IndentText">Display a warning when a flag is set in a
9679 surprising way. An error is reported if an obsolete flag is
9680 set, a flag is set to its current value (i.e., the
9681 <span class="Flag"><span style=
9682 'font-size:10.0pt'>+</span></span> or <span class=
9683 "Flag"><span style='font-size:10.0pt'>-</span></span> may be
9684 wrong), or a mode selector flag is set after mode checking
9685 flags that will be reset by the mode were set. By
9686 default, <span class="Flag"><span style=
9687 'font-size:10.0pt'>+warn-flags</span></span> is on. To
9688 suppress flag warnings, use <span class="Flag"><span style=
9689 'font-size:10.0pt'>‑warn-flags</span></span>.</p>
9691 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9692 height="14" align="left">
9694 <td valign="top" align="left" height="14" style=
9695 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9696 <p class="TextFontCX" align="center" style=
9697 'text-align:center;background:#CCCCCC'><span style=
9698 'font-size:10.0pt'>P:</span> <span class=
9699 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9700 <p class="TextFontCX"><span class="Flag"><span style=
9701 'font-size:10.0pt'>warn-rc</span></span></p>
9702 <p class="IndentText">There was a problem reading an initialization
9705 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9706 height="14" align="left">
9708 <td valign="top" align="left" height="14" style=
9709 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9710 <p class="TextFontCX" align="center" style=
9711 'text-align:center;background:#CCCCCC'><span style=
9712 'font-size:10.0pt'>P:</span> <span class=
9713 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9714 <p class="TextFontCX"><span class="Flag"><span style=
9715 'font-size:10.0pt'>bad-flag</span></span></p>
9716 <p class="IndentText">A flag is not recognized or used in an
9719 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9720 height="14" align="left">
9722 <td valign="top" align="left" height="14" style=
9723 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9724 <p class="TextFontCX" align="center" style=
9725 'text-align:center;background:#CCCCCC'><span style=
9726 'font-size:10.0pt'>P:</span> <span class=
9727 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9728 <p class="TextFontCX"><span class="Flag"><span style=
9729 'font-size:10.0pt'>fileextensions</span></span></p>
9730 <p class="IndentText">Warn when command line file does not have a
9731 recognized extension.</p>
9732 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9733 <a name="_Toc534975042">Initialization</a></p>
9734 <p class="beforelist">These flags control directories and files
9735 used by Splint. They may be used from the command line or in
9736 an options file, but may not be used as control comments in the
9737 source code. Except where noted. they have the same meaning
9738 preceded by <span class="Flag"><span style=
9739 'font-size:10.0pt'>-</span></span> or <span class=
9740 "Flag"><span style='font-size:10.0pt'>+</span></span>. </p>
9741 <p class="TextFontCX"><span class="Flag"><span style=
9742 'font-size:10.0pt'>tmpdir</span></span> <span class=
9744 'font-size:10.0pt'><i><directory></i></span></span></p>
9745 <p class="IndentText">Set directory for writing temp files.
9746 Default is <span class="ProgramNameChar"><span style=
9747 'font-size:10.0pt'>/tmp/</span></span>.</p>
9748 <p class="TextFontCX"><span class="Flag"><span style=
9749 'font-size:10.0pt'>I<i><directory></i></span></span></p>
9750 <p class="IndentText">Add directory to path searched for C include
9751 files. Note there is no space after the <span class=
9752 "Flag"><span style='font-size:10.0pt'>I</span></span>, to be
9753 consistent with C preprocessor flags.</p>
9754 <p class="TextFontCX"><span class="Flag"><span style=
9755 'font-size:10.0pt'>S<i><directory></i></span></span></p>
9756 <p class="IndentText">Add directory to path search for
9757 <span class="ProgramNameChar"><span style=
9758 'font-size:10.0pt'>.lcl</span></span> specification
9760 <p class="IndentText"> </p>
9761 <p class="TextFontCX"><span class="Flag"><span style=
9762 'font-size:10.0pt'>larchpath</span></span> <span class=
9764 'font-size:10.0pt'><i><path></i></span></span></p>
9765 <p class="IndentText">Set path to search for library files.
9766 Overrides <span class="CodeText"><span style=
9767 'font-size:10.0pt'>LARCH_PATH</span></span> environment
9769 <p class="TextFontCX"><span class="Flag"><span style=
9770 'font-size:10.0pt'>lclimportdir</span></span> <span class=
9772 'font-size:10.0pt'><i><directory></i></span></span></p>
9773 <p class="IndentText">Set directory to search for LCL import
9774 files. Overrides<span class="CodeText"><span style=
9775 'font-size:10.0pt'>LCLIMPORTDIR</span></span> environment
9777 <p class="IndentText"> </p>
9778 <p class="TextFontCX"><span class="Flag"><span style=
9779 'font-size:10.0pt'>f</span></span> <span class=
9780 "Flag"><span style='font-size:10.0pt'><i><file></i></span></span></p>
9781 <p class="MsoNormal" style='margin-left:13.5pt'>Load options from
9782 <span class="Flag"><i><span style=
9783 'font-size:10.0pt'><file></span></i></span>. If this
9784 flag is used from the command line, the default <span class=
9785 "FileNameChar"><span style=
9786 'font-size:10.0pt'>~/.splintrc</span></span> file is not
9787 loaded. This flag may be used in an options file to include
9788 another options file.</p>
9789 <p class="TextFontCX"><span class="Flag"><span style=
9790 'font-size:10.0pt'>i</span></span> <span class=
9791 "Flag"><span style='font-size:10.0pt'><i><file></i></span></span></p>
9792 <p class="MsoNormal" style='margin-left:13.5pt'>Set LCL
9793 initilization file.</p>
9794 <p class="TextFontCX"><span class="Flag"><span style=
9795 'font-size:10.0pt'>nof</span></span></p>
9796 <p class="IndentText">Prevents the default options files
9797 (<span class="FileNameChar"><span style=
9798 'font-size:10.0pt'>./.splintrc</span></span>and <span class=
9799 "FileNameChar"><span style=
9800 'font-size:10.0pt'>~/.splintrc</span></span>) from being
9801 loaded. (Setting <span class="Flag"><span style=
9802 'font-size:10.0pt'>-nof</span></span> overrides <span class=
9803 "Flag"><span style='font-size:10.0pt'>+nof</span></span>, causing
9804 the options files to be loaded normally.)</p>
9805 <p class="TextFontCX"><span class="Flag"><span style=
9806 'font-size:10.0pt'>sys-dirs</span></span></p>
9807 <p class="IndentText">Set directories for system files (default is
9808 <span class="FileNameChar"><span style=
9809 'font-size:10.0pt'>/usr/</span></span>). Separate directories
9810 with the path separator for your operating system (e.g.,
9811 semi-colons for Windows or colons for Unix: <span class=
9812 "FileNameChar"><span style=
9813 'font-size:10.0pt'>/usr/include:/usr/local/lib</span></span>).
9814 Flag settings propagate to files in a system directory. If
9815 <span class="Flag"><span style=
9816 'font-size:10.0pt'>-sys-dir-errors</span></span> is set, no errors
9817 are reported for files in system directories.</p>
9818 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9819 <a name="_Toc534975043"></a><a name=
9820 "_Ref345883190">Pre-processor</a></p>
9822 <p class="beforelist">These flags are used to define or undefine
9823 pre-processor constants. The <span class=
9824 "Flag"><span style='font-size:10.0pt'>-I<i><directory></i></span></span>
9825 flag is also passed to the C pre-processor.</p>
9826 <p class="TextFontCX"><span class="Flag"><span style=
9827 'font-size:10.0pt'>D<initializer></span></span></p>
9828 <p class="IndentText">Passed to the C pre-processor.</p>
9830 <p class="FileName0" style='margin-left:0in'><span class=
9831 "Flag">U<initializer></span></p>
9832 <p class="IndentText">Passed to the C pre-processor.</p>
9835 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9836 height="14" align="left">
9838 <td valign="top" align="left" height="14" style=
9839 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9840 <p class="TextFontCX" align="center" style=
9841 'text-align:center;background:#CCCCCC'><span style=
9842 'font-size:10.0pt'>P:</span> <span class=
9843 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9844 <p class="TextFontCX"><span class="Flag"><span style=
9845 'font-size:10.0pt'>unrecogdirective</span></span></p>
9846 <p class="IndentText">Preprocessor directive is not recognized.
9850 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9851 height="14" align="left">
9853 <td valign="top" align="left" height="14" style=
9854 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9855 <p class="TextFontCX" align="center" style=
9856 'text-align:center;background:#CCCCCC'><span style=
9857 'font-size:10.0pt'>P:</span> <span class=
9858 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9859 <p class="TextFontCX"><span class="Flag"><span style=
9860 'font-size:10.0pt'>preproc</span></span></p>
9861 <p class="IndentText">Preprocessing error.
9865 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9866 <a name="_Toc534975044">Libraries</a></p>
9867 <p class="beforelist">These flags control the creation and use of
9869 <p class="TextFontCX"><span class="Flag"><span style=
9870 'font-size:10.0pt'>dump</span></span> <span class=
9872 'font-size:10.0pt'><i><file></i></span></span></p>
9873 <p class="IndentText">Save state in <span class=
9874 "Flag"><i><span style=
9875 'font-size: 10.0pt'><file></span></i></span> for
9876 loading. The default extension <span class=
9877 "ProgramNameChar"><span style='font-size:10.0pt'>.lcd</span></span>
9878 is added if <span class="Flag"><i><span style=
9879 'font-size:10.0pt'><file></span></i></span> has no
9881 <p class="TextFontCX"><span class="Flag"><span style=
9882 'font-size:10.0pt'>load</span></span><span class=
9883 "Flag"><span style='font-size:10.0pt'> <i><file></i></span></span></p>
9884 <p class="IndentText">Load state from <span class=
9885 "Flag"><i><span style=
9886 'font-size: 10.0pt'><file></span></i></span> (created by
9887 <span class="Flag"><span style=
9888 'font-size:10.0pt'>-dump</span></span>). The default
9889 extension <span class="FileNameChar"><span style=
9890 'font-size:10.0pt'>.lcd</span></span> is added if
9891 <span class="Flag"><i><span style=
9892 'font-size:10.0pt'><file></span></i></span> has no
9893 extension. Only one library file may be loaded.</p>
9894 <p class="betweenlists">By default, the standard library is loaded
9895 if the <span class="Flag"><span style=
9896 'font-size:10.0pt'>-load</span></span> flag is not used to load a
9897 user library. If no user library is loaded, one of the
9898 following flags may be used to select a different standard
9899 library. Precede the flag by <span class=
9900 "Flag"><span style='font-size:10.0pt'>+</span></span> to load
9901 the described library (or to prevent a library from being
9902 loaded using <span class="Flag"><span style=
9903 'font-size:10.0pt'>no-lib</span></span>). See Section 14.1
9904 for information on the provided libraries.</p>
9905 <p class="TextFontCX"><span class="Flag"><span style=
9906 'font-size:10.0pt'>no-lib</span></span></p>
9907 <p class="IndentText">Do not load any library. This prevents
9908 the standard library from being loaded.</p>
9909 <p class="TextFontCX"><span class="Flag"><span style=
9910 'font-size:10.0pt'>ansi-lib</span></span></p>
9911 <p class="IndentText">Use the ANSI standard library (selected by
9913 <p class="TextFontCX"><span class="Flag"><span style=
9914 'font-size:10.0pt'>strict-lib</span></span></p>
9915 <p class="IndentText">Use strict version of the ANSI standard
9917 <p class="TextFontCX"><span class="Flag"><span style=
9918 'font-size:10.0pt'>posix-lib</span></span></p>
9919 <p class="IndentText">Use the POSIX standard library.</p>
9920 <p class="TextFontCX"><span class="Flag"><span style=
9921 'font-size:10.0pt'>posix-strict-lib</span></span></p>
9922 <p class="IndentText">Use the strict version of the POSIX standard
9924 <p class="TextFontCX"><span class="Flag"><span style=
9925 'font-size:10.0pt'>unix-lib</span></span></p>
9926 <p class="IndentText">Use UNIX version of standard library.</p>
9927 <p class="TextFontCX"><span class="Flag"><span style=
9928 'font-size:10.0pt'>unix-strict-lib</span></span></p>
9929 <p class="IndentText">Use the strict version of the UNIX standard
9931 <p class="IndentText"> </p>
9932 <p class="TextFontCX"><span class="Flag"><span style=
9933 'font-size:10.0pt'>which-lib</span></span></p>
9934 <p class="IndentText">Print out the standard library filename and
9935 creation information.</p>
9938 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9939 height="14" align="left">
9941 <td valign="top" align="left" height="14" style=
9942 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9943 <p class="TextFontCX" align="center" style=
9944 'text-align:center;background:#CCCCCC'><span style=
9945 'font-size:10.0pt'>P:</span> <span class=
9946 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9947 <p class="TextFontCX"><span class="Flag"><span style=
9948 'font-size:10.0pt'>newdecl</span></span></p>
9949 <p class="IndentText">There is a new declaration that is not declared in a loaded library or
9950 earlier file. (Use this flag to check for consistency against a library.)
9955 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9956 height="14" align="left">
9958 <td valign="top" align="left" height="14" style=
9959 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9960 <p class="TextFontCX" align="center" style=
9961 'text-align:center;background:#CCCCCC'><span style=
9962 'font-size:10.0pt'>P:</span> <span class=
9963 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9964 <p class="TextFontCX"><span class="Flag"><span style=
9965 'font-size:10.0pt'>impconj</span></span></p>
9966 <p class="IndentText">Make all alternate types implicit (useful for making system libraries).
9969 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9970 <a name="_Toc534975045">Output</a></p>
9971 <p class="beforelist">These flags control what additional
9972 information Splint prints. Setting <span class=
9974 'font-size:10.0pt'>+<i><flag></i></span></span> causes the
9975 described information to be printed; setting <span class=
9977 'font-size:10.0pt'>-<i><flag></i></span></span> prevents
9978 it. By default, all these flags are off.</p>
9979 <p class="TextFontCX"><span class="Flag"><span style=
9980 'font-size:10.0pt'>use-stderr</span></span></p>
9981 <p class="IndentText">Send error messages to standard error
9982 (instead of standard output).</p>
9983 <p class="TextFontCX"><span class="Flag"><span style=
9984 'font-size:10.0pt'>show-summary</span></span></p>
9985 <p class="IndentText">Show a summary of all errors reported and
9986 suppressed. Counts of suppressed errors are not necessarily
9987 correct since turning a flag off may prevent some checking from
9988 being done to save computation, and errors that are not reported
9989 may propagate differently from when they are reported.</p>
9990 <p class="TextFontCX"><span class="Flag"><span style=
9991 'font-size:10.0pt'>show-scan</span></span></p>
9992 <p class="IndentText">Show file names are they are processed.</p>
9993 <p class="TextFontCX"><span class="Flag"><span style=
9994 'font-size:10.0pt'>show-all-uses</span></span></p>
9995 <p class="IndentText">Show list of uses of all external identifiers
9996 sorted by number of uses.</p>
9997 <p class="TextFontCX"><span class="Flag"><span style=
9998 'font-size:10.0pt'>stats</span></span></p>
9999 <p class="IndentText">Display number of lines processed and
10001 <p class="TextFontCX"><span class="Flag"><span style=
10002 'font-size:10.0pt'>time-dist</span></span></p>
10003 <p class="IndentText">Display distribution of where checking time
10005 <p class="TextFontCX"><span class="Flag"><span style=
10006 'font-size:10.0pt'>quiet</span></span></p>
10007 <p class="IndentText">Suppress herald and error count. (If
10008 <span class="Flag"><span style=
10009 'font-size:10.0pt'>quiet</span></span> is not set, Splint prints
10010 out a herald with version information before checking begins, and a
10011 line summarizing the total number of errors reported.)</p>
10012 <p class="TextFontCX"><span class="Flag"><span style=
10013 'font-size:10.0pt'>which-lib</span></span></p>
10014 <p class="IndentText">Print out the standard library filename and
10015 creation information.</p>
10016 <p class="TextFontCX"><span class="Flag"><span style=
10017 'font-size:10.0pt'>limit</span></span> <span class=
10018 "Flag"><span style=
10019 'font-size:10.0pt'><i><number></i></span></span></p>
10020 <p class="IndentText">At most <span class=
10021 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
10022 similar errors are reported consecutively. Further
10023 errors are suppressed, and a message showing the number of
10024 suppressed messages is printed.</p>
10025 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10026 <a name="_Toc534975046">Expected Errors</a></p>
10027 <p class="beforelist">Normally, Splint will expect to report no
10028 errors. The exit status will be success (<span class=
10029 "Keyword"><span style='font-size:10.0pt'>0</span></span>) if no
10030 errors are reported, and failure if any errors are reported.
10031 Flags can be used to set the expected number of reported
10032 errors. Because of the provided error suppression mechanisms,
10033 these options should probably not be used for final checking real
10034 programs but may be useful in developing programs using make.</p>
10035 <p class="TextFontCX"><span class="Flag"><span style=
10036 'font-size:10.0pt'>expect</span></span> <span class=
10037 "Flag"><span style=
10038 'font-size:10.0pt'><i><number></i></span></span></p>
10039 <p class="IndentText">Exactly <span class=
10040 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
10041 code errors are expected. Splint will exit with failure
10042 exit status unless <span class="Flag"><i><span style=
10043 'font-size:10.0pt'><number></span></i></span> code
10044 errors are detected.</p>
10045 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10046 <a name="_Toc534975047">Message Format</a></p>
10047 <p class="beforelist">These flags control how messages are
10048 printed. They may be set at the command line, in options
10049 files, or locally in syntactic comments. The
10050 <span class="Flag"><span style=
10051 'font-size:10.0pt'>line-len</span></span> and <span class=
10052 "Flag"><span style='font-size:10.0pt'>limit</span></span>
10053 flags may be preceded by <span class="Flag"><span style=
10054 'font-size:10.0pt'>+</span></span> or <span class=
10055 "Flag"><span style='font-size:10.0pt'>-</span></span> with
10056 the same meaning; for the other flags, <span class=
10057 "Flag"><span style='font-size: 10.0pt'>+</span></span> turns
10058 on the describe printing and <span class="Flag"><span style=
10059 'font-size:10.0pt'>-</span></span> turns it off. The
10060 box to the left of each flag gives its default value.</p>
10062 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10063 height="14" align="left">
10065 <td valign="top" align="left" height="14" style=
10066 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10067 <p class="TextFontCX" align="center" style=
10068 'text-align:center;background:#CCCCCC'><span class=
10069 "Flag"><span style=
10070 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10071 <p class="TextFontCX"><span class="Flag"><span style=
10072 'font-size:10.0pt'>show-column</span></span></p>
10073 <p class="IndentText">Show column number where error is found.</p>
10075 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10076 height="14" align="left">
10078 <td valign="top" align="left" height="14" style=
10079 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10080 <p class="TextFontCX" align="center" style=
10081 'text-align:center;background:#CCCCCC'><span class=
10082 "Flag"><span style=
10083 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10084 <p class="TextFontCX"><span class="Flag"><span style=
10085 'font-size:10.0pt'>show-func</span></span></p>
10086 <p class="IndentText">Show name of function (or macro) definition
10087 containing error. The function name is printed once before
10088 the first message detected in that function.</p>
10090 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10091 height="14" align="left">
10093 <td valign="top" align="left" height="14" style=
10094 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10095 <p class="TextFontCX" align="center" style=
10096 'text-align:center;background:#CCCCCC'><span class=
10097 "Flag"><span style=
10098 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10099 <p class="TextFontCX"><span class="Flag"><span style=
10100 'font-size:10.0pt'>show-all-conjs</span></span></p>
10101 <p class="IndentText">Show all possible alternate types (see
10104 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10105 height="14" align="left">
10107 <td valign="top" align="left" height="14" style=
10108 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10109 <p class="TextFontCX" align="center" style=
10110 'text-align:center;background:#CCCCCC'><span class=
10111 "Flag"><span style=
10112 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10113 <p class="TextFontCX"><span class="Flag"><span style=
10114 'font-size:10.0pt'>paren-file-format</span></span></p>
10115 <p class="IndentText">Use <span class="Flag"><i><span style=
10116 'font-size:10.0pt'><file></span></i></span><span class=
10117 "CodeText"><span style=
10118 'font-size:10.0pt'>(</span></span><span class=
10119 "Flag"><i><span style='font-size:10.0pt'><line></span></i></span><span class="CodeText">
10120 <span style='font-size:10.0pt'>)</span></span> format in
10121 messages. (Default is + for Win32 for compatibility with
10122 Microsoft VisualStudio.)</p>
10124 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10125 height="14" align="left">
10127 <td valign="top" align="left" height="14" style=
10128 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10129 <p class="TextFontCX" align="center" style=
10130 'text-align:center;background:#CCCCCC'><span class=
10131 "Flag"><span style=
10132 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10133 <p class="TextFontCX"><span class="Flag"><span style=
10134 'font-size:10.0pt'>hints</span></span></p>
10135 <p class="IndentText">Provide hints describing an error and how a
10136 message may be suppressed for the first error reported in each
10139 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10140 height="14" align="left">
10142 <td valign="top" align="left" height="14" style=
10143 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10144 <p class="TextFontCX" align="center" style=
10145 'text-align:center;background:#CCCCCC'><span class=
10146 "Flag"><span style=
10147 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10148 <p class="TextFontCX"><span class="Flag"><span style=
10149 'font-size:10.0pt'>force-hints</span></span></p>
10150 <p class="IndentText">Provide hints for all errors reported, even
10151 if the hint has already been displayed for the same error
10154 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10155 height="14" align="left">
10157 <td valign="top" align="left" height="14" style=
10158 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10159 <p class="TextFontCX" align="center" style=
10160 'text-align:center;background:#CCCCCC'><span class=
10161 "Flag"><span style=
10162 'font-size:10.0pt'>80</span></span></p></td></tr></table></div>
10163 <p class="TextFontCX"><span class="Flag"><span style=
10164 'font-size:10.0pt'>line-len</span></span> <span class=
10165 "Flag"><span style=
10166 'font-size:10.0pt'><i><number></i></span></span></p>
10167 <p class="IndentText">Set length of maximum message line to
10168 <span class="Flag"><i><span style=
10169 'font-size:10.0pt'><number></span></i></span>
10170 characters. Splint will split messages longer than
10171 <span class="Flag"><i><span style=
10172 'font-size: 10.0pt'><number></span></i></span> characters
10173 long into multiple lines.</p>
10176 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10177 height="14" align="left">
10179 <td valign="top" align="left" height="14" style=
10180 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10181 <p class="TextFontCX" align="center" style=
10182 'text-align:center;background:#CCCCCC'><span class=
10183 "Flag"><span style=
10184 'font-size:10.0pt'>3</span></span></p></td></tr></table></div>
10185 <p class="TextFontCX"><span class="Flag"><span style=
10186 'font-size:10.0pt'>indentspaces</span></span> <span class=
10187 "Flag"><span style=
10188 'font-size:10.0pt'><i><number></i></span></span></p>
10189 <p class="IndentText">
10190 Set the number of spaces to indent sub-messages.
10192 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10193 <a name="_Toc534975048">Mode Selector Flags</a></p>
10194 <p class="TextFontCX">Mode selects flags set the mode checking
10195 flags to predefined values. They provide a quick coarse-grain
10196 way of controlling what classes of errors are reported. Specific
10197 checking flags may be set after a mode flag to override the mode
10198 settings. Mode flags may be used locally, however the mode
10199 settings will override specific command line flag settings. A
10200 warning is produced if a mode flag is used after a mode checking
10201 flag has been set.</p>
10202 <p class="TextFontCX"> </p>
10203 <p class="beforelist">These are brief descriptions to give a
10204 general idea of what each mode does. To see the complete flag
10205 settings in each mode, use <span class="Flag"><span style=
10206 'font-size:10.0pt'>splint -help modes</span></span>. A mode flag
10207 has the same effect when used with either <span class=
10208 "Flag"><span style='font-size:10.0pt'>+</span></span> or
10209 <span class="Flag"><span style=
10210 'font-size:10.0pt'>-</span></span>.</p>
10211 <p class="TextFontCX"><span class="Flag"><span style=
10212 'font-size:10.0pt'>weak</span></span></p>
10213 <p class="IndentText">Weak checking, intended for typical
10214 unannotated C code. No modifies checking, macro checking, rep
10215 exposure, or clean interface checking is done. Return values
10216 of type <span class="CodeText"><span style=
10217 'font-size:10.0pt'>int</span></span> may be ignored. The
10218 types <span class="CodeText"><span style=
10219 'font-size:10.0pt'>bool</span></span>, <span class=
10220 "CodeText"><span style='font-size:10.0pt'>int</span></span>,
10221 <span class="CodeText"><span style=
10222 'font-size:10.0pt'>char</span></span> and user-defined
10223 <span class="CodeText"><span style=
10224 'font-size:10.0pt'>enum</span></span> types are all
10225 equivalent. Old style declarations are unreported.</p>
10226 <p class="TextFontCX"><span class="Flag"><span style=
10227 'font-size:10.0pt'>standard</span></span></p>
10228 <p class="IndentText">The default mode. All checking done by
10229 <span class="Flag"><span style=
10230 'font-size:10.0pt'>weak</span></span>, plus modifies checking,
10231 global, alias checking, use all parameters, using released storage,
10232 ignored return values or any type, macro checking, unreachable
10233 code, infinite loops, and fall through cases. The types
10234 <span class="CodeText"><span style=
10235 'font-size:10.0pt'>bool</span></span>, <span class=
10236 "CodeText"><span style='font-size:10.0pt'>int</span></span> and
10237 <span class="CodeText"><span style=
10238 'font-size:10.0pt'>char</span></span> are distinct. Old style
10239 declarations are reported.</p>
10240 <p class="TextFontCX"> <span class="Flag"><span style=
10241 'font-size:10.0pt'>checks</span></span></p>
10242 <p class="IndentText">Moderately strict checking. All
10243 checking done by <span class="Flag"><span style=
10244 'font-size:10.0pt'>standard</span></span>, plus must modification
10245 checking, rep exposure, return alias, memory management and
10246 complete interfaces.</p>
10247 <p class="TextFontCX"><span class="Flag"><span style=
10248 'font-size:10.0pt'>strict</span></span></p>
10249 <p class="IndentText">Absurdly strict checking. All checking
10250 done by <span class="Flag"><span style=
10251 'font-size:10.0pt'>checks</span></span>, plus modifications and
10252 global variables used in unspecified functions, strict standard
10253 library, and strict typing of C operators. A special reward will be
10254 presented to the first person to produce a real program that
10255 produces no errors with <span class="Flag"><span style=
10256 'font-size:10.0pt'>strict</span></span> checking.</p>
10257 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10258 <a name="_Ref344798116"></a><a name="_Toc534975049">Checking
10260 <p class="TextFontCX">These flags control checking done by
10261 Splint. They may be set locally using syntactic comments,
10262 from the command line, or in an options file. Some flags
10263 directly control whether a certain class of message is
10264 reported. Preceding the flag by <span class=
10265 "Flag"><span style='font-size:10.0pt'>+</span></span> turns
10266 reporting on, and preceding the flag by <span class=
10267 "Flag"><span style='font-size:10.0pt'>-</span></span> turns
10268 reporting off. Other flags control checking less directly by
10269 determining default values (what annotations are implicit), making
10270 types equivalent (to prevent certain type errors), controlling
10271 representation access, etc. For these flags, the effect of
10272 <span class="Flag"><span style='font-size:10.0pt'>+</span></span>
10273 is described, and the effect of <span class=
10274 "Flag"><span style='font-size:10.0pt'>-</span></span> is the
10275 opposite (or explicitly explained if there is no clear
10276 opposite). The organization of this section mirrors
10278 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10279 <a name="_Toc534975051"></a>
10280 <a name="_Toc534975056">Null
10281 Dereferences</a> <span class="TextFontCXChar"><span style=
10282 'font-size:11.0pt; font-weight:normal'>(Section
10283 2)</span></span></p>
10286 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10287 height="14" align="left">
10289 <td valign="top" align="left" height="14" style=
10290 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10291 <p class="TextFontCX" align="center" style=
10292 'text-align:center;background:#CCCCCC'><span style=
10293 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
10294 <p class="TextFontCX"><span class="Flag"><span style=
10295 'font-size:10.0pt'>null</span></span></p>
10296 <p class="IndentText">A possibly null pointer may be dereferenced,
10297 or used somewhere a non-null pointer is expected. (sets nulldref, nullpass, nullassign, and nullstate</p>
10300 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10301 height="14" align="left">
10303 <td valign="top" align="left" height="14" style=
10304 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10305 <p class="TextFontCX" align="center" style=
10306 'text-align:center;background:#CCCCCC'><span style=
10307 'font-size:10.0pt'>m:</span><span class=
10308 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10309 <p class="TextFontCX"><span class="Flag"><span style=
10310 'font-size:10.0pt'>
10313 <p class="IndentText">A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case,
10314 code should check it is not null), or a global, parameter or structure field declared with the null qualifier.
10320 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10321 height="14" align="left">
10323 <td valign="top" align="left" height="14" style=
10324 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10325 <p class="TextFontCX" align="center" style=
10326 'text-align:center;background:#CCCCCC'><span style=
10327 'font-size:10.0pt'>m:</span><span class=
10328 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10329 <p class="TextFontCX"><span class="Flag"><span style=
10330 'font-size:10.0pt'>
10333 <p class="IndentText">
10334 A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@null@*/ annotation. If NULL may be
10335 used for this parameter, add a /*@null@*/ annotation to the function parameter declaration.
10338 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10339 height="14" align="left">
10341 <td valign="top" align="left" height="14" style=
10342 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10343 <p class="TextFontCX" align="center" style=
10344 'text-align:center;background:#CCCCCC'><span style=
10345 'font-size:10.0pt'>m:</span><span class=
10346 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10347 <p class="TextFontCX"><span class="Flag"><span style=
10348 'font-size:10.0pt'>
10351 <p class="IndentText">
10352 Function returns a possibly null pointer, but is not declared using /*@null@*/ annotation of result. If function may return NULL, add /*@null@*/ annotation to the return value declaration.
10356 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10357 height="14" align="left">
10359 <td valign="top" align="left" height="14" style=
10360 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10361 <p class="TextFontCX" align="center" style=
10362 'text-align:center;background:#CCCCCC'><span style=
10363 'font-size:10.0pt'>m:</span><span class=
10364 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10365 <p class="TextFontCX"><span class="Flag"><span style=
10366 'font-size:10.0pt'>
10369 <p class="IndentText">
10370 A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@null@*/ annotation.
10375 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10376 height="14" align="left">
10378 <td valign="top" align="left" height="14" style=
10379 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10380 <p class="TextFontCX" align="center" style=
10381 'text-align:center;background:#CCCCCC'><span style=
10382 'font-size:10.0pt'>m:</span><span class=
10383 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10384 <p class="TextFontCX"><span class="Flag"><span style=
10385 'font-size:10.0pt'>
10388 <p class="IndentText">
10389 A reference with no null annotation is assigned or initialized to NULL. Use /*@null@*/ to declare the reference as a possibly null pointer.
10392 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10393 <a name="_Toc534975055">Use Before Definition</a>
10394 <span class="TextFontCXChar"><span style=
10395 'font-size:11.0pt; font-weight:normal'>(Section
10396 3)</span></span></p>
10398 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10399 height="14" align="left">
10401 <td valign="top" align="left" height="14" style=
10402 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10403 <p class="TextFontCX" align="center" style=
10404 'text-align:center;background:#CCCCCC'><span style=
10405 'font-size:10.0pt'>m:</span><span class=
10406 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10407 <p class="TextFontCX"><span class="Flag"><span style=
10408 'font-size:10.0pt'>usedef</span></span></p>
10409 <p class="IndentText">The value of a location that may not be
10410 initialized on some execution path is used.</p>
10412 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10413 height="14" align="left">
10415 <td valign="top" align="left" height="14" style=
10416 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10417 <p class="TextFontCX" align="center" style=
10418 'text-align:center;background:#CCCCCC'><span style=
10419 'font-size:10.0pt'>m:</span><span class=
10420 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
10421 <p class="TextFontCX"><span class="Flag"><span style=
10422 'font-size:10.0pt'>impouts</span></span></p>
10423 <p class="IndentText">Allow unannotated pointer parameters to
10424 functions to be implicit out parameters.</p>
10426 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10427 height="14" align="left">
10429 <td valign="top" align="left" height="14" style=
10430 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10431 <p class="TextFontCX" align="center" style=
10432 'text-align:center;background:#CCCCCC'><span style=
10433 'font-size:10.0pt'>m:</span><span class=
10434 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10435 <p class="TextFontCX"><span class="Flag"><span style=
10436 'font-size:10.0pt'>compdef</span></span></p>
10437 <p class="IndentText">Storage derivable from a parameter, return
10438 value or global variable is not completely defined.</p>
10440 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10441 height="14" align="left">
10443 <td valign="top" align="left" height="14" style=
10444 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10445 <p class="TextFontCX" align="center" style=
10446 'text-align:center;background:#CCCCCC'><span style=
10447 'font-size:10.0pt'>m:</span><span class=
10448 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10449 <p class="TextFontCX"><span class="Flag"><span style=
10450 'font-size:10.0pt'>uniondef</span></span></p>
10451 <p class="IndentText">No field of a union is defined. (No
10452 error is reported if at least one union field is defined.)</p>
10454 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10455 height="14" align="left">
10457 <td valign="top" align="left" height="14" style=
10458 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10459 <p class="TextFontCX" align="center" style=
10460 'text-align:center;background:#CCCCCC'><span style=
10461 'font-size:10.0pt'>m:</span><span class=
10462 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10463 <p class="TextFontCX"><span class="Flag"><span style=
10464 'font-size:10.0pt'>mustdefine</span></span></p>
10465 <p class="IndentText">Parameter declared with <span class=
10466 "Keyword"><span style='font-size:10.0pt'>out</span></span> is not
10467 defined before return or scope exit.</p>
10470 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10473 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10474 height="14" align="left">
10476 <td valign="top" align="left" height="14" style=
10477 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10478 <p class="TextFontCX" align="center" style=
10479 'text-align:center;background:#CCCCCC'><span style=
10480 'font-size:10.0pt'>P:</span><span class=
10481 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10482 <p class="TextFontCX"><span class="Flag"><span style=
10483 'font-size:10.0pt'>
10486 <p class="IndentText">
10487 Initializer does not set every field in the structure.
10492 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10493 height="14" align="left">
10495 <td valign="top" align="left" height="14" style=
10496 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10497 <p class="TextFontCX" align="center" style=
10498 'text-align:center;background:#CCCCCC'><span style=
10499 'font-size:10.0pt'>P:</span><span class=
10500 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10501 <p class="TextFontCX"><span class="Flag"><span style=
10502 'font-size:10.0pt'>
10505 <p class="IndentText">
10506 Initializer does not define all elements of a declared array.
10511 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10512 height="14" align="left">
10514 <td valign="top" align="left" height="14" style=
10515 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10516 <p class="TextFontCX" align="center" style=
10517 'text-align:center;background:#CCCCCC'><span style=
10518 'font-size:10.0pt'>P:</span><span class=
10519 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10520 <p class="TextFontCX"><span class="Flag"><span style=
10521 'font-size:10.0pt'>
10524 <p class="IndentText">
10525 Initializer block contains more elements than the size of a declared array.
10530 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10531 height="14" align="left">
10533 <td valign="top" align="left" height="14" style=
10534 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10535 <p class="TextFontCX" align="center" style=
10536 'text-align:center;background:#CCCCCC'><span style=
10537 'font-size:10.0pt'>m:</span><span class=
10538 "Keyword"><span style='font-size:10.0pt'>---</span></span></p></td></tr></table></div>
10539 <p class="TextFontCX"><span class="Flag"><span style=
10540 'font-size:10.0pt'>
10543 <p class="IndentText">
10544 Pointer parameters to unspecified functions may be implicit <span class=
10545 "Keyword"><span style='font-size:10.0pt'>out</span></span> parameters.
10548 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10549 Declarations<span class="TextFontCXChar"><span style=
10550 'font-size:11.0pt; font-weight:normal'></span></span>
10551 <span class="TextFontCXChar">
10553 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
10556 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10557 height="14" align="left">
10559 <td valign="top" align="left" height="14" style=
10560 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10561 <p class="TextFontCX" align="center" style=
10562 'text-align:center;background:#CCCCCC'><span style=
10563 'font-size:10.0pt'>m:</span><span class=
10564 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10565 <p class="TextFontCX"><span class="Flag"><span style=
10566 'font-size:10.0pt'>
10569 <p class="IndentText">
10570 A function, variable or constant is redefined with a different type.
10574 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10575 height="14" align="left">
10577 <td valign="top" align="left" height="14" style=
10578 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10579 <p class="TextFontCX" align="center" style=
10580 'text-align:center;background:#CCCCCC'><span style=
10581 'font-size:10.0pt'>m:</span><span class=
10582 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10583 <p class="TextFontCX"><span class="Flag"><span style=
10584 'font-size:10.0pt'>
10587 <p class="IndentText">
10588 A function type is dereferenced. The ANSI standard allows this because of
10589 implicit conversion of function designators, however the dereference is unnecessary.
10593 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10594 height="14" align="left">
10596 <td valign="top" align="left" height="14" style=
10597 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10598 <p class="TextFontCX" align="center" style=
10599 'text-align:center;background:#CCCCCC'><span style=
10600 'font-size:10.0pt'>m:</span><span class=
10601 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10602 <p class="TextFontCX"><span class="Flag"><span style=
10603 'font-size:10.0pt'>
10606 <p class="IndentText">
10607 A declaration of an immutable object uses a redundant observer qualifier.
10612 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10613 height="14" align="left">
10615 <td valign="top" align="left" height="14" style=
10616 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10617 <p class="TextFontCX" align="center" style=
10618 'text-align:center;background:#CCCCCC'><span style=
10619 'font-size:10.0pt'>m:</span><span class=
10620 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10621 <p class="TextFontCX"><span class="Flag"><span style=
10622 'font-size:10.0pt'>
10625 <p class="IndentText">
10626 A declaration of an unsharable object uses a sharing annotation.
10629 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10630 Types <span class="TextFontCXChar"><span style=
10631 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
10632 <span class="TextFontCXChar"><span style=
10633 'font-size:11.0pt; font-weight:normal'>4</span></span>
10634 <span class="TextFontCXChar">
10636 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
10637 <p class="IndentText"> </p>
10640 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10641 height="14" align="left">
10643 <td valign="top" align="left" height="14" style=
10644 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10645 <p class="TextFontCX" align="center" style=
10646 'text-align:center;background:#CCCCCC'><span style=
10647 'font-size:10.0pt'>P:</span> <span class=
10648 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10649 <p class="TextFontCX"><span class="Flag"><span style=
10650 'font-size:10.0pt'>
10653 <p class="IndentText">Type mismatch.</p>
10656 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10657 height="14" align="left">
10659 <td valign="top" align="left" height="14" style=
10660 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10661 <p class="TextFontCX" align="center" style=
10662 'text-align:center;background:#CCCCCC'><span style=
10663 'font-size:10.0pt'>P:</span> <span class=
10664 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10665 <p class="TextFontCX"><span class="Flag"><span style=
10666 'font-size:10.0pt'>
10667 string-literal-too-long
10669 <p class="IndentText">
10670 A string literal is assigned to a char array too small to hold it.
10674 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10675 height="14" align="left">
10677 <td valign="top" align="left" height="14" style=
10678 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10679 <p class="TextFontCX" align="center" style=
10680 'text-align:center;background:#CCCCCC'><span style=
10681 'font-size:10.0pt'>m:</span> <span class=
10682 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10683 <p class="TextFontCX"><span class="Flag"><span style=
10684 'font-size:10.0pt'>
10685 string-literal-too-no-room
10687 <p class="IndentText">
10688 A string literal is assigned to a char array that is not big enough to hold the null terminator.
10693 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10694 height="14" align="left">
10696 <td valign="top" align="left" height="14" style=
10697 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10698 <p class="TextFontCX" align="center" style=
10699 'text-align:center;background:#CCCCCC'><span style=
10700 'font-size:10.0pt'>m:</span> <span class=
10701 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10702 <p class="TextFontCX"><span class="Flag"><span style=
10703 'font-size:10.0pt'>
10704 string-literal-smaller
10706 <p class="IndentText">
10707 A string literal is assigned to a char array that smaller than the string literal needs.
10712 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10713 height="14" align="left">
10715 <td valign="top" align="left" height="14" style=
10716 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10717 <p class="TextFontCX" align="center" style=
10718 'text-align:center;background:#CCCCCC'><span style=
10719 'font-size:10.0pt'>m:</span> <span class=
10720 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10721 <p class="TextFontCX"><span class="Flag"><span style=
10722 'font-size:10.0pt'>
10725 <p class="IndentText">
10726 Type of initial values for enum members must be int.
10729 <p class="Heading10">Boolean Types <span class=
10730 "HeadingNote"><span style=
10731 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
10732 <span class="HeadingNote"><span style=
10733 'font-size:10.5pt;font-weight:normal;font-style: normal'>4.2</span></span><span class="HeadingNote">
10735 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
10736 <p class="TextFontCX">These flags control the type name used to
10737 represent Booleans, and whether the Boolean type is abstract.</p>
10738 <p class="TextFontCX"> </p>
10740 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10741 height="14" align="left">
10743 <td valign="top" align="left" height="14" style=
10744 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10745 <p class="TextFontCX" align="center" style=
10746 'text-align:center;background:#CCCCCC'><span style=
10747 'font-size:10.0pt'>P:</span> <span class=
10748 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10749 <p class="TextFontCX"><span class="Flag"><span style=
10750 'font-size:10.0pt'>bool</span></span></p>
10751 <p class="IndentText">Boolean type is an abstract type.</p>
10753 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10754 height="14" align="left">
10756 <td valign="top" align="left" height="14" style=
10757 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10758 <p class="TextFontCX" align="center" style=
10759 'text-align:center;background:#CCCCCC'><span style=
10760 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
10761 'font-size:10.0pt'>bool</span></span></p></td></tr></table></div>
10762 <p class="TextFontCX"><span class="Flag"><span style=
10763 'font-size:10.0pt'>booltype</span></span> <span class=
10764 "Flag"><span style=
10765 'font-size:10.0pt'><i><name></i></span></span></p>
10766 <p class="IndentText">Set name of Boolean type to
10767 <i><name></i>.</p>
10769 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10770 height="14" align="left">
10772 <td valign="top" align="left" height="14" style=
10773 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10774 <p class="TextFontCX" align="center" style=
10775 'text-align:center;background:#CCCCCC'><span style=
10776 'font-size:10.0pt'>P:</span><span class="Flag"><span style=
10777 'font-size:10.0pt'>FALSE</span></span></p></td></tr></table></div>
10778 <p class="TextFontCX"><span class="Flag"><span style=
10779 'font-size:10.0pt'>boolfalse</span></span> <span class=
10780 "Flag"><span style=
10781 'font-size:10.0pt'><i><name></i></span></span></p>
10782 <p class="IndentText">Set name of Boolean false to
10783 <i><name></i>.</p>
10785 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10786 height="14" align="left">
10788 <td valign="top" align="left" height="14" style=
10789 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10790 <p class="TextFontCX" align="center" style=
10791 'text-align:center;background:#CCCCCC'><span style=
10792 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
10793 'font-size:10.0pt'>TRUE</span></span></p></td></tr></table></div>
10794 <p class="TextFontCX"><span class="Flag"><span style=
10795 'font-size:10.0pt'>booltrue</span></span> <span class=
10796 "Flag"><span style=
10797 'font-size:10.0pt'><i><name></i></span></span></p>
10798 <p class="IndentText">Set name of Boolean true to
10799 <i><name></i>.</p>
10802 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10803 height="14" align="left">
10805 <td valign="top" align="left" height="14" style=
10806 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10807 <p class="TextFontCX" align="center" style=
10808 'text-align:center;background:#CCCCCC'><span style=
10809 'font-size:10.0pt'>P:</span> <span class=
10810 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10811 <p class="TextFontCX"><span class="Flag"><span style=
10812 'font-size:10.0pt'>
10815 <p class="IndentText">
10816 Splint has found a type which appears to be the boolean type. Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type.
10820 <p class="Heading10"><a name="_Ref344871224">Predicates</a></p>
10822 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10823 height="14" align="left">
10825 <td valign="top" align="left" height="14" style=
10826 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10827 <p class="TextFontCX" align="center" style=
10828 'text-align:center;background:#CCCCCC'><span style=
10829 'font-size:10.0pt'>m:</span><span class=
10830 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10831 <p class="TextFontCX"><span class="Flag"><span style=
10832 'font-size:10.0pt'>pred-bool-ptr</span></span></p>
10833 <p class="IndentText">Type of condition test is a pointer.</p>
10835 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10836 height="14" align="left">
10838 <td valign="top" align="left" height="14" style=
10839 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10840 <p class="TextFontCX" align="center" style=
10841 'text-align:center;background:#CCCCCC'><span style=
10842 'font-size:10.0pt'>m:</span><span class=
10843 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10844 <p class="TextFontCX"><span class="Flag"><span style=
10845 'font-size:10.0pt'>pred-bool-int</span></span></p>
10846 <p class="IndentText">Type of condition test is an integral
10849 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10850 height="14" align="left">
10852 <td valign="top" align="left" height="14" style=
10853 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10854 <p class="TextFontCX" align="center" style=
10855 'text-align:center;background:#CCCCCC'><span style=
10856 'font-size:10.0pt'>m:</span><span class=
10857 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
10858 <p class="TextFontCX"><span class="Flag"><span style=
10859 'font-size:10.0pt'>pred-bool-others</span></span></p>
10860 <p class="IndentText">Type of condition test is not a Boolean,
10861 pointer or integral type.</p>
10863 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10864 height="14" align="left">
10866 <td valign="top" align="left" height="14" style=
10867 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10868 <p class="TextFontCX" align="center" style=
10869 'text-align:center;background:#CCCCCC'><span style=
10870 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
10871 <p class="TextFontCX"><span class="Flag"><span style=
10872 'font-size:10.0pt'>pred-bool</span></span></p>
10873 <p class="IndentText">Sets <span class="Flag"><span style=
10874 'font-size:10.0pt'>predboolint</span></span>, <span class=
10875 "Flag"><span style='font-size:10.0pt'>predboolptr</span></span> and
10876 <span class="Flag"><span style=
10877 'font-size:10.0pt'>preboolothers</span></span>.</p>
10879 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10880 height="14" align="left">
10882 <td valign="top" align="left" height="14" style=
10883 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10884 <p class="TextFontCX" align="center" style=
10885 'text-align:center;background:#CCCCCC'><span style=
10886 'font-size:10.0pt'>P:</span> <span class=
10887 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10888 <p class="TextFontCX"><span class="Flag"><span style=
10889 'font-size:10.0pt'>pred-assign</span></span></p>
10890 <p class="IndentText">The condition test is an assignment
10891 expression. If an assignment is intended, add an extra parentheses
10892 nesting (e.g., <span class="CodeText"><span style=
10893 'font-size:10.0pt'>if ((a = b))</span></span> ...).</p>
10894 <p class="Heading10">Primitive Operations</p>
10896 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10897 height="14" align="left">
10899 <td valign="top" align="left" height="14" style=
10900 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10901 <p class="TextFontCX" align="center" style=
10902 'text-align:center;background:#CCCCCC'><span style=
10903 'font-size:10.0pt'>m:</span><span class=
10904 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10905 <p class="TextFontCX"><span class="Flag"><span style=
10906 'font-size:10.0pt'>ptr-arith</span></span></p>
10907 <p class="IndentText">Arithmetic involving pointer and integer.</p>
10910 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10911 height="14" align="left">
10913 <td valign="top" align="left" height="14" style=
10914 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10915 <p class="TextFontCX" align="center" style=
10916 'text-align:center;background:#CCCCCC'><span style=
10917 'font-size:10.0pt'>m:</span> <span class=
10918 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10919 <p class="TextFontCX"><span class="Flag"><span style=
10920 'font-size:10.0pt'>
10923 <p class="IndentText">
10924 Pointer arithmetic using a possibly null pointer and integer.
10929 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10930 height="14" align="left">
10932 <td valign="top" align="left" height="14" style=
10933 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10934 <p class="TextFontCX" align="center" style=
10935 'text-align:center;background:#CCCCCC'><span style=
10936 'font-size:10.0pt'>m:</span> <span class=
10937 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
10938 <p class="TextFontCX"><span class="Flag"><span style=
10939 'font-size:10.0pt'>
10942 <p class="IndentText">
10943 The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers.
10946 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10947 height="14" align="left">
10949 <td valign="top" align="left" height="14" style=
10950 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10951 <p class="TextFontCX" align="center" style=
10952 'text-align:center;background:#CCCCCC'><span style=
10953 'font-size:10.0pt'>m:</span><span class=
10954 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
10955 <p class="TextFontCX"><span class="Flag"><span style=
10956 'font-size:10.0pt'>ptr-negate</span></span></p>
10957 <p class="IndentText">Allow the operand of the <span class=
10958 "CodeText"><span style='font-size:10.0pt'>!</span></span> operator
10959 to be a pointer.</p>
10961 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10962 height="14" align="left">
10964 <td valign="top" align="left" height="14" style=
10965 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10966 <p class="TextFontCX" align="center" style=
10967 'text-align:center;background:#CCCCCC'><span style=
10968 'font-size:10.0pt'>m:</span><span class=
10969 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10970 <p class="TextFontCX"><span class="Flag"><span style=
10971 'font-size:10.0pt'>bitwise-signed</span></span><span class=
10972 "Flag"><span style='font-size:10.0pt'> </span></span></p>
10973 <p class="IndentText">An operand to a bitwise operator is not an
10974 unsigned value. This may have unexpected results depending on the
10975 signed representations.</p>
10979 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10980 height="14" align="left">
10982 <td valign="top" align="left" height="14" style=
10983 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10984 <p class="TextFontCX" align="center" style=
10985 'text-align:center;background:#CCCCCC'><span style=
10986 'font-size:10.0pt'>m:</span> <span class=
10987 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10988 <p class="TextFontCX"><span class="Flag"><span style=
10989 'font-size:10.0pt'>
10990 shiftimplementation
10992 <p class="IndentText">
10993 The left operand to a shift operator may be negative (behavior is implementation-defined).
10998 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10999 height="14" align="left">
11001 <td valign="top" align="left" height="14" style=
11002 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11003 <p class="TextFontCX" align="center" style=
11004 'text-align:center;background:#CCCCCC'><span style=
11005 'font-size:10.0pt'>m:</span> <span class=
11006 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11007 <p class="TextFontCX"><span class="Flag"><span style=
11008 'font-size:10.0pt'>
11011 <p class="IndentText">
11012 The right operand to a shift operator may be negative (behavior undefined).
11016 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11017 height="14" align="left">
11019 <td valign="top" align="left" height="14" style=
11020 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11021 <p class="TextFontCX" align="center" style=
11022 'text-align:center;background:#CCCCCC'><span style=
11023 'font-size:10.0pt'>m:</span><span class=
11024 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11025 <p class="TextFontCX"><span class="Flag"><span style=
11026 'font-size:10.0pt'>shift-signed</span></span></p>
11027 <p class="IndentText">The left operand to a shift operator is not
11028 an unsigned value.</p>
11030 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11031 height="14" align="left">
11033 <td valign="top" align="left" height="14" style=
11034 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11035 <p class="TextFontCX" align="center" style=
11036 'text-align:center;background:#CCCCCC'><span style=
11037 'font-size:10.0pt'>m:</span><span class=
11038 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11039 <p class="TextFontCX"><span class="Flag"><span style=
11040 'font-size:10.0pt'>strict-ops</span></span></p>
11041 <p class="IndentText">Primitive operation does not type check
11044 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11045 height="14" align="left">
11047 <td valign="top" align="left" height="14" style=
11048 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11049 <p class="TextFontCX" align="center" style=
11050 'text-align:center;background:#CCCCCC'><span style=
11051 'font-size:10.0pt'>m:</span><span class=
11052 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11053 <p class="TextFontCX"><span class="Flag"><span style=
11054 'font-size:10.0pt'>sizeof-type</span></span></p>
11055 <p class="IndentText">Operand of <span class=
11056 "CodeText"><span style='font-size:10.0pt'>sizeof</span></span>
11057 operator is a type. (Safer to use <span class=
11058 "CodeText"><span style='font-size:10.0pt'>int *x = sizeof
11059 (*x);</span></span> instead of <span class=
11060 "CodeText"><span style='font-size:10.0pt'>sizeof
11061 (int)</span></span>.)</p>
11062 <p class="Heading10">Array Formal Parameters</p>
11063 <p class="TextFontCX">These flags control reporting of common
11064 errors caused by confusion about the semantics of array formal
11066 <p class="TextFontCX"> </p>
11068 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11069 height="14" align="left">
11071 <td valign="top" align="left" height="14" style=
11072 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11073 <p class="TextFontCX" align="center" style=
11074 'text-align:center;background:#CCCCCC'><span style=
11075 'font-size:10.0pt'>P:</span> <span class=
11076 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11077 <p class="TextFontCX"><span class="Flag"><span style=
11078 'font-size:10.0pt'>sizeof-formal-array</span></span></p>
11079 <p class="IndentText">The <span class="CodeText"><span style=
11080 'font-size:10.0pt'>sizeof</span></span> operator is used on a
11081 parameter declared as an array. (In many instances this has
11082 unexpected behavior, since the result is the size of a pointer to
11083 the element type, not the number of elements in the array.)</p>
11084 <p class="IndentText"> </p>
11086 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11087 height="14" align="left">
11089 <td valign="top" align="left" height="14" style=
11090 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11091 <p class="TextFontCX" align="center" style=
11092 'text-align:center;background:#CCCCCC'><span style=
11093 'font-size:10.0pt'>P:</span> <span class=
11094 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11095 <p class="TextFontCX"><span class="Flag"><span style=
11096 'font-size:10.0pt'>fixed-formal-array</span></span></p>
11097 <p class="IndentText">An array formal parameter is declared with a
11098 fixed size (e.g., <span class="CodeText"><span style=
11099 'font-size:10.0pt'>int x[20]</span></span>). This is likely
11100 to be confusing, since the size is ignored.</p>
11102 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11103 height="14" align="left">
11105 <td valign="top" align="left" height="14" style=
11106 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11107 <p class="TextFontCX" align="center" style=
11108 'text-align:center;background:#CCCCCC'><span style=
11109 'font-size:10.0pt'>P:</span> <span class=
11110 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11111 <p class="TextFontCX"><span class="Flag"><span style=
11112 'font-size:10.0pt'>formal-array</span></span></p>
11113 <p class="IndentText">A formal parameter is declared as an
11114 array. This is probably not a problem, but can be confusing
11115 since it is treated as a pointer. </p>
11116 <p class="Heading10">Format Codes</p>
11118 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11119 height="14" align="left">
11121 <td valign="top" align="left" height="14" style=
11122 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11123 <p class="TextFontCX" align="center" style=
11124 'text-align:center;background:#CCCCCC'><span style=
11125 'font-size:10.0pt'>P:</span> <span class=
11126 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11127 <p class="TextFontCX"><span class="Flag"><span style=
11128 'font-size:10.0pt'>format-code</span></span></p>
11129 <p class="IndentText">Invalid format code in format string for
11130 <span class="Annot"><span style=
11131 'font-size:10.0pt'>printflike</span></span> or <span class=
11132 "Annot"><span style='font-size:10.0pt'>scanflike</span></span>
11135 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11136 height="14" align="left">
11138 <td valign="top" align="left" height="14" style=
11139 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11140 <p class="TextFontCX" align="center" style=
11141 'text-align:center;background:#CCCCCC'><span style=
11142 'font-size:10.0pt'>P:</span> <span class=
11143 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11144 <p class="TextFontCX"><span class="Flag"><span style=
11145 'font-size:10.0pt'>format-type</span></span></p>
11146 <p class="IndentText">Type-mismatch in parameter corresponding to
11147 format code in a <span class="Annot"><span style=
11148 'font-size:10.0pt'>printflike</span></span> or <span class=
11149 "Annot"><span style='font-size:10.0pt'>scanflike</span></span>
11153 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11154 height="14" align="left">
11156 <td valign="top" align="left" height="14" style=
11157 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11158 <p class="TextFontCX" align="center" style=
11159 'text-align:center;background:#CCCCCC'><span style=
11160 'font-size:10.0pt'>P:</span> <span class=
11161 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11162 <p class="TextFontCX"><span class="Flag"><span style=
11163 'font-size:10.0pt'>format-const</span></span></p>
11164 <p class="IndentText">Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.</p>
11166 <p class="Heading10">Main</p>
11168 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11169 height="14" align="left">
11171 <td valign="top" align="left" height="14" style=
11172 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11173 <p class="TextFontCX" align="center" style=
11174 'text-align:center;background:#CCCCCC'><span style=
11175 'font-size:10.0pt'>P:</span> <span class=
11176 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11177 <p class="TextFontCX"><span class="Flag"><span style=
11178 'font-size:10.0pt'>main-type</span></span></p>
11179 <p class="IndentText">Type of <span class=
11180 "CodeText"><span style='font-size:10.0pt'>main</span></span>
11181 does not match expected type (function returning an
11182 <span class="CodeText"><span style=
11183 'font-size:10.0pt'>int</span></span>, taking no parameters or
11184 two parameters of type <span class="CodeText"><span style=
11185 'font-size:10.0pt'>int</span></span> and <span class=
11186 "CodeText"><span style='font-size:10.0pt'>char
11187 **</span></span>.)</p>
11188 <p class="Heading10">Comparisons</p>
11190 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11191 height="14" align="left">
11193 <td valign="top" align="left" height="14" style=
11194 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11195 <p class="TextFontCX" align="center" style=
11196 'text-align:center;background:#CCCCCC'><a name=
11197 "boolcompare"></a><a name="boolprose"><span style=
11198 'font-size:10.0pt'>m:</span></a><span class=
11199 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11200 <p class="TextFontCX"><span class="Flag"><span style=
11201 'font-size:10.0pt'>bool-compare</span></span></p>
11202 <p class="IndentText">Comparison between Boolean values. This
11203 is dangerous since there may be multiple true values as any
11204 non-zero value is interpreted as true.</p>
11206 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11207 height="14" align="left">
11209 <td valign="top" align="left" height="14" style=
11210 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11211 <p class="TextFontCX" align="center" style=
11212 'text-align:center;background:#CCCCCC'><span style=
11213 'font-size:10.0pt'>m:</span><span class=
11214 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11215 <p class="TextFontCX"><span class="Flag"><span style=
11216 'font-size:10.0pt'>real-compare</span></span></p>
11217 <p class="IndentText">Comparison involving <span class=
11218 "CodeText"><span style='font-size:10.0pt'>float</span></span> or
11219 <span class="CodeText"><span style=
11220 'font-size:10.0pt'>double</span></span> values. This is
11221 dangerous since it may produce unexpected results because floating
11222 point representations are inexact.</p>
11224 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11225 height="14" align="left">
11227 <td valign="top" align="left" height="14" style=
11228 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11229 <p class="TextFontCX" align="center" style=
11230 'text-align:center;background:#CCCCCC'><span style=
11231 'font-size:10.0pt'>m:</span><span class=
11232 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11233 <p class="TextFontCX"><span class="Flag"><span style=
11234 'font-size:10.0pt'>ptr-compare</span></span></p>
11235 <p class="IndentText">Comparison between pointer and number.</p>
11238 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11239 height="14" align="left">
11241 <td valign="top" align="left" height="14" style=
11242 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11243 <p class="TextFontCX" align="center" style=
11244 'text-align:center;background:#CCCCCC'><span style=
11245 'font-size:10.0pt'>m:</span><span class=
11246 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11247 <p class="TextFontCX"><span class="Flag"><span style=
11248 'font-size:10.0pt'>unsigned-compare</span></span></p>
11249 <p class="IndentText">
11250 An unsigned value is used in a comparison with zero in a way that is either a bug or confusing.
11253 <p class="Heading10">Type Equivalence</p>
11255 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11256 height="14" align="left">
11258 <td valign="top" align="left" height="14" style=
11259 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11260 <p class="TextFontCX" align="center" style=
11261 'text-align:center;background:#CCCCCC'><a name=
11262 "globs"></a><span style=
11263 'font-size:10.0pt'>m:</span><span class="Keyword"><span style='font-size: 10.0pt'>
11264 +---</span></span></p></td></tr></table></div>
11265 <p class="TextFontCX"><span class="Flag"><span style=
11266 'font-size:10.0pt'>void-abstract</span></span></p>
11267 <p class="IndentText">Allow <span class=
11268 "CodeText"><span style='font-size:10.0pt'>void
11269 *</span></span> to match pointers to abstract types.
11270 (Casting a pointer to an abstract type to a pointer to
11271 <span class="CodeText"><span style=
11272 'font-size:10.0pt'>void</span></span> is okay if <span class=
11273 "Flag"><span style=
11274 'font-size:10.0pt'>+void-abstract</span></span> is set.)</p>
11276 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11277 height="14" align="left">
11279 <td valign="top" align="left" height="14" style=
11280 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11281 <p class="TextFontCX" align="center" style=
11282 'text-align:center;background:#CCCCCC'><span style=
11283 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
11284 <p class="TextFontCX"><span class="Flag"><span style=
11285 'font-size:10.0pt'>cast-fcn-ptr</span></span></p>
11286 <p class="IndentText"> A pointer to a function is cast to (or
11287 used as) a pointer to void (or vice versa).</p>
11289 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11290 height="14" align="left">
11292 <td valign="top" align="left" height="14" style=
11293 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11294 <p class="TextFontCX" align="center" style=
11295 'text-align:center;background:#CCCCCC'><span style=
11296 'font-size:10.0pt'>m:</span><span class=
11297 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11298 <p class="TextFontCX"><span class="Flag"><span style=
11299 'font-size:10.0pt'>forward-decl</span></span></p>
11300 <p class="IndentText">Forward declarations of pointers to abstract
11301 representation match abstract type.</p>
11303 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11304 height="14" align="left">
11306 <td valign="top" align="left" height="14" style=
11307 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11308 <p class="TextFontCX" align="center" style=
11309 'text-align:center;background:#CCCCCC'><span style=
11310 'font-size:10.0pt'>m:</span><span class=
11311 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11312 <p class="TextFontCX"><span class="Flag"><span style=
11313 'font-size:10.0pt'>imp-type</span></span></p>
11314 <p class="IndentText">A variable declaration has no explicit
11315 type. The type is implicitly int.</p>
11317 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11318 height="14" align="left">
11320 <td valign="top" align="left" height="14" style=
11321 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11322 <p class="TextFontCX" align="center" style=
11323 'text-align:center;background:#CCCCCC'><span style=
11324 'font-size:10.0pt'>P:</span> <span class=
11325 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11326 <p class="TextFontCX"><span class="Flag"><span style=
11327 'font-size:10.0pt'>incomplete-type</span></span></p>
11328 <p class="IndentText">A formal parameter is declared with an
11329 incomplete type (e.g., <span class="Keyword"><span style=
11330 'font-size:10.0pt'>int[][]</span></span>).</p>
11332 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11333 height="14" align="left">
11335 <td valign="top" align="left" height="14" style=
11336 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11337 <p class="TextFontCX" align="center" style=
11338 'text-align:center;background:#CCCCCC'><span style=
11339 'font-size:10.0pt'>m:</span><span class=
11340 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11341 <p class="TextFontCX"><span class="Flag"><span style=
11342 'font-size:10.0pt'>char-index</span></span></p>
11343 <p class="IndentText">Allow <span class=
11344 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11345 to index arrays.</p>
11347 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11348 height="14" align="left">
11350 <td valign="top" align="left" height="14" style=
11351 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11352 <p class="TextFontCX" align="center" style=
11353 'text-align:center;background:#CCCCCC'><span style=
11354 'font-size:10.0pt'>m:</span><span class=
11355 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11356 <p class="TextFontCX"><span class="Flag"><span style=
11357 'font-size:10.0pt'>enum-index</span></span></p>
11358 <p class="IndentText">Allow members of <span class=
11359 "CodeText"><span style='font-size:10.0pt'>enum</span></span>type to
11362 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11363 height="14" align="left">
11365 <td valign="top" align="left" height="14" style=
11366 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11367 <p class="TextFontCX" align="center" style=
11368 'text-align:center;background:#CCCCCC'><span style=
11369 'font-size:10.0pt'>m:</span><span class=
11370 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11371 <p class="TextFontCX"><span class="Flag"><span style=
11372 'font-size:10.0pt'>bool-int</span></span></p>
11373 <p class="IndentText">Make <span class=
11374 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
11375 and <span class="CodeText"><span style=
11376 'font-size:10.0pt'>int</span></span> are equivalent.
11377 (No type errors are reported when a Boolean is used where an
11378 integral type is expected and vice versa.)</p>
11380 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11381 height="14" align="left">
11383 <td valign="top" align="left" height="14" style=
11384 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11385 <p class="TextFontCX" align="center" style=
11386 'text-align:center;background:#CCCCCC'><span style=
11387 'font-size:10.0pt'>m:</span><span class=
11388 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11389 <p class="TextFontCX"><span class="Flag"><span style=
11390 'font-size:10.0pt'>char-int</span></span></p>
11391 <p class="IndentText">Make <span class=
11392 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11393 and <span class="CodeText"><span style=
11394 'font-size:10.0pt'>int</span></span> types equivalent</p>
11397 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11398 height="14" align="left">
11400 <td valign="top" align="left" height="14" style=
11401 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11402 <p class="TextFontCX" align="center" style=
11403 'text-align:center;background:#CCCCCC'><span style=
11404 'font-size:10.0pt'>m:</span><span class=
11405 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11406 <p class="TextFontCX"><span class="Flag"><span style=
11407 'font-size:10.0pt'>charunsignedchar</span></span></p>
11408 <p class="IndentText">To allow <span class=
11409 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11410 and <span class="CodeText"><span style=
11411 'font-size:10.0pt'>unsigned char</span></span> types to match use
11412 <span class="Flag"><span style=
11413 'font-size:10.0pt'>+charunsignedchar</span></span>
11417 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11418 height="14" align="left">
11420 <td valign="top" align="left" height="14" style=
11421 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11422 <p class="TextFontCX" align="center" style=
11423 'text-align:center;background:#CCCCCC'><span style=
11424 'font-size:10.0pt'>m:</span><span class=
11425 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
11426 <p class="TextFontCX"><span class="Flag"><span style=
11427 'font-size:10.0pt'>enum-int</span></span></p>
11428 <p class="IndentText">Make <span class=
11429 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
11430 and <span class="CodeText"><span style=
11431 'font-size:10.0pt'>int</span></span> types equivalent</p>
11433 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11434 height="14" align="left">
11436 <td valign="top" align="left" height="14" style=
11437 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11438 <p class="TextFontCX" align="center" style=
11439 'text-align:center;background:#CCCCCC'><span style=
11440 'font-size:10.0pt'>m:</span><span class=
11441 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11442 <p class="TextFontCX"><span class="Flag"><span style=
11443 'font-size:10.0pt'>float-double</span></span></p>
11444 <p class="IndentText">Make <span class=
11445 "CodeText"><span style='font-size:10.0pt'>float</span></span>
11446 and <span class="CodeText"><span style=
11447 'font-size:10.0pt'>double</span></span> types equivalent</p>
11449 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11450 height="14" align="left">
11452 <td valign="top" align="left" height="14" style=
11453 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11454 <p class="TextFontCX" align="center" style=
11455 'text-align:center;background:#CCCCCC'><span style=
11456 'font-size:10.0pt'>m:</span><span class=
11457 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11458 <p class="TextFontCX"><span class="Flag"><span style=
11459 'font-size:10.0pt'>ignore-quals</span></span></p>
11460 <p class="IndentText">Ignore type qualifiers (<span class=
11461 "CodeText"><span style='font-size:10.0pt'>long</span></span>,
11462 <span class="CodeText"><span style=
11463 'font-size:10.0pt'>short</span></span>, <span class=
11464 "CodeText"><span style=
11465 'font-size:10.0pt'>unsigned</span></span>).</p>
11467 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11468 height="14" align="left">
11470 <td valign="top" align="left" height="14" style=
11471 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11472 <p class="TextFontCX" align="center" style=
11473 'text-align:center;background:#CCCCCC'><span style=
11474 'font-size:10.0pt'>m:</span><span class=
11475 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
11476 <p class="TextFontCX"><span class="Flag"><span style=
11477 'font-size:10.0pt'>relax-quals</span></span></p>
11478 <p class="IndentText">Report qualifier mismatches only if dangerous
11479 (information may be lost since a larger type is assigned to (or
11480 passed as) a smaller one or a comparison uses <span class=
11481 "CodeText"><span style='font-size:10.0pt'>signed</span></span> and
11482 <span class="CodeText"><span style=
11483 'font-size:10.0pt'>unsigned</span></span> values.)</p>
11485 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11486 height="14" align="left">
11488 <td valign="top" align="left" height="14" style=
11489 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11490 <p class="TextFontCX" align="center" style=
11491 'text-align:center;background:#CCCCCC'><span style=
11492 'font-size:10.0pt'>m:</span><span class=
11493 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11494 <p class="TextFontCX"><span class="Flag"><span style=
11495 'font-size:10.0pt'>ignore-signs</span></span></p>
11496 <p class="IndentText">Ignore signs in type comparisons
11497 (<span class="CodeText"><span style=
11498 'font-size:10.0pt'>unsigned</span></span> matches
11499 <span class="CodeText"><span style=
11500 'font-size:10.0pt'>signed</span></span>).</p>
11501 <p class="IndentText"> </p>
11503 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11504 height="14" align="left">
11506 <td valign="top" align="left" height="14" style=
11507 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11508 <p class="TextFontCX" align="center" style=
11509 'text-align:center;background:#CCCCCC'><span style=
11510 'font-size:10.0pt'>P:</span> <span class=
11511 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11512 <p class="TextFontCX"><span class="Flag"><span style=
11513 'font-size:10.0pt'>long-integral</span></span></p>
11514 <p class="IndentText">Allow long type to match an arbitrary
11515 integral type (e.g., <span class="CodeText"><span style=
11516 'font-size:10.0pt'>dev_t</span></span>).</p>
11518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11519 height="14" align="left">
11521 <td valign="top" align="left" height="14" style=
11522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11523 <p class="TextFontCX" align="center" style=
11524 'text-align:center;background:#CCCCCC'><span style=
11525 'font-size:10.0pt'>m:</span><span class=
11526 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11527 <p class="TextFontCX"><span class="Flag"><span style=
11528 'font-size:10.0pt'>long-unsigned-integral</span></span></p>
11529 <p class="IndentText">Allow unsigned long type to match an
11530 arbitrary integral type (e.g., <span class=
11531 "CodeText"><span style='font-size:10.0pt'>dev_t</span></span>).</p>
11533 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11534 height="14" align="left">
11536 <td valign="top" align="left" height="14" style=
11537 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11538 <p class="TextFontCX" align="center" style=
11539 'text-align:center;background:#CCCCCC'><span style=
11540 'font-size:10.0pt'>P:</span> <span class=
11541 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11542 <p class="TextFontCX"><span class="Flag"><span style=
11543 'font-size:10.0pt'>match-any-integral</span></span></p>
11544 <p class="IndentText">Allow any integral type to match an
11547 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11548 height="14" align="left">
11550 <td valign="top" align="left" height="14" style=
11551 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11552 <p class="TextFontCX" align="center" style=
11553 'text-align:center;background:#CCCCCC'><span style=
11554 'font-size:10.0pt'>P:</span> <span class=
11555 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11556 <p class="TextFontCX"><span class="Flag"><span style=
11557 'font-size:10.0pt'>long-unsigned-unsigned-integral</span></span></p>
11558 <p class="IndentText">Allow unsigned long type to match an
11559 arbitrary unsigned integral type (e.g., <span class=
11560 "CodeText"><span style=
11561 'font-size:10.0pt'>size_t</span></span>).</p>
11563 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11564 height="14" align="left">
11566 <td valign="top" align="left" height="14" style=
11567 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11568 <p class="TextFontCX" align="center" style=
11569 'text-align:center;background:#CCCCCC'><span style=
11570 'font-size:10.0pt'>m:</span><span class=
11571 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11572 <p class="TextFontCX"><span class="Flag"><span style=
11573 'font-size:10.0pt'>long-signed-integral</span></span></p>
11574 <p class="IndentText">Allow long type to match an arbitrary signed
11575 integral type (e.g., <span class="CodeText"><span style=
11576 'font-size:10.0pt'>ssize_t</span></span>).</p>
11577 <p class="TextFontCX"><span class="Flag"><span style=
11578 'font-size:10.0pt'> </span></span></p>
11580 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11581 height="14" align="left">
11583 <td valign="top" align="left" height="14" style=
11584 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11585 <p class="TextFontCX" align="center" style=
11586 'text-align:center;background:#CCCCCC'><span style=
11587 'font-size:10.0pt'>P:</span> <span class=
11588 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11589 <p class="TextFontCX"><span class="Flag"><span style=
11590 'font-size:10.0pt'>num-literal</span></span></p>
11591 <p class="IndentText">Integer literals can be used as floats.</p>
11593 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11594 height="14" align="left">
11596 <td valign="top" align="left" height="14" style=
11597 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11598 <p class="TextFontCX" align="center" style=
11599 'text-align:center;background:#CCCCCC'><span style=
11600 'font-size:10.0pt'>P:</span> <span class=
11601 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11602 <p class="TextFontCX"><span class="Flag"><span style=
11603 'font-size:10.0pt'>char-int-literal</span></span></p>
11604 <p class="IndentText">A character constant may be used as an
11605 <span class="CodeText"><span style=
11606 'font-size:10.0pt'>int</span></span>.</p>
11608 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11609 height="14" align="left">
11611 <td valign="top" align="left" height="14" style=
11612 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11613 <p class="TextFontCX" align="center" style=
11614 'text-align:center;background:#CCCCCC'><span style=
11615 'font-size:10.0pt'>P:</span> <span class=
11616 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11617 <p class="TextFontCX"><span class="Flag"><span style=
11618 'font-size:10.0pt'>zero-ptr</span></span></p>
11619 <p class="IndentText">Literal <span class=
11620 "CodeText"><span style='font-size:10.0pt'>0</span></span> may
11621 be used as a pointer.</p>
11623 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11624 height="14" align="left">
11626 <td valign="top" align="left" height="14" style=
11627 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11628 <p class="TextFontCX" align="center" style=
11629 'text-align:center;background:#CCCCCC'><span style=
11630 'font-size:10.0pt'>P:</span> <span class=
11631 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11632 <p class="TextFontCX"><span class="Flag"><span style=
11633 'font-size:10.0pt'>zero-bool</span></span></p>
11634 <p class="IndentText">Treat <span class=
11635 "CodeText"><span style='font-size:10.0pt'>0</span></span> as a boolean.
11638 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11639 height="14" align="left">
11641 <td valign="top" align="left" height="14" style=
11642 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11643 <p class="TextFontCX" align="center" style=
11644 'text-align:center;background:#CCCCCC'><span style=
11645 'font-size:10.0pt'>P:</span> <span class=
11646 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11647 <p class="TextFontCX"><span class="Flag"><span style=
11648 'font-size:10.0pt'>relax-types</span></span></p>
11649 <p class="IndentText">Allow all numeric types to match.</p>
11650 <p class="Heading10"><a name="_Toc534975052">Abstract Types</a>
11651 <span class="TextFontCXChar"><span style=
11652 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
11653 <span class="TextFontCXChar"><span style=
11654 'font-size:11.0pt; font-weight:normal'>4.3</span></span><span class="TextFontCXChar">
11656 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
11658 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11659 height="14" align="left">
11661 <td valign="top" align="left" height="14" style=
11662 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11663 <p class="TextFontCX" align="center" style=
11664 'text-align:center;background:#CCCCCC'><span style=
11665 'font-size:10.0pt'>P:</span> <span class=
11666 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11667 <p class="TextFontCX"><span class="Flag"><span style=
11668 'font-size:10.0pt'>abstract</span></span></p>
11669 <p class="IndentText">A data abstraction barrier is violated</p>
11671 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11672 height="14" align="left">
11674 <td valign="top" align="left" height="14" style=
11675 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11676 <p class="TextFontCX" align="center" style=
11677 'text-align:center;background:#CCCCCC'><span style=
11678 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
11679 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11680 <p class="TextFontCX"><span class="Flag"><span style=
11681 'font-size:10.0pt'>imp-abstract</span></span></p>
11682 <p class="IndentText">Implicit <span class=
11683 "Annot"><span style='font-size:10.0pt'>abstract</span></span>
11684 annotation for type declarations that do not use <span class=
11685 "Annot"><span style=
11686 'font-size:10.0pt'>concrete</span></span>.</p>
11688 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11689 height="14" align="left">
11691 <td valign="top" align="left" height="14" style=
11692 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11693 <p class="TextFontCX" align="center" style=
11694 'text-align:center;background:#CCCCCC'><span style=
11695 'font-size:10.0pt'>m:</span><span class="Flag"><span style=
11696 'font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11697 <p class="TextFontCX"><span class="Flag"><span style=
11698 'font-size:10.0pt'>mut-rep</span></span></p>
11699 <p class="IndentText">Representation of mutable type has sharing
11701 <p class="Heading10">Access <span class=
11702 "TextFontCXChar"><span style=
11703 'font-size:11.0pt; font-weight:normal'>(Section
11704 4.3.1)</span></span></p>
11706 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11707 height="14" align="left">
11709 <td valign="top" align="left" height="14" style=
11710 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11711 <p class="TextFontCX" align="center" style=
11712 'text-align:center;background:#CCCCCC'><span style=
11713 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
11714 <p class="TextFontCX"><span class="Flag"><span style=
11715 'font-size:10.0pt'>access-module</span></span></p>
11716 <p class="IndentText">An abstract type defined in
11717 <span class="ProgramNameChar"><i>M</i></span><span class=
11718 "ProgramNameChar">.h</span> (or specified in <span class=
11719 "ProgramNameChar"><i>M</i></span><span class=
11720 "ProgramNameChar">.lcl</span>) is accessible in <span class=
11721 "ProgramNameChar"><i>M</i></span><span class=
11722 "ProgramNameChar">.c</span>.</p>
11724 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11725 height="14" align="left">
11727 <td valign="top" align="left" height="14" style=
11728 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11729 <p class="TextFontCX" align="center" style=
11730 'text-align:center;background:#CCCCCC'><span style=
11731 'font-size:10.0pt'>P:</span> <span class=
11732 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11733 <p class="TextFontCX"><span class="Flag"><span style=
11734 'font-size:10.0pt'>access-file</span></span></p>
11735 <p class="IndentText">An abstract type named <span class=
11736 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11737 is accessible in files named <span class=
11738 "ProgramNameChar"><i>type</i></span><span class=
11739 "ProgramNameChar">.*</span></p>
11741 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11742 height="14" align="left">
11744 <td valign="top" align="left" height="14" style=
11745 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11746 <p class="TextFontCX" align="center" style=
11747 'text-align:center;background:#CCCCCC'><span style=
11748 'font-size:10.0pt'>P:</span> <span class=
11749 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11750 <p class="MsoListBullet"><span class="Flag"><span style=
11751 'font-size:10.0pt'>access-czech</span></span></p>
11752 <p class="IndentText">An abstract type named <span class=
11753 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11754 may be accessible in a function named <span class=
11755 "CodeText"><i><span style=
11756 'font-size:10.0pt'>type_name</span></i></span>. (Section
11759 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11760 height="14" align="left">
11762 <td valign="top" align="left" height="14" style=
11763 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11764 <p class="TextFontCX" align="center" style=
11765 'text-align:center;background:#CCCCCC'><span style=
11766 'font-size:10.0pt'>P:</span> <span class=
11767 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11768 <p class="MsoListBullet"><span class="Flag"><span style=
11769 'font-size:10.0pt'>access-slovak</span></span></p>
11770 <p class="IndentText">An abstract type named <span class=
11771 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11772 may be accessible in a function named <span class=
11773 "CodeText"><i><span style=
11774 'font-size:10.0pt'>typeName</span></i></span>.
11775 (Section.12.1.2)</p>
11777 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11778 height="14" align="left">
11780 <td valign="top" align="left" height="14" style=
11781 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11782 <p class="TextFontCX" align="center" style=
11783 'text-align:center;background:#CCCCCC'><span style=
11784 'font-size:10.0pt'>P:</span> <span class=
11785 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11786 <p class="MsoListBullet"><span class="Flag"><span style=
11787 'font-size:10.0pt'>access-czechoslovak</span></span></p>
11788 <p class="IndentText">An abstract type named <span class=
11789 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11790 may be accessible in a function named <span class=
11791 "CodeText"><i><span style=
11792 'font-size:10.0pt'>type_name</span></i></span> or
11793 <span class="CodeText"><i><span style=
11794 'font-size:10.0pt'>typeName</span></i></span>. (Section
11797 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11798 height="14" align="left">
11800 <td valign="top" align="left" height="14" style=
11801 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11802 <p class="TextFontCX" align="center" style=
11803 'text-align:center;background:#CCCCCC'><span style=
11804 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
11805 <p class="TextFontCX"><span class="Flag"><span style=
11806 'font-size:10.0pt'>access-all</span></span></p>
11807 <p class="IndentText">Sets <span class="Flag"><span style=
11808 'font-size:10.0pt'>access-module</span></span>, <span class=
11809 "Flag"><span style='font-size:10.0pt'>access-file</span></span> and
11810 <span class="Flag"><span style=
11811 'font-size:10.0pt'>access-czech</span></span>.</p>
11812 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
11813 <a name="_Toc534975053">Memory Management</a> <span class=
11814 "TextFontCXChar"><span style=
11815 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
11816 <span class="TextFontCXChar"><span style=
11817 'font-size:11.0pt; font-weight:normal'>5</span></span><span class="TextFontCXChar">
11819 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
11820 <p class="TextFontCX">Reporting of memory management errors is
11821 controlled by flags setting checking and implicit annotations and
11822 code annotations. </p>
11823 <p class="Heading10">Deallocation Errors <span class=
11824 "TextFontCXChar"><span style=
11825 'font-size:11.0pt; font-weight:normal'>(Section
11826 5.2)</span></span></p>
11828 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11829 height="14" align="left">
11831 <td valign="top" align="left" height="14" style=
11832 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11833 <p class="TextFontCX" align="center" style=
11834 'text-align:center;background:#CCCCCC'><span style=
11835 'font-size:10.0pt'>m:</span><span class=
11836 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11837 <p class="TextFontCX"><span class="Flag"><span style=
11838 'font-size:10.0pt'>use-released</span></span></p>
11839 <p class="IndentText">Storage used after it may have been
11842 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11843 height="14" align="left">
11845 <td valign="top" align="left" height="14" style=
11846 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11847 <p class="TextFontCX" align="center" style=
11848 'text-align:center;background:#CCCCCC'><span style=
11849 'font-size:10.0pt'>m:</span><span class=
11850 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11851 <p class="TextFontCX"><span class="Flag"><span style=
11852 'font-size:10.0pt'>strict-use-released</span></span></p>
11853 <p class="IndentText">An array element used after it may have been
11855 <p class="Heading10">Inconsistent Branches</p>
11857 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11858 height="14" align="left">
11860 <td valign="top" align="left" height="14" style=
11861 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11862 <p class="TextFontCX" align="center" style=
11863 'text-align:center;background:#CCCCCC'><span style=
11864 'font-size:10.0pt'>m:</span><span class=
11865 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11866 <p class="TextFontCX"><span class="Flag"><span style=
11867 'font-size:10.0pt'>branch-state</span></span></p>
11868 <p class="IndentText">Storage has inconsistent states of alternate
11869 paths through a branch (e.g., it is released in the true branch of
11870 an if-statement, but there is no else branch.)</p>
11872 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11873 height="14" align="left">
11875 <td valign="top" align="left" height="14" style=
11876 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11877 <p class="TextFontCX" align="center" style=
11878 'text-align:center;background:#CCCCCC'><span style=
11879 'font-size:10.0pt'>m:</span><span class=
11880 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11881 <p class="TextFontCX"><span class="Flag"><span style=
11882 'font-size:10.0pt'>strict-branch-state</span></span></p>
11883 <p class="IndentText">Storage through array fetch has inconsistent
11884 states of alternate paths through a branch. Since array
11885 elements are not checked accurately, this may lead to spurious
11888 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11889 height="14" align="left">
11891 <td valign="top" align="left" height="14" style=
11892 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11893 <p class="TextFontCX" align="center" style=
11894 'text-align:center;background:#CCCCCC'><span style=
11895 'font-size:10.0pt'>m:</span><span class=
11896 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
11897 <p class="TextFontCX"><span class="Flag"><span style=
11898 'font-size:10.0pt'>dep-arrays</span></span></p>
11899 <p class="IndentText">Treat array elements as <span class=
11900 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
11901 storage. Checking of array elements cannot be done accurately
11902 by Splint. If <span class="Flag"><span style=
11903 'font-size:10.0pt'>dep-arrays</span></span> is not set, array
11904 elements are assumed to be independent, so code that releases the
11905 same element more than once will produce no error. If
11906 <span class="Flag"><span style=
11907 'font-size:10.0pt'>dep-arrays</span></span> is set, array elements
11908 are assumed to be dependent, so code that releases the same element
11909 more that once will produce an error, but code that releases
11910 different elements correctly will produce a spurious error.</p>
11911 <p class="Heading10">Memory Leaks</p>
11913 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11914 height="14" align="left">
11916 <td valign="top" align="left" height="14" style=
11917 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11918 <p class="TextFontCX" align="center" style=
11919 'text-align:center;background:#CCCCCC'><span style=
11920 'font-size:10.0pt'>m:</span><span class=
11921 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11922 <p class="TextFontCX"><span class="Flag"><span style=
11923 'font-size:10.0pt'>must-free</span></span></p>
11924 <p class="IndentText">Allocated storage was not released before
11925 return or scope exit. Errors are reported for
11926 <span class="Annot"><span style=
11927 'font-size:10.0pt'>only</span></span>, <span class=
11928 "Annot"><span style='font-size:10.0pt'>fresh</span></span> or
11929 <span class="Annot"><span style=
11930 'font-size:10.0pt'>owned</span></span> storage.</p>
11934 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11935 height="14" align="left">
11937 <td valign="top" align="left" height="14" style=
11938 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11939 <p class="TextFontCX" align="center" style=
11940 'text-align:center;background:#CCCCCC'><span style=
11941 'font-size:10.0pt'>m:</span><span class=
11942 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11943 <p class="TextFontCX"><span class="Flag"><span style=
11944 'font-size:10.0pt'>mustfreefresh</span></span></p>
11945 <p class="IndentText">
11946 Allocated storage was not released before return or scope exit. Errors are reported for
11947 <span class="Annot"><span style='font-size:10.0pt'>fresh</span></span> storage
11952 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11953 height="14" align="left">
11955 <td valign="top" align="left" height="14" style=
11956 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11957 <p class="TextFontCX" align="center" style=
11958 'text-align:center;background:#CCCCCC'><span style=
11959 'font-size:10.0pt'>m:</span><span class=
11960 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11961 <p class="TextFontCX"><span class="Flag"><span style=
11962 'font-size:10.0pt'>mustfreeonly</span></span></p>
11963 <p class="IndentText">
11964 Allocated storage was not released before return or scope exit. Errors are reported for
11965 <span class="Annot"><span style='font-size:10.0pt'>only</span></span> storage
11969 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11970 height="14" align="left">
11972 <td valign="top" align="left" height="14" style=
11973 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11974 <p class="TextFontCX" align="center" style=
11975 'text-align:center;background:#CCCCCC'><span style=
11976 'font-size:10.0pt'>shortcut</span><span class=
11977 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
11978 <p class="TextFontCX"><span class="Flag"><span style=
11979 'font-size:10.0pt'>memchecks</span></span></p>
11980 <p class="IndentText">
11981 Sets all dynamic memory checking flags
11983 "Flag"><span style='font-size:10.0pt'>memimplicit, mustfree, mustdefine, mustnotalias, null, memtrans</span> </span>).
11987 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11988 height="14" align="left">
11990 <td valign="top" align="left" height="14" style=
11991 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11992 <p class="TextFontCX" align="center" style=
11993 'text-align:center;background:#CCCCCC'><span style=
11994 'font-size:10.0pt'>m:</span><span class=
11995 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11996 <p class="TextFontCX"><span class="Flag"><span style=
11997 'font-size:10.0pt'>comp-destroy</span></span></p>
11998 <p class="IndentText">All only references derivable from
11999 <span class="Annot"><span style='font-size:10.0pt'>out
12000 only</span></span> parameter of type <span class=
12001 "CodeText"><span style='font-size:10.0pt'>void *</span></span> must
12002 be released. (This is the type of the parameter to
12003 <span class="CodeText"><span style=
12004 'font-size:10.0pt'>free</span></span>, but may also be used for
12005 user-defined deallocation functions.)</p>
12007 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12008 height="14" align="left">
12010 <td valign="top" align="left" height="14" style=
12011 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12012 <p class="TextFontCX" align="center" style=
12013 'text-align:center;background:#CCCCCC'><span style=
12014 'font-size:10.0pt'>m:</span><span class=
12015 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12016 <p class="TextFontCX"><span class="Flag"><span style=
12017 'font-size:10.0pt'>strict-destroy</span></span></p>
12018 <p class="IndentText">Report complete destruction errors for array
12019 elements that may have been released. (If <span class=
12020 "Flag"><span style='font-size:10.0pt'>strict-destroy</span></span>
12021 is not set, Splint will assume that if any array element was
12022 released, the entire array was correctly released.)</p>
12023 <p class="Heading10">Transfer Errors</p>
12024 <p class="beforelist">A transfer error is reported when storage is
12025 transferred (by an assignment, passing a parameter, or returning)
12026 in a way that is inconsistent.</p>
12028 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12029 height="14" align="left">
12031 <td valign="top" align="left" height="14" style=
12032 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12033 <p class="TextFontCX" align="center" style=
12034 'text-align:center;background:#CCCCCC'><span style=
12035 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12036 <p class="TextFontCX"><span class="Flag"><span style=
12037 'font-size:10.0pt'>mem-trans</span></span></p>
12038 <p class="IndentText">Sets all memory transfer errors flags.</p>
12040 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12041 height="14" align="left">
12043 <td valign="top" align="left" height="14" style=
12044 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12045 <p class="TextFontCX" align="center" style=
12046 'text-align:center;background:#CCCCCC'><span style=
12047 'font-size:10.0pt'>m:</span><span class=
12048 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12049 <p class="TextFontCX"><span class="Flag"><span style=
12050 'font-size:10.0pt'>only-trans</span></span></p>
12051 <p class="IndentText">Only storage transferred to non-only
12052 reference (memory leak).</p>
12054 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12055 height="14" align="left">
12057 <td valign="top" align="left" height="14" style=
12058 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12059 <p class="TextFontCX" align="center" style=
12060 'text-align:center;background:#CCCCCC'><span style=
12061 'font-size:10.0pt'>m:</span><span class=
12062 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12063 <p class="TextFontCX"><span class="Flag"><span style=
12064 'font-size:10.0pt'>ownedtrans</span></span></p>
12065 <p class="IndentText">Owned storage transferred to non-owned
12066 reference (memory leak).</p>
12068 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12069 height="14" align="left">
12071 <td valign="top" align="left" height="14" style=
12072 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12073 <p class="TextFontCX" align="center" style=
12074 'text-align:center;background:#CCCCCC'><span style=
12075 'font-size:10.0pt'>m:</span><span class=
12076 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12077 <p class="TextFontCX"><span class="Flag"><span style=
12078 'font-size:10.0pt'>fresh-trans</span></span></p>
12079 <p class="IndentText">Newly-allocated storage transferred to
12080 non-only reference (memory leak).</p>
12082 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12083 height="14" align="left">
12085 <td valign="top" align="left" height="14" style=
12086 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12087 <p class="TextFontCX" align="center" style=
12088 'text-align:center;background:#CCCCCC'><span style=
12089 'font-size:10.0pt'>m:</span><span class=
12090 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12091 <p class="TextFontCX"><span class="Flag"><span style=
12092 'font-size:10.0pt'>shared-trans</span></span></p>
12093 <p class="IndentText">Shared storage transferred to non-shared
12096 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12097 height="14" align="left">
12099 <td valign="top" align="left" height="14" style=
12100 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12101 <p class="TextFontCX" align="center" style=
12102 'text-align:center;background:#CCCCCC'><span style=
12103 'font-size:10.0pt'>m:</span><span class=
12104 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12105 <p class="TextFontCX"><span class="Flag"><span style=
12106 'font-size:10.0pt'>dependent-trans</span></span></p>
12107 <p class="IndentText">Inconsistent <span class=
12108 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
12109 transfer. Dependent storage is transferred to a non-dependent
12112 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12113 height="14" align="left">
12115 <td valign="top" align="left" height="14" style=
12116 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12117 <p class="TextFontCX" align="center" style=
12118 'text-align:center;background:#CCCCCC'><span style=
12119 'font-size:10.0pt'>m:</span><span class=
12120 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12121 <p class="TextFontCX"><span class="Flag"><span style=
12122 'font-size:10.0pt'>temp-trans</span></span></p>
12123 <p class="IndentText">Temporary storage (associated with a
12124 <span class="Annot"><span style=
12125 'font-size:10.0pt'>temp</span></span> formal parameter) is
12126 transferred to a non-temporary reference. The storage may be
12127 released or new aliases created.</p>
12129 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12130 height="14" align="left">
12132 <td valign="top" align="left" height="14" style=
12133 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12134 <p class="TextFontCX" align="center" style=
12135 'text-align:center;background:#CCCCCC'><span style=
12136 'font-size:10.0pt'>m:</span><span class=
12137 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12138 <p class="TextFontCX"><span class="Flag"><span style=
12139 'font-size:10.0pt'>kept-trans</span></span></p>
12140 <p class="IndentText">Kept storage (storage what was passed as
12141 <span class="Annot"><span style=
12142 'font-size:10.0pt'>keep</span></span>) transferred to non-temporary
12145 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12146 height="14" align="left">
12148 <td valign="top" align="left" height="14" style=
12149 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12150 <p class="TextFontCX" align="center" style=
12151 'text-align:center;background:#CCCCCC'><span style=
12152 'font-size:10.0pt'>m:</span><span class=
12153 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12154 <p class="TextFontCX"><span class="Flag"><span style=
12155 'font-size:10.0pt'>keep-trans</span></span></p>
12156 <p class="IndentText">Keep storage is transferred in a way that may
12157 add a new alias to it, or release it.</p>
12159 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12160 height="14" align="left">
12162 <td valign="top" align="left" height="14" style=
12163 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12164 <p class="TextFontCX" align="center" style=
12165 'text-align:center;background:#CCCCCC'><span style=
12166 'font-size:10.0pt'>m:</span><span class=
12167 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12168 <p class="TextFontCX"><span class="Flag"><span style=
12169 'font-size:10.0pt'>refcount-trans</span></span></p>
12170 <p class="IndentText">Reference counted storage is transferred in
12171 an inconsistent way.</p>
12173 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12174 height="14" align="left">
12176 <td valign="top" align="left" height="14" style=
12177 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12178 <p class="TextFontCX" align="center" style=
12179 'text-align:center;background:#CCCCCC'><span style=
12180 'font-size:10.0pt'>m:</span><span class=
12181 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12182 <p class="TextFontCX"><span class="Flag"><span style=
12183 'font-size:10.0pt'>newref-trans</span></span></p>
12184 <p class="IndentText">A new reference transferred to a reference
12185 counted reference (reference count is not set correctly).</p>
12187 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12188 height="14" align="left">
12190 <td valign="top" align="left" height="14" style=
12191 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12192 <p class="TextFontCX" align="center" style=
12193 'text-align:center;background:#CCCCCC'><span style=
12194 'font-size:10.0pt'>m:</span><span class=
12195 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12196 <p class="TextFontCX"><span class="Flag"><span style=
12197 'font-size:10.0pt'>immediate-trans</span></span></p>
12198 <p class="IndentText">An immediate address (result of
12199 <span class="CodeText"><span style=
12200 'font-size:10.0pt'>&</span></span>) is transferred
12201 inconsistently.</p>
12203 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12204 height="14" align="left">
12206 <td valign="top" align="left" height="14" style=
12207 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12208 <p class="TextFontCX" align="center" style=
12209 'text-align:center;background:#CCCCCC'><span style=
12210 'font-size:10.0pt'>m:</span><span class=
12211 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12212 <p class="TextFontCX"><span class="Flag"><span style=
12213 'font-size:10.0pt'>static-trans</span></span></p>
12214 <p class="IndentText">Static storage is transferred in an
12215 inconsistent way.</p>
12217 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12218 height="14" align="left">
12220 <td valign="top" align="left" height="14" style=
12221 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12222 <p class="TextFontCX" align="center" style=
12223 'text-align:center;background:#CCCCCC'><span style=
12224 'font-size:10.0pt'>m:</span><span class=
12225 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12226 <p class="TextFontCX"><span class="Flag"><span style=
12227 'font-size:10.0pt'>expose-trans</span></span></p>
12228 <p class="IndentText">Inconsistent exposure transfer. Exposed
12229 storage is transferred to a non-<span class=
12230 "Annot"><span style='font-size:10.0pt'>exposed</span></span>,
12231 non-<span class="Annot"><span style=
12232 'font-size:10.0pt'>observer</span></span> reference.</p>
12234 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12235 height="14" align="left">
12237 <td valign="top" align="left" height="14" style=
12238 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12239 <p class="TextFontCX" align="center" style=
12240 'text-align:center;background:#CCCCCC'><span style=
12241 'font-size:10.0pt'>m:</span><span class=
12242 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12243 <p class="TextFontCX"><span class="Flag"><span style=
12244 'font-size:10.0pt'>observer-trans</span></span></p>
12245 <p class="IndentText">Inconsistent <span class=
12246 "Annot"><span style='font-size:10.0pt'>observer</span></span>
12247 transfer. Observer storage is transferred to a non-observer
12250 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12251 height="14" align="left">
12253 <td valign="top" align="left" height="14" style=
12254 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12255 <p class="TextFontCX" align="center" style=
12256 'text-align:center;background:#CCCCCC'><span style=
12257 'font-size:10.0pt'>m:</span><span class=
12258 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12259 <p class="TextFontCX"><span class="Flag"><span style=
12260 'font-size:10.0pt'>unqualified-trans</span></span></p>
12261 <p class="IndentText">Unqualified storage is transferred in an
12262 inconsistent way.</p>
12263 <p class="Heading11">Initializers</p>
12265 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12266 height="14" align="left">
12268 <td valign="top" align="left" height="14" style=
12269 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12270 <p class="TextFontCX" align="center" style=
12271 'text-align:center;background:#CCCCCC'><span style=
12272 'font-size:10.0pt'>m:</span><span class=
12273 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12274 <p class="TextFontCX"><span class="Flag"><span style=
12275 'font-size:10.0pt'>only-unq-global-trans</span></span></p>
12276 <p class="IndentText">Only storage transferred to an unqualified
12277 global or static reference. This may lead to a memory leak, since
12278 the new reference is not necessarily released.</p>
12280 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12281 height="14" align="left">
12283 <td valign="top" align="left" height="14" style=
12284 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12285 <p class="TextFontCX" align="center" style=
12286 'text-align:center;background:#CCCCCC'><span style=
12287 'font-size:10.0pt'>m:</span><span class=
12288 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12289 <p class="TextFontCX"><span class="Flag"><span style=
12290 'font-size:10.0pt'>static-init-trans</span></span></p>
12291 <p class="IndentText">Static storage is used as an initial value in
12292 an inconsistent way.</p>
12294 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12295 height="14" align="left">
12297 <td valign="top" align="left" height="14" style=
12298 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12299 <p class="TextFontCX" align="center" style=
12300 'text-align:center;background:#CCCCCC'><span style=
12301 'font-size:10.0pt'>m:</span><span class=
12302 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12303 <p class="TextFontCX"><span class="Flag"><span style=
12304 'font-size:10.0pt'>unqualified-init-trans</span></span></p>
12305 <p class="IndentText">Unqualified storage is used as an initial
12306 value in an inconsistent way.</p>
12307 <p class="Heading11">Derived Storage</p>
12309 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12310 height="14" align="left">
12312 <td valign="top" align="left" height="14" style=
12313 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12314 <p class="TextFontCX" align="center" style=
12315 'text-align:center;background:#CCCCCC'><span style=
12316 'font-size:10.0pt'>m:</span><span class=
12317 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12318 <p class="TextFontCX"><span class="Flag"><span style=
12319 'font-size:10.0pt'>comp-mem-pass</span></span></p>
12320 <p class="IndentText">Storage derivable from a parameter does not
12321 match the alias kind expected for the formal parameter.</p>
12322 <p class="Heading11">Stack References</p>
12324 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12325 height="14" align="left">
12327 <td valign="top" align="left" height="14" style=
12328 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12329 <p class="TextFontCX" align="center" style=
12330 'text-align:center;background:#CCCCCC'><span style=
12331 'font-size:10.0pt'>m:</span><span class=
12332 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12333 <p class="TextFontCX"><span class="Flag"><span style=
12334 'font-size:10.0pt'>stack-ref</span></span></p>
12335 <p class="IndentText">A stack reference is pointed to by an
12336 external reference when the function returns. Since the call
12337 frame will be destroyed when the function returns the return value
12338 will point to dead storage. (Section 5.2.6)</p>
12339 <p class="Heading10">Implicit Memory Annotations <span class=
12340 "HeadingNote"><span style=
12341 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
12342 <span class="HeadingNote"><span style=
12343 'font-size:10.5pt;font-weight:normal;font-style: normal'>5.3</span></span><span class="HeadingNote">
12345 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12349 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12350 height="14" align="left">
12352 <td valign="top" align="left" height="14" style=
12353 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12354 <p class="TextFontCX" align="center" style=
12355 'text-align:center;background:#CCCCCC'><span style=
12356 'font-size:10.0pt'>shortcut</span> <span class=
12357 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
12358 <p class="TextFontCX"><span class="Flag"><span style=
12359 'font-size:10.0pt'>all-imp-only</span></span></p>
12360 <p class="IndentText">Sets
12361 <span class="Flag"><span style=
12362 'font-size:10.0pt'>
12363 glob-imp-only, ret-imp-only, struct-imp-only, specglobimponly, specretimponly
12366 <span class="Flag"><span style=
12367 'font-size:10.0pt'>
12374 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12375 height="14" align="left">
12377 <td valign="top" align="left" height="14" style=
12378 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12379 <p class="TextFontCX" align="center" style=
12380 'text-align:center;background:#CCCCCC'><span style=
12381 'font-size:10.0pt'>P:</span> <span class=
12382 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12383 <p class="TextFontCX"><span class="Flag"><span style=
12384 'font-size:10.0pt'>glob-imp-only</span></span></p>
12385 <p class="IndentText">Assume unannotated global storage is
12390 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12391 height="14" align="left">
12393 <td valign="top" align="left" height="14" style=
12394 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12395 <p class="TextFontCX" align="center" style=
12396 'text-align:center;background:#CCCCCC'><span style=
12397 'font-size:10.0pt'>P:</span> <span class=
12398 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12399 <p class="TextFontCX"><span class="Flag"><span style=
12400 'font-size:10.0pt'>param-imp-temp</span></span></p>
12401 <p class="IndentText">Assume unannotated parameter is
12402 <span class="Annot"><span style=
12403 'font-size:10.0pt'>temp</span></span>.</p>
12405 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12406 height="14" align="left">
12408 <td valign="top" align="left" height="14" style=
12409 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12410 <p class="TextFontCX" align="center" style=
12411 'text-align:center;background:#CCCCCC'><span style=
12412 'font-size:10.0pt'>P:</span> <span class=
12413 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12414 <p class="TextFontCX"><span class="Flag"><span style=
12415 'font-size:10.0pt'>ret-imp-only</span></span></p>
12416 <p class="IndentText">Assume unannotated returned storage is
12417 <span class="Annot"><span style=
12418 'font-size:10.0pt'>only</span></span>.</p>
12420 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12421 height="14" align="left">
12423 <td valign="top" align="left" height="14" style=
12424 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12425 <p class="TextFontCX" align="center" style=
12426 'text-align:center;background:#CCCCCC'><span style=
12427 'font-size:10.0pt'>P:</span> <span class=
12428 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12429 <p class="TextFontCX"><span class="Flag"><span style=
12430 'font-size:10.0pt'>struct-imp-only</span></span></p>
12431 <p class="IndentText">Assume unannotated structure or union field
12432 is <span class="Annot"><span style=
12433 'font-size:10.0pt'>only</span></span>.</p>
12435 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12436 height="14" align="left">
12438 <td valign="top" align="left" height="14" style=
12439 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12440 <p class="TextFontCX" align="center" style=
12441 'text-align:center;background:#CCCCCC'><span style=
12442 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12443 <p class="TextFontCX"><span class="Flag"><span style=
12444 'font-size:10.0pt'>code-imp-only</span></span></p>
12445 <p class="IndentText">Sets <span class="Flag"><span style=
12446 'font-size:10.0pt'>glob-imp-only</span></span>, <span class=
12447 "Flag"><span style='font-size:10.0pt'>ret-imp-only</span></span>
12448 and <span class="Flag"><span style=
12449 'font-size:10.0pt'>struct-imp-only</span></span>.</p>
12451 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12452 height="14" align="left">
12454 <td valign="top" align="left" height="14" style=
12455 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12456 <p class="TextFontCX" align="center" style=
12457 'text-align:center;background:#CCCCCC'><span style=
12458 'font-size:10.0pt'>m:</span><span class=
12459 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12460 <p class="TextFontCX"><span class="Flag"><span style=
12461 'font-size:10.0pt'>mem-imp</span></span></p>
12462 <p class="IndentText">Report memory errors for unqualified
12465 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12466 height="14" align="left">
12468 <td valign="top" align="left" height="14" style=
12469 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12470 <p class="TextFontCX" align="center" style=
12471 'text-align:center;background:#CCCCCC'><span style=
12472 'font-size:10.0pt'>m:</span><span class=
12473 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
12474 <p class="TextFontCX"><span class="Flag"><span style=
12475 'font-size:10.0pt'>pass-unknown</span></span></p>
12476 <p class="IndentText">Passing a value as an unannotated parameter
12477 clears its annotation. This will prevent many spurious errors
12478 from being report for unannotated programs, but eliminates the
12479 possibility of detecting many errors.</p>
12480 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
12481 <a name="_Toc534975054">Sharing</a> <span class=
12482 "TextFontCXChar"><span style=
12483 'font-size:11.0pt; font-weight:normal'>(Section
12484 6)</span></span></p>
12485 <p class="Heading10">Aliasing <span class=
12486 "TextFontCXChar"><span style=
12487 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
12488 <span class="TextFontCXChar"><span style=
12489 'font-size:11.0pt; font-weight:normal'>6.1</span></span><span class="TextFontCXChar">
12491 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
12493 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12494 height="14" align="left">
12496 <td valign="top" align="left" height="14" style=
12497 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12498 <p class="TextFontCX" align="center" style=
12499 'text-align:center;background:#CCCCCC'><span style=
12500 'font-size:10.0pt'>m:</span><span class=
12501 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12502 <p class="TextFontCX"><span class="Flag"><span style=
12503 'font-size:10.0pt'>alias-unique</span></span></p>
12504 <p class="IndentText">An actual parameter that is passed as a
12505 <span class="Annot"><span style=
12506 'font-size:10.0pt'>unique</span></span> formal parameter is aliased
12507 by another parameter or global variable.</p>
12509 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12510 height="14" align="left">
12512 <td valign="top" align="left" height="14" style=
12513 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12514 <p class="TextFontCX" align="center" style=
12515 'text-align:center;background:#CCCCCC'><span style=
12516 'font-size:10.0pt'>m:</span><span class=
12517 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12518 <p class="TextFontCX"><span class="Flag"><span style=
12519 'font-size:10.0pt'>may-alias-unique</span></span></p>
12520 <p class="IndentText">An actual parameter that is passed as a
12521 <span class="Annot"><span style=
12522 'font-size:10.0pt'>unique</span></span> formal parameter may be
12523 aliased by another parameter or global variable.</p>
12525 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12526 height="14" align="left">
12528 <td valign="top" align="left" height="14" style=
12529 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12530 <p class="TextFontCX" align="center" style=
12531 'text-align:center;background:#CCCCCC'><span style=
12532 'font-size:10.0pt'>m:</span><span class=
12533 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12534 <p class="TextFontCX"><span class="Flag"><span style=
12535 'font-size:10.0pt'>must-not-alias</span></span></p>
12536 <p class="IndentText">An alias has been added to a
12537 <span class="Annot"><span style=
12538 'font-size:10.0pt'>temp</span></span>-qualifier parameter
12539 or global that is visible externally when the function
12542 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12543 height="14" align="left">
12545 <td valign="top" align="left" height="14" style=
12546 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12547 <p class="TextFontCX" align="center" style=
12548 'text-align:center;background:#CCCCCC'><span style=
12549 'font-size:10.0pt'>m:</span><span class=
12550 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12551 <p class="TextFontCX"><span class="Flag"><span style=
12552 'font-size:10.0pt'>ret-alias</span></span></p>
12553 <p class="IndentText">A function returns an alias to parameter or
12555 <p class="Heading10">Exposure <span class=
12556 "HeadingNote"><span style='font-size: 10.5pt;font-weight:normal;font-style:normal'>
12557 (Section</span></span> <span class="HeadingNote"><span style=
12558 'font-size:10.5pt;font-weight:normal;font-style: normal'>6.2</span></span><span class="HeadingNote">
12560 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12562 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12563 height="14" align="left">
12565 <td valign="top" align="left" height="14" style=
12566 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12567 <p class="TextFontCX" align="center" style=
12568 'text-align:center;background:#CCCCCC'><span style=
12569 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12570 <p class="TextFontCX"><span class="Flag"><span style=
12571 'font-size:10.0pt'>rep-expose</span></span></p>
12572 <p class="IndentText">The internal representation of an abstract
12573 type is visible to the caller. This means clients may have
12574 access to a pointer into the abstract representation. (Sets
12575 <span class="Flag"><span style=
12576 'font-size:10.0pt'>assign-expose</span></span>, <span class=
12577 "Flag"><span style='font-size:10.0pt'>ret-expose</span></span>, and
12578 <span class="Flag"><span style=
12579 'font-size:10.0pt'>cast-expose</span></span>.)</p>
12581 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12582 height="14" align="left">
12584 <td valign="top" align="left" height="14" style=
12585 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12586 <p class="TextFontCX" align="center" style=
12587 'text-align:center;background:#CCCCCC'><span style=
12588 'font-size:10.0pt'>m:</span><span class=
12589 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12590 <p class="TextFontCX"><span class="Flag"><span style=
12591 'font-size:10.0pt'>assign-expose</span></span></p>
12592 <p class="IndentText">Abstract representation is exposed by an
12593 assignment or passed parameter.</p>
12595 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12596 height="14" align="left">
12598 <td valign="top" align="left" height="14" style=
12599 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12600 <p class="TextFontCX" align="center" style=
12601 'text-align:center;background:#CCCCCC'><span style=
12602 'font-size:10.0pt'>m:</span><span class=
12603 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12604 <p class="TextFontCX"><span class="Flag"><span style=
12605 'font-size:10.0pt'>cast-expose</span></span></p>
12606 <p class="IndentText">Abstract representation is exposed through a
12609 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12610 height="14" align="left">
12612 <td valign="top" align="left" height="14" style=
12613 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12614 <p class="TextFontCX" align="center" style=
12615 'text-align:center;background:#CCCCCC'><span style=
12616 'font-size:10.0pt'>m:</span><span class=
12617 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12618 <p class="TextFontCX"><span class="Flag"><span style=
12619 'font-size:10.0pt'>ret-expose</span></span></p>
12620 <p class="IndentText">Abstract representation is exposed by a
12622 <p class="Heading11">Observer Modifications</p>
12624 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12625 height="14" align="left">
12627 <td valign="top" align="left" height="14" style=
12628 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12629 <p class="TextFontCX" align="center" style=
12630 'text-align:center;background:#CCCCCC'><span style=
12631 'font-size:10.0pt'>P:</span> <span class=
12632 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12633 <p class="TextFontCX"><span class="Flag"><span style=
12634 'font-size:10.0pt'>mod-observer</span></span></p>
12635 <p class="IndentText">Possible modification of observer
12638 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12639 height="14" align="left">
12641 <td valign="top" align="left" height="14" style=
12642 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12643 <p class="TextFontCX" align="center" style=
12644 'text-align:center;background:#CCCCCC'><span style=
12645 'font-size:10.0pt'>m:</span><span class=
12646 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12647 <p class="TextFontCX"><span class="Flag"><span style=
12648 'font-size:10.0pt'>mod-observer-uncon</span></span></p>
12649 <p class="IndentText">Storage declared with observer may be
12650 modified through a call to an unconstrained function.</p>
12651 <p class="Heading11">String Literals <span class=
12652 "TextFontCXChar"><span style=
12653 'font-weight: normal;font-style:normal'>(Section
12654 6.2.1)</span></span></p>
12656 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12657 height="14" align="left">
12659 <td valign="top" align="left" height="14" style=
12660 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12661 <p class="TextFontCX" align="center" style=
12662 'text-align:center;background:#CCCCCC'><span style=
12663 'font-size:10.0pt'>m:</span><span class=
12664 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12665 <p class="TextFontCX"><span class="Flag"><span style=
12666 'font-size:10.0pt'>read-only-trans</span></span></p>
12667 <p class="IndentText">Report memory transfer errors for
12668 initializations to read-only string literals</p>
12670 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12671 height="14" align="left">
12673 <td valign="top" align="left" height="14" style=
12674 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12675 <p class="TextFontCX" align="center" style=
12676 'text-align:center;background:#CCCCCC'><span style=
12677 'font-size:10.0pt'>m:</span><span class=
12678 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12679 <p class="TextFontCX"><span class="Flag"><span style=
12680 'font-size:10.0pt'>read-only-strings</span></span></p>
12681 <p class="IndentText">String literals are read-only (ISO
12682 semantics). An error is reported if a string literal may be
12683 modified or released.</p>
12684 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
12685 Function Interfaces <span class="TextFontCXChar"><span style=
12686 'font-size:11.0pt;font-weight:normal'>(Section</span></span>
12687 <span class="TextFontCXChar"><span style=
12688 'font-size:11.0pt; font-weight:normal'>7</span></span><span class="TextFontCXChar">
12690 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
12691 <p class="Heading10">Modification <span class=
12692 "TextFontCXChar"><span style=
12693 'font-size:11.0pt; font-weight:normal'>(Section
12694 7.1)</span></span></p>
12696 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12697 height="14" align="left">
12699 <td valign="top" align="left" height="14" style=
12700 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12701 <p class="TextFontCX" align="center" style=
12702 'text-align:center;background:#CCCCCC'><span style=
12703 'font-size:10.0pt'>P:</span> <span class=
12704 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12705 <p class="TextFontCX"><span class="Flag"><span style=
12706 'font-size:10.0pt'>modifies</span></span></p>
12707 <p class="IndentText">Undocumented modification of caller-visible
12708 state. Without <span class="Flag"><span style=
12709 'font-size:10.0pt'>+moduncon</span></span>, modification errors are
12710 only reported in the definitions of functions declared with a
12711 modifies clause (or specified).</p>
12713 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12714 height="14" align="left">
12716 <td valign="top" align="left" height="14" style=
12717 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12718 <p class="TextFontCX" align="center" style=
12719 'text-align:center;background:#CCCCCC'><span style=
12720 'font-size:10.0pt'>m:</span><span class=
12721 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12722 <p class="TextFontCX"><span class="Flag"><span style=
12723 'font-size:10.0pt'>must-mod</span></span></p>
12724 <p class="IndentText">Documented modification is not
12725 detected. An object listed in the modifies clause for a
12726 function, is not modified by the implementation.</p>
12728 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12729 height="14" align="left">
12731 <td valign="top" align="left" height="14" style=
12732 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12733 <p class="TextFontCX" align="center" style=
12734 'text-align:center;background:#CCCCCC'><span style=
12735 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12736 <p class="TextFontCX"><span class="Flag"><span style=
12737 'font-size:10.0pt'>mod-uncon</span></span></p>
12738 <p class="IndentText">Report modification errors in functions
12739 declared without a modifies clause.(Sets <span class=
12740 "Flag"><span style='font-size:10.0pt'>mod-nomods</span></span>,
12741 <span class="Flag"><span style=
12742 'font-size:10.0pt'>mod-globs-nomods</span></span> and
12743 <span class="Flag"><span style=
12744 'font-size:10.0pt'>mod-strict-globs-nomods</span></span>.)</p>
12746 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12747 height="14" align="left">
12749 <td valign="top" align="left" height="14" style=
12750 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12751 <p class="TextFontCX" align="center" style=
12752 'text-align:center;background:#CCCCCC'><span style=
12753 'font-size:10.0pt'>m:</span><span class=
12754 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12755 <p class="TextFontCX"><span class="Flag"><span style=
12756 'font-size:10.0pt'>mod-nomods</span></span></p>
12757 <p class="IndentText">Report modification errors (not involving
12758 global variables) in functions declared without a modifies
12761 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12762 height="14" align="left">
12764 <td valign="top" align="left" height="14" style=
12765 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12766 <p class="TextFontCX" align="center" style=
12767 'text-align:center;background:#CCCCCC'><span style=
12768 'font-size:10.0pt'>m:</span><span class=
12769 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12770 <p class="TextFontCX"><span class="Flag"><span style=
12771 'font-size:10.0pt'>mod-uncon-nomods</span></span></p>
12772 <p class="IndentText">An unconstrained function is called in a
12773 function body where modifications are checked. Since the
12774 unconstrained function may modify anything, there may be undetected
12775 modifications in the checked function.</p>
12777 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12778 height="14" align="left">
12780 <td valign="top" align="left" height="14" style=
12781 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12782 <p class="TextFontCX" align="center" style=
12783 'text-align:center;background:#CCCCCC'><span style=
12784 'font-size:10.0pt'>m:</span><span class=
12785 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12786 <p class="TextFontCX"><span class="Flag"><span style=
12787 'font-size:10.0pt'>mod-internal-strict</span></span></p>
12788 <p class="IndentText">A function that modifies <span class=
12789 "Annot"><span style='font-size:10.0pt'>internalState</span></span>
12790 is called from a function that does not list <span class=
12791 "Annot"><span style='font-size:10.0pt'>internalState</span></span>
12792 in its modifies clause.</p>
12794 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12795 height="14" align="left">
12797 <td valign="top" align="left" height="14" style=
12798 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12799 <p class="TextFontCX" align="center" style=
12800 'text-align:center;background:#CCCCCC'><span style=
12801 'font-size:10.0pt'>m:</span><span class=
12802 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12803 <p class="TextFontCX"><span class="Flag"><span style=
12804 'font-size:10.0pt'>mod-file-sys</span></span></p>
12805 <p class="IndentText">A function modifies the file system but does
12806 not list <span class="Annot"><span style=
12807 'font-size:10.0pt'>fileSystem</span></span> in its modifies
12809 <p class="Heading10">Global Variables <span class=
12810 "HeadingNote"><span style=
12811 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
12812 <span class="HeadingNote"><span style=
12813 'font-size:10.5pt;font-weight:normal;font-style: normal'>7.2</span></span><span class="HeadingNote">
12815 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12816 <p class="beforelist"><a name="globflags"></a>Errors involving the
12817 use and modification of global and file static variables are
12818 reported depending on flag settings, annotations where the global
12819 variable is declared, and whether or not the function where the
12820 global is used was declared with a globals clause.</p>
12822 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12823 height="14" align="left">
12825 <td valign="top" align="left" height="14" style=
12826 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12827 <p class="TextFontCX" align="center" style=
12828 'text-align:center;background:#CCCCCC'><span style=
12829 'font-size:10.0pt'>P:</span> <span class=
12830 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12831 <p class="TextFontCX"><span class="Flag"><span style=
12832 'font-size:10.0pt'>globs</span></span></p>
12833 <p class="IndentText">Undocumented use of a checked global variable
12834 in a function with a globals list.</p>
12836 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12837 height="14" align="left">
12839 <td valign="top" align="left" height="14" style=
12840 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12841 <p class="TextFontCX" align="center" style=
12842 'text-align:center;background:#CCCCCC'><span style=
12843 'font-size:10.0pt'>m:</span><span class=
12844 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12845 <p class="TextFontCX"><span class="Flag"><span style=
12846 'font-size:10.0pt'>glob-use</span></span></p>
12847 <p class="IndentText">A global listed in the globals list is not
12848 used in the implementation.</p>
12850 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12851 height="14" align="left">
12853 <td valign="top" align="left" height="14" style=
12854 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12855 <p class="TextFontCX" align="center" style=
12856 'text-align:center;background:#CCCCCC'><span style=
12857 'font-size:10.0pt'>m:</span><span class=
12858 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12859 <p class="TextFontCX"><span class="Flag"><span style=
12860 'font-size:10.0pt'>glob-noglobs</span></span></p>
12861 <p class="IndentText">Use of a checked global in a function with no
12864 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12865 height="14" align="left">
12867 <td valign="top" align="left" height="14" style=
12868 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12869 <p class="TextFontCX" align="center" style=
12870 'text-align:center;background:#CCCCCC'><span style=
12871 'font-size:10.0pt'>m:</span><span class=
12872 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12873 <p class="TextFontCX"><span class="Flag"><span style=
12874 'font-size:10.0pt'>internal-globs</span></span></p>
12875 <p class="IndentText">Undocumented use of internal state (should
12876 have <span class="Annot"><span style='font-size:10.0pt'>globals
12877 internalState</span></span>).</p>
12879 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12880 height="14" align="left">
12882 <td valign="top" align="left" height="14" style=
12883 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12884 <p class="TextFontCX" align="center" style=
12885 'text-align:center;background:#CCCCCC'><span style=
12886 'font-size:10.0pt'>m:</span><span class=
12887 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12888 <p class="TextFontCX"><span class="Flag"><span style=
12889 'font-size:10.0pt'>internal-globs-noglobs</span></span></p>
12890 <p class="TextFontCX">
12891 Use of internal state in function with no globals list.</p>
12893 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12894 height="14" align="left">
12896 <td valign="top" align="left" height="14" style=
12897 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12898 <p class="TextFontCX" align="center" style=
12899 'text-align:center;background:#CCCCCC'><span style=
12900 'font-size:10.0pt'>m:</span><span class=
12901 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12902 <p class="TextFontCX"><span class="Flag"><span style=
12903 'font-size:10.0pt'>glob-state</span></span></p>
12904 <p class="IndentText">A function returns with global in
12905 inconsistent state (null or undefined)</p>
12907 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12908 height="14" align="left">
12910 <td valign="top" align="left" height="14" style=
12911 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12912 <p class="TextFontCX" align="center" style=
12913 'text-align:center;background:#CCCCCC'><span style=
12914 'font-size:10.0pt'>m:</span><span class=
12915 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12916 <p class="TextFontCX"><span class="Flag"><span style=
12917 'font-size:10.0pt'>all-globs</span></span></p>
12918 <p class="IndentText">Report use and modification errors for
12919 globals not annotated with <span class="Annot"><span style=
12920 'font-size:10.0pt'>unchecked</span></span>.</p>
12922 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12923 height="14" align="left">
12925 <td valign="top" align="left" height="14" style=
12926 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12927 <p class="TextFontCX" align="center" style=
12928 'text-align:center;background:#CCCCCC'><span style=
12929 'font-size:10.0pt'>m:</span><span class=
12930 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12931 <p class="TextFontCX"><span class="Flag"><span style=
12932 'font-size:10.0pt'>check-strict-globs</span></span></p>
12933 <p class="IndentText">Report use and modification errors for
12934 <span class="Annot"><span style=
12935 'font-size:10.0pt'>checkedstrict</span></span> globals.</p>
12936 <p class="Heading11">Modification of Global Variables</p>
12938 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12939 height="14" align="left">
12941 <td valign="top" align="left" height="14" style=
12942 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12943 <p class="TextFontCX" align="center" style=
12944 'text-align:center;background:#CCCCCC'><span style=
12945 'font-size:10.0pt'>m:</span><span class=
12946 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12947 <p class="TextFontCX"><span class="Flag"><span style=
12948 'font-size:10.0pt'>mod-globs</span></span></p>
12949 <p class="IndentText">Undocumented modification of a checked global
12952 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12953 height="14" align="left">
12955 <td valign="top" align="left" height="14" style=
12956 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12957 <p class="TextFontCX" align="center" style=
12958 'text-align:center;background:#CCCCCC'><span style=
12959 'font-size:10.0pt'>m:</span><span class=
12960 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12961 <p class="TextFontCX"><span class="Flag"><span style=
12962 'font-size:10.0pt'>mod-globs-unchecked</span></span></p>
12963 <p class="IndentText">Undocumented modification of an
12964 <span class="Annot"><span style=
12965 'font-size:10.0pt'>unchecked</span></span>
12966 global variable.</p>
12968 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12969 height="14" align="left">
12971 <td valign="top" align="left" height="14" style=
12972 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12973 <p class="TextFontCX" align="center" style=
12974 'text-align:center;background:#CCCCCC'><span style=
12975 'font-size:10.0pt'>m:</span><span class=
12976 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12977 <p class="TextFontCX"><span class="Flag"><span style=
12978 'font-size:10.0pt'>mod-globs-nomods</span></span></p>
12979 <p class="IndentText">Undocumented modification of a checked global
12980 variable in a function with no modifies clause.</p>
12982 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12983 height="14" align="left">
12985 <td valign="top" align="left" height="14" style=
12986 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12987 <p class="TextFontCX" align="center" style=
12988 'text-align:center;background:#CCCCCC'><span style=
12989 'font-size:10.0pt'>m:</span><span class=
12990 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12991 <p class="TextFontCX"><span class="Flag"><span style=
12992 'font-size:10.0pt'>mod-strict-globs-nomods</span></span></p>
12993 <p class="IndentText">Undocumented modification of a
12994 <span class="Annot"><span style=
12995 'font-size:10.0pt'>checkedstrict</span></span>
12996 global variable in a function declared with no modifies
12998 <p class="Heading11">Globals Lists and Modifies Clauses</p>
13000 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13001 height="14" align="left">
13003 <td valign="top" align="left" height="14" style=
13004 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13005 <p class="TextFontCX" align="center" style=
13006 'text-align:center;background:#CCCCCC'><span style=
13007 'font-size:10.0pt'>m:</span><span class=
13008 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13009 <p class="TextFontCX"><span class="Flag"><span style=
13010 'font-size:10.0pt'>warn-missing-globs</span></span></p>
13011 <p class="IndentText">Global variable used in modifies clause is
13012 not listed in globals list. (The global is added to the
13015 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13016 height="14" align="left">
13018 <td valign="top" align="left" height="14" style=
13019 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13020 <p class="TextFontCX" align="center" style=
13021 'text-align:center;background:#CCCCCC'><span style=
13022 'font-size:10.0pt'>m:</span><span class=
13023 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13024 <p class="TextFontCX"><span class="Flag"><span style=
13025 'font-size:10.0pt'>warn-missing-globs-noglobs</span></span></p>
13026 <p class="IndentText">Global variable used in modifies clause of a
13027 function with no globals list.</p>
13029 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13030 height="14" align="left">
13032 <td valign="top" align="left" height="14" style=
13033 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13034 <p class="TextFontCX" align="center" style=
13035 'text-align:center;background:#CCCCCC'><span style=
13036 'font-size:10.0pt'>m:</span><span class=
13037 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13038 <p class="TextFontCX"><span class="Flag"><span style=
13039 'font-size:10.0pt'>globs-imp-mods-nothing</span></span></p>
13040 <p class="IndentText">A function declared with a globals list but
13041 no modifies clause is assumed to modify nothing.</p>
13043 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13044 height="14" align="left">
13046 <td valign="top" align="left" height="14" style=
13047 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13048 <p class="TextFontCX" align="center" style=
13049 'text-align:center;background:#CCCCCC'><span style=
13050 'font-size:10.0pt'>m:</span><span class=
13051 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13052 <p class="TextFontCX"><span class="Flag"><span style=
13053 'font-size:10.0pt'>mods-imp-noglobs</span></span></p>
13054 <p class="IndentText">A function declared with a modifies clause
13055 but no globals list is assumed to use no globals.</p>
13056 <p class="Heading11">Implicit Checking Annotations</p>
13058 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13059 height="14" align="left">
13061 <td valign="top" align="left" height="14" style=
13062 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13063 <p class="TextFontCX" align="center" style=
13064 'text-align:center;background:#CCCCCC'><span style=
13065 'font-size:10.0pt'>m:</span><span class=
13066 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13067 <p class="TextFontCX"><span class="Flag"><span style=
13068 'font-size:10.0pt'>imp-checked-globs</span></span></p>
13069 <p class="IndentText">Implicit <span class=
13070 "Annot"><span style='font-size:10.0pt'>checked</span></span> annotation
13071 on global variables with no checking annotation.</p>
13073 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13074 height="14" align="left">
13076 <td valign="top" align="left" height="14" style=
13077 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13078 <p class="TextFontCX" align="center" style=
13079 'text-align:center;background:#CCCCCC'><span style=
13080 'font-size:10.0pt'>m:</span><span class=
13081 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13082 <p class="TextFontCX"><span class="Flag"><span style=
13083 'font-size:10.0pt'>imp-checked-statics</span></span></p>
13084 <p class="IndentText">Implicit <span class=
13085 "Annot"><span style='font-size:10.0pt'>checked</span></span> qualifier
13086 file static scope variables with no checking annotation.</p>
13088 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13089 height="14" align="left">
13091 <td valign="top" align="left" height="14" style=
13092 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13093 <p class="TextFontCX" align="center" style=
13094 'text-align:center;background:#CCCCCC'><span style=
13095 'font-size:10.0pt'>m:</span><span class=
13096 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13097 <p class="TextFontCX"><span class="Flag"><span style=
13098 'font-size:10.0pt'>imp-checkmod-globs</span></span></p>
13099 <p class="IndentText">Implicit <span class=
13100 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13101 qualifier on global variables with no checking
13103 <p class="IndentText"><span class="Flag"><span style=
13104 'font-size:10.0pt'> </span></span></p>
13106 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13107 height="14" align="left">
13109 <td valign="top" align="left" height="14" style=
13110 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13111 <p class="TextFontCX" align="center" style=
13112 'text-align:center;background:#CCCCCC'><span style=
13113 'font-size:10.0pt'>m:</span><span class=
13114 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13115 <p class="TextFontCX"><span class="Flag"><span style=
13116 'font-size:10.0pt'>imp-checkmod-statics</span></span></p>
13117 <p class="IndentText">Implicit <span class=
13118 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13119 qualifier file static scope variables with no checking
13122 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13123 height="14" align="left">
13125 <td valign="top" align="left" height="14" style=
13126 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13127 <p class="TextFontCX" align="center" style=
13128 'text-align:center;background:#CCCCCC'><span style=
13129 'font-size:10.0pt'>m:</span><span class=
13130 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13131 <p class="TextFontCX"><span class="Flag"><span style=
13132 'font-size:10.0pt'>imp-checkedstrict-globs</span></span></p>
13133 <p class="IndentText">Implicit <span class=
13134 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13135 qualifier on global variables with no checking
13138 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13139 height="14" align="left">
13141 <td valign="top" align="left" height="14" style=
13142 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13143 <p class="TextFontCX" align="center" style=
13144 'text-align:center;background:#CCCCCC'><span style=
13145 'font-size:10.0pt'>m:</span><span class=
13146 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13147 <p class="TextFontCX"><span class="Flag"><span style=
13148 'font-size:10.0pt'>imp-checkedstrict-statics</span></span></p>
13149 <p class="IndentText">Implicit <span class=
13150 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13151 qualifier file static scope variables with no checking
13154 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13155 height="14" align="left">
13157 <td valign="top" align="left" height="14" style=
13158 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13159 <p class="TextFontCX" align="center" style=
13160 'text-align:center;background:#CCCCCC'><span style=
13161 'font-size:10.0pt'>m:</span><span class=
13162 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13163 <p class="TextFontCX"><span class="Flag"><span style=
13164 'font-size:10.0pt'>imp-checkmod-internals</span></span></p>
13165 <p class="IndentText">Implicit <span class=
13166 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13167 qualifier on function scope static variables with no checking
13170 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13171 height="14" align="left">
13173 <td valign="top" align="left" height="14" style=
13174 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13175 <p class="TextFontCX" align="center" style=
13176 'text-align:center;background:#CCCCCC'><span style=
13177 'font-size:10.0pt'>m:</span><span class=
13178 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13179 <p class="IndentText" style='margin-left:0in'><span class=
13180 "Keyword"><span style='font-size:10.0pt'> </span></span></p>
13181 <p class="Heading11">Global Aliasing</p>
13183 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13184 height="14" align="left">
13186 <td valign="top" align="left" height="14" style=
13187 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13188 <p class="TextFontCX" align="center" style=
13189 'text-align:center;background:#CCCCCC'><span style=
13190 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13191 <p class="TextFontCX"><span class="Flag"><span style=
13192 'font-size:10.0pt'>glob-alias</span></span></p>
13193 <p class="IndentText">Function returns with global aliasing
13194 external state (sets <span class="Flag"><span style=
13195 'font-size:10.0pt'>checkstrict-glob-alias</span></span>,
13196 <span class="Flag"><span style=
13197 'font-size:10.0pt'>checked-glob-alias</span></span>,
13198 c<span class="Flag"><span style=
13199 'font-size:10.0pt'>heckmod-glob-alias</span></span> and
13200 <span class="Flag"><span style=
13201 'font-size:10.0pt'>unchecked-glob-alias</span></span>).</p>
13203 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13204 height="14" align="left">
13206 <td valign="top" align="left" height="14" style=
13207 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13208 <p class="TextFontCX" align="center" style=
13209 'text-align:center;background:#CCCCCC'><span style=
13210 'font-size:10.0pt'>m:</span><span class=
13211 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13212 <p class="TextFontCX"><span class="Flag"><span style=
13213 'font-size:10.0pt'>checkstrict-glob-alias</span></span></p>
13214 <p class="IndentText">Function returns with a <span class=
13215 "Annot"><span style='font-size:10.0pt'>checkedstrict</span></span>
13216 global aliasing external state.</p>
13218 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13219 height="14" align="left">
13221 <td valign="top" align="left" height="14" style=
13222 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13223 <p class="TextFontCX" align="center" style=
13224 'text-align:center;background:#CCCCCC'><span style=
13225 'font-size:10.0pt'>m:</span><span class=
13226 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13227 <p class="TextFontCX"><span class="Flag"><span style=
13228 'font-size:10.0pt'>checked-glob-alias</span></span></p>
13229 <p class="IndentText">Function returns with a <span class=
13230 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13231 global aliasing external state.</p>
13233 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13234 height="14" align="left">
13236 <td valign="top" align="left" height="14" style=
13237 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13238 <p class="TextFontCX" align="center" style=
13239 'text-align:center;background:#CCCCCC'><span style=
13240 'font-size:10.0pt'>m:</span><span class=
13241 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13242 <p class="TextFontCX"><span class="Flag"><span style=
13243 'font-size:10.0pt'>checkmod-glob-alias</span></span></p>
13244 <p class="IndentText">Function returns with a <span class=
13245 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13246 global aliasing external state.</p>
13248 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13249 height="14" align="left">
13251 <td valign="top" align="left" height="14" style=
13252 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13253 <p class="TextFontCX" align="center" style=
13254 'text-align:center;background:#CCCCCC'><span style=
13255 'font-size:10.0pt'>m:</span><span class=
13256 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13257 <p class="TextFontCX"><span class="Flag"><span style=
13258 'font-size:10.0pt'>unchecked-glob-alias</span></span></p>
13259 <p class="IndentText">Function returns with an <span class=
13260 "Annot"><span style='font-size:10.0pt'>unchecked</span></span>
13261 global aliasing external state.</p>
13262 <p class="Heading10">Declaration Consistency <span style=
13263 'font-weight:normal'>(Section 7.3)</span></p>
13265 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13266 height="14" align="left">
13268 <td valign="top" align="left" height="14" style=
13269 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13270 <p class="TextFontCX" align="center" style=
13271 'text-align:center;background:#CCCCCC'><span style=
13272 'font-size:10.0pt'>m:</span><span class=
13273 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13274 <p class="TextFontCX"><span class="Flag"><span style=
13275 'font-size:10.0pt'>incon-defs</span></span></p>
13276 <p class="IndentText">Identifier redeclared or redefined with
13277 inconsistent type.</p>
13279 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13280 height="14" align="left">
13282 <td valign="top" align="left" height="14" style=
13283 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13284 <p class="TextFontCX" align="center" style=
13285 'text-align:center;background:#CCCCCC'><span style=
13286 'font-size:10.0pt'>m:</span><span class=
13287 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13288 <p class="TextFontCX"><span class="Flag"><span style=
13289 'font-size:10.0pt'>incon-defs-lib</span></span></p>
13290 <p class="IndentText">Identifier defined in a library is redefined
13291 with inconsistent type.</p>
13293 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13294 height="14" align="left">
13296 <td valign="top" align="left" height="14" style=
13297 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13298 <p class="TextFontCX" align="center" style=
13299 'text-align:center;background:#CCCCCC'><span style=
13300 'font-size:10.0pt'>m:</span><span class=
13301 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13302 <p class="TextFontCX"><span class="Flag"><span style=
13303 'font-size:10.0pt'>overload</span></span></p>
13304 <p class="IndentText">Standard library function overloaded.</p>
13306 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13307 height="14" align="left">
13309 <td valign="top" align="left" height="14" style=
13310 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13311 <p class="TextFontCX" align="center" style=
13312 'text-align:center;background:#CCCCCC'><span style=
13313 'font-size:10.0pt'>m:</span><span class=
13314 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13315 <p class="TextFontCX"><span class="Flag"><span style=
13316 'font-size:10.0pt'>match-fields</span></span></p>
13317 <p class="IndentText">A <span class="CodeText"><span style=
13318 'font-size:10.0pt'>struct</span></span> or <span class=
13319 "CodeText"><span style='font-size:10.0pt'>enum</span></span> type
13320 is redefined with inconsistent fields or members.</p>
13321 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13322 <a name="_Toc534975057">Macros</a> <span class=
13323 "TextFontCXChar"><span style=
13324 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
13325 <span class="TextFontCXChar"><span style=
13326 'font-size:11.0pt; font-weight:normal'>11</span></span><span class="TextFontCXChar">
13328 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
13329 <p class="TextFontCX">These flags control expansion and checking of
13330 macro definitions and invocations.</p>
13331 <p class="Heading10">Macro Expansion</p>
13332 <p class="beforelist">These flags control which macros are checked
13333 as functions or constants, and which are expanded in the
13334 pre-processing phase. Macros preceded by <span class=
13335 "Annot"><span style=
13336 'font-size:10.0pt'>/*@notfunction@*/</span></span> are never
13337 expanded regardless of these flag settings. These flags may
13338 be used in source-file control comments.</p>
13340 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13341 height="14" align="left">
13343 <td valign="top" align="left" height="14" style=
13344 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13345 <p class="TextFontCX" align="center" style=
13346 'text-align:center;background:#CCCCCC'><span style=
13347 'font-size:10.0pt'>P:</span> <span class=
13348 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13349 <p class="TextFontCX"><span class="Flag"><span style=
13350 'font-size:10.0pt'>fcn-macros</span></span></p>
13351 <p class="IndentText">Macros defined with parameter lists are not
13352 expanded and are checked as functions.</p>
13354 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13355 height="14" align="left">
13357 <td valign="top" align="left" height="14" style=
13358 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13359 <p class="TextFontCX" align="center" style=
13360 'text-align:center;background:#CCCCCC'><span style=
13361 'font-size:10.0pt'>P:</span> <span class=
13362 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13363 <p class="TextFontCX"><span class="Flag"><span style=
13364 'font-size:10.0pt'>const-macros</span></span></p>
13365 <p class="IndentText">Macros defined without parameter lists are
13366 not expanded and are checked as constants.</p>
13368 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13369 height="14" align="left">
13371 <td valign="top" align="left" height="14" style=
13372 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13373 <p class="TextFontCX" align="center" style=
13374 'text-align:center;background:#CCCCCC'><span style=
13375 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13376 <p class="TextFontCX"><span class="Flag"><span style=
13377 'font-size:10.0pt'>all-macros</span></span></p>
13378 <p class="IndentText">Sets <span class="Flag"><span style=
13379 'font-size:10.0pt'>fcn-macros</span></span> and <span class=
13380 "Flag"><span style=
13381 'font-size:10.0pt'>const-macros</span></span>.</p>
13383 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13384 height="14" align="left">
13386 <td valign="top" align="left" height="14" style=
13387 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13388 <p class="TextFontCX" align="center" style=
13389 'text-align:center;background:#CCCCCC'><span style=
13390 'font-size:10.0pt'>P:</span> <span class=
13391 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13392 <p class="TextFontCX"><span class="Flag"><span style=
13393 'font-size:10.0pt'>lib-macros</span></span></p>
13394 <p class="IndentText">Macros defining identifiers declared in a
13395 loaded library are not expanded and are checked according to the
13396 library information.<span class="Flag"><span style=
13397 'font-size:10.0pt'> </span></span></p>
13398 <p class="Heading10">Macro Definitions</p>
13399 <p class="beforelist">These flags control what errors are reported
13400 in macro definitions.</p>
13402 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13403 height="14" align="left">
13405 <td valign="top" align="left" height="14" style=
13406 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13407 <p class="TextFontCX" align="center" style=
13408 'text-align:center;background:#CCCCCC'><span style=
13409 'font-size:10.0pt'>m:</span><span class=
13410 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13411 <p class="TextFontCX"><span class="Flag"><span style=
13412 'font-size:10.0pt'>macro-stmt</span></span></p>
13413 <p class="IndentText">Macro definition is not syntactically
13414 equivalent to function. This means if the macro is used as a
13415 statement (e.g., <span class="CodeText"><span style=
13416 'font-size:10.0pt'>if (test) macro();</span></span>) unexpected
13417 behavior may result. One fix is to surround the macro body
13418 with <span class="CodeText"><span style='font-size:10.0pt'>do {
13419 … } while (FALSE)</span></span>.</p>
13421 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13422 height="14" align="left">
13424 <td valign="top" align="left" height="14" style=
13425 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13426 <p class="TextFontCX" align="center" style=
13427 'text-align:center;background:#CCCCCC'><span style=
13428 'font-size:10.0pt'>m:</span><span class=
13429 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13430 <p class="TextFontCX"><span class="Flag"><span style=
13431 'font-size:10.0pt'>macro-return</span></span></p>
13432 <p class="IndentText">
13433 The body of a macro declared as a function uses a
13434 <span class="CodeText"><span style='font-size:10.0pt'>return</span></span>
13435 statement. This exhibits behavior that could not be implemented by a function.
13438 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13439 height="14" align="left">
13441 <td valign="top" align="left" height="14" style=
13442 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13443 <p class="TextFontCX" align="center" style=
13444 'text-align:center;background:#CCCCCC'><span style=
13445 'font-size:10.0pt'>m:</span><span class=
13446 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13447 <p class="TextFontCX"><span class="Flag"><span style=
13448 'font-size:10.0pt'>macro-assign</span></span></p>
13449 <p class="IndentText">A macro parameter is used as the left side of
13450 an assignment expression.</p>
13452 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13453 height="14" align="left">
13455 <td valign="top" align="left" height="14" style=
13456 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13457 <p class="TextFontCX" align="center" style=
13458 'text-align:center;background:#CCCCCC'><span style=
13459 'font-size:10.0pt'>m:</span><span class=
13460 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13461 <p class="TextFontCX"><span class="Flag"><span style=
13462 'font-size:10.0pt'>macro-parens</span></span></p>
13463 <p class="IndentText">A macro parameter is used without parentheses
13464 (in potentially dangerous context).</p>
13466 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13467 height="14" align="left">
13469 <td valign="top" align="left" height="14" style=
13470 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13471 <p class="TextFontCX" align="center" style=
13472 'text-align:center;background:#CCCCCC'><span style=
13473 'font-size:10.0pt'>m:</span><span class=
13474 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13475 <p class="TextFontCX"><span class="Flag"><span style=
13476 'font-size:10.0pt'>macro-empty</span></span></p>
13477 <p class="IndentText">Macro definition of a function is
13478 empty. </p>
13480 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13481 height="14" align="left">
13483 <td valign="top" align="left" height="14" style=
13484 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13485 <p class="TextFontCX" align="center" style=
13486 'text-align:center;background:#CCCCCC'><span style=
13487 'font-size:10.0pt'>m:</span><span class=
13488 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13489 <p class="TextFontCX"><span class="Flag"><span style=
13490 'font-size:10.0pt'>macro-redef</span></span></p>
13491 <p class="IndentText">Macro is redefined. There is another
13492 macro defined with the same name.</p>
13494 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13495 height="14" align="left">
13497 <td valign="top" align="left" height="14" style=
13498 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13499 <p class="TextFontCX" align="center" style=
13500 'text-align:center;background:#CCCCCC'><span style=
13501 'font-size:10.0pt'>m:</span><span class=
13502 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13503 <p class="TextFontCX"><span class="Flag"><span style=
13504 'font-size:10.0pt'>macro-unrecog</span></span> </p>
13505 <p class="IndentText">An unrecognized identifier appears in a macro
13506 definition. Since the identifier may be defined where the
13507 macro is used, this could be okay, but Splint will not be able to
13508 check the unrecognized identifier appropriately.</p>
13509 <p class="Heading11">Corresponding Declarations</p>
13511 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13512 height="14" align="left">
13514 <td valign="top" align="left" height="14" style=
13515 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13516 <p class="TextFontCX" align="center" style=
13517 'text-align:center;background:#CCCCCC'><span style=
13518 'font-size:10.0pt'>m:</span><span class=
13519 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
13520 <p class="TextFontCX"><span class="Flag"><span style=
13521 'font-size:10.0pt'>macro-match-name</span></span></p>
13522 <p class="IndentText">An <span class="Annot"><span style=
13523 'font-size:10.0pt'>iter</span></span> or <span class=
13524 "Annot"><span style=
13525 'font-size:10.0pt'>constant</span></span> macro is defined
13526 using a different name from the one used in the previous syntactic
13529 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13530 height="14" align="left">
13532 <td valign="top" align="left" height="14" style=
13533 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13534 <p class="TextFontCX" align="center" style=
13535 'text-align:center;background:#CCCCCC'><span style=
13536 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13537 <p class="TextFontCX"><span class="Flag"><span style=
13538 'font-size:10.0pt'>macro-decl</span></span></p>
13539 <p class="IndentText">A macro definition has no corresponding
13540 declaration. (Sets <span class="Flag"><span style=
13541 'font-size:10.0pt'>macrofcndecl</span></span> and
13542 <span class="Flag"><span style=
13543 'font-size:10.0pt'>macroconstdecl</span></span>.)</p>
13545 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13546 height="14" align="left">
13548 <td valign="top" align="left" height="14" style=
13549 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13550 <p class="TextFontCX" align="center" style=
13551 'text-align:center;background:#CCCCCC'><span style=
13552 'font-size:10.0pt'>m:</span><span class=
13553 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13554 <p class="TextFontCX"><span class="Flag"><span style=
13555 'font-size:10.0pt'>macro-fcn-decl</span></span></p>
13556 <p class="IndentText">Macro definition with parameter list has no
13557 corresponding function prototype. Without a prototype, the types of
13558 the macro result and parameters are unknown.</p>
13560 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13561 height="14" align="left">
13563 <td valign="top" align="left" height="14" style=
13564 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13565 <p class="TextFontCX" align="center" style=
13566 'text-align:center;background:#CCCCCC'><span style=
13567 'font-size:10.0pt'>m:</span><span class=
13568 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13569 <p class="TextFontCX"><span class="Flag"><span style=
13570 'font-size:10.0pt'>macro-const-decl</span></span></p>
13571 <p class="IndentText">A macro definition without parameter list has
13572 no corresponding constant declaration.<span class=
13573 "Flag"><span style=
13574 'font-size: 10.0pt'> </span></span></p>
13576 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13577 height="14" align="left">
13579 <td valign="top" align="left" height="14" style=
13580 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13581 <p class="TextFontCX" align="center" style=
13582 'text-align:center;background:#CCCCCC'><span style=
13583 'font-size:10.0pt'>P:</span> <span class=
13584 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13585 <p class="TextFontCX"><span class="Flag"><span style=
13586 'font-size:10.0pt'>next-line-macros</span></span></p>
13587 <p class="IndentText">A constant or iter declaration is not
13588 immediately followed by a macro definition.</p>
13589 <p class="Heading10">Side Effect Free Parameters <span class=
13590 "HeadingNote"><span style=
13591 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
13592 <span class="HeadingNote"><span style=
13593 'font-size:10.5pt;font-weight:normal;font-style: normal'>11.2.1</span></span><span class="HeadingNote">
13595 'font-size: 10.5pt;font-weight:normal;font-style:normal'>)</span></span></p>
13596 <p class="beforelist">These flags control error reporting for
13597 parameters with inconsistent side effects in invocations of checked
13598 function macros and function calls.</p>
13600 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13601 height="14" align="left">
13603 <td valign="top" align="left" height="14" style=
13604 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13605 <p class="TextFontCX" align="center" style=
13606 'text-align:center;background:#CCCCCC'><span style=
13607 'font-size:10.0pt'>m:</span><span class=
13608 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13609 <p class="TextFontCX"><span class="Flag"><span style=
13610 'font-size:10.0pt'>sef-params</span></span></p>
13611 <p class="IndentText">An actual parameter with side effects is
13612 passed as a formal parameter declared with <span class=
13613 "Annot"><span style='font-size:10.0pt'>sef</span></span>.</p>
13615 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13616 height="14" align="left">
13618 <td valign="top" align="left" height="14" style=
13619 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13620 <p class="TextFontCX" align="center" style=
13621 'text-align:center;background:#CCCCCC'><span style=
13622 'font-size:10.0pt'>m:</span><span class=
13623 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13624 <p class="TextFontCX"><span class="Flag"><span style=
13625 'font-size:10.0pt'>sef-uncon</span></span></p>
13626 <p class="IndentText">An actual parameter involving a call to an
13627 unconstrained function (declared without modifies clause) that may
13628 modify anything is passed as a <span class=
13629 "Annot"><span style='font-size:10.0pt'>sef</span></span>
13631 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13632 <a name="_Toc534975058">Iterators</a></p>
13634 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13635 height="14" align="left">
13637 <td valign="top" align="left" height="14" style=
13638 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13639 <p class="TextFontCX" align="center" style=
13640 'text-align:center;background:#CCCCCC'><span style=
13641 'font-size:10.0pt'>P:</span> <span class=
13642 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13643 <p class="TextFontCX"><span class="Flag"><span style=
13644 'font-size:10.0pt'>iterbalance</span></span></p>
13645 <p class="IndentText">Iter is not balanced with end
13646 <span class="CodeText"><span style='font-size:10.0pt'> <iter></span></span>.
13650 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13651 height="14" align="left">
13653 <td valign="top" align="left" height="14" style=
13654 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13655 <p class="TextFontCX" align="center" style=
13656 'text-align:center;background:#CCCCCC'><span style=
13657 'font-size:10.0pt'>P:</span> <span class=
13658 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13659 <p class="TextFontCX"><span class="Flag"><span style=
13660 'font-size:10.0pt'>iteryield</span></span></p>
13661 <p class="IndentText">Iter yield parameter is inappropriate.
13665 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13666 height="14" align="left">
13668 <td valign="top" align="left" height="14" style=
13669 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13670 <p class="TextFontCX" align="center" style=
13671 'text-align:center;background:#CCCCCC'><span style=
13672 'font-size:10.0pt'>P:</span> <span class=
13673 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13674 <p class="TextFontCX"><span class="Flag"><span style=
13675 'font-size:10.0pt'>has-yield</span></span></p>
13676 <p class="IndentText">An iterator has been declared with no
13677 parameters annotated with <span class="Annot"><span style=
13678 'font-size:10.0pt'>yield</span></span>.</p>
13680 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13681 <a name="_Toc534975059">Naming Conventions</a> <span class=
13682 "TextFontCXChar"><span style=
13683 'font-size:11.0pt; font-weight:normal'>(Section
13684 12)</span></span></p>
13686 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13687 height="14" align="left">
13689 <td valign="top" align="left" height="14" style=
13690 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13691 <p class="TextFontCX" align="center" style=
13692 'text-align:center;background:#CCCCCC'><span style=
13693 'font-size:10.0pt'>P:</span> <span class=
13694 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13695 <p class="TextFontCX"><span class="Flag"><span style=
13696 'font-size:10.0pt'>name-checks</span></span></p>
13697 <p class="IndentText">Turns all name checking on or off without
13698 changing other settings.</p>
13699 <p class="Heading10">Type-Based Naming Conventions
13700 <span style='font-size:10.5pt; font-weight:normal'>(Section
13702 <p class="Heading11">Czech Naming Convention</p>
13704 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13705 height="14" align="left">
13707 <td valign="top" align="left" height="14" style=
13708 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13709 <p class="TextFontCX" align="center" style=
13710 'text-align:center;background:#CCCCCC'><span style=
13711 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13712 <p class="TextFontCX"><span class="Flag"><span style=
13713 'font-size:10.0pt'>czech</span></span></p>
13714 <p class="IndentText">Selects complete Czech naming convention
13715 (sets <span class="Flag"><span style=
13716 'font-size:10.0pt'>access-czech</span></span>, <span class=
13717 "Flag"><span style='font-size:10.0pt'>czech-fcns</span></span>,
13718 <span class="Flag"><span style=
13719 'font-size:10.0pt'>czech-vars</span></span>, <span class=
13720 "Flag"><span style='font-size:10.0pt'>czech-consts</span></span>,
13721 <span class="Flag"><span style=
13722 'font-size:10.0pt'>czech-macros</span></span>, and
13723 <span class="Flag"><span style=
13724 'font-size:10.0pt'>czech-types</span></span>).</p>
13726 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13727 height="14" align="left">
13729 <td valign="top" align="left" height="14" style=
13730 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13731 <p class="TextFontCX" align="center" style=
13732 'text-align:center;background:#CCCCCC'><span style=
13733 'font-size:10.0pt'>P:</span> <span class=
13734 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13735 <p class="TextFontCX"><span class="Flag"><span style=
13736 'font-size:10.0pt'>access-czech</span></span></p>
13737 <p class="IndentText">Allow access to abstract types following
13738 Czech naming convention. The representation of an abstract
13739 type named <span class="CodeText"><i><span style=
13740 'font-size:10.0pt'>t</span></i></span> is accessible in the
13741 definition of a function or constant named <span class=
13742 "CodeText"><i><span style=
13743 'font-size:10.0pt'>t_name</span></i></span>.</p>
13745 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13746 height="14" align="left">
13748 <td valign="top" align="left" height="14" style=
13749 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13750 <p class="TextFontCX" align="center" style=
13751 'text-align:center;background:#CCCCCC'><span style=
13752 'font-size:10.0pt'>P:</span> <span class=
13753 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13754 <p class="TextFontCX"><span class="Flag"><span style=
13755 'font-size:10.0pt'>czech-fcns</span></span></p>
13756 <p class="IndentText">Function or iterator name is not consistent
13757 with Czech naming convention.</p>
13759 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13760 height="14" align="left">
13762 <td valign="top" align="left" height="14" style=
13763 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13764 <p class="TextFontCX" align="center" style=
13765 'text-align:center;background:#CCCCCC'><span style=
13766 'font-size:10.0pt'>P:</span> <span class=
13767 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13768 <p class="TextFontCX"><span class="Flag"><span style=
13769 'font-size:10.0pt'>czech-vars</span></span></p>
13770 <p class="IndentText"> Variable name is not consistent with
13771 Czech naming convention.</p>
13773 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13774 height="14" align="left">
13776 <td valign="top" align="left" height="14" style=
13777 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13778 <p class="TextFontCX" align="center" style=
13779 'text-align:center;background:#CCCCCC'><span style=
13780 'font-size:10.0pt'>P:</span> <span class=
13781 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13782 <p class="TextFontCX"><span class="Flag"><span style=
13783 'font-size:10.0pt'>czech-macros</span></span></p>
13784 <p class="IndentText"> Expanded macro name is not consistent
13785 with Czech naming convention.</p>
13787 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13788 height="14" align="left">
13790 <td valign="top" align="left" height="14" style=
13791 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13792 <p class="TextFontCX" align="center" style=
13793 'text-align:center;background:#CCCCCC'><span style=
13794 'font-size:10.0pt'>P:</span> <span class=
13795 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13796 <p class="TextFontCX"><span class="Flag"><span style=
13797 'font-size:10.0pt'>czech-consts</span></span></p>
13798 <p class="IndentText">Constant name is not consistent with Czech
13799 naming convention.</p>
13801 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13802 height="14" align="left">
13804 <td valign="top" align="left" height="14" style=
13805 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13806 <p class="TextFontCX" align="center" style=
13807 'text-align:center;background:#CCCCCC'><span style=
13808 'font-size:10.0pt'>P:</span> <span class=
13809 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13810 <p class="TextFontCX"><span class="Flag"><span style=
13811 'font-size:10.0pt'>czech-types</span></span></p>
13812 <p class="IndentText">Type name is not consistent with Czech naming
13813 convention. Czech type names must not use the underscore
13815 <p class="Heading11">Slovak Naming Convention</p>
13817 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13818 height="14" align="left">
13820 <td valign="top" align="left" height="14" style=
13821 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13822 <p class="TextFontCX" align="center" style=
13823 'text-align:center;background:#CCCCCC'><span style=
13824 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13825 <p class="TextFontCX"><span class="Flag"><span style=
13826 'font-size:10.0pt'>slovak</span></span></p>
13827 <p class="IndentText">Selects complete Slovak naming convention
13828 (sets <span class="Flag"><span style=
13829 'font-size:10.0pt'>access-slovak</span></span>, <span class=
13830 "Flag"><span style='font-size:10.0pt'>slovak-fcns</span></span>,
13831 <span class="Flag"><span style=
13832 'font-size:10.0pt'>slovak-vars</span></span>, <span class=
13833 "Flag"><span style='font-size:10.0pt'>slovak-consts</span></span>,
13834 <span class="Flag"><span style=
13835 'font-size:10.0pt'>slovak-macros</span></span>, and
13836 <span class="Flag"><span style=
13837 'font-size:10.0pt'>slovak-types</span></span>).</p>
13839 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13840 height="14" align="left">
13842 <td valign="top" align="left" height="14" style=
13843 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13844 <p class="TextFontCX" align="center" style=
13845 'text-align:center;background:#CCCCCC'><span style=
13846 'font-size:10.0pt'>P:</span> <span class=
13847 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13848 <p class="TextFontCX"><span class="Flag"><span style=
13849 'font-size:10.0pt'>access-slovak</span></span></p>
13850 <p class="IndentText">Allow access to abstract types following
13851 Slovak naming convention. The representation of an abstract type
13852 named <span class="CodeText"><i><span style=
13853 'font-size:10.0pt'>t</span></i></span> is accessible in the
13854 definition of a function or constant named <span class=
13855 "CodeText"><i><span style=
13856 'font-size:10.0pt'>tName</span></i></span>.</p>
13858 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13859 height="14" align="left">
13861 <td valign="top" align="left" height="14" style=
13862 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13863 <p class="TextFontCX" align="center" style=
13864 'text-align:center;background:#CCCCCC'><span style=
13865 'font-size:10.0pt'>P:</span> <span class=
13866 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13867 <p class="TextFontCX"><span class="Flag"><span style=
13868 'font-size:10.0pt'>slovak-fcns</span></span></p>
13869 <p class="IndentText">Function or iterator name is not consistent
13870 with Slovak naming convention.</p>
13872 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13873 height="14" align="left">
13875 <td valign="top" align="left" height="14" style=
13876 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13877 <p class="TextFontCX" align="center" style=
13878 'text-align:center;background:#CCCCCC'><span style=
13879 'font-size:10.0pt'>P:</span> <span class=
13880 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13881 <p class="TextFontCX"><span class="Flag"><span style=
13882 'font-size:10.0pt'>slovak-macros</span></span></p>
13883 <p class="IndentText">Expanded macro name is not consistent with
13884 Slovak naming convention.</p>
13886 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13887 height="14" align="left">
13889 <td valign="top" align="left" height="14" style=
13890 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13891 <p class="TextFontCX" align="center" style=
13892 'text-align:center;background:#CCCCCC'><span style=
13893 'font-size:10.0pt'>P:</span> <span class=
13894 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13895 <p class="TextFontCX"><span class="Flag"><span style=
13896 'font-size:10.0pt'>slovak-vars</span></span></p>
13897 <p class="IndentText"> Variable name is not consistent with
13898 Slovak naming convention.</p>
13900 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13901 height="14" align="left">
13903 <td valign="top" align="left" height="14" style=
13904 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13905 <p class="TextFontCX" align="center" style=
13906 'text-align:center;background:#CCCCCC'><span style=
13907 'font-size:10.0pt'>P:</span> <span class=
13908 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13909 <p class="TextFontCX"><span class="Flag"><span style=
13910 'font-size:10.0pt'>slovak-consts</span></span></p>
13911 <p class="IndentText"> Constant name is not consistent with
13912 Slovak naming convention.</p>
13914 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13915 height="14" align="left">
13917 <td valign="top" align="left" height="14" style=
13918 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13919 <p class="TextFontCX" align="center" style=
13920 'text-align:center;background:#CCCCCC'><span style=
13921 'font-size:10.0pt'>P:</span> <span class=
13922 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13923 <p class="TextFontCX"><span class="Flag"><span style=
13924 'font-size:10.0pt'>slovak-types</span></span></p>
13925 <p class="IndentText">Type name is not consistent with Slovak
13926 naming convention. Slovak type names may not include
13927 uppercase letters.</p>
13928 <p class="Heading11">Czechoslovak Naming Convention</p>
13930 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13931 height="14" align="left">
13933 <td valign="top" align="left" height="14" style=
13934 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13935 <p class="TextFontCX" align="center" style=
13936 'text-align:center;background:#CCCCCC'><span style=
13937 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13938 <p class="TextFontCX"><span class="Flag"><span style=
13939 'font-size:10.0pt'>czechoslovak</span></span></p>
13940 <p class="IndentText">Selects complete Czechoslovak naming
13941 convention (sets <span class="Flag"><span style=
13942 'font-size:10.0pt'>access-czechoslovak</span></span>,
13943 <span class="Flag"><span style=
13944 'font-size:10.0pt'>czechoslovak-fcns</span></span>,
13945 <span class="Flag"><span style=
13946 'font-size:10.0pt'>czechoslovak-vars</span></span>,
13947 <span class="Flag"><span style=
13948 'font-size:10.0pt'>czechoslovak-consts</span></span>,
13949 <span class="Flag"><span style=
13950 'font-size:10.0pt'>czechoslovak-macros</span></span>, and
13951 <span class="Flag"><span style=
13952 'font-size:10.0pt'>czechoslovak-types</span></span>).</p>
13954 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13955 height="14" align="left">
13957 <td valign="top" align="left" height="14" style=
13958 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13959 <p class="TextFontCX" align="center" style=
13960 'text-align:center;background:#CCCCCC'><span style=
13961 'font-size:10.0pt'>P:</span> <span class=
13962 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13963 <p class="TextFontCX"><span class="Flag"><span style=
13964 'font-size:10.0pt'>access-czechoslovak</span></span></p>
13965 <p class="IndentText">Allow access to abstract types by
13966 Czechoslovak naming convention. The representation of an abstract
13967 type named <span class="CodeText"><i><span style=
13968 'font-size:10.0pt'>t</span></i></span> is accessible in the
13969 definition of a function or constant named <span class=
13970 "CodeText"><i><span style=
13971 'font-size:10.0pt'>t_name</span></i></span> or <span class=
13972 "CodeText"><i><span style=
13973 'font-size:10.0pt'>tName</span></i></span>.</p>
13975 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13976 height="14" align="left">
13978 <td valign="top" align="left" height="14" style=
13979 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13980 <p class="TextFontCX" align="center" style=
13981 'text-align:center;background:#CCCCCC'><span style=
13982 'font-size:10.0pt'>P:</span> <span class=
13983 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13984 <p class="TextFontCX"><span class="Flag"><span style=
13985 'font-size:10.0pt'>czechoslovak-fcns</span></span></p>
13986 <p class="IndentText"> Function name is not consistent with
13987 Czechoslovak naming convention.</p>
13989 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13990 height="14" align="left">
13992 <td valign="top" align="left" height="14" style=
13993 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13994 <p class="TextFontCX" align="center" style=
13995 'text-align:center;background:#CCCCCC'><span style=
13996 'font-size:10.0pt'>P:</span> <span class=
13997 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13998 <p class="TextFontCX"><span class="Flag"><span style=
13999 'font-size:10.0pt'>czechoslovak-macros</span></span></p>
14000 <p class="IndentText">Expanded macro name is not consistent with
14001 Czechoslovak naming convention.</p>
14003 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14004 height="14" align="left">
14006 <td valign="top" align="left" height="14" style=
14007 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14008 <p class="TextFontCX" align="center" style=
14009 'text-align:center;background:#CCCCCC'><span style=
14010 'font-size:10.0pt'>P:</span> <span class=
14011 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14012 <p class="TextFontCX"><span class="Flag"><span style=
14013 'font-size:10.0pt'>czechoslovak-vars</span></span></p>
14014 <p class="IndentText">Variable name is not consistent with
14015 Czechoslovak naming convention.</p>
14017 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14018 height="14" align="left">
14020 <td valign="top" align="left" height="14" style=
14021 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14022 <p class="TextFontCX" align="center" style=
14023 'text-align:center;background:#CCCCCC'><span style=
14024 'font-size:10.0pt'>P:</span> <span class=
14025 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14026 <p class="TextFontCX"><span class="Flag"><span style=
14027 'font-size:10.0pt'>czechoslovak-consts</span></span></p>
14028 <p class="IndentText">Constant name is not consistent with
14029 Czechoslovak naming convention.</p>
14031 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14032 height="14" align="left">
14034 <td valign="top" align="left" height="14" style=
14035 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14036 <p class="TextFontCX" align="center" style=
14037 'text-align:center;background:#CCCCCC'><span style=
14038 'font-size:10.0pt'>P:</span> <span class=
14039 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14040 <p class="TextFontCX"><span class="Flag"><span style=
14041 'font-size:10.0pt'>czechoslovak-types</span></span></p>
14042 <p class="IndentText">Type name is not consistent with Czechoslovak
14043 naming convention. Czechoslovak type names may not include
14044 uppercase letters or the underscore character.</p>
14045 <p class="Heading10">Namespace Prefixes <span style=
14046 'font-size:10.5pt; font-weight:normal'>(Section 12.2)</span></p>
14047 <p class="TextFontCX"><span class="Flag"><span style=
14048 'font-size:10.0pt'>macro-var-prefix</span></span><span class=
14049 "Flag"><span style='font-size:10.0pt'> <i><prefix
14050 string></i></span></span></p>
14051 <p class="IndentText">Set namespace prefix for variables declared
14052 in a macro body. (Default is <span class=
14053 "CodeText"><span style='font-size:10.0pt'>m_</span></span>.)</p>
14055 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14056 height="14" align="left">
14058 <td valign="top" align="left" height="14" style=
14059 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14060 <p class="TextFontCX" align="center" style=
14061 'text-align:center;background:#CCCCCC'>P: <span class=
14062 "Keyword"><span style=
14063 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14064 <p class="TextFontCX"><span class="Flag"><span style=
14065 'font-size:10.0pt'>macro-var-prefix-exclude</span></span></p>
14066 <p class="IndentText">A variable declared outside a macro body
14067 starts with the <span class="Flag"><span style=
14068 'font-size:10.0pt'>macro-var-prefix</span></span>.</p>
14069 <p class="TextFontCX"><span class="Flag"><span style=
14070 'font-size:10.0pt'>tag-prefix</span></span><span class=
14071 "Flag"><span style='font-size:10.0pt'> <i><prefix
14072 string></i></span></span></p>
14073 <p class="IndentText">Set namespace prefix of <span class=
14074 "CodeText"><span style='font-size:10.0pt'>struct</span></span>,
14075 <span class="CodeText"><span style=
14076 'font-size:10.0pt'>union</span></span> or <span class=
14077 "CodeText"><span style='font-size:10.0pt'>enum</span></span> tag
14080 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14081 height="14" align="left">
14083 <td valign="top" align="left" height="14" style=
14084 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14085 <p class="TextFontCX" align="center" style=
14086 'text-align:center;background:#CCCCCC'><span style=
14087 'font-size:10.0pt'>P:</span> <span class=
14088 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14089 <p class="TextFontCX"><span class="Flag"><span style=
14090 'font-size:10.0pt'>tag-prefix-exclude</span></span></p>
14091 <p class="IndentText">An identifier that is not a tag starts with
14092 the <span class="Flag"><span style=
14093 'font-size:10.0pt'>tagprefix</span></span>.</p>
14094 <p class="TextFontCX"><span class="Flag"><span style=
14095 'font-size:10.0pt'>enum-prefix</span></span><span class=
14096 "Flag"><span style='font-size:10.0pt'> <i><prefix
14097 string></i></span></span></p>
14098 <p class="IndentText">Set namespace prefix for <span class=
14099 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
14102 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14103 height="14" align="left">
14105 <td valign="top" align="left" height="14" style=
14106 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14107 <p class="TextFontCX" align="center" style=
14108 'text-align:center;background:#CCCCCC'><span style=
14109 'font-size:10.0pt'>P:</span> <span class=
14110 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14111 <p class="TextFontCX"><span class="Flag"><span style=
14112 'font-size:10.0pt'>enum-prefix-exclude</span></span></p>
14113 <p class="IndentText">An identifier that is not an
14114 <span class="CodeText"><span style=
14115 'font-size:10.0pt'>enum</span></span> member starts with the
14116 <span class="Flag"><span style=
14117 'font-size:10.0pt'>enumprefix</span></span>.</p>
14118 <p class="TextFontCX"><span class="Flag"><span style=
14119 'font-size:10.0pt'>file-static-prefix</span></span><span class="Flag">
14120 <span style='font-size:10.0pt'> <i><prefix
14121 string></i></span></span></p>
14122 <p class="IndentText">Set namespace prefix for file
14123 <span class="CodeText"><span style=
14124 'font-size:10.0pt'>static</span></span> declarations.</p>
14126 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14127 height="14" align="left">
14129 <td valign="top" align="left" height="14" style=
14130 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14131 <p class="TextFontCX" align="center" style=
14132 'text-align:center;background:#CCCCCC'><span style=
14133 'font-size:10.0pt'>P:</span> <span class=
14134 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14135 <p class="TextFontCX"><span class="Flag"><span style=
14136 'font-size:10.0pt'>file-static-prefix-exclude</span></span></p>
14137 <p class="IndentText">An identifier that is not file static starts
14138 with the <span class="Flag"><span style=
14139 'font-size:10.0pt'>filestaticprefix</span></span>.</p>
14140 <p class="TextFontCX"><span class="Flag"><span style=
14141 'font-size:10.0pt'>global-prefix</span></span><span class=
14142 "Flag"><span style='font-size:10.0pt'> <i><prefix
14143 string></i></span></span></p>
14144 <p class="IndentText">Set namespace prefix for global
14147 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14148 height="14" align="left">
14150 <td valign="top" align="left" height="14" style=
14151 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14152 <p class="TextFontCX" align="center" style=
14153 'text-align:center;background:#CCCCCC'><span style=
14154 'font-size:10.0pt'>P:</span> <span class=
14155 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14156 <p class="TextFontCX"><span class="Flag"><span style=
14157 'font-size:10.0pt'>global-prefix-exclude</span></span></p>
14158 <p class="IndentText">An identifier that is not a global variable
14159 starts with the <span class="Flag"><span style=
14160 'font-size:10.0pt'>globalprefix</span></span>.</p>
14161 <p class="TextFontCX"><span class="Flag"><span style=
14162 'font-size:10.0pt'>type-prefix</span></span><span class=
14163 "Flag"><span style='font-size:10.0pt'> <i><prefix
14164 string></i></span></span></p>
14165 <p class="IndentText">Set namespace prefix for user-defined
14168 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14169 height="14" align="left">
14171 <td valign="top" align="left" height="14" style=
14172 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14173 <p class="TextFontCX" align="center" style=
14174 'text-align:center;background:#CCCCCC'><span style=
14175 'font-size:10.0pt'>P:</span> <span class=
14176 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14177 <p class="TextFontCX"><span class="Flag"><span style=
14178 'font-size:10.0pt'>type-prefix-exclude</span></span></p>
14179 <p class="IndentText">An identifier that is not a type name starts
14180 with the <span class="Flag"><span style=
14181 'font-size:10.0pt'>typeprefix</span></span>.</p>
14182 <p class="TextFontCX"><span class="Flag"><span style=
14183 'font-size:10.0pt'>external-prefix</span></span><span class=
14184 "Flag"><span style='font-size:10.0pt'> <i><prefix
14185 string></i></span></span></p>
14186 <p class="IndentText">Set namespace prefix for external
14189 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14190 height="14" align="left">
14192 <td valign="top" align="left" height="14" style=
14193 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14194 <p class="TextFontCX" align="center" style=
14195 'text-align:center;background:#CCCCCC'><span style=
14196 'font-size:10.0pt'>P:</span> <span class=
14197 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14198 <p class="TextFontCX"><span class="Flag"><span style=
14199 'font-size:10.0pt'>external-prefix-exclude</span></span></p>
14200 <p class="IndentText">An identifier that is not external starts
14201 with the <span class="Flag"><span style=
14202 'font-size:10.0pt'>externalprefix</span></span>.</p>
14203 <p class="TextFontCX"><span class="Flag"><span style=
14204 'font-size:10.0pt'>local-prefix</span></span><span class=
14205 "Flag"><span style='font-size:10.0pt'> <i><prefix
14206 string></i></span></span></p>
14207 <p class="IndentText">Set namespace prefix for local variables.</p>
14209 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14210 height="14" align="left">
14212 <td valign="top" align="left" height="14" style=
14213 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14214 <p class="TextFontCX" align="center" style=
14215 'text-align:center;background:#CCCCCC'><span style=
14216 'font-size:10.0pt'>P:</span> <span class=
14217 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14218 <p class="TextFontCX"><span class="Flag"><span style=
14219 'font-size:10.0pt'>local-prefix-exclude</span></span></p>
14220 <p class="IndentText"> An identifier that is not a local
14221 variable starts with the <span class="Flag"><span style=
14222 'font-size:10.0pt'>localprefix</span></span>.</p>
14223 <p class="TextFontCX"><span class="Flag"><span style=
14224 'font-size:10.0pt'>unchecked-macro-prefix</span></span><span class="Flag">
14225 <span style='font-size:10.0pt'> <i><prefix
14226 string></i></span></span></p>
14227 <p class="IndentText">Set namespace prefix for unchecked
14230 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14231 height="14" align="left">
14233 <td valign="top" align="left" height="14" style=
14234 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14235 <p class="TextFontCX" align="center" style=
14236 'text-align:center;background:#CCCCCC'><span style=
14237 'font-size:10.0pt'>P:</span> <span class=
14238 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14239 <p class="TextFontCX"><span class="Flag"><span style=
14240 'font-size:10.0pt'>unchecked-macro-prefix-exclude</span></span></p>
14241 <p class="IndentText">An identifier that is not the name of an
14242 unchecked macro starts with the <span class=
14243 "Flag"><span style='font-size:10.0pt'>uncheckedmacroprefix</span></span>.</p>
14244 <p class="TextFontCX"><span class="Flag"><span style=
14245 'font-size:10.0pt'>const-prefix</span></span><span class=
14246 "Flag"><span style='font-size:10.0pt'> <i><prefix
14247 string></i></span></span></p>
14248 <p class="IndentText">Set namespace prefix for constants.</p>
14250 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14251 height="14" align="left">
14253 <td valign="top" align="left" height="14" style=
14254 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14255 <p class="TextFontCX" align="center" style=
14256 'text-align:center;background:#CCCCCC'><span style=
14257 'font-size:10.0pt'>P:</span> <span class=
14258 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14259 <p class="TextFontCX"><span class="Flag"><span style=
14260 'font-size:10.0pt'>const-prefix-exclude</span></span></p>
14261 <p class="IndentText">An identifier that is not a constant starts
14262 with the <span class="Flag"><span style=
14263 'font-size:10.0pt'>constantprefix</span></span>.</p>
14264 <p class="TextFontCX"><span class="Flag"><span style=
14265 'font-size:10.0pt'>iter-prefix</span></span><span class=
14266 "Flag"><span style='font-size:10.0pt'> <i><prefix
14267 string></i></span></span></p>
14268 <p class="IndentText">Set namespace prefix for iterators.</p>
14270 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14271 height="14" align="left">
14273 <td valign="top" align="left" height="14" style=
14274 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14275 <p class="TextFontCX" align="center" style=
14276 'text-align:center;background:#CCCCCC'><span style=
14277 'font-size:10.0pt'>P:</span> <span class=
14278 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14279 <p class="TextFontCX"><span class="Flag"><span style=
14280 'font-size:10.0pt'>iter-prefix-exclude</span></span></p>
14281 <p class="IndentText">An identifier that is not an
14282 <span class="Flag"><span style=
14283 'font-size:10.0pt'>iter</span></span> starts with the
14284 <span class="Flag"><span style=
14285 'font-size:10.0pt'>iterprefix</span></span>.</p>
14286 <p class="TextFontCX"><span class="Flag"><span style=
14287 'font-size:10.0pt'>proto-param-prefix</span></span><span class="Flag">
14288 <span style='font-size:10.0pt'> <i><prefix
14289 string></i></span></span></p>
14290 <p class="IndentText">Set namespace prefix for parameters in
14291 function prototypes.</p>
14293 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14294 height="14" align="left">
14296 <td valign="top" align="left" height="14" style=
14297 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14298 <p class="TextFontCX" align="center" style=
14299 'text-align:center;background:#CCCCCC'><span style=
14300 'font-size:10.0pt'>P:</span> <span class=
14301 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14302 <p class="TextFontCX"><span class="Flag"><span style=
14303 'font-size:10.0pt'>proto-param-prefix-exclude</span></span></p>
14304 <p class="IndentText">An identifier that is not a parameter in a
14305 function prototype starts with the <span class=
14306 "Flag"><span style='font-size:10.0pt'>protoprarmprefix</span></span>.</p>
14308 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14309 height="14" align="left">
14311 <td valign="top" align="left" height="14" style=
14312 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14313 <p class="TextFontCX" align="center" style=
14314 'text-align:center;background:#CCCCCC'><span style=
14315 'font-size:10.0pt'>m:</span><span class=
14316 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14317 <p class="TextFontCX"><span class="Flag"><span style=
14318 'font-size:10.0pt'>proto-param-name</span></span></p>
14319 <p class="IndentText">A parameter in a function prototype has a
14320 name (can interfere with macro definitions).</p>
14322 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14323 height="14" align="left">
14325 <td valign="top" align="left" height="14" style=
14326 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14327 <p class="TextFontCX" align="center" style=
14328 'text-align:center;background:#CCCCCC'><span style=
14329 'font-size:10.0pt'>m:</span><span class=
14330 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14331 <p class="TextFontCX"><span class="Flag"><span style=
14332 'font-size:10.0pt'>proto-param-match</span></span></p>
14333 <p class="IndentText">The name of a parameter in a function
14334 definition does not match the corresponding name of the parameter
14335 in a function prototype (after removing the <span class=
14336 "Flag"><span style=
14337 'font-size:10.0pt'>protoparamprefix</span></span>).</p>
14338 <p class="Heading10">Naming Restrictions <span style=
14339 'font-size:10.5pt; font-weight:normal'>(Section 12.3)</span></p>
14341 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14342 height="14" align="left">
14344 <td valign="top" align="left" height="14" style=
14345 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14346 <p class="TextFontCX" align="center" style=
14347 'text-align:center;background:#CCCCCC'><span style=
14348 'font-size:10.0pt'>m:</span><span class=
14349 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14350 <p class="TextFontCX"><span class="Flag"><span style=
14351 'font-size:10.0pt'>shadow</span></span></p>
14352 <p class="IndentText">Declaration reuses name visible in outer
14354 <p class="Heading11">Reserved Names</p>
14356 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14357 height="14" align="left">
14359 <td valign="top" align="left" height="14" style=
14360 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14361 <p class="TextFontCX" align="center" style=
14362 'text-align:center;background:#CCCCCC'><span style=
14363 'font-size:10.0pt'>m:</span><span class=
14364 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14365 <p class="TextFontCX"><span class="Flag"><span style=
14366 'font-size:10.0pt'>ansi-reserved</span></span></p>
14367 <p class="IndentText">External name conflicts with name reserved
14368 for the compiler or standard library.</p>
14370 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14371 height="14" align="left">
14373 <td valign="top" align="left" height="14" style=
14374 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14375 <p class="TextFontCX" align="center" style=
14376 'text-align:center;background:#CCCCCC'><span style=
14377 'font-size:10.0pt'>m:</span><span class=
14378 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14379 <p class="TextFontCX"><span class="Flag"><span style=
14380 'font-size:10.0pt'>ansi-reserved-internal</span></span></p>
14381 <p class="IndentText"> Internal name conflicts with name
14382 reserved for the compiler or standard library.</p>
14385 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14386 height="14" align="left">
14388 <td valign="top" align="left" height="14" style=
14389 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14390 <p class="TextFontCX" align="center" style=
14391 'text-align:center;background:#CCCCCC'><span style=
14392 'font-size:10.0pt'>m:</span><span class=
14393 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14394 <p class="TextFontCX"><span class="Flag"><span style=
14395 'font-size:10.0pt'>iso-reserved</span></span></p>
14396 <p class="IndentText">
14397 External name is reserved for system use by ISO C99 standard.
14401 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14402 height="14" align="left">
14404 <td valign="top" align="left" height="14" style=
14405 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14406 <p class="TextFontCX" align="center" style=
14407 'text-align:center;background:#CCCCCC'><span style=
14408 'font-size:10.0pt'>m:</span><span class=
14409 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14410 <p class="TextFontCX"><span class="Flag"><span style=
14411 'font-size:10.0pt'>iso-reserved-internal</span></span></p>
14412 <p class="IndentText">
14413 Internal name is reserved for system in ISO C99 standard (this should not be necessary unless you are worried about C library implementations that violate the standard and use macros).
14417 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14418 height="14" align="left">
14420 <td valign="top" align="left" height="14" style=
14421 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14422 <p class="TextFontCX" align="center" style=
14423 'text-align:center;background:#CCCCCC'><span style=
14424 'font-size:10.0pt'>m:</span><span class=
14425 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14426 <p class="TextFontCX"><span class="Flag"><span style=
14427 'font-size:10.0pt'>cpp-names</span></span></p>
14428 <p class="IndentText">Internal or external name conflicts with a
14429 C++ reserved word. (Will cause problems if program is
14430 compiled with a C++ compiler.)</p>
14431 <p class="Heading11">Distinct External Names</p>
14433 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14434 height="14" align="left">
14436 <td valign="top" align="left" height="14" style=
14437 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14438 <p class="TextFontCX" align="center" style=
14439 'text-align:center;background:#CCCCCC'><span style=
14440 'font-size:10.0pt'>P:</span> <span class=
14441 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14442 <p class="TextFontCX"><span class="Flag"><span style=
14443 'font-size:10.0pt'>distinct-external-names</span></span></p>
14444 <p class="IndentText">An external name is not distinguishable from
14445 another external name using <span class="Flag"><span style=
14446 'font-size:10.0pt'>externalnamelen</span></span><i> </i>significant
14449 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14450 height="14" align="left">
14452 <td valign="top" align="left" height="14" style=
14453 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14454 <p class="TextFontCX" align="center" style=
14455 'text-align:center;background:#CCCCCC'><span style=
14456 'font-size:10.0pt'>P: 6</span></p></td></tr></table></div>
14457 <p class="TextFontCX"><span class="Flag"><span style=
14458 'font-size:10.0pt'>external-name-len</span></span><span class="Flag">
14460 'font-size:10.0pt'> <i><number></i></span></span></p>
14461 <p class="IndentText">Sets the number of significant characters in
14462 an external name (ANSI default minimum is 6). Sets
14463 <span class="Flag"><span style=
14464 'font-size:10.0pt'>+distinct-external-names</span></span>.</p>
14466 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14467 height="14" align="left">
14469 <td valign="top" align="left" height="14" style=
14470 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14471 <p class="TextFontCX" align="center" style=
14472 'text-align:center;background:#CCCCCC'><span style=
14473 'font-size:10.0pt'>P:</span> <span class=
14474 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14475 <p class="TextFontCX"><span class="Flag"><span style=
14476 'font-size:10.0pt'>external-name-case-insensitive</span></span></p>
14477 <p class="IndentText">Make alphabetic case insignificant in
14478 external names. According to ANSI standard, case need not be
14479 significant in an external name. If <span class=
14480 "Flag"><span style=
14481 'font-size:10.0pt'>+distinct-external-names</span></span> is
14482 not set, sets <span class="Flag"><span style=
14483 'font-size:10.0pt'>+distinct-external-names</span></span> with
14484 unlimited external name length.</p>
14485 <p class="Heading11">Distinct Internal Names</p>
14487 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14488 height="14" align="left">
14490 <td valign="top" align="left" height="14" style=
14491 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14492 <p class="TextFontCX" align="center" style=
14493 'text-align:center;background:#CCCCCC'><span style=
14494 'font-size:10.0pt'>m:</span><span class=
14495 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
14496 <p class="TextFontCX"><span class="Flag"><span style=
14497 'font-size:10.0pt'>distinct-internal-names</span></span></p>
14498 <p class="IndentText">An internal name is not distinguishable from
14499 another internal name using <span class="Flag"><span style=
14500 'font-size:10.0pt'>internalnamelen</span></span> significant
14501 characters. (Also effected by <span class=
14502 "Flag"><span style=
14503 'font-size:10.0pt'>internal-name-case-insensitive</span></span> and
14504 <span class="Flag"><span style=
14505 'font-size:10.0pt'>internal-name-lookalike</span></span>.)</p>
14507 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14508 height="14" align="left">
14510 <td valign="top" align="left" height="14" style=
14511 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14512 <p class="TextFontCX" align="center" style=
14513 'text-align:center;background:#CCCCCC'><span style=
14514 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
14515 'font-size:10.0pt'>31</span></span></p></td></tr></table></div>
14516 <p class="TextFontCX"><span class="Flag"><span style=
14517 'font-size:10.0pt'>internal-name-len</span></span><span class="Flag">
14519 'font-size:10.0pt'> <i><number></i></span></span></p>
14520 <p class="IndentText">Set the number of significant characters in
14521 an internal name. Sets <span class="Flag"><span style=
14522 'font-size:10.0pt'>+distinct-internal-names</span></span>.</p>
14524 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14525 height="14" align="left">
14527 <td valign="top" align="left" height="14" style=
14528 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14529 <p class="TextFontCX" align="center" style=
14530 'text-align:center;background:#CCCCCC'><span style=
14531 'font-size:10.0pt'>P:</span> <span class=
14532 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14533 <p class="TextFontCX"><span class="Flag"><span style=
14534 'font-size:10.0pt'>internal-name-case-insensitive</span></span></p>
14535 <p class="IndentText">Set whether case is significant an internal
14536 names (<span class="Flag"><span style=
14537 'font-size:10.0pt'>-internal-name-case-insensitive</span></span> means
14538 case is significant). If <span class=
14539 "Flag"><span style='font-size:10.0pt'>+distinct-internal-names</span></span> is
14540 not set, sets <span class="Flag"><span style=
14541 'font-size:10.0pt'>+distinct-internal-names</span></span>
14542 with unlimited internal name length.</p>
14544 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14545 height="14" align="left">
14547 <td valign="top" align="left" height="14" style=
14548 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14549 <p class="TextFontCX" align="center" style=
14550 'text-align:center;background:#CCCCCC'><span style=
14551 'font-size:10.0pt'>P:</span> <span class=
14552 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14553 <p class="TextFontCX"><span class="Flag"><span style=
14554 'font-size:10.0pt'>internal-name-lookalike</span></span></p>
14555 <p class="IndentText"> Set whether similar looking characters
14556 (e.g., “<span class="Keyword"><span style=
14557 'font-size:10.0pt'>1</span></span>” and
14558 “<span class="Keyword"><span style=
14559 'font-size:10.0pt'>l</span></span>”) match in internal
14561 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
14562 Control Flow <span class="TextFontCXChar"><span style=
14563 'font-size:11.0pt; font-weight:normal'>(Section
14564 8)</span></span></p>
14565 <p class="Heading10">Undefined Evaluation Order <span class=
14566 "HeadingNote"><span style=
14567 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
14568 <span class="HeadingNote"><span style=
14569 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.2</span></span><span class="HeadingNote">
14571 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
14573 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14574 height="14" align="left">
14576 <td valign="top" align="left" height="14" style=
14577 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14578 <p class="TextFontCX" align="center" style=
14579 'text-align:center;background:#CCCCCC'><span style=
14580 'font-size:10.0pt'>m:</span><span class=
14581 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14582 <p class="Heading10" style='margin:0in;margin-bottom:.0001pt'>
14583 <span class="Flag"><span style=
14584 'font-size:10.0pt;font-weight:normal'>eval-order</span></span></p>
14585 <p class="IndentText">Behavior of an expression is unspecified or
14586 implementation-dependent because sub-expressions contain
14587 interfering side effects that may be evaluated in any order.</p>
14589 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14590 height="14" align="left">
14592 <td valign="top" align="left" height="14" style=
14593 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14594 <p class="TextFontCX" align="center" style=
14595 'text-align:center;background:#CCCCCC'><span style=
14596 'font-size:10.0pt'>m:</span><span class=
14597 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14598 <p class="TextFontCX"><span class="Flag"><span style=
14599 'font-size:10.0pt'>eval-order-uncon</span></span></p>
14600 <p class="IndentText">An expression may be undefined because a
14601 sub-expression contains a call to an unconstrained function (no
14602 modifies clause) that may modify something that may be modified or
14603 used by another sub-expression.</p>
14604 <p class="Heading10">Problematic Control Structures
14605 <span class="HeadingNote"><span style=
14606 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
14607 <span class="HeadingNote"><span style=
14608 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.3</span></span><span class="HeadingNote">
14610 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
14612 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14613 height="14" align="left">
14615 <td valign="top" align="left" height="14" style=
14616 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14617 <p class="TextFontCX" align="center" style=
14618 'text-align:center;background:#CCCCCC'><span style=
14619 'font-size:10.0pt'>m:</span><span class=
14620 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14621 <p class="TextFontCX"><span class="Flag"><span style=
14622 'font-size:10.0pt'>inf-loops</span></span></p>
14623 <p class="IndentText">Likely infinite loop is detected (Section
14626 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14627 height="14" align="left">
14629 <td valign="top" align="left" height="14" style=
14630 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14631 <p class="TextFontCX" align="center" style=
14632 'text-align:center;background:#CCCCCC'><span style=
14633 'font-size:10.0pt'>m:</span><span class=
14634 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14635 <p class="TextFontCX"><span class="Flag"><span style=
14636 'font-size:10.0pt'>inf-loops-uncon</span></span></p>
14637 <p class="IndentText">Likely infinite loop is detected. Loop
14638 test or body calls an unconstrained function that may produce an
14639 undetected modification.</p>
14641 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14642 height="14" align="left">
14644 <td valign="top" align="left" height="14" style=
14645 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14646 <p class="TextFontCX" align="center" style=
14647 'text-align:center;background:#CCCCCC'><span style=
14648 'font-size:10.0pt'>m:</span><span class=
14649 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14650 <p class="TextFontCX"><span class="Flag"><span style=
14651 'font-size:10.0pt'>elseif-complete</span></span></p>
14652 <p class="IndentText">There is no finals else following an else if
14653 construct (Section 8.3.5).</p>
14656 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14657 height="14" align="left">
14659 <td valign="top" align="left" height="14" style=
14660 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14661 <p class="TextFontCX" align="center" style=
14662 'text-align:center;background:#CCCCCC'><span style=
14663 'font-size:10.0pt'>m:</span><span class=
14664 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14665 <p class="TextFontCX"><span class="Flag"><span style=
14666 'font-size:10.0pt'>case-break</span></span></p>
14667 <p class="IndentText">There is a non-empty case in a switch not
14668 followed by a <span class="CodeText"><span style=
14669 'font-size:10.0pt'>break</span></span><span class=
14670 "HeadingNote"><span style=
14671 'font-size:10.5pt;font-style:normal'>(Section</span></span>
14672 <span class="HeadingNote"><span style=
14673 'font-size:10.5pt;font-style:normal'>8.3.2</span></span><span class="HeadingNote">
14675 'font-size:10.5pt;font-style:normal'>).</span></span></p>
14679 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14680 height="14" align="left">
14682 <td valign="top" align="left" height="14" style=
14683 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14684 <p class="TextFontCX" align="center" style=
14685 'text-align:center;background:#CCCCCC'><span style=
14686 'font-size:10.0pt'>m:</span><span class=
14687 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14688 <p class="TextFontCX"><span class="Flag"><span style=
14689 'font-size:10.0pt'>first-case</span></span></p>
14690 <p class="IndentText">
14691 The first statement after a switch is not a case.
14696 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14697 height="14" align="left">
14699 <td valign="top" align="left" height="14" style=
14700 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14701 <p class="TextFontCX" align="center" style=
14702 'text-align:center;background:#CCCCCC'><span style=
14703 'font-size:10.0pt'>m:</span><span class=
14704 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14705 <p class="TextFontCX"><span class="Flag"><span style=
14706 'font-size:10.0pt'>Duplicate-case</span></span></p>
14707 <p class="IndentText">
14708 Duplicate cases in switch.
14712 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14713 height="14" align="left">
14715 <td valign="top" align="left" height="14" style=
14716 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14717 <p class="TextFontCX" align="center" style=
14718 'text-align:center;background:#CCCCCC'><span style=
14719 'font-size:10.0pt'>m:</span><span class=
14720 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14721 <p class="TextFontCX"><span class="Flag"><span style=
14722 'font-size:10.0pt'>miss-case</span></span></p>
14723 <p class="IndentText">A switch on an <span class=
14724 "CodeText"><span style='font-size: 10.0pt'>enum</span></span> type
14725 is missing a case for a member of the enumerator.</p>
14728 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14729 height="14" align="left">
14731 <td valign="top" align="left" height="14" style=
14732 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14733 <p class="TextFontCX" align="center" style=
14734 'text-align:center;background:#CCCCCC'><span style=
14735 'font-size:10.0pt'>P</span><span class=
14736 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14737 <p class="TextFontCX"><span class="Flag"><span style=
14738 'font-size:10.0pt'>emptyreturn
14740 <p class="IndentText">Empty return in function declared to return value.</p>
14743 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14744 height="14" align="left">
14746 <td valign="top" align="left" height="14" style=
14747 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14748 <p class="TextFontCX" align="center" style=
14749 'text-align:center;background:#CCCCCC'><span style=
14750 'font-size:10.0pt'>P</span><span class=
14751 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14752 <p class="TextFontCX"><span class="Flag"><span style=
14753 'font-size:10.0pt'>alwaysexits
14755 <p class="IndentText">
14756 Loop predicate always exits.
14760 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14761 height="14" align="left">
14763 <td valign="top" align="left" height="14" style=
14764 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14765 <p class="TextFontCX" align="center" style=
14766 'text-align:center;background:#CCCCCC'><span style=
14767 'font-size:10.0pt'>shortcut</span><span class=
14768 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
14769 <p class="TextFontCX"><span class="Flag"><span style=
14770 'font-size:10.0pt'>loop-exec</span></span></p>
14771 <p class="IndentText">Assume all loops execute at least once.
14772 This effects use-before-definition and memory checking.
14773 It should probably not be used globally, but may be used
14774 surrounding a particular loop that is known to always execute to
14775 prevent spurious messages.
14777 <span class="Flag"><span style=
14778 'font-size:10.0pt'>
14779 for-loop-exec, while-loop-exec and iter-loop-exec
14784 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14785 height="14" align="left">
14787 <td valign="top" align="left" height="14" style=
14788 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14789 <p class="TextFontCX" align="center" style=
14790 'text-align:center;background:#CCCCCC'><span style=
14791 'font-size:10.0pt'>P</span><span class=
14792 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14793 <p class="TextFontCX"><span class="Flag"><span style=
14794 'font-size:10.0pt'>for-loop-exec
14796 <p class="IndentText">
14797 Assume all<span class=
14798 "CodeText"><span style='font-size: 10.0pt'>
14801 loops execute at least once. This effects use-before-definition
14802 and memory checking. It should probably not be used globally, but may be used
14803 surrounding a particular loop that is known to always execute to prevent spurious messages.
14809 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14810 height="14" align="left">
14812 <td valign="top" align="left" height="14" style=
14813 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14814 <p class="TextFontCX" align="center" style=
14815 'text-align:center;background:#CCCCCC'><span style=
14816 'font-size:10.0pt'>P</span><span class=
14817 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14818 <p class="TextFontCX"><span class="Flag"><span style=
14819 'font-size:10.0pt'>while-loop-exec
14821 <p class="IndentText">
14822 Assume all<span class=
14823 "CodeText"><span style='font-size: 10.0pt'>
14826 loops execute at least once. This effects use-before-definition
14827 and memory checking. It should probably not be used globally, but may be used
14828 surrounding a particular loop that is known to always execute to prevent spurious messages.
14833 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14834 height="14" align="left">
14836 <td valign="top" align="left" height="14" style=
14837 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14838 <p class="TextFontCX" align="center" style=
14839 'text-align:center;background:#CCCCCC'><span style=
14840 'font-size:10.0pt'>P</span><span class=
14841 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14842 <p class="TextFontCX"><span class="Flag"><span style=
14843 'font-size:10.0pt'>iter-loop-exec
14845 <p class="IndentText">
14846 Assume all<span class=
14847 "CodeText"><span style='font-size: 10.0pt'>
14850 loops execute at least once. This effects use-before-definition
14851 and memory checking. It should probably not be used globally, but may be used
14852 surrounding a particular loop that is known to always execute to prevent spurious messages.
14858 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14859 height="14" align="left">
14861 <td valign="top" align="left" height="14" style=
14862 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14863 <p class="TextFontCX" align="center" style=
14864 'text-align:center;background:#CCCCCC'><span style=
14865 'font-size:10.0pt'>P</span><span class=
14866 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14867 <p class="TextFontCX"><span class="Flag"><span style=
14868 'font-size:10.0pt'>obvious-loop-exec
14870 <p class="IndentText">
14871 Assume loop that can be determined to always execute always does.
14874 <p class="Heading10">Deep Break <span class=
14875 "TextFontCXChar"><span style=
14876 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
14877 <span class="TextFontCXChar"><span style=
14878 'font-size:11.0pt; font-weight:normal'>8.3.3</span></span><span class="TextFontCXChar">
14880 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
14882 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14883 height="14" align="left">
14885 <td valign="top" align="left" height="14" style=
14886 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14887 <p class="TextFontCX" align="center" style=
14888 'text-align:center;background:#CCCCCC'><span style=
14889 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
14890 <p class="TextFontCX"><span class="Flag"><span style=
14891 'font-size:10.0pt'>deep-break</span></span></p>
14892 <p class="IndentText">Report errors for <span class=
14893 "CodeText"><span style='font-size:10.0pt'>break</span></span>
14894 statements inside a nested <span class=
14895 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14896 <span class="CodeText"><span style=
14897 'font-size:10.0pt'>for</span></span> or <span class=
14898 "CodeText"><span style=
14899 'font-size:10.0pt'>switch</span></span>. (Sets all
14900 nested break and continue flags.)</p>
14902 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14903 height="14" align="left">
14905 <td valign="top" align="left" height="14" style=
14906 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14907 <p class="TextFontCX" align="center" style=
14908 'text-align:center;background:#CCCCCC'><span style=
14909 'font-size:10.0pt'>m:</span><span class=
14910 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14911 <p class="MsoListBullet"><span class="Flag"><span style=
14912 'font-size:10.0pt'>loop-loop-break</span></span></p>
14913 <p class="IndentText"><span class="TextFontCXChar">There is
14914 a</span> <span class="CodeText"><span style=
14915 'font-size:10.0pt'>break</span></span> inside a <span class=
14916 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14917 <span class="CodeText"><span style=
14918 'font-size:10.0pt'>for</span></span> or iterator loop that is
14919 inside a <span class="CodeText"><span style=
14920 'font-size: 10.0pt'>while</span></span>, <span class=
14921 "CodeText"><span style='font-size:10.0pt'>for</span></span> or
14922 iterator loop. Mark with <span class="Annot"><span style=
14923 'font-size:10.0pt'>/*@innerbreak@*/</span></span> to suppress the
14926 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14927 height="14" align="left">
14929 <td valign="top" align="left" height="14" style=
14930 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14931 <p class="TextFontCX" align="center" style=
14932 'text-align:center;background:#CCCCCC'><span style=
14933 'font-size:10.0pt'>m:</span><span class=
14934 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14935 <p class="MsoListBullet"><span class="Flag"><span style=
14936 'font-size:10.0pt'>switch-loop-break</span></span></p>
14937 <p class="IndentText"><span class="TextFontCXChar">There is
14938 a</span><span class="CodeText"><span style=
14939 'font-size:10.0pt'>break</span></span> inside a <span class=
14940 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14941 <span class="CodeText"><span style=
14942 'font-size:10.0pt'>for</span></span> or iterator loop that is
14943 inside a <span class="CodeText"><span style=
14944 'font-size: 10.0pt'>switch</span></span> statement. Mark with
14945 <span class="Annot"><span style=
14946 'font-size:10.0pt'>/*@loopbreak@*/</span></span>.</p>
14948 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14949 height="14" align="left">
14951 <td valign="top" align="left" height="14" style=
14952 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14953 <p class="TextFontCX" align="center" style=
14954 'text-align:center;background:#CCCCCC'><span style=
14955 'font-size:10.0pt'>m:</span><span class=
14956 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14957 <p class="MsoListBullet"><span class="Flag"><span style=
14958 'font-size:10.0pt'>loop-switch-break</span></span></p>
14959 <p class="IndentText"><span class="TextFontCXChar">There is
14960 a</span><span class="CodeText"><span style=
14961 'font-size:10.0pt'>break</span></span> inside a <span class=
14962 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
14963 statement that is inside a <span class=
14964 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14965 <span class="CodeText"><span style=
14966 'font-size:10.0pt'>for</span></span> or iterator loop.
14967 Mark with /<span class="Annot"><span style=
14968 'font-size:10.0pt'>*@switchbreak@*/</span></span>.</p>
14970 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14971 height="14" align="left">
14973 <td valign="top" align="left" height="14" style=
14974 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14975 <p class="TextFontCX" align="center" style=
14976 'text-align:center;background:#CCCCCC'><span style=
14977 'font-size:10.0pt'>m:</span><span class=
14978 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14979 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
14980 <span class="Flag"><span style=
14981 'font-size:10.0pt'>switch-switch-break</span></span></p>
14982 <p class="IndentText"><span class="TextFontCXChar">There is
14983 a</span><span class="CodeText"><span style=
14984 'font-size:10.0pt'>break</span></span> inside a <span class=
14985 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
14986 statement that is inside another <span class=
14987 "CodeText"><span style='font-size: 10.0pt'>switch</span></span>
14988 statement. Mark with <span class="Annot"><span style=
14989 'font-size:10.0pt'>/*@innerbreak@*/</span></span>.</p>
14991 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14992 height="14" align="left">
14994 <td valign="top" align="left" height="14" style=
14995 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14996 <p class="TextFontCX" align="center" style=
14997 'text-align:center;background:#CCCCCC'><span style=
14998 'font-size:10.0pt'>m:</span><span class=
14999 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15000 <p class="TextFontCX"><span class="Flag"><span style=
15001 'font-size:10.0pt'>loop-loop-continue</span></span></p>
15002 <p class="IndentText">There is a <span class=
15003 "CodeText"><span style='font-size: 10.0pt'>continue</span></span>
15004 inside a while, for or iterator loop that is inside a while,
15005 for or iterator loop. Mark with <span class=
15006 "Annot"><span style=
15007 'font-size:10.0pt'>/*@innercontinue@*/</span></span>.</p>
15008 <p class="Heading10">Loop and if Bodies <span class=
15009 "TextFontCXChar"><span style=
15010 'font-size:11.0pt; font-weight:normal'>(Section
15011 8.3.4)</span></span></p>
15013 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15014 height="14" align="left">
15016 <td valign="top" align="left" height="14" style=
15017 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15018 <p class="TextFontCX" align="center" style=
15019 'text-align:center;background:#CCCCCC'><span style=
15020 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15021 <p class="TextFontCX"><span class="Flag"><span style=
15022 'font-size:10.0pt'>all-empty</span></span></p>
15023 <p class="IndentText">An if, while or for statement has no body
15024 (sets <span class="Flag"><span style=
15025 'font-size:10.0pt'>if-empty</span></span>, <span class=
15026 "Flag"><span style=
15027 'font-size:10.0pt'>while-empty</span></span> and
15028 <span class="Flag"><span style=
15029 'font-size:10.0pt'>for-empty</span></span>.)</p>
15031 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15032 height="14" align="left">
15034 <td valign="top" align="left" height="14" style=
15035 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15036 <p class="TextFontCX" align="center" style=
15037 'text-align:center;background:#CCCCCC'><span style=
15038 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15039 <p class="TextFontCX"><span class="Flag"><span style=
15040 'font-size:10.0pt'>all-block</span></span></p>
15041 <p class="IndentText">The body of an <span class=
15042 "CodeText"><span style='font-size: 10.0pt'>if</span></span>,
15043 <span class="CodeText"><span style=
15044 'font-size:10.0pt'>while</span></span> or <span class=
15045 "CodeText"><span style='font-size:10.0pt'>for</span></span>
15046 statement is not a block (sets <span class=
15047 "Flag"><span style='font-size:10.0pt'>if-block</span></span>,
15048 <span class="Flag"><span style=
15049 'font-size:10.0pt'>while-block</span></span> and
15050 <span class="Flag"><span style=
15051 'font-size:10.0pt'>for-block</span></span>.)</p>
15053 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15054 height="14" align="left">
15056 <td valign="top" align="left" height="14" style=
15057 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15058 <p class="TextFontCX" align="center" style=
15059 'text-align:center;background:#CCCCCC'><span style=
15060 'font-size:10.0pt'>m:</span><span class=
15061 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15062 <p class="TextFontCX"><span class="Flag"><span style=
15063 'font-size:10.0pt'>while-empty</span></span></p>
15064 <p class="IndentText">A while statement has no body.</p>
15066 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15067 height="14" align="left">
15069 <td valign="top" align="left" height="14" style=
15070 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15071 <p class="TextFontCX" align="center" style=
15072 'text-align:center;background:#CCCCCC'><span style=
15073 'font-size:10.0pt'>m:</span><span class=
15074 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15075 <p class="TextFontCX"><span class="Flag"><span style=
15076 'font-size:10.0pt'>while-block</span></span></p>
15077 <p class="IndentText"> The body of a <span class=
15078 "CodeText"><span style='font-size: 10.0pt'>while</span></span>
15079 statement is not a block</p>
15081 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15082 height="14" align="left">
15084 <td valign="top" align="left" height="14" style=
15085 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15086 <p class="TextFontCX" align="center" style=
15087 'text-align:center;background:#CCCCCC'><span style=
15088 'font-size:10.0pt'>m:</span><span class=
15089 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15090 <p class="TextFontCX"><span class="Flag"><span style=
15091 'font-size:10.0pt'>for-empty</span></span></p>
15092 <p class="IndentText">A <span class="CodeText"><span style=
15093 'font-size:10.0pt'>for</span></span> statement has no body.</p>
15095 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15096 height="14" align="left">
15098 <td valign="top" align="left" height="14" style=
15099 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15100 <p class="TextFontCX" align="center" style=
15101 'text-align:center;background:#CCCCCC'><span style=
15102 'font-size:10.0pt'>m:</span><span class=
15103 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15104 <p class="TextFontCX"><span class="Flag"><span style=
15105 'font-size:10.0pt'>for-block</span></span></p>
15106 <p class="IndentText">The body of a <span class=
15107 "CodeText"><span style='font-size: 10.0pt'>for</span></span>
15108 statement is not a block.</p>
15110 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15111 height="14" align="left">
15113 <td valign="top" align="left" height="14" style=
15114 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15115 <p class="TextFontCX" align="center" style=
15116 'text-align:center;background:#CCCCCC'><span style=
15117 'font-size:10.0pt'>m:</span><span class=
15118 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15119 <p class="TextFontCX"><span class="Flag"><span style=
15120 'font-size:10.0pt'>if-empty</span></span></p>
15121 <p class="IndentText">An <span class="CodeText"><span style=
15122 'font-size:10.0pt'>if</span></span> statement has no body.</p>
15124 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15125 height="14" align="left">
15127 <td valign="top" align="left" height="14" style=
15128 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15129 <p class="TextFontCX" align="center" style=
15130 'text-align:center;background:#CCCCCC'><span style=
15131 'font-size:10.0pt'>m:</span><span class=
15132 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15133 <p class="TextFontCX"><span class="Flag"><span style=
15134 'font-size:10.0pt'>ifblock</span></span></p>
15135 <p class="IndentText">The body of an <span class=
15136 "CodeText"><span style='font-size: 10.0pt'>if</span></span>
15137 statement is not a block.</p>
15138 <p class="Heading10">Suspicious Statements <span class=
15139 "TextFontCXChar"><span style=
15140 'font-size:11.0pt; font-weight:normal'>(Section
15141 8.4)</span></span></p>
15143 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15144 height="14" align="left">
15146 <td valign="top" align="left" height="14" style=
15147 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15148 <p class="TextFontCX" align="center" style=
15149 'text-align:center;background:#CCCCCC'><span style=
15150 'font-size:10.0pt'>m:</span><span class=
15151 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15152 <p class="TextFontCX"><span class="Flag"><span style=
15153 'font-size:10.0pt'>unreachable</span></span></p>
15154 <p class="IndentText">Code is not reached on any possible
15157 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15158 height="14" align="left">
15160 <td valign="top" align="left" height="14" style=
15161 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15162 <p class="TextFontCX" align="center" style=
15163 'text-align:center;background:#CCCCCC'><span style=
15164 'font-size:10.0pt'>m:</span><span class=
15165 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15166 <p class="TextFontCX"><span class="Flag"><span style=
15167 'font-size:10.0pt'>noeffect</span></span></p>
15168 <p class="IndentText">Statement has no effect.</p>
15170 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15171 height="14" align="left">
15173 <td valign="top" align="left" height="14" style=
15174 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15175 <p class="TextFontCX" align="center" style=
15176 'text-align:center;background:#CCCCCC'><span style=
15177 'font-size:10.0pt'>m:</span><span class=
15178 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15179 <p class="TextFontCX"><span class="Flag"><span style=
15180 'font-size:10.0pt'>noeffect-uncon</span></span></p>
15181 <p class="IndentText">Statement involving call to unconstrained
15182 function may have no effect.</p>
15184 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15185 height="14" align="left">
15187 <td valign="top" align="left" height="14" style=
15188 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15189 <p class="TextFontCX" align="center" style=
15190 'text-align:center;background:#CCCCCC'><span style=
15191 'font-size:10.0pt'>m:</span><span class=
15192 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15193 <p class="TextFontCX"><span class="Flag"><span style=
15194 'font-size:10.0pt'>noret</span></span></p>
15195 <p class="IndentText">There is a path with no <span class=
15196 "Keyword"><span style='font-size:10.0pt'>return</span></span> in a
15197 function declared to return a non-<span class=
15198 "Keyword"><span style='font-size:10.0pt'>void</span></span>
15200 <p class="Heading10">Ignored Return Values <span class=
15201 "TextFontCXChar"><span style=
15202 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
15203 <span class="TextFontCXChar"><span style=
15204 'font-size:11.0pt; font-weight:normal'>8.4.2</span></span><span class="TextFontCXChar">
15206 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
15207 <p class="beforelist">These flags control when errors are reported
15208 for function calls that do not use the return value. Casting
15209 the function call to <span class="CodeText"><span style=
15210 'font-size:10.0pt'>void</span></span> or declaring the called
15211 function to return <span class="Annot"><span style=
15212 'font-size:10.0pt'>/*@alt void@*/</span></span>.</p>
15214 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15215 height="14" align="left">
15217 <td valign="top" align="left" height="14" style=
15218 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15219 <p class="TextFontCX" align="center" style=
15220 'text-align:center;background:#CCCCCC'><span style=
15221 'font-size:10.0pt'>m:</span><span class=
15222 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15223 <p class="TextFontCX"><span class="Flag"><span style=
15224 'font-size:10.0pt'>ret-val-bool</span></span></p>
15225 <p class="IndentText">Return value of type <span class=
15226 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
15229 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15230 height="14" align="left">
15232 <td valign="top" align="left" height="14" style=
15233 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15234 <p class="TextFontCX" align="center" style=
15235 'text-align:center;background:#CCCCCC'><span style=
15236 'font-size:10.0pt'>m:</span><span class=
15237 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15238 <p class="TextFontCX"><span class="Flag"><span style=
15239 'font-size:10.0pt'>ret-val-int</span></span></p>
15240 <p class="IndentText">Return value of type <span class=
15241 "CodeText"><span style='font-size:10.0pt'>int</span></span>
15244 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15245 height="14" align="left">
15247 <td valign="top" align="left" height="14" style=
15248 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15249 <p class="TextFontCX" align="center" style=
15250 'text-align:center;background:#CCCCCC'><span style=
15251 'font-size:10.0pt'>m:</span><span class=
15252 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15253 <p class="TextFontCX"><span class="Flag"><span style=
15254 'font-size:10.0pt'>ret-val-other</span></span></p>
15255 <p class="IndentText">Return value of type other than
15256 <span class="CodeText"><span style=
15257 'font-size:10.0pt'>bool</span></span> or <span class=
15258 "CodeText"><span style='font-size:10.0pt'>int</span></span>
15261 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15262 height="14" align="left">
15264 <td valign="top" align="left" height="14" style=
15265 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15266 <p class="TextFontCX" align="center" style=
15267 'text-align:center;background:#CCCCCC'><span style=
15268 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15269 <p class="TextFontCX"><span class="Flag"><span style=
15270 'font-size:10.0pt'>ret-val</span></span></p>
15271 <p class="IndentText">Return value ignored (Sets <span class=
15272 "Flag"><span style='font-size:10.0pt'>retvalbool</span></span>,
15273 <span class="Flag"><span style=
15274 'font-size:10.0pt'>retvalint</span></span>, <span class=
15275 "Flag"><span style=
15276 'font-size:10.0pt'>retvalother</span></span>.)</p>
15278 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15279 Memory Bounds <span class="HeadingNote"><span style=
15280 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15281 <span class="HeadingNote"><span style=
15282 'font-size:10.5pt;font-weight:normal;font-style: normal'>9</span></span>)
15285 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15286 height="14" align="left">
15288 <td valign="top" align="left" height="14" style=
15289 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15290 <p class="TextFontCX" align="center" style=
15291 'text-align:center;background:#CCCCCC'><span style=
15292 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15293 <p class="TextFontCX"><span class="Flag"><span style=
15294 'font-size:10.0pt'>bounds</span></span></p>
15295 <p class="IndentText">
15296 Memory read or write may be out of bounds of allocated storage
15298 "Flag"><span style='font-size:10.0pt'>boundsread</span></span>
15300 <span class="Flag"><span style=
15301 'font-size:10.0pt'>boundswrite</span></span>
15305 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15306 height="14" align="left">
15308 <td valign="top" align="left" height="14" style=
15309 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15310 <p class="TextFontCX" align="center" style=
15311 'text-align:center;background:#CCCCCC'><span style=
15312 'font-size:10.0pt'>m:</span><span class=
15313 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15314 <p class="TextFontCX"><span class="Flag"><span style=
15315 'font-size:10.0pt'>boundsread</span></span></p>
15316 <p class="IndentText">
15317 A memory read references memory beyond the allocated storage
15318 (also sets <span class=
15319 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>.
15323 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15324 height="14" align="left">
15326 <td valign="top" align="left" height="14" style=
15327 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15328 <p class="TextFontCX" align="center" style=
15329 'text-align:center;background:#CCCCCC'><span style=
15330 'font-size:10.0pt'>m:</span><span class=
15331 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15332 <p class="TextFontCX"><span class="Flag"><span style=
15333 'font-size:10.0pt'>boundswrite</span></span></p>
15334 <p class="IndentText">
15335 A memory write may write to an address beyond the allocated buffer
15336 (also sets <span class=
15337 "Flag"><span style='font-size:10.0pt'>likelyboundswrite</span></span>.
15341 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15342 height="14" align="left">
15344 <td valign="top" align="left" height="14" style=
15345 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15346 <p class="TextFontCX" align="center" style=
15347 'text-align:center;background:#CCCCCC'><span style=
15348 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15349 <p class="TextFontCX"><span class="Flag"><span style=
15350 'font-size:10.0pt'>likelybounds</span></span></p>
15351 <p class="IndentText">
15352 Likely memory read or write is likely to be out of bounds of allocated storage
15354 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>
15356 <span class="Flag"><span style=
15357 'font-size:10.0pt'>likelyboundswrite)</span></span>
15362 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15363 height="14" align="left">
15365 <td valign="top" align="left" height="14" style=
15366 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15367 <p class="TextFontCX" align="center" style=
15368 'text-align:center;background:#CCCCCC'><span style=
15369 'font-size:10.0pt'>m:</span><span class=
15370 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15371 <p class="TextFontCX"><span class="Flag"><span style=
15372 'font-size:10.0pt'>likelyboundsread</span></span></p>
15373 <p class="IndentText">
15374 A likely memory read references memory beyond the allocated storage
15375 (also sets <span class=
15376 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>.
15380 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15381 height="14" align="left">
15383 <td valign="top" align="left" height="14" style=
15384 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15385 <p class="TextFontCX" align="center" style=
15386 'text-align:center;background:#CCCCCC'><span style=
15387 'font-size:10.0pt'>m:</span><span class=
15388 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15389 <p class="TextFontCX"><span class="Flag"><span style=
15390 'font-size:10.0pt'>likelyboundswrite</span></span></p>
15391 <p class="IndentText">
15392 A memory write is likely to write to an address beyond the allocated buffer.
15396 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15397 height="14" align="left">
15399 <td valign="top" align="left" height="14" style=
15400 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15401 <p class="TextFontCX" align="center" style=
15402 'text-align:center;background:#CCCCCC'><span style=
15403 'font-size:10.0pt'>m:</span><span class=
15404 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15405 <p class="TextFontCX"><span class="Flag">fcnpost<span style=
15406 'font-size:10.0pt'></span></span></p>
15407 <p class="IndentText">
15408 Display function post conditions.
15413 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15414 height="14" align="left">
15416 <td valign="top" align="left" height="14" style=
15417 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15418 <p class="TextFontCX" align="center" style=
15419 'text-align:center;background:#CCCCCC'><span style=
15420 'font-size:10.0pt'>m:</span><span class=
15421 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15422 <p class="TextFontCX"><span class="Flag">redundantconstraints<span style=
15423 'font-size:10.0pt'></span></span></p>
15424 <p class="IndentText">
15425 Display seemingly redundant conditions.
15428 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15429 height="14" align="left">
15431 <td valign="top" align="left" height="14" style=
15432 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15433 <p class="TextFontCX" align="center" style=
15434 'text-align:center;background:#CCCCCC'><span style=
15435 'font-size:10.0pt'>m:</span><span class=
15436 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15437 <p class="TextFontCX"><span class="Flag">checkpost<span style=
15438 'font-size:10.0pt'></span></span></p>
15439 <p class="IndentText">
15440 The functions implementation may not satidfy a post condition given in an ensures clause.
15445 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15446 height="14" align="left">
15448 <td valign="top" align="left" height="14" style=
15449 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15450 <p class="TextFontCX" align="center" style=
15451 'text-align:center;background:#CCCCCC'><span style=
15452 'font-size:10.0pt'>P-</span><span class=
15453 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15454 <p class="TextFontCX"><span class="Flag">showconstraintparens<span style=
15455 'font-size:10.0pt'></span></span></p>
15456 <p class="IndentText">
15457 Display parentheses around constraint terms.
15460 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15461 height="14" align="left">
15463 <td valign="top" align="left" height="14" style=
15464 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15465 <p class="TextFontCX" align="center" style=
15466 'text-align:center;background:#CCCCCC'><span style=
15467 'font-size:10.0pt'>P+</span><span class=
15468 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15469 <p class="TextFontCX"><span class="Flag">showconstraintlocation<span style=
15470 'font-size:10.0pt'></span></span></p>
15471 <p class="IndentText">
15472 Display location for every constraint generated.
15475 <p class="beforelist">
15476 The following flags are mainly of interest to Splint developers. The default values are adequate in normal use. They are included for completeness.
15480 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15481 height="14" align="left">
15483 <td valign="top" align="left" height="14" style=
15484 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15485 <p class="TextFontCX" align="center" style=
15486 'text-align:center;background:#CCCCCC'><span style=
15487 'font-size:10.0pt'>P-</span><span class=
15488 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15489 <p class="TextFontCX"><span class="Flag">
15491 <span style='font-size:10.0pt'></span></span></p>
15492 <p class="IndentText">
15493 Perform buffer overflow checking even if the errors would be inhibited.
15499 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15500 height="14" align="left">
15502 <td valign="top" align="left" height="14" style=
15503 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15504 <p class="TextFontCX" align="center" style=
15505 'text-align:center;background:#CCCCCC'><span style=
15506 'font-size:10.0pt'>P-</span><span class=
15507 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15508 <p class="TextFontCX"><span class="Flag">
15510 <span style='font-size:10.0pt'></span></span></p>
15511 <p class="IndentText">
15512 Generate implicit constraints for functions. This is an experimental option.
15513 Currently this option reduces the number of bounds errors but causes real error to be missed.
15518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15519 height="14" align="left">
15521 <td valign="top" align="left" height="14" style=
15522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15523 <p class="TextFontCX" align="center" style=
15524 'text-align:center;background:#CCCCCC'><span style=
15525 'font-size:10.0pt'>P-</span><span class=
15526 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15527 <p class="TextFontCX"><span class="Flag">
15529 <span style='font-size:10.0pt'></span></span></p>
15530 <p class="IndentText">
15531 This flags affects the internal constraint resolution.  If set, the internal constraint resolution is more accurate.  The performance impact is minimal so there is little reason not to have this flag set.</p>
15533 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15534 Extensible Checking <span class="HeadingNote"><span style=
15535 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15536 <span class="HeadingNote"><span style=
15537 'font-size:10.5pt;font-weight:normal;font-style: normal'>13</span></span><span class="HeadingNote">
15539 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15543 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15544 height="14" align="left">
15546 <td valign="top" align="left" height="14" style=
15547 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15548 <p class="TextFontCX" align="center" style=
15549 'text-align:center;background:#CCCCCC'><span style=
15550 'font-size:10.0pt'>P-</span><span class=
15551 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15552 <p class="TextFontCX"><span class="Flag">
15554 <span style='font-size:10.0pt'></span></span></p>
15555 <p class="IndentText">
15556 Load meta state declaration and corresponding xh file.
15561 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15562 height="14" align="left">
15564 <td valign="top" align="left" height="14" style=
15565 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15566 <p class="TextFontCX" align="center" style=
15567 'text-align:center;background:#CCCCCC'><span style=
15568 'font-size:10.0pt'>m:</span><span class=
15569 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15570 <p class="TextFontCX"><span class="Flag">
15572 <span style='font-size:10.0pt'></span></span></p>
15573 <p class="IndentText">
15574 Transfer violates user-defined state rules.
15579 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15580 height="14" align="left">
15582 <td valign="top" align="left" height="14" style=
15583 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15584 <p class="TextFontCX" align="center" style=
15585 'text-align:center;background:#CCCCCC'><span style=
15586 'font-size:10.0pt'>m:</span><span class=
15587 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15588 <p class="TextFontCX"><span class="Flag">
15590 <span style='font-size:10.0pt'></span></span></p>
15591 <p class="IndentText">
15592 Control path merge violates user-defined state merge rules.
15595 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15596 Completeness <span class="HeadingNote"><span style=
15597 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15598 <span class="HeadingNote"><span style=
15599 'font-size:10.5pt;font-weight:normal;font-style: normal'>13</span></span><span class="HeadingNote">
15601 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15602 <p class="Heading10">Unused Declarations <span class=
15603 "HeadingNote"><span style=
15604 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
15605 <span class="HeadingNote"><span style=
15606 'font-size:10.5pt;font-weight:normal;font-style: normal'>13.1</span></span><span class="HeadingNote">
15608 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15609 <p class="beforelist">These flags control when errors are reported
15610 for declarations that are never used. The <span class=
15611 "Annot"><span style='font-size:10.0pt'>unused</span></span>
15612 annotation can be used to prevent unused errors from being report
15613 for a particular declaration.</p>
15615 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15616 height="14" align="left">
15618 <td valign="top" align="left" height="14" style=
15619 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15620 <p class="TextFontCX" align="center" style=
15621 'text-align:center;background:#CCCCCC'><span style=
15622 'font-size:10.0pt'>m:</span><span class=
15623 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15624 <p class="TextFontCX"><span class="Flag"><span style=
15625 'font-size:10.0pt'>top-use</span></span></p>
15626 <p class="IndentText">An external declaration is not used in any
15629 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15630 height="14" align="left">
15632 <td valign="top" align="left" height="14" style=
15633 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15634 <p class="TextFontCX" align="center" style=
15635 'text-align:center;background:#CCCCCC'><span style=
15636 'font-size:10.0pt'>m:</span><span class=
15637 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15638 <p class="TextFontCX"><span class="Flag"><span style=
15639 'font-size:10.0pt'>const-use</span></span></p>
15640 <p class="IndentText">Constant never used.</p>
15642 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15643 height="14" align="left">
15645 <td valign="top" align="left" height="14" style=
15646 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15647 <p class="TextFontCX" align="center" style=
15648 'text-align:center;background:#CCCCCC'><span style=
15649 'font-size:10.0pt'>m:</span><span class=
15650 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15651 <p class="TextFontCX"><span class="Flag"><span style=
15652 'font-size:10.0pt'>enum-mem-use</span></span></p>
15653 <p class="IndentText">Member of enumerator never used.</p>
15655 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15656 height="14" align="left">
15658 <td valign="top" align="left" height="14" style=
15659 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15660 <p class="TextFontCX" align="center" style=
15661 'text-align:center;background:#CCCCCC'><span style=
15662 'font-size:10.0pt'>m:</span><span class=
15663 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15664 <p class="TextFontCX"><span class="Flag"><span style=
15665 'font-size:10.0pt'>var-use</span></span></p>
15666 <p class="IndentText">Variable never used.</p>
15668 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15669 height="14" align="left">
15671 <td valign="top" align="left" height="14" style=
15672 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15673 <p class="TextFontCX" align="center" style=
15674 'text-align:center;background:#CCCCCC'><span style=
15675 'font-size:10.0pt'>m:</span><span class=
15676 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15677 <p class="TextFontCX"><span class="Flag"><span style=
15678 'font-size:10.0pt'>param-use</span></span></p>
15679 <p class="IndentText">Function parameter never used.</p>
15681 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15682 height="14" align="left">
15684 <td valign="top" align="left" height="14" style=
15685 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15686 <p class="TextFontCX" align="center" style=
15687 'text-align:center;background:#CCCCCC'><span style=
15688 'font-size:10.0pt'>m:</span><span class=
15689 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15690 <p class="TextFontCX"><span class="Flag"><span style=
15691 'font-size:10.0pt'>fcn-use</span></span></p>
15692 <p class="IndentText">Function is never used.</p>
15694 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15695 height="14" align="left">
15697 <td valign="top" align="left" height="14" style=
15698 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15699 <p class="TextFontCX" align="center" style=
15700 'text-align:center;background:#CCCCCC'><span style=
15701 'font-size:10.0pt'>m:</span><span class=
15702 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15703 <p class="TextFontCX"><span class="Flag"><span style=
15704 'font-size:10.0pt'>type-use</span></span></p>
15705 <p class="IndentText">Defined type never used.</p>
15707 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15708 height="14" align="left">
15710 <td valign="top" align="left" height="14" style=
15711 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15712 <p class="TextFontCX" align="center" style=
15713 'text-align:center;background:#CCCCCC'><span style=
15714 'font-size:10.0pt'>m:</span><span class=
15715 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15716 <p class="TextFontCX"><span class="Flag"><span style=
15717 'font-size:10.0pt'>field-use</span></span></p>
15718 <p class="IndentText">Field of structure or union type is never
15721 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15722 height="14" align="left">
15724 <td valign="top" align="left" height="14" style=
15725 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15726 <p class="TextFontCX" align="center" style=
15727 'text-align:center;background:#CCCCCC'><span style=
15728 'font-size:10.0pt'>m:</span><span class=
15729 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15730 <p class="TextFontCX"><span class="Flag"><span style=
15731 'font-size:10.0pt'>unused-special</span></span></p>
15732 <p class="IndentText">Declaration in a special file (corresponding
15733 to <span class="ProgramNameChar">.l</span> or <span class=
15734 "ProgramNameChar">.y</span> file) is unused.</p>
15735 <p class="Heading10">Complete Programs <span class=
15736 "TextFontCXChar"><span style=
15737 'font-size:11.0pt; font-weight:normal'>(Section
15738 13.2)</span></span></p>
15740 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15741 height="14" align="left">
15743 <td valign="top" align="left" height="14" style=
15744 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15745 <p class="TextFontCX" align="center" style=
15746 'text-align:center;background:#CCCCCC'><span style=
15747 'font-size:10.0pt'>m:</span><span class=
15748 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15749 <p class="TextFontCX"><span class="Flag"><span style=
15750 'font-size:10.0pt'>decl-undef</span></span></p>
15751 <p class="IndentText">Function, variable, iterator or constant
15752 declared but never defined.</p>
15754 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15755 height="14" align="left">
15757 <td valign="top" align="left" height="14" style=
15758 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15759 <p class="TextFontCX" align="center" style=
15760 'text-align:center;background:#CCCCCC'><span style=
15761 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15762 <p class="TextFontCX"><span class="Flag"><span style=
15763 'font-size:10.0pt'>partial</span></span></p>
15764 <p class="IndentText">Check as partial system (sets
15765 <span class="Flag"><span style=
15766 'font-size:10.0pt'>-decl-undef</span></span>, <span class=
15767 "Flag"><span style=
15768 'font-size:10.0pt'>-export-local</span></span> and
15769 prevents checking of macros in headers without corresponding
15770 <span class="ProgramNameChar">.c</span> files.)</p>
15771 <p class="Heading10">Exports</p>
15773 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15774 height="14" align="left">
15776 <td valign="top" align="left" height="14" style=
15777 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15778 <p class="TextFontCX" align="center" style=
15779 'text-align:center;background:#CCCCCC'><span style=
15780 'font-size:10.0pt'>m:</span><span class=
15781 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15782 <p class="TextFontCX"><span class="Flag"><span style=
15783 'font-size:10.0pt'>export-local</span></span></p>
15784 <p class="IndentText">A declaration is exported but not used
15785 outside this module. (Declaration can use the
15786 <span class="CodeText"><span style=
15787 'font-size: 10.0pt'>static</span></span> qualifier.)</p>
15789 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15790 height="14" align="left">
15792 <td valign="top" align="left" height="14" style=
15793 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15794 <p class="TextFontCX" align="center" style=
15795 'text-align:center;background:#CCCCCC'><span style=
15796 'font-size:10.0pt'>m:</span><span class=
15797 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15798 <p class="TextFontCX"><span class="Flag"><span style=
15799 'font-size:10.0pt'>export-header</span></span></p>
15800 <p class="IndentText">A declaration (other than a variable) is
15801 exported but does not appear in a header file.</p>
15803 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15804 height="14" align="left">
15806 <td valign="top" align="left" height="14" style=
15807 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15808 <p class="TextFontCX" align="center" style=
15809 'text-align:center;background:#CCCCCC'><span style=
15810 'font-size:10.0pt'>m:</span><span class=
15811 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15812 <p class="TextFontCX"><span class="Flag"><span style=
15813 'font-size:10.0pt'>export-header-var</span></span></p>
15814 <p class="IndentText">A variable declaration is exported but does
15815 not appear in a header file.</p>
15816 <p class="Heading10">Unrecognized Identifiers</p>
15818 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15819 height="14" align="left">
15821 <td valign="top" align="left" height="14" style=
15822 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15823 <p class="TextFontCX" align="center" style=
15824 'text-align:center;background:#CCCCCC'><span style=
15825 'font-size:10.0pt'>P:</span> <span class=
15826 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15827 <p class="TextFontCX"><span class="Flag"><span style=
15828 'font-size:10.0pt'>unrecog</span></span></p>
15829 <p class="IndentText">An unrecognized identifier is used.</p>
15831 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15832 height="14" align="left">
15834 <td valign="top" align="left" height="14" style=
15835 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15836 <p class="TextFontCX" align="center" style=
15837 'text-align:center;background:#CCCCCC'><span style=
15838 'font-size:10.0pt'>P:</span> <span class=
15839 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15840 <p class="TextFontCX"><span class="Flag"><span style=
15841 'font-size:10.0pt'>sys-unrecog</span></span></p>
15842 <p class="IndentText">Report unrecognized identifiers that start
15843 with the system prefix, <span class="Keyword"><span style=
15844 'font-size:10.0pt'>__</span></span> (two underscores).</p>
15846 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15847 height="14" align="left">
15849 <td valign="top" align="left" height="14" style=
15850 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15851 <p class="TextFontCX" align="center" style=
15852 'text-align:center;background:#CCCCCC'><span style=
15853 'font-size:10.0pt'>P:</span> <span class=
15854 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
15855 <p class="TextFontCX"><span class="Flag"><span style=
15856 'font-size:10.0pt'>repeat-unrecog</span></span></p>
15857 <p class="IndentText">Report multiple messages for unrecognized
15858 identifiers. If <span class="Flag"><span style=
15859 'font-size:10.0pt'>repeatunrecog</span></span> is not set, an error
15860 is reported only the first time a particular unrecognized
15861 identifier appears in the file.</p>
15862 <p class="Heading10">Multiple Definition and Declarations</p>
15864 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15865 height="14" align="left">
15867 <td valign="top" align="left" height="14" style=
15868 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15869 <p class="TextFontCX" align="center" style=
15870 'text-align:center;background:#CCCCCC'><span style=
15871 'font-size:10.0pt'>P:</span> <span class=
15872 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15873 <p class="TextFontCX"><span class="Flag"><span style=
15874 'font-size:10.0pt'>redef</span></span></p>
15875 <p class="IndentText">A function or variable is defined more than
15878 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15879 height="14" align="left">
15881 <td valign="top" align="left" height="14" style=
15882 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15883 <p class="TextFontCX" align="center" style=
15884 'text-align:center;background:#CCCCCC'><span style=
15885 'font-size:10.0pt'>m:</span><span class=
15886 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15887 <p class="TextFontCX"><span class="Flag"><span style=
15888 'font-size:10.0pt'>redecl</span></span></p>
15889 <p class="IndentText">An identifier is declared more than once.</p>
15891 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15892 height="14" align="left">
15894 <td valign="top" align="left" height="14" style=
15895 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15896 <p class="TextFontCX" align="center" style=
15897 'text-align:center;background:#CCCCCC'><span style=
15898 'font-size:10.0pt'>m:</span><span class=
15899 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15900 <p class="TextFontCX"><span class="Flag"><span style=
15901 'font-size:10.0pt'>nested-extern</span></span></p>
15902 <p class="IndentText">An <span class="Keyword"><span style=
15903 'font-size:10.0pt'>extern</span></span> declaration is used inside
15904 a function body.</p>
15905 <p class="Heading10">ISO Conformance</p>
15907 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15908 height="14" align="left">
15910 <td valign="top" align="left" height="14" style=
15911 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15912 <p class="TextFontCX" align="center" style=
15913 'text-align:center;background:#CCCCCC'><span style=
15914 'font-size:10.0pt'>m:</span><span class=
15915 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15916 <p class="TextFontCX"><span class="Flag"><span style=
15917 'font-size:10.0pt'>noparams</span></span></p>
15918 <p class="IndentText">A function is declared without a parameter
15919 list prototype.</p>
15921 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15922 height="14" align="left">
15924 <td valign="top" align="left" height="14" style=
15925 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15926 <p class="TextFontCX" align="center" style=
15927 'text-align:center;background:#CCCCCC'><span style=
15928 'font-size:10.0pt'>m:</span><span class=
15929 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15930 <p class="TextFontCX"><span class="Flag"><span style=
15931 'font-size:10.0pt'>old-style</span></span></p>
15932 <p class="IndentText">Function definition is in old style
15933 syntax. Standard prototype syntax is preferred.</p>
15935 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15936 height="14" align="left">
15938 <td valign="top" align="left" height="14" style=
15939 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15940 <p class="TextFontCX" align="center" style=
15941 'text-align:center;background:#CCCCCC'><span style=
15942 'font-size:10.0pt'>m:</span><span class=
15943 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15944 <p class="TextFontCX"><span class="Flag"><span style=
15945 'font-size:10.0pt'>exit-arg</span></span></p>
15946 <p class="IndentText">Argument to <span class=
15947 "CodeText"><span style=
15948 'font-size: 10.0pt'>exit</span></span> has implementation
15949 defined behavior. The only valid arguments to
15950 <span class="CodeText"><span style=
15951 'font-size:10.0pt'>exit</span></span> are <span class=
15952 "CodeText"><span style=
15953 'font-size:10.0pt'>EXIT_SUCCESS</span></span>, <span class=
15954 "CodeText"><span style=
15955 'font-size:10.0pt'>EXIT_FAILURE</span></span> and
15956 <span class="CodeText"><span style=
15957 'font-size:10.0pt'>0</span></span>. An error is
15958 reported if Splint can determine statically that the argument
15959 to <span class="CodeText"><span style=
15960 'font-size:10.0pt'>exit</span></span> is not one of
15963 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15964 height="14" align="left">
15966 <td valign="top" align="left" height="14" style=
15967 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15968 <p class="TextFontCX" align="center" style=
15969 'text-align:center;background:#CCCCCC'><span style=
15970 'font-size:10.0pt'>P:</span> <span class=
15971 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15972 <p class="TextFontCX"><span class="Flag"><span style=
15973 'font-size:10.0pt'>use-varargs</span></span></p>
15974 <p class="IndentText">Report if <span class=
15975 "CodeText"><span style='font-size:10.0pt'><varargs.h></span></span>
15976 is used (should use <span class=
15977 "ProgramNameChar"><span style='font-size:10.0pt'>stdarg.h</span></span>).</p>
15978 <p class="Heading10">Limits</p>
15979 <p class="beforelist">The ANSI Standard includes limits on minimum
15980 numbers that a conforming compiler must support. Whether of
15981 not a particular compiler exceeds these limits, it is worth
15982 checking that a program does not exceed them so that other
15983 compilers may safely compile it. In addition, exceeding a
15984 limit may indicate a problem in the code (e.g., it is too complex
15985 if the control nest depth limit is exceeded) that should be fixed
15986 regardless of the compiler. Splint checks the following
15987 limits. For each limit, the maximum value may be set from the
15988 command line (or locally using a stylized comment). The
15989 minimum limits were increased for the ISO C99 specification.
15990 If the <span class="Flag"><span style=
15991 'font-size:10.0pt'>iso99-limits</span></span> flag is used, all
15992 limits are checked with the minimum values of an ISO C99 conforming
15993 compiler. If the <span class="Flag"><span style=
15994 'font-size:10.0pt'>ansi89-limits</span></span> flag is used, all
15995 limits are checked with the minimum values of an ANSI C89
15996 conforming compiler.</p>
15998 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15999 height="14" align="left">
16001 <td valign="top" align="left" height="14" style=
16002 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16003 <p class="TextFontCX" align="center" style=
16004 'text-align:center;background:#CCCCCC'><span style=
16005 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
16006 <p class="TextFontCX"><span class="Flag"><span style=
16007 'font-size:10.0pt'>ansi89-limits</span></span></p>
16008 <p class="IndentText">Check for violations of minimum limits
16009 prescribed by ANSI C89 standard (sets <span class=
16010 "Flag"><span style=
16011 'font-size:10.0pt'>control-nest-depth</span></span>,
16012 <span class="Flag"><span style=
16013 'font-size:10.0pt'>string-literal-len</span></span>,
16014 <span class="Flag"><span style=
16015 'font-size:10.0pt'>include-nest</span></span>, <span class=
16016 "Flag"><span style=
16017 'font-size:10.0pt'>num-struct-fields</span></span>, and
16018 <span class="Flag"><span style=
16019 'font-size:10.0pt'>num-enum-members</span></span>).</p>
16021 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16022 height="14" align="left">
16024 <td valign="top" align="left" height="14" style=
16025 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16026 <p class="TextFontCX" align="center" style=
16027 'text-align:center;background:#CCCCCC'><span style=
16028 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
16029 <p class="TextFontCX"><span class="Flag"><span style=
16030 'font-size:10.0pt'>iso99-limits</span></span></p>
16031 <p class="IndentText">Check for violations of minimum limits
16032 prescribed by ISO C99 standard (sets <span class=
16033 "Flag"><span style=
16034 'font-size:10.0pt'>control-nest-depth</span></span>,
16035 <span class="Flag"><span style=
16036 'font-size:10.0pt'>string-literal-len</span></span>,
16037 <span class="Flag"><span style=
16038 'font-size:10.0pt'>include-nest</span></span>, <span class=
16039 "Flag"><span style=
16040 'font-size:10.0pt'>num-struct-fields</span></span>, and
16041 <span class="Flag"><span style=
16042 'font-size:10.0pt'>num-enum-members</span></span>).</p>
16045 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16046 height="14" align="left">
16048 <td valign="top" align="left" height="14" style=
16049 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16050 <p class="TextFontCX" align="center" style=
16051 'text-align:center;background:#CCCCCC'><span style=
16052 'font-size:10.0pt'>m:</span><span class=
16053 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16054 <p class="TextFontCX"><span class="Flag"><span style=
16055 'font-size:10.0pt'>control-nest-depth</span></span><span class="Flag">
16057 'font-size:10.0pt'> <i><number></i></span></span></p>
16058 <p class="IndentText">Set maximum nesting depth of compound
16059 statements, iteration control structures, and selection control
16060 structures (ISO C99 minimum is 63; ANSI C89 minimum is 15).</p>
16062 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16063 height="14" align="left">
16065 <td valign="top" align="left" height="14" style=
16066 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16067 <p class="TextFontCX" align="center" style=
16068 'text-align:center;background:#CCCCCC'><span style=
16069 'font-size:10.0pt'>m:</span><span class=
16070 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16071 <p class="TextFontCX"><span class="Flag"><span style=
16072 'font-size:10.0pt'>string-literal-len</span></span><span class="Flag">
16074 'font-size:10.0pt'> <i><number></i></span></span></p>
16075 <p class="IndentText">Set maximum length of string literals (ISO
16076 C99 minimum is 4095; ANSI C89 minimum is 509).</p>
16078 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16079 height="14" align="left">
16081 <td valign="top" align="left" height="14" style=
16082 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16083 <p class="TextFontCX" align="center" style=
16084 'text-align:center;background:#CCCCCC'><span style=
16085 'font-size:10.0pt'>m:</span><span class=
16086 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16087 <p class="TextFontCX"><span class="Flag"><span style=
16088 'font-size:10.0pt'>num-struct-fields</span></span><span class="Flag">
16090 'font-size:10.0pt'> <i><number></i></span></span></p>
16091 <p class="IndentText">Set maximum number of fields in a
16092 <span class="CodeText"><span style=
16093 'font-size:10.0pt'>struct</span></span> or <span class=
16094 "CodeText"><span style='font-size:10.0pt'>union</span></span>
16095 (ISO C99 minimum is 1023; ANSI minimum is 127).</p>
16097 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16098 height="14" align="left">
16100 <td valign="top" align="left" height="14" style=
16101 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16102 <p class="TextFontCX" align="center" style=
16103 'text-align:center;background:#CCCCCC'><span style=
16104 'font-size:10.0pt'>m:</span><span class=
16105 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16106 <p class="TextFontCX"><span class="Flag"><span style=
16107 'font-size:10.0pt'>num-enum-members</span></span><span class=
16108 "Flag"><span style=
16109 'font-size:10.0pt'> <i><number></i></span></span></p>
16110 <p class="IndentText">Set maximum number of members of an
16111 <span class="CodeText"><span style=
16112 'font-size:10.0pt'>enum</span></span> type (ISO C99 minimum is
16113 1023; ANSI minimum is 127).</p>
16115 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16116 height="14" align="left">
16118 <td valign="top" align="left" height="14" style=
16119 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16120 <p class="TextFontCX" align="center" style=
16121 'text-align:center;background:#CCCCCC'><span style=
16122 'font-size:10.0pt'>m:</span><span class=
16123 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
16124 <p class="TextFontCX"><span class="Flag"><span style=
16125 'font-size:10.0pt'>include-nest</span></span><span class=
16126 "Flag"><span style=
16127 'font-size:10.0pt'> <i><number></i></span></span></p>
16128 <p class="IndentText">Set maximum number of nested
16129 <span class="CodeText"><span style=
16130 'font-size:10.0pt'>#include</span></span> files (ISO C99
16131 minimum is 63; ANSI minimum is 8).</p>
16132 <p class="Heading10">Header Inclusion <a name=
16133 "_Ref344793948"><span class="TextFontCXChar"><span style=
16134 'font-size:11.0pt; font-weight:normal'>(Section</span></span></a>
16135 <span class="TextFontCXChar"><span style=
16136 'font-size:11.0pt; font-weight:normal'>14.3</span></span><span class="TextFontCXChar">
16138 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
16140 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16141 height="14" align="left">
16143 <td valign="top" align="left" height="14" style=
16144 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16145 <p class="TextFontCX" align="center" style=
16146 'text-align:center;background:#CCCCCC'><span style=
16147 'font-size:10.0pt'>P:</span> <span class=
16148 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16149 <p class="TextFontCX"><span class="Flag"><span style=
16150 'font-size:10.0pt'>skip-ansi-headers</span></span></p>
16151 <p class="IndentText">Prevent inclusion of header files in a system
16152 directory with names that match standard ANSI headers. The
16153 symbolic information in the standard library is used instead.
16154 Flag in effect only if a library that includes the standard library is
16155 used. The ANSI headers are: <span class=
16156 "CodeText"><span style='font-size:10.0pt'>assert</span></span>,
16158 "CodeText"><span style='font-size:10.0pt'>ctype</span></span>,
16159 <span class="CodeText"><span style=
16160 'font-size:10.0pt'>errno</span></span>,
16161 <span class="CodeText"><span style=
16162 'font-size:10.0pt'>float</span></span>,
16164 "CodeText"><span style='font-size:10.0pt'>limits</span></span>,
16165 <span class="CodeText"><span style=
16166 'font-size:10.0pt'>locale</span></span>, <span class=
16167 "CodeText"><span style='font-size:10.0pt'>math</span></span>,
16168 <span class="CodeText"><span style=
16169 'font-size:10.0pt'>setjmp</span></span>, <span class=
16170 "CodeText"><span style='font-size:10.0pt'>signal</span></span>,
16171 <span class="CodeText"><span style=
16172 'font-size:10.0pt'>stdarg</span></span>,
16173 <span class="CodeText"><span style=
16174 'font-size:10.0pt'>stddef</span></span>, <span class=
16175 "CodeText"><span style='font-size:10.0pt'>stdio</span></span>,
16176 <span class="CodeText"><span style=
16177 'font-size:10.0pt'>stdlib</span></span>,
16179 "CodeText"><span style='font-size:10.0pt'>strings</span></span>,
16181 "CodeText"><span style='font-size:10.0pt'>string</span></span>,
16183 "CodeText"><span style='font-size:10.0pt'>time</span></span>,
16184 and <span class="CodeText"><span style=
16185 'font-size:10.0pt'>wchar</span></span>.
16189 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16190 height="14" align="left">
16192 <td valign="top" align="left" height="14" style=
16193 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16194 <p class="TextFontCX" align="center" style=
16195 'text-align:center;background:#CCCCCC'><span style=
16196 'font-size:10.0pt'>P:</span> <span class=
16197 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16198 <p class="TextFontCX"><span class="Flag"><span style=
16199 'font-size:10.0pt'>skip-iso-headers</span></span></p>
16200 <p class="IndentText">Prevent inclusion of header files in a system
16201 directory with names that match standard ISO C99 headers. The
16202 symbolic information in the standard library is used instead.
16203 In effect only if a library that includes the standard library is
16204 used. The ISO C99 headers are: <span class=
16205 "CodeText"><span style='font-size:10.0pt'>assert</span></span>,
16206 <span class="CodeText"><span style=
16207 'font-size:10.0pt'>complex</span></span>, <span class=
16208 "CodeText"><span style='font-size:10.0pt'>ctype</span></span>,
16209 <span class="CodeText"><span style=
16210 'font-size:10.0pt'>errno</span></span>, <span class=
16211 "CodeText"><span style='font-size:10.0pt'>fenv</span></span>,
16212 <span class="CodeText"><span style=
16213 'font-size:10.0pt'>float</span></span>, <span class=
16214 "CodeText"><span style='font-size:10.0pt'>inttypes</span></span>,
16215 <span class="CodeText"><span style=
16216 'font-size:10.0pt'>iso646</span></span>, <span class=
16217 "CodeText"><span style='font-size:10.0pt'>limits</span></span>,
16218 <span class="CodeText"><span style=
16219 'font-size:10.0pt'>locale</span></span>, <span class=
16220 "CodeText"><span style='font-size:10.0pt'>math</span></span>,
16221 <span class="CodeText"><span style=
16222 'font-size:10.0pt'>setjmp</span></span>, <span class=
16223 "CodeText"><span style='font-size:10.0pt'>signal</span></span>,
16224 <span class="CodeText"><span style=
16225 'font-size:10.0pt'>stdarg</span></span>, <span class=
16226 "CodeText"><span style='font-size:10.0pt'>stdbool</span></span>,
16227 <span class="CodeText"><span style=
16228 'font-size:10.0pt'>stddef</span></span>, <span class=
16229 "CodeText"><span style='font-size:10.0pt'>stdio</span></span>,
16230 <span class="CodeText"><span style=
16231 'font-size:10.0pt'>stdlib</span></span>, <span class=
16232 "CodeText"><span style='font-size:10.0pt'>string</span></span>,
16233 <span class="CodeText"><span style=
16234 'font-size:10.0pt'>tgmath</span></span>, <span class=
16235 "CodeText"><span style='font-size:10.0pt'>time</span></span>,
16236 <span class="CodeText"><span style=
16237 'font-size:10.0pt'>wchar</span></span>, and <span class=
16238 "CodeText"><span style='font-size:10.0pt'>wctype</span></span>.</p>
16242 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16243 height="14" align="left">
16245 <td valign="top" align="left" height="14" style=
16246 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16247 <p class="TextFontCX" align="center" style=
16248 'text-align:center;background:#CCCCCC'><span style=
16249 'font-size:10.0pt'>P:</span> <span class=
16250 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16251 <p class="TextFontCX"><span class="Flag"><span style=
16252 'font-size:10.0pt'>skip-posix-headers</span></span></p>
16253 <p class="IndentText">Prevent inclusion of header files in a system
16254 directory with names that match standard POSIX headers. The
16255 symbolic information in the standard library is used instead.
16256 In effect only if a library that includes the POSIX library is
16257 used. The skipped POSIX headers are: <span class=
16258 "CodeText"><span style='font-size:10.0pt'>dirent</span></span>,
16259 <span class="CodeText"><span style=
16260 'font-size:10.0pt'>fcntl</span></span>, <span class=
16261 "CodeText"><span style='font-size:10.0pt'>grp</span></span>,
16262 <span class="CodeText"><span style=
16263 'font-size:10.0pt'>pwd</span></span>, <span class=
16264 "CodeText"><span style='font-size:10.0pt'>termios</span></span>,
16265 <span class="CodeText"><span style=
16266 'font-size:10.0pt'>sys/stat</span></span>, <span class=
16267 "CodeText"><span style='font-size:10.0pt'>sys/times</span></span>,
16268 <span class="CodeText"><span style=
16269 'font-size:10.0pt'>sys/types</span></span>, <span class=
16270 "CodeText"><span style=
16271 'font-size:10.0pt'>sys/utsname</span></span>, <span class=
16272 "CodeText"><span style='font-size:10.0pt'>sys/wait</span></span>,
16273 <span class="CodeText"><span style=
16274 'font-size:10.0pt'>unistd</span></span>, and <span class=
16275 "CodeText"><span style='font-size:10.0pt'>utime</span></span>.</p>
16278 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16279 height="14" align="left">
16281 <td valign="top" align="left" height="14" style=
16282 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16283 <p class="TextFontCX" align="center" style=
16284 'text-align:center;background:#CCCCCC'><span style=
16285 'font-size:10.0pt'>P:</span> <span class=
16286 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16287 <p class="TextFontCX"><span class="Flag"><span style=
16288 'font-size:10.0pt'>warn-posix-headers</span></span></p>
16289 <p class="IndentText">Report use of a POSIX header when checking a
16290 program with a non-POSIX library.</p>
16291 <p class="IndentText"> </p>
16294 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16295 height="14" align="left">
16297 <td valign="top" align="left" height="14" style=
16298 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16299 <p class="TextFontCX" align="center" style=
16300 'text-align:center;background:#CCCCCC'><span style=
16301 'font-size:10.0pt'>P:</span> <span class=
16302 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16303 <p class="TextFontCX"><span class="Flag"><span style=
16304 'font-size:10.0pt'>warn-unix-headers</span></span></p>
16305 <p class="IndentText">
16306 Warn the user that the unix library may not be compatible with all platforms.
16310 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16311 height="14" align="left">
16313 <td valign="top" align="left" height="14" style=
16314 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16315 <p class="TextFontCX" align="center" style=
16316 'text-align:center;background:#CCCCCC'><span style=
16317 'font-size:10.0pt'>P:</span> <span class=
16318 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16319 <p class="TextFontCX"><span class="Flag"><span style=
16320 'font-size:10.0pt'>skip-sys-headers</span></span></p>
16321 <p class="IndentText">Prevent inclusion of all header files in
16322 system directories.</p>
16324 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16325 height="14" align="left">
16327 <td valign="top" align="left" height="14" style=
16328 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16329 <p class="TextFontCX" align="center" style=
16330 'text-align:center;background:#CCCCCC'><span style=
16331 'font-size:10.0pt'>P:</span> <span class=
16332 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16333 <p class="TextFontCX"><span class="Flag"><span style=
16334 'font-size:10.0pt'>sys-dir-expand-macros</span></span></p>
16335 <p class="IndentText">Expand macros in system directories
16336 regardless of other settings, except for macros corresponding to
16337 names defined in a load library.</p>
16339 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16340 height="14" align="left">
16342 <td valign="top" align="left" height="14" style=
16343 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16344 <p class="TextFontCX" align="center" style=
16345 'text-align:center;background:#CCCCCC'><span style=
16346 'font-size:10.0pt'>m:</span><span class=
16347 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16348 <p class="TextFontCX"><span class="Flag"><span style=
16349 'font-size:10.0pt'>sys-dir-errors</span></span></p>
16350 <p class="IndentText">Report errors in files in system directories
16351 (set by <span class="Flag"><span style=
16352 'font-size:10.0pt'>-sys-dirs</span></span>). </p>
16353 <p class="IndentText"><span class="HeadingNote"><span style=
16354 'font-size:10.5pt; font-style:normal'> </span></span></p>
16357 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16358 height="14" align="left">
16360 <td valign="top" align="left" height="14" style=
16361 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16362 <p class="TextFontCX" align="center" style=
16363 'text-align:center;background:#CCCCCC'><span style=
16364 'font-size:10.0pt'>P:</span><span class=
16365 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16366 <p class="TextFontCX"><span class="Flag"><span style=
16367 'font-size:10.0pt'>
16370 <p class="IndentText">
16371 Warn when a system file was listed as a command line file but Splint
16372 is not set to report errors for system files. This prevents accidentally missing warnings
16373 in system files when Splint is run in a system directory.
16377 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16378 height="14" align="left">
16380 <td valign="top" align="left" height="14" style=
16381 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16382 <p class="TextFontCX" align="center" style=
16383 'text-align:center;background:#CCCCCC'><span style=
16384 'font-size:10.0pt'>global:</span> <span class=
16385 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16386 <p class="TextFontCX"><span class="Flag"><span style=
16387 'font-size:10.0pt'>single-include</span></span></p>
16388 <p class="IndentText">Optimize header inclusion to only include
16389 each header file once.</p>
16391 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16392 height="14" align="left">
16394 <td valign="top" align="left" height="14" style=
16395 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16396 <p class="TextFontCX" align="center" style=
16397 'text-align:center;background:#CCCCCC'><span style=
16398 'font-size:10.0pt'>global:</span> <span class=
16399 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16400 <p class="TextFontCX"><span class="Flag"><span style=
16401 'font-size:10.0pt'>never-include</span></span></p>
16402 <p class="IndentText">Use library information instead of including
16404 <p class="Heading10">Comments</p>
16405 <p class="beforelist">These flags control how syntactic comments
16406 are interpreted.</p>
16408 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16409 height="14" align="left">
16411 <td valign="top" align="left" height="14" style=
16412 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16413 <p class="TextFontCX" align="center" style=
16414 'text-align:center;background:#CCCCCC'><span style=
16415 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
16416 'font-size:10.0pt'>@</span></span></p></td></tr></table></div>
16417 <p class="TextFontCX"><span class="Flag"><span style=
16418 'font-size:10.0pt'>comment-char</span></span> <span class=
16419 "Flag"><i><span style=
16420 'font-size:10.0pt'><char></span></i></span></p>
16421 <p class="IndentText">Set the marker character for syntactic
16422 comments. Comments beginning with <span class=
16423 "CodeText"><span style=
16424 'font-size:10.0pt'>/*</span></span><span class=
16425 "Flag"><i><span style=
16426 'font-size:10.0pt'><char></span></i></span> are interpreted
16429 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16430 height="14" align="left">
16432 <td valign="top" align="left" height="14" style=
16433 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16434 <p class="TextFontCX" align="center" style=
16435 'text-align:center;background:#CCCCCC'><span style=
16436 'font-size:10.0pt'>P:</span> <span class=
16437 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16438 <p class="TextFontCX"><span class="Flag"><span style=
16439 'font-size:10.0pt'>noaccess</span></span></p>
16440 <p class="IndentText">Ignore access comments.</p>
16442 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16443 height="14" align="left">
16445 <td valign="top" align="left" height="14" style=
16446 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16447 <p class="TextFontCX" align="center" style=
16448 'text-align:center;background:#CCCCCC'><span style=
16449 'font-size:10.0pt'>P:</span> <span class=
16450 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16451 <p class="TextFontCX"><span class="Flag"><span style=
16452 'font-size:10.0pt'>nocomments</span></span></p>
16453 <p class="IndentText">Ignore all stylized comments.</p>
16455 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16456 height="14" align="left">
16458 <td valign="top" align="left" height="14" style=
16459 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16460 <p class="TextFontCX" align="center" style=
16461 'text-align:center;background:#CCCCCC'><span style=
16462 'font-size:10.0pt'>P:</span> <span class=
16463 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16464 <p class="TextFontCX"><span class="Flag"><span style=
16465 'font-size:10.0pt'>sup-counts</span></span></p>
16466 <p class="IndentText">Actual number of errors does not match number
16467 in <span class="Annot"><span style=
16468 'font-size:10.0pt'>/*@i</span></span><span class=
16469 "Annot"><span style=
16470 'font-size:10.0pt'><n>@*/</span></span></p>
16472 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16473 height="14" align="left">
16475 <td valign="top" align="left" height="14" style=
16476 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16477 <p class="TextFontCX" align="center" style=
16478 'text-align:center;background:#CCCCCC'><span style=
16479 'font-size:10.0pt'>P:</span> <span class=
16480 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16481 <p class="TextFontCX"><span class="Flag"><span style=
16482 'font-size:10.0pt'>lint-comments</span></span></p>
16483 <p class="IndentText">Interpret traditional lint comments
16484 (<span class="CodeText"><span style=
16485 'font-size:10.0pt'>/*FALLTHROUGH*/</span></span>,
16486 <span class="CodeText"><span style=
16487 'font-size:10.0pt'>/*NOTREACHED*/</span></span>, <span class=
16488 "CodeText"><span style=
16489 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span>).</p>
16491 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16492 height="14" align="left">
16494 <td valign="top" align="left" height="14" style=
16495 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16496 <p class="TextFontCX" align="center" style=
16497 'text-align:center;background:#CCCCCC'><span style=
16498 'font-size:10.0pt'>m:</span><span class=
16499 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
16500 <p class="TextFontCX"><span class="Flag"><span style=
16501 'font-size:10.0pt'>warn-lint-comments</span></span></p>
16502 <p class="IndentText">Print a warning and suggest an alternative
16503 when a traditional lint comment is used. </p>
16505 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16506 height="14" align="left">
16508 <td valign="top" align="left" height="14" style=
16509 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16510 <p class="TextFontCX" align="center" style=
16511 'text-align:center;background:#CCCCCC'><span style=
16512 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16513 <p class="TextFontCX"><span class="Flag"><span style=
16514 'font-size:10.0pt'>unrecog-comments</span></span></p>
16515 <p class="IndentText">Stylized comment is unrecognized.</p>
16518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16519 height="14" align="left">
16521 <td valign="top" align="left" height="14" style=
16522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16523 <p class="TextFontCX" align="center" style=
16524 'text-align:center;background:#CCCCCC'><span style=
16525 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16526 <p class="TextFontCX"><span class="Flag"><span style=
16527 'font-size:10.0pt'>annotationerror
16529 <p class="IndentText">
16530 A declaration uses an invalid annotation.
16535 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16536 height="14" align="left">
16538 <td valign="top" align="left" height="14" style=
16539 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16540 <p class="TextFontCX" align="center" style=
16541 'text-align:center;background:#CCCCCC'><span style=
16542 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16543 <p class="TextFontCX"><span class="Flag"><span style=
16544 'font-size:10.0pt'>commenterror
16546 <p class="IndentText">
16547 A syntactic comment is used inconsistently.
16550 <p class="Heading10">Parsing</p>
16552 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16553 height="14" align="left">
16555 <td valign="top" align="left" height="14" style=
16556 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16557 <p class="TextFontCX" align="center" style=
16558 'text-align:center;background:#CCCCCC'><span style=
16559 'font-size:10.0pt'>P:</span> <span class=
16560 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16561 <p class="TextFontCX"><span class="Flag"><span style=
16562 'font-size:10.0pt'>continue-comment</span></span></p>
16563 <p class="IndentText">A line continuation marker
16564 (<span class="CodeText"><span style=
16565 'font-size:10.0pt'>\</span></span>) appears inside a comment
16566 on the same line as the comment close. Preprocessors should
16567 handle this correctly, but it causes problems for some
16570 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16571 height="14" align="left">
16573 <td valign="top" align="left" height="14" style=
16574 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16575 <p class="TextFontCX" align="center" style=
16576 'text-align:center;background:#CCCCCC'><span style=
16577 'font-size:10.0pt'>P:</span> <span class=
16578 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16579 <p class="TextFontCX"><span class="Flag"><span style=
16580 'font-size:10.0pt'>nest-comment</span></span></p>
16581 <p class="IndentText">A comment open sequence (<span class=
16582 "CodeText"><span style='font-size:10.0pt'>/*</span></span>) appears
16583 inside a comment. This usually indicates that an earlier
16584 comment was not closed.</p>
16587 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16588 height="14" align="left">
16590 <td valign="top" align="left" height="14" style=
16591 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16592 <p class="TextFontCX" align="center" style=
16593 'text-align:center;background:#CCCCCC'><span style=
16594 'font-size:10.0pt'>P:</span> <span class=
16595 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16596 <p class="TextFontCX"><span class="Flag"><span style=
16597 'font-size:10.0pt'>slashslashcomment</span></span></p>
16598 <p class="IndentText">A
16600 "CodeText"><span style='font-size:10.0pt'>//</span></span>
16601 comment is used.  ISO C99 allows
16603 "CodeText"><span style='font-size:10.0pt'>//</span></span>
16604 comments, but earlier standards did not.
16608 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16609 height="14" align="left">
16611 <td valign="top" align="left" height="14" style=
16612 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16613 <p class="TextFontCX" align="center" style=
16614 'text-align:center;background:#CCCCCC'><span style=
16615 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16616 <p class="TextFontCX"><span class="Flag"><span style=
16617 'font-size:10.0pt'>duplicate-quals</span></span></p>
16618 <p class="IndentText">Report duplicate type qualifiers (e.g.,
16619 <span class="CodeText"><span style='font-size:10.0pt'>unsigned
16620 unsigned</span></span>).</p>
16622 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16623 height="14" align="left">
16625 <td valign="top" align="left" height="14" style=
16626 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16627 <p class="TextFontCX" align="center" style=
16628 'text-align:center;background:#CCCCCC'><span style=
16629 'font-size:10.0pt'>P:</span> <span class=
16630 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16631 <p class="TextFontCX"><span class="Flag"><span style=
16632 'font-size:10.0pt'>gnu-extensions</span></span></p>
16633 <p class="IndentText">Support some GNU and Microsoft language
16637 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16638 height="14" align="left">
16640 <td valign="top" align="left" height="14" style=
16641 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16642 <p class="TextFontCX" align="center" style=
16643 'text-align:center;background:#CCCCCC'><span style=
16644 'font-size:10.0pt'>P:</span> <span class=
16645 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16646 <p class="TextFontCX"><span class="Flag"><span style=
16647 'font-size:10.0pt'>syntax</span></span></p>
16648 <p class="IndentText">Parse error.</p>
16651 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16652 height="14" align="left">
16654 <td valign="top" align="left" height="14" style=
16655 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16656 <p class="TextFontCX" align="center" style=
16657 'text-align:center;background:#CCCCCC'><span style=
16658 'font-size:10.0pt'>P:</span> <span class=
16659 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16660 <p class="TextFontCX"><span class="Flag"><span style=
16661 'font-size:10.0pt'>try-to-recover</span></span></p>
16662 <p class="IndentText">Try to recover from a parse error. If
16663 <span class="Flag"><span style=
16664 'font-size:10.0pt'>trytorecover</span></span> is not set, Splint
16665 will abort checking after a parse error is detected. If it is
16666 set, Splint will attempt to recover, but Splint does performs only
16667 minimal error recovery. It is likely that trying to recover
16668 after a parse error will lead to an internal assertion failing.</p>
16671 <p class="Heading10">Warn use</p>
16674 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16675 height="14" align="left">
16677 <td valign="top" align="left" height="14" style=
16678 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16679 <p class="TextFontCX" align="center" style=
16680 'text-align:center;background:#CCCCCC'><span style=
16681 'font-size:10.0pt'>m:</span> <span class=
16682 "Keyword"><span style='font-size:10.0pt'>-+++
16683 </span></span></p></td></tr></table></div>
16684 <p class="TextFontCX"><span class="Flag"><span style=
16685 'font-size:10.0pt'>
16688 <p class="IndentText">
16689 Use of function that may lead to buffer overflow.
16693 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16694 height="14" align="left">
16696 <td valign="top" align="left" height="14" style=
16697 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16698 <p class="TextFontCX" align="center" style=
16699 'text-align:center;background:#CCCCCC'><span style=
16700 'font-size:10.0pt'>m:</span> <span class=
16701 "Keyword"><span style='font-size:10.0pt'>++++
16702 </span></span></p></td></tr></table></div>
16703 <p class="TextFontCX"><span class="Flag"><span style=
16704 'font-size:10.0pt'>
16707 <p class="IndentText">
16708 Use of function that may lead to buffer overflow.
16714 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16715 height="14" align="left">
16717 <td valign="top" align="left" height="14" style=
16718 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16719 <p class="TextFontCX" align="center" style=
16720 'text-align:center;background:#CCCCCC'><span style=
16721 'font-size:10.0pt'>m:</span> <span class=
16722 "Keyword"><span style='font-size:10.0pt'>--++
16723 </span></span></p></td></tr></table></div>
16724 <p class="TextFontCX"><span class="Flag"><span style=
16725 'font-size:10.0pt'>
16726 implementationoptional
16728 <p class="IndentText">
16729 Use of a declarator that is implementation optional, not required by ISO99.
16734 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16735 height="14" align="left">
16737 <td valign="top" align="left" height="14" style=
16738 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16739 <p class="TextFontCX" align="center" style=
16740 'text-align:center;background:#CCCCCC'><span style=
16741 'font-size:10.0pt'>m:</span> <span class=
16742 "Keyword"><span style='font-size:10.0pt'>--++
16743 </span></span></p></td></tr></table></div>
16744 <p class="TextFontCX"><span class="Flag"><span style=
16745 'font-size:10.0pt'>
16748 <p class="IndentText">
16749 Non-reentrant function should not be used in multithreaded code.
16753 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16754 height="14" align="left">
16756 <td valign="top" align="left" height="14" style=
16757 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16758 <p class="TextFontCX" align="center" style=
16759 'text-align:center;background:#CCCCCC'><span style=
16760 'font-size:10.0pt'>m:</span> <span class=
16761 "Keyword"><span style='font-size:10.0pt'>--++
16762 </span></span></p></td></tr></table></div>
16763 <p class="TextFontCX"><span class="Flag"><span style=
16764 'font-size:10.0pt'>
16767 <p class="IndentText">
16768 Use of function that may have implementation-dependent behavior.
16773 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16774 height="14" align="left">
16776 <td valign="top" align="left" height="14" style=
16777 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16778 <p class="TextFontCX" align="center" style=
16779 'text-align:center;background:#CCCCCC'><span style=
16780 'font-size:10.0pt'>m:</span> <span class=
16781 "Keyword"><span style='font-size:10.0pt'>--++
16782 </span></span></p></td></tr></table></div>
16783 <p class="TextFontCX"><span class="Flag"><span style=
16784 'font-size:10.0pt'>
16787 <p class="IndentText">
16788 Call to function restricted to superusers.
16793 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16794 height="14" align="left">
16796 <td valign="top" align="left" height="14" style=
16797 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16798 <p class="TextFontCX" align="center" style=
16799 'text-align:center;background:#CCCCCC'><span style=
16800 'font-size:10.0pt'>m:</span> <span class=
16801 "Keyword"><span style='font-size:10.0pt'>---+
16802 </span></span></p></td></tr></table></div>
16803 <p class="TextFontCX"><span class="Flag"><span style=
16804 'font-size:10.0pt'>
16807 <p class="IndentText">
16808 Possible time of check, time of use vulnerability.
16814 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16815 height="14" align="left">
16817 <td valign="top" align="left" height="14" style=
16818 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16819 <p class="TextFontCX" align="center" style=
16820 'text-align:center;background:#CCCCCC'><span style=
16821 'font-size:10.0pt'>m:</span> <span class=
16822 "Keyword"><span style='font-size:10.0pt'>----
16823 </span></span></p></td></tr></table></div>
16824 <p class="TextFontCX"><span class="Flag"><span style=
16825 'font-size:10.0pt'>
16828 <p class="IndentText">
16829 Use of function that need not be provided by UNIX implementations
16832 <p class="Heading10">ITS4 compatibility flags</p>
16836 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16837 height="14" align="left">
16839 <td valign="top" align="left" height="14" style=
16840 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16841 <p class="TextFontCX" align="center" style=
16842 'text-align:center;background:#CCCCCC'><span style=
16843 'font-size:10.0pt'>P:</span> <span class=
16844 "Keyword"><span style='font-size:10.0pt'>-
16845 </span></span></p></td></tr></table></div>
16846 <p class="TextFontCX"><span class="Flag"><span style=
16847 'font-size:10.0pt'>
16850 <p class="IndentText">
16851 Security vulnerability classified as most risky in its4 database.
16855 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16856 height="14" align="left">
16858 <td valign="top" align="left" height="14" style=
16859 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16860 <p class="TextFontCX" align="center" style=
16861 'text-align:center;background:#CCCCCC'><span style=
16862 'font-size:10.0pt'>P:</span> <span class=
16863 "Keyword"><span style='font-size:10.0pt'>-
16864 </span></span></p></td></tr></table></div>
16865 <p class="TextFontCX"><span class="Flag"><span style=
16866 'font-size:10.0pt'>
16869 <p class="IndentText">
16870 Security vulnerability classified as very risky in its4 database.
16875 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16876 height="14" align="left">
16878 <td valign="top" align="left" height="14" style=
16879 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16880 <p class="TextFontCX" align="center" style=
16881 'text-align:center;background:#CCCCCC'><span style=
16882 'font-size:10.0pt'>P:</span> <span class=
16883 "Keyword"><span style='font-size:10.0pt'>-
16884 </span></span></p></td></tr></table></div>
16885 <p class="TextFontCX"><span class="Flag"><span style=
16886 'font-size:10.0pt'>
16889 <p class="IndentText">
16890 Security vulnerability classified as risky in its4 database.
16895 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16896 height="14" align="left">
16898 <td valign="top" align="left" height="14" style=
16899 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16900 <p class="TextFontCX" align="center" style=
16901 'text-align:center;background:#CCCCCC'><span style=
16902 'font-size:10.0pt'>P:</span> <span class=
16903 "Keyword"><span style='font-size:10.0pt'>-
16904 </span></span></p></td></tr></table></div>
16905 <p class="TextFontCX"><span class="Flag"><span style=
16906 'font-size:10.0pt'>
16909 <p class="IndentText">
16910 Security vulnerability classified as moderate risk in its4 database.
16916 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16917 height="14" align="left">
16919 <td valign="top" align="left" height="14" style=
16920 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16921 <p class="TextFontCX" align="center" style=
16922 'text-align:center;background:#CCCCCC'><span style=
16923 'font-size:10.0pt'>P:</span> <span class=
16924 "Keyword"><span style='font-size:10.0pt'>-
16925 </span></span></p></td></tr></table></div>
16926 <p class="TextFontCX"><span class="Flag"><span style=
16927 'font-size:10.0pt'>
16930 <p class="IndentText">
16931 Security vulnerability classified as risky in its4 database.
16934 <p class="Heading10">Debug flags</p>
16937 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16938 height="14" align="left">
16940 <td valign="top" align="left" height="14" style=
16941 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16942 <p class="TextFontCX" align="center" style=
16943 'text-align:center;background:#CCCCCC'><span style=
16944 'font-size:10.0pt'>P:</span> <span class=
16945 "Keyword"><span style='font-size:10.0pt'>3
16946 </span></span></p></td></tr></table></div>
16947 <p class="TextFontCX"><span class="Flag"><span style=
16948 'font-size:10.0pt'>
16951 <p class="IndentText">
16952 Set maximum number of bugs detected before giving up.
16957 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16958 height="14" align="left">
16960 <td valign="top" align="left" height="14" style=
16961 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16962 <p class="TextFontCX" align="center" style=
16963 'text-align:center;background:#CCCCCC'><span style=
16964 'font-size:10.0pt'>m:</span> <span class=
16965 "Keyword"><span style='font-size:10.0pt'>----
16966 </span></span></p></td></tr></table></div>
16967 <p class="TextFontCX"><span class="Flag"><span style=
16968 'font-size:10.0pt'>
16971 <p class="IndentText">
16972 Perform buffer overflow checking even if the errors would be surpressed.
16978 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16979 height="14" align="left">
16981 <td valign="top" align="left" height="14" style=
16982 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16983 <p class="TextFontCX" align="center" style=
16984 'text-align:center;background:#CCCCCC'><span style=
16985 'font-size:10.0pt'>P:</span> <span class=
16986 "Keyword"><span style='font-size:10.0pt'>-
16987 </span></span></p></td></tr></table></div>
16988 <p class="TextFontCX"><span class="Flag"><span style=
16989 'font-size:10.0pt'>
16992 <p class="IndentText">
16993 Debug parsing. Prints bison generated debuging information.
16999 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17000 height="14" align="left">
17002 <td valign="top" align="left" height="14" style=
17003 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17004 <p class="TextFontCX" align="center" style=
17005 'text-align:center;background:#CCCCCC'><span style=
17006 'font-size:10.0pt'>P:</span> <span class=
17007 "Keyword"><span style='font-size:10.0pt'>-
17008 </span></span></p></td></tr></table></div>
17009 <p class="TextFontCX"><span class="Flag"><span style=
17010 'font-size:10.0pt'>
17013 <p class="IndentText">
17014 Do not delete temporary files.
17019 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17020 height="14" align="left">
17022 <td valign="top" align="left" height="14" style=
17023 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17024 <p class="TextFontCX" align="center" style=
17025 'text-align:center;background:#CCCCCC'><span style=
17026 'font-size:10.0pt'>P:</span> <span class=
17027 "Keyword"><span style='font-size:10.0pt'>-
17028 </span></span></p></td></tr></table></div>
17029 <p class="TextFontCX"><span class="Flag"><span style=
17030 'font-size:10.0pt'>
17033 <p class="IndentText">
17034 Do not pre-process input files.
17039 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17040 height="14" align="left">
17042 <td valign="top" align="left" height="14" style=
17043 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17044 <p class="TextFontCX" align="center" style=
17045 'text-align:center;background:#CCCCCC'><span style=
17046 'font-size:10.0pt'>P:</span> <span class=
17047 "Keyword"><span style='font-size:10.0pt'>-
17048 </span></span></p></td></tr></table></div>
17049 <p class="TextFontCX"><span class="Flag"><span style=
17050 'font-size:10.0pt'>
17053 <p class="IndentText">
17054 Display the source code location where a warning is produced.
17060 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
17061 <a name="_Toc534975062"></a><a name="_Ref348845752">Appendix
17063 'font:7.0pt "Times New Roman"'> </span>
17064 <a id="annotations" name="annotations">
17065 Annotations</a></a></p>
17066 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17067 <a name="_Toc534975063"></a><a name="_Ref348010146">Suppressin</a>g
17069 <p class="beforelist">Several annotations are provided for
17070 suppressing messages. In general, it is usually better to use
17071 specific flags to suppress a particular error permanently, but the
17072 general error suppression flags may be more convenient for quickly
17073 suppressing messages for code that will be corrected or documented
17075 <p class="TextFontCX"><span class="Flag"><span style=
17076 'font-size:10.0pt'>ignore</span></span></p>
17077 <p class="TextFontCX"><span class="Flag"><span style=
17078 'font-size:10.0pt'>end</span></span></p>
17079 <p class="IndentText">No errors will be reported in code regions
17080 between <span class="Annot"><span style=
17081 'font-size:10.0pt'>/*@ignore@*/</span></span> and
17082 <span class="Annot"><span style=
17083 'font-size:10.0pt'>/*@end@*/</span></span>. These
17084 comments can be used to easily suppress an unlimited number
17085 of messages, but are dangerous since if real errors are
17086 introduced in the <span class="Flag"><span style=
17087 'font-size:10.0pt'>ignore</span></span>…<span class=
17088 "Flag"><span style='font-size:10.0pt'>end</span></span>
17089 region they will not be reported. The <span class=
17090 "Annot"><span style='font-size:10.0pt'>ignore</span></span>
17091 and <span class="Annot"><span style=
17092 'font-size:10.0pt'>end</span></span> comments must be matched
17093 — a warning is printed if the file ends in an ignore
17094 region or if <span class="Flag"><span style=
17095 'font-size:10.0pt'>ignore</span></span> is used inside ignore
17097 <p class="TextFontCX"><span class="Flag"><span style=
17098 'font-size:10.0pt'>i</span></span></p>
17099 <p class="IndentText">No errors will be reported from an
17100 <span class="Annot"><span style=
17101 'font-size:10.0pt'>/*@i@*/</span></span> comment to the end of the
17103 <p class="TextFontCX"><span class="Flag"><span style=
17104 'font-size:10.0pt'>i</span></span><span class=
17105 "Flag"><span style='font-size:10.0pt'><i><n></i></span></span></p>
17106 <p class="IndentText">No errors will be reported from an
17107 <span class="Annot"><span style=
17108 'font-size:10.0pt'>/*@i<i><n></i>@*/</span></span> (e.g.,
17109 <span class="Annot"><span style=
17110 'font-size:10.0pt'>/*@i3@*/</span></span>) comment to the end of
17111 the line. If there are not exactly <i>n</i> errors suppressed
17112 from the comment point to the end of the line, Splint will report
17113 an error. This is more robust than <span class=
17114 "Annot"><span style='font-size:10.0pt'>i</span></span> or
17115 <span class="Annot"><span style=
17116 'font-size:10.0pt'>ignore</span></span> since a message is
17117 generated if the expected number errors is not present. Since
17118 errors are not necessarily detected until after this file is
17119 processed (for example, and unused variable error), suppress count
17120 errors are reported after all files have been processed. The
17121 <span class="Flag"><span style=
17122 'font-size: 10.0pt'>‑supcounts</span></span> flag may be used
17123 to suppress these errors. This is useful when a system if
17124 being rechecked with different flag settings.</p>
17125 <p class="TextFontCX"><span class="Annot"><span style=
17126 'font-size:10.0pt'>t</span></span></p>
17127 <p class="TextFontCX"><span class="Flag"><span style=
17128 'font-size:10.0pt'>t<i><n></i></span></span></p>
17129 <p class="IndentText">Like <span class="Annot"><span style=
17130 'font-size:10.0pt'>i</span></span> and <span class=
17131 "Annot"><span style=
17132 'font-size:10.0pt'>i<i><n></i></span></span>, except
17133 controlled by <span class="Flag"><span style=
17134 'font-size:10.0pt'>+tmpcomments</span></span> flag. These can
17135 be used to temporarily suppress certain errors. Then,
17136 <span class="Flag"><span style=
17137 'font-size:10.0pt'>-tmpcomments</span></span> can be set to find
17139 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
17140 <a name="_Toc534975064">Syntactic Annotations</a></p>
17141 <p class="TextFontCX">The grammar below is the C syntax from
17142 [K&R,A13] modified to show the syntax of syntactic
17143 comments. Only productions effected by Splint annotations are
17144 shown. In the annotations, the <span class=
17145 "Annot"><span style='font-size:10.0pt'>@</span></span> represents
17146 the comment marker char, set by <span class=
17147 "Flag"><span style='font-size:10.0pt'>-commentchar</span></span> (default
17148 is <span class="Annot"><span style=
17149 'font-size:10.0pt'>@</span></span>).</p>
17150 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17151 <a name="_Toc534975065">Functions</a></p>
17152 <p class="TextFontCX"><i>direct-declarator</i> <span style=
17153 'font-family:Symbol'>Þ</span></p>
17154 <p class="TextFontCX" style='text-indent:.5in'><i>
17155 direct-declarator</i> <span class="Annot"><span style=
17156 'font-size:10.0pt'>(</span></span><i>parameter-type-list<sub>opt</sub></i>
17157 <span class="Annot"><span style='font-size: 10.0pt'>)</span></span>
17158 <i>stateClause*<sub>opt</sub> globals<sub>opt</sub>
17159 modifies<sub>opt</sub></i></p>
17160 <p class="TextFontCX" style='text-indent:.5in'><i>|
17161 direct-declarator</i> <span class="Annot"><span style=
17162 'font-size:10.0pt'>(</span></span><i>identifier-list<sub>opt</sub></i>
17163 <span class="Annot"><span style='font-size: 10.0pt'>)</span></span>
17164 <i>stateClause*<sub>opt</sub> globals<sub>opt</sub>
17165 modifies<sub>opt</sub></i></p>
17166 <p class="TextFontCX"><i> </i></p>
17167 <p class="TextFontCX"><i>stateClause</i> <span style=
17168 'font-family:Symbol'>Þ</span> <span class=
17169 "Annot"><span style='font-size:10.0pt'>/*@</span></span> (
17170 <span class="Annot"><span style=
17171 'font-size:10.0pt'>uses</span></span> <i>|</i> <span class=
17172 "Annot"><span style='font-size:10.0pt'>sets</span></span>
17173 <i>|</i> <span class="Annot"><span style=
17174 'font-size:10.0pt'>defines</span></span> <i>|</i>
17175 <span class="Annot"><span style=
17176 'font-size:10.0pt'>allocates</span></span> <i>|</i>
17177 <span class="Annot"><span style=
17178 'font-size:10.0pt'>releases</span></span>)
17179 <i>reference,<sup>+</sup></i> <span class=
17180 "Annot"><span style='font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17181 <span class="Annot"><span style=
17182 'font-size:10.0pt'>@*/</span></span></p>
17183 <p class="TextFontCX" align="right" style='text-align: right'>
17184 <i>
17185 |</i> <span class="Annot"><span style=
17186 'font-size:10.0pt'>/*@</span></span> ( <span class=
17187 "Annot"><span style='font-size:10.0pt'>ensures</span></span> |
17188 <span class="Annot"><span style=
17189 'font-size:10.0pt'>requires</span></span> ) <i>stateTag</i>
17190 <i>reference,<sup>+</sup></i> <span class=
17191 "Annot"><span style='font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17192 <span class="Annot"><span style=
17193 'font-size:10.0pt'>@*/ </span></span>
17195 <p class="TextFontCX"><i> </i></p>
17196 <p class="TextFontCX"><i>stateTag</i> <span style=
17197 'font-family:Symbol'>Þ</span> <span class=
17198 "Annot"><span style='font-size: 10.0pt'>only</span></span>
17199 <i>|</i> <span class="Annot"><span style=
17200 'font-size: 10.0pt'>shared</span></span> <i>|</i>
17201 <span class="Annot"><span style=
17202 'font-size: 10.0pt'>owned</span></span> <i>|</i> <span class=
17203 "Annot"><span style=
17204 'font-size: 10.0pt'>dependent</span></span> <i>|</i>
17205 <span class="Annot"><span style=
17206 'font-size:10.0pt'>observer</span></span> <i>|</i>
17207 <span class="Annot"><span style=
17208 'font-size:10.0pt'>exposed</span></span> <i>|</i>
17209 <span class="Annot"><span style=
17210 'font-size:10.0pt'>isnull</span></span> <i>|</i> <span class=
17211 "Annot"><span style=
17212 'font-size:10.0pt'>notnull</span></span></p>
17213 <p class="TextFontCX" align="right" style=
17214 'text-align: right;text-indent:.5in'><i> |
17215 identifier </i>
17216 (Annotation defined by metastate definition, Section 10)</p>
17217 <p class="TextFontCX" style='text-indent:.5in'>
17218 <i> </i></p>
17219 <p class="TextFontCX"><i>globals</i> <span style=
17220 'font-family:Symbol'>Þ</span> <span class=
17221 "Annot"><span style='font-size: 10.0pt'>/*@globals</span></span>
17222 <i>globitem,<sup>+</sup></i> <span class="Annot"><span style=
17223 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17224 <span class="Annot"><span style=
17225 'font-size:10.0pt'>@*/</span></span> <i>|</i> <span class=
17226 "Annot"><span style=
17227 'font-size:10.0pt'>/*@globals</span></span><i>declaration-list<sub>opt </sub></i>
17228 <span class="Annot"><span style=
17229 'font-size: 10.0pt'>;</span></span><i><sub>opt</sub></i><span class="Annot">
17230 <span style='font-size:10.0pt'>@*/</span></span><span class=
17231 "Keyword"><span style='font-size:10.0pt'> </span></span></p>
17232 <p class="TextFontCX"><i>globitem</i> <span style=
17233 'font-family:Symbol'>Þ</span> [ ( <span class=
17234 "Annot"><span style='font-size:10.0pt'>undef</span></span> |
17235 <span class="Annot"><span style=
17236 'font-size:10.0pt'>killed</span></span> )* ] <span class=
17237 "Keyword"><i><sub><span style=
17238 'font-size:10.5pt;font-family:"Times New Roman"'> </span></sub></i></span><i>
17239 identifier | </i> <span class="Annot"><span style=
17240 'font-size:10.0pt'>internalState</span></span><i>| </i>
17241 <span class="Annot"><span style=
17242 'font-size:10.0pt'>fileSystem</span></span></p>
17243 <p class="TextFontCX"><i> </i></p>
17244 <p class="TextFontCX"><i>modifies</i> <span style=
17245 'font-family:Symbol'>Þ</span> <span class=
17246 "Annot"><span style='font-size:10.0pt'>/*@modifies</span></span>
17247 (<span class="Annot"><span style=
17248 'font-size:10.0pt'>nothing</span></span> <i>|</i>
17249 (<i>expression</i> | <span class="Annot"><span style=
17250 'font-size:10.0pt'>internalState</span></span> | <span class=
17251 "Annot"><span style=
17252 'font-size:10.0pt'>fileSystem</span></span>)<i><sup>+</sup></i><span class="Annot">
17254 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>)
17255 <span class="Annot"><span style=
17256 'font-size:10.0pt'>@*/</span></span><span class=
17257 "Keyword"><span style=
17258 'font-size:10.0pt'> </span></span></p>
17259 <p class="TextFontCX" align="right" style='text-align: right'>
17260 <span class="Keyword"><span style=
17261 'font-size:10.0pt'> </span></span> <i>|</i>
17262 <span class="Annot"><span style=
17263 'font-size:10.0pt'>/*@*/</span></span><span class=
17264 "Keyword"><span style='font-size:10.0pt'>
17265
17266 </span></span>(Abbreviation for
17267 no globals and modifies nothing.)</p>
17268 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17269 <a name="_Toc534975066">Iterators</a> <span class=
17270 "TextFontCXChar"><span style=
17271 'font-size:11.0pt; font-weight:normal'>(Section
17272 11.4)</span></span></p>
17273 <p class="beforelist">The globals and modifies clauses for an
17274 iterator are the same as those for a function, except they are not
17275 enclosed by a comment, since the iterator is already a comment.</p>
17276 <p class="TextFontCX"><i>direct-declarator</i></p>
17277 <p class="TextFontCX" style='text-indent:.5in'><span style=
17278 'font-family:Symbol'>Þ</span> <span class=
17279 "Annot"><span style='font-size: 10.0pt'>/*@iter</span></span>
17280 <i>identifier</i> <span class="Annot"><span style=
17281 'font-size:10.0pt'>(</span></span><i>parameter-type-list<sub>opt</sub></i>
17282 <span class="Annot"><span style=
17283 'font-size:10.0pt'>)</span></span>
17284 <i>iterGlobals<sub>opt</sub> iterModifies<sub>opt</sub></i>
17285 <span class="Annot"><span style=
17286 'font-size:10.0pt'>@*/</span></span></p>
17287 <p class="TextFontCX"><i> </i></p>
17288 <p class="TextFontCX"><i>iter-globals</i> <span style=
17289 'font-family:Symbol'>Þ</span> <span class=
17290 "Annot"><span style='font-size: 10.0pt'>globals</span></span>
17291 <i>declaration-list<sub>opt</sub></i> <span class=
17292 "Annot"><span style=
17293 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i></p>
17294 <p class="TextFontCX"><i>iter-modifies</i> <span style=
17295 'font-family:Symbol'>Þ</span> <span class=
17296 "Annot"><span style='font-size: 10.0pt'>modifies</span></span><i>
17297 moditem,+</i><span class="Annot"><span style=
17298 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i><i>|</i>
17299 <span class="Annot"><span style=
17300 'font-size:10.0pt'> modifies
17301 nothing</span></span><span class="Annot"><span style=
17302 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i></p>
17303 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17304 <a name="_Toc534975067">Constants</a> <span class=
17305 "TextFontCXChar"><span style=
17306 'font-size:11.0pt; font-weight:normal'>(Section
17307 11.1)</span></span></p>
17308 <p class="TextFontCX"><i>external-declaration</i>
17309 <span style='font-family:Symbol'>Þ</span> <span class=
17310 "Annot"><span style=
17311 'font-size: 10.0pt'>/*@constant</span></span> <i>declaration
17312 <sub> </sub></i><span class="Annot"><span style=
17313 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i><span class="Annot">
17314 <span style='font-size:10.0pt'>@*/</span></span></p>
17315 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17316 <a name="_Toc534975068"></a><a name="_Ref344807420">Alternate
17317 Types</a> <span class="TextFontCXChar"><span style=
17318 'font-size:11.0pt; font-weight:normal'>(Section
17319 4.4)</span></span></p>
17320 <p class="beforelist">Alternate types may be used in the type
17321 specification of parameters and return values.</p>
17322 <p class="TextFontCX" align="left" style='text-align: left'>
17323 <i>extended-type</i><span style='font-family:Symbol'>Þ</span>
17324 <i>type-specifier alt-type <sub>opt</sub></i></p>
17325 <p class="TextFontCX"><i>alt-type</i> <span style=
17326 'font-family:Symbol'>Þ</span> <span class=
17327 "Annot"><span style='font-size: 10.0pt'>/*@alt</span></span>
17328 <i>basic-type,<sup>+</sup></i> <span class=
17329 "Annot"><span style='font-size:10.0pt'>@*/</span></span></p>
17330 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17331 <a name="_Toc534975069">Declarator Annotations</a></p>
17332 <p class="TextFontCX">General annotations appear after
17333 <i>storage-class-specifier</i>s and before
17334 <i>type-specifier</i>s. Multiple annotations may be used in
17335 any order. Here, annotations are without the surrounding
17336 comment. In a declaration, the annotation would be surrounded
17337 by <span class="Annot"><span style=
17338 'font-size:10.0pt'>/*@</span></span> and <span class=
17339 "Annot"><span style='font-size:10.0pt'>@*/</span></span>. In
17340 a globals or modifies clause or iterator or constant declaration,
17341 no surrounding comments would be used since they are within a
17343 <p class="Heading10" align="left" style='text-align:left'>Type
17344 Definitions <span class="TextFontCXChar"><span style=
17345 'font-size:11.0pt; font-weight:normal'>(Section
17346 4.3)</span></span></p>
17347 <p class="beforelist">A type definition may use any either
17348 <span class="Annot"><span style=
17349 'font-size:10.0pt'>abstract</span></span> or <span class=
17350 "Annot"><span style='font-size:10.0pt'>concrete</span></span>,
17351 either <span class="Annot"><span style=
17352 'font-size:10.0pt'>mutable</span></span> or <span class=
17353 "Annot"><span style='font-size:10.0pt'>immutable</span></span>, and
17354 <span class="Annot"><span style=
17355 'font-size:10.0pt'>refcounted</span></span>. Only a pointer
17356 to a <span class="Annot"><span style=
17357 'font-size:10.0pt'>struct</span></span> may be declared with
17358 <span class="Annot"><span style=
17359 'font-size:10.0pt'>refcounted</span></span>. Mutability
17360 annotations may not be used with concrete types since concrete
17361 types inherit their mutability from the actual type.</p>
17362 <p class="TextFontCX"><span class="Annot"><span style=
17363 'font-size:10.0pt'>abstract</span></span></p>
17364 <p class="MsoNormal" style='margin-left:13.5pt'>Type is abstraction
17365 (representation is hidden from clients.)</p>
17366 <p class="TextFontCX"><span class="Annot"><span style=
17367 'font-size:10.0pt'>concrete</span></span></p>
17368 <p class="MsoNormal" style='margin-left:13.5pt'>Type is concrete
17369 (representation is visible to clients.)</p>
17370 <p class="TextFontCX"><span class="Annot"><span style=
17371 'font-size:10.0pt'>immutable</span></span></p>
17372 <p class="MsoNormal" style='margin-left:13.5pt'>Instances of the
17373 type cannot change value.</p>
17374 <p class="TextFontCX"><span class="Annot"><span style=
17375 'font-size:10.0pt'>mutable</span></span></p>
17376 <p class="MsoNormal" style='margin-left:13.5pt'>Instances of the
17377 type can change value.</p>
17378 <p class="TextFontCX"><span class="Annot"><span style=
17379 'font-size:10.0pt'>refcounted</span></span></p>
17380 <p class="IndentText">Reference counted (Section 5.4).</p>
17381 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17382 <a name="_Toc534975070">Type Access</a></p>
17383 <p class="TextFontCX">Control comments may also be used to override
17384 type access settings.</p>
17385 <p class="TextFontCX"><span class="Annot"><span style=
17386 'font-size:10.0pt'> </span></span></p>
17387 <p class="TextFontCX"><span class="Annot"><span style=
17388 'font-size:10.0pt'>/*@access
17389 <i><type></i>,<sup>+</sup>@*/</span></span><span class=
17390 "Annot"><span style='font-size:10.0pt'> </span></span></p>
17391 <p class="IndentText">Allows the following code to access the
17392 representation of <span class="Annot"><i><span style=
17393 'font-size:10.0pt'><type></span></i></span>. Type
17394 access applies from the point of the comment to the end of the file
17395 or the next access control comment for this type.</p>
17396 <p class="TextFontCX"><span class="Annot"><span style=
17397 'font-size:10.0pt'>/*@noaccess</span></span> <span class=
17398 "Annot"><span style=
17399 'font-size:10.0pt'><i><type></i>,<sup>+</sup>@*/</span></span></p>
17400 <p class="IndentText">Restricts access to the representation of
17401 <span class="Annot"><i><span style=
17402 'font-size:10.0pt'><type></span></i></span>. The type
17403 in a <span class="Annot"><span style=
17404 'font-size:10.0pt'>noaccess</span></span> comment must have been
17405 declared as an abstract type. </p>
17406 <p class="Heading10">Global Variables <span class=
17407 "HeadingNote"><span style=
17408 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17409 <span class="HeadingNote"><span style=
17410 'font-size:10.5pt;font-weight:normal;font-style: normal'>7.2</span></span><span class="HeadingNote">
17412 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17413 <p class="beforelist">One check annotation may be used on a global
17414 or file-static variable declaration.</p>
17415 <p class="TextFontCX"><span class="Annot"><span style=
17416 'font-size:10.0pt'>unchecked</span></span></p>
17417 <p class="IndentText"><span class="Annot"><span style=
17418 'font-size:10.0pt;font-family: "Times New Roman"'>Weakest checking
17419 for global use.</span></span></p>
17420 <p class="TextFontCX"><span class="Annot"><span style=
17421 'font-size:10.0pt'>checkmod</span></span></p>
17422 <p class="IndentText"><span class="Annot"><span style=
17423 'font-size:10.0pt;font-family: "Times New Roman"'>Check
17424 modification by not use of global.</span></span></p>
17425 <p class="TextFontCX"><span class="Annot"><span style=
17426 'font-size:10.0pt'>checked</span></span></p>
17427 <p class="IndentText"><span class="Annot"><span style=
17428 'font-size:10.0pt;font-family: "Times New Roman"'>Check use and
17429 modification of global.</span></span></p>
17430 <p class="TextFontCX"><span class="Annot"><span style=
17431 'font-size:10.0pt'>checkedstrict</span></span></p>
17432 <p class="IndentText"><span class="Annot"><span style=
17433 'font-size:10.0pt;font-family: "Times New Roman"'>Check use of
17434 global, even in functions with no global list.</span></span></p>
17435 <p class="Heading10">Memory Management <span class=
17436 "HeadingNote"><span style=
17437 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17438 <span class="HeadingNote"><span style=
17439 'font-size:10.5pt;font-weight:normal;font-style: normal'>3</span></span><span class="HeadingNote">
17441 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17442 <p class="TextFontCX"><span class="Annot"><span style=
17443 'font-size:10.0pt'>dependent</span></span></p>
17444 <p class="IndentText"><span class="Annot"><span style=
17445 'font-size:10.0pt;font-family: "Times New Roman"'>A reference to
17446 externally-owned storage. (Section</span></span>
17447 <span class="Annot"><span style=
17448 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.2</span></span><span class="Annot">
17450 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17451 <p class="TextFontCX"><span class="Annot"><span style=
17452 'font-size:10.0pt'>keep</span></span></p>
17453 <p class="IndentText"><span class="Annot"><span style=
17454 'font-size:10.0pt;font-family: "Times New Roman"'>A parameter that
17455 is kept by the called function. The caller may use the
17456 storage after the call, but the called function is responsible for
17457 making sure it is deallocated. (Section</span></span>
17458 <span class="Annot"><span style=
17459 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.4</span></span><span class="Annot">
17461 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17462 <p class="TextFontCX"><span class="Annot"><span style=
17463 'font-size:10.0pt'>killref</span></span></p>
17464 <p class="IndentText">A <span class="Annot"><span style=
17465 'font-size:10.0pt'>refcounted</span></span> parameter. This
17466 reference is killed by the call. (Section 5.4)</p>
17467 <p class="TextFontCX"><span class="Annot"><span style=
17468 'font-size:10.0pt'>only</span></span></p>
17469 <p class="IndentText"><span class="Annot"><span style=
17470 'font-size:10.0pt;font-family: "Times New Roman"'>An unshared
17471 reference. Associated memory must be released before
17472 reference is lost.
17473 (Section </span></span><span class="Annot"><span style=
17474 'font-size:10.0pt;font-family:"Times New Roman"'>5.2</span></span><span class="Annot">
17476 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17477 <p class="TextFontCX"><span class="Annot"><span style=
17478 'font-size:10.0pt'>owned</span></span></p>
17479 <p class="IndentText"><span class="Annot"><span style=
17480 'font-size:10.0pt;font-family: "Times New Roman"'>Storage may be
17481 shared by dependent references, but associated memory must be
17482 released before this reference is lost.
17483 (Section</span></span> <span class="Annot"><span style=
17484 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.2</span></span><span class="Annot">
17486 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17487 <p class="TextFontCX"><span class="Annot"><span style=
17488 'font-size:10.0pt'>shared</span></span></p>
17489 <p class="IndentText"><span class="Annot"><span style=
17490 'font-size:10.0pt;font-family: "Times New Roman"'>Shared reference
17491 that is never deallocated. (Section</span></span>
17492 <span class="Annot"><span style=
17493 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.5</span></span><span class="Annot">
17495 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17496 <p class="TextFontCX"><span class="Annot"><span style=
17497 'font-size:10.0pt'>temp</span></span></p>
17498 <p class="IndentText">A temporary parameter. May not be
17499 released, and new aliases to it may not be created. (Section
17501 <p class="Heading10">Aliasing <span class=
17502 "HeadingNote"><span style=
17503 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17504 <span class="HeadingNote"><span style=
17505 'font-size:10.5pt;font-weight:normal;font-style: normal'>6</span></span><span class="HeadingNote">
17507 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17508 <p class="beforelist">Both alias annotations may be used on a
17509 parameter declaration.</p>
17510 <p class="TextFontCX"><span class="Annot"><span style=
17511 'font-size:10.0pt'>unique</span></span></p>
17512 <p class="IndentText"><span class="Annot"><span style=
17513 'font-size:10.0pt;font-family: "Times New Roman"'>Parameter that
17514 may not be aliased by any other reference visible to the function.
17515 (Section </span></span><span class="Annot"><span style=
17516 'font-size:10.0pt;font-family:"Times New Roman"'>6.1.1</span></span><span class="Annot">
17518 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17519 <p class="TextFontCX"><span class="Annot"><span style=
17520 'font-size:10.0pt'>returned</span></span></p>
17521 <p class="IndentText"><span class="Annot"><span style=
17522 'font-size:10.0pt;font-family: "Times New Roman"'>Parameter that
17523 may be aliased by the return value. (Section</span></span>
17524 <span class="Annot"><span style=
17525 'font-size:10.0pt;font-family:"Times New Roman"'>6.1.2</span></span><span class="Annot">
17527 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17528 <p class="Heading10">Exposure <span class=
17529 "HeadingNote"><span style=
17530 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17531 <span class="HeadingNote"><span style=
17532 'font-size:10.5pt;font-weight:normal;font-style: normal'>6.2</span></span><span class="HeadingNote">
17534 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17535 <p class="TextFontCX"><span class="Annot"><span style=
17536 'font-size:10.0pt'>observer</span></span></p>
17537 <p class="IndentText"><span class="Annot"><span style=
17538 'font-size:10.0pt;font-family: "Times New Roman"'>Reference that
17539 cannot be modified. (Section</span></span> <span class=
17540 "Annot"><span style=
17541 'font-size:10.0pt;font-family:"Times New Roman"'>6.2.1</span></span><span class="Annot">
17543 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17544 <p class="TextFontCX"><span class="Annot"><span style=
17545 'font-size:10.0pt'>exposed</span></span></p>
17546 <p class="IndentText"><span class="Annot"><span style=
17547 'font-size:10.0pt;font-family: "Times New Roman"'>Exposed reference
17548 to storage in another object. (Section</span></span>
17549 <span class="Annot"><span style=
17550 'font-size:10.0pt;font-family:"Times New Roman"'>6.2</span></span><span class="Annot">
17552 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17553 <p class="Heading10">Definition State <span class=
17554 "HeadingNote"><span style=
17555 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17556 <span class="HeadingNote"><span style=
17557 'font-size:10.5pt;font-weight:normal;font-style: normal'>3</span></span><span class="HeadingNote">
17559 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17560 <p class="TextFontCX"><span class="Annot"><span style=
17561 'font-size:10.0pt'>out</span></span></p>
17562 <p class="IndentText"><span class="Annot"><span style=
17563 'font-size:10.0pt;font-family: "Times New Roman"'>Storage reachable
17564 from reference need not be defined.</span></span></p>
17565 <p class="TextFontCX"><span class="Annot"><span style=
17566 'font-size:10.0pt'>in</span></span></p>
17567 <p class="IndentText"><span class="Annot"><span style=
17568 'font-size:10.0pt;font-family: "Times New Roman"'>All storage
17569 reachable from reference must be defined.</span></span></p>
17570 <p class="TextFontCX"><span class="Annot"><span style=
17571 'font-size:10.0pt'>partial</span></span></p>
17572 <p class="IndentText"><span class="Annot"><span style=
17573 'font-size:10.0pt;font-family: "Times New Roman"'>Partially
17574 defined. A structure may have undefined fields. No
17575 errors reported when fields are used.</span></span></p>
17576 <p class="TextFontCX"><span class="Annot"><span style=
17577 'font-size:10.0pt'>reldef</span></span></p>
17578 <p class="IndentText"><span class="Annot"><span style=
17579 'font-size:10.0pt;font-family: "Times New Roman"'>Relax definition
17580 checking. No errors when reference is not defined, or when it
17581 is used.</span></span></p>
17582 <p class="Heading10">Global State <span class=
17583 "TextFontCXChar"><span style=
17584 'font-size:11.0pt; font-weight:normal'>(Section
17585 7.2.2)</span></span></p>
17586 <p class="TextFontCX">These annotations may only be used in globals
17587 lists. Both annotations may be used for the same variable, to
17588 mean the variable is undefined before and after the call.</p>
17589 <p class="TextFontCX"> </p>
17590 <p class="TextFontCX"><span class="Annot"><span style=
17591 'font-size:10.0pt'>undef</span></span></p>
17592 <p class="IndentText"><span class="Annot"><span style=
17593 'font-size:10.0pt;font-family: "Times New Roman"'>Variable is
17594 undefined before the call.</span></span></p>
17595 <p class="TextFontCX"><span class="Annot"><span style=
17596 'font-size:10.0pt'>killed</span></span></p>
17597 <p class="IndentText"><span class="Annot"><span style=
17598 'font-size:10.0pt;font-family: "Times New Roman"'>Variable is
17599 undefined after the call.</span></span></p>
17600 <p class="Heading10">Null State <span class=
17601 "HeadingNote"><span style=
17602 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17603 <span class="HeadingNote"><span style=
17604 'font-size:10.5pt;font-weight:normal;font-style: normal'>2</span></span><span class="HeadingNote">
17606 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17607 <p class="TextFontCX"><span class="Annot"><span style=
17608 'font-size:10.0pt'>null</span></span></p>
17609 <p class="IndentText"><span class="Annot"><span style=
17610 'font-size:10.0pt;font-family: "Times New Roman"'>Possibly null
17611 pointer.</span></span></p>
17612 <p class="TextFontCX"><span class="Annot"><span style=
17613 'font-size:10.0pt'>notnull</span></span><span class=
17614 "Annot"><span style=
17615 'font-size:10.0pt'> </span></span></p>
17616 <p class="IndentText"><span class="Annot"><span style=
17617 'font-size:10.0pt;font-family: "Times New Roman"'>Non-null
17618 pointer.</span></span></p>
17619 <p class="TextFontCX"><span class="Annot"><span style=
17620 'font-size:10.0pt'>relnull</span></span></p>
17621 <p class="IndentText"><span class="Annot"><span style=
17622 'font-size:10.0pt;font-family: "Times New Roman"'>Relax null
17623 checking. No errors when</span></span> <span class=
17624 "CodeText"><span style=
17625 'font-size:10.0pt'>NULL</span></span><span class=
17626 "Annot"><span style=
17627 'font-size:10.0pt;font-family:"Times New Roman"'>is assigned to it,
17628 or when it is used as a non-null pointer.</span></span></p>
17629 <p class="Heading10">Null Predicates <span class=
17630 "HeadingNote"><span style=
17631 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17632 <span class="HeadingNote"><span style=
17633 'font-size:10.5pt;font-weight:normal;font-style: normal'>2.1.1</span></span><span class="HeadingNote">
17635 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17636 <p class="beforelist">A null predicate annotation may be used of
17637 the return value of a function returning a Boolean type, taking a
17638 possibly-null pointer for its first argument.</p>
17639 <p class="TextFontCX"><span class="Annot"><span style=
17640 'font-size:10.0pt'>nullwhentrue</span></span></p>
17641 <p class="IndentText"><span class="Annot"><span style=
17642 'font-size:10.0pt;font-family: "Times New Roman"'>If result is
17643 true, first parameter is</span></span> <span class=
17644 "CodeText"><span style=
17645 'font-size:10.0pt'>NULL</span></span><span class=
17646 "Annot"><span style=
17647 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17648 <p class="TextFontCX"><span class="Annot"><span style=
17649 'font-size:10.0pt'>falsewhennull</span></span></p>
17650 <p class="IndentText"><span class="Annot"><span style=
17651 'font-size:10.0pt;font-family: "Times New Roman"'>If result
17652 is</span></span> <span class="CodeText"><span style=
17653 'font-size:10.0pt'>TRUE</span></span><span class=
17654 "Annot"><span style=
17655 'font-size:10.0pt;font-family:"Times New Roman"'>, first parameter
17656 is not</span></span> <span class="CodeText"><span style=
17657 'font-size:10.0pt'>NULL</span></span><span class=
17658 "Annot"><span style=
17659 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17660 <p class="Heading10">Execution <span class=
17661 "HeadingNote"><span style=
17662 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17663 <span class="HeadingNote"><span style=
17664 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.1</span></span><span class="HeadingNote">
17666 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17667 <p class="beforelist">The <span class="Annot"><span style=
17668 'font-size:10.0pt'>noreturn</span></span>, <span class=
17669 "Annot"><span style='font-size:10.0pt'>maynotreturn</span></span>
17670 and <span class="Annot"><span style=
17671 'font-size:10.0pt'>alwaysreturn</span></span> annotations may be
17672 used on any function. The <span class=
17673 "Annot"><span style='font-size:10.0pt'>noreturnwhentrue</span></span>
17674 and <span class="Annot"><span style=
17675 'font-size:10.0pt'>noreturnwhenfalse</span></span>
17676 annotations may only be used on functions whose first
17677 argument is a Boolean. </p>
17678 <p class="TextFontCX"><span class="Annot"><span style=
17679 'font-size:10.0pt'>noreturn</span></span><span class=
17680 "Annot"><span style=
17681 'font-size:10.0pt'> </span></span></p>
17682 <p class="IndentText"><span class="Annot"><span style=
17683 'font-size:10.0pt;font-family: "Times New Roman"'>Function never
17684 returns.</span></span></p>
17685 <p class="TextFontCX"><span class="Annot"><span style=
17686 'font-size:10.0pt'>maynotreturn</span></span></p>
17687 <p class="IndentText"><span class="Annot"><span style=
17688 'font-size:10.0pt;font-family: "Times New Roman"'>Function may or
17689 may not return.</span></span></p>
17690 <p class="TextFontCX"><span class="Annot"><span style=
17691 'font-size:10.0pt'>noreturnwhentrue</span></span></p>
17692 <p class="IndentText"><span class="Annot"><span style=
17693 'font-size:10.0pt;font-family: "Times New Roman"'>Function does not
17694 return if first parameter is</span></span> <span class=
17695 "Keyword"><span style=
17696 'font-size:10.0pt'>TRUE</span></span><span class=
17697 "Annot"><span style=
17698 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17699 <p class="TextFontCX"><span class="Annot"><span style=
17700 'font-size:10.0pt'>noreturnwhenfalse</span></span></p>
17701 <p class="IndentText"><span class="Annot"><span style=
17702 'font-size:10.0pt;font-family: "Times New Roman"'>Function does not
17703 return if first parameter if</span></span> <span class=
17704 "Keyword"><span style=
17705 'font-size:10.0pt'>FALSE</span></span><span class=
17706 "Annot"><span style=
17707 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17708 <p class="TextFontCX"><span class="Annot"><span style=
17709 'font-size:10.0pt'>alwaysreturn</span></span></p>
17710 <p class="IndentText"><span class="Annot"><span style=
17711 'font-size:10.0pt;font-family: "Times New Roman"'>Function always
17712 returns.</span></span></p>
17713 <p class="Heading10">Side Effects <span style=
17714 'font-size:10.5pt;font-weight: normal'>(Section 11.2.1)</span></p>
17715 <p class="TextFontCX"><span class="Annot"><span style=
17716 'font-size:10.0pt'>sef</span></span></p>
17717 <p class="IndentText"><span class="Annot"><span style=
17718 'font-size:10.0pt;font-family:"Times New Roman"'>Corresponding
17719 actual parameter has no side effects.</span></span></p>
17720 <p class="Heading10">Declarations</p>
17721 <p class="beforelist">These annotations can be used on a
17722 declaration to control unused or undefined error reporting.</p>
17723 <p class="TextFontCX"><span class="Annot"><span style=
17724 'font-size:10.0pt'>unused</span></span></p>
17725 <p class="IndentText"><span class="Annot"><span style=
17726 'font-size:10.0pt;font-family: "Times New Roman"'>Identifier need
17727 not be used (no unused errors reported.)
17728 (Section</span></span> <span class="Annot"><span style=
17729 'font-size:10.0pt;font-family:"Times New Roman"'>13.1</span></span><span class="Annot">
17731 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17732 <p class="TextFontCX"><span class="Annot"><span style=
17733 'font-size:10.0pt'>external</span></span></p>
17734 <p class="IndentText"><span class="Annot"><span style=
17735 'font-size:10.0pt;font-family: "Times New Roman"'>Identifier is
17736 defined externally (no undefined error reported.)
17737 (Section</span></span> <span class="Annot"><span style=
17738 'font-size:10.0pt;font-family:"Times New Roman"'>13.2</span></span><span class="Annot">
17740 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17741 <p class="Heading10">Switch Statements</p>
17742 <p class="TextFontCX"><span class="Annot"><span style=
17743 'font-size:10.0pt'>fallthrough</span></span></p>
17744 <p class="IndentText"><span class="Annot"><span style=
17745 'font-size:10.0pt;font-family:"Times New Roman"'>Fall through
17746 case. No message is reported if the previous case may fall
17747 through into the one immediately after the</span></span>
17748 <span class="Annot"><span style=
17749 'font-size:10.0pt'>fallthrough</span></span><span class=
17750 "Annot"><span style=
17751 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17752 <p class="Heading10">Break and Continue Statements
17753 <span class="TextFontCXChar"><span style=
17754 'font-size:11.0pt; font-weight:normal'>(Section
17755 8.3.3)</span></span></p>
17756 <p class="beforelist">These annotations are used before a
17757 <span class="CodeText"><span style=
17758 'font-size:10.0pt'>break</span></span> or <span class=
17759 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
17761 <p class="TextFontCX"><span class="Annot"><span style=
17762 'font-size:10.0pt'>innerbreak</span></span></p>
17763 <p class="IndentText"><span class="Annot"><span style=
17764 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17765 an inner loop or switch.</span></span></p>
17766 <p class="TextFontCX"><span class="Annot"><span style=
17767 'font-size:10.0pt'>loopbreak</span></span></p>
17768 <p class="IndentText"><span class="Annot"><span style=
17769 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17770 a loop.</span></span></p>
17771 <p class="TextFontCX"><span class="Annot"><span style=
17772 'font-size:10.0pt'>switchbreak</span></span></p>
17773 <p class="IndentText"><span class="Annot"><span style=
17774 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17775 a switch.</span></span></p>
17776 <p class="TextFontCX"><span class="Annot"><span style=
17777 'font-size:10.0pt'>innercontinue</span></span><span class=
17778 "Annot"><span style=
17779 'font-size:10.0pt'><i> </i></span></span></p>
17780 <p class="IndentText"><span class="Annot"><span style=
17781 'font-size:10.0pt;font-family: "Times New Roman"'>Continue is
17782 continuing an inner loop.</span></span></p>
17783 <p class="Heading10">Unreachable Code</p>
17784 <p class="beforelist">This annotation is used before a statement to
17785 prevent unreachable code errors.</p>
17786 <p class="TextFontCX"><span class="Annot"><span style=
17787 'font-size:10.0pt'>notreached</span></span></p>
17788 <p class="IndentText"><span class="Annot"><span style=
17789 'font-size:10.0pt;font-family: "Times New Roman"'>Statement may be
17790 unreachable.</span></span></p>
17791 <p class="Heading10">Format String Arguments </p>
17792 <p class="beforelist">These annotations are used immediately before
17793 a function declaration.</p>
17794 <p class="TextFontCX"><span class="Annot"><span style=
17795 'font-size:10.0pt'>printflike</span></span></p>
17796 <p class="IndentText"><span class="Annot"><span style=
17797 'font-size:10.0pt;font-family: "Times New Roman"'>Check variable
17798 arguments like</span></span> <span class=
17799 "CodeText"><span style='font-size:10.0pt'>printf</span></span><span class="Annot">
17801 'font-size:10.0pt;font-family:"Times New Roman"'>library
17802 function. </span></span></p>
17803 <p class="TextFontCX"><span class="Annot"><span style=
17804 'font-size:10.0pt'>scanflike</span></span></p>
17805 <p class="IndentText"><span class="Annot"><span style=
17806 'font-size:10.0pt;font-family: "Times New Roman"'>Check variable
17807 arguments like</span></span> <span class=
17808 "CodeText"><span style='font-size:10.0pt'>scanf</span></span><a name="_Toc344355453">
17809 </a><a name="_Ref343091002"></a><a name=
17810 "_Ref343065628"><span class="Annot"><span style=
17811 'font-size:10.0pt;font-family:"Times New Roman"'>library
17812 function.</span></span></a></p>
17813 <p class="Heading10"><a name="_Ref348789839">Use Warnings</a></p>
17814 <p class="beforelist">These annotations are used immediately before
17815 a function, variable or type declaration.</p>
17816 <p class="TextFontCX"><span class="Annot"><span style=
17817 'font-size:10.0pt'>warn <i><flag-specifier></i>
17818 <i><message></i></span></span></p>
17819 <p class="IndentText">Issue a warning (controlled by
17820 <span class="Flag"><span style=
17821 'font-size:10.0pt'>flag-specifier</span></span>) where this
17822 declarator is used.</p>
17823 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17824 <a name="_Toc534975071">Macro Expansion</a></p>
17825 <p class="TextFontCX"><a href=
17826 "mailto:/*@notfunction@*/"><span class="Annot"><span style=
17827 'font-size:10.0pt'>/*@notfunction@*/</span></span></a></p>
17828 <p class="IndentText">The next macro definition is not intended to
17829 be a function, and should be expanded in line instead of checked as
17830 a macro function definition.</p>
17831 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17832 <a name="_Toc534975072">Arbitrary Integral Types</a></p>
17833 <p class="TextFontCX">These annotations are used to represent
17834 arbitrary integral types. Syntactically, they replace the
17835 implicit <span class="Flag"><span style=
17836 'font-size:10.0pt'>int</span></span> type.</p>
17837 <p class="TextFontCX"> </p>
17838 <p class="TextFontCX"><span class="Annot"><span style=
17839 'font-size:10.0pt'>/*@integraltype@*/</span></span></p>
17840 <p class="IndentText">An arbitrary integral type. The actual
17841 type may be any one of <span class="CodeText"><span style=
17842 'font-size:10.0pt'>short</span></span>, <span class=
17843 "CodeText"><span style='font-size:10.0pt'>int</span></span>,
17844 <span class="CodeText"><span style=
17845 'font-size:10.0pt'>long</span></span>, <span class=
17846 "CodeText"><span style='font-size:10.0pt'>unsigned
17847 short</span></span>, <span class="CodeText"><span style=
17848 'font-size:10.0pt'>unsigned</span></span>, or <span class=
17849 "CodeText"><span style='font-size:10.0pt'>unsigned
17850 long</span></span>.</p>
17851 <p class="TextFontCX"><span class="Annot"><span style=
17852 'font-size:10.0pt'>/*@unsignedintegraltype@*/</span></span></p>
17853 <p class="IndentText">An arbitrary unsigned integral type.
17854 The actual type may be any one of <span class=
17855 "CodeText"><span style='font-size:10.0pt'>unsigned
17856 short</span></span>, <span class="CodeText"><span style=
17857 'font-size:10.0pt'>unsigned</span></span>, or <span class=
17858 "CodeText"><span style='font-size:10.0pt'>unsigned
17859 long</span></span>.</p>
17860 <p class="TextFontCX"><span class="Annot"><span style=
17861 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span></p>
17862 <p class="IndentText">An arbitrary signed integral type. The
17863 actual type may be any one of <span class=
17864 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
17865 <span class="CodeText"><span style=
17866 'font-size:10.0pt'>int</span></span>, or <span class=
17867 "CodeText"><span style=
17868 'font-size:10.0pt'>long</span></span>.</p>
17869 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17870 <a name="_Toc534975073"></a><a name="_Ref347471625">Traditional
17871 Lint Comments</a></p>
17872 <p class="TextFontCX">Some of the control comments supported by
17873 most standard UNIX lints are supported by Splint so legacy systems
17874 can be checked more easily. These comments are not lexically
17875 consistent with Splint comments, and their meanings are less
17876 precise (and may vary between different lint programs), so we
17877 recommend that Splint comments are used instead except for checking
17878 legacy systems already containing standard lint comments.</p>
17879 <p class="TextFontCX"> </p>
17880 <p class="beforelist">These standard lint comments supported by
17882 <p class="TextFontCX"><span class="Annot"><span style=
17883 'font-size:10.0pt'>/*FALLTHROUGH*/</span></span> (alternate
17884 misspelling, <span class="Annot"><span style=
17885 'font-size:10.0pt'>/*FALLTHRU*/</span></span>)</p>
17886 <p class="IndentText">Prevents errors for fall through cases.
17887 Same meaning as <span class="Annot"><span style=
17888 'font-size:10.0pt'>/*@fallthrough@*/</span></span>.</p>
17889 <p class="MsoListBullet"><span class="Annot"><span style=
17890 'font-size:10.0pt'>/*NOTREACHED*/</span></span></p>
17891 <p class="IndentText">Prevents errors about unreachable code (until
17892 the end of the function). Same meaning as <span class=
17893 "Annot"><span style=
17894 'font-size:10.0pt'>/*@notreached@*/</span></span>. </p>
17895 <p class="MsoListBullet"><span class="Annot"><span style=
17896 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span></p>
17897 <p class="indentbefore">Arguments similar to the <span class=
17898 "CodeText"><span style='font-size:10.0pt'>printf</span></span>
17899 library function (there didn’t seem to be much of a consensus
17900 among standard lints as to exactly what this means). Splint
17902 <p class="IndentText"><span class="Annot"><span style=
17903 'font-size:10.0pt'>/*@printflike@*/</span></span></p>
17904 <p class="IndentText" style='margin-left:.5in'>Function takes zero
17905 or more arguments of any type, an unmodified <span class=
17906 "CodeText"><span style='font-size:10.0pt'>char *</span></span>
17907 format string argument and zero of more arguments of type and
17908 number dictated by the format string. Format codes are
17909 interpreted identically to the <span class=
17910 "CodeText"><span style='font-size:10.0pt'>printf</span></span>
17911 standard library function. May return a result of any
17912 type. (Splint interprets <span class=
17913 "Annot"><span style=
17914 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span> as
17915 <span class="Annot"><span style=
17916 'font-size:10.0pt'>/*@printflike@*/</span></span>.)</p>
17917 <p class="IndentText"><span class="Annot"><span style=
17918 'font-size:10.0pt'>/*@scanflike@*/</span></span></p>
17919 <p class="IndentText" style='margin-left:.5in'>Like
17920 <span class="Annot"><span style=
17921 'font-size:10.0pt'>printflike</span></span>, except format
17922 codes are interpreted as in the <span class=
17923 "CodeText"><span style='font-size:10.0pt'>scanf</span></span>
17924 library function.</p>
17925 <p class="IndentText"> </p>
17926 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
17927 <span class="Annot"><span style=
17928 'font-size:10.0pt'>/*ARGSUSED*/</span></span></p>
17929 <p class="IndentText">Turns off unused parameter messages for this
17930 function. The control comment, <span class=
17931 "Annot"><span style=
17932 'font-size:10.0pt'>/*@‑paramuse</span></span><span class="Annot">
17933 <span style='font-size:10.0pt'>@*/</span></span> can be used to the
17934 same effect, or <span class="Annot"><span style=
17935 'font-size:10.0pt'>/*@unused@*/</span></span> can be used in
17936 individual parameter declarations.</p>
17937 <p class="IndentText"> </p>
17938 <p class="TextFontCX">Splint will ignore standard lint comments if
17939 <span class="Flag"><span style=
17940 'font-size:10.0pt'>-lint-comments</span></span> is used. If
17941 <span class="Flag"><span style=
17942 'font-size:10.0pt'>+warn-lint-comments</span></span> is used,
17943 Splint generates a message for standard lint comments and suggest
17944 replacements<a name="_Ref348801565">.</a></p>
17945 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
17946 <a name="_Toc534975074">Metastate Definitions</a></p>
17947 <p class="TextFontCX">The grammar for <span class=
17948 "ProgramNameChar">.mts</span> files is shown below.</p>
17949 <p class="MsoNormal"> </p>
17950 <p class="TextFontCX" align="left" style=
17951 'margin-left: .25in;text-align:left'><i><span lang=
17952 "FR">metastate</span></i> <span lang="FR"> </span>
17953 <span style='font-family:Symbol'>Þ</span> <span lang=
17954 "FR">[</span> <span class="Annot"><span style=
17955 'font-size:10.0pt'>global</span></span> <span lang="FR">]</span>
17956 <span class="Annot"><span style=
17957 'font-size:10.0pt'>attribute</span></span> <i><span lang=
17958 "FR">identifier clause*</span></i> <span class=
17959 "Annot"><span style='font-size: 10.0pt'>end</span></span></p>
17960 <p class="TextFontCX" align="left" style=
17961 'margin-left: .25in;text-align:left'><i><span lang=
17962 "FR">clause</span></i> <span lang=
17963 "FR"> </span> <span style=
17964 'font-family:Symbol'>Þ</span> <i><span lang=
17965 "FR">contextClause</span></i> <span lang="FR">| <i>valuesClause</i>
17966 | <i>defaultClause | defaultsClause</i></span></p>
17967 <p class="TextFontCX" align="left" style=
17968 'margin-left: .75in;text-align:left;text-indent:.25in'>
17969 <i><span lang="FR"> </span></i>
17970 <span lang="FR">| <i>annotationsClause</i> | <i>mergeClause |
17971 transfersClause | loserefClause</i></span></p>
17972 <p class="TextFontCX" align="left" style=
17973 'margin-left: 1.25in;text-align:left'><i><span lang="FR">|
17974 preconditionsClause | postconditionsClause</span></i></p>
17975 <p class="TextFontCX" align="left" style=
17976 'margin-left: .25in;text-align:left'><i><span lang=
17977 "FR">contextClause</span></i><span style=
17978 'font-family:Symbol'>Þ</span> <span class=
17979 "Annot"><span style='font-size: 10.0pt'>context</span></span>
17980 <i><span lang="FR">contextSelector</span></i></p>
17981 <p class="TextFontCX" align="left" style=
17982 'margin-left: .25in;text-align:left'><i><span lang=
17983 "FR">contextSelector</span></i> <span style=
17984 'font-family:Symbol'>Þ</span> <span lang="FR">(</span>
17985 <span class="Annot"><span style=
17986 'font-size:10.0pt'>parameter</span></span> <span lang="FR">|</span>
17987 <span class="Annot"><span style=
17988 'font-size:10.0pt'>reference</span></span> <span lang="FR">|</span>
17989 <span class="Annot"><span style=
17990 'font-size:10.0pt'>result</span></span> <span lang="FR">|</span>
17991 <span class="Annot"><span style=
17992 'font-size:10.0pt'>clause</span></span> <span lang="FR">|</span>
17993 <span class="Annot"><span style=
17994 'font-size:10.0pt'>literal</span></span> <span lang="FR">|</span>
17995 <span class="Annot"><span style=
17996 'font-size:10.0pt'>null</span></span> <span lang="FR">) [
17997 <i>type</i> ]</span></p>
17998 <p class="TextFontCX" align="left" style=
17999 'margin-left: .25in;text-align:left'><i><span lang=
18000 "FR">valuesClause</span></i><span style=
18001 'font-family:Symbol'>Þ</span> <span class=
18002 "Annot"><span style='font-size: 10.0pt'>oneof</span></span>
18003 <i>valueChoice</i>,*</p>
18004 <p class="TextFontCX" align="left" style=
18005 'margin-left: .25in;text-align:left'> </p>
18006 <p class="TextFontCX" align="left" style=
18007 'margin-left: .25in;text-align:left'><i><span lang=
18008 "FR">defaultClause</span></i> <span style=
18009 'font-family:Symbol'>Þ</span> <span class=
18010 "Annot"><span style='font-size: 10.0pt'>default</span></span>
18011 <i>valueChoide</i></p>
18012 <p class="TextFontCX" align="left" style=
18013 'margin-left: .25in;text-align:left'><i><span lang=
18014 "FR">defaultsClause</span></i><span style=
18015 'font-family:Symbol'>Þ</span> <span class=
18016 "Annot"><span style='font-size: 10.0pt'>defaults</span></span>
18017 <span lang="FR">( <i>contextSelector</i></span> <span class=
18018 "Annot"><span style='font-size:10.0pt'>==></span></span>
18019 <i>valueChoice</i> <span lang="FR">)*</span></p>
18020 <p class="TextFontCX" align="left" style=
18021 'margin-left: .25in;text-align:left'><i><span lang=
18022 "FR"> </span></i></p>
18023 <p class="TextFontCX" align="left" style=
18024 'margin-left: .25in;text-align:left'><i><span lang=
18025 "FR">annotationsClause</span></i><span style=
18026 'font-family:Symbol'>Þ</span> <span class=
18027 "Annot"><span style='font-size: 10.0pt'>annotations</span></span>
18028 ( <i>identifier</i> [ <i><span lang=
18029 "FR">contextSelector</span></i> <span lang="FR">]</span>
18030 <span class="Annot"><span style=
18031 'font-size: 10.0pt'>==></span></span> <i>valueChoice</i>
18032 )<i><span lang="FR">*</span></i></p>
18033 <p class="TextFontCX" align="left" style=
18034 'margin-left: .25in;text-align:left'><i><span lang=
18035 "FR"> </span></i></p>
18036 <p class="TextFontCX" align="left" style=
18037 'margin-left: .25in;text-align:left'><i><span lang=
18038 "FR">mergeClause</span></i><span style=
18039 'font-family:Symbol'>Þ</span> <span class=
18040 "Annot"><span style='font-size: 10.0pt'>merge</span></span> (
18041 <i>mergeItem</i> <span class="Annot"><span style=
18042 'font-size:10.0pt'>+</span></span> <i>mergeItem</i>
18043 <span class="Annot"><span style=
18044 'font-size:10.0pt'>==></span></span> <i>transferAction</i>
18045 )<i><span lang="FR">*</span></i></p>
18046 <p class="TextFontCX" align="left" style=
18047 'margin-left: .25in;text-align:left'><i><span lang=
18048 "FR">mergeItem</span></i><span style=
18049 'font-family:Symbol'>Þ</span> <i>valueChoice |</i>
18050 <span class="Annot"><span style=
18051 'font-size:10.0pt'>*</span></span></p>
18052 <p class="TextFontCX" align="left" style=
18053 'margin-left: .25in;text-align:left'><i><span lang=
18054 "FR"> </span></i></p>
18055 <p class="TextFontCX" align="left" style=
18056 'margin-left: .25in;text-align:left'><i><span lang=
18057 "FR">transfersClause</span></i><span style=
18058 'font-family:Symbol'>Þ</span> <span class=
18059 "Annot"><span style='font-size: 10.0pt'>transfers</span></span>
18060 ( <i>valueChoice</i> <span class="Annot"><span style=
18061 'font-size:10.0pt'>as</span></span>
18062 <i>valueChoice</i><span class="Annot"><span style=
18063 'font-size:10.0pt'>==></span></span> <i>transferAction</i>
18064 )<i><span lang="FR">*</span></i></p>
18065 <p class="TextFontCX" align="left" style=
18066 'margin-left: .25in;text-align:left'><i><span lang=
18067 "FR">loserefClause</span></i><span style=
18068 'font-family:Symbol'>Þ</span> <span class=
18069 "Annot"><span style='font-size: 10.0pt'>losereference</span></span>
18070 ( <i>valueChoice</i> <span class="Annot"><span style=
18071 'font-size:10.0pt'>==></span></span> <i>errorAction</i>
18072 )<i><span lang="FR">*</span></i></p>
18073 <p class="TextFontCX" align="left" style=
18074 'margin-left: .25in;text-align:left'><i><span lang=
18075 "FR"> </span></i></p>
18076 <p class="TextFontCX" align="left" style=
18077 'margin-left: .25in;text-align:left'><i><span lang=
18078 "FR">transferAction</span></i><span style=
18079 'font-family:Symbol'>Þ</span> <i>valueChoice |
18080 errorAction</i></p>
18081 <p class="TextFontCX" align="left" style=
18082 'margin-left: .25in;text-align:left'>
18083 <i>errorAction</i><span style='font-family:Symbol'>Þ</span>
18084 <span class="Annot"><span style=
18085 'font-size:10.0pt'>error</span></span> [ <i>stringLiteral</i>
18087 <p class="TextFontCX" align="left" style=
18088 'margin-left: .25in;text-align:left'><i><span lang=
18089 "FR"> </span></i></p>
18090 <p class="TextFontCX" align="left" style=
18091 'margin-left: .25in;text-align:left'><i><span lang=
18092 "FR">valueChoice</span></i><span style=
18093 'font-family:Symbol'>Þ</span>
18094 <i>identifier</i> </p>
18095 <p class="TextFontCX"> </p>
18096 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
18097 <a name="_Toc534975075"></a><a name="_Ref397875216"></a><a name=
18098 "_Ref350066976"></a><a name="_Ref348788300">Appendix
18099 D<span style='font:7.0pt "Times New Roman"'> </span>
18100 <a id="specifications" name="specifications">
18104 <p class="TextFontCX">Another way of providing more information
18105 about programs is to use formal specifications. Although this
18106 document has largely ignored specifications, Splint was originally
18107 designed to use the information in LCL specifications instead of
18108 source-code annotations. This document focuses on annotations
18109 since it takes less effort to add annotations to source code than
18110 to maintain an additional specification file. Annotations can
18111 express everything that can be expressed in LCL specifications that
18112 is relevant to Splint checking. However, LCL specifications
18113 can provide more precise documentation on program interfaces than
18114 is possible with Splint annotations. This appendix (extracted
18115 from [Evans94]) is a very brief introduction to LCL
18116 Specifications. For more information, consult
18117 [GH93]. </p>
18118 <p class="TextFontCX"> </p>
18119 <p class="TextFontCX">The Larch family of languages is a two-tiered
18120 approach to formal specification. A specification is built using
18121 two languages — the <i>Larch Shared Language</i> (LSL), which
18122 is independent of the implementation language, and a <i>Larch
18123 Interface Language</i> designed for the specific implementation
18124 language. An LSL specification defines <i>sorts</i>,
18125 analogous to abstract types in a programming language, and
18126 <i>operators</i>, analogous to procedures. It expresses the
18127 underlying semantics of an abstraction.</p>
18128 <p class="TextFontCX"> </p>
18129 <p class="TextFontCX">The interface language specifies an interface
18130 to an abstraction in a particular programming language. It
18131 captures the details of the interface needed by a client using the
18132 abstraction and places constraints on both correct implementations
18133 and uses of the module. The semantics of the interface are
18134 described using primitives and sorts and operators defined in LSL
18135 specifications. Interface languages have been designed for
18136 several programming languages.</p>
18137 <p class="TextFontCX"> </p>
18138 <p class="TextFontCX">LCL [GH93, Tan95] is a Larch interface
18139 language for Standard C. LCL uses a C-like syntax.
18140 Traditionally, a C module <span class=
18141 "Keyword"><i><span style='font-size:10.0pt;font-family:Arial; color:windowtext'>
18142 M</span></i></span> consists of a source file, <span class=
18143 "Keyword"><i><span style=
18144 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18146 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>,
18147 and a header file, <span class="Keyword"><i><span style=
18148 'font-size:10.0pt; font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18150 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
18151 The header file contains prototype declarations for functions,
18152 variables and constants exported by <span class=
18153 "Keyword"><i><span style=
18154 'font-size:10.0pt; font-family:Arial;color:windowtext'>M</span></i></span>,
18155 as well as those macro definitions that implement exported
18156 functions or constants, and definitions of exported types. When
18157 using LCL, a module includes two additional files —
18158 <span class="Keyword"><i><span style=
18159 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18161 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>,
18162 a formal specification of <span class=
18163 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18164 M</span></i></span>, and <span class=
18165 "Keyword"><i><span style='font-size:10.0pt;font-family:Arial;color:windowtext'>
18166 M</span></i></span><span class="Keyword"><span style=
18167 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>,
18168 which is derived by Splint (if the <span class=
18169 "Flag"><span style='font-size:10.0pt'>lh</span></span> flag
18170 is on) from <span class="Keyword"><i><span style=
18171 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18173 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>.
18174 Clients use <span class="Keyword"><i><span style=
18175 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18177 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18178 for documentation, and should not need to look at any
18179 implementation file. The derived file, <span class=
18180 "Keyword"><i><span style=
18181 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18183 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>,
18184 contains include directives (if <span class=
18185 "Keyword"><i><span style=
18186 'font-size: 10.0pt;font-family:Arial;color:windowtext'>M</span></i></span>
18187 depends on other specified modules), prototypes of functions and
18188 declarations of variables as specified in <span class=
18189 "Keyword"><i><span style=
18190 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18192 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>.
18193 The file <span class="Keyword"><i><span style=
18194 'font-size:10.0pt;font-family:Arial; color:windowtext'>M</span></i></span><span class="Keyword">
18196 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
18197 should include <span class="Keyword"><i><span style=
18198 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18200 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>
18201 and retain the implementation aspects of the old <span class=
18202 "Keyword"><i><span style=
18203 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18205 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>,
18206 but is no longer used for c<a name="_Ref348845779">lient
18207 documentation.</a></p>
18208 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
18209 <a name="_Toc534975076">Specification Flags</a></p>
18210 <p class="TextFontCX">These flags are relevant only when Splint is
18211 used with LCL specifications.</p>
18212 <p class="Heading10">Global Flags</p>
18213 <p class="TextFontCX"><span class="Flag"><span style=
18214 'font-size:10.0pt'>lcs</span></span></p>
18215 <p class="IndentText">Generate <span class=
18216 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18217 .lcs</span></span> files containing symbolic state of
18218 <span class="Keyword"><span style=
18219 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18220 files (used for imports). By default <span class=
18221 "Keyword"><span style=
18222 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcs</span></span>
18223 files are generated for each <span class=
18224 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18225 .lcl</span></span> file processed. Use <span class=
18226 "Flag"><span style='font-size:10.0pt'>-lcs</span></span> to prevent
18227 generation of <span class="Keyword"><span style=
18228 'font-size:10.0pt;font-family: Arial;color:windowtext'>.lcs</span></span>
18230 <p class="TextFontCX"><span class="Flag"><span style=
18231 'font-size:10.0pt'>lh</span></span></p>
18232 <p class="IndentText">Generate <span class=
18233 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18234 .lh</span></span> files. By default, <span class=
18235 "Flag"><span style='font-size:10.0pt'>-lh</span></span> is set and
18236 no <span class="Keyword"><span style=
18237 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>
18238 files are generated. Use <span class=
18239 "Flag"><span style='font-size:10.0pt'>+lh</span></span> to
18240 enable <span class="Flag"><span style=
18241 'font-size:10.0pt'>.lh</span></span> file
18242 generation. </p>
18243 <p class="TextFontCX"><span class="Flag"><span style=
18244 'font-size:10.0pt'>i</span></span> <span class=
18245 "Flag"><span style='font-size:10.0pt'><file></span></span></p>
18246 <p class="IndentText">Set LCL initialization file to
18247 <span class="Flag"><i><span style=
18248 'font-size:10.0pt'><file></span></i></span>. The
18249 LCL initialization file is read if any <span class=
18250 "Keyword"><span style=
18251 'font-size: 10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18252 files are listed on the command line. The default file
18253 is <span class="Keyword"><span style=
18254 'font-size:10.0pt;font-family:Arial;color:windowtext'>lclinit.lci</span></span>,
18255 found on the <span class="Keyword"><span style=
18256 'font-size:10.0pt;font-family: Arial;color:windowtext'>LARCH_PATH</span></span>.</p>
18257 <p class="TextFontCX"><span class="Flag"><span style=
18258 'font-size:10.0pt'>lclexpect</span></span> <span class=
18259 "Flag"><span style=
18260 'font-size:10.0pt'><i><number></i></span></span></p>
18261 <p class="IndentText">Exactly <span class=
18262 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
18263 specification errors are expected. Specification errors
18264 are errors detected when checking the specifications.
18265 They do not depend on the source code.</p>
18266 <p class="Heading10">Implicit Globals Checking Qualifiers</p>
18268 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18269 height="14" align="left">
18271 <td valign="top" align="left" height="14" style=
18272 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18273 <p class="TextFontCX" align="center" style=
18274 'text-align:center;background:#CCCCCC'><span style=
18275 'font-size:10.0pt'>m:</span><span class=
18276 "Keyword"><span style='font-size:10.0pt'>-++-</span></span></p></td></tr></table></div>
18277 <p class="TextFontCX"><span class="Flag"><span style=
18278 'font-size:10.0pt'>imp-checked-spec-globs</span></span></p>
18279 <p class="IndentText">Implicit <span class=
18280 "Annot"><span style='font-size:10.0pt'>checked</span></span>
18281 qualifier on global variables specified in an LCL file with
18282 no checking annotation.</p>
18284 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18285 height="14" align="left">
18287 <td valign="top" align="left" height="14" style=
18288 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18289 <p class="TextFontCX" align="center" style=
18290 'text-align:center;background:#CCCCCC'><span style=
18291 'font-size:10.0pt'>m:</span><span class=
18292 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
18293 <p class="TextFontCX"><span class="Flag"><span style=
18294 'font-size:10.0pt'>imp-checkmod-spec-globs</span></span></p>
18296 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18297 height="14" align="left">
18299 <td valign="top" align="left" height="14" style=
18300 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18301 <p class="TextFontCX" align="center" style=
18302 'text-align:center;background:#CCCCCC'><span style=
18303 'font-size:10.0pt'>m:</span><span class=
18304 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18305 <p class="IndentText">Implicit <span class=
18306 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
18307 qualifier on global variables specified in an LCL file with
18308 no checking annotation.</p>
18309 <p class="TextFontCX"><span class="Flag"><span style=
18310 'font-size:10.0pt'>imp-checkedstrict-spec-globs</span></span></p>
18311 <p class="IndentText">Implicit <span class=
18312 "Annot"><span style='font-size:10.0pt'>checked</span></span>
18313 qualifier on global variables specified in an LCL file with
18314 no checking annotation.</p>
18316 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18317 height="14" align="left">
18319 <td valign="top" align="left" height="14" style=
18320 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18321 <p class="TextFontCX" align="center" style=
18322 'text-align:center;background:#CCCCCC'><span style=
18323 'font-size:10.0pt'>P:</span> <span class=
18324 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18325 <p class="Heading10">Implicit Annotations</p>
18326 <p class="TextFontCX"><span class="Flag"><span style=
18327 'font-size:10.0pt'>spec-glob-imp-only</span></span></p>
18328 <p class="IndentText">Implicit <span class=
18329 "Annot"><span style='font-size:10.0pt'>only</span></span>
18330 annotation on global variable declaration in an LCL file with
18331 no allocation annotation.</p>
18333 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18334 height="14" align="left">
18336 <td valign="top" align="left" height="14" style=
18337 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18338 <p class="TextFontCX" align="center" style=
18339 'text-align:center;background:#CCCCCC'><span style=
18340 'font-size:10.0pt'>P:</span> <span class=
18341 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18342 <p class="TextFontCX"><span class="Flag"><span style=
18343 'font-size:10.0pt'>spec-ret-imp-only</span></span></p>
18344 <p class="IndentText">Implicit <span class=
18345 "Annot"><span style='font-size:10.0pt'>only</span></span>
18346 annotation on return value declaration in an LCL file with no
18347 allocation annotation.</p>
18349 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18350 height="14" align="left">
18352 <td valign="top" align="left" height="14" style=
18353 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18354 <p class="TextFontCX" align="center" style=
18355 'text-align:center;background:#CCCCCC'><span style=
18356 'font-size:10.0pt'>P:</span> <span class=
18357 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18358 <p class="TextFontCX"><span class="Flag"><span style=
18359 'font-size:10.0pt'>spec-struct-imp-only</span></span></p>
18360 <p class="IndentText">Implicit <span class=
18361 "Annot"><span style='font-size:10.0pt'>only</span></span>
18362 annotation on structure field declarations in an LCL file
18363 with no allocation annotation.</p>
18365 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18366 height="14" align="left">
18368 <td valign="top" align="left" height="14" style=
18369 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18370 <p class="TextFontCX" align="center" style=
18371 'text-align:center;background:#CCCCCC'><span style=
18372 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
18373 <p class="TextFontCX"><span class="Flag"><span style=
18374 'font-size:10.0pt'>spec-imp-only</span></span></p>
18375 <p class="IndentText">Sets <span class="Flag"><span style=
18376 'font-size:10.0pt'>spec-glob-imp-only</span></span>,
18377 <span class="Flag"><span style=
18378 'font-size:10.0pt'>spec-ret-imp-only</span></span> and
18379 <span class="Flag"><span style=
18380 'font-size:10.0pt'>spec-struct-imp-only</span></span>.</p>
18381 <p class="Heading10">Macro Expansion</p>
18383 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18384 height="14" align="left">
18386 <td valign="top" align="left" height="14" style=
18387 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18388 <p class="TextFontCX" align="center" style=
18389 'text-align:center;background:#CCCCCC'><span style=
18390 'font-size:10.0pt'>P:</span> <span class=
18391 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
18392 <p class="TextFontCX"><span class="Flag"><span style=
18393 'font-size:10.0pt'>spec-macros</span></span></p>
18394 <p class="IndentText">Macros defining specified identifiers are not
18395 expanded and are checked according to the
18396 specification.<span class="Flag"><span style=
18397 'font-size:10.0pt'> </span></span></p>
18399 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18400 height="14" align="left">
18402 <td valign="top" align="left" height="14" style=
18403 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18404 <p class="TextFontCX" align="center" style=
18405 'text-align:center;background:#CCCCCC'><span style=
18406 'font-size:10.0pt'>m:</span><span class=
18407 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
18408 <p class="Heading10">Complete Programs and Specifications</p>
18409 <p class="TextFontCX"><span class="Flag"><span style=
18410 'font-size:10.0pt'>spec-undef</span></span></p>
18411 <p class="IndentText">Function, variable, iterator or constant
18412 specified but never defined.</p>
18414 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18415 height="14" align="left">
18417 <td valign="top" align="left" height="14" style=
18418 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18419 <p class="TextFontCX" align="center" style=
18420 'text-align:center;background:#CCCCCC'><span style=
18421 'font-size:10.0pt'>P:</span> <span class=
18422 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18423 <p class="TextFontCX"><span class="Flag"><span style=
18424 'font-size:10.0pt'>spec-undecl</span></span></p>
18425 <p class="IndentText">Function, variable, iterator or constant
18426 specified but never declared.</p>
18428 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18429 height="14" align="left">
18431 <td valign="top" align="left" height="14" style=
18432 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18433 <p class="TextFontCX" align="center" style=
18434 'text-align:center;background:#CCCCCC'><span style=
18435 'font-size:10.0pt'>P:</span> <span class=
18436 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18437 <p class="TextFontCX"><span class="Flag"><span style=
18438 'font-size:10.0pt'>need-spec</span></span></p>
18440 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18441 height="14" align="left">
18443 <td valign="top" align="left" height="14" style=
18444 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18445 <p class="TextFontCX" align="center" style=
18446 'text-align:center;background:#CCCCCC'><span style=
18447 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
18448 <p class="IndentText">There is information in the specification
18449 that is not duplicated in syntactic comments. Normally, this
18450 is not an error, but it may be useful to detect it to make sure
18451 checking incomplete systems without the specifications will still
18452 use this information.</p>
18453 <p class="TextFontCX"><span class="Flag"><span style=
18454 'font-size:10.0pt'>export-any</span></span></p>
18456 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18457 height="14" align="left">
18459 <td valign="top" align="left" height="14" style=
18460 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18461 <p class="TextFontCX" align="center" style=
18462 'text-align:center;background:#CCCCCC'><span style=
18463 'font-size:10.0pt'>m:</span><span class=
18464 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18465 <p class="IndentText">An error is reported for any identifier that
18466 is exported but not specified. (Sets all export flags
18468 <p class="TextFontCX"><span class="Flag"><span style=
18469 'font-size:10.0pt'>export-const</span></span></p>
18470 <p class="IndentText">Constant exported but not specified.</p>
18472 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18473 height="14" align="left">
18475 <td valign="top" align="left" height="14" style=
18476 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18477 <p class="TextFontCX" align="center" style=
18478 'text-align:center;background:#CCCCCC'><span style=
18479 'font-size:10.0pt'>m:</span><span class=
18480 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18481 <p class="TextFontCX"><span class="Flag"><span style=
18482 'font-size:10.0pt'>export-var</span></span></p>
18483 <p class="IndentText">Variable exported but not specified.</p>
18485 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18486 height="14" align="left">
18488 <td valign="top" align="left" height="14" style=
18489 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18490 <p class="TextFontCX" align="center" style=
18491 'text-align:center;background:#CCCCCC'><span style=
18492 'font-size:10.0pt'>m:</span><span class=
18493 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18494 <p class="TextFontCX"><span class="Flag"><span style=
18495 'font-size:10.0pt'>export-fcn</span></span></p>
18496 <p class="IndentText">Function exported but not specified.</p>
18498 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18499 height="14" align="left">
18501 <td valign="top" align="left" height="14" style=
18502 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18503 <p class="TextFontCX" align="center" style=
18504 'text-align:center;background:#CCCCCC'><span style=
18505 'font-size:10.0pt'>m:</span><span class=
18506 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18507 <p class="TextFontCX"><span class="Flag"><span style=
18508 'font-size:10.0pt'>export-iter</span></span></p>
18509 <p class="IndentText">Iterator exported but not specified.</p>
18511 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18512 height="14" align="left">
18514 <td valign="top" align="left" height="14" style=
18515 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18516 <p class="TextFontCX" align="center" style=
18517 'text-align:center;background:#CCCCCC'><span style=
18518 'font-size:10.0pt'>m:</span><span class=
18519 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18520 <p class="TextFontCX"><span class="Flag"><span style=
18521 'font-size:10.0pt'>export-macro</span></span></p>
18522 <p class="IndentText">An expanded macro exported but not
18525 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18526 height="14" align="left">
18528 <td valign="top" align="left" height="14" style=
18529 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18530 <p class="TextFontCX" align="center" style=
18531 'text-align:center;background:#CCCCCC'><span style=
18532 'font-size:10.0pt'>m:</span><span class=
18533 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18534 <p class="TextFontCX"><span class="Flag"><span style=
18535 'font-size:10.0pt'>export-type</span></span></p>
18536 <p class="IndentText">Type definition exported but not
18538 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
18539 <a name="_Toc534975077"></a><a name="_Ref534642451"></a><a name=
18540 "_Toc344355450">Appendix E<span style=
18541 'font:7.0pt "Times New Roman"'> </span>
18542 <a id="annotated" name="annotated">
18543 Annotated Bibliography</a></a></p>
18544 <h4 style='margin-left:0in;text-indent:0in'>Splint</h4>
18545 <p class="TextFontCX">All of these papers are available at
18546 <span style='font-size:10.0pt;font-family:Arial'><a href=
18547 "http://www.splint.org/publications/">http://www.splint.org/publications/</a></span>. </p>
18548 <p class="TextFontCX"> </p>
18549 <p class="TextFontCX" align="left" style='text-align: left'>
18550 [Barker01] Chris Barker. <i>Static Error Checking of C Applications
18551 Ported from UNIX to WIN32 Systems Using LCLint</i>. Senior Thesis,
18552 University of Virginia Deptartment of Computer Science. May
18554 <p class="TextFontCX" align="left" style='text-align: left'>
18556 <p class="IndentText">Describes annotations and checks useful for
18557 porting applications.</p>
18558 <p class="TextFontCX" align="left" style='text-align: left'>
18560 <p class="TextFontCX" align="left" style='text-align: left'>
18561 [Evans94] David Evans. <i>Using specifications to check source
18562 code</i>. MIT/LCS/TR 628, Laboratory for Computer Science,
18563 MIT, June 1994.</p>
18564 <p class="TextFontCX" align="left" style='text-align: left'>
18566 <p class="IndentText">MIT SM Thesis. Describes research
18567 behind Splint, focusing on how specifications can be exploited to
18568 do lightweight checking. Includes case studies using
18570 <p class="TextFontCX" align="left" style='text-align: left'>
18572 <p class="TextFontCX" align="left" style='text-align: left'>
18573 [EGHT94] David Evans, John Guttag, Jim Horning and Yang Meng
18574 Tan. <i>LCL</i><i>int: A tool for using specifications to
18575 check code</i>. SIGSOFT Symposium on the Foundations of
18576 Software Engineering, December 1994.</p>
18577 <p class="TextFontCX" align="left" style='text-align: left'>
18579 <p class="IndentText">Somewhat obsolete introduction to
18580 LCLint. Shows how LCLint is used to find errors in a sample
18582 <p class="TextFontCX" align="left" style='text-align: left'>
18584 <p class="TextFontCX" align="left" style='text-align: left'>
18585 [Evans96] David Evans. <i>Static Detection of Dynamic Memory
18586 Errors</i>. SIGPLAN Conference on Programming Language Design
18587 and Implementation (PLDI ’96), Philadelphia, PA., May
18589 <p class="TextFontCX" align="left" style='text-align: left'>
18591 <p class="IndentText">Describes approach for exploiting annotations
18592 added to code to detect a wide class of errors. Focuses on
18593 memory management checks described in Section 5 of this
18595 <p class="TextFontCX" align="left" style='text-align: left'>
18597 <p class="TextFontCX" align="left" style='text-align: left'>
18598 [Evans00] David Evans. <i>Annotation-Assisted Lightweight
18599 Static Checking. </i> First International Workshop on
18600 Automated Program Analysis, Testing and Verification.
18601 February, 2000.</p>
18602 <p class="IndentText"> </p>
18603 <p class="IndentText">Short position paper describing research
18604 agenda behind Splint.</p>
18605 <p class="IndentText" style='margin-left:0in'> </p>
18606 <p class="IndentText" style='margin-left:0in'>[Evans02] David Evans
18607 and David Larochelle. <i>Improving Security Using Extensible
18608 Lightweight Static Analysis</i>. IEEE Software, Jan/Feb
18610 <p class="IndentText" style='margin-left:0in'> </p>
18611 <p class="IndentText">Most security attacks exploit instances of
18612 well-known classes of implementations flaws. This article
18613 describes how Splint can be used to detect common security
18614 vulnerabilities (including buffer overflows and format string
18615 vulnerabilities).</p>
18616 <p class="IndentText"> </p>
18617 <p class="IndentText" style='margin-left:0in'>[Larochelle01] David
18618 Larochelle and David Evans. Statically Detecting Likely
18619 Buffer Overflow Vulnerabilities. 2001 USENIX Security
18620 Symposium, Washington, D. C., August 13-17, 2001. </p>
18621 <p class="IndentText"> </p>
18622 <p class="IndentText">Buffer overflow attacks may be today's single
18623 most important security threat. This paper describes how Splint can
18624 be used to detect likely vulnerabilities through an analysis of the
18625 program source code and presents experience using our approach to
18626 detect buffer overflow vulnerabilities in two security-sensitive
18628 <p class="IndentText"> </p>
18629 <h4 style='margin-left:0in;text-indent:0in'>C</h4>
18630 <p class="TextFontCX" align="left" style='text-align: left'>[ISO99]
18631 International Standard ISO/IEC 9899. <i>Programming languages
18632 – C.</i> Second edition. December 1999.</p>
18633 <p class="IndentText"> </p>
18634 <p class="IndentText">International standard specification for C
18635 programming language. Approved by ANSI May 2000.</p>
18636 <p class="TextFontCX" align="left" style='text-align: left'>
18638 <p class="TextFontCX" align="left" style='text-align: left'>[KR88]
18639 Brian W. Kernighan and Dennis M. Ritchie. <i>The C
18640 Programming Language</i>, second edition. Prentice Hall, New
18642 <p class="TextFontCX" align="left" style='text-align: left'>
18644 <p class="IndentText">Standard reference for ANSI C. If you
18645 haven’t heard of this one, you probably didn’t get this
18646 far (unless you started at the back).</p>
18647 <p class="TextFontCX" align="left" style='text-align: left'>
18649 <p class="TextFontCX" align="left" style='text-align: left'>[vdL94]
18650 Peter van der Linden. <i>Expert C Programming: Deep C
18651 Secrets</i>. SunSoft Press, Prentice Hall, New Jersey,
18653 <p class="TextFontCX" align="left" style='text-align: left'>
18655 <p class="IndentText">Filled with useful information on the darker
18656 corners of C, as well as lots of industry anecdotes and
18657 humor. Splint’s reserved name checking is loosely based
18658 on the list of reserved names in this book.</p>
18659 <h4 style='margin-left:0in;text-indent:0in'>Methodology</h4>
18660 <p class="TextFontCX" align="left" style='text-align: left'>[GH93]
18661 John Guttag and James Horning with Stephen J. Garland, Kevin D.
18662 Jones, Andrés Modet, and Jeannette M. Wing. <i>Larch:
18663 Languages and Tools for Formal Specification</i>. Springer-Verlag,
18664 Texts and Monographs in Computer Science, 1993.</p>
18665 <p class="IndentText"> </p>
18666 <p class="IndentText">Overview of the Larch family of specification
18667 languages and related tools. Includes a chapter on LCL, the
18668 Larch C interface language, on which Splint is based.</p>
18669 <p class="IndentText" style='margin-left:0in'> </p>
18670 <p class="TextFontCX" align="left" style='text-align: left'>[LG86]
18671 Barbara Liskov and John Guttag. <i>Abstraction and
18672 Specification in Program Development</i>, MIT Press, Cambridge, MA,
18674 <p class="IndentText"> </p>
18675 <p class="IndentText">Describes a programming methodology using
18676 abstract types and specified interfaces. Much of the
18677 methodology upon which Splint is based comes from this book.
18678 Uses the CLU programming language. </p>
18679 <p class="IndentText"> </p>
18680 <p class="TextFontCX" align="left" style='text-align: left'>
18681 [Liskov01] Barbara Liskov with John Guttag. <i>Program
18682 Development in Java</i>, Addison Wesley, 2001.</p>
18683 <p class="IndentText"> </p>
18684 <p class="IndentText">An updated version of [LG86] for the Java
18685 programming language. </p>
18686 <p class="IndentText"> </p>
18687 <p class="TextFontCX" align="left" style='text-align: left'>[Tan95]
18688 Yang Meng Tan. <i>Formal Specification Techniques for
18689 Engineering Modular C</i>. Kluwer International Series in
18690 Software Engineering, Volume 1, Kluwer Academic Publishers, Boston,
18692 <p class="MsoNormal" align="left" style='text-align:left'>
18694 <p class="IndentText">Modified and updated version of MIT Ph D
18695 thesis, previously published as MIT/LCS/TR-619, 1994.
18696 Includes presentation of the semantics of LCL and a case study
18698 <p class="IndentText" style='margin-left:0in'> </p>
18699 <h4 style='margin-left:0in;text-indent:0in'>Secure Programming</h4>
18700 <p class="TextFontCX" align="left" style='text-align: left'>[Hat95]
18701 Les Hatton. <i>Safer C: Developing Software for
18702 High-integrity and Safety-critical Systems</i>. McGraw-Hill
18703 International Series in Software Engineering, 1995.</p>
18704 <p class="TextFontCX" align="left" style='text-align: left'>
18706 <p class="IndentText">A broad work on all aspects of developing
18707 safety-critical software, focusing on the C language.
18708 Provides good justification for the use of C in safety-critical
18709 systems, and the necessity of tool-supported programming
18710 standards. Splint users will be interested to see how many of
18711 the errors listed as only being dynamically detectable can be
18712 detected statically by Splint.</p>
18713 <p class="IndentText" style='margin-left:0in'> </p>
18714 <p class="IndentText" style='margin-left:0in'>[VM02] John Viega and
18715 Gary McGraw. <i>Building Secure Software: How to Avoid
18716 Security Problems the</i> <i>Right Way</i><i>.</i>
18717 Addison-Wesley, 2002.</p>
18718 <p class="IndentText">A comprehensive survey of techniques and
18719 principles for building secure programs.</p>
18720 <p class="IndentText" style='margin-left:0in'> </p>
18721 <p class="IndentText" style='margin-left:0in'>See also [Evans02]
18723 [Larochelle01].</p></center></center></center></center></center></center></center></center></center></center></center></div>
18725 'font-size:11.0pt;font-family:"Times New Roman"'><br clear="all"
18726 style='page-break-before:right'></span>
18729 'font-size:11.0pt;font-family:"Times New Roman"'><br clear="all"
18730 style='page-break-before:auto'></span>
18731 <div class="Section8">
18732 <p class="IndentText"> </p></div>
18733 <div><br clear="all">
18735 <hr align="left" size="1" width="33%">
18737 <p class="MsoFootnoteText"><a href="#_ftnref1" name="_ftn1"
18738 title=""><span class="MsoFootnoteReference"><span class=
18739 "MsoFootnoteReference"><span style=
18740 'font-size:10.0pt;font-family:"Times New Roman"'>[1]</span></span></span></a>
18741 Lint is a common programming tool for detecting anomalies in C
18742 programs. S. C. Johnson developed the original lint in the
18743 late seventies, mainly because early versions of C did not
18744 support function prototypes. Splint was originally named
18745 LCLint because it was originally intended to check for
18746 inconsistencies between LCL specifications and C
18747 implementations. To reflect divergence from LCL and
18748 increased focus on detecting security vulnerabilities, the name
18749 was changed to Splint, short for “Specification
18750 Lint” and “Secure Programming Lint”.</p></div>
18752 <p class="MsoFootnoteText"><a href="#_ftnref2" name="_ftn2"
18753 title=""><span class="MsoFootnoteReference"><span class=
18754 "MsoFootnoteReference"><span style=
18755 'font-size:10.0pt;font-family:"Times New Roman"'>[2]</span></span></span></a>
18756 The meta-notation, <span class="Annot">item,<sup>+</sup></span>
18757 is used to denote a comma separated list of items. For
18759
18760 <span class="Annot">/*@access mstring, intSet@*/</span></p>
18761 <p class="MsoFootnoteText">allows access to the representations of
18762 both <span class="CodeText">mstring</span> and <span class=
18763 "CodeText">intSet</span>.) </p></div>
18765 <p class="MsoFootnoteText"><a href="#_ftnref3" name="_ftn3"
18766 title=""><span class="MsoFootnoteReference"><span class=
18767 "MsoFootnoteReference"><span style=
18768 'font-size:10.0pt;font-family:"Times New Roman"'>[3]</span></span></span></a>
18769 This section is largely based on [Evans96]. It
18770 semi-formally defines some of the terms needed to describe
18771 memory management checking; if you are satisfied with an
18772 intuitive understanding of these terms, this section may be
18775 <p class="MsoFootnoteText"><a href="#_ftnref4" name="_ftn4"
18776 title=""><span class="MsoFootnoteReference"><span class=
18777 "MsoFootnoteReference"><span style=
18778 'font-size:10.0pt;font-family:"Times New Roman"'>[4]</span></span></span></a>
18779 This is similar to the LISP storage model, except that objects
18780 are typed.</p></div>
18782 <p class="TextFontCX"><a href="#_ftnref5" name="_ftn5" title=
18783 ""><span class="MsoFootnoteReference"><span class=
18784 "MsoFootnoteReference"><span style=
18785 'font-size:11.0pt;font-family:"Times New Roman"'>[5]</span></span></span></a>
18786 <span style='font-size:10.0pt'>Except</span> <span class=
18787 "CodeText"><span style=
18788 'font-size:10.0pt'>sizeof</span></span><span style=
18789 'font-size:10.0pt'>, which does not need the value of its
18790 argument.</span></p></div>
18792 <p class="TextFontCX"><a href="#_ftnref6" name="_ftn6" title=
18793 ""><span class="MsoFootnoteReference"><span class=
18794 "MsoFootnoteReference"><span style=
18795 'font-size:11.0pt;font-family:"Times New Roman"'>[6]</span></span></span></a>
18796 If the storage is not assigned to a reference, an internal
18797 reference is created to track the storage.</p></div>
18799 <p class="MsoFootnoteText"><a href="#_ftnref7" name="_ftn7"
18800 title=""><span class="MsoFootnoteReference"><span class=
18801 "MsoFootnoteReference"><span style=
18802 'font-size:10.0pt;font-family:"Times New Roman"'>[7]</span></span></span></a>
18803 The declaration of <span class="CodeText">free</span> has a
18804 <span class="Annot">null</span> annotation on the parameter
18805 to indicate that the argument may be <span class=
18806 "CodeText">NULL</span>. According to [ISO, 7.20.3.2],
18807 <span class="CodeText">NULL</span> may be passed to
18808 <span class="CodeText">free</span> without no action.
18809 On some UNIX platforms, passing <span class=
18810 "CodeText">NULL</span> to free causes a program crash so the
18811 UNIX version of the standard library specifies <span class=
18812 "CodeText">free</span> without the <span class=
18813 "Annot">null</span> annotation on its parameter. To check
18814 that allocated objects are completely destroyed (e.g., all
18815 unshared objects inside a structure are deallocated before
18816 the structure is deallocated), Splint checks that any
18817 parameter passed as an <span class="CodeText">out only void
18818 *</span> does not contain references to live, unshared
18819 objects. This makes sense, since such a parameter could
18820 not be used sensibly in any way other than deallocating its
18823 <p class="MsoFootnoteText"><a href="#_ftnref8" name="_ftn8"
18824 title=""><span class="MsoFootnoteReference"><span class=
18825 "MsoFootnoteReference"><span style=
18826 'font-size:10.0pt;font-family:"Times New Roman"'>[8]</span></span></span></a>
18827 In versions of Splint before 3.0, the <span class=
18828 "Annot">noreturn</span> annotation was named <span class=
18829 "Annot">exits</span>. The <span class=
18830 "Annot">noreturn</span> annotation means the same thing, but is
18831 a more appropriate name. For legacy code, Splint still
18832 supports the <span class="Annot">exits</span> annotations.
18833 Similarly, <span class="Annot">maynotreturn</span> replaces
18834 <span class="Annot">mayexit</span>, <span class=
18835 "Annot">noreturnwhentrue</span> replaces <span class=
18836 "Annot">truexit</span> and <span class=
18837 "Annot">noreturnwhenfalse</span> replaces <span class=
18838 "Annot">falseexit</span>.</p></div>
18840 <p class="MsoFootnoteText"><a href="#_ftnref9" name="_ftn9"
18841 title=""><span class="MsoFootnoteReference"><span class=
18842 "MsoFootnoteReference"><span style=
18843 'font-size:10.0pt;font-family:"Times New Roman"'>[9]</span></span></span></a>The
18844 <span class="Annot">sef</span> annotation denotes a parameter as
18845 side effect free (see Section 11.2.1). We use
18846 <span class="CodeText">bool /*@alt int@*/</span> as the type
18847 of the parameter, to indicate that it may be either a Boolean
18848 or an integer.</p></div>
18850 <p class="MsoFootnoteText"><a href="#_ftnref10" name="_ftn10"
18851 title=""><span class="MsoFootnoteReference"><span class=
18852 "MsoFootnoteReference"><span style=
18853 'font-size:10.0pt;font-family:"Times New Roman"'>[10]</span></span></span></a>
18854 Peter van der Linden estimates that default fall through is the
18855 wrong behavior 97% of the time. [vdL95, p. 37]</p></div>
18857 <p class="MsoFootnoteText"><a href="#_ftnref11" name="_ftn11"
18858 title=""><span class="MsoFootnoteReference"><span class=
18859 "MsoFootnoteReference"><span style=
18860 'font-size:10.0pt;font-family:"Times New Roman"'>[11]</span></span></span></a>
18861 “Software Glitch Cripples AT&T Network”,
18862 Telephony, 22 January 1990.</p></div>
18864 <p class="MsoFootnoteText"><a href="#_ftnref12" name="_ftn12"
18865 title=""><span class="MsoFootnoteReference"><span class=
18866 "MsoFootnoteReference"><span style=
18867 'font-size:10.0pt;font-family:"Times New Roman"'>[12]</span></span></span></a>
18868 See [Larochelle01] for information on internal aspects of the
18869 checking.</p></div>
18871 <p class="MsoFootnoteText"><a href="#_ftnref13" name="_ftn13"
18872 title=""><span class="MsoFootnoteReference"><span class=
18873 "MsoFootnoteReference"><span style=
18874 'font-size:10.0pt;font-family:"Times New Roman"'>[13]</span></span></span></a>
18875 This section is largely based on [Evans02].</p></div>
18877 <p class="MsoFootnoteText"><a href="#_ftnref14" name="_ftn14"
18878 title=""><span class="MsoFootnoteReference"><span class=
18879 "MsoFootnoteReference"><span style=
18880 'font-size:10.0pt;font-family:"Times New Roman"'>[14]</span></span></span></a>
18881 C. Cowan et al., <i>FormatGuard: Automatic Protection from
18882 printf Format String Vulnerabilities</i>. 10th Usenix
18883 Security Symposium, 2001.</p></div>
18885 <p class="MsoFootnoteText"><a href="#_ftnref15" name="_ftn15"
18886 title=""><span class="MsoFootnoteReference"><span class=
18887 "MsoFootnoteReference"><span style=
18888 'font-size:10.0pt;font-family:"Times New Roman"'>[15]</span></span></span></a>
18889 To be completely correct, all the macro parameters should be
18890 evaluated before the macro has any side effects. Splint
18891 does not check this.</p></div>
18893 <p class="MsoFootnoteText"><a href="#_ftnref16" name="_ftn16"
18894 title=""><span class="MsoFootnoteReference"><span class=
18895 "MsoFootnoteReference"><span style=
18896 'font-size:10.0pt;font-family:"Times New Roman"'>[16]</span></span></span></a>
18897 Functions that do not produce to the same result each time they
18898 are called with the same arguments should be declared to modify
18899 <span class="Annot">internalState</span> so they will lead to
18900 errors if they are passed as <span class="Annot">sef</span>
18901 parameters.</p></div>
18903 <p class="MsoFootnoteText"><a href="#_ftnref17" name="_ftn17"
18904 title=""><span class="MsoFootnoteReference"><span class=
18905 "MsoFootnoteReference"><span style=
18906 'font-size:10.0pt;font-family:"Times New Roman"'>[17]</span></span></span></a>
18907 The most renowned C naming convention is the Hungarian naming
18908 convention, introduced by Charles Simonyi [Simonyi, Charles, and
18909 Martin Heller. “The Hungarian
18910 Revolution.” <i>BYTE</i>, August 1991, p.
18911 131-38]. The names for Splint naming conventions follow
18912 the tradition of using Central European nationalities as
18913 mnemonics for naming conventions. The Splint conventions
18914 are similar to the Hungarian naming convention in that they
18915 encode type information in names, except that the Splint
18916 conventions encode the names of accessible abstract
18917 types instead of the type of the declaration of return
18918 value. Prefixes used in the Hungarian naming convention
18919 are not supported by Splint.</p>
18920 <p class="MsoFootnoteText"> </p></div>
18922 <p class="MsoFootnoteText"><a href="#_ftnref18" name="_ftn18"
18923 title=""><span class="MsoFootnoteReference"><span class=
18924 "MsoFootnoteReference"><span style=
18925 'font-size:10.0pt;font-family:"Times New Roman"'>[18]</span></span></span></a>
18926 Of course, namespace prefixes should really be described by
18927 regular expressions. If there is sufficient interest (that
18928 is, someone volunteers to program it), regular expressions will
18929 be supported in a future version of Splint.</p></div>
18931 <p class="MsoFootnoteText"><a href="#_ftnref19" name="_ftn19"
18932 title=""><span class="MsoFootnoteReference"><span class=
18933 "MsoFootnoteReference"><span style=
18934 'font-size:10.0pt;font-family:"Times New Roman"'>[19]</span></span></span></a>
18935 POSIX library was contributed by Jens
18936 Schweikhardt.</p></div></div>
18937 <!--#include virtual="footer.html"-->
andersk / splint.git / blob