4 "HTML Tidy for Solaris (vers 1st March 2003), see www.w3.org"
6 <link rel="stylesheet" type="text/css" href=
7 "../manual.css" title="style1">
8 <title>Splint Manual</title>
9 <style type="text/css">
11 /* Font Definitions */
13 {font-family:Helvetica;
14 panose-1:2 11 5 4 2 2 2 2 2 4;}
17 panose-1:2 7 4 9 2 2 5 2 4 4;}
19 {font-family:"Tms Rmn";
20 panose-1:2 2 6 3 4 5 5 2 3 4;}
23 panose-1:2 11 6 4 2 2 2 3 2 4;}
25 {font-family:"New York";
26 panose-1:2 4 5 3 6 5 6 2 3 4;}
29 panose-1:0 0 0 0 0 0 0 0 0 0;}
31 {font-family:Wingdings;
32 panose-1:5 0 0 0 0 0 0 0 0 0;}
34 {font-family:"MS Mincho";
35 panose-1:2 2 6 9 4 2 5 8 3 4;}
38 panose-1:2 3 6 0 0 1 1 1 1 1;}
41 panose-1:2 1 6 0 3 1 1 1 1 1;}
43 {font-family:PMingLiU;
44 panose-1:2 1 6 1 0 1 1 1 1 1;}
46 {font-family:"MS Gothic";
47 panose-1:2 11 6 9 7 2 5 8 2 4;}
50 panose-1:2 11 6 0 0 1 1 1 1 1;}
53 panose-1:2 1 6 0 3 1 1 1 1 1;}
56 panose-1:2 1 6 9 0 1 1 1 1 1;}
59 panose-1:2 2 6 9 4 3 5 8 3 5;}
62 panose-1:2 11 6 0 0 1 1 1 1 1;}
65 panose-1:2 4 6 3 5 7 5 2 3 3;}
67 {font-family:"Angsana New";
68 panose-1:2 2 6 3 5 4 5 2 3 4;}
70 {font-family:"Cordia New";
71 panose-1:2 11 3 4 2 2 2 2 2 4;}
74 panose-1:0 0 4 0 0 0 0 0 0 0;}
77 panose-1:0 0 4 0 0 0 0 0 0 0;}
80 panose-1:1 10 5 2 5 3 6 3 3 3;}
83 panose-1:0 0 4 0 0 0 0 0 0 0;}
86 panose-1:0 0 4 0 0 0 0 0 0 0;}
89 panose-1:0 0 4 0 0 0 0 0 0 0;}
92 panose-1:0 0 4 0 0 0 0 0 0 0;}
95 panose-1:0 0 4 0 0 0 0 0 0 0;}
98 panose-1:0 0 4 0 0 0 0 0 0 0;}
100 {font-family:"Estrangella Edessa";
101 panose-1:0 0 0 0 0 0 0 0 0 0;}
103 {font-family:"Arial Unicode MS";
104 panose-1:0 0 0 0 0 0 0 0 0 0;}
107 panose-1:2 11 6 4 3 5 4 4 2 4;}
109 {font-family:"Book Antiqua";
110 panose-1:2 4 6 2 5 3 5 3 3 4;}
112 {font-family:"Arial Narrow";
113 panose-1:2 11 5 6 2 2 2 3 2 4;}
116 panose-1:0 0 0 0 0 0 0 0 0 0;}
118 {font-family:Marlett;
119 panose-1:0 0 0 0 0 0 0 0 0 0;}
121 {font-family:"News Gothic MT";
122 panose-1:2 11 5 4 2 2 3 2 2 4;}
124 {font-family:"Lucida Sans Unicode";
125 panose-1:2 11 6 2 3 5 4 2 2 4;}
127 {font-family:"Century Gothic";
128 panose-1:2 11 5 2 2 2 2 2 2 4;}
130 {font-family:"Abadi MT Condensed Light";
131 panose-1:2 11 3 6 3 1 1 1 1 3;}
133 {font-family:"Matisse ITC";
134 panose-1:4 4 4 3 3 13 2 2 7 4;}
136 {font-family:Westminster;
137 panose-1:4 4 5 6 3 15 2 2 7 2;}
139 {font-family:"Lucida Console";
140 panose-1:2 11 6 9 4 5 4 2 2 4;}
142 {font-family:"Arial Black";
143 panose-1:2 11 10 4 2 1 2 2 2 4;}
145 {font-family:"Comic Sans MS";
146 panose-1:3 15 7 2 3 3 2 2 2 4;}
148 {font-family:Verdana;
149 panose-1:2 11 6 4 3 5 4 4 2 4;}
151 {font-family:Webdings;
152 panose-1:5 3 1 2 1 5 9 6 7 3;}
154 {font-family:"Verdana Ref";
155 panose-1:2 11 6 4 3 5 4 4 2 4;}
157 {font-family:"Georgia Ref";
158 panose-1:2 4 5 2 5 4 5 2 3 3;}
160 {font-family:RefSpecialty;
161 panose-1:2 0 5 0 0 0 0 0 0 0;}
163 {font-family:"MS Reference 1";
164 panose-1:5 0 0 0 0 0 0 0 0 0;}
166 {font-family:"MS Reference 2";
167 panose-1:0 0 0 0 0 0 0 0 0 0;}
170 panose-1:0 0 4 0 0 0 0 0 0 0;}
172 {font-family:"Mediascape OSD Icon";
173 panose-1:2 11 6 3 5 3 2 2 2 4;}
176 panose-1:2 11 7 3 3 0 0 0 0 7;}
178 {font-family:"Agency FB";
179 panose-1:0 1 6 6 4 0 0 4 0 3;}
181 {font-family:Algerian;
182 panose-1:4 2 7 5 4 10 2 6 7 2;}
184 {font-family:"Arial Rounded MT Bold";
185 panose-1:2 15 7 4 3 5 4 3 2 4;}
187 {font-family:"Baskerville Old Face";
188 panose-1:2 2 6 2 8 5 5 2 3 3;}
190 {font-family:"Bauhaus 93";
191 panose-1:4 3 9 5 2 11 2 2 12 2;}
193 {font-family:"Bell MT";
194 panose-1:2 2 5 3 6 3 5 2 3 3;}
196 {font-family:"Berlin Sans FB";
197 panose-1:2 14 6 2 2 5 2 2 3 6;}
199 {font-family:"Bernard MT Condensed";
200 panose-1:2 5 8 6 6 9 5 2 4 4;}
202 {font-family:"Blackadder ITC";
203 panose-1:4 2 5 5 5 16 7 2 13 2;}
205 {font-family:"Bookman Old Style";
206 panose-1:2 5 6 4 5 5 5 2 2 4;}
208 {font-family:"Bradley Hand ITC";
209 panose-1:3 7 4 2 5 3 2 3 2 3;}
211 {font-family:"Britannic Bold";
212 panose-1:2 11 9 3 6 7 3 2 2 4;}
214 {font-family:Broadway;
215 panose-1:4 4 9 5 8 11 2 2 5 2;}
217 {font-family:"Brush Script MT";
218 panose-1:3 6 8 2 4 4 6 7 3 4;}
220 {font-family:"Californian FB";
221 panose-1:2 7 4 3 6 8 11 3 2 4;}
223 {font-family:"Calisto MT";
224 panose-1:2 4 6 3 5 5 5 3 3 4;}
226 {font-family:Castellar;
227 panose-1:2 10 4 2 6 4 6 1 3 1;}
229 {font-family:Centaur;
230 panose-1:2 3 5 4 5 2 5 2 3 4;}
232 {font-family:"Century Schoolbook";
233 panose-1:2 4 6 4 5 5 5 2 3 4;}
235 {font-family:Chiller;
236 panose-1:4 2 4 4 3 16 7 2 6 2;}
238 {font-family:"Colonna MT";
239 panose-1:4 2 8 5 6 2 2 3 2 3;}
241 {font-family:"Cooper Black";
242 panose-1:2 8 9 4 4 3 11 2 4 4;}
244 {font-family:"Copperplate Gothic Bold";
245 panose-1:2 14 7 5 2 2 6 2 4 4;}
247 {font-family:"Copperplate Gothic Light";
248 panose-1:2 14 5 7 2 2 6 2 4 4;}
250 {font-family:"Curlz MT";
251 panose-1:4 4 4 4 5 7 2 2 2 2;}
253 {font-family:"Edwardian Script ITC";
254 panose-1:3 3 3 2 4 7 7 13 8 4;}
256 {font-family:Elephant;
257 panose-1:2 2 9 4 9 5 5 2 3 3;}
259 {font-family:"Engravers MT";
260 panose-1:2 9 7 7 8 5 5 2 3 4;}
262 {font-family:"Eras Bold ITC";
263 panose-1:2 11 9 7 3 5 4 2 2 4;}
265 {font-family:"Eras Demi ITC";
266 panose-1:2 11 8 5 3 5 4 2 8 4;}
268 {font-family:"Eras Light ITC";
269 panose-1:2 11 4 2 3 5 4 2 8 4;}
271 {font-family:"Eras Medium ITC";
272 panose-1:2 11 6 2 3 5 4 2 8 4;}
274 {font-family:"Felix Titling";
275 panose-1:4 6 5 5 6 2 2 2 10 4;}
277 {font-family:"Footlight MT Light";
278 panose-1:2 4 6 2 6 3 10 2 3 4;}
281 panose-1:3 6 9 2 4 5 2 7 2 3;}
283 {font-family:"Franklin Gothic Book";
284 panose-1:2 11 5 3 2 1 2 2 2 4;}
286 {font-family:"Franklin Gothic Demi";
287 panose-1:2 11 7 3 2 1 2 2 2 4;}
289 {font-family:"Franklin Gothic Demi Cond";
290 panose-1:2 11 7 6 3 4 2 2 2 4;}
292 {font-family:"Franklin Gothic Heavy";
293 panose-1:2 11 9 3 2 1 2 2 2 4;}
295 {font-family:"Franklin Gothic Medium";
296 panose-1:2 11 6 3 2 1 2 2 2 4;}
298 {font-family:"Franklin Gothic Medium Cond";
299 panose-1:2 11 6 6 3 4 2 2 2 4;}
301 {font-family:"Freestyle Script";
302 panose-1:3 8 4 2 3 2 5 11 4 4;}
304 {font-family:"French Script MT";
305 panose-1:3 2 4 2 4 6 7 4 6 5;}
307 {font-family:Garamond;
308 panose-1:2 2 4 4 3 3 1 1 8 3;}
311 panose-1:4 4 5 4 6 16 7 2 13 2;}
313 {font-family:"Gill Sans MT";
314 panose-1:2 11 5 2 2 1 4 2 2 3;}
316 {font-family:"Gill Sans MT Condensed";
317 panose-1:2 11 5 6 2 1 4 2 2 3;}
319 {font-family:"Gill Sans Ultra Bold";
320 panose-1:2 11 10 2 2 1 4 2 2 3;}
322 {font-family:"Gill Sans Ultra Bold Condensed";
323 panose-1:2 11 10 6 2 1 4 2 2 3;}
325 {font-family:"Gill Sans MT Ext Condensed Bold";
326 panose-1:2 11 9 2 2 1 4 2 2 3;}
328 {font-family:"Gloucester MT Extra Condensed";
329 panose-1:2 3 8 8 2 6 1 1 1 1;}
331 {font-family:"Goudy Old Style";
332 panose-1:2 2 5 2 5 3 5 2 3 3;}
334 {font-family:"Goudy Stout";
335 panose-1:2 2 9 4 7 3 11 2 4 1;}
337 {font-family:Haettenschweiler;
338 panose-1:2 11 7 6 4 9 2 6 2 4;}
340 {font-family:"Harlow Solid Italic";
341 panose-1:4 3 6 4 2 15 2 2 13 2;}
343 {font-family:Harrington;
344 panose-1:4 4 5 5 5 10 2 2 7 2;}
346 {font-family:"High Tower Text";
347 panose-1:2 4 5 2 5 5 6 3 3 3;}
349 {font-family:"Imprint MT Shadow";
350 panose-1:4 2 6 5 6 3 3 3 2 2;}
352 {font-family:Jokerman;
353 panose-1:4 9 6 5 6 13 6 2 7 2;}
355 {font-family:"Juice ITC";
356 panose-1:4 4 4 3 4 10 2 2 2 2;}
358 {font-family:"Kristen ITC";
359 panose-1:3 5 5 2 4 2 2 3 2 2;}
361 {font-family:"Kunstler Script";
362 panose-1:3 3 4 2 2 6 7 13 13 6;}
364 {font-family:"Lucida Bright";
365 panose-1:2 4 6 2 5 5 5 2 3 4;}
367 {font-family:"Lucida Calligraphy";
368 panose-1:3 1 1 1 1 1 1 1 1 1;}
370 {font-family:"Lucida Fax";
371 panose-1:2 6 6 2 5 5 5 2 2 4;}
373 {font-family:"Lucida Handwriting";
374 panose-1:3 1 1 1 1 1 1 1 1 1;}
376 {font-family:"Lucida Sans";
377 panose-1:2 11 6 2 3 5 4 2 2 4;}
379 {font-family:"Lucida Sans Typewriter";
380 panose-1:2 11 5 9 3 5 4 3 2 4;}
382 {font-family:Magneto;
383 panose-1:4 3 8 5 5 8 2 2 13 2;}
385 {font-family:"Maiandra GD";
386 panose-1:2 14 5 2 3 3 8 2 2 4;}
388 {font-family:"Matura MT Script Capitals";
389 panose-1:3 2 8 2 6 6 2 7 2 2;}
391 {font-family:Mistral;
392 panose-1:3 9 7 2 3 4 7 2 4 3;}
394 {font-family:"Modern No\. 20";
395 panose-1:2 7 7 4 7 5 5 2 3 3;}
397 {font-family:"Niagara Engraved";
398 panose-1:4 2 5 2 7 7 3 3 2 2;}
400 {font-family:"Niagara Solid";
401 panose-1:4 2 5 2 7 7 2 2 2 2;}
403 {font-family:"OCR A Extended";
404 panose-1:2 1 5 9 2 1 2 1 3 3;}
406 {font-family:"Old English Text MT";
407 panose-1:3 4 9 2 4 5 8 3 8 6;}
410 panose-1:4 5 6 2 8 7 2 2 2 3;}
412 {font-family:"Palace Script MT";
413 panose-1:3 3 3 2 2 6 7 12 11 5;}
415 {font-family:Papyrus;
416 panose-1:3 7 5 2 6 5 2 3 2 5;}
418 {font-family:Parchment;
419 panose-1:3 4 6 2 4 7 8 4 8 4;}
421 {font-family:Perpetua;
422 panose-1:2 2 5 2 6 4 1 2 3 3;}
424 {font-family:"Perpetua Titling MT";
425 panose-1:2 2 5 2 6 5 5 2 8 4;}
427 {font-family:Playbill;
428 panose-1:4 5 6 3 10 6 2 2 2 2;}
430 {font-family:"Poor Richard";
431 panose-1:2 8 5 2 5 5 5 2 7 2;}
433 {font-family:Pristina;
434 panose-1:3 6 4 2 4 4 6 8 2 4;}
436 {font-family:"Rage Italic";
437 panose-1:3 7 5 2 4 5 7 7 3 4;}
440 panose-1:4 4 8 5 5 8 9 2 6 2;}
442 {font-family:Rockwell;
443 panose-1:2 6 6 3 2 2 5 2 4 3;}
445 {font-family:"Rockwell Condensed";
446 panose-1:2 6 6 3 5 4 5 2 1 4;}
448 {font-family:"Rockwell Extra Bold";
449 panose-1:2 6 9 3 4 5 5 2 4 3;}
451 {font-family:"Informal Roman";
452 panose-1:3 6 4 2 3 4 6 11 2 4;}
454 {font-family:"Script MT Bold";
455 panose-1:3 4 6 2 4 6 7 8 9 4;}
457 {font-family:"Showcard Gothic";
458 panose-1:4 2 9 4 2 1 2 2 6 4;}
460 {font-family:"Snap ITC";
461 panose-1:4 4 10 7 6 10 2 2 2 2;}
463 {font-family:Stencil;
464 panose-1:4 4 9 5 13 8 2 2 4 4;}
466 {font-family:"Tempus Sans ITC";
467 panose-1:4 2 4 4 3 13 7 2 2 2;}
469 {font-family:"Trebuchet MS";
470 panose-1:2 11 6 3 2 2 2 2 2 4;}
472 {font-family:"Tw Cen MT";
473 panose-1:2 11 6 2 2 1 4 2 6 3;}
475 {font-family:"Tw Cen MT Condensed";
476 panose-1:2 11 6 6 2 1 4 2 2 3;}
478 {font-family:"Viner Hand ITC";
479 panose-1:3 7 5 2 3 5 2 2 2 3;}
481 {font-family:Vivaldi;
482 panose-1:3 2 6 2 5 5 6 9 8 4;}
484 {font-family:"Vladimir Script";
485 panose-1:3 5 4 2 4 4 7 7 3 5;}
487 {font-family:"Wide Latin";
488 panose-1:2 10 10 7 5 5 5 2 4 4;}
490 {font-family:"Wingdings 2";
491 panose-1:5 2 1 2 1 5 7 7 7 7;}
493 {font-family:"Wingdings 3";
494 panose-1:5 4 1 2 1 8 7 7 7 7;}
496 {font-family:"Berlin Sans FB Demi";
497 panose-1:2 14 8 2 2 5 2 2 3 6;}
499 {font-family:"Tw Cen MT Condensed Extra Bold";
500 panose-1:2 11 8 3 2 0 0 0 0 4;}
502 {font-family:"Almanac MT";
503 panose-1:5 1 1 1 1 1 1 1 1 1;}
505 {font-family:"Beesknees ITC";
506 panose-1:4 4 10 5 5 13 2 2 5 2;}
508 {font-family:"Holidays MT";
509 panose-1:5 1 1 1 1 1 1 1 1 1;}
511 {font-family:"Monotype Sorts";
512 panose-1:1 1 6 1 1 1 1 1 1 1;}
514 {font-family:"Monotype Sorts 2";
515 panose-1:5 2 1 2 1 2 8 2 8 8;}
517 {font-family:"Pepita MT";
518 panose-1:3 6 4 2 4 5 2 7 8 4;}
520 {font-family:"Vacation MT";
521 panose-1:5 1 1 1 1 1 1 1 1 1;}
523 {font-family:"Map Symbols";
524 panose-1:0 5 1 2 1 7 6 2 5 7;}
526 {font-family:"Bookshelf Symbol 3";
527 panose-1:5 5 1 2 1 7 6 2 5 7;}
529 {font-family:Georgia;
530 panose-1:2 4 5 2 5 4 5 2 3 3;}
532 {font-family:"MS Outlook";
533 panose-1:5 0 0 0 0 0 0 0 0 0;}
535 {font-family:"Berling Antiqua";
536 panose-1:2 2 6 2 6 4 5 3 4 2;}
538 {font-family:Bookdings;
539 panose-1:5 0 0 0 0 0 0 0 0 0;}
541 {font-family:"Frutiger Linotype";
542 panose-1:2 11 6 4 3 5 4 4 2 4;}
544 {font-family:"Andale Mono";
545 panose-1:2 11 5 9 0 0 0 0 0 4;}
548 panose-1:2 11 8 6 3 9 2 5 2 4;}
550 {font-family:"Monotype Corsiva";
551 panose-1:3 1 1 1 1 2 1 1 1 1;}
553 {font-family:"MT Extra";
554 panose-1:5 5 1 2 1 2 5 2 2 2;}
556 {font-family:ProgramTwo;
557 panose-1:0 0 0 0 0 0 0 0 0 0;}
558 /* Style Definitions */
559 p.MsoNormal, li.MsoNormal, div.MsoNormal
561 margin-bottom:.0001pt;
564 font-family:"Times New Roman";}
572 page-break-before:always;
573 page-break-after:avoid;
575 font-family:"Times New Roman";}
583 page-break-after:avoid;
585 font-family:"Times New Roman";}
593 page-break-after:avoid;
595 font-family:"Times New Roman";}
603 page-break-after:avoid;
605 font-family:"Times New Roman";}
614 font-family:"Times New Roman";
624 font-family:"Times New Roman";
627 p.MsoHeading7, li.MsoHeading7, div.MsoHeading7
634 page-break-before:always;
635 page-break-after:avoid;
637 font-family:"Times New Roman";
639 p.MsoHeading8, li.MsoHeading8, div.MsoHeading8
646 page-break-after:avoid;
648 font-family:"Times New Roman";
650 p.MsoHeading9, li.MsoHeading9, div.MsoHeading9
657 page-break-after:avoid;
659 font-family:"Times New Roman";
661 p.MsoIndex1, li.MsoIndex1, div.MsoIndex1
666 margin-bottom:.0001pt;
670 font-family:"Times New Roman";}
671 p.MsoIndex2, li.MsoIndex2, div.MsoIndex2
676 margin-bottom:.0001pt;
680 font-family:"Times New Roman";}
681 p.MsoIndex3, li.MsoIndex3, div.MsoIndex3
686 margin-bottom:.0001pt;
690 font-family:"Times New Roman";}
691 p.MsoIndex4, li.MsoIndex4, div.MsoIndex4
696 margin-bottom:.0001pt;
700 font-family:"Times New Roman";}
701 p.MsoIndex5, li.MsoIndex5, div.MsoIndex5
706 margin-bottom:.0001pt;
710 font-family:"Times New Roman";}
711 p.MsoIndex6, li.MsoIndex6, div.MsoIndex6
716 margin-bottom:.0001pt;
720 font-family:"Times New Roman";}
721 p.MsoIndex7, li.MsoIndex7, div.MsoIndex7
726 margin-bottom:.0001pt;
730 font-family:"Times New Roman";}
731 p.MsoIndex8, li.MsoIndex8, div.MsoIndex8
736 margin-bottom:.0001pt;
740 font-family:"Times New Roman";}
741 p.MsoIndex9, li.MsoIndex9, div.MsoIndex9
746 margin-bottom:.0001pt;
750 font-family:"Times New Roman";}
751 p.MsoToc1, li.MsoToc1, div.MsoToc1
758 font-family:"Times New Roman";
760 p.MsoToc2, li.MsoToc2, div.MsoToc2
765 margin-bottom:.0001pt;
768 font-family:"Times New Roman";}
769 p.MsoToc3, li.MsoToc3, div.MsoToc3
774 margin-bottom:.0001pt;
777 font-family:"Times New Roman";}
778 p.MsoToc4, li.MsoToc4, div.MsoToc4
783 margin-bottom:.0001pt;
786 font-family:"Times New Roman";}
787 p.MsoToc5, li.MsoToc5, div.MsoToc5
792 margin-bottom:.0001pt;
795 font-family:"Times New Roman";}
796 p.MsoToc6, li.MsoToc6, div.MsoToc6
801 margin-bottom:.0001pt;
804 font-family:"Times New Roman";}
805 p.MsoToc7, li.MsoToc7, div.MsoToc7
810 margin-bottom:.0001pt;
813 font-family:"Times New Roman";}
814 p.MsoToc8, li.MsoToc8, div.MsoToc8
819 margin-bottom:.0001pt;
822 font-family:"Times New Roman";}
823 p.MsoToc9, li.MsoToc9, div.MsoToc9
828 margin-bottom:.0001pt;
831 font-family:"Times New Roman";}
832 p.MsoFootnoteText, li.MsoFootnoteText, div.MsoFootnoteText
834 margin-bottom:.0001pt;
837 font-family:"Times New Roman";}
838 p.MsoCommentText, li.MsoCommentText, div.MsoCommentText
840 margin-bottom:.0001pt;
843 font-family:"Times New Roman";}
844 p.MsoHeader, li.MsoHeader, div.MsoHeader
846 margin-bottom:.0001pt;
849 font-family:"Times New Roman";
852 p.MsoFooter, li.MsoFooter, div.MsoFooter
854 margin-bottom:.0001pt;
857 font-family:"Times New Roman";}
858 p.MsoIndexHeading, li.MsoIndexHeading, div.MsoIndexHeading
860 margin-bottom:.0001pt;
863 font-family:"Times New Roman";}
864 p.MsoCaption, li.MsoCaption, div.MsoCaption
871 font-family:"Times New Roman";
873 p.MsoTof, li.MsoTof, div.MsoTof
878 margin-bottom:.0001pt;
882 font-family:"Times New Roman";}
883 span.MsoFootnoteReference
884 {vertical-align:super;}
886 {vertical-align:baseline;}
887 p.MsoListBullet, li.MsoListBullet, div.MsoListBullet
892 margin-bottom:.0001pt;
894 text-indent:-12.95pt;
896 font-family:"Times New Roman";}
897 p.MsoTitle, li.MsoTitle, div.MsoTitle
906 p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle
914 p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
916 margin-bottom:.0001pt;
919 font-family:"Times New Roman";}
922 margin-bottom:.0001pt;
924 font-family:"Courier New";}
925 p.TextFontCX, li.TextFontCX, div.TextFontCX
927 margin-bottom:.0001pt;
930 font-family:"Times New Roman";}
931 p.Appendix, li.Appendix, div.Appendix
937 page-break-after:avoid;
939 font-family:"Times New Roman";
941 p.Heading10, li.Heading10, div.Heading10
947 page-break-after:avoid;
949 font-family:"Times New Roman";
950 letter-spacing:-.4pt;
952 p.Heading11, li.Heading11, div.Heading11
958 page-break-after:avoid;
960 font-family:"Times New Roman";
961 letter-spacing:-.4pt;
971 {font-family:"Courier New";}
973 {font-family:"Courier New";
979 {font-family:"Courier New";
983 {font-family:"Times New Roman";
985 p.Author, li.Author, div.Author
994 p.Verbatim, li.Verbatim, div.Verbatim
996 margin-bottom:.0001pt;
998 font-family:"Courier New";
1000 p.lclintrun, li.lclintrun, div.lclintrun
1002 margin-bottom:.0001pt;
1004 font-family:"Arial Narrow";}
1005 p.IndentText, li.IndentText, div.IndentText
1010 margin-bottom:.0001pt;
1013 font-family:"Times New Roman";}
1014 p.beforelist, li.beforelist, div.beforelist
1017 margin-bottom:6.0pt;
1021 font-family:"Times New Roman";}
1022 p.example, li.example, div.example
1025 margin-bottom:6.0pt;
1028 font-family:"Courier New";
1030 p.skiplist, li.skiplist, div.skiplist
1035 margin-bottom:.0001pt;
1038 font-family:"Times New Roman";}
1039 p.afterlist, li.afterlist, div.afterlist
1044 margin-bottom:.0001pt;
1047 font-family:"Times New Roman";}
1048 p.betweenlists, li.betweenlists, div.betweenlists
1051 margin-bottom:6.0pt;
1055 font-family:"Times New Roman";}
1056 p.indentbefore, li.indentbefore, div.indentbefore
1059 margin-bottom:6.0pt;
1063 font-family:"Times New Roman";}
1064 p.indentbefore0, li.indentbefore0, div.indentbefore0
1067 margin-bottom:6.0pt;
1071 font-family:"Times New Roman";}
1075 p.Sidebar, li.Sidebar, div.Sidebar
1077 margin-bottom:.0001pt;
1079 font-family:"Times New Roman";}
1080 p.URL, li.URL, div.URL
1082 margin-bottom:.0001pt;
1086 span.StyleKeywordBold
1087 {font-family:"Courier New";
1090 p.ProgramName, li.ProgramName, div.ProgramName
1092 margin-bottom:.0001pt;
1097 {font-family:"Courier New";}
1098 span.ProgramNameChar
1099 {font-family:Arial;}
1101 {font-family:ProgramTwo;
1103 p.fileName, li.fileName, div.fileName
1108 margin-bottom:.0001pt;
1111 p.FileName0, li.FileName0, div.FileName0
1116 margin-bottom:.0001pt;
1120 {font-family:Arial;}
1122 {text-decoration:none;}
1124 {text-decoration:underline;}
1126 {text-decoration:line-through;
1128 /* Page Definitions */
1131 margin:1.0in 1.25in .75in 1.25in;}
1136 margin:1.0in 1.25in 1.0in 99.35pt;}
1141 margin:1.0in 1.25in 1.0in 99.35pt;}
1146 margin:1.0in 1.25in 1.0in 99.0pt;}
1151 margin:1.0in 1.25in 1.0in 1.25in;}
1156 margin:1.0in 1.25in 1.0in 1.25in;}
1161 margin:1.0in 1.25in 1.0in 1.25in;}
1166 margin:1.0in 1.25in 1.0in 1.25in;}
1169 /* List Definitions */
1171 {margin-bottom:0in;}
1173 {margin-bottom:0in;}
1178 <!--#include virtual="header.html"-->
1179 <div class="Section1">
1180 <p class="MsoTitle"><img width="189" height="219" src=
1181 "manual-301_files/image001.jpg" hspace="12"><a name=
1182 "_Ref533872469"></a></p>
1183 <p class="MsoTitle"><a name="_Ref483663680"></a><span class=
1184 "MsoCommentReference"><span style=
1185 'font-size:20.0pt'> </span></span></p>
1186 <p class="MsoTitle"><span class=
1187 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1188 </span></span></p>
1189 <p class="MsoTitle"><span class=
1190 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1191 </span></span></p>
1192 <p class="MsoTitle"><span class=
1193 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1194 </span></span></p>
1195 <p class="MsoTitle"><span class=
1196 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1197 Splint Manual</span></span></p>
1198 <p class="MsoTitle"><span class=
1199 "MsoCommentReference"><span style='font-size:26.0pt; font-family:"Book Antiqua"'>
1200 </span></span></p>
1201 <p class="MsoSubtitle"><span class=
1202 "MsoCommentReference"><span style=
1203 'font-size: 18.0pt;font-family:"Book Antiqua"'>Version
1204 3.1.0</span></span></p>
1205 <p class="MsoSubtitle"><span class=
1206 "MsoCommentReference"><span style=
1207 'font-size: 18.0pt;font-family:"Book Antiqua"'>12 April 2003
1209 <p class="MsoSubtitle"><span class=
1210 "MsoCommentReference"><span style=
1211 'font-size: 15.5pt'> </span></span></p>
1212 <p class="MsoSubtitle"><span class=
1213 "MsoCommentReference"><span style=
1214 'font-size: 15.5pt'> </span></span></p>
1215 <p class="MsoSubtitle"><span class=
1216 "MsoCommentReference"><span style=
1217 'font-size: 15.5pt'> </span></span></p>
1218 <p class="MsoNormal"><span class=
1219 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1220 </span></span></p>
1221 <p class="MsoNormal"><span class=
1222 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1223 </span></span></p>
1224 <p class="MsoNormal"><span class=
1225 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1226 </span></span></p>
1227 <p class="MsoNormal"><span class=
1228 "MsoCommentReference"><span style='font-size:14.0pt; font-family:"Book Antiqua"'>
1229 </span></span></p>
1230 <p class="TextFontCX"><span class=
1231 "MsoCommentReference"><span style='font-size:15.5pt'> </span></span></p>
1232 <p class="TextFontCX" align="right" style=
1233 'margin-right: -58.5pt;text-align:right'><img width="364"
1234 height="181" src="manual-301_files/image002.gif" align="left"
1235 hspace="12" alt="Text Box:
1236 Secure Programming Group
1237 University of Virginia
1238 Department of Computer Science
1241 <p class="TextFontCX" style=
1242 'margin-left:28.35pt; text-indent:-14.15pt'><span class=
1243 "MsoCommentReference"><span style=
1244 'font-size: 15.5pt'> </span></span></p>
1245 <p class="TextFontCX" align="right" style=
1246 'margin-right: 9.0pt;text-align:right'><span class=
1247 "MsoCommentReference"><i><span style=
1248 'font-size:14.0pt'> </span></i></span></p></div>
1249 <span class="MsoCommentReference"><b><i><span style=
1250 'font-size:14.0pt;font-family: Arial'><br clear="all" style=
1251 'page-break-before:auto'></span></i></b></span>
1252 <div class="Section2"><span class=
1253 "MsoCommentReference"><span style='font-size: 15.5pt;font-family:"Times New Roman"'>
1254 <br clear="all" style='page-break-before: always'></span></span>
1255 <p class="TextFontCX"><span class=
1256 "MsoCommentReference"><b><span style=
1257 'font-size:14.0pt;font-family:Arial'> </span></b></span></p>
1258 <h4 style='margin-left:0in;text-indent:0in'><span class=
1259 "MsoCommentReference"><span style=
1260 'font-size:14.0pt'>Authors</span></span></h4>
1261 <p class="TextFontCX">This manual was written by David Evans,
1262 except for Section 9 and Appendix B which were written by David
1263 Larochelle and David Evans.</p>
1264 <h4 style='margin-left:0in;text-indent:0in'><span class=
1265 "MsoCommentReference"><span style=
1266 'font-size:14.0pt'>Credits</span></span></h4>
1267 <p class="TextFontCX">Splint is developed and maintained by the
1268 Secure Programming Group at the University of Virginia Department
1269 of Computer Science. David Evans is the project leader and
1270 the primary developer of Splint. David Larochelle developed
1271 the memory bounds checking. University of Virginia students
1272 Chris Barker, David Friedman, Mike Lanouette and Hien Phan all
1273 contributed significantly to the development of Splint.</p>
1274 <p class="TextFontCX"> </p>
1275 <p class="TextFontCX">Splint is the successor to LCLint, a tool
1276 originally developed as a joint research project between the
1277 Massachusetts Institute of Technology and Digital Equipment
1278 Corporation’s System Research Center. David Evans was
1279 the primary designed and developer of LCLint. John Guttag and
1280 Jim Horning had the original idea for a static checking tool for
1281 detecting inconsistencies between LCL specifications and their C
1282 implementations. They provided valuable advice on its
1283 functionality and design and were instrumental in its
1284 development. </p>
1285 <p class="TextFontCX"> </p>
1286 <p class="TextFontCX">Splint incorporates the original LCL checker
1287 developed by Yang Meng Tan. This was built on the DECspec
1288 Project (Joe Wild, Gary Feldman, Steve Garland, and Bill
1289 McKeeman). The LSL checker used by LCLint was developed by
1290 Steve Garland. The original C grammar for LCLint was provided
1291 by Nate Osgood. This work has also benefited greatly from
1292 discussions with Mike Burrows, David Friedman, Stephen Garland,
1293 Colin Godfrey, Steve Harrison, Yanlin Huang, Daniel Jackson, John
1294 Knight, David Larochelle, Angelika Leeb, Ulana Legedza, Gary
1295 McGraw, Anya Pogosyants, Avneesh Saxena, Seejo Sebastine, Navneet
1296 Singh, Raymie Stata, Yang Meng Tan, and Mark Vandevoorde. I
1297 especially thank Angelika Leeb for many constructive comments on
1298 improving an early version of this document, Raymie Stata and Mark
1299 Vandevoorde for technical assistance, and Dorothy Curtis, Paco
1300 Hope, Scott Ruffner, Christina Jackson, David Ladd, and Jessica
1301 Greer for systems assistance.</p>
1302 <p class="TextFontCX"> </p>
1303 <p class="TextFontCX">Much of Splint’s development has been
1304 driven by feedback from users in academia and industry. Many
1305 more people than I can mention here have made contributions by
1306 suggesting improvements, reporting bugs, porting early versions of
1307 Splint to other platforms. Particularly heroic contributions
1308 have been made by Nelson Beebe, Eric Bloodworth, Jutta Degener,
1309 Rick Farnbach, Chris Flatters, Huver Hu, Alexander Mai, John Gerard
1310 Malecki, Thomas G. McWilliams, Michael Meskes, Richard
1311 O’Keefe, Jens Schweikhardt, Albert L. Ting and Jim Zelenka.
1312 Martin “Herbert” Dietze and Mike Smith performed
1313 valiantly in producing the original Win32 and OS2 ports. Tim
1314 Van Holder produced the <span class="Keyword"><span style=
1315 'font-size:10.0pt;font-family:Arial;color:windowtext'>automake</span></span>
1316 and <span class="Keyword"><span style=
1317 'font-size:10.0pt;font-family:Arial; color:windowtext'>autoconf</span></span>
1318 distribution. </p>
1319 <p class="TextFontCX"> </p>
1320 <p class="TextFontCX">
1321 Splint research at the University of Virginia is currently funded in part by an NSF CAREER Award and an NSF CCLI Award for using analysis to teach software engineering. Splint has been previously supported by a grant from NASA and David Larochelle was funded by a USENIX student research grant.
1322 <span style='font-size:20.0pt'> </span></p></div>
1323 <span class="MsoCommentReference"><span style=
1324 'font-size:15.5pt;font-family:"Times New Roman"'><br clear="all"
1325 style='page-break-before:right'></span></span>
1326 <div class="Section3">
1327 <p class="MsoToc1" align="center" style='text-align:center'>
1328 <span class="MsoCommentReference"><span style=
1329 'font-size:15.5pt'>Contents</span></span></p>
1330 <p class="MsoToc1">1<span style=
1331 'font-size:12.0pt;font-weight:normal'> </span>
1332 <a href=#operation>Operation</a>................................................................................................................
1334 <p class="MsoToc2">1.1<span style=
1335 'font-size:12.0pt'> </span>
1336 Warnings.............................................................................................................
1338 <p class="MsoToc2">1.2<span style=
1339 'font-size:12.0pt'> </span>
1340 Flags....................................................................................................................
1342 <p class="MsoToc2">1.3<span style=
1343 'font-size:12.0pt'> </span> Stylized
1344 Comments...............................................................................................
1346 <p class="MsoToc3">1.3.1<span style=
1347 'font-size:12.0pt'> </span>
1348 Annotations...................................................................................................
1350 <p class="MsoToc3">1.3.2<span style=
1351 'font-size:12.0pt'> </span> Setting
1352 Flags..................................................................................................
1354 <p class="MsoToc1">2<span style=
1355 'font-size:12.0pt;font-weight:normal'> </span>
1357 Dereferences</a>...................................................................................................
1359 <p class="MsoToc3">2.1.1<span style=
1360 'font-size:12.0pt'> </span> Predicate
1361 Functions........................................................................................
1363 <p class="MsoToc3">2.1.2<span style=
1364 'font-size:12.0pt'> </span> Notnull
1365 Annotations........................................................................................
1367 <p class="MsoToc3">2.1.3<span style=
1368 'font-size:12.0pt'> </span> Relaxing Null
1369 Checking..................................................................................
1371 <p class="MsoToc1">3<span style=
1372 'font-size:12.0pt;font-weight:normal'> </span>
1375 Values</a>....................................................................................................
1377 <p class="MsoToc3">3.1.1<span style=
1378 'font-size:12.0pt'> </span> Undefined
1379 Parameters...................................................................................
1381 <p class="MsoToc3">3.1.2<span style=
1382 'font-size:12.0pt'> </span> Relaxing
1383 Checking.........................................................................................
1385 <p class="MsoToc3">3.1.3<span style=
1386 'font-size:12.0pt'> </span> Partially
1388 Structures............................................................................
1390 <p class="MsoToc1">4<span style=
1391 'font-size:12.0pt;font-weight:normal'> </span>
1393 Types</a>.......................................................................................................................
1395 <p class="MsoToc2">4.1<span style=
1396 'font-size:12.0pt'> </span> Built in C
1397 Types....................................................................................................
1399 <p class="MsoToc3">4.1.1<span style=
1400 'font-size:12.0pt'> </span>
1401 Characters....................................................................................................
1403 <p class="MsoToc3">4.1.2<span style=
1404 'font-size:12.0pt'> </span>
1405 Enumerators..................................................................................................
1407 <p class="MsoToc3">4.1.3<span style=
1408 'font-size:12.0pt'> </span> Numeric
1409 Types..............................................................................................
1411 <p class="MsoToc3">4.1.4<span style=
1412 'font-size:12.0pt'> </span> Arbitrary
1414 Types.................................................................................
1416 <p class="MsoToc2">4.2<span style=
1417 'font-size:12.0pt'> </span> Boolean
1418 Types.....................................................................................................
1420 <p class="MsoToc2">4.3<span style=
1421 'font-size:12.0pt'> </span> Abstract
1422 Types.....................................................................................................
1424 <p class="MsoToc3">4.3.1<span style=
1425 'font-size:12.0pt'> </span> Controlling
1426 Access.........................................................................................
1428 <p class="MsoToc3">4.3.2<span style=
1429 'font-size:12.0pt'> </span>
1430 Mutability......................................................................................................
1432 <p class="MsoToc2">4.4<span style=
1433 'font-size:12.0pt'> </span>
1434 Polymorphism.......................................................................................................
1436 <p class="MsoToc1">5<span style=
1437 'font-size:12.0pt;font-weight:normal'> </span>
1440 Management</a>............................................................................................
1442 <p class="MsoToc2">5.1<span style=
1443 'font-size:12.0pt'> </span> Storage
1444 Model......................................................................................................
1446 <p class="MsoToc2">5.2<span style=
1447 'font-size:12.0pt'> </span> Deallocation
1448 Errors...............................................................................................
1450 <p class="MsoToc3">5.2.1<span style=
1451 'font-size:12.0pt'> </span> Unshared
1452 References....................................................................................
1454 <p class="MsoToc3">5.2.2<span style=
1455 'font-size:12.0pt'> </span> Temporary
1456 Parameters..................................................................................
1458 <p class="MsoToc3">5.2.3<span style=
1459 'font-size:12.0pt'> </span> Owned and
1461 References.................................................................
1463 <p class="MsoToc3">5.2.4<span style=
1464 'font-size:12.0pt'> </span> Keep
1465 Parameters...........................................................................................
1467 <p class="MsoToc3">5.2.5<span style=
1468 'font-size:12.0pt'> </span> Shared
1469 References........................................................................................
1471 <p class="MsoToc3">5.2.6<span style=
1472 'font-size:12.0pt'> </span> Stack
1473 References..........................................................................................
1475 <p class="MsoToc3">5.2.7<span style=
1476 'font-size:12.0pt'> </span> Inner
1477 Storage.................................................................................................
1479 <p class="MsoToc2">5.3<span style=
1480 'font-size:12.0pt'> </span> Implicit Memory
1481 Annotations.................................................................................
1483 <p class="MsoToc2">5.4<span style=
1484 'font-size:12.0pt'> </span> Reference
1485 Counting..............................................................................................
1487 <p class="MsoToc1">6<span style=
1488 'font-size:12.0pt;font-weight:normal'> </span>
1490 Sharing</a>....................................................................................................................
1492 <p class="MsoToc2">6.1<span style=
1493 'font-size:12.0pt'> </span>
1494 Aliasing................................................................................................................
1496 <p class="MsoToc3">6.1.1<span style=
1497 'font-size:12.0pt'> </span> Unique
1498 Parameters........................................................................................
1500 <p class="MsoToc3">6.1.2<span style=
1501 'font-size:12.0pt'> </span> Returned
1502 Parameters.....................................................................................
1504 <p class="MsoToc2">6.2<span style=
1505 'font-size:12.0pt'> </span>
1506 Exposure..............................................................................................................
1508 <p class="MsoToc3">6.2.1<span style=
1509 'font-size:12.0pt'> </span> Read-Only
1510 Storage........................................................................................
1512 <p class="MsoToc3">6.2.2<span style=
1513 'font-size:12.0pt'> </span> Exposed
1514 Storage............................................................................................
1516 <p class="MsoToc1">7<span style=
1517 'font-size:12.0pt;font-weight:normal'> </span>
1520 Interfaces</a>.................................................................................................
1522 <p class="MsoToc2">7.1<span style=
1523 'font-size:12.0pt'> </span>
1524 Modifications........................................................................................................
1526 <p class="MsoToc3">7.1.1<span style=
1527 'font-size:12.0pt'> </span> State
1528 Modifications........................................................................................
1530 <p class="MsoToc3">7.1.2<span style=
1531 'font-size:12.0pt'> </span> Missing Modifies
1532 Clauses...............................................................................
1534 <p class="MsoToc2">7.2<span style=
1535 'font-size:12.0pt'> </span> Global
1536 Variables...................................................................................................
1538 <p class="MsoToc3">7.2.1<span style=
1539 'font-size:12.0pt'> </span> Controlling
1541 Checking..........................................................................
1543 <p class="MsoToc3">7.2.2<span style=
1544 'font-size:12.0pt'> </span> Definition
1545 State..............................................................................................
1547 <p class="MsoToc2">7.3<span style=
1548 'font-size:12.0pt'> </span> Declaration
1549 Consistency........................................................................................
1551 <p class="MsoToc2">7.4<span style=
1552 'font-size:12.0pt'> </span> State
1553 Clauses.......................................................................................................
1555 <p class="MsoToc2">7.5<span style=
1556 'font-size:12.0pt'> </span> Requires and
1558 Clauses...............................................................................
1560 <p class="MsoToc1">8<span style=
1561 'font-size:12.0pt;font-weight:normal'> </span>
1564 Flow</a>...........................................................................................................
1566 <p class="MsoToc2">8.1<span style=
1567 'font-size:12.0pt'> </span>
1568 Execution.............................................................................................................
1570 <p class="MsoToc2">8.2<span style=
1571 'font-size:12.0pt'> </span> Undefined
1572 Behavior..............................................................................................
1574 <p class="MsoToc2">8.3<span style=
1575 'font-size:12.0pt'> </span> Problematic
1577 Structures..............................................................................
1579 <p class="MsoToc3">8.3.1<span style=
1580 'font-size:12.0pt'> </span> Likely Infinite
1581 Loops......................................................................................
1583 <p class="MsoToc3">8.3.2<span style=
1584 'font-size:12.0pt'> </span>
1585 Switches.......................................................................................................
1587 <p class="MsoToc3">8.3.3<span style=
1588 'font-size:12.0pt'> </span> Deep
1589 Breaks.................................................................................................
1591 <p class="MsoToc3">8.3.4<span style=
1592 'font-size:12.0pt'> </span> Loop and If
1593 Bodies........................................................................................
1595 <p class="MsoToc3">8.3.5<span style=
1596 'font-size:12.0pt'> </span> Complete
1597 Logic.............................................................................................
1599 <p class="MsoToc2">8.4<span style=
1600 'font-size:12.0pt'> </span> Suspicious
1601 Statements...........................................................................................
1603 <p class="MsoToc3">8.4.1<span style=
1604 'font-size:12.0pt'> </span> Statements with
1606 Effects............................................................................
1608 <p class="MsoToc3">8.4.2<span style=
1609 'font-size:12.0pt'> </span> Ignored Return
1610 Values...................................................................................
1612 <p class="MsoToc1">9<span style=
1613 'font-size:12.0pt;font-weight:normal'> </span>
1616 Sizes</a>.............................................................................................................
1618 <p class="MsoToc2">9.1<span style=
1619 'font-size:12.0pt'> </span> Checking
1620 Accesses..............................................................................................
1622 <p class="MsoToc2">9.2<span style=
1623 'font-size:12.0pt'> </span> Annotating
1625 Sizes........................................................................................
1627 <p class="MsoToc2">9.3<span style=
1628 'font-size:12.0pt'> </span>
1629 Warnings.............................................................................................................
1631 <p class="MsoToc1">10<span style=
1632 'font-size:12.0pt;font-weight:normal'> </span>
1633 <a href=#extensible>
1635 Checking</a>............................................................................................
1637 <p class="MsoToc2">10.1<span style=
1638 'font-size:12.0pt'> </span>
1640 Attributes............................................................................................
1642 <p class="MsoToc2">10.2<span style=
1643 'font-size:12.0pt'> </span>
1644 Annotations......................................................................................................
1646 <p class="MsoToc2">10.3<span style=
1647 'font-size:12.0pt'> </span>
1648 Example...........................................................................................................
1650 <p class="MsoToc1">11<span style=
1651 'font-size:12.0pt;font-weight:normal'> </span>
1653 Macros</a>..................................................................................................................
1655 <p class="MsoToc2">11.1<span style=
1656 'font-size:12.0pt'> </span>
1658 Macros...............................................................................................
1660 <p class="MsoToc2">11.2<span style=
1661 'font-size:12.0pt'> </span>
1663 Macros.........................................................................................
1665 <p class="MsoToc3">11.2.1<span style=
1666 'font-size:12.0pt'> </span> Side
1668 Parameters.......................................................................
1670 <p class="MsoToc2">11.3<span style=
1671 'font-size:12.0pt'> </span>
1673 Checking...............................................................................
1675 <p class="MsoToc2">11.4<span style=
1676 'font-size:12.0pt'> </span>
1677 Iterators...........................................................................................................
1679 <p class="MsoToc3">11.4.1<span style=
1680 'font-size:12.0pt'> </span>
1682 Iterators.......................................................................................
1684 <p class="MsoToc3">11.4.2<span style=
1685 'font-size:12.0pt'> </span>
1687 Iterators...........................................................................................
1689 <p class="MsoToc1">12<span style=
1690 'font-size:12.0pt;font-weight:normal'> </span>
1693 Conventions</a>............................................................................................
1695 <p class="MsoToc2">12.1<span style=
1696 'font-size:12.0pt'> </span>
1698 Conventions......................................................................
1700 <p class="MsoToc3">12.1.1<span style=
1701 'font-size:12.0pt'> </span>
1703 Names.............................................................................................
1705 <p class="MsoToc3">12.1.2<span style=
1706 'font-size:12.0pt'> </span>
1708 Names............................................................................................
1710 <p class="MsoToc3">12.1.3<span style=
1711 'font-size:12.0pt'> </span>
1713 Names..................................................................................
1715 <p class="MsoToc2">12.2<span style=
1716 'font-size:12.0pt'> </span>
1718 Prefixes.........................................................................................
1720 <p class="MsoToc2">12.3<span style=
1721 'font-size:12.0pt'> </span>
1723 Restrictions..........................................................................................
1725 <p class="MsoToc3">12.3.1<span style=
1726 'font-size:12.0pt'> </span>
1728 Names........................................................................................
1730 <p class="MsoToc3">12.3.2<span style=
1731 'font-size:12.0pt'> </span>
1733 Names...........................................................................................
1735 <p class="MsoToc1">13<span style=
1736 'font-size:12.0pt;font-weight:normal'> </span>
1737 <a href=#completeness>
1738 Completeness</a>.......................................................................................................
1740 <p class="MsoToc2">13.1<span style=
1741 'font-size:12.0pt'> </span>
1743 Declarations.........................................................................................
1745 <p class="MsoToc2">13.2<span style=
1746 'font-size:12.0pt'> </span>
1748 Programs...........................................................................................
1750 <p class="MsoToc3">13.2.1<span style=
1751 'font-size:12.0pt'> </span>
1752 Unnecessarily External
1753 Names....................................................................
1755 <p class="MsoToc3">13.2.2<span style=
1756 'font-size:12.0pt'> </span>
1757 Declarations Missing from
1758 Headers.............................................................
1760 <p class="MsoToc1">14<span style=
1761 'font-size:12.0pt;font-weight:normal'> </span>
1763 Libraries and Header File
1764 Inclusion</a>....................................................................
1766 <p class="MsoToc2">14.1<span style=
1767 'font-size:12.0pt'> </span>
1769 Libraries.............................................................................................
1771 <p class="MsoToc3">14.1.1<span style=
1772 'font-size:12.0pt'> </span> ISO
1774 Library..................................................................................
1776 <p class="MsoToc3">14.1.2<span style=
1777 'font-size:12.0pt'> </span>
1779 Library...........................................................................................
1781 <p class="MsoToc3">14.1.3<span style=
1782 'font-size:12.0pt'> </span> UNIX
1783 Library............................................................................................
1785 <p class="MsoToc3">14.1.4<span style=
1786 'font-size:12.0pt'> </span>
1788 Libraries............................................................................................
1790 <p class="MsoToc2">14.2<span style=
1791 'font-size:12.0pt'> </span>
1793 Libraries..........................................................................................
1795 <p class="MsoToc3">14.2.1<span style=
1796 'font-size:12.0pt'> </span>
1797 Generating the Standard
1798 Libraries................................................................
1800 <p class="MsoToc2">14.3<span style=
1801 'font-size:12.0pt'> </span>
1803 Inclusion.........................................................................................
1805 <p class="MsoToc3">14.3.1<span style=
1806 'font-size:12.0pt'> </span>
1808 Constants.............................................................................
1810 <p class="MsoToc1">Appendix A<span style=
1811 'font-size:12.0pt;font-weight:normal'> </span>
1812 <a href=#availability>
1813 Availability</a>...............................................................................................
1815 <p class="MsoToc1">Appendix B<span style=
1816 'font-size:12.0pt;font-weight:normal'> </span>
1818 Flags</a>........................................................................................................
1820 <p class="MsoToc2">Global
1821 Flags...................................................................................................................
1824 Help..........................................................................................................................
1827 Initialization................................................................................................................
1830 Pre-processor............................................................................................................
1833 Libraries....................................................................................................................
1836 Output.......................................................................................................................
1838 <p class="MsoToc3">Expected
1839 Errors.........................................................................................................
1841 <p class="MsoToc2">Message
1842 Format............................................................................................................
1844 <p class="MsoToc2">Mode Selector
1845 Flags.......................................................................................................
1847 <p class="MsoToc2">Checking
1848 Flags...............................................................................................................
1851 Key...........................................................................................................................
1854 Types........................................................................................................................
1856 <p class="MsoToc3">Function
1857 Interfaces.....................................................................................................
1859 <p class="MsoToc3">Memory
1860 Management................................................................................................
1863 Sharing......................................................................................................................
1865 <p class="MsoToc3">Use Before Definition <i>(Section
1866 3)</i>...............................................................................
1868 <p class="MsoToc3">Null Dereferences <i>(Section
1869 2)</i>....................................................................................
1871 <p class="MsoToc3">Macros <i>(Section
1872 7)</i>....................................................................................................
1875 Iterators.....................................................................................................................
1877 <p class="MsoToc3">Naming
1878 Conventions...................................................................................................
1880 <p class="MsoToc3">Other
1881 Checks.............................................................................................................
1883 <p class="MsoToc2">Flag Name
1884 Abbreviations................................................................................................
1886 <p class="MsoToc1">Appendix C<span style=
1887 'font-size:12.0pt;font-weight:normal'> </span>
1888 <a href=#annotations>
1889 Annotations</a>.............................................................................................
1891 <p class="MsoToc3">Suppressing
1892 Warnings.................................................................................................
1894 <p class="MsoToc2">Syntactic
1895 Annotations.....................................................................................................
1898 Functions...................................................................................................................
1900 <p class="MsoToc3">Iterators (Section
1901 11.4)...............................................................................................
1903 <p class="MsoToc3">Constants (Section
1904 11.1).............................................................................................
1906 <p class="MsoToc3">Alternate Types (Section
1907 4.4)......................................................................................
1909 <p class="MsoToc3">Declarator
1910 Annotations...............................................................................................
1912 <p class="MsoToc3">Type
1913 Access..............................................................................................................
1915 <p class="MsoToc3">Macro
1916 Expansion......................................................................................................
1918 <p class="MsoToc3">Arbitrary Integral
1919 Types............................................................................................
1921 <p class="MsoToc3">Traditional Lint
1922 Comments........................................................................................
1924 <p class="MsoToc2">Metastate
1925 Definitions....................................................................................................
1927 <p class="MsoToc1">Appendix D<span style=
1928 'font-size:12.0pt;font-weight:normal'> </span>
1929 <a href=#specifications>
1930 Specifications<a/>.........................................................................................
1932 <p class="MsoToc3">Specification
1933 Flags....................................................................................................
1936 Appendix E<span style=
1937 'font-size:12.0pt;font-weight:normal'> </span>
1940 Bibliography</a>........................................................................
1943 <p class="TextFontCX"> </p></div>
1944 <span class="MsoCommentReference"><b><i><span style=
1945 'font-size:15.5pt;font-family: "Times New Roman";text-transform:uppercase'>
1946 <br clear="all" style=
1947 'page-break-before: right'></span></i></b></span>
1948 <div class="Section4">
1949 <p class="TextFontCX"><span style=
1950 'font-size:16.0pt'> </span></p>
1951 <p class="MsoNormal" align="center" style='text-align:center'>
1952 <b><span style='font-size:16.0pt'>Splint User’s
1953 Manual</span></b></p>
1954 <p class="MsoNormal" align="center" style='text-align:center'>
1956 <p class="MsoNormal" align="center" style='text-align:center'>
1958 <p class="MsoNormal" align="center" style='text-align:center'>7
1960 <p class="TextFontCX"> </p>
1961 <p class="TextFontCX">Splint<a href="#_ftn1" name="_ftnref1"
1962 title=""><span class="MsoFootnoteReference"><span class=
1963 "MsoFootnoteReference"><span style=
1964 'font-size:11.0pt;font-family:"Times New Roman"'>[1]</span></span></span></a>
1965 is a tool for statically checking C programs for security
1966 vulnerabilities and programming mistakes. Splint does many
1967 of the traditional lint checks including unused declarations,
1968 type inconsistencies, use before definition, unreachable code,
1969 ignored return values, execution paths with no return, likely
1970 infinite loops, and fall through cases. More powerful
1971 checks are made possible by additional information given in
1972 source code annotations. Annotations are stylized
1973 comments that document assumptions about functions, variables,
1974 parameters and types. In addition to the checks
1975 specifically enabled by annotations, many of the traditional
1976 lint checks are improved by exploiting this additional
1978 <p class="TextFontCX"> </p>
1979 <p class="TextFontCX">As more effort is put into annotating
1980 programs, better checking results. A representational
1981 effort-benefit curve for using Splint is shown in Figure 1.
1982 Splint is designed to be flexible and allow programmers to select
1983 appropriate points on the effort-benefit curve for particular
1984 projects. As different checks are turned on and more
1985 information is given in code annotations the number of bugs that
1986 can be detected increases dramatically.</p>
1987 <p class="TextFontCX"> </p>
1988 <p class="beforelist">Problems detected by Splint include:</p>
1989 <p class="TextFontCX" style=
1990 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
1991 'font-family:Symbol'>·<span style=
1992 'font:7.0pt "Times New Roman"'> </span></span>
1993 Dereferencing a possibly null pointer (Section 2);</p>
1994 <p class="TextFontCX" style=
1995 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
1996 'font-family:Symbol'>·<span style=
1997 'font:7.0pt "Times New Roman"'> </span></span>
1998 Using possibly undefined storage or returning storage that is not
1999 properly defined (Section 3);</p>
2000 <p class="MsoListBullet"><span style=
2001 'font-family:Symbol'>·<span style=
2002 'font:7.0pt "Times New Roman"'> </span></span>
2003 Type mismatches, with greater precision and flexibility than
2004 provided by C compilers (Section 4.1–4.2);</p>
2005 <p class="MsoListBullet"><span style=
2006 'font-family:Symbol'>·<span style=
2007 'font:7.0pt "Times New Roman"'> </span></span>
2008 Violations of information hiding (Section 4.3);</p>
2009 <p class="TextFontCX" style=
2010 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2011 'font-family:Symbol'>·<span style=
2012 'font:7.0pt "Times New Roman"'> </span></span>
2013 Memory management errors including uses of dangling references and
2014 memory leaks (Section 5);</p>
2015 <p class="TextFontCX" style=
2016 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2017 'font-family:Symbol'>·<span style=
2018 'font:7.0pt "Times New Roman"'> </span></span>
2019 Dangerous aliasing (Section 6);</p>
2020 <p class="TextFontCX" style=
2021 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2022 'font-family:Symbol'>·<span style=
2023 'font:7.0pt "Times New Roman"'> </span></span>
2024 Modifications and global variable uses that are inconsistent with
2025 specified interfaces (Section 7);</p>
2026 <p class="TextFontCX" style=
2027 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2028 'font-family:Symbol'>·<span style=
2029 'font:7.0pt "Times New Roman"'> </span></span>
2030 Problematic control flow such as likely infinite loops (Section
2031 8.3.1), fall through cases or incomplete switches (Section 8.3.2),
2032 and suspicious statements (Section 8.4);</p>
2033 <p class="TextFontCX" style=
2034 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2035 'font-family:Symbol'>·<span style=
2036 'font:7.0pt "Times New Roman"'> </span></span>
2037 Buffer overflow vulnerabilities (Section 9);</p>
2038 <p class="TextFontCX" style=
2039 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2040 'font-family:Symbol'>·<span style=
2041 'font:7.0pt "Times New Roman"'> </span></span>
2042 Dangerous macro implementations or invocations (Section 11);
2044 <p class="TextFontCX" style=
2045 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
2046 'font-family:Symbol'>·<span style=
2047 'font:7.0pt "Times New Roman"'> </span></span>
2048 Violations of customized naming conventions. (Section
2050 <p class="TextFontCX"> </p>
2051 <p class="MsoCaption"> </p>
2052 <center><img width="572" height="350" src=
2053 "manual-301_files/image003.gif">
2057 <p class="MsoCaption"><a name="_Toc534824605"></a><a name=
2058 "_Ref534821281">Figure</a> 1. Typical Effort-Benefit
2060 <p class="TextFontCX"> </p>
2061 <p class="TextFontCX">Splint checking can be customized to select
2062 what classes of errors are reported using command line flags and
2063 stylized comments in the code. In addition, users can define
2064 new annotations and associated checks to extend Splint’s
2065 checking or to enforce application specific properties (Section
2067 <p class="TextFontCX"><a name="_Ref343085763"></a><a name=
2068 "_Ref343065516"> </a></p>
2069 <p class="TextFontCX"><b>About This Document</b></p>
2070 <p class="TextFontCX">This document is a guide to using
2071 Splint. Section 1 explains how to run Splint, interpret
2072 messages and control checking. Sections 2–13 describe
2073 particular checks done by Splint. There are some minor
2074 dependencies between sections, but in general they can be read in
2075 any order. Section 14 covers issues involving libraries and
2076 header file inclusion important for running Splint on large
2078 <p class="TextFontCX"> </p>
2079 <p class="TextFontCX">This document does not describe technical
2080 details of the checking. For technical background and
2081 analysis of Splint’s effectiveness in practice, see the
2082 papers available at <a href=
2083 "http://www.splint.org/"><span style='font-size:10.0pt;font-family:Arial'>
2084 http://www.splint.org</span></a>. </p>
2086 <table cellspacing="0" cellpadding="0" hspace="0" width="80%"
2087 style="border-collapse: collapse" bordercolor="#111111">
2089 <td valign="top" align="left" style=
2090 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
2091 <p class="TextFontCX" align="right" style='text-align:right'>
2092 <a name="_Ref349497354"></a><a name=
2093 "_Ref348079997"><i><span style='font-size:9.0pt'>Since human
2094 beings themselves are not fully debugged yet, there will be
2095 bugs in your code no matter what you do.</span></i></a></p>
2096 <p class="TextFontCX" align="right" style=
2097 'margin-left:4.5pt;text-align:right'><span style=
2098 'font-size:9.0pt'>Chris Mason,</span><i><span style=
2099 'font-size:9.0pt'>Zero-defects memo</span></i>
2100 <span style='font-size:9.0pt'>(quoted in <i>Microsoft
2101 Secrets</i>, Cusumano and
2102 Selby)</span></p></td></tr></table></center>
2103 <h1 style='margin-left:0in;text-indent:0in'><a name=
2104 "Section1"></a><a name="_Toc534974932"></a><a name=
2105 "_Ref348785755">1<span style=
2106 'font:7.0pt "Times New Roman"'> </span>
2107 <a id="operation" name="operation"> Operation</a></h1>
2108 <p class="TextFontCX">Splint is invoked by listing files to be
2109 checked. Initialization files, command line flags, and
2110 stylized comments may be used to customize checking globally and
2112 <p class="TextFontCX"> </p>
2113 <p class="TextFontCX">The best way to learn to use Splint, of
2114 course, is to actually use it (if you don’t already have
2115 Splint installed on your system, see Appendix A). Before you
2116 read much further in this document, I recommend finding a small C
2117 program. Then, try running:</p>
2118 <p class="example" align="left">splint *.c</p>
2121 <p class="TextFontCX">For the most C programs, this will produce a
2122 large number of warnings. To turn off reporting for some of
2123 the warnings, try:<a name="_Ref347468509"></a><a name=
2124 "_Ref345591726"></a><a name="_Ref345568136"></a><a name=
2125 "_Ref345515100"></a><a name="_Ref345497041"></a><a name=
2126 "_Ref345435155"></a><a name="_Ref345257971"></a><a name=
2127 "_Ref344916723"></a><a name="_Ref344907348"></a><a name=
2128 "_Ref344891202"></a><a name="_Toc344355397"></a></p>
2129 <p class="example" align="left">splint -weak *.c</p>
2132 <p class="TextFontCX">The <span class="Flag"><span style=
2133 'font-size:10.0pt'>-weak</span></span> flag is a mode flag that
2134 sets many checking parameters to select weaker checking than is
2135 done in the default mode. Other Splint flags will be
2136 introduced in the following sections; a complete list is given in
2138 <h2 style='margin-left:0in;text-indent:0in'><a name=
2139 "_Toc534974933"></a><a name="_Toc344355435">1.1<span style=
2140 'font:7.0pt "Times New Roman"'> </span>
2142 <p class="beforelist">A typical warning message is:</p>
2143 <p class="IndentText" align="left" style="margin-bottom: 0.0003pt">
2144 <span style='font-size:10.0pt;font-family:Arial'>sample.c: (in
2145 function faucet)</span></p>
2146 <p class="IndentText" align="left"><span style=
2147 'font-size:10.0pt;font-family:Arial'>sample.c:11:12</span><span style='font-size:10.0pt; font-family:Arial'>
2148 : Fresh storage x not released before return</span></p>
2149 <p class="IndentText" align="left"><span style=
2150 'font-size:10.0pt;font-family:Arial'> A memory leak has been
2151 detected. Storage allocated locally is not released</span></p>
2152 <p class="IndentText" align="left"><span style=
2153 'font-size:10.0pt;font-family:Arial'> before the last
2154 reference to it is lost. (Use -mustfreefresh to inhibit</span></p>
2155 <p class="IndentText" align="left"><span style=
2156 'font-size:10.0pt;font-family:Arial'> warning)</span></p>
2157 <p class="IndentText" align="left"><span style=
2158 'font-size:10.0pt;font-family:Arial'> sample.c:5:47:
2159 Fresh storage x allocated</span></p>
2162 <p class="afterlist">The first line gives the name of the function
2163 in which the error is found. This is printed before the first
2164 message reported for a function. The second line is the text
2165 of the message. This message reports a memory
2166 leak—storage allocated in a function is not deallocated
2167 before the function returns. The file name, line and column
2168 number where the error is located precedes the text. </p>
2169 <p class="TextFontCX"> </p>
2170 <p class="TextFontCX">The next line is a hint giving more
2171 information about the suspected error, including information on how
2172 the warning message may be suppressed. For this message,
2173 using the <span class="Flag"><span style=
2174 'font-size:10.0pt'>‑mustfreefresh</span></span> flag
2175 would prevent this warning from being reported. This flag can
2176 be set at the command line, or more precisely just around the code
2177 point in question by using annotations (see Section 1.3.2).</p>
2178 <p class="TextFontCX"> </p>
2179 <p class="TextFontCX">The final line of the message gives
2180 additional location information. For this message, it tells
2181 where the leaking storage was allocated.</p>
2182 <p class="TextFontCX"> </p>
2183 <p class="beforelist">The generic message format is (parts enclosed
2184 in square brackets are optional):</p>
2185 <p class="Verbatim" align="left"><span style=
2186 'font-family:Arial'> [<file>:<line> (in
2187 <context>)]</span></p>
2188 <p class="Verbatim" align="left"><span style=
2189 'font-family:Arial'>
2190 <file>:<line>[,<column>]:
2191 <i>message</i></span></p>
2192 <p class="Verbatim" align="left"><span style=
2193 'font-family:Arial'>
2194 [<i>hint</i>]</span></p>
2195 <p class="Verbatim" align="left"><span style=
2196 'font-family:Arial'>
2197 <file>:<line>,<column>: <i>extra location
2198 information, if appropriate</i></span></p>
2201 <p class="afterlist">Users can customize the format and content of
2202 messages printed by Splint. The function context is not
2203 printed if <span class="Flag"><span style=
2204 'font-size:10.0pt'>-showfunc</span></span> is used.
2205 Column numbers are not printed if <span class=
2206 "Flag"><span style='font-size:10.0pt'>‑showcol</span></span> is
2207 used. The <span class="Flag"><span style=
2208 'font-size:10.0pt'>+parenfileformat</span></span> flag
2209 can be used to generate file locations in the format
2210 recognized by Microsoft Visual Studio. If <span class=
2212 'font-size:10.0pt'>+parenfileformat</span></span> is set, the
2213 line number follows the file name in parentheses (e.g.,
2214 <span class="PlainText"><span style=
2215 'font-size:10.0pt;font-family:Arial'>sample.c(11)</span></span>.)
2216 Messages are split into lines of length less than the
2217 value set using <span class="Flag"><span style=
2218 'font-size:10.0pt'>-linelen
2219 <i><number></i></span></span>. The default line
2220 length is 80 characters. Splint attempts to split lines
2221 in a sensible place as near to the line length limit as
2223 <p class="afterlist" style='margin-top:0in'> </p>
2224 <p class="afterlist" style='margin-top:0in'>The <span class=
2226 'font-size:10.0pt'>‑hints</span></span> prevents any
2227 hints from being printed. Normally, a hint is given only the
2228 first time a class of error is reported. To have Splint print
2229 a hint for every message regardless, use <span class=
2231 'font-size:10.0pt'>+forcehints</span></span>.</p>
2232 <h2 style='margin-left:0in;text-indent:0in'><a name=
2233 "_Toc534974934"></a><a name="_Ref348343333"></a><a name=
2234 "_Ref348343330"></a><a name="_Ref348092990"></a><a name=
2235 "_Ref344882148"></a><a name="_Ref344870278"></a><a name=
2236 "_Toc344355436">1.2<span style=
2237 'font:7.0pt "Times New Roman"'> </span>
2239 <p class="TextFontCX">So that many programming styles can be
2240 supported, Splint provides several hundred flags for controlling
2241 checking and message reporting. Some of the flags are
2242 introduced in the body of this document. Appendix B describes
2243 every flag. Modes and shortcut flags are provided for setting
2244 many flags at once. Individual flags can override the mode
2246 <p class="TextFontCX"> </p>
2247 <p class="TextFontCX">Flags are preceded by <span class=
2248 "Flag"><span style='font-size:10.0pt'>+</span></span> or
2249 <span class="Flag"><span style=
2250 'font-size:10.0pt'>-</span></span>. When a flag is preceded
2251 by <span class="Flag"><span style=
2252 'font-size:10.0pt'>+</span></span> we say it is <i>on</i>; when it
2253 is preceded by <span class="Flag"><span style=
2254 'font-size:10.0pt'>-</span></span> it is <i>off</i>. The precise
2255 meaning of on and off depends on the type of flag. </p>
2256 <p class="TextFontCX"> </p>
2257 <p class="TextFontCX">The <span class="Flag"><span style=
2258 'font-size:10.0pt'>+</span></span>/<span class=
2259 "Flag"><span style='font-size:10.0pt'>-</span></span> flag
2260 settings are used for consistency and clarity, but contradict
2261 standard UNIX usage and it is easy to accidentally use the
2262 wrong one. To reduce the likelihood of using the wrong
2263 flag, Splint issues warnings when a flag is set in an unusual
2264 way. Warnings are issued when a flag is redundantly set
2265 to the value it already had (these errors are not reported if
2266 the flag is set using a stylized comment), if a mode flag or
2267 special flag is set after a more specific flag that will be
2268 set by the general flag was already set, if value flags are
2269 given unreasonable values, of if flags are set in an
2270 inconsistent way. The <span class="Flag"><span style=
2271 'font-size: 10.0pt'>-warnflags</span></span> flag
2272 suppresses these warnings.</p>
2273 <p class="TextFontCX"> </p>
2274 <p class="TextFontCX">Default flag settings will be read from
2275 <span class="Keyword"><span style=
2276 'font-size:10.0pt;font-family: Arial;color:windowtext'>~/.splintrc</span></span> if
2277 it is readable. If there is a <span class=
2278 "Keyword"><span style=
2279 'font-size:10.0pt;font-family:Arial;color:windowtext'>.splintrc</span></span> file
2280 in the working directory, settings in this file will be read next
2281 and its settings will override those in <span class=
2282 "Keyword"><span style=
2283 'font-size:10.0pt;font-family:Arial; color:windowtext'>~/.splintrc</span></span>.
2284 Command-line flags override settings in either file. The
2285 syntax of the <span class="Keyword"><span style=
2286 'font-size:10.0pt;font-family:Arial;color:windowtext'>.splintrc</span></span> file
2287 is the same as that of command-line flags, except that flags may be
2288 on separate lines and the <span class="CodeText"><span style=
2289 'font-size:10.0pt'>#</span></span> character may be used to
2290 indicate that the remainder of the line is a comment. The
2291 <span class="Flag"><span style=
2292 'font-size:10.0pt'>-nof</span></span> flag prevents the
2293 <span class="Keyword"><span style=
2294 'font-size:10.0pt;font-family: Arial;color:windowtext'>~/.splintrc</span></span> file
2295 from being loaded. The <span class="Flag"><span style=
2296 'font-size:10.0pt'>-f</span></span> <span class=
2298 'font-size:10.0pt'><i><filename></i></span></span> flag
2299 loads options from <i>filename</i>.</p>
2300 <p class="TextFontCX"> </p>
2301 <p class="TextFontCX">To make flag names more readable, hyphens
2302 (<span class="Flag"><span style=
2303 'font-size:10.0pt'>-</span></span>), underscores
2304 (<span class="Flag"><span style=
2305 'font-size:10.0pt'>_</span></span>) and spaces in flags at
2306 the command line are ignored. Hence, <span class=
2308 'font-size:10.0pt'>warnflags</span></span>, <span class=
2310 'font-size:10.0pt'>warn-flags</span></span> and <span class=
2312 'font-size:10.0pt'>warn_flags</span></span> all select the
2313 <span class="Flag"><span style=
2314 'font-size:10.0pt'>warnflags</span></span> option.</p>
2315 <h2 style='margin-left:0in;text-indent:0in'><a name=
2316 "_Toc534974935"></a><a name="_Toc344355442"></a><a name=
2317 "_Ref343086686">1.3<span style=
2318 'font:7.0pt "Times New Roman"'> </span>
2319 Stylized Comments</a></h2>
2320 <p class="TextFontCX">Stylized comments are used to provide extra
2321 information about a type, variable or function interface to improve
2322 checking, or to control flag settings locally.</p>
2323 <p class="TextFontCX"> </p>
2324 <p class="TextFontCX">All stylized comments begin with
2325 <span class="CodeText"><span style=
2326 'font-size:10.0pt'>/*@</span></span> and are closed by the
2327 end of the comment. The role of the <span class=
2328 "CodeText"><span style=
2329 'font-size:10.0pt'>@</span></span> may be played by any
2330 printable character. Use <span class=
2331 "Flag"><span style='font-size:10.0pt'>-commentchar</span></span><span class="Flag">
2333 'font-size:10.0pt'> <i><char></i></span></span> to
2334 select a different stylized comment marker.</p>
2335 <h3 style='margin-left:0in;text-indent:0in'><a name=
2336 "_Toc534974936">1.3.1<span style=
2337 'font:7.0pt "Times New Roman"'> </span>
2338 Annotations</a></h3>
2339 <p class="TextFontCX">Annotations are stylized comments that follow
2340 a definite syntax. Although they are comments, they may only
2341 be used in fixed grammatical contexts (e.g., like a type
2343 <p class="TextFontCX"> </p>
2344 <p class="TextFontCX">Sections 2–6­ describe
2345 annotations for expressing assumptions about variables,
2346 parameters, return values, structure fields and
2347 type definitions. For example, <span class=
2348 "Annot"><span style='font-size:10.0pt'>/*@null@*/</span></span> is
2349 used to express an assumption that a parameter may be NULL.
2350 Section 7 describes annotations for describing function
2351 interfaces. Other annotations are described in later sections
2352 and Section 10 describes mechanisms users can employ to define new
2353 annotations. A summary of annotations is found in Appendix
2355 <p class="TextFontCX"> </p>
2356 <p class="TextFontCX">Some annotations, known as control comments,
2357 may appear between any two tokens in a C program (unlike regular C
2358 comments, control comments should not be used within a single token
2359 as they introduce new separators in the code). Syntactically,
2360 they are no different from standard comments. Control
2361 comments are used to provide source-level control of Splint
2362 checking. They may be used to suppress spurious messages, set
2363 flags, and control checking locally in other ways.</p>
2364 <h3 style='margin-left:0in;text-indent:0in'><a name=
2365 "_Toc534974937"></a><a name="_Ref534648584">1.3.2<span style=
2366 'font:7.0pt "Times New Roman"'> </span>
2367 Setting Flags</a></h3>
2368 <p class="TextFontCX">Most flags (all except those characterized as
2369 “global” in Appendix B) can be set locally using
2370 control comments. A control comment can set flags locally to
2371 override the command line settings. The original flag
2372 settings are restored before processing the next file. The syntax
2373 for setting flags in control comments is the same as that of the
2374 command line, except that flags may also be preceded by
2375 <span class="CodeText"><span style=
2376 'font-size:10.0pt'>=</span></span> to restore their setting
2377 to the original command-line value. For instance,</p>
2378 <p class="example"><span class="Annot"><span style=
2379 'font-size:10.0pt'>/*@+charint</span></span> <span class=
2380 "Annot"><span style=
2381 'font-size:10.0pt'>-modifies</span></span><span class=
2382 "Annot"><span style=
2383 'font-size:10.0pt'>=showfunc</span></span><span class=
2384 "Annot"><span style='font-size:10.0pt'>@*/</span></span></p>
2385 <p class="TextFontCX">sets <span class="Flag"><span style=
2386 'font-size:10.0pt'>charint</span></span> on (this makes
2387 <span class="CodeText"><span style=
2388 'font-size:10.0pt'>char</span></span> and <span class=
2389 "CodeText"><span style='font-size:10.0pt'>int</span></span>
2390 indistinguishable types), sets <span class=
2391 "Flag"><span style='font-size:10.0pt'>modifies</span></span>
2392 off (this prevents reporting of modification errors), and
2393 sets <span class="Flag"><span style=
2394 'font-size:10.0pt'>showfunc</span></span> to its
2395 original setting (this controls whether or not the name
2396 of a function <a name="_Toc344355449">is displayed before a
2397 message).</a><a name="_Ref348845205"></a><a name=
2398 "_Ref348845200"></a> <a name="_Ref348785779"></a></p>
2399 <h1 style='margin-left:0in;text-indent:0in'><a name=
2400 "_Toc534974938"></a><a name="_Ref534641443"></a><a name=
2401 "_Ref534093860"></a><a name="_Ref534050017"></a><a name=
2402 "_Ref534008843">2<span style=
2403 'font:7.0pt "Times New Roman"'> </span>
2404 <a id="null" name="null">Null Dereferences</a></a></h1>
2405 <p class="TextFontCX">A common cause of program failures is when a
2406 null pointer is dereferenced. Splint detects these
2407 errors by distinguishing possibly <span class=
2408 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>
2409 pointers at interface boundaries.</p>
2410 <p class="TextFontCX"> </p>
2411 <p class="TextFontCX">The <span class="Annot"><span style=
2412 'font-size:10.0pt'>null</span></span> annotation is used to
2413 indicate that a pointer value may be <span class=
2414 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2415 A pointer declared with no <span class="Annot"><span style=
2416 'font-size:10.0pt'>null</span></span> annotation, may not be
2417 <span class="CodeText"><span style=
2418 'font-size:10.0pt'>NULL</span></span>. If null checking is
2419 turned on (controlled by <span class="Flag"><span style=
2420 'font-size:10.0pt'>null</span></span>), Splint will report an error
2421 when a possibly null pointer is passed as a parameter, returned as
2422 a result, or assigned to an external reference with no
2423 <span class="Annot"><span style=
2424 'font-size:10.0pt'>null</span></span> qualifier.</p>
2425 <p class="TextFontCX"> </p>
2426 <p class="TextFontCX">If a pointer is declared with the
2427 <span class="Annot"><span style=
2428 'font-size:10.0pt'>null</span></span> annotation, the code
2429 must check that it is not <span class="CodeText"><span style=
2430 'font-size:10.0pt'>NULL</span></span> on all paths leading to
2431 a dereference of the pointer (or the pointer being returned
2432 or passed as a value with no <span class="Annot"><span style=
2433 'font-size:10.0pt'>null</span></span> annotation).
2434 Dereferences of possibly null pointers may be protected by
2435 conditional statements or <span class="CodeText"><span style=
2436 'font-size:10.0pt'>assert</span></span>ions (to see how
2437 <span class="CodeText"><span style=
2438 'font-size:10.0pt'>assert</span></span> is declared see
2439 Section 8.1) that check the pointer is not <span class=
2440 "CodeText"><span style=
2441 'font-size:10.0pt'>NULL</span></span>.</p>
2442 <p class="TextFontCX"> </p>
2443 <p class="TextFontCX">Consider two implementations of
2444 <span class="CodeText"><span style=
2445 'font-size:10.0pt'>firstChar</span></span> in Figure 2. For
2446 <span class="CodeText"><span style=
2447 'font-size:10.0pt'>firstChar1</span></span>, Splint reports
2448 an error since the pointer that is dereferenced is declared
2449 with a <span class="Annot"><span style=
2450 'font-size:10.0pt'>null</span></span> annotation.
2451 For <span class="CodeText"><span style=
2452 'font-size:10.0pt'>firstChar2</span></span>, no error is
2453 reported since the true branch of the <span class=
2454 "CodeText"><span style='font-size:10.0pt'>s ==
2455 NULL</span></span> if statement returns, so the dereference
2456 of <span class="CodeText"><span style=
2457 'font-size:10.0pt'>s</span></span> is only reached if
2458 <span class="CodeText"><span style=
2459 'font-size:10.0pt'>s</span></span> is not <span class=
2460 "CodeText"><span style=
2461 'font-size:10.0pt'>NULL</span></span>.</p>
2463 <table class="MsoNormalTable" border="0" cellspacing="0"
2464 cellpadding="0" style=
2465 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
2467 <td valign="top" style=
2468 'width:207.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
2469 <p class="TextFontCX" align="center" style='text-align:center'>
2470 <span class="Keyword"><b><span style=
2471 'font-size:10.0pt; color:white'>null.c</span></b></span></p></td>
2472 <td valign="top" style=
2473 'width:220.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
2474 <p class="TextFontCX" align="center" style='text-align:center'>
2475 <b><span style='color:white'>Running
2476 Splint</span></b></p></td></tr>
2478 <td valign="top" style=
2479 'width:207.0pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
2480 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
2481 <p class="Verbatim"><span style='font-size:9.0pt'>char firstChar1
2482 (/*@null@*/ char *s)</span></p>
2483 <p class="Verbatim"><span style='font-size:9.0pt'>{<br></span>
2484 <span class="Line"><span style=
2485 'font-size:8.0pt'>3</span></span><span style=
2486 'font-size:9.0pt'> return *s;</span></p>
2487 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
2488 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
2489 <p class="Verbatim"><span style='font-size:9.0pt'>char firstChar2
2490 (/*@null@*/ char *s)</span></p>
2491 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
2492 <p class="Verbatim"><span style='font-size:9.0pt'> if
2493 (s == NULL) return ‘\0’;<br></span> <span class=
2495 'font-size:8.0pt'>9</span></span><span style='font-size:9.0pt'>
2496 return *s;</span></p>
2497 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
2498 <td valign="top" style=
2499 'width:220.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
2500 <p class="lclintrun">> splint null.c</p>
2501 <p class="lclintrun">Splint 3.0.1</p>
2502 <p class="lclintrun"> </p>
2503 <p class="lclintrun">null.c: (in function firstChar1)</p>
2504 <p class="lclintrun">null.c:3:11: Dereference of possibly null
2506 <p class="lclintrun"> null.c:1:35: Storage s may become
2508 <p class="lclintrun"> </p>
2509 <p class="lclintrun">Finished checking --- 1 code warning found</p>
2510 <p class="TextFontCX"> </p></td></tr></table>
2511 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
2512 style="border-collapse: collapse" bordercolor="#111111">
2514 <td valign="top" align="left" style=
2515 'padding-top:6.5pt;padding-right: 9.35pt;padding-bottom:6.5pt;padding-left:9.35pt'>
2516 <p class="MsoCaption"><a name="_Ref534981289"></a><a name=
2517 "_Toc534824606"></a><a name="_Ref534981293">Figure 2</a>.
2519 <p class="MsoNormal" align="left" style=
2520 'margin-top:0in;margin-right:26.55pt; margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;text-align:left; background:white'>
2521 <span style='font-size:10.0pt'>Output from running Splint is
2522 displayed in</span> <span style=
2523 'font-size:10.0pt;font-family:"Arial Narrow"'>sans-serif</span>
2524 <span style='font-size:10.0pt'>font. The command line is
2525 preceded by</span> <span style=
2526 'font-size:10.0pt;font-family:Arial'>></span><span style=
2527 'font-size: 10.0pt'>, the rest is output from Splint.
2528 Explanations added to the code or splint output are shown in
2529 <i>italics</i>. Code shown in the figures in this document is
2530 available from the splint web site,</span> <span style=
2531 'font-size:10.0pt;font-family:Arial'>http://www.splint.org</span><span style='font-size:10.0pt'>
2532 . No error is reported for line 9, since the dereference is
2533 reached only if</span> <span class="CodeText"><span style=
2534 'font-size:10.0pt'>s</span></span> <span style=
2535 'font-size:10.0pt'>is non-null. For most of the figures, the
2536 options</span> <span class="Flag"><span style=
2537 'font-size:9.0pt'>-linelen 55 -hints –showcol</span></span>
2538 <span style='font-size:10.0pt'>were used to produce condensed
2539 output, and</span> <span class="Flag"><span style=
2540 'font-size:9.0pt'>–exportlocal</span></span>
2541 <span style='font-size:10.0pt'>to inhibit warnings about
2543 declarations. </span></p></td></tr></table></center>
2544 <h3 style='margin-left:0in;text-indent:0in'><a name=
2545 "_Toc534974939"></a><a name="_Ref344185475">2.1.1<span style=
2546 'font:7.0pt "Times New Roman"'> </span>
2547 Predicate Functions</a></h3>
2548 <p class="TextFontCX">Another way to protect null dereference, is
2549 to declare a function using <span class="Annot"><span style=
2550 'font-size:10.0pt'>nullwhentrue</span></span> or <span class=
2551 "Annot"><span style=
2552 'font-size:10.0pt'>falsewhennull</span></span>(these annotations
2553 where originally <span class="Annot"><span style=
2554 'font-size:10.0pt'>falsenull</span></span> and <span class=
2555 "Annot"><span style='font-size:10.0pt'>truenull</span></span>, but
2556 were renamed to clarify the logical asymmetry; <span class=
2557 "Annot"><span style='font-size:10.0pt'>falsenull</span></span> and
2558 <span class="Annot"><span style=
2559 'font-size:10.0pt'>truenull</span></span> may still be used) and
2560 call the function in a conditional statement before the
2561 <span class="Annot"><span style=
2562 'font-size:10.0pt'>null</span></span>-annotated pointer is
2563 dereferenced. </p>
2564 <p class="TextFontCX"> </p>
2565 <p class="TextFontCX">If a function annotated with
2566 <span class="Annot"><span style=
2567 'font-size:10.0pt'>nullwhentrue</span></span> returns true it
2568 means its first passed parameter is <span class=
2569 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2570 If it returns false, the parameter is not <span class=
2571 "CodeText"><span style=
2572 'font-size:10.0pt'>NULL</span></span>. Note that it may
2573 return true for a parameter that is not <span class=
2574 "CodeText"><span style=
2575 'font-size:10.0pt'>NULL</span></span>. A more
2576 descriptive name for <span class="Annot"><span style=
2577 'font-size:10.0pt'>nullwhentrue</span></span> would be
2578 “if the result is false, the parameter was not
2579 null”. For example, if <span class=
2580 "CodeText"><span style=
2581 'font-size:10.0pt'>isNull</span></span> is declared as,</p>
2582 <p class="example"> /*@nullwhentrue@*/ bool isNull
2583 (/*@null@*/ char *x);</p>
2584 <p class="beforelist">we could write <span class=
2585 "CodeText"><span style=
2586 'font-size: 10.0pt'>firstChar2</span></span>:</p>
2587 <p class="Verbatim"> char firstChar2 (/*@null@*/ char
2589 <p class="Verbatim"> {</p>
2590 <p class="Verbatim" style='margin-left:.5in'>if (isNull (s)) return
2593 <p class="Verbatim"> }</p>
2594 <p class="afterlist">No error is reported since the dereference of
2595 <span class="CodeText"><span style=
2596 'font-size:10.0pt'>s</span></span> is only reached if
2597 <span class="CodeText"><span style=
2598 'font-size:10.0pt'>isNull(s)</span></span> is false, and
2599 since <span class="CodeText"><span style=
2600 'font-size:10.0pt'>isNull</span></span> is declared with the
2601 <span class="Annot"><span style=
2602 'font-size:10.0pt'>nullwhentrue</span></span> annotation this
2603 means <span class="CodeText"><span style=
2604 'font-size:10.0pt'>s</span></span> must not be null.</p>
2605 <p class="TextFontCX"> </p>
2606 <p class="TextFontCX">The <span class="Annot"><span style=
2607 'font-size:10.0pt'>falsewhennull</span></span> annotation is not
2608 quite the logical opposite of <span class=
2609 "Annot"><span style='font-size:10.0pt'>nullwhentrue</span></span>.
2610 If a function declared with <span class="Annot"><span style=
2611 'font-size:10.0pt'>falsewhennull</span></span> returns true,
2612 it means its parameter is definitely not <span class=
2613 "CodeText"><span style=
2614 'font-size:10.0pt'>NULL</span></span>. If it returns
2615 false, the parameter may or may not be <span class=
2616 "CodeText"><span style=
2617 'font-size:10.0pt'>NULL</span></span>. That is a
2618 <span class="Annot"><span style=
2619 'font-size:10.0pt'>falsewhennull</span></span> always returns
2620 false when passed a <span class="CodeText"><span style=
2621 'font-size: 10.0pt'>NULL</span></span> parameter; it may
2622 sometimes return false when passed a non-<span class=
2623 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>
2625 <p class="TextFontCX"> </p>
2626 <p class="beforelist">For example, we could define
2627 <span class="CodeText"><span style=
2628 'font-size:10.0pt'>isNonEmpty</span></span> to return true if
2629 its parameter is not <span class="CodeText"><span style=
2630 'font-size:10.0pt'>NULL</span></span> and has least one
2631 character before the <span class="CodeText"><span style=
2632 'font-size:10.0pt'>NUL</span></span> terminator:</p>
2633 <p class="Verbatim"> /*@falsewhennull@*/ bool
2634 isNonEmpty (/*@null@*/ char *x)</p>
2635 <p class="Verbatim"> {</p>
2636 <p class="Verbatim"> return (x != NULL
2637 && *x != ‘\0’);</p>
2638 <p class="Verbatim"> }</p>
2639 <p class="afterlist">Splint does not check that the implementation
2640 of a function declared with <span class="Annot"><span style=
2641 'font-size:10.0pt'>nullwhentrue</span></span> or <span class=
2642 "Annot"><span style='font-size:10.0pt'>falsewhennull</span></span>
2643 is consistent with its annotation, but assumes the annotation is
2644 correct when code that calls the function is checked.</p>
2645 <h3 style='margin-left:0in;text-indent:0in'><a name=
2646 "_Toc534974940">2.1.2<span style=
2647 'font:7.0pt "Times New Roman"'> </span>
2648 Notnull Annotations</a></h3>
2649 <p class="TextFontCX">The <span class="Annot"><span style=
2650 'font-size:10.0pt'>notnull</span></span> annotation specifies that
2651 a declarator is definitely not <span class=
2652 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>.
2653 By default, this is assumed, but it may be necessary to use
2654 <span class="Annot"><span style=
2655 'font-size:10.0pt'>notnull</span></span> to override a
2656 <span class="Annot"><span style=
2657 'font-size:10.0pt'>null</span></span> in a type
2658 definition. The <span class="Annot"><span style=
2659 'font-size:10.0pt'>null</span></span> annotation may be used
2660 in a type definition to indicate that all instances of the
2661 type may be <span class="CodeText"><span style=
2662 'font-size:10.0pt'>NULL</span></span>. For declarations
2663 of a type declared using <span class="Annot"><span style=
2664 'font-size:10.0pt'>null</span></span>, the <span class=
2665 "Annot"><span style='font-size:10.0pt'>null</span></span>
2666 annotation in the type definition may be overridden with
2667 <span class="Annot"><span style=
2668 'font-size:10.0pt'>notnull</span></span>. This is
2669 particularly useful for parameters to hidden <span class=
2670 "CodeText"><span style=
2671 'font-size:10.0pt'>static</span></span> operations of
2672 abstract types (see Section 4.3) where the null test has
2673 already been done before the function is called, or function
2674 results known to never be <span class="CodeText"><span style=
2675 'font-size:10.0pt'>NULL</span></span>. For an abstract
2676 type, <span class="Flag"><span style=
2677 'font-size:10.0pt'>notnull</span></span> may not be used for
2678 parameters to external functions, since clients should not be
2679 aware of when the concrete representation may by <span class=
2680 "CodeText"><span style=
2681 'font-size:10.0pt'>NULL</span></span>. Parameters to
2682 static functions in the implementation module, however, may
2683 be declared using <span class="Annot"><span style=
2684 'font-size:10.0pt'>notnull</span></span>, since they may only
2685 be called from places where the representation is
2686 accessible. Return values for <span class=
2687 "CodeText"><span style=
2688 'font-size:10.0pt'>static</span></span> or external functions
2689 may be declared using <span class="Annot"><span style=
2690 'font-size:10.0pt'>notnull</span></span>. </p>
2691 <h3 style='margin-left:0in;text-indent:0in'><a name=
2692 "_Toc534974941"></a><a name="_Ref347853058">2.1.3<span style=
2693 'font:7.0pt "Times New Roman"'> </span>
2694 Relaxing Null Checking</a></h3>
2695 <p class="TextFontCX">An additional annotation, <span class=
2696 "Annot"><span style='font-size:10.0pt'>relnull</span></span> may be
2697 used to relax null checking. No error is reported when a
2698 <span class="Annot"><span style=
2699 'font-size:10.0pt'>relnull</span></span> value is dereferenced, or
2700 when a possibly null value is assigned to an identifier declared
2701 using <span class="Annot"><span style=
2702 'font-size:10.0pt'>relnull</span></span>.</p>
2703 <p class="TextFontCX"> </p>
2704 <p class="TextFontCX">This is generally used for structure fields
2705 that may or may not be null depending on some other
2706 constraint. Splint does not report and error when
2707 <span class="CodeText"><span style=
2708 'font-size:10.0pt'>NULL</span></span> is assigned to a
2709 <span class="Annot"><span style=
2710 'font-size:10.0pt'>relnull</span></span> reference, or when a
2711 <span class="Annot"><span style=
2712 'font-size:10.0pt'>relnull</span></span> reference is
2713 dereferenced. It is up to the programmer to ensure that
2714 this constraint is satisfied before the pointer is
2716 <h1 style='margin-left:0in;text-indent:0in'><a name=
2717 "_Ref348845237"></a><a name="_Ref347254431"></a><a name=
2718 "_Ref347169350"></a><a name="_Ref344916590"></a><a name=
2719 "_Ref344907893"></a><a name="_Toc344355407"></a><a name=
2720 "_Toc534974942"></a><a name="_Ref534641444"></a><a name=
2721 "_Ref534093775"></a><a name="_Ref534093769"></a><a name=
2722 "_Ref534049950">3<span style=
2723 'font:7.0pt "Times New Roman"'> </span>
2724 <a id="undefined" name="undefined">Undefined Values</a></a></h1>
2725 <p class="TextFontCX">Like many static checkers, Splint detects
2726 instances where the value of a location is used before it is
2727 defined. This analysis is done at the procedural level.
2728 If there is a path through the procedure that uses a local variable
2729 before it is defined, a use before definition error is
2730 reported. The <span class="Flag"><span style=
2731 'font-size:10.0pt'>usedef</span></span> flag controls use before
2732 definition checking.</p>
2733 <p class="TextFontCX"> </p>
2734 <p class="TextFontCX">Splint can do more checking than standard
2735 checkers though, because the annotations can be used to describe
2736 what storage must be defined and what storage may be undefined at
2737 interface points. Unannotated references are expected to be
2738 completely defined at interface points. This means all
2739 storage reachable from a global variable, parameter to a function,
2740 or function return value is defined before and after a function
2742 <h3 style='margin-left:0in;text-indent:0in'><a name=
2743 "_Toc534974943"></a><a name="_Ref347811030"></a><a name=
2744 "_Ref347204458">3.1.1<span style=
2745 'font:7.0pt "Times New Roman"'> </span>
2746 Undefined Parameters</a></h3>
2747 <p class="TextFontCX">Sometimes, function parameters or return
2748 values are expected to reference undefined or partially defined
2749 storage. For example, a pointer parameter may be intended
2750 only as an address to store a result, or a memory allocator may
2751 return allocated but undefined storage. The
2752 <span class="Annot"><span style=
2753 'font-size:10.0pt'>out</span></span> annotation denotes
2754 a pointer to storage that may be undefined.</p>
2755 <p class="TextFontCX"> </p>
2756 <p class="TextFontCX">Splint does not report an error when a
2757 pointer to allocated but undefined storage is passed as an
2758 <span class="Annot"><span style=
2759 'font-size:10.0pt'>out</span></span> parameter. Within the
2760 body of a function, Splint will assume an <span class=
2761 "Annot"><span style='font-size:10.0pt'>out</span></span> parameter
2762 is allocated but not necessarily bound to a value, so an error is
2763 reported if its value is used before it is defined. </p>
2764 <p class="TextFontCX"> </p>
2765 <p class="TextFontCX">Splint reports an error if storage reachable
2766 by the caller after the call is not defined when the function
2767 returns. This can be suppressed by <span class=
2769 'font-size: 10.0pt'>-must-define</span></span>. After a call
2770 returns, an actual parameter corresponding to an <span class=
2771 "Annot"><span style='font-size:10.0pt'>out</span></span> parameter
2772 is assumed to be completely defined.</p>
2773 <p class="TextFontCX"> </p>
2774 <p class="TextFontCX">When checking unannotated programs, many
2775 spurious use before definition errors may be reported
2776 If <span class="Flag"><span style=
2777 'font-size:10.0pt'>impouts</span></span> is on, no error is
2778 reported when an incompletely-defined parameter is passed to a
2779 formal parameter with no definition annotation, and the actual
2780 parameter is assumed to be defined after the call. The
2781 <span class="Annot"><span style=
2782 'font-size:10.0pt'>/*@in@*/</span></span> annotation can be
2783 used to denote a parameter that must be completely defined, even if
2784 <span class="Flag"><span style=
2785 'font-size:10.0pt'>imp-outs</span></span> is on. If
2786 <span class="Flag"><span style=
2787 'font-size:10.0pt'>imp-outs</span></span> is off, there is an
2788 implicit <span class="Annot"><span style=
2789 'font-size:10.0pt'>in</span></span> annotation on every parameter
2790 with no definition annotation.</p>
2791 <p class="TextFontCX"> </p>
2792 <table class="MsoNormalTable" border="0" cellspacing="0"
2793 cellpadding="0" style='margin-left:.9pt;border-collapse:collapse'>
2795 <td width="40%" valign="top" style=
2796 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
2797 <p class="TextFontCX" align="center" style='text-align:center'>
2798 <span class="Keyword"><b><span style=
2799 'font-size:10.0pt; color:white'>usedef.c</span></b></span></p></td>
2800 <td valign="top" style=
2801 'border-top:1.5pt solid black; border-left:medium none;border-bottom:medium none;border-right:1.5pt solid black; background:black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
2802 <p class="TextFontCX" align="center" style='text-align:center'>
2803 <b><span style='color:white'>Running
2804 Splint</span></b></p></td></tr>
2806 <td valign="top" style=
2807 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
2808 <p class="MsoNormal"><span class="Keyword"><span style=
2809 'font-size:10.0pt; color:windowtext'>extern void</span></span></p>
2810 <p class="MsoNormal"><span class="Keyword"><span style=
2811 'font-size:10.0pt; color:windowtext'> setVal (/*@out@*/ int
2812 *x);</span></span></p>
2813 <p class="MsoNormal"><span class="Keyword"><span style=
2814 'font-size:10.0pt; color:windowtext'>extern int</span></span></p>
2815 <p class="MsoNormal"><span class="Keyword"><span style=
2816 'font-size:10.0pt; color:windowtext'> getVal (/*@in@*/ int
2817 *x);</span></span></p>
2818 <p class="MsoNormal"><span class="Keyword"><span style=
2819 'font-size:10.0pt; color:windowtext'>extern int
2820 mysteryVal</span></span></p>
2821 <p class="MsoNormal"><span class="Keyword"><span style=
2822 'font-size:10.0pt; color:windowtext'> (int
2823 *x);</span></span></p>
2824 <p class="MsoNormal"><span class="Keyword"><span style=
2825 'font-size:10.0pt; color:windowtext'> </span></span></p>
2826 <p class="MsoNormal" align="left" style='text-align:left'>
2827 <span class="Keyword"><span style=
2828 'font-size:10.0pt;color:windowtext'>int dumbfunc</span></span></p>
2829 <p class="MsoNormal" align="left" style='text-align:left'>
2830 <span class="Keyword"><span style=
2831 'font-size:10.0pt;color:windowtext'> (/*@out@*/ int *x,
2832 int i)</span></span></p>
2833 <p class="MsoNormal"><span class="Keyword"><span style=
2834 'font-size:10.0pt; color:windowtext'>{</span></span></p>
2835 <p class="MsoNormal"><span class="Keyword"><span style=
2836 'font-size:10.0pt; color:windowtext'> if (i >
2837 3)</span></span></p>
2838 <p class="MsoNormal"><span class="Line"><span style=
2839 'font-size:8.0pt'>11</span></span><span class=
2840 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2841 return *x;</span></span></p>
2842 <p class="MsoNormal"><span class="Keyword"><span style=
2843 'font-size:10.0pt; color:windowtext'> else if (i >
2844 1)</span></span></p>
2845 <p class="MsoNormal"><span class="Line"><span style=
2846 'font-size:8.0pt'>13</span></span><span class=
2847 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2848 return getVal (x);</span></span></p>
2849 <p class="MsoNormal"><span class="Keyword"><span style=
2850 'font-size:10.0pt; color:windowtext'> else if (i ==
2851 0)</span></span></p>
2852 <p class="MsoNormal"><span class="Line"><span style=
2853 'font-size:8.0pt'>15</span></span><span class=
2854 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2855 return mysteryVal (x);</span></span></p>
2856 <p class="MsoNormal"><span class="Keyword"><span style=
2857 'font-size:10.0pt; color:windowtext'> else</span></span></p>
2858 <p class="MsoNormal"><span class="Keyword"><span style=
2859 'font-size:10.0pt; color:windowtext'>
2861 <p class="MsoNormal"><span class="Line"><span style=
2862 'font-size:8.0pt'>18</span></span><span class=
2863 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2864 setVal (x);</span></span></p>
2865 <p class="MsoNormal"><span class="Line"><span style=
2866 'font-size:8.0pt'>19</span></span><span class=
2867 "Keyword"><span style='font-size:10.0pt;color:windowtext'>
2868 return *x;</span></span></p>
2869 <p class="MsoNormal"><span class="Keyword"><span style=
2870 'font-size:10.0pt; color:windowtext'>
2872 <p class="Verbatim"><span class="Keyword"><span style=
2873 'color:windowtext'>}</span></span></p></td>
2874 <td valign="top" style=
2875 'border-top:medium none;border-left:medium none; border-bottom:1.5pt solid black;border-right:1.5pt solid black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
2876 <p class="lclintrun">> splint usedef.c</p>
2877 <p class="lclintrun">usedef.c:11: Value *x used before
2879 <p class="lclintrun">usedef.c:13: Passed storage x not completely
2881 <p class="lclintrun">
2882
2883 (*x is undefined): getVal (x)</p>
2884 <p class="lclintrun">usedef.c:15: Passed storage x not completely
2886 <p class="lclintrun">
2887
2888 (*x is undefined): mysteryVal (x)</p>
2889 <p class="lclintrun"> </p>
2890 <p class="lclintrun">Finished checking --- 3 code warnings</p>
2891 <p class="TextFontCX"><i> </i></p>
2892 <p class="IndentText" style=
2893 'margin-top:0in;margin-right:.85pt;margin-bottom: 0in;margin-left:0in;margin-bottom:.0001pt;page-break-after:avoid'>
2894 <i>No error is reported for line 18, since the incompletely defined
2895 storage</i> <span class="CodeText"><span style=
2896 'font-size:10.0pt'>x</span></span> <i>is passed as an</i>
2897 <span class="CodeText"><span style=
2898 'font-size:10.0pt'>out</span></span> <i>parameter. After the
2899 call,</i> <span class="CodeText"><span style=
2900 'font-size: 10.0pt'>x</span></span> <i>may be dereferenced,
2901 since</i> <span class="Annot"><span style=
2902 'font-size:10.0pt'>setVal</span></span> <i>is assumed to completely
2903 define its</i> <span class="Annot"><span style=
2904 'font-size:10.0pt'>out</span></span> <i>parameter. The
2905 warning for line 15 would not appear if</i> <span class=
2906 "Flag"><span style='font-size:10.0pt'>+impouts</span></span>
2907 <i>were used since there is no</i> <span class=
2908 "Annot"><span style='font-size:10.0pt'>in</span></span>
2909 <i>annotation on the parameter to</i> <span class=
2911 'font-size: 10.0pt'>mysteryVal</span></span><i>.</i></p></td></tr></table>
2913 <div align="center">
2915 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
2916 style="border-collapse: collapse" bordercolor="#111111">
2918 <td valign="top" align="left" style=
2919 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
2920 <p class="MsoCaption"><a name="_Ref347764461"></a><a name=
2921 "_Ref347853047"></a><a name="_Toc534824607">Figure 3. Use
2922 before Definition</a></p></td></tr></table></center></div></div>
2925 <h3 style='margin-left:0in;text-indent:0in'><a name=
2926 "_Toc534974944">3.1.2<span style=
2927 'font:7.0pt "Times New Roman"'> </span>
2928 Relaxing Checking</a></h3>
2929 <p class="TextFontCX">The <span class="Annot"><span style=
2930 'font-size:10.0pt'>reldef</span></span> annotation relaxes
2931 definition checking for a particular declaration. Storage
2932 declared with a <span class="Annot"><span style=
2933 'font-size:10.0pt'>reldef</span></span> annotation is assumed to be
2934 defined when it is used, but no error is reported if it is not
2935 defined before it is returned or passed as a parameter.</p>
2936 <p class="TextFontCX"> </p>
2937 <p class="TextFontCX">It is up to the programmer to check
2938 <span class="Annot"><span style=
2939 'font-size:10.0pt'>reldef</span></span> fields are used
2940 correctly. They should be avoided in most cases, but
2941 may be useful for fields of structures that may or may not be
2942 defined depending on other constraints. </p>
2943 <h3 style='margin-left:0in;text-indent:0in'><a name=
2944 "_Toc534974945"></a><a name="_Ref347853043">3.1.3<span style=
2945 'font:7.0pt "Times New Roman"'> </span>
2946 Partially Defined Structures</a></h3>
2947 <p class="TextFontCX">The <span class="Annot"><span style=
2948 'font-size:10.0pt'>partial</span></span> annotation can be used to
2949 relax checking of structure fields. A structure with
2950 undefined fields may be passed as a <span class=
2951 "Annot"><span style='font-size: 10.0pt'>partial</span></span>
2952 parameter or returned as a <span class="Annot"><span style=
2953 'font-size:10.0pt'>partial</span></span> result. Inside
2954 a function body, no error is reported when the field of a
2955 <span class="Annot"><span style=
2956 'font-size:10.0pt'>partial</span></span> structure is
2957 used. After a call, all fields of a structure that is
2958 passed as a <span class="Annot"><span style=
2959 'font-size:10.0pt'>partial</span></span> parameter are
2960 assumed to be completely defined.</p>
2961 <h1 style='margin-left:0in;text-indent:0in'><a name=
2962 "_Ref534977413"></a><a name="_Toc534974946">4<span style=
2963 'font:7.0pt "Times New Roman"'> </span>
2964 <a id="types" name="types">
2966 <p class="TextFontCX">Strong type checking often reveals
2967 programming errors. Splint can check primitive C types more
2968 strictly and flexibly than typical compilers (4.1) and provides
2969 support a Boolean type (4.2). In addition, users can define
2970 abstract types that provide information hiding (0).</p>
2971 <h2 style='margin-left:0in;text-indent:0in'><a name=
2972 "_Toc534974947"></a><a name="_Ref534642132"></a><a name=
2973 "_Ref533964147"></a><a name="_Toc344355401">4.1<span style=
2974 'font:7.0pt "Times New Roman"'> </span>
2975 Built in C Types</a></h2>
2976 <p align="right"><span style='font-size:9.0pt'><i>Two types
2977 have</i> compatible <i>type if their types are the
2978 same.</i></span></p>
2979 <p class="TextFontCX" align="right" style='text-align:right'>
2980 <span style='font-size:9.0pt'><span style='font-size:9.0pt'>ANSI C,
2981 3.1.2.6.</span></span></p>
2982 <p class="Sidebar"> </p>
2986 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
2987 Splint supports stricter checking of built in C types. The
2988 <span class="CodeText"><span style=
2989 'font-size:10.0pt'>char</span></span> and <span class=
2990 "CodeText"><span style='font-size:10.0pt'>enum</span></span> types
2991 can be checked as distinct types, and the different numeric types
2992 can be type-checked strictly.</p>
2993 <h3 style='margin-left:0in;text-indent:0in'><a name=
2994 "_Toc534974948">4.1.1<span style=
2995 'font:7.0pt "Times New Roman"'> </span>
2997 <p class="TextFontCX">The primitive <span class=
2998 "CodeText"><span style='font-size:10.0pt'>char</span></span> type
2999 can be type-checked as a distinct type. If <span class=
3000 "CodeText"><span style='font-size:10.0pt'>char</span></span> is
3001 used as a distinct type, common errors involving assigning
3002 <span class="CodeText"><span style=
3003 'font-size:10.0pt'>int</span></span>s to <span class=
3004 "CodeText"><span style='font-size:10.0pt'>char</span></span>s are
3006 <p class="TextFontCX"> </p>
3007 <p class="TextFontCX">The <span class="Flag"><span style=
3008 'font-size:10.0pt'>+charint</span></span> flag can be used for
3009 checking legacy programs where <span class=
3010 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3011 and <span class="CodeText"><span style=
3012 'font-size:10.0pt'>int</span></span> are used
3013 interchangeably. If <span class="Flag"><span style=
3014 'font-size:10.0pt'>charint</span></span> is on, <span class=
3015 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3016 types indistinguishable from <span class=
3017 "CodeText"><span style=
3018 'font-size:10.0pt'>int</span></span>s. To keep
3019 <span class="CodeText"><span style=
3020 'font-size:10.0pt'>char</span></span> and <span class=
3021 "Keyword"><span style='font-size:10.0pt'>int</span></span> as
3022 distinct types, but allow chars to be used to index arrays,
3023 use <span class="Flag"><span style=
3024 'font-size:10.0pt'>+charindex</span></span>.</p>
3025 <h3 style='margin-left:0in;text-indent:0in'><a name=
3026 "_Toc534974949">4.1.2<span style=
3027 'font:7.0pt "Times New Roman"'> </span>
3028 Enumerators</a></h3>
3029 <p class="TextFontCX">Standard C treats user-declared
3030 <span class="CodeText"><span style=
3031 'font-size:10.0pt'>enum</span></span> types just like
3032 integers. An arbitrary integral value may be assigned
3033 to an <span class="CodeText"><span style=
3034 'font-size:10.0pt'>enum</span></span> type, whether or not it
3035 was listed as an enumerator member. Splint checks each
3036 user-defined <span class="CodeText"><span style=
3037 'font-size:10.0pt'>enum</span></span> type as distinct
3038 type. An error is reported if a value that is not an
3039 enumerator member is assigned to the <span class=
3040 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
3041 type, or if an <span class="CodeText"><span style=
3042 'font-size:10.0pt'>enum</span></span> type is used as an
3043 operand to an arithmetic operator. If the <span class=
3044 "Flag"><span style='font-size:10.0pt'>enumint</span></span>
3045 flag is on, <span class="CodeText"><span style=
3046 'font-size:10.0pt'>enum</span></span> and <span class=
3047 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3048 types may be used interchangeably. Like <span class=
3050 'font-size:10.0pt'>charindex</span></span>, if the
3051 <span class="Flag"><span style=
3052 'font-size:10.0pt'>enumindex</span></span> flag is on,
3053 <span class="CodeText"><span style=
3054 'font-size:10.0pt'>enum</span></span> types may be used to
3056 <h3 style='margin-left:0in;text-indent:0in'><a name=
3057 "_Toc534974950">4.1.3<span style=
3058 'font:7.0pt "Times New Roman"'> </span>
3059 Numeric Types</a></h3>
3060 <p class="TextFontCX">Splint reports where numeric types are
3061 used in dangerous or inconsistent ways. With the strictest
3062 checking, Splint will report an error anytime numeric types do not
3063 match exactly. If the <span class="Flag"><span style=
3064 'font-size:10.0pt'>relax-quals</span></span> flag is on, only those
3065 inconsistencies that may corrupt values are reported. For
3066 example, if an <span class="CodeText"><span style=
3067 'font-size:10.0pt'>int</span></span> is assigned to a variable of
3068 type <span class="CodeText"><span style=
3069 'font-size: 10.0pt'>long</span></span> (or passed as a
3070 <span class="CodeText"><span style=
3071 'font-size:10.0pt'>long</span></span> formal parameter),
3072 Splint will not report an error if <span class=
3074 'font-size:10.0pt'>relax-quals</span></span> is on since a
3075 <span class="CodeText"><span style=
3076 'font-size:10.0pt'>long</span></span> must have at least
3077 enough bits to store an <span class="CodeText"><span style=
3078 'font-size:10.0pt'>int</span></span> without data loss.
3079 On the other hand, an error would be reported if the
3080 <span class="CodeText"><span style=
3081 'font-size:10.0pt'>long</span></span> were assigned to an
3082 <span class="CodeText"><span style=
3083 'font-size:10.0pt'>int</span></span>, since the <span class=
3084 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3085 type may not have enough bits to store the <span class=
3086 "CodeText"><span style='font-size:10.0pt'>long</span></span>
3088 <p class="TextFontCX"> </p>
3089 <p class="TextFontCX">Similarly, if a <span class=
3090 "CodeText"><span style='font-size:10.0pt'>signed</span></span>
3091 value is assigned to an <span class="CodeText"><span style=
3092 'font-size:10.0pt'>unsigned</span></span>, Splint will report an
3093 error since an <span class="CodeText"><span style=
3094 'font-size:10.0pt'>unsigned</span></span> type cannot represent all
3095 <span class="CodeText"><span style=
3096 'font-size:10.0pt'>signed</span></span> values correctly. If
3097 the <span class="Flag"><span style=
3098 'font-size:10.0pt'>+ignore-signs</span></span> flag is on, checking
3099 is relaxed to ignore all sign qualifiers in type comparisons (this
3100 is not recommended, since it will suppress reporting of real bugs,
3101 but may be necessary for quickly checking certain legacy
3103 <h3 style='margin-left:0in;text-indent:0in'><a name=
3104 "_Toc534974951">4.1.4<span style=
3105 'font:7.0pt "Times New Roman"'> </span>
3106 Arbitrary Integral Types</a></h3>
3107 <p class="TextFontCX">Some types are declared to be integral types,
3108 but the concrete type may be implementation dependent. For
3109 example, the standard library declares the types <span class=
3110 "CodeText"><span style='font-size:10.0pt'>size_t</span></span>,
3111 <span class="CodeText"><span style=
3112 'font-size:10.0pt'>ptr_diff</span></span> and <span class=
3113 "CodeText"><span style='font-size:10.0pt'>wchar_t</span></span>,
3114 but does not constrain their types other than limiting them to
3115 integral types. Programs may rely on them being integral
3116 types (e.g., can use <span class="CodeText"><span style=
3117 'font-size:10.0pt'>+</span></span> operator on two
3118 <span class="CodeText"><span style=
3119 'font-size:10.0pt'>size_t</span></span> operands), but should
3120 not rely on a particular representation (e.g., <span class=
3121 "CodeText"><span style='font-size: 10.0pt'>long
3122 unsigned</span></span>). </p>
3123 <p class="TextFontCX"> </p>
3124 <p class="TextFontCX">Splint supports three different kinds of
3125 arbitrary integral types:</p>
3126 <p class="TextFontCX"> </p>
3127 <p class="TextFontCX"><span class="Annot"><span style=
3128 'font-size:10.0pt'>/*@integraltype@*/</span></span></p>
3129 <p class="TextFontCX"><span class="Annot"><font size=
3130 "2"> </font></span> An arbitrary integral
3131 type. The actual type may be any one of <span class=
3132 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
3133 <span class="CodeText"><span style=
3134 'font-size:10.0pt'>int</span></span>, <span class=
3135 "CodeText"><span style='font-size:10.0pt'>long</span></span>,
3136 <span class="CodeText"><span style='font-size:10.0pt'>unsigned
3137 short</span></span>, <span class="CodeText"><span style=
3138 'font-size:10.0pt'>unsigned</span></span>, or <span class=
3139 "CodeText"><span style='font-size:10.0pt'>unsigned
3140 long</span></span>.</p>
3141 <p class="TextFontCX"><span class="Annot"><span style=
3142 'font-size:10.0pt'>/*@unsignedintegraltype@*/</span></span></p>
3143 <p class="TextFontCX"><span class="Annot"><font size=
3144 "2"> </font></span> An arbitrary unsigned integral
3145 type. The actual type may be any one of <span class=
3146 "CodeText"><span style='font-size:10.0pt'>unsigned
3147 short</span></span>, <span class="CodeText"><span style=
3148 'font-size:10.0pt'>unsigned</span></span>, or <span class=
3149 "CodeText"><span style='font-size:10.0pt'>unsigned
3150 long</span></span>.</p>
3151 <p class="TextFontCX"><span class="Annot"><span style=
3152 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span></p>
3153 <p class="TextFontCX"><span class="Annot"><font size=
3154 "2"> </font></span> An arbitrary signed integral
3155 type. The actual type may be any one of <span class=
3156 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
3157 <span class="CodeText"><span style=
3158 'font-size:10.0pt'>int</span></span>, or <span class=
3159 "CodeText"><span style='font-size:10.0pt'>long</span></span>.</p>
3160 <p class="TextFontCX"> </p>
3161 <p class="TextFontCX">Splint reports an error if the code depends
3162 on the actual representation of a type declared as an arbitrary
3163 integral. The <span class="Flag"><span style=
3164 'font-size:10.0pt'>match-any-integral</span></span> flag
3165 relaxes checking and allows an arbitrary integral type is allowed
3166 to match any integral type.</p>
3167 <p class="TextFontCX"> </p>
3168 <p class="TextFontCX">Other flags set the arbitrary integral types
3169 to a concrete type. These should only be used if portability
3170 to platforms that may use different representations is not
3171 important. The <span class="Flag"><span style=
3172 'font-size:10.0pt'>long-integral</span></span> and
3173 <span class="Flag"><span style=
3174 'font-size:10.0pt'>long-unsigned-integral</span></span> flags
3175 set the type corresponding to <span class=
3176 "Annot"><span style='font-size: 10.0pt'>/*@integraltype@*/</span></span> to
3177 be <span class="CodeText"><span style=
3178 'font-size:10.0pt'>unsigned long</span></span> and
3179 <span class="CodeText"><span style=
3180 'font-size:10.0pt'>long</span></span> respectively. The
3181 <span class="Flag"><span style=
3182 'font-size:10.0pt'>long-unsigned-unsigned-integral</span></span> flag
3183 sets the type corresponding to <span class=
3184 "Annot"><span style=
3185 'font-size: 10.0pt'>/*@unsignedintegraltype@*/</span></span>
3186 to be <span class="CodeText"><span style=
3187 'font-size:10.0pt'>unsigned long</span></span>. The
3188 <span class="Flag"><span style=
3189 'font-size:10.0pt'>long-signed-integral</span></span> flag
3190 sets the type corresponding to <span class=
3191 "Annot"><span style=
3192 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span> to
3193 be <span class="CodeText"><span style=
3194 'font-size:10.0pt'>long</span></span>.</p>
3195 <h2 style='margin-left:0in;text-indent:0in'><a name=
3196 "_Toc534974952"></a><a name="_Ref534642133"></a><a name=
3197 "_Ref533964143"></a><a name="_Ref344892413"></a><a name=
3198 "_Toc344355400">4.2<span style=
3199 'font:7.0pt "Times New Roman"'> </span>
3200 Boolean Types</a></h2>
3201 <p class="TextFontCX">Pre-ISO99 C had no Boolean representation
3202 – the result of a comparison operator was an integer, and no
3203 type checking is done for test expressions. C99 introduced a
3204 Boolean type (<span class="CodeText"><span style=
3205 'font-size:10.0pt'>_Bool</span></span> and <span class=
3206 "CodeText"><span style='font-size:10.0pt'>bool</span></span>,
3207 <span class="CodeText"><span style=
3208 'font-size:10.0pt'>true</span></span> and <span class=
3209 "CodeText"><span style='font-size:10.0pt'>false</span></span>
3210 macros in <span style=
3211 'font-size:10.0pt;font-family:Arial'>stdbool.h</span>), but did not
3212 strengthen the type checking. Splint supports a Boolean type
3213 that can be checked distinctly from integral types. Many
3214 common errors can be detected by introducing a distinct Boolean
3215 type and stronger type checking.</p>
3216 <p class="TextFontCX"> </p>
3217 <p class="TextFontCX">Splint checks that the test expression in an
3218 <span class="CodeText"><span style=
3219 'font-size:10.0pt'>if</span></span>, <span class=
3220 "CodeText"><span style='font-size:10.0pt'>while</span></span>, or
3221 <span class="CodeText"><span style=
3222 'font-size:10.0pt'>for</span></span> statement or an operand of a
3223 <span class="CodeText"><span style=
3224 'font-size:10.0pt'>&&</span></span>, <span class=
3225 "CodeText"><span style='font-size:10.0pt'>||</span></span> or
3226 <span class="CodeText"><span style=
3227 'font-size:10.0pt'>!</span></span>operator is a Boolean. If
3228 the type of a test expression is not a Boolean, Splint will produce
3229 a warning depending on the type of the test expression and flag
3230 settings. If the test expression has pointer type, the
3231 warning is inhibited by <span class="Flag"><span style=
3232 'font-size:10.0pt'>–predboolptr</span></span> (this can be
3233 used to prevent messages for the idiom of testing if a pointer is
3234 not null without a comparison). If it is type
3235 <span class="CodeText"><span style=
3236 'font-size:10.0pt'>int</span></span>, the warnings is
3237 inhibited by <span class="Flag"><span style=
3238 'font-size:10.0pt'>-pred-bool-int</span></span>. For
3239 all other types, Splint warns unless <span class=
3241 'font-size: 10.0pt'>-pred-bool-others</span></span> is
3242 set. Relations, comparisons and certain standard
3243 library functions are declared to return Booleans.</p>
3244 <p class="TextFontCX"> </p>
3245 <p class="TextFontCX">Since using <span class=
3246 "CodeText"><span style='font-size:10.0pt'>=</span></span> instead
3247 of <span class="CodeText"><span style=
3248 'font-size:10.0pt'>==</span></span> is such a common bug, reporting
3249 of test expressions that are assignments is controlled by the
3250 separate <span class="Flag"><span style=
3251 'font-size:10.0pt'>pred-assign</span></span> flag. The
3252 message can be suppressed by adding extra parentheses around the
3253 test expression.</p>
3254 <p class="TextFontCX"> </p>
3255 <p class="TextFontCX">Use the <span class="Flag"><span style=
3256 'font-size:10.0pt'>–booltype
3257 <name></span></span> flag to select the type name is
3258 used to represent Boolean values. There is no default Boolean
3259 type, although <span class="CodeText"><span style=
3260 'font-size: 10.0pt'>bool</span></span> is used by convention.
3261 The names <span class="CodeText"><span style=
3262 'font-size:10.0pt'>TRUE</span></span> and <span class=
3263 "CodeText"><span style='font-size:10.0pt'>FALSE</span></span> are
3264 assumed to represent true and false Boolean values. To change
3265 the names of true and false, use <span class=
3266 "Flag"><span style='font-size:10.0pt'>-booltrue</span></span>
3267 and <span class="Flag"><span style=
3268 'font-size:10.0pt'>-boolfalse</span></span>. (The
3269 Splint distribution includes an implementation of
3270 <span class="CodeText"><span style=
3271 'font-size:10.0pt'>bool</span></span>, in <span class=
3272 "CodeText"><span style=
3273 'font-size:10.0pt;color:windowtext'>lib/bool.h</span></span>.
3274 However, it isn’t necessary to use this implementation
3275 to get the benefits of Boolean checking.)</p>
3276 <p class="TextFontCX"> </p>
3277 <p class="TextFontCX">Figure 4 illustrates some of the Boolean
3278 checking done by Splint. </p>
3279 <p class="TextFontCX"> </p>
3281 <table class="MsoNormalTable" border="0" cellspacing="0"
3282 cellpadding="0" style=
3283 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
3284 <tr style='height:13.3pt'>
3285 <td valign="top" style=
3286 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.3pt'>
3287 <p class="TextFontCX" align="center" style='text-align:center'>
3288 <span class="Keyword"><b><span style=
3289 'font-size:10.0pt; color:white'>bool.c</span></b></span></p></td>
3290 <td valign="top" style=
3291 'border-top:1.5pt solid black; border-left:medium none;border-bottom:medium none;border-right:1.5pt solid black; background:black;padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
3292 <p class="TextFontCX" align="center" style='text-align:center'>
3293 <b><span style='color:white'>Running
3294 Splint</span></b></p></td></tr>
3296 <td valign="top" style=
3297 'width:2.0in;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:156.15pt'>
3298 <p class="Verbatim"># include "bool.h"</p>
3299 <p class="Verbatim">int f (int i, char *s,</p>
3300 <p class="Verbatim"> bool b1, bool b2)</p>
3301 <p class="Verbatim">{</p>
3302 <p class="Verbatim"><span class="Line"><span style=
3303 'font-size:8.0pt'> 6</span></span> if (i = 3)</p>
3304 <p class="Verbatim"><span class="Line"><span style=
3305 'font-size:8.0pt'> 7</span></span> return
3307 <p class="Verbatim"><span class="Line"><span style=
3308 'font-size:8.0pt'> 8</span></span> if (!i || s)</p>
3309 <p class="Verbatim"><span class="Line"><span style=
3310 'font-size:8.0pt'> 9</span></span> return
3312 <p class="Verbatim"><span class="Line"><span style=
3313 'font-size:8.0pt'>10</span></span> if (s)</p>
3314 <p class="Verbatim"><span class="Line"><span style=
3315 'font-size:8.0pt'>11</span></span> return 7;</p>
3316 <p class="Verbatim"><span class="Line"><span style=
3317 'font-size:8.0pt'>12</span></span> if (b1 == b2)</p>
3318 <p class="Verbatim"><span class="Line"><span style=
3319 'font-size:8.0pt'>13</span></span> return 3;</p>
3320 <p class="Verbatim"><span class="Line"><span style=
3321 'font-size:8.0pt'>14</span></span> return 2;</p>
3322 <p class="Verbatim">}</p></td>
3323 <td valign="top" style=
3324 'border-top:medium none;border-left: medium none;border-bottom:1.5pt solid black;border-right:1.5pt solid black; padding-left:5.4pt; padding-right:5.4pt; padding-top:0in; padding-bottom:0in'>
3325 <p class="lclintrun">> splint bool.c +predboolptr
3326 –booltype bool</p>
3327 <p class="lclintrun"> </p>
3328 <p class="lclintrun">bool.c:6: Test expression for if is assignment
3329 expression: i = 3</p>
3330 <p class="lclintrun">bool.c:6: Test expression for if not bool,
3332 <p class="lclintrun">bool.c:7: Return value type bool does not
3333 match declared type int: b1</p>
3334 <p class="lclintrun">bool.c:8: Operand of ! is non-boolean (int):
3336 <p class="lclintrun">bool.c:8: Right operand of || is non-boolean
3337 (char *): !i || s</p>
3338 <p class="lclintrun">bool.c:10: Test expression for if not bool,
3340 <p class="lclintrun">bool.c:12: Use of == with bool variables
3341 (risks inconsistency because</p>
3342 <p class="lclintrun">
3343
3344 of multiple true values): b1 == b2</p>
3345 <p class="lclintrun"> </p>
3346 <p class="lclintrun" style='page-break-after:avoid'>Finished
3347 checking --- 7 code warnings found</p></td></tr></table>
3348 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
3350 <td valign="top" align="left" style=
3351 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
3352 <p class="MsoCaption"><a name="_Ref533964137"></a><a name=
3353 "_Toc534824608"></a><a name="_Ref534821769">Figure 4</a>.
3354 Boolean Checking</p></td></tr></table></center>
3355 <h2 style='margin-left:0in;text-indent:0in'><a name=
3356 "_Toc534974953"></a><a name="_Ref534970776">4.3<span style=
3357 'font:7.0pt "Times New Roman"'> </span>
3358 Abstract Types</a></h2>
3359 <p class="TextFontCX">Information hiding is a technique for
3360 handling complexity. By hiding implementation details,
3361 programs can be understood and developed in distinct modules and
3362 the effects of a change can be localized. One technique for
3363 information hiding is data abstraction. An
3364 abstract type is used to represent some natural program
3365 abstraction. It provides functions for manipulating instances
3366 of the type. The module that implements these functions is
3367 called the <i>implementation</i> module. We call the
3368 functions that are part of the implementation of an abstract type
3369 the <i>operations</i> of the type. Other modules that use the
3370 abstract type are called <i>clients</i>.</p>
3371 <p class="TextFontCX"> </p>
3372 <p class="TextFontCX">Clients may use the type name and operations,
3373 but should not manipulate or rely on the actual representation of
3374 the type. Only the implementation module may manipulate the
3375 representation of an abstract type. This hides information,
3376 since implementers and maintainers of client modules should not
3377 need to know anything about how the abstract type is implemented.
3378 It provides modularity, since the representation of an abstract
3379 type can be changed without having to change any client code.</p>
3380 <p class="TextFontCX"> </p>
3381 <p class="TextFontCX">Splint supports abstract types by detecting
3382 places where client code depends on the concrete representation of
3383 an abstract type. Some examples of abstraction violations
3384 detected by Splint are shown in Figure 5.</p>
3385 <p class="beforelist"> </p>
3386 <p class="beforelist">To declare an abstract type, the
3387 <span class="Annot"><span style=
3388 'font-size:10.0pt'>abstract</span></span> annotation is
3389 added to a <span class="CodeText"><span style=
3390 'font-size:10.0pt'>typedef</span></span>. For example
3391 (in <span class="Keyword"><span style=
3392 'font-size:10.0pt;font-family: Arial;color:windowtext'>mstring.h</span></span>),</p>
3393 <p class="example">typedef /*@abstract@*/ char *mstring;</p>
3394 <p class="TextFontCX">declares <span class=
3395 "CodeText"><span style='font-size:10.0pt'>mstring</span></span>
3396 as an abstract type. It is implemented using a
3397 <span class="CodeText"><span style='font-size:10.0pt'>char
3398 *</span></span>, but clients of the type should not depend on
3399 or need to be aware of this. If it later becomes
3400 apparent that a better representation such as a string table
3401 should be used, we should be able to change the
3402 implementation of <span class="CodeText"><span style=
3403 'font-size: 10.0pt'>mstring</span></span> without having to
3404 change or inspect any client code.</p>
3405 <p class="TextFontCX"> </p>
3406 <p class="TextFontCX">In a client module, abstract types are
3407 checked by name, not structure. Splint reports an error if an
3408 instance of <span class="CodeText"><span style=
3409 'font-size:10.0pt'>mstring</span></span> is passed as a
3410 <span class="CodeText"><span style='font-size:10.0pt'>char
3411 *</span></span> (for instance, as an argument to <span class=
3412 "CodeText"><span style=
3413 'font-size: 10.0pt'>strlen</span></span>), since the
3414 correctness of this call depends on the representation of the
3415 abstract type. Splint also reports errors if any C
3416 operator except assignment (<span class=
3417 "CodeText"><span style='font-size:10.0pt'>=</span></span>) or
3418 <span class="CodeText"><span style=
3419 'font-size:10.0pt'>sizeof</span></span> is used on an
3420 abstract type. The assignment operator is allowed since
3421 its semantics do not depend on the representation of the type
3422 (for abstract types whose instances can change value, a
3423 client does need to know if assignment has copy or sharing
3424 semantics as discussed in Section 4.3.2). The use of
3425 <span class="CodeText"><span style=
3426 'font-size:10.0pt'>sizeof</span></span> is also
3427 permitted, since this is the only way for clients to allocate
3428 pointers to the abstract type. Type casting objects to
3429 or from abstract types in a client module is an abstraction
3430 violation and will generate a warning message.</p>
3431 <p class="TextFontCX"> </p>
3432 <p class="TextFontCX">Normally, Splint will assume a type
3433 definition is not abstract unless the <span class=
3434 "Annot"><span style='font-size:10.0pt'>/*@abstract@*/</span></span>
3435 qualifier is used. If instead you want all user-defined types
3436 to be abstract types unless they are marked as <span class=
3437 "Annot"><span style='font-size:10.0pt'>concrete</span></span>, the
3438 <span class="Flag"><span style=
3439 'font-size:10.0pt'>+imp-abstract</span></span> flag can be
3440 used. This adds an implicit <span class=
3441 "Annot"><span style='font-size:10.0pt'>abstract</span></span>
3442 annotation to any <span class="CodeText"><span style=
3443 'font-size:10.0pt'>typedef</span></span> that is not marked
3444 with <span class="Annot"><span style=
3445 'font-size:10.0pt'>/*@concrete@*/</span></span>.</p>
3446 <p class="TextFontCX"> </p>
3448 <table class="MsoNormalTable" border="0" cellspacing="0"
3449 cellpadding="0" style=
3450 'width:418.5pt;margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
3451 <tr style='height:13.45pt'>
3452 <td valign="top" style=
3453 'width:211.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
3454 <p class="TextFontCX" align="center" style='text-align:center'>
3455 <span class="Keyword"><b><span style=
3456 'font-size:10.0pt; color:white'>palindrome.c</span></b></span></p></td>
3457 <td valign="top" style=
3458 'width:207.0pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
3459 <p class="TextFontCX" align="center" style='text-align:center'>
3460 <b><span style='color:white'>Running
3461 Splint</span></b></p></td></tr>
3462 <tr style='height:196.2pt'>
3463 <td valign="top" style=
3464 'width:211.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:196.2pt'>
3465 <p class="Verbatim"><span style='font-size:9.0pt'># include
3467 <p class="Verbatim"><span style='font-size:9.0pt'># include
3468 "mstring.h"</span></p>
3469 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3470 <p class="Verbatim"><span style='font-size:9.0pt'>bool isPalindrome
3471 (mstring s)</span></p>
3472 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
3473 <p class="Verbatim"><span class="Line"><span style=
3474 'font-size:8.0pt'> 6</span></span> <span style=
3475 'font-size:9.0pt'>char *current = (char *) s;</span></p>
3476 <p class="Verbatim"><span class="Line"><span style=
3477 'font-size:8.0pt'> 7</span></span> <span style=
3478 'font-size:9.0pt'>int i, len = (int) strlen (s);</span></p>
3479 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3480 <p class="Verbatim"><span style='font-size:9.0pt'> for (i =
3481 0; i <= (len+1) / 2; i++)</span></p>
3482 <p class="Verbatim"><span style=
3483 'font-size:9.0pt'> {</span></p>
3484 <p class="Verbatim"><span class="Line"><span style=
3485 'font-size:8.0pt'>11</span></span><span style=
3486 'font-size:9.0pt'> if (current[i] !=
3487 s[len-i-1])</span></p>
3488 <p class="Verbatim"><span style=
3489 'font-size:9.0pt'> return
3491 <p class="Verbatim"><span style=
3492 'font-size:9.0pt'> }</span></p>
3493 <p class="Verbatim"><span style='font-size:9.0pt'> return
3495 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
3496 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
3497 <p class="Verbatim"><span style='font-size:9.0pt'>bool callPal
3499 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
3500 <p class="Verbatim"><span class="Line"><span style=
3501 'font-size:8.0pt'>19</span></span><i><span style=
3502 'font-size:9.0pt;font-family:Arial'> </span></i>
3503 <span style='font-size:9.0pt'>return (isPalindrome
3504 ("bob"));</span></p>
3505 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
3506 <td valign="top" style=
3507 'width:207.0pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:196.2pt'>
3508 <p class="lclintrun">> splint palindrome.c</p>
3509 <p class="lclintrun"> </p>
3510 <p class="lclintrun">palindrome.c:6: Cast from underlying</p>
3511 <p class="lclintrun"> abstract type mstring:
3513 <p class="lclintrun">palindrome.c:7: Function strlen expects
3515 <p class="lclintrun"> 1 to be char * gets
3517 <p class="lclintrun">palindrome.c:11: Array fetch from
3519 <p class="lclintrun"> (mstring): s[len - i -
3521 <p class="lclintrun">palindrome.c:19: Function isPalindrome</p>
3522 <p class="lclintrun"> expects arg 1 to be mstring
3524 <p class="lclintrun"> "bob"</p>
3525 <p class="TextFontCX"> </p>
3526 <p class="lclintrun">Finished checking --- 4 code warnings</p>
3527 <p class="TextFontCX"><span style=
3528 'font-size: 9.0pt;font-family:Times'> </span></p></td></tr></table>
3529 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
3531 <td valign="top" style=
3532 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
3533 <p class="MsoCaption"><a name="_Toc534824609"></a><a name=
3534 "_Toc347255385"></a><a name="_Ref344908730"></a><a name=
3535 "_Ref344908735">Figure 5</a>. Information Hiding
3536 Violations</p></td></tr></table></center>
3537 <p align="right"><i><span style=
3538 'font-size:9.0pt'> Traditionally, programming books wax
3539 mathematical when they arrive at the topic of abstract data
3541 Such books make it seem as if you’d never actually use an
3542 abstract data type except as a sleep aid.</span></i></p>
3544 <p class="TextFontCX" align="right" style='text-align:right'>
3546 'font-size:9.0pt'> </span></i>
3547 <span style='font-size:9.0pt'> Steve
3548 McConnell</span></p>
3549 <p class="TextFontCX"><i> </i></p>
3550 <h3 style='margin-left:0in;text-indent:0in'><a name=
3551 "_Toc534974954"></a><a name="_Ref344892422"></a><a name=
3552 "_Ref344870884"></a><a name="_Toc344355398">4.3.1<span style=
3553 'font:7.0pt "Times New Roman"'> </span>
3554 Controlling Access</a></h3>
3555 <p class="TextFontCX">Where code may manipulate the representation
3556 of an abstract type, we say the code has <i>access</i> to that
3557 type. If code has access to an abstract type, the
3558 representation of the type and the abstract type are
3559 indistinguishable. Usually, a single program module that is
3560 the only code that has access to the type representation implements
3561 an abstract type. Sometimes, more complicated access control
3562 is desired if the implementation of an abstract type is split
3563 across program files, or particular client code needs to access the
3565 <p class="TextFontCX"> </p>
3566 <p class="beforelist">There are a several ways of selecting what
3567 code has access the representation of an abstract type:</p>
3568 <p class="TextFontCX" style=
3569 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3570 'font-family:Symbol'>·<span style=
3571 'font:7.0pt "Times New Roman"'> </span></span>
3572 Modules. An abstract type defined in <i><span style=
3573 'font-size: 10.0pt;font-family:Arial'>M</span></i><span class="Keyword">
3575 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
3576 is accessible in <i><span style=
3577 'font-size:10.0pt;font-family:Arial'>M</span></i><span class=
3578 "Keyword"><span style=
3579 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>.
3580 Controlled by the <span class="Flag"><span style=
3581 'font-size:10.0pt'>accessmodule</span></span> flag. This
3582 means when <span class="Flag"><span style=
3583 'font-size:10.0pt'>accessmodule</span></span> is on, as it is by
3584 default, the module access rule is in effect. If
3585 <span class="Flag"><span style=
3586 'font-size:10.0pt'>accessmodule</span></span> is off (when
3587 <span class="Flag"><span style=
3588 'font-size:10.0pt'>-access-module</span></span> is used), the
3589 module access rule is not in effect and an abstract type
3590 defined in <i><span style=
3591 'font-size:10.0pt;font-family:Arial'>M</span></i><span class=
3592 "Keyword"><span style=
3593 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
3594 is not necessarily accessible in <i><span style=
3595 'font-size:10.0pt;font-family: Arial'>M</span></i><span class="Keyword">
3597 'font-size:10.0pt; font-family:Arial;color:windowtext'>.c</span></span>.</p>
3598 <p class="TextFontCX" style=
3599 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3600 'font-family:Symbol'>·<span style=
3601 'font:7.0pt "Times New Roman"'> </span></span>
3602 File names. An abstract type named <span class=
3603 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
3604 is accessible in files named <span class=
3605 "CodeText"><i><span style='font-size:10.0pt'>type.<extension></span></i></span>.
3606 For example, the representation of <span class=
3607 "CodeText"><span style=
3608 'font-size: 10.0pt'>mstring</span></span> is accessible in
3609 <span class="CodeText"><span style=
3610 'font-size:10.0pt'>mstring.h</span></span> and <span class=
3611 "CodeText"><span style=
3612 'font-size:10.0pt'>mstring.c</span></span>. Controlled
3613 by the <span class="Flag"><span style=
3614 'font-size:10.0pt'>access-file</span></span> flag.</p>
3615 <p class="MsoListBullet"><span style=
3616 'font-family:Symbol'>·<span style=
3617 'font:7.0pt "Times New Roman"'> </span></span>
3618 Function names. An abstract type named <span class=
3619 "CodeText"><i><span style=
3620 'font-size: 10.0pt'>type</span></i></span> may be accessible in a
3621 function named <span class="CodeText"><i><span style=
3622 'font-size:10.0pt'>type_name</span></i></span> or
3623 <span class="CodeText"><i><span style=
3624 'font-size:10.0pt'>typeName</span></i></span>. For
3625 example, <span class="CodeText"><span style=
3626 'font-size:10.0pt'>mstring_length</span></span> and
3627 <span class="CodeText"><span style=
3628 'font-size:10.0pt'>mstringLength</span></span> would have
3629 access to the <span class="CodeText"><span style=
3630 'font-size:10.0pt'>mstring</span></span> abstract type.
3631 Controlled by <span class="Flag"><span style=
3632 'font-size:10.0pt'>accessfunction</span></span> and the
3633 naming convention (see Section 12).</p>
3634 <p class="TextFontCX" style=
3635 'margin-left:12.95pt; text-indent:-12.95pt'><span style=
3636 'font-family:Symbol'>·<span style=
3637 'font:7.0pt "Times New Roman"'> </span></span>
3638 Access control comments. The syntax <span class=
3639 "Annot"><span style='font-size:10.0pt'>/*@access
3640 <i>type</i>,<sup>+</sup>@*/</span></span><a href="#_ftn2"
3641 name="_ftnref2" title=""><span class=
3642 "MsoFootnoteReference"><span class=
3643 "MsoFootnoteReference"><span style=
3644 'font-size:11.0pt;font-family:"Times New Roman"'>[2]</span></span></span></a>
3645 allows the following code to access the representation of
3646 <span class="CodeText"><i><span style=
3647 'font-size:10.0pt'>type</span></i></span>. Similarly,
3648 <span class="Annot"><span style=
3649 'font-size:10.0pt'>/*@noaccess</span></span> <span class=
3650 "Annot"><span style=
3651 'font-size:10.0pt'><i>type</i>,<sup>+</sup>@*/</span></span>
3652 restricts access to the representation of <span class=
3653 "CodeText"><i><span style=
3654 'font-size: 10.0pt'>type</span></i></span>. The type in
3655 a <span class="Annot"><span style=
3656 'font-size:10.0pt'>noaccess</span></span> comment must have
3657 been declared as an abstract type.</p>
3658 <h3 style='margin-left:0in;text-indent:0in'><a name=
3659 "_Toc534974955"></a><a name="_Toc344355399"></a><a name=
3660 "_Ref343240525"></a><a name="_Ref343240518">4.3.2<span style=
3661 'font:7.0pt "Times New Roman"'> </span>
3663 <p class="TextFontCX">We can view types as being <i>mutable</i> or
3664 <i>immutable</i>. A type is mutable if passing it as a
3665 parameter to a function call can change the value of an instance of
3666 the type. For example, the primitive type <span class=
3667 "CodeText"><span style='font-size:10.0pt'>int</span></span> is
3668 immutable. If <span class="CodeText"><span style=
3669 'font-size:10.0pt'>i</span></span> is a local variable of type
3670 <span class="CodeText"><span style=
3671 'font-size:10.0pt'>int</span></span> and no variables point to the
3672 location where <span class="CodeText"><span style=
3673 'font-size:10.0pt'>i</span></span> is stored, the value of
3674 <span class="CodeText"><span style=
3675 'font-size:10.0pt'>i</span></span> must be the same before and
3676 after the call <span class="CodeText"><span style=
3677 'font-size:10.0pt'>f (i)</span></span>. Structure and union
3678 types are also immutable, since they are copied when they are
3679 passed as arguments. On the other hand, pointer types are
3680 mutable. If <span class="CodeText"><span style=
3681 'font-size:10.0pt'>x</span></span> is a local variable of type
3682 <span class="CodeText"><span style='font-size:10.0pt'>int
3683 *</span></span>, the value of <span class=
3684 "CodeText"><span style='font-size:10.0pt'>*x</span></span>
3685 (and hence, the value of the object <span class=
3686 "CodeText"><span style='font-size:10.0pt'>x</span></span>)
3687 can be changed by the function call <span class=
3688 "CodeText"><span style=
3689 'font-size:10.0pt'>g(x)</span></span>. </p>
3690 <p class="TextFontCX"> </p>
3691 <p class="TextFontCX">The mutability of a concrete type is
3692 determined by its type definition. For abstract types, mutability
3693 does not depend on the type representation but on what operations
3694 the type provides. If an abstract type has operations that may
3695 change the value of instances of the type, the type is
3696 mutable. If not, it is immutable. The value of an
3697 instance of an immutable type never changes. Since object
3698 sharing is noticeable only for mutable types, they are checked
3699 differently from immutable types.</p>
3700 <p class="TextFontCX"> </p>
3701 <p class="beforelist">The <span class="Annot"><span style=
3702 'font-size:10.0pt'>/*@mutable@*/</span></span> and
3703 <span class="Annot"><span style=
3704 'font-size:10.0pt'>/*@immutable@*/</span></span> annotations
3705 are used to declare an abstract type as mutable or
3706 immutable. (If neither is used, the abstract type is
3707 assumed to be mutable.) For example,</p>
3708 <p class="Verbatim"> typedef /*@abstract@*/
3709 /*@mutable@*/ char *mstring;</p>
3710 <p class="Verbatim"> typedef /*@abstract@*/
3711 /*@immutable@*/ int weekDay;</p>
3712 <p class="afterlist">declares <span class=
3713 "CodeText"><span style='font-size:10.0pt'>mstring</span></span>
3714 as a mutable abstract type and <span class=
3715 "CodeText"><span style=
3716 'font-size: 10.0pt'>weekDay</span></span> as an immutable
3718 <p class="TextFontCX"> </p>
3719 <p class="TextFontCX">Clients of a mutable abstract type need to
3720 know the semantics of assignment. After the assignment
3721 expression <span class="CodeText"><span style='font-size:10.0pt'>s
3722 = t</span></span>, do <span class="CodeText"><span style=
3723 'font-size:10.0pt'>s</span></span> and <span class=
3724 "CodeText"><span style='font-size:10.0pt'>t</span></span> refer to
3725 the same object (that is, will changes to the value of
3726 <span class="CodeText"><span style=
3727 'font-size:10.0pt'>s</span></span> also change the value of
3728 <span class="CodeText"><span style=
3729 'font-size:10.0pt'>t</span></span>).</p>
3730 <p class="TextFontCX"> </p>
3731 <p class="TextFontCX">Splint prescribes that all abstract types
3732 have sharing semantics, so <span class=
3733 "CodeText"><span style='font-size:10.0pt'>s</span></span> and
3734 <span class="CodeText"><span style=
3735 'font-size:10.0pt'>t</span></span> would indeed be the same
3736 object. Splint will produce a warning if a mutable type
3737 is implemented with a representation (e.g., a <span class=
3738 "CodeText"><span style=
3739 'font-size:10.0pt'>struct</span></span>) that does not
3740 provide sharing semantics (controlled by <span class=
3742 'font-size:10.0pt'>mutrep</span></span> flag). </p>
3743 <p class="TextFontCX"> </p>
3744 <p class="TextFontCX">The mutability of an abstract type is not
3745 necessarily the same as the mutability of its representation. We
3746 could use the immutable concrete type <span class=
3747 "CodeText"><span style='font-size:10.0pt'>int</span></span> to
3748 represent mutable strings using an index into a string table, or
3749 declare <span class="CodeText"><span style=
3750 'font-size:10.0pt'>mstring</span></span> as immutable as long as no
3751 operations are provided that modify the value of an
3752 <span class="CodeText"><span style=
3753 'font-size:10.0pt'>mstring</span></span>.</p>
3756 <h2 style='margin-left:0in;text-indent:0in'><a name=
3757 "_Toc534974956"></a><a name="_Toc344355422"></a><a name=
3758 "_Ref343109614">4.3.3<span style=
3759 'font:7.0pt "Times New Roman"'> </span>
3760 Semi-Abstract Types</a></h2>
3762 Sometimes it is useful to have a type that is abstract in some ways, but can be used with the standard numerical operators. Splint supports numabstract types for this purpose. The /*@numabstract@*/ annotation denotes a numabstract type. Splint will report warnings when numabstract types are used inconsistently, but allow binary numeric operators to operate on two values of the same numabstract type.
3764 <h2 style='margin-left:0in;text-indent:0in'><a name=
3765 "_Toc534974956"></a><a name="_Toc344355422"></a><a name=
3766 "_Ref343109614">4.4<span style=
3767 'font:7.0pt "Times New Roman"'> </span>
3768 Polymorphism</a></h2>
3769 <p class="TextFontCX">In C, all declarators must be declared to
3770 have exactly one type. This makes it impossible to write
3771 functions that operate on more than one type of parameter –
3772 for example, we cannot use the same square function for
3773 <span class="CodeText"><span style=
3774 'font-size:10.0pt'>int</span></span>s and <span class=
3775 "CodeText"><span style=
3776 'font-size:10.0pt'>float</span></span>s. Because of the
3777 stricter type checking made possible by Splint, it is often
3778 useful to declare a parameter that has more than one possible
3780 <p class="TextFontCX"> </p>
3781 <p class="TextFontCX">Splint provides alternate types to indicate
3782 that a declaration may be one of several possible types. The
3783 <span class="Annot"><span style='font-size:10.0pt'>/*@alt
3784 <i>type</i>,<sup>+</sup>@*/</span></span> annotation creates a
3785 union type. For example, <span class=
3786 "CodeText"><span style='font-size:10.0pt'>int</span></span>
3787 <a href="mailto:/*@alt"><span class="Annot"><span style=
3788 'font-size:10.0pt'>/*@alt</span></span></a><span class=
3789 "Annot"><span style='font-size:10.0pt'>char,
3790 unsigned</span></span> <a href="mailto:char@*/"><span class=
3791 "Annot"><span style=
3792 'font-size:10.0pt'>char@*/</span></span></a><span class=
3793 "CodeText"><span style='font-size:10.0pt'>c</span></span>
3794 declares <span class="CodeText"><span style=
3795 'font-size:10.0pt'>c</span></span> such that either an
3796 <span class="CodeText"><span style=
3797 'font-size:10.0pt'>int</span></span>, <span class=
3798 "CodeText"><span style='font-size:10.0pt'>char</span></span>
3799 or <span class="CodeText"><span style=
3800 'font-size:10.0pt'>unsigned char</span></span> value may be
3801 assigned to it without warning.</p>
3802 <p class="TextFontCX"> </p>
3803 <p class="TextFontCX">One use of alternate types is to specify the
3804 type of a macro that operates on multiple types of operands (see
3805 Section 11.2.1). Alternate types are also useful for
3806 declaring functions for which the return value may be safely
3807 ignored (see Section 8.4.2). A function can be declared to
3808 return <span class="CodeText"><i><span style=
3809 'font-size:10.0pt'>t</span></i></span> <a href=
3810 "mailto:/*@alt"><span class="Annot"><span style=
3811 'font-size:10.0pt'>/*@alt</span></span></a><a href=
3812 "mailto:void@*/"><span class="Annot"><span style=
3813 'font-size:10.0pt'>void@*/</span></span></a> to indicate that it
3814 returns a value of type <span class=
3815 "CodeText"><i><span style='font-size:10.0pt'>t</span></i></span>,
3816 but there should be not warning if that value is ignored.</p>
3817 <h1 style='margin-left:0in;text-indent:0in'><a name=
3818 "_Toc534974957"></a><a name="_Ref534008388">5<span style=
3819 'font:7.0pt "Times New Roman"'> </span>
3820 <a id="memory" name="memory">
3821 Memory Management</a>
3823 <p class="TextFontCX">About half the bugs in typical C programs can
3824 be attributed to memory management problems. Memory
3825 management bugs are notoriously difficult to detect through
3826 traditional techniques. Often, the symptom of the bug is far
3827 removed from its actual source. Memory management bugs often
3828 only appear sporadically and some bugs may only be apparent when
3829 compiler optimizations are turned on or the code is compiled on a
3830 different platform. Run-time tools offer some help, but are
3831 cumbersome to use and limited to detecting errors that occur when
3832 test cases are run. By detecting these errors statically, we
3833 can be confident that certain types of errors will never occur and
3834 provide verified documentation on the memory management behavior of
3835 a program. </p>
3836 <p class="TextFontCX"> </p>
3837 <p class="beforelist">Splint can detect many memory management
3838 errors at compile time including using storage that may have been
3839 deallocated (Section 5.2), memory leaks (Section 5.2), or
3840 returning a pointer to stack-allocated storage (Section
3842 <p align="right"><i><span style='font-size:9.0pt'>Yea, from the
3843 table of my memory I'll wipe away all trivial fond records, all
3845 all forms, all pressures past, that youth and observation copied
3846 there.</span></i><br>
3847 <span style='font-size:9.0pt'>Hamlet prefers
3848 garbage collection (Shakespeare, Hamlet. Act I, Scene
3850 <p class="afterlist">Most of these checks depend on annotations
3851 added to programs to document assumptions related to memory
3852 management and pointer values. By documenting these
3853 assumptions for function interfaces, variables, type definitions
3854 and structure fields, memory management bugs can be detected at
3855 their source — where an assumption is violated. In
3856 addition, precise documentation about memory management decisions
3857 makes it easier to change code.</p>
3858 <h2 style='margin-left:0in;text-indent:0in'><a name=
3859 "_Toc534974958"></a><a name="_Toc344355408">5.1<span style=
3860 'font:7.0pt "Times New Roman"'> </span>
3861 Storage Model</a></h2>
3862 <p class="TextFontCX">This section describes execution-time
3863 concepts for describing the state of storage more precisely than
3864 can be done using standard C terminology. Certain uses of
3865 storage are likely to indicate program bugs, and are reported as
3866 anomalies.<a href="#_ftn3" name="_ftnref3" title=
3867 ""><span class="MsoFootnoteReference"><b><span class=
3868 "MsoFootnoteReference"><b><span style=
3869 'font-size:11.0pt;font-family:"Times New Roman"'>[3]</span></b></span></b></span></a></p>
3870 <p class="TextFontCX"> </p>
3871 <p class="TextFontCX">Splint assumes a CLU-like object storage
3872 model.<a href="#_ftn4" name="_ftnref4" title=""><span class=
3873 "MsoFootnoteReference"><span class=
3874 "MsoFootnoteReference"><span style=
3875 'font-size:11.0pt;font-family:"Times New Roman"'>[4]</span></span></span></a>
3876 An <i>object</i> is a typed region of storage. Some objects
3877 use a fixed amount of storage that is allocated and deallocated
3878 automatically by the compiler. Other objects use dynamic
3879 storage that must be managed by the program.</p>
3880 <p class="TextFontCX"> </p>
3881 <p class="TextFontCX">Storage is <i>undefined</i> if it has not
3882 been assigned a value, and <i>defined</i> after it has been
3883 assigned a value. An object is <i>completely defined</i> if
3884 all storage that may be reached from it is defined. What
3885 storage is reachable from an object depends on the type and value
3886 of the object. For example, if <span class=
3887 "CodeText"><span style='font-size:10.0pt'>p</span></span> is a
3888 pointer to a structure, <span class="CodeText"><span style=
3889 'font-size:10.0pt'>p</span></span> is completely defined if the
3890 value of <span class="CodeText"><span style=
3891 'font-size:10.0pt'>p</span></span> is <span class=
3892 "CodeText"><span style='font-size:10.0pt'>NULL</span></span>, or if
3893 every field of the structure <span class=
3894 "CodeText"><span style='font-size:10.0pt'>p</span></span>
3895 points to is completely defined.</p>
3896 <p class="TextFontCX"> </p>
3897 <p class="TextFontCX">When an expression is used as the left side
3898 of an assignment expression we say it is <i>used as an
3899 lvalue</i>. Its location in memory is used, but not its
3900 value. Undefined storage may be used as an lvalue since only
3901 its location is needed. When storage is used in any other
3902 way, such as on the right side of an assignment, as an operand to a
3903 primitive operator (including the indirection operator,
3904 <span class="CodeText"><span style=
3905 'font-size:10.0pt'>*</span></span>),<a href="#_ftn5" name=
3906 "_ftnref5" title=""><span class=
3907 "MsoFootnoteReference"><span class=
3908 "MsoFootnoteReference"><span style=
3909 'font-size:11.0pt;font-family:"Times New Roman"'>[5]</span></span></span></a>
3910 or as a function parameter, we say it is <i>used as an
3911 rvalue</i>. It is an anomaly to use undefined storage
3913 <p class="TextFontCX"> </p>
3914 <p class="TextFontCX">A <i>pointer</i> is a typed memory
3915 address. A pointer is either <i>live</i> or
3916 <i>dead</i>. A live pointer is either <span class=
3917 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> or an
3918 address within allocated storage. A pointer that points to an
3919 object is an <i>object</i> pointer. A pointer that points
3920 inside an object (e.g., to the third element of an allocated block)
3921 is an <i>offset</i> pointer. A pointer that points to
3922 allocated storage that is not defined is an <i>allocated</i>
3923 pointer. The result of dereferencing an allocated pointer is
3924 undefined storage. Hence, it is an anomaly to use it as an
3925 rvalue. A dead (or “dangling”) pointer does not
3926 point to allocated storage. A pointer becomes dead if the
3927 storage it points to is deallocated (e.g., the pointer is passed to
3928 the <span class="CodeText"><span style=
3929 'font-size:10.0pt'>free</span></span> library function.) It
3930 is an anomaly to use a dead pointer as an rvalue.</p>
3931 <p class="TextFontCX"> </p>
3932 <p class="TextFontCX">There is a special object <i>null</i>
3933 corresponding to the <span class="CodeText"><span style=
3934 'font-size:10.0pt'>NULL</span></span>pointer in a C program.
3935 A pointer that may have the value <span class=
3936 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> is a
3937 <i>possibly-null</i> pointer. It is an anomaly to use a
3938 possibly-null pointer where a non-null pointer is expected (e.g.,
3939 certain function arguments or the indirection operator).</p>
3940 <h2 style='margin-left:0in;text-indent:0in'><a name=
3941 "_Toc534974959"></a><a name="_Ref347476065"></a><a name=
3942 "_Ref347469133"></a><a name="_Ref347465595"></a><a name=
3943 "_Ref344893840"></a><a name="_Toc344355409">5.2<span style=
3944 'font:7.0pt "Times New Roman"'> </span>
3945 Deallocation Errors</a></h2>
3946 <p class="TextFontCX">There are two kinds of deallocation errors
3947 with which we are concerned: deallocating storage when there
3948 are other live references to the same storage, or failing to
3949 deallocate storage before the last reference to it is lost.
3950 To handle these deallocation errors, we introduce a concept of an
3951 obligation to release storage. Every time storage is
3952 allocated, it creates an obligation to release the storage.
3953 This obligation is attached to the reference to which the storage
3954 is assigned.<a href="#_ftn6" name="_ftnref6" title=
3955 ""><span class="MsoFootnoteReference"><span class=
3956 "MsoFootnoteReference"><span style=
3957 'font-size:11.0pt;font-family:"Times New Roman"'>[6]</span></span></span></a>
3958 Before the scope of the reference is exited or it is assigned
3959 to a new value, the storage to which it points must be
3960 released. Annotations can be used to indicate that
3961 this obligation is transferred through a return value,
3962 function parameter or assignment to an external
3964 <p align="right"><i><span style='font-size:9.0pt'>‘Tis in my
3965 memory lock’d, and you yourself shall keep the key of
3967 <span style='font-size:9.0pt'>Ophelia prefers explicit
3968 deallocation (Hamlet. Act I, Scene iii)</span></p>
3969 <h3 style='margin-left:0in;text-indent:0in'><a name=
3970 "_Toc534974960">5.2.1<span style=
3971 'font:7.0pt "Times New Roman"'> </span>
3972 Unshared References</a></h3>
3973 <p class="TextFontCX">The <span class="Annot"><span style=
3974 'font-size:10.0pt'>only</span></span> annotation is used to
3975 indicate a reference is the only pointer to the object it points
3976 to. We can view the reference as having an obligation to
3977 release this storage. This obligation is satisfied by
3978 transferring it to some other reference in one of three ways:</p>
3979 <p class="MsoListBullet"><span style=
3980 'font-family:Symbol'>·<span style=
3981 'font:7.0pt "Times New Roman"'> </span></span>
3982 pass it as an actual parameter corresponding to a formal parameter
3983 declared with an <span class="Annot"><span style=
3984 'font-size:10.0pt'>only</span></span>
3985 annotation </p>
3986 <p class="MsoListBullet"><span style=
3987 'font-family:Symbol'>·<span style=
3988 'font:7.0pt "Times New Roman"'> </span></span>
3989 assign it to an external reference declared with an
3990 <span class="Annot"><span style=
3991 'font-size:10.0pt'>only</span></span> annotation</p>
3992 <p class="MsoListBullet"><span style=
3993 'font-family:Symbol'>·<span style=
3994 'font:7.0pt "Times New Roman"'> </span></span>
3995 return it as a result declared with an <span class=
3996 "Annot"><span style='font-size:10.0pt'>only</span></span>
3998 <p class="afterlist">After the release obligation is transferred,
3999 the original reference is a dead pointer and the storage it points
4000 to may not be used.</p>
4001 <p class="TextFontCX"> </p>
4002 <p class="TextFontCX">All obligations to release storage stem from
4003 primitive allocation routines (e.g., <span class=
4004 "CodeText"><span style='font-size:10.0pt'>malloc</span></span>),
4005 and are ultimately satisfied by calls to <span class=
4006 "CodeText"><span style='font-size:10.0pt'>free</span></span>.
4007 The standard library declared the primitive allocation and
4008 deallocation routines.</p>
4009 <p class="TextFontCX"> </p>
4010 <p class="TextFontCX">The basic memory allocator,
4011 <span class="CodeText"><span style=
4012 'font-size:10.0pt'>malloc</span></span>, is declared:</p>
4013 <p class="example"><a href="mailto:/*@only@*/">/*@only@*/</a>
4014 /*@null@*/ void *malloc (size_t size);</p>
4015 <p class="TextFontCX">It returns an object that is referenced only
4016 by the function return value. </p>
4017 <p class="TextFontCX"> </p>
4018 <p class="TextFontCX">The deallocator, <span class=
4019 "CodeText"><span style='font-size:10.0pt'>free</span></span>, is
4020 declared:<a href="#_ftn7" name="_ftnref7" title=
4021 ""><span class="MsoFootnoteReference"><span class=
4022 "MsoFootnoteReference"><span style=
4023 'font-size:11.0pt;font-family:"Times New Roman"'>[7]</span></span></span></a></p>
4024 <p class="example">void free (/*@only@*/ <a href=
4025 "mailto:/*@out@*/">/*@out@*/</a> <a href=
4026 "mailto:/*@null@*/">/*@null@*/</a> void *ptr);</p>
4028 <table class="MsoNormalTable" border="0" cellspacing="0"
4029 cellpadding="0" style=
4030 'margin-left:5.4pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
4032 <td valign="top" style=
4033 'width:193.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4034 <p class="TextFontCX" align="center" style='text-align:center'>
4035 <a name="_Ref344990094"><span class="Keyword"><b><span style=
4036 'font-size:10.0pt;color:white'>only.c</span></b></span></a></p></td>
4037 <td valign="top" style=
4038 'width:225.0pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4039 <p class="TextFontCX" align="center" style='text-align:center'>
4040 <b><span style='color:white'>Running
4041 Splint</span></b></p></td></tr>
4043 <td valign="top" style=
4044 'width:193.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4045 <p class="Verbatim"><i><span style=
4046 'font-size:8.0pt;font-family:Arial'>1 </span></i>
4047 <span style='font-size:9.5pt'>extern /*@only@*/ int
4049 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
4050 <p class="Verbatim"><span style='font-size:9.5pt'>/*@only@*/ int
4052 <p class="Verbatim"><span style='font-size:9.5pt'>f (/*@only@*/ int
4053 *x, int *y,</span></p>
4054 <p class="Verbatim"><span style='font-size:9.5pt'> int
4056 <p class="Verbatim"><span style='font-size:9.5pt'> /*@globals
4058 <p class="Verbatim"><span style='font-size:9.5pt'>{</span></p>
4059 <p class="Verbatim"><i><span style=
4060 'font-size:8.0pt;font-family:Arial'> 8</span></i>
4061 <span style='font-size:9.5pt'>int *m = (int *)</span></p>
4062 <p class="Verbatim"><i><span style=
4063 'font-size:8.0pt;font-family:Arial'> 9</span></i><span style='font-size:9.5pt'>
4064 malloc (sizeof (int));</span></p>
4065 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
4066 <p class="Verbatim"><i><span style=
4067 'font-size:8.0pt;font-family:Arial'>11</span></i>
4068 <span style='font-size:9.5pt'>glob =
4069 y; </span> <i><span style=
4070 'font-size:9.5pt; font-family:"Times New Roman"'>Memory
4072 <p class="Verbatim"><i><span style=
4073 'font-size:8.0pt;font-family:Arial'>12</span></i>
4074 <span style='font-size:9.5pt'>free (x);</span></p>
4075 <p class="Verbatim"><i><span style=
4076 'font-size:8.0pt;font-family:Arial'>13</span></i>
4077 <span style='font-size:9.5pt'>*m =
4078 *x; </span> <i><span style=
4079 'font-size:9.5pt; font-family:"Times New Roman"'>Use after
4081 <p class="Verbatim"><i><span style=
4082 'font-size:8.0pt;font-family:Arial'>14</span></i>
4083 <span style='font-size:9.5pt'>return
4084 z; </span> <i><span style=
4085 'font-size:9.5pt; font-family:"Times New Roman"'>Memory leak
4086 detected</span></i><i><span style=
4087 'font-size:9.5pt;font-family:Arial'> </span></i></p>
4088 <p class="TextFontCX"><span style=
4089 'font-size: 9.5pt'>}</span></p></td>
4090 <td valign="top" style=
4091 'width:225.0pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4092 <p class="lclintrun">> splint only.c</p>
4093 <p class="lclintrun">only.c:11: Only storage glob (type int *) not
4095 <p class="lclintrun">
4096
4097 before assignment: glob = y</p>
4098 <p class="lclintrun"> only.c:1: Storage glob becomes
4100 <p class="lclintrun">only.c:11: Implicitly temp storage y assigned
4102 <p class="lclintrun">
4103
4105 <p class="lclintrun">only.c:13: Dereference of possibly null
4107 <p class="lclintrun"> only.c:8: Storage m may become
4109 <p class="lclintrun">only.c:13: Variable x used after being
4111 <p class="lclintrun"> only.c:12: Storage x released</p>
4112 <p class="lclintrun">only.c:14: Implicitly temp storage z returned
4114 <p class="lclintrun">only.c:14: Fresh storage m not released before
4116 <p class="lclintrun" style='page-break-after:avoid'>
4117 only.c:9: Fresh storage m
4118 allocated </p></td></tr></table>
4119 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4121 <td valign="top" align="left" style=
4122 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
4123 <p class="MsoCaption"><a name="_Toc534824610">Figure 6.
4124 Memory Management</a></p></td></tr></table>
4125 <p class="TextFontCX">The parameter to <span class=
4126 "CodeText"><span style='font-size:10.0pt'>free</span></span> must
4127 reference an unshared object. Since the parameter is declared
4128 using <span class="Annot"><span style=
4129 'font-size:10.0pt'>only</span></span>, the caller may not use the
4130 referenced object after the call, and may not pass in a reference
4131 to a shared object. There is nothing special about
4132 <span class="CodeText"><span style=
4133 'font-size:10.0pt'>malloc</span></span> and <span class=
4134 "CodeText"><span style='font-size:10.0pt'>free</span></span>
4135 — their behavior can be described entirely in terms of the
4136 provided annotations.</p>
4137 <h3 style='margin-left:0in;text-indent:0in'><a name=
4138 "_Ref347468963"></a><a name="_Toc534974961"></a><a name=
4139 "_Ref347469360">5.2.2<span style=
4140 'font:7.0pt "Times New Roman"'> </span>
4141 Temporary Parameters</a></h3>
4142 <p class="TextFontCX">The <span class="Annot"><span style=
4143 'font-size:10.0pt'>temp</span></span> annotation is used to
4144 declare a function parameter that is used temporarily by the
4145 function. An error is reported if the function releases the
4146 storage associated with a <span class="Annot"><span style=
4147 'font-size:10.0pt'>temp</span></span> formal parameter or creates
4148 new aliases to it that are visible after the function
4149 returns. Any storage may be passed as a <span class=
4150 "Annot"><span style='font-size:10.0pt'>temp</span></span>
4151 parameter, and it satisfies its original memory constraints after
4152 the function returns.</p>
4153 <h3 style='margin-left:0in;text-indent:0in'><a name=
4154 "_Toc534974962">5.2.3<span style=
4155 'font:7.0pt "Times New Roman"'> </span>
4156 Owned and Dependent References</a></h3>
4157 <p class="TextFontCX">In real programs it is sometimes necessary to
4158 have storage that is shared between several possibly
4159 references. The <span class="Annot"><span style=
4160 'font-size:10.0pt'>owned</span></span> and <span class=
4161 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
4162 annotations provide a more flexible way of managing storage, at the
4163 cost of less checking. The <span class=
4164 "Annot"><span style='font-size:10.0pt'>owned</span></span>
4165 annotation denotes a reference with an obligation to release
4166 storage. Unlike <span class="Annot"><span style=
4167 'font-size:10.0pt'>only</span></span>, however, other
4168 external references marked with <span class=
4169 "Annot"><span style=
4170 'font-size:10.0pt'>dependent</span></span> annotations may
4171 share this object. It is up to the programmer to ensure
4172 that the lifetime of a <span class="Annot"><span style=
4173 'font-size:10.0pt'>dependent</span></span> reference is
4174 contained within the lifetime of the corresponding
4175 <span class="Annot"><span style=
4176 'font-size:10.0pt'>owned</span></span> reference.</p>
4177 <h3 style='margin-left:0in;text-indent:0in'><a name=
4178 "_Toc534974963"></a><a name="_Ref347805800">5.2.4<span style=
4179 'font:7.0pt "Times New Roman"'> </span>
4180 Keep Parameters</a></h3>
4181 <p class="TextFontCX">The <span class="Annot"><span style=
4182 'font-size:10.0pt'>keep</span></span> annotation is similar to
4183 <span class="Annot"><span style=
4184 'font-size:10.0pt'>only</span></span>, except the caller may use
4185 the reference after the call. The called function must assign
4186 the <span class="Annot"><span style=
4187 'font-size:10.0pt'>keep</span></span> parameter to an
4188 <span class="Annot"><span style=
4189 'font-size:10.0pt'>only</span></span> reference, or pass it
4190 as a <span class="Annot"><span style=
4191 'font-size:10.0pt'>keep</span></span> parameter to another
4192 function. It is up to the programmer to make sure that
4193 the calling function does not use this reference after it is
4194 released. The <span class="Annot"><span style=
4195 'font-size:10.0pt'>keep</span></span> annotation is useful
4196 for adding an object to a collection (e.g., a symbol table),
4197 where it is known that it will not be deallocated until the
4199 <h3 style='margin-left:0in;text-indent:0in'><a name=
4200 "_Toc534974964"></a><a name="_Ref347469304">5.2.5<span style=
4201 'font:7.0pt "Times New Roman"'> </span>
4202 Shared References</a></h3>
4203 <p class="TextFontCX">If Splint is used to check a program designed
4204 to be used in a garbage-collected environment, there may be storage
4205 that is shared by one or more references and never explicitly
4206 released. The <span class="Annot"><span style=
4207 'font-size:10.0pt'>shared</span></span> annotation declares storage
4208 that may be shared arbitrarily, but never released.</p>
4209 <h3 style='margin-left:0in;text-indent:0in'><a name=
4210 "_Toc534974965"></a><a name="_Ref348341639">5.2.6<span style=
4211 'font:7.0pt "Times New Roman"'> </span>
4212 Stack References</a></h3>
4213 <p class="TextFontCX">Local variables that are not allocated
4214 dynamically are stored on a call stack. When a function
4215 returns, its stack frame is deallocated, destroying the storage
4216 associated with the function’s local variables. A
4217 memory error occurs if a pointer into this storage is live after
4218 the function returns. Splint detects errors involving stack
4219 references exported from a function through return values or
4220 assignments to references reachable from global variables or actual
4221 parameters. No annotations are needed to detect stack
4222 reference errors, since it is clear from a declaration if storage
4223 is allocated on the function stack. Figure 7 gives and
4224 example of errors reported involving stack-allocated storage.</p>
4226 <table class="MsoNormalTable" border="0" cellspacing="0"
4227 cellpadding="0" style=
4228 'margin-left:5.4pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
4230 <td valign="top" style=
4231 'width:2.25in;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4232 <p class="TextFontCX" align="center" style='text-align:center'>
4233 <span class="Keyword"><b><span style=
4234 'font-size:10.0pt; color:white'>stack.c</span></b></span></p></td>
4235 <td valign="top" style=
4236 'width:256.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4237 <p class="TextFontCX" align="center" style='text-align:center'>
4238 <b><span style='color:white'>Running
4239 Splint</span></b></p></td></tr>
4241 <td valign="top" style=
4242 'width:2.25in;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4243 <p class="Verbatim">int *glob;</p>
4244 <p class="Verbatim"> </p>
4245 <p class="Verbatim">/*@dependent@*/ int *</p>
4246 <p class="Verbatim"> f (int **x)</p>
4247 <p class="Verbatim">{</p>
4248 <p class="Verbatim"> int sa[2] = { 0, 1 };</p>
4249 <p class="Verbatim"> int loc = 3;</p>
4250 <p class="Verbatim"> </p>
4251 <p class="Verbatim"><span class="Line"><span style=
4252 'font-size:8.0pt'> 9</span></span> glob = &loc;</p>
4253 <p class="Verbatim"><span class="Line"><span style=
4254 'font-size:8.0pt'>10</span></span> *x = &sa[0];</p>
4255 <p class="Verbatim"> </p>
4256 <p class="Verbatim"><span class="Line"><span style=
4257 'font-size:8.0pt'>12</span></span> return &loc;</p>
4258 <p class="Verbatim">} </p></td>
4259 <td valign="top" style=
4260 'width:256.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4261 <p class="lclintrun">> splint stack.c</p>
4262 <p class="lclintrun">stack.c:12: Stack-allocated storage &loc
4264 <p class="lclintrun">
4265
4266 from return value: &loc</p>
4267 <p class="lclintrun">stack.c:12: Stack-allocated storage *x
4269 <p class="lclintrun">
4270
4272 <p class="lclintrun"> stack.c:10: Storage *x becomes
4274 <p class="lclintrun">stack.c:12: Stack-allocated storage glob
4276 <p class="lclintrun">
4277
4278 from global glob</p>
4279 <p class="lclintrun"> stack.c:9: Storage glob becomes
4281 <p class="lclintrun"> </p>
4282 <p class="TextFontCX" align="left" style=
4283 'text-align:left;page-break-after:avoid'><i>A</i>
4284 <span class="Annot"><span style=
4285 'font-size:10.0pt'>dependent</span></span> <i>annotation is
4286 used on the return value. Without this, other warnings
4287 would be reported, since the result would have an
4288 implicit</i> <span class="Annot"><span style=
4289 'font-size: 10.0pt'>only</span></span>
4290 <i>annotation.</i></p></td></tr></table>
4291 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4293 <td valign="top" style=
4294 'padding-top:5.05pt;padding-right: 9.35pt;padding-bottom:5.05pt;padding-left:9.35pt'>
4295 <p class="MsoCaption"><a name="_Toc534824611"></a><a name=
4296 "_Ref534821941">Figure 7</a>. Stack-Allocated
4297 Storage</p></td></tr></table></center>
4298 <h3 style='margin-left:0in;text-indent:0in'><a name=
4299 "_Toc534974966">5.2.7<span style=
4300 'font:7.0pt "Times New Roman"'> </span>
4301 Inner Storage</a></h3>
4302 <p class="TextFontCX">An annotation always applies to the outermost
4303 level of storage. For example,</p>
4304 <p class="example">/*@only@*/ int **x;</p>
4305 <p class="beforelist">declares <span class=
4306 "CodeText"><span style='font-size:10.0pt'>x</span></span> as
4307 an unshared pointer to a pointer to an <span class=
4308 "CodeText"><span style=
4309 'font-size:10.0pt'>int</span></span>. The <span class=
4310 "Flag"><span style='font-size:10.0pt'>only</span></span>
4311 annotation applies to <span class="CodeText"><span style=
4312 'font-size:10.0pt'>x</span></span>, but not to <span class=
4313 "CodeText"><span style=
4314 'font-size:10.0pt'>*x</span></span>. To apply
4315 annotations to inner storage a type definition may be
4317 <p class="Verbatim"> typedef /*@only@*/ int *oip;</p>
4318 <p class="Verbatim"> /*@only@*/ oip *x;</p>
4319 <p class="afterlist">Now, x is an <span class=
4320 "Annot"><span style='font-size:10.0pt'>only</span></span>
4321 pointer to an <span class="Annot"><span style=
4322 'font-size:10.0pt'>oip</span></span>, which is an
4323 <span class="Annot"><span style=
4324 'font-size:10.0pt'>only</span></span> pointer to an
4325 <span class="Annot"><span style=
4326 'font-size:10.0pt'>int</span></span>.</p>
4327 <p class="afterlist">When annotations are used in type definitions,
4328 they may be overridden in instance declarations. For
4330 <p class="example">/*@dependent@*/ oip x;</p>
4331 <p class="TextFontCX">makes <span class=
4332 "CodeText"><span style='font-size:10.0pt'>x</span></span> a
4333 <span class="Annot"><span style=
4334 'font-size:10.0pt'>dependent</span></span> pointer to an
4335 <span class="CodeText"><span style=
4336 'font-size:10.0pt'>int</span></span>. Another way to
4337 apply annotations to inner storage is to use a state clause
4338 (see Section 7.4).</p>
4339 <h2 style='margin-left:0in;text-indent:0in'><a name=
4340 "_Toc534974967"></a><a name="_Ref347812243"></a><a name=
4341 "_Ref344893978"></a><a name="_Toc344355410">5.3<span style=
4342 'font:7.0pt "Times New Roman"'> </span>
4343 Implicit Memory Annotations</a></h2>
4344 <p class="TextFontCX">Since it is important that Splint can check
4345 unannotated programs effectively, the meaning of declarations with
4346 no memory annotations is chosen to minimize the number of
4347 annotations needed to get useful checking on an unannotated
4349 <p class="TextFontCX"> </p>
4350 <p class="TextFontCX">An implicit memory management annotation may
4351 be assumed for declarations with no explicit memory management
4352 annotation. Implicit annotations are checked identically to
4353 the corresponding explicit annotation, except error messages
4354 indicate that they result from an implicit annotation. Figure
4355 8 illustrates some implicit annotations.</p>
4356 <p class="TextFontCX"> </p>
4357 <p class="TextFontCX">Unannotated function parameters are assumed
4358 to be <span class="Annot"><span style=
4359 'font-size:10.0pt'>temp</span></span>. This means if memory
4360 checking is turned on for an unannotated program, all functions
4361 that release storage referenced by a parameter or assign a global
4362 variable to alias the storage will produce error messages.
4363 (Controlled by <span class="Flag"><span style=
4364 'font-size:10.0pt'>paramimptemp</span></span>.)</p>
4365 <p class="TextFontCX"> </p>
4367 <table class="MsoNormalTable" border="0" cellspacing="0"
4368 cellpadding="0" style=
4369 'width:423.0pt;margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4370 <tr style='page-break-inside:avoid'>
4371 <td colspan="2" valign="top" style=
4372 'width:423.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4373 <p class="TextFontCX" align="center" style='text-align:center'>
4374 <span class="Keyword"><b><span style=
4375 'font-size:10.0pt; color:white'>implicit.c</span></b></span></p></td></tr>
4377 <td valign="top" style=
4378 'width:207.0pt;border-top:none;border-left: solid black 1.5pt;border-bottom:solid black 1.5pt;border-right:none; padding:0in 5.4pt 0in 5.4pt'>
4379 <p class="Verbatim">typedef struct {</p>
4380 <p class="Verbatim"> <span class=
4381 "implicit"><b>only</b></span> char *name;</p>
4382 <p class="Verbatim"> int val;</p>
4383 <p class="Verbatim">} *rec;</p>
4384 <p class="Verbatim"> </p>
4385 <p class="Verbatim">extern <span class=
4386 "implicit"><b>only</b></span> rec rec_last ;</p>
4387 <p class="Verbatim"> </p>
4388 <p class="Verbatim">extern <span class=
4389 "implicit"><b>only</b></span> rec</p>
4390 <p class="Verbatim"> rec_create (<span class=
4391 "implicit"><b>temp</b></span> char *name,</p>
4392 <p class="Verbatim">
4393
4395 <p class="TextFontCX"><i>Annotations in</i> <span class=
4396 "Keyword"><b><i><span style=
4397 'font-size:10.0pt;color:windowtext'>italics</span></i></b></span>
4398 <i>are not present in the code, but may be implied depending on
4399 flag settings.</i></p></td>
4400 <td valign="top" style=
4401 'width:3.0in;border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
4402 <p class="TextFontCX"> </p>
4403 <p class="TextFontCX" align="left" style='text-align:left'>
4404 <i>Implicit</i> <span class="Annot"><i><span style=
4405 'font-size:10.0pt'>only</span></i></span> <i>annotation on mutable
4406 structure field if</i> <span class="Flag"><span style=
4407 'font-size:10.0pt'>structimponly</span></span> <i>is on.</i></p>
4408 <p class="lclintrun"><i> </i></p>
4409 <p class="TextFontCX" align="left" style='text-align:left'>
4410 <i>Implicit</i> <span class="Annot"><span style=
4411 'font-size:10.0pt'>only</span></span> <i>annotation on mutable
4412 global variables if</i> <span class="Flag"><span style=
4413 'font-size:10.0pt'>globimponly</span></span> <i>is on.</i></p>
4414 <p class="TextFontCX" align="left" style='text-align:left'>
4416 <p class="TextFontCX" align="left" style=
4417 'text-align:left;page-break-after:avoid'><i>Implicit</i>
4418 <span class="Annot"><span style=
4419 'font-size:10.0pt'>only</span></span> <i>annotation on mutable
4420 function result if</i> <span class="Flag"><span style=
4421 'font-size: 10.0pt'>retimponly</span></span> <i>is set.
4422 Implicit</i> <span class="Annot"><span style=
4423 'font-size:10.0pt'>temp</span></span> <i>annotation on mutable
4424 parameter if</i> <span class="Flag"><span style=
4425 'font-size:10.0pt'>paramimptemp</span></span> <i>is
4426 set.</i></p></td></tr></table>
4427 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4429 <td valign="top" align="left" style=
4430 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
4431 <p class="MsoCaption"><a name="_Toc534824612"></a><a name=
4432 "_Ref534822006">Figure 8</a>. Implicit
4433 Annotations</p></td></tr></table></center>
4434 <p class="TextFontCX">Unannotated return values, structure fields
4435 and global variables are assumed to be <span class=
4436 "Annot"><span style='font-size:10.0pt'>only</span></span>.
4437 With implicit annotations (on by default), turning on memory
4438 checking for an unannotated program will produce errors for any
4439 function that does not return unshared storage or assignment of
4440 shared storage to a global variable or structure field. If an
4441 exposure qualifier is used (see Section 6.2), the implied
4442 <span class="Annot"><span style=
4443 'font-size: 10.0pt'>dependent</span></span> annotation is used
4444 instead of the more generally implied <span class=
4445 "Annot"><span style='font-size:10.0pt'>only</span></span>
4446 annotation. (Controlled by <span class=
4447 "Flag"><span style='font-size:10.0pt'>retimponly</span></span>,
4448 <span class="Flag"><span style=
4449 'font-size:10.0pt'>structimponly</span></span> and
4450 <span class="Flag"><span style=
4451 'font-size:10.0pt'>globimponly</span></span>. The
4452 <span class="Flag"><span style=
4453 'font-size:10.0pt'>allimponly</span></span> flag sets
4454 all of the implicit only flags.) </p>
4455 <h2 style='margin-left:0in;text-indent:0in'><a name=
4456 "_Toc534974968"></a><a name="_Ref534970957"></a><a name=
4457 "_Ref347469058"></a><a name="_Ref344907383"></a><a name=
4458 "_Toc344355411">5.4<span style=
4459 'font:7.0pt "Times New Roman"'> </span>
4460 Reference Counting</a></h2>
4461 <p class="TextFontCX">Another approach to memory management is to
4462 add a field to a type to explicitly keep track of the number of
4463 references to that storage. Every time a reference is added
4464 or lost the reference count is adjusted accordingly; if it would
4465 become zero, the storage is released. Reference counting it
4466 difficult to do without automatic checking since it is easy to
4467 forget to increment or decrement the reference count, and
4468 exceedingly difficult to track down these errors.</p>
4469 <p class="TextFontCX"> </p>
4470 <p class="TextFontCX">Splint supports reference counting by using
4471 annotations to constrain the use of reference counted storage in a
4472 manner similar to other memory management annotations.</p>
4473 <p class="TextFontCX"> </p>
4474 <p class="TextFontCX">A reference counted type is declared using
4475 the <span class="Annot"><span style=
4476 'font-size:10.0pt'>refcounted</span></span> annotation. Only
4477 pointer to <span class="CodeText"><span style=
4478 'font-size:10.0pt'>struct</span></span> types may be declared as
4479 <span class="Annot"><span style=
4480 'font-size:10.0pt'>refcounted</span></span>, since reference
4481 counted storage must have a field to count the references.
4482 One field in the structure (or integral type) is preceded by the
4483 <span class="Annot"><span style=
4484 'font-size:10.0pt'>refs</span></span> annotation to indicate that
4485 the value of this field is the number of live references to the
4486 structure. For example (in <span class="Keyword"><span style=
4487 'font-size:10.0pt;font-family:Arial; color:windowtext'>rstring.h</span></span>),</p>
4488 <p class="Verbatim" style='margin-top:6.0pt'>
4489 typedef /*@abstract@*/
4490 /*@refcounted@*/ struct {</p>
4491 <p class="Verbatim">
4492 /*@refs@*/ int refs;</p>
4493 <p class="Verbatim"> char
4495 <p class="Verbatim"> } *rstring;</p>
4496 <p class="afterlist">declares <span class=
4497 "CodeText"><span style='font-size:10.0pt'>rstring</span></span>
4498 as an abstract, reference-counted type. The
4499 <span class="CodeText"><span style=
4500 'font-size:10.0pt'>refs</span></span> field counts the number
4501 of references and the <span class="CodeText"><span style=
4502 'font-size:10.0pt'>contents</span></span> field holds the
4503 contents of a string.</p>
4504 <p class="TextFontCX"> </p>
4506 <table class="MsoNormalTable" border="0" cellspacing="0"
4507 cellpadding="0" style=
4508 'width:425.5pt;margin-left:.2in;border-collapse:collapse'>
4510 <td valign="top" style=
4511 'width:267.05pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4512 <p class="TextFontCX" align="center" style='text-align:center'>
4513 <span class="Keyword"><b><span style=
4514 'font-size:10.0pt; color:white'>rstring.c</span></b></span></p></td>
4515 <td valign="top" style=
4516 'width:158.45pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4517 <p class="TextFontCX" align="center" style='text-align:center'>
4518 <b><span style='color:white'>Running
4519 Splint</span></b></p></td></tr>
4521 <td valign="top" style=
4522 'width:267.05pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4523 <p class="Verbatim"><span style='font-size:9.0pt'># include
4524 "rstring.h"</span></p>
4525 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
4526 <p class="Verbatim"><span style='font-size:9.0pt'>static rstring
4527 rstring_ref (rstring r)</span></p>
4528 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
4529 <p class="Verbatim"><span style='font-size:9.0pt'>
4530 r->refs++;</span></p>
4531 <p class="Verbatim"><span class="Line"><span style=
4532 'font-size:8.0pt'>6</span></span> <span style=
4533 'font-size:9.0pt'>return r;</span></p>
4534 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p>
4535 <p class="Verbatim"><span style='font-size:9.0pt'> </span></p>
4536 <p class="Verbatim"><span style='font-size:9.0pt'>rstring
4537 rstring_first (rstring r1, rstring r2)</span></p>
4538 <p class="Verbatim"><span style='font-size:9.0pt'>{</span></p>
4539 <p class="Verbatim"><span style='font-size:9.0pt'> if (strcmp
4540 (r1->contents, r2->contents) < 0)</span></p>
4541 <p class="Verbatim"><span class="Line"><span style=
4542 'font-size:8.0pt'>12</span></span><span style=
4543 'font-size:9.0pt'> return r1;</span></p>
4544 <p class="Verbatim"><span style='font-size:9.0pt'>
4546 <p class="Verbatim"><span class="Line"><span style=
4547 'font-size:8.0pt'>14</span></span><span style=
4548 'font-size:9.0pt'> return rstring_ref
4550 <p class="Verbatim"><span style='font-size:9.0pt'>}</span></p></td>
4551 <td valign="top" style=
4552 'width:158.45pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4553 <p class="lclintrun">> splint rstring.c</p>
4554 <p class="lclintrun">rstring.c:12: Reference counted </p>
4555 <p class="lclintrun"> storage returned without
4557 <p class="lclintrun"> reference count: r1</p>
4558 <p class="lclintrun"><i> </i></p>
4559 <p class="TextFontCX" align="left" style='text-align:left'>
4560 <i><span style='font-size:10.0pt'>No error is reported for line 6
4561 since the reference count was incremented. No error is
4562 reported for line 14, since</span></i> <span class=
4563 "CodeText"><i><span style=
4564 'font-size:10.0pt'>rstring_ref</span></i></span><i><span style='font-size:10.0pt'>
4565 returns a new reference.</span></i></p>
4566 <p class="TextFontCX" align="left" style=
4567 'text-align:left;page-break-after:avoid'><span style=
4568 'font-size:10.0pt'> </span></p></td></tr></table>
4569 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
4572 <td valign="top" align="left" style=
4573 'padding-top:.1in;padding-right: 0in;padding-bottom:.1in;padding-left:0in'>
4574 <p class="MsoCaption"><a name="_Toc534824613"></a><a name=
4575 "_Ref534822069">Figure 9</a>. Reference
4576 Counting</p></td></tr></table></center>
4579 <p class="TextFontCX">All functions that return <span class=
4580 "Annot"><span style='font-size:10.0pt'>refcounted</span></span>
4581 storage must increase the reference count before returning.
4582 Splint cannot determine if the reference count was increased, so
4583 any function that directly returns a reference to
4584 <span class="Annot"><span style=
4585 'font-size:10.0pt'>refcounted</span></span> storage will
4586 produce an error. This is avoided, by using a function
4587 to return a new reference (e.g., <span class=
4588 "CodeText"><span style=
4589 'font-size:10.0pt'>rstring_ref</span></span> in Figure
4591 <p class="TextFontCX"> </p>
4592 <p class="TextFontCX">A reference counted type may be passed as a
4593 <span class="Annot"><span style=
4594 'font-size:10.0pt'>temp</span></span> or <span class=
4595 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
4596 parameter. It may not be passed as an <span class=
4597 "Annot"><span style='font-size:10.0pt'>only</span></span>
4598 parameter. Instead, the <span class=
4599 "Annot"><span style='font-size:10.0pt'>killref</span></span>
4600 annotation is used to denote a parameter whose reference is
4601 eliminated by the function call. Like <span class=
4602 "Annot"><span style='font-size:10.0pt'>only</span></span>
4603 parameters, an actual parameter corresponding to a
4604 <span class="Annot"><span style=
4605 'font-size:10.0pt'>killref</span></span> formal parameter may
4606 not be used in the calling function after the call.
4607 Splint checks that the implementation of a function releases
4608 all <span class="Annot"><span style=
4609 'font-size:10.0pt'>killref</span></span> parameters, either
4610 by passing them as <span class="Annot"><span style=
4611 'font-size: 10.0pt'>killref</span></span> parameters, or
4612 assigning or returning them without increasing the reference
4614 <h1 style='margin-left:0in;text-indent:0in'><a name=
4615 "_Ref348845247"></a><a name="_Ref348796245"></a><a name=
4616 "_Toc344355413"></a><a name="_Ref344355210"></a><a name=
4617 "_Ref343064238"></a><a name="_Ref343064188"></a><a name=
4618 "_Toc534974969"></a><a name="_Ref534642796"></a><a name=
4619 "_Ref534642146">6<span style=
4620 'font:7.0pt "Times New Roman"'> </span>
4621 <a id="sharing" name="sharing">
4622 Sharing</a></a></h1>
4623 <p class="TextFontCX">Errors involving unexpected sharing of
4624 storage can cause serious problems. Undocumented sharing may
4625 lead to unpredictable modifications, and some library calls (e.g.,
4626 <span class="CodeText"><span style=
4627 'font-size:10.0pt'>strcpy</span></span>) have undefined behavior if
4628 parameters share storage. Another class of sharing errors
4629 occurs when clients of an abstract type may obtain a reference to
4630 mutable storage that is part of the abstract representation.
4631 This exposes the representation of the abstract type, since clients
4632 may modify an instance of the abstract type indirectly through this
4634 <h2 style='margin-left:0in;text-indent:0in'><a name=
4635 "_Ref534977801"></a><a name="_Toc534974970">6.1<span style=
4636 'font:7.0pt "Times New Roman"'> </span>
4638 <p class="TextFontCX">Splint detects errors involving dangerous
4639 aliasing of parameters. Some of these errors are already
4640 detected through the standard memory annotations (e.g.,
4641 <span class="Annot"><span style=
4642 'font-size:10.0pt'>only</span></span> parameters may not
4643 be aliases.) Two additional annotations are
4644 provided for constraining aliasing of parameters and return
4646 <h3 style='margin-left:0in;text-indent:0in'><a name=
4647 "_Toc534974971"></a><a name="_Ref347469444">6.1.1<span style=
4648 'font:7.0pt "Times New Roman"'> </span>
4649 Unique Parameters</a></h3>
4650 <p class="TextFontCX">The <span class="Annot"><span style=
4651 'font-size:10.0pt'>unique</span></span> annotation denotes a
4652 parameter that may not be aliased by any other storage reachable
4653 from the function implementation — that is, any storage
4654 reachable through the other parameters or global variables used by
4655 the function. The <span class="Annot"><span style=
4656 'font-size:10.0pt'>unique</span></span> annotation places similar
4657 constraints on function parameters as the <span class=
4658 "Annot"><span style='font-size:10.0pt'>only</span></span>
4659 annotation, but it does not transfer the obligation to release
4660 storage. Splint will report an error if a <span class=
4661 "Annot"><span style='font-size:10.0pt'>unique</span></span>
4662 parameter may be aliased by another parameter or global
4664 <p class="TextFontCX"> </p>
4665 <p class="TextFontCX">Splint reports an error if a function returns
4666 a reference to storage reachable from one of its parameters (if
4667 <span class="Flag"><span style=
4668 'font-size:10.0pt'>retalias</span></span> is on) since this may
4669 introduce unexpected aliases in the body of the calling function
4670 when the result is assigned.</p>
4671 <p class="TextFontCX"> </p>
4672 <p class="TextFontCX">Figure 10 illustrated sharing checks.
4673 An error is reported since the first parameter to the library
4674 function <span class="CodeText"><span style=
4675 'font-size:10.0pt'>strcpy</span></span> is declared with
4676 unique. If a <span class="CodeText"><span style=
4677 'font-size:10.0pt'>unique</span></span> qualifier were added to the
4678 parameter declaration for <span class="CodeText"><span style=
4679 'font-size:10.0pt'>s</span></span> or <span class=
4680 "CodeText"><span style='font-size:10.0pt'>t</span></span>, no error
4681 would be reported. </p>
4683 <table class="MsoNormalTable" border="0" cellspacing="0"
4684 cellpadding="0" style=
4685 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4687 <td valign="top" style=
4688 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4689 <p class="TextFontCX" align="center" style='text-align:center'>
4690 <span class="Keyword"><b><span style=
4691 'font-size:10.0pt; color:white'>unique.c</span></b></span></p></td>
4692 <td valign="top" style=
4693 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4694 <p class="TextFontCX" align="center" style='text-align:center'>
4695 <b><span style='color:white'>Running
4696 Splint</span></b></p></td></tr>
4698 <td valign="top" style=
4699 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4700 <p class="Verbatim"># include <string.h></p>
4701 <p class="Verbatim"> </p>
4702 <p class="Verbatim">void </p>
4703 <p class="Verbatim">capitalize (/*@out@*/ char *s,</p>
4704 <p class="Verbatim">
4705 char *t)</p>
4706 <p class="Verbatim">{</p>
4707 <p class="Verbatim"><span class="Line"><span style=
4708 'font-size:8.0pt'> 7</span></span> strcpy (s, t);</p>
4709 <p class="Verbatim"> *s = toupper (*s);</p>
4710 <p class="Verbatim">}</p></td>
4711 <td valign="top" style=
4712 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
4713 <p class="lclintrun">> splint unique.c</p>
4714 <p class="lclintrun"> </p>
4715 <p class="lclintrun">unique.c: (in function capitalize)</p>
4716 <p class="lclintrun">unique.c:7: Parameter 1 (s) to function strcpy
4718 <p class="lclintrun"> declared unique but may be
4719 aliased externally by</p>
4720 <p class="lclintrun"> parameter 2 (t)</p>
4721 <p class="lclintrun"> </p></td></tr></table>
4722 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4724 <td valign="top" align="left" style=
4725 'padding-top:6.5pt;padding-right: 9.35pt;padding-bottom:6.5pt;padding-left:9.35pt'>
4726 <p class="MsoCaption"><a name="_Toc534824614"></a><a name=
4727 "_Ref534822167">Figure 10</a>. Unique
4728 parameters</p></td></tr></table></center>
4729 <h3 style='margin-left:0in;text-indent:0in'><a name=
4730 "_Toc534974972"></a><a name="_Ref347469448">6.1.2<span style=
4731 'font:7.0pt "Times New Roman"'> </span>
4732 Returned Parameters</a></h3>
4733 <p class="TextFontCX">The <span class="Annot"><span style=
4734 'font-size:10.0pt'>returned</span></span> annotation denotes a
4735 parameter that may be aliased by the return value. Splint
4736 checks the call assuming the result may be an alias to the
4737 <span class="Annot"><span style=
4738 'font-size:10.0pt'>returned</span></span> parameter.</p>
4739 <p class="TextFontCX"> </p>
4740 <p class="TextFontCX">Consider the following code excerpt:</p>
4741 <p class="TextFontCX"> </p>
4742 <p class="Verbatim">extern intSet intSet_insert (/*@returned@*/
4743 intSet s, int x);</p>
4744 <p class="Verbatim"> </p>
4745 <p class="Verbatim">intSet intSet_singleton (int x)</p>
4746 <p class="Verbatim">{</p>
4747 <p class="Verbatim"><span class="Line"><span style=
4748 'font-size:8.0pt'>7</span></span> return (intSet_insert
4749 (intSet_new (), x));</p>
4750 <p class="TextFontCX">}</p>
4751 <p class="TextFontCX"> </p>
4752 <p class="TextFontCX">Without the <span class=
4753 "Annot"><span style='font-size:10.0pt'>returned</span></span>
4754 qualifier on the parameter to <span class=
4755 "CodeText"><span style=
4756 'font-size:10.0pt'>intSet_insert</span></span>, a memory leak
4757 error would be reported for line 7, since the <span class=
4758 "Annot"><span style='font-size:10.0pt'>only</span></span>
4759 storage returned by <span class="CodeText"><span style=
4760 'font-size:10.0pt'>intSet_new</span></span> is not
4761 released. Because of the <span class=
4762 "Annot"><span style='font-size:10.0pt'>returned</span></span>
4763 qualifier, Splint assumes the result of <span class=
4764 "CodeText"><span style=
4765 'font-size:10.0pt'>intSet_insert</span></span> is the same
4766 storage as its first parameter, in this case the storage
4767 returned by <span class="CodeText"><span style=
4768 'font-size:10.0pt'>intSet_new</span></span>. No error
4769 is reported, since the only storage is then transferred
4770 through the return value (which has an implicit only
4771 annotation, see Section 5.3).</p>
4772 <h2 style='margin-left:0in;text-indent:0in'><a name=
4773 "_Ref344907981"></a><a name="_Ref344894258"></a><a name=
4774 "_Ref344809320"></a><a name="_Toc344355414"></a><a name=
4775 "_Toc534974973"></a><a name="_Ref345591408"></a><a name=
4776 "_Ref345591053">6.2<span style=
4777 'font:7.0pt "Times New Roman"'> </span>
4779 <p class="TextFontCX">Splint detects places where the
4780 representation of an abstract type is exposed. This occurs if
4781 a client has a pointer to storage that is part of the
4782 representation of an instance of the abstract type. The
4783 client can then modify or examine the storage this points to, and
4784 manipulate the value of the abstract type instance without using
4786 <p class="TextFontCX"> </p>
4787 <p class="TextFontCX">There are three ways a representation may be
4789 <p class="TextFontCX" style=
4790 'margin-left:.25in; text-indent:-.25in'>1.<span style=
4791 'font:7.0pt "Times New Roman"'> </span>
4792 Returning (or assigning to a global variable) an object that
4793 includes a pointer to a mutable component of an abstract
4794 type representation. (Controlled by <span class=
4796 'font-size:10.0pt'>ret-expose</span></span>).</p>
4797 <p class="TextFontCX" style=
4798 'margin-left:.25in; text-indent:-.25in'>2.<span style=
4799 'font:7.0pt "Times New Roman"'> </span>
4800 Assigning a mutable component of an abstract object to storage
4801 reachable from an actual parameter or a global variable that may be
4802 used after the call. This means the client may
4803 manipulate the abstract object using the actual parameter after the
4804 call. Note that if the corresponding formal parameter is
4805 declared <span class="Annot"><span style=
4806 'font-size:10.0pt'>only</span></span>, the caller may not use the
4807 actual parameter after the call so the representation is not
4808 exposed. (Controlled by <span class="Flag"><span style=
4809 'font-size:10.0pt'>assign-expose</span></span>).</p>
4810 <p class="TextFontCX" style=
4811 'margin-left:.25in; text-indent:-.25in'>3.<span style=
4812 'font:7.0pt "Times New Roman"'> </span>
4813 Casting mutable storage to or from an abstract type.
4814 (Controlled by <span class="Flag"><span style=
4815 'font-size:10.0pt'>cast-expose</span></span>).</p>
4816 <p class="afterlist">Annotations may be used to allow exposed
4817 storage to be returned safely by restricting how the caller may use
4818 the returned storage.</p>
4819 <h3 style='margin-left:0in;text-indent:0in'><a name=
4820 "_Toc534974974"></a><a name="_Ref347469553">6.2.1<span style=
4821 'font:7.0pt "Times New Roman"'> </span>
4822 Read-Only Storage</a></h3>
4823 <p class="beforelist">It is often useful for a function to return a
4824 pointer to internal storage (or an instance of a mutable abstract
4825 type) that is intended only as an <i>observer</i>. The caller
4826 may use the result, but should not modify the storage it points
4827 to. For example, consider a naïve implementation of the
4828 <span class="CodeText"><span style=
4829 'font-size:10.0pt'>employee_getName</span></span> operation for the
4830 abstract <span class="CodeText"><span style=
4831 'font-size:10.0pt'>employee</span></span> type:</p>
4832 <p class="Verbatim"> typedef /*@abstract@*/ struct
4834 <p class="Verbatim"> char *name;</p>
4835 <p class="Verbatim"> int id;</p>
4836 <p class="Verbatim"> } *employee;</p>
4837 <p class="Verbatim"> …</p>
4838 <p class="Verbatim"> char *employee_getName (employee
4839 e) { return e->name; }</p>
4840 <p class="afterlist">Splint produces a message to indicate that the
4841 return value exposes the representation. One solution would
4842 be to return a fresh copy of <span class=
4843 "CodeText"><span style='font-size:10.0pt'>e->name</span></span>.
4844 This is expensive, though, especially if we expect
4845 <span class="CodeText"><span style=
4846 'font-size:10.0pt'>employee_getName</span></span> is used
4847 mainly just to get a string for searching or printing.
4848 Instead, we could change the declaration of <span class=
4849 "CodeText"><span style=
4850 'font-size:10.0pt'>employee_getName</span></span> to:</p>
4851 <p class="example">extern /*@observer@*/ char *employee_getName
4853 <p class="TextFontCX">Now, the original implementation is
4854 correct. The declaration indicates that the caller may not
4855 modify the result, so it is acceptable to return shared
4856 storage. (The program must also not use the returned observer
4857 storage after any other calls to the abstract type module using the
4858 same parameter. Splint does not attempt to check this, and in
4859 practice it is rarely a problem.) Splint checks that the
4860 caller does not modify the return value. An error is reported
4861 if observer storage is modified directly, passed as a function
4862 parameter that may be modified, assigned to a global variable or
4863 reference derivable from a global variable that is not declared
4864 with an <span class="Annot"><span style=
4865 'font-size: 10.0pt'>observer</span></span> annotation , or returned
4866 as a function result or a reference derivable from the function
4867 result that is not annotation with an <span class=
4868 "Annot"><span style='font-size:10.0pt'>observer</span></span>
4870 <h4 style='margin-left:0in;text-indent:0in'><a name=
4871 "_Ref347469563"></a><a name="_Ref348017065">String
4873 <p class="TextFontCX">A program that attempts to modify a
4874 string literal has undefined behavior [ISO, 6.4.5]. This is
4875 not enforced by most C compilers, and can lead to particularly
4876 pernicious bugs that only appear when optimizations are turned on
4877 and the compiler attempts to minimize storage for string
4878 literals. Splint can be used to check that string literals
4879 are not modified, by treating them as -<span class=
4880 "Annot"><span style=
4881 'font-size:10.0pt'>observer</span></span> storage. If
4882 <span class="Flag"><span style=
4883 'font-size:10.0pt'>+read-only-strings</span></span> is set (default
4884 in standard mode), Splint will report an error if a string literal
4886 <h3 style='margin-left:0in;text-indent:0in'><a name=
4887 "_Toc534974975">6.2.2<span style=
4888 'font:7.0pt "Times New Roman"'> </span>
4889 Exposed Storage</a></h3>
4890 <p class="TextFontCX">Sometimes it is necessary to expose the
4891 representation of an abstract type. This may be evidence of a
4892 design flaw, but in some cases is justified for efficiency
4893 reasons. The <span class="Annot"><span style=
4894 'font-size:10.0pt'>exposed</span></span> annotation denotes
4895 storage that is exposed. It may be used on a return value for
4896 results that reference storage internal to an abstract
4897 representation, on a parameter value to indicate a parameter that
4898 may be assigned directly to part of an abstract representation
4899 (note that if the parameter is annotated with <span class=
4900 "Annot"><span style='font-size:10.0pt'>only</span></span>, it is
4901 not an error to assign it to part of an abstract representation,
4902 since the caller may not use the storage after the call returns),
4903 or on a field of an abstract representation to indicate that
4904 external references to the storage may exist. <a name=
4905 "_Toc344355415"></a><a name="_Ref343064165"></a><a name=
4906 "_Ref347254440"></a><a name="_Ref347169365">An error is reported
4907 if</a> <span class="Annot"><span style=
4908 'font-size:10.0pt'>exposed</span></span> storage is released, but
4909 unlike an <span class="Annot"><span style=
4910 'font-size:10.0pt'>observer</span></span>, no error is reported if
4911 it is modified. Figure 11 shows examples of exposure problems
4912 detected by Splint.</p>
4913 <p class="TextFontCX"> </p>
4915 <table class="MsoNormalTable" border="0" cellspacing="0"
4916 cellpadding="0" style=
4917 'margin-left:6.75pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
4919 <td width="45%" valign="top" style=
4920 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
4921 <p class="TextFontCX" align="center" style='text-align:center'>
4922 <span class="Keyword"><b><span style=
4923 'font-size:10.0pt; color:white'>exposure.c</span></b></span></p></td>
4924 <td valign="top" style=
4925 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
4926 <p class="TextFontCX" align="center" style='text-align:center'>
4927 <b><span style='color:white'>Running
4928 Splint</span></b></p></td></tr>
4930 <td valign="top" style=
4931 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
4932 <p class="Verbatim"># include "employee.h"</p>
4933 <p class="Verbatim"> </p>
4934 <p class="Verbatim">char *</p>
4935 <p class="Verbatim">employee_getName (employee e)</p>
4936 <p class="Verbatim">{</p>
4937 <p class="Verbatim"><span class="Line"><span style=
4938 'font-size:8.0pt'>6</span></span> return e->name;</p>
4939 <p class="Verbatim">}</p>
4940 <p class="Verbatim"> </p>
4941 <p class="Verbatim">/*@observer@*/ char *</p>
4942 <p class="Verbatim">employee_obsName (employee e)</p>
4943 <p class="Verbatim">{ return e->name; }</p>
4944 <p class="Verbatim"> </p>
4945 <p class="Verbatim">/*@exposed@*/ char *</p>
4946 <p class="Verbatim">employee_exposeName (employee e)</p>
4947 <p class="Verbatim">{ return e->name; }</p>
4948 <p class="Verbatim"> </p>
4949 <p class="Verbatim">void</p>
4950 <p class="Verbatim">employee_capName (employee e)</p>
4951 <p class="Verbatim">{</p>
4952 <p class="Verbatim"> char *name;</p>
4953 <p class="Verbatim"> </p>
4954 <p class="Verbatim"> name = employee_obsName (e);</p>
4955 <p class="Verbatim"><span class="Line"><span style=
4956 'font-size:8.0pt'>23</span></span> *name = toupper (*name);</p>
4957 <p class="Verbatim">}</p></td>
4958 <td valign="top" style=
4959 'border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
4960 <p class="lclintrun">> splint exposure.c +checks</p>
4961 <p class="lclintrun"> </p>
4962 <p class="lclintrun">exposure.c:6: Function returns reference
4964 <p class="lclintrun">
4965
4966 parameter e: e->name</p>
4967 <p class="lclintrun">exposure.c:6: Return value exposes rep of</p>
4968 <p class="lclintrun">
4969
4970 employee: e->name</p>
4971 <p class="lclintrun">exposure.c:6: Released storage e->name
4973 <p class="lclintrun">
4974
4975 from parameter at return point</p>
4976 <p class="lclintrun"> exposure.c:6: Storage e->name
4978 <p class="lclintrun">exposure.c:23: Suspect modification of
4980 <p class="lclintrun">
4981
4982 name: *name = toupper(*name)</p>
4983 <p class="TextFontCX" style='page-break-after: avoid'> </p>
4984 <p class="TextFontCX" align="left" style=
4985 'text-align:left;page-break-after:avoid'><i><span style=
4986 'font-size: 10.0pt'>Three messages are reported for line 6 where a
4987 mutable field of an abstract type is returned with no sharing
4988 qualifier (without</span></i> <span class="Flag"><span style=
4989 'font-size:10.0pt'>+checks</span></span><i><span style=
4990 'font-size:10.0pt'>only the third one would be reported.) The
4991 error for line 23 reports a modification of an observer. If
4992 the call in line 22 were changed to call</span></i>
4993 <span class="CodeText"><span style=
4994 'font-size: 10.0pt'>employee_exposeName</span></span><i><span style='font-size:10.0pt'>
4995 , no error would be reported.</span></i></p></td></tr></table>
4996 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
4998 <td valign="top" style=
4999 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
5000 <p class="MsoCaption"><a name="_Toc534824615">Figure 11.
5001 Exposure</a></p></td></tr></table></center>
5002 <p class="TextFontCX"> </p>
5003 <h1 style='margin-left:0in;text-indent:0in'><a name=
5004 "_Ref361649198"></a><a name="_Ref361649165"></a><a name=
5005 "_Ref354415790"></a><a name="_Ref350062908"></a><a name=
5006 "_Ref348845273"></a><a name="_Ref345591297"></a><a name=
5007 "_Ref344916609"></a><a name="_Ref344894369"></a><a name=
5008 "_Ref344891459"></a><a name="_Ref344798185"></a><a name=
5009 "_Toc344355418"></a><a name="_Toc534974976"></a><a name=
5010 "_Ref534014913"></a><a name="_Ref534014715"></a><a name=
5011 "_Ref348871484">7<span style=
5012 'font:7.0pt "Times New Roman"'> </span>
5013 <a id="function" name="function">
5014 Function Interfaces</a></a></h1>
5015 <p class="TextFontCX">Functions communicate with their calling
5016 environment through an interface. The caller communicates the
5017 values of actual parameters and global variables to the function,
5018 and the function communicates to the caller through the return
5019 value, global variables and storage reachable from the actual
5020 parameters. By keeping interfaces narrow (restricting the
5021 amount of information visible across a function interface), we can
5022 understand and implement functions independently. </p>
5023 <p class="TextFontCX"> </p>
5024 <p class="TextFontCX">A function prototype documents the interface
5025 to a function. It serves as a contract between the function
5026 and its caller. In early versions of C, the function
5027 “prototype” was very limited. It described the
5028 type returned by the function but nothing about its
5029 parameters. ANSI C (1989) provided function prototypes with
5030 the ability to add information on the number and types of parameter
5031 to a function. Splint provides the means to express much more
5032 about a function interface such as what global variable the
5033 function may use and what values visible to the caller it may
5035 <p class="TextFontCX"> </p>
5036 <p class="TextFontCX">The extra interface information places
5037 constraints on both how the function may be called and how it may
5038 be implemented. Splint reports places where these constraints
5039 are not satisfied. Typically, these indicate bugs in the code
5040 or errors in the interface documentation.</p>
5041 <p class="TextFontCX"> </p>
5042 <p class="TextFontCX">This section describes annotations that may
5043 be added to a function declaration to document what global
5044 variables the function implementation may use and what values
5045 visible to its caller it may modify.</p>
5046 <h2 style='margin-left:0in;text-indent:0in'><a name=
5047 "_Toc534974977"></a><a name="_Ref348845225"></a><a name=
5048 "_Ref344908335"></a><a name="_Ref344892358"></a><a name=
5049 "_Toc344355403">7.1<span style=
5050 'font:7.0pt "Times New Roman"'> </span>
5051 Modifications</a></h2>
5052 <p class="TextFontCX">The modifies clause lists what values visible
5053 to the caller may be modified by a function. Modifies clauses
5054 limit what values a function may modify, but they do not require
5055 that listed values are always modified. The declaration,</p>
5056 <p class="example">int f (int *p, int *q) /*@modifies *p@*/;</p>
5057 <p class="TextFontCX">declares a function <span class=
5058 "CodeText"><span style='font-size:10.0pt'>f</span></span> that may
5059 modify the value pointed to by its first argument but may not
5060 modify the value of its second argument or any global state.</p>
5061 <p class="TextFontCX"> </p>
5062 <p class="TextFontCX">Splint checks that a function does not modify
5063 any caller-visible value not encompassed by its modifies clause and
5064 does modify all values listed in its modifies clause on some
5065 possible execution of the function. Figure 12 shows an
5066 example of modifies checking done by Splint.</p>
5067 <p class="TextFontCX"> </p>
5069 <table class="MsoNormalTable" border="0" cellspacing="0"
5070 cellpadding="0" style='margin-left:5.4pt;border-collapse:collapse'
5073 <td width="40%" valign="top" style=
5074 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.5pt'>
5075 <p class="TextFontCX" align="center" style='text-align:center'>
5076 <a name="_Ref344908343"><span class="Keyword"><b><span style=
5077 'font-size:10.0pt;color:white'>modify.c</span></b></span></a></p></td>
5078 <td width="60%" valign="top" style=
5079 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.5pt'>
5080 <p class="TextFontCX" align="center" style='text-align:center'>
5081 <b><span style='color:white'>Running
5082 Splint</span></b></p></td></tr>
5083 <tr style='height:120.9pt'>
5084 <td valign="top" style=
5085 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:120.9pt'>
5086 <p class="Verbatim">void setx (int *x, int *y)</p>
5087 <p class="Verbatim"> /*@modifies *x@*/</p>
5088 <p class="Verbatim">{</p>
5089 <p class="Verbatim"><span class="Line"><span style=
5090 'font-size:8.0pt'>4</span></span> *y = *x;</p>
5091 <p class="Verbatim">}</p>
5092 <p class="Verbatim"> </p>
5093 <p class="Verbatim">void sety (int *x, int *y)</p>
5094 <p class="Verbatim"> /*@modifies *y@*/</p>
5095 <p class="Verbatim">{</p>
5096 <p class="Verbatim"> setx (y, x);</p>
5097 <p class="Verbatim">}</p></td>
5098 <td width="60%" valign="top" style=
5099 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:120.9pt'>
5100 <p class="lclintrun">> splint modify.c +checks</p>
5101 <p class="lclintrun">modify.c:4: Undocumented modification of *y:
5103 <p class="lclintrun">modify.c:5: Suspect object listed in modifies
5105 <p class="lclintrun">
5106
5107 not modified: *x</p>
5108 <p class="lclintrun"> modify.c:1: Declaration of
5110 <p class="TextFontCX"><i><span style=
5111 'font-size: 10.0pt'> </span></i></p>
5112 <p class="TextFontCX" style='page-break-after: avoid'>
5113 <i><span style='font-size:10.0pt'>There are
5114 n</span></i><i><span style='font-size:10.0pt'>o errors
5115 for</span></i> <span class="CodeText"><span style=
5116 'font-size:10.0pt'>sety</span></span><i><span style=
5117 'font-size:10.0pt'>– the call to</span></i>
5118 <span class="CodeText"><span style=
5119 'font-size:10.0pt'>setx</span></span><i><span style=
5120 'font-size:10.0pt'>modifies the value<br>
5121 pointed to by its first parameter (</span></i><span class=
5122 "CodeText"><span style=
5123 'font-size:10.0pt'>y</span></span><i><span style=
5124 'font-size:10.0pt'>) as documented by the<br>
5125 modifies clause. The</span></i> <span class=
5127 'font-size:10.0pt'>checks</span></span><i><span style=
5128 'font-size:10.0pt'>mode turns on</span></i> <span class=
5130 'font-size:10.0pt'>mustmod</span></span><i><span style=
5131 'font-size:10.0pt'>checking,<br>
5132 so the second error concerning missing documented<br>
5133 modifications is reported.</span></i></p></td></tr>
5135 <td style='border:none'></td>
5136 <td style='border:none'></td></tr></table>
5137 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5139 <td valign="top" style=
5140 'padding-top:4.3pt;padding-right: .3in;padding-bottom:4.3pt;padding-left:.3in'>
5141 <p class="MsoCaption"><a name="_Toc534824616"></a><a name=
5142 "_Ref534822865">Figure 12</a>.
5143 Modification</p></td></tr></table></center>
5146 <h3 style='margin-left:0in;text-indent:0in'><a name=
5147 "_Toc534974978">7.1.1<span style=
5148 'font:7.0pt "Times New Roman"'> </span>
5149 State Modifications</a></h3>
5150 <p class="beforelist">A few special names are provided for
5151 describing function modifications that effect state not
5152 identifiable through parameters or global variables:</p>
5153 <p class="TextFontCX"><span class="Annot"><span style=
5154 'font-size:10.0pt'>internalState</span></span></p>
5155 <p class="IndentText">The function modifies some internal state
5156 (that is, the value of a <span class="CodeText"><span style=
5157 'font-size:10.0pt'>static</span></span> variable). Even
5158 though a client cannot access the internal state directly, it is
5159 important to know that something may be modified by the function
5160 call both for clear documentation and for checking undefined order
5161 of evaluation (Section 8.2) and side effect free parameters
5162 (Section 11.2.1).</p>
5163 <p class="TextFontCX"><span class="Annot"><span style=
5164 'font-size:10.0pt'>fileSystem</span></span></p>
5165 <p class="IndentText">The function modifies the file system.
5166 Any modification that may change the system state is considered a
5167 file system modification. All functions that modify an object
5168 of type pointer to <span class="CodeText"><span style=
5169 'font-size:10.0pt'>FILE</span></span> also modify the file
5170 system. In addition, functions that do not modify a
5171 <span class="CodeText"><span style=
5172 'font-size:10.0pt'>FILE</span></span> pointer but modify some state
5173 that is visible outside this process also modify the file system
5174 (e.g., <span class="CodeText"><span style=
5175 'font-size:10.0pt'>rename</span></span>). The flag
5176 <span class="Flag"><span style=
5177 'font-size:10.0pt'>mod-file-system</span></span> controls reporting
5178 of undocumented file system modifications.</p>
5179 <p class="MsoListBullet"><span class="Annot"><span style=
5180 'font-size:10.0pt'>nothing</span></span></p>
5181 <p class="IndentText">The function modifies nothing (i.e., it is
5182 side effect free).</p>
5183 <p class="TextFontCX" style='margin-left:.5in'> </p>
5184 <p class="TextFontCX">The annotation, <span class=
5185 "Annot"><span style='font-size:10.0pt'>/*@*/</span></span> in a
5186 function declaration or definition (after the parameter list,
5187 before the semi-colon or function body) denotes a function that
5188 modifies nothing and does not use any global variables (see Section
5190 <h3 style='margin-left:0in;text-indent:0in'><a name=
5191 "_Toc534974979"></a><a name="_Ref345591515">7.1.2<span style=
5192 'font:7.0pt "Times New Roman"'> </span>
5193 Missing Modifies Clauses</a></h3>
5194 <p class="TextFontCX">Splint is designed so programs with many
5195 functions that are declared without modifies clauses can be checked
5196 effectively. Unless <span class="Flag"><span style=
5197 'font-size:10.0pt'>modnomods</span></span> is in on, no
5198 modification errors are reported checking a function declared with
5199 no modifies clause. </p>
5200 <p class="TextFontCX"> </p>
5201 <p class="TextFontCX">A function with no modifies clause is an
5202 <i>unconstrained</i> function since there are no documented
5203 constraints on what it may modify. When an unconstrained
5204 function is called, it is checked differently from a function
5205 declared with a modifies clause. To prevent spurious errors,
5206 no modification error is reported at the call site unless the
5207 <span class="Flag"><span style=
5208 'font-size:10.0pt'>mod-uncon</span></span> flag is on.
5209 Flags control whether errors involving unconstrained functions are
5210 reported for other checks that depend on modifications (side effect
5211 free macro parameters (Section 11.2.1), undefined evaluation
5212 order (Section 8.2), and likely infinite loops (Section
5214 <h2 style='margin-left:0in;text-indent:0in'><a name=
5215 "_Ref534980042"></a><a name="_Toc534974980"></a><a name=
5216 "_Ref534972121"></a><a name="_Ref348845219"></a><a name=
5217 "_Ref347475720"></a><a name="_Ref347171487"></a><a name=
5218 "_Ref344908307"></a><a name="_Ref344893725"></a><a name=
5219 "_Toc344355404">7.2<span style=
5220 'font:7.0pt "Times New Roman"'> </span>
5221 Global Variables</a></h2>
5222 <p class="TextFontCX">Another aspect of a function’s
5223 interface, is the global variables it uses. A globals list in
5224 a function declaration lists external variables that may be used in
5225 the function body. Splint checks that global variables used
5226 in a procedure match those listed in its globals list. A global is
5227 used in a function if it appears in the body directly, or it is in
5228 the globals list of a function called in the body. Splint reports
5229 if a global that is used in a procedure is not listed in its
5230 globals list, and if a listed global is not used in the function
5231 implementation. Figure 13 shows an example function
5232 definition with a globals list and associated checking done by
5235 <table class="MsoNormalTable" border="0" cellspacing="0"
5236 cellpadding="0" style=
5237 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
5238 <tr style='height:13.25pt'>
5239 <td valign="top" style=
5240 'width:202.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.25pt'>
5241 <p class="TextFontCX" align="center" style='text-align:center'>
5242 <span class="Keyword"><b><span style=
5243 'font-size:10.0pt; color:white'>globals.c</span></b></span></p></td>
5244 <td valign="top" style=
5245 'width:220.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.25pt'>
5246 <p class="TextFontCX" align="center" style='text-align:center'>
5247 <b><span style='color:white'>Running
5248 Splint</span></b></p></td></tr>
5249 <tr style='height:70.65pt'>
5250 <td valign="top" style=
5251 'width:202.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:70.65pt'>
5252 <p class="Verbatim"><span style='font-size:9.5pt'>int glob1,
5254 <p class="Verbatim"><span style='font-size:9.5pt'> </span></p>
5255 <p class="Verbatim"><span class="Line"><span style=
5256 'font-size:8.0pt'>3</span></span> <span style='font-size:9.5pt'>int
5257 f (void) /*@globals glob1;@*/</span></p>
5258 <p class="Verbatim"><span style='font-size:9.5pt'>{</span></p>
5259 <p class="Verbatim"><span class="Line"><span style=
5260 'font-size:8.0pt'>5 </span></span> <span style=
5261 'font-size:9.5pt'>return glob2;</span></p>
5262 <p class="Verbatim"><span style='font-size:9.5pt'>}</span></p></td>
5263 <td valign="top" style=
5264 'width:220.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:70.65pt'>
5265 <p class="lclintrun">> splint globals.c +checks</p>
5266 <p class="lclintrun"> </p>
5267 <p class="lclintrun">globals.c:5: Undocumented use of global
5269 <p class="lclintrun">globals.c:3: Global glob1 listed but not
5271 <p class="lclintrun"> </p>
5272 <p class="lclintrun" style='page-break-after:avoid'>
5273 </p></td></tr></table>
5274 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5276 <td valign="top" align="left" style=
5277 'padding-top:8.65pt;padding-right: 9.35pt;padding-bottom:8.65pt;padding-left:9.35pt'>
5278 <p class="MsoCaption"><a name="_Ref349498221"></a><a name=
5279 "_Ref349498215"></a><a name="_Ref347468808"></a><a name=
5280 "_Ref347468791"></a><a name="_Ref344908072"></a><a name=
5281 "_Ref344908069"></a><a name="_Ref344893745"></a><a name=
5282 "_Toc344355405"></a><a name="_Toc534824617"></a><a name=
5283 "_Ref534822988">Figure 13</a>. Global
5284 Variables</p></td></tr></table></center>
5285 <h3 style='margin-left:0in;text-indent:0in'><a name=
5286 "_Toc534974981">7.2.1<span style=
5287 'font:7.0pt "Times New Roman"'> </span>
5288 Controlling Globals Checking</a></h3>
5289 <p class="TextFontCX">Whether on not an error is reported for a use
5290 of a global variable in a given function depends on the scope of
5291 the variable (file <span class="CodeText"><span style=
5292 'font-size:10.0pt'>static</span></span> or external), the checking
5293 annotation used in the variable declaration or the implicit
5294 annotation if no checking annotation is used, whether or not the
5295 function is declared with a globals list, and flag settings.</p>
5296 <p class="TextFontCX"> </p>
5297 <p class="beforelist">A global or file static variable declaration
5298 may be preceded by an annotation to indicate how the variable
5299 should be checked. In order of decreasing checks, the
5300 annotations are:</p>
5301 <p class="TextFontCX"><span class="Annot"><span style=
5302 'font-size:10.0pt'>/*@checkedstrict@*/</span></span></p>
5303 <p class="IndentText">Strictest checking. Undocumented uses
5304 and modifications of the variable are reported in all functions
5305 whether or not they have a globals list (unless <span class=
5307 'font-size:10.0pt'>check-strict-globs</span></span> is off).</p>
5308 <p class="TextFontCX"><span class="Annot"><span style=
5309 'font-size:10.0pt'>/*@checked@*/</span></span></p>
5310 <p class="IndentText">Undocumented use of the variable is reported
5311 in a function with a globals list, but not in a function declared
5312 with no globals (unless <span class="Flag"><span style=
5313 'font-size:10.0pt'>glob-noglobs</span></span> is on).<a name=
5315 <p class="TextFontCX"><span class="Annot"><span style=
5316 'font-size:10.0pt'>/*@checkmod@*/</span></span></p>
5317 <p class="IndentText">Undocumented uses of the variable are not
5318 reported, but undocumented modifications are reported.
5319 (If <span class="Flag"><span style=
5320 'font-size:10.0pt'>mod-globs-nomods</span></span> is on, errors are
5321 reported even in functions declared with no modifies clause or
5323 <p class="TextFontCX"><span class="Annot"><span style=
5324 'font-size:10.0pt'>/*@unchecked@*/</span></span></p>
5325 <p class="IndentText">No messages are reported for undocumented use
5326 or modification of this global variable.</p>
5327 <p class="afterlist">If a variable has none of these annotations,
5328 an implicit annotation is determined by the flag
5330 <p class="TextFontCX"> </p>
5331 <p class="TextFontCX">Different flags control the implicit
5332 annotation for variables declared with global scope and variables
5333 declared with file scope (i.e., using the <span class=
5334 "CodeText"><span style='font-size:10.0pt'>static</span></span>
5335 storage qualifier). To set the implicit annotation for global
5336 variables declared in <span class="Flag"><i><span style=
5337 'font-size:10.0pt'>context</span></i></span> (<span class=
5338 "Flag"><span style='font-size:10.0pt'>globs</span></span> for
5339 external variables or <span class="Flag"><span style=
5340 'font-size:10.0pt'>statics</span></span> for file static variable)
5341 to be <span class="Flag"><i><span style=
5342 'font-size:10.0pt'>annotation</span></i></span> (<span class=
5343 "Flag"><span style='font-size:10.0pt'>checked</span></span>,
5344 <span class="Flag"><span style=
5345 'font-size:10.0pt'>checkmod</span></span>, <span class=
5346 "Flag"><span style='font-size:10.0pt'>checkedstrict</span></span>)
5347 use <span class="Flag"><span style=
5348 'font-size:10.0pt'>imp<i><annotation>
5349 <context></i></span></span>. For example,
5350 <span class="Flag"><span style=
5351 'font-size:10.0pt'>+imp-checked-strict-statics</span></span>
5352 makes the implicit checking on unqualified file static
5353 variables <span class="Flag"><span style=
5354 'font-size:10.0pt'>checkedstrict</span></span>. See
5355 Appendix B for a complete list of globals checking flags.</p>
5356 <h3 style='margin-left:0in;text-indent:0in'><a name=
5357 "_Toc534974982"></a><a name="_Ref534971010">7.2.2<span style=
5358 'font:7.0pt "Times New Roman"'> </span></a>
5359 Definition State</h3>
5360 <p class="TextFontCX">Annotations can be used in the globals list
5361 of a function declaration to describe the states of global
5362 variables before and after the call. If a global is preceded
5363 by <span class="Annot"><span style=
5364 'font-size:10.0pt'>undef</span></span>, it is assumed to be
5365 undefined before the call. Thus, no error is reported if the global
5366 is not defined when the function is called, but an error is
5367 reported if the global is used in the function body before it is
5368 defined. The <span class="Annot"><span style=
5369 'font-size:10.0pt'>killed</span></span> annotation denotes a
5370 global variable that may be undefined when the call
5371 returns. For globals that contain dynamically allocated
5372 storage, a <span class="Annot"><span style=
5373 'font-size:10.0pt'>killed</span></span> global variable is similar
5374 to an <span class="Annot"><span style=
5375 'font-size:10.0pt'>only</span></span> parameter (Section
5376 5.2). An error is reported if it contains the only reference
5377 to storage that is not released before the call returns.
5378 Figure 14 illustrated <span class="Annot"><span style=
5379 'font-size:10.0pt'>killed</span></span> and <span class=
5380 "Annot"><span style='font-size:10.0pt'>undef</span></span>
5383 <table class="MsoNormalTable" border="0" cellspacing="0"
5384 cellpadding="0" style=
5385 'margin-left:.9pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
5387 <td valign="top" style=
5388 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5389 <p class="TextFontCX" align="center" style='text-align:center'>
5390
5391 <span class="Keyword"><b><span style=
5392 'font-size:10.0pt;color:white'>annotglobs.c</span></b></span></p></td>
5393 <td valign="top" style=
5394 'width:198.8pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5395 <p class="TextFontCX" align="center" style='text-align:center'>
5396 <b><span style='color:white'>Running
5397 Splint</span></b></p></td></tr>
5399 <td valign="top" style=
5400 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:236.7pt'>
5401 <p class="Verbatim">int globnum;</p>
5402 <p class="Verbatim"> </p>
5403 <p class="Verbatim">struct {</p>
5404 <p class="Verbatim"> char *firstname, *lastname;</p>
5405 <p class="Verbatim"> int id;</p>
5406 <p class="Verbatim">} globname;</p>
5407 <p class="Verbatim"> </p>
5408 <p class="Verbatim">void</p>
5409 <p class="Verbatim">initialize (/*@only@*/ char *name)</p>
5410 <p class="Verbatim"> /*@globals undef globnum,</p>
5411 <p class="Verbatim">
5412
5413 undef globname @*/</p>
5414 <p class="Verbatim">{</p>
5415 <p class="Verbatim"><span class="Line"><span style=
5416 'font-size:8.0pt'>13</span></span> globname.id = globnum;</p>
5417 <p class="Verbatim"> globname.lastname = name;</p>
5418 <p class="Verbatim"><span class="Line"><span style=
5419 'font-size:8.0pt'>15</span></span>}</p>
5420 <p class="Verbatim"> </p>
5421 <p class="Verbatim">void finalize (void)</p>
5422 <p class="Verbatim"> /*@globals killed globname@*/</p>
5423 <p class="Verbatim">{</p>
5424 <p class="Verbatim"> free (globname.lastname);</p>
5425 <p class="Verbatim"><span class="Line"><span style=
5426 'font-size:8.0pt'>21</span></span> }</p></td>
5427 <td valign="top" style=
5428 'width:198.8pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:236.7pt'>
5429 <p class="lclintrun">> splint annotglobs.c</p>
5430 <p class="lclintrun"> </p>
5431 <p class="lclintrun">annotglobs.c:13: Undef global globnum used</p>
5432 <p class="lclintrun">
5433
5434 before definition</p>
5435 <p class="lclintrun">annotglobs.c:15: Global storage globname</p>
5436 <p class="lclintrun"> contains 1 undefined field
5438 <p class="lclintrun"> returns: firstname</p>
5439 <p class="lclintrun">annotglobs.c:21: Only storage</p>
5440 <p class="lclintrun"> globname.firstname (type
5442 <p class="lclintrun"> from killed global is not
5444 <p class="lclintrun" style='page-break-after:avoid'>
5445 (memory leak)</p></td></tr></table>
5446 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5448 <td valign="top" align="left" style=
5449 'padding-top:10.1pt;padding-right: 9.35pt;padding-bottom:10.1pt;padding-left:9.35pt'>
5450 <p class="MsoCaption"><a name="_Toc534824618"></a><a name=
5451 "_Ref534823055">Figure 14</a>. Annotated Globals
5452 Lists</p></td></tr></table></center>
5453 <h2 style='margin-left:0in;text-indent:0in'><a name=
5454 "_Toc534974983"></a><a name="_Ref344894947"></a><a name=
5455 "_Toc344355406">7.3<span style=
5456 'font:7.0pt "Times New Roman"'> </span>
5457 Declaration Consistency</a></h2>
5458 <p class="TextFontCX">Splint checks that function declarations and
5459 definitions are consistent. The general rule is that the
5460 <i>first</i> declaration of a function implies all later
5461 declarations and definitions. If a function is declared in a
5462 header file, the first declaration processed is its first
5463 declaration (if it is declared in more than one header file an
5464 error is reported if <span class="Flag"><span style=
5465 'font-size:10.0pt'>redecl</span></span> is set)
5466 <span style='display:none'>(if the same function is declared
5467 in more than one header file ???)</span>. Otherwise,
5468 the first declaration in the file defining the function is
5469 its first declaration.</p>
5470 <p class="TextFontCX"> </p>
5471 <p class="TextFontCX">Later declarations may not include variables
5472 in the globals list that were not included in the first
5473 declaration. The exception to this is when the first
5474 declaration is in a header file and the later declaration or
5475 definition includes file static variables. Since these are
5476 not visible in the header file, they can not be included in the
5477 header file declaration. Similarly, the modifies clause of a
5478 later declaration may not include objects that are not modifiable
5479 in the first declaration. The later declaration may be more
5480 specific. For example, if the header declaration is:</p>
5481 <p class="example" style='text-indent:.3in'>extern void setName
5482 (employee e, char *s) /*@modifies e@*/;</p>
5483 <p class="TextFontCX">the later declaration could be,</p>
5484 <p class="example"> void setName (employee e, char *)
5485 /*@modifies e->name@*/;</p>
5486 <p class="TextFontCX">If <span class="CodeText"><span style=
5487 'font-size:10.0pt'>employee</span></span> is an abstract type, the
5488 declaration in the header should not refer to a particular
5489 implementation (i.e., it shouldn’t rely on there being a
5490 <span class="CodeText"><span style=
5491 'font-size:10.0pt'>name</span></span> field), but the
5492 implementation declaration can be more specific. </p>
5493 <p class="TextFontCX"> </p>
5494 <p class="TextFontCX">This rule also applies to file static
5495 variables. The header declaration for a function that
5496 modifies a file static variable should use <span class=
5497 "Annot"><span style='font-size:10.0pt'>modifies
5498 internalState</span></span> since file static variables are not
5499 visible to clients. The implementation declaration should
5500 list the actual file static variables that may be modified.</p>
5501 <h2 style='margin-left:0in;text-indent:0in'><a name=
5502 "_Toc534974984"></a><a name="_Ref354411787">7.4<span style=
5503 'font:7.0pt "Times New Roman"'> </span>
5504 State Clauses</a></h2>
5505 <p class="TextFontCX">Sometimes it is necessary to specify function
5506 interfaces at a lower level than is possible with the standard
5507 annotations. For example, if a function defines some fields
5508 of a returned structure but does not define all the fields.
5509 The <span class="Annot"><span style=
5510 'font-size:10.0pt'>/*@special@*/</span></span> annotation is used
5511 to mark a parameter, global variable, or return value that is
5512 described using state clauses. </p>
5513 <p class="TextFontCX"> </p>
5514 <p class="TextFontCX">State clauses may be used to constrain the
5515 state of a parameter or return value before or after a call.
5516 One or more state clauses may appear in a function declaration,
5517 before the modifies or globals clauses. State clauses may be
5518 listed in any order, but the same state clause should not be used
5519 more than once. In a state clause list, <span class=
5520 "CodeText"><span style='font-size:10.0pt'>result</span></span> is
5521 used to refer to the return value of the function. </p>
5522 <p class="TextFontCX"> </p>
5523 <p class="TextFontCX" style='margin-bottom:6.0pt'>The following
5524 state clauses are used to describe the definition state or
5525 parameters before and after the function is called and the return
5526 value after the function returns:</p>
5527 <p class="TextFontCX"><span class="Annot"><span style=
5528 'font-size:10.0pt'>/*@uses
5529 <i><references></i>@*/</span></span></p>
5530 <p class="indentbefore0">References in a <span class=
5531 "Annot"><span style='font-size:10.0pt'>uses</span></span> clause
5532 must be completely defined before the function is called.
5533 They are assumed to be defined at function entrance when the
5534 function is checked.</p>
5535 <p class="TextFontCX"><span class="Annot"><span style=
5536 'font-size:10.0pt'>/*@sets
5537 <i><references></i>@*/</span></span></p>
5538 <p class="indentbefore0">References in a <span class=
5539 "Annot"><span style='font-size:10.0pt'>sets</span></span> clause
5540 must be allocated before the function is called. They are
5541 completely defined after the function returns. They are assumed to
5542 be allocated but undefined storage at function entrance and an
5543 error is reported if there is a path on which they are not defined
5544 before the function returns.</p>
5545 <p class="TextFontCX"><span class="Annot"><span style=
5546 'font-size:10.0pt'>/*@defines
5547 <i><references></i>@*/</span></span></p>
5548 <p class="indentbefore0">References in a <span class=
5549 "Annot"><span style='font-size:10.0pt'>defines</span></span> clause
5550 must not refer to unshared, allocated storage before the function
5551 is called. They are completely defined after the function
5552 returns. When the function is checked, they are assumed to be
5553 undefined at function entrance and an error is reported if there is
5554 a path on which they are not defined before the function
5556 <p class="TextFontCX"><span class="Annot"><span style=
5557 'font-size:10.0pt'>/*@allocates
5558 <i><references></i>@*/</span></span></p>
5559 <p class="indentbefore0">References in an <span class=
5560 "Annot"><span style='font-size:10.0pt'>allocates</span></span>
5561 clause must be unallocated before the function is called.
5562 They are allocated but not necessarily defined after the function
5563 returns. An error is reported if there is a path through the
5564 function on which they are not allocated before the function
5566 <p class="TextFontCX"><span class="Annot"><span style=
5567 'font-size:10.0pt'>/*@releases
5568 <references>@*/</span></span></p>
5569 <p class="IndentText">References in the <span class=
5570 "Annot"><span style='font-size:10.0pt'>releases</span></span>
5571 clause are deallocated by the function. They must be storage
5572 that could be passed as an <span class="Annot"><span style=
5573 'font-size:10.0pt'>only</span></span> parameter before the
5574 function is called, and are dead pointers after the function
5575 returns. They are assumed to be defined at function entrance
5576 and an error is reported if they refer to live, allocated storage
5577 at any return point.</p>
5578 <p class="TextFontCX"> </p>
5579 <p class="TextFontCX">Some examples of state clauses are shown in
5580 Figure 15. The <span class="Annot"><span style=
5581 'font-size: 10.0pt'>defines</span></span> clause for
5582 <span class="CodeText"><span style=
5583 'font-size:10.0pt'>record_new</span></span> indicates that
5584 the <span class="CodeText"><span style=
5585 'font-size:10.0pt'>id</span></span> field of the structure
5586 pointed to by the result is defined, but the <span class=
5587 "CodeText"><span style='font-size:10.0pt'>name</span></span>
5588 field is not. So, <span class="CodeText"><span style=
5589 'font-size:10.0pt'>record_create</span></span> needs to call
5590 <span class="CodeText"><span style=
5591 'font-size:10.0pt'>record_setName</span></span> to define the
5592 name field. Similarly, the <span class=
5593 "Annot"><span style='font-size:10.0pt'>releases</span></span>
5594 clause for <span class="CodeText"><span style=
5595 'font-size:10.0pt'>record_clearName</span></span> indicates
5596 that no storage is associated with the <span class=
5597 "CodeText"><span style='font-size:10.0pt'>name</span></span>
5598 field of its parameter after the return, so no failure to
5599 deallocate storage message is produced for the call to
5600 <span class="CodeText"><span style=
5601 'font-size:10.0pt'>free</span></span> in <span class=
5602 "CodeText"><span style=
5603 'font-size:10.0pt'>record_free</span></span>. The
5604 <span class="Annot"><span style='font-size:10.0pt'>ensures
5605 isnull</span></span> clause is described in the next
5608 <table class="MsoNormalTable" border="0" cellspacing="0"
5609 cellpadding="0" style=
5610 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
5612 <td valign="top" style=
5613 'width:423.0pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
5614 <p class="TextFontCX" align="center" style='text-align:center'>
5615 <span class="Keyword"><b><span style=
5616 'font-size:10.0pt; color:white'>clauses.c</span></b></span></p></td></tr>
5618 <td valign="top" style=
5619 'width:423.0pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
5620 <p class="Verbatim">typedef struct</p>
5621 <p class="Verbatim">{</p>
5622 <p class="Verbatim"> int id;</p>
5623 <p class="Verbatim"> /*@only@*/ char *name;</p>
5624 <p class="Verbatim">} *record;</p>
5625 <p class="Verbatim"> </p>
5626 <p class="Verbatim">static /*@special@*/ record record_new
5628 <p class="Verbatim"> /*@defines result->id@*/</p>
5629 <p class="Verbatim">{</p>
5630 <p class="Verbatim"> record r = (record) malloc (sizeof
5632 <p class="Verbatim"> </p>
5633 <p class="Verbatim"> assert (r != NULL);</p>
5634 <p class="Verbatim"> r->id = 3;</p>
5635 <p class="Verbatim"> return r;</p>
5636 <p class="Verbatim">}</p>
5637 <p class="Verbatim"> </p>
5638 <p class="Verbatim">static void</p>
5639 <p class="Verbatim"> record_setName (/*@special@*/
5640 record r, /*@only@*/ char *name)</p>
5641 <p class="Verbatim"> /*@defines r->name@*/</p>
5642 <p class="Verbatim">{</p>
5643 <p class="Verbatim"> r->name = name;</p>
5644 <p class="Verbatim">}</p>
5645 <p class="Verbatim"> </p>
5646 <p class="Verbatim">record record_create (/*@only@*/ char
5648 <p class="Verbatim">{</p>
5649 <p class="Verbatim"> record r = record_new ();</p>
5650 <p class="Verbatim"> record_setName (r, name);</p>
5651 <p class="Verbatim"> return r;</p>
5652 <p class="Verbatim">}</p>
5653 <p class="Verbatim"> </p>
5654 <p class="Verbatim">void record_clearName (/*@special@*/ record
5656 <p class="Verbatim"> /*@releases r->name@*/</p>
5657 <p class="Verbatim"> /*@ensures isnull
5659 <p class="Verbatim">{</p>
5660 <p class="Verbatim"> free (r->name);</p>
5661 <p class="Verbatim"> r->name = NULL;</p>
5662 <p class="Verbatim">}</p>
5663 <p class="Verbatim"> </p>
5664 <p class="Verbatim">void record_free (/*@only@*/ record r)</p>
5665 <p class="Verbatim">{</p>
5666 <p class="Verbatim"> record_clearName (r);</p>
5667 <p class="Verbatim"> free (r);</p>
5668 <p class="Verbatim">}</p>
5669 <p class="Verbatim" style='page-break-after:avoid'>
5670 </p></td></tr></table>
5671 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
5673 <td valign="top" style=
5674 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
5675 <p class="MsoCaption"><a name="_Toc534824619"></a><a name=
5676 "_Ref354412972">Figure 15</a>. State
5677 Clauses</p></td></tr></table></center>
5678 <p class="TextFontCX"><span class="Keyword"><span style=
5679 'font-size:10.0pt'> </span></span></p>
5680 <h2 style='margin-left:0in;text-indent:0in'><a name=
5681 "_Toc534974985"></a><a name="_Ref534888798">7.5<span style=
5682 'font:7.0pt "Times New Roman"'> </span>
5683 Requires and Ensures Clauses</a></h2>
5684 <p class="TextFontCX">More general assumptions about state of
5685 parameters and globals before and after a function is called can be
5686 described using <span class="Annot"><i><span style=
5687 'font-size:10.0pt'>requires</span></i></span> and
5688 <span class="Annot"><i><span style=
5689 'font-size:10.0pt'>ensures</span></i></span> clauses. A
5690 <span class="Annot"><span style=
5691 'font-size:10.0pt'>requires</span></span> clause specifies a
5692 predicate that must be true at a call site; when checking a
5693 function implementation Splint assumes the constraints given
5694 in its <span class="Annot"><span style=
5695 'font-size:10.0pt'>requires</span></span> clauses are true at
5696 function entry. An <span class="Annot"><span style=
5697 'font-size:10.0pt'>ensures</span></span> clause specifies a
5698 predicate that is true at a call site after the call returns;
5699 when checking a function implementation Splint warns if there
5700 is an execution path that does not return with a state that
5701 satifies the constraints given in its <span class=
5702 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5703 clauses. A function declaration can have many
5704 <span class="Annot"><span style=
5705 'font-size:10.0pt'>requires</span></span> and <span class=
5706 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5707 clauses as long as their meanings are not contradictory.</p>
5708 <p class="TextFontCX"> </p>
5709 <p class="TextFontCX">The following constraints can be stated using
5710 <span class="Annot"><span style=
5711 'font-size:10.0pt'>requires</span></span> and <span class=
5712 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
5714 <h6 style='margin-left:0in;text-indent:0in'><b>Aliasing
5715 Annotations</b></h6>
5716 <p class="TextFontCX"><span class="Annot"><span style=
5717 'font-size:10.0pt'>/*@requires
5718 only<i><references></i>@*/</span></span>; <span class=
5719 "Annot"><span style='font-size:10.0pt'>/*@ensures
5720 only<i><references></i>@*/</span></span></p>
5721 <p class="TextFontCX"><span class="Annot"><span style=
5722 'font-size:10.0pt'>/*@requires
5723 shared<i><references></i>@*/</span></span>;
5724 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5725 shared<i><references></i>@*/</span></span></p>
5726 <p class="TextFontCX"><span class="Annot"><span style=
5727 'font-size:10.0pt'>/*@requires
5728 owned<i><references></i>@*/</span></span>; <span class=
5729 "Annot"><span style='font-size:10.0pt'>/*@ensures
5730 owned<i><references></i>@*/</span></span></p>
5731 <p class="TextFontCX"><span class="Annot"><span style=
5732 'font-size:10.0pt'>/*@requires
5733 dependent<i><references></i>@*/</span></span>;
5734 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5735 dependent<i><references></i>@*/</span></span></p>
5736 <p class="IndentText">References refer to <span class=
5737 "Annot"><span style='font-size:10.0pt'>only</span></span>,
5738 <span class="Annot"><span style=
5739 'font-size:10.0pt'>shared</span></span>, <span class=
5740 "Annot"><span style='font-size:10.0pt'>owned</span></span> or
5741 <span class="Annot"><span style=
5742 'font-size:10.0pt'>dependent</span></span> storage before
5743 (<span class="Annot"><span style=
5744 'font-size:10.0pt'>requires</span></span>) or after
5745 (<span class="Annot"><span style=
5746 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5747 <h6 style='margin-left:0in;text-indent:0in'><b>Exposure
5748 Annotations</b></h6>
5749 <p class="TextFontCX"><span class="Annot"><span style=
5750 'font-size:10.0pt'>/*@requires
5751 observer<i><references></i>@*/</span></span>;
5752 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5753 observer<i><references></i>@*/</span></span></p>
5754 <p class="TextFontCX"><span class="Annot"><span style=
5755 'font-size:10.0pt'>/*@requires
5756 exposed<i><references></i>@*/</span></span>;
5757 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5758 exposed <i><references></i>@*/</span></span></p>
5759 <p class="IndentText">References refer to <span class=
5760 "Annot"><span style='font-size:10.0pt'>observer</span></span> or
5761 <span class="Annot"><span style=
5762 'font-size:10.0pt'>exposed</span></span> storage before
5763 (<span class="Annot"><span style=
5764 'font-size:10.0pt'>requires</span></span>) or after
5765 (<span class="Annot"><span style=
5766 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5767 <h6 style='margin-left:0in;text-indent:0in'><b>Null</b>
5768 <b>State</b><b>Annotations</b></h6>
5769 <p class="TextFontCX"><span class="Annot"><span style=
5770 'font-size:10.0pt'>/*@requires
5771 isnull<i><references></i>@*/</span></span>;
5772 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5773 isnull<i><references></i>@*/</span></span></p>
5774 <p class="IndentText">References have the value <span class=
5775 "CodeText"><span style='font-size:10.0pt'>NULL</span></span> before
5776 (<span class="Annot"><span style=
5777 'font-size:10.0pt'>requires</span></span>) or after
5778 (<span class="Annot"><span style=
5779 'font-size:10.0pt'>ensures</span></span>) the call.
5780 Note, this is not the same name or meaning as the
5781 <span class="Annot"><span style=
5782 'font-size:10.0pt'>null</span></span> annotation (which means
5783 the value may or may not be <span class="Annot"><span style=
5784 'font-size:10.0pt'>NULL</span></span>.)</p>
5785 <p class="TextFontCX"><span class="Annot"><span style=
5786 'font-size:10.0pt'>/*@requires
5787 notnull<i><references></i>@*/</span></span>;
5788 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
5789 notnull<i><references></i>@*/</span></span></p>
5790 <p class="IndentText">References do not have the value
5791 <span class="CodeText"><span style=
5792 'font-size:10.0pt'>NULL</span></span> before (<span class=
5793 "Annot"><span style=
5794 'font-size:10.0pt'>requires</span></span>) or after
5795 (<span class="Annot"><span style=
5796 'font-size:10.0pt'>ensures</span></span>) the call.</p>
5797 <p class="TextFontCX"> </p>
5798 <h1 style='margin-left:0in;text-indent:0in'><a name=
5799 "_Toc534974986"></a><a name="_Ref534642886"></a><a name=
5800 "_Ref483663682">8<span style=
5801 'font:7.0pt "Times New Roman"'> </span>
5802 <a id="control" name="control">
5803 Control Flow</a></a></h1>
5804 <p class="TextFontCX">The section describes checking done by Splint
5805 related to control flow. Many of these checks are
5806 significantly improved because of the extra information that is
5807 known about the program when annotations are provided.</p>
5808 <h2 style='margin-left:0in;text-indent:0in'><a name=
5809 "_Toc534974987"></a><a name="_Ref345859337"></a><a name=
5810 "_Ref344907653"></a><a name="_Ref344894343"></a><a name=
5811 "_Ref344873752"></a><a name="_Toc344355417">8.1<span style=
5812 'font:7.0pt "Times New Roman"'> </span>
5814 <p class="TextFontCX">To detect certain errors and avoid spurious
5815 errors, it is important to know something about the control flow
5816 behavior of called functions. Without additional information,
5817 Splint assumes that all functions eventually return and execution
5818 continues normally at the call site. </p>
5819 <p class="TextFontCX"> </p>
5820 <p class="TextFontCX">The <span class="Annot"><span style=
5821 'font-size:10.0pt'>noreturn</span></span> annotation is used
5822 to denote a function that never returns<a href="#_ftn8" name=
5823 "_ftnref8" title=""><span class=
5824 "MsoFootnoteReference"><span class="MsoFootnoteReference"><span style='font-size:11.0pt;font-family:"Times New Roman"'>
5825 [8]</span></span></span></a>. For example,</p>
5826 <p class="example"><span class="Annot"><span style=
5827 'font-size:10.0pt'>extern /*@noreturn@*/ void fatalerror
5828 (/*@observer@*/ char *s);</span></span></p>
5829 <p class="beforelist">declares <span class=
5830 "CodeText"><span style='font-size:10.0pt'>fatalerror</span></span>
5831 to never return. This enables Splint to correctly
5832 analyze code like,</p>
5833 <p class="TextFontCX"><span class="Keyword"><span style=
5834 'font-size:10.0pt'> if (x == NULL) fatalerror
5835 ("Yikes!");</span></span></p>
5836 <p class="TextFontCX"><span class="Keyword"><span style=
5837 'font-size:10.0pt'> *x = 3;</span></span></p>
5838 <p class="afterlist">Other functions may return, but sometimes (or
5839 usually) return normally. The <span class=
5840 "Annot"><span style='font-size:10.0pt'>maynotreturn</span></span>
5841 annotation denotes a function that may or may not
5842 return. This may be useful for documentation, but does
5843 not help checking much, since Splint must assume that a
5844 function declared with <span class="Annot"><span style=
5845 'font-size:10.0pt'>maynotreturn</span></span> returns
5846 normally when checking the code. The <span class=
5847 "Annot"><span style=
5848 'font-size:10.0pt'>alwaysreturns</span></span> annotation
5849 denotes a function that always returns (but Splint does no
5850 checking to verify this).</p>
5851 <p class="TextFontCX"> </p>
5852 <p class="TextFontCX">To describe non-returning functions more
5853 precisely, the <span class="Annot"><span style=
5854 'font-size:10.0pt'>noreturnwhentrue</span></span> and
5855 <span class="Annot"><span style=
5856 'font-size:10.0pt'>noreturnwhenfalse</span></span> annotations
5857 may be used. Similar to <span class=
5858 "Annot"><span style='font-size: 10.0pt'>nullwhentrue</span></span>
5859 and <span class="Annot"><span style=
5860 'font-size:10.0pt'>falsewhennull</span></span> (see Section
5861 2.1.1), <span class="Annot"><span style=
5862 'font-size:10.0pt'>noreturnwhentrue</span></span> and
5863 <span class="Annot"><span style=
5864 'font-size:10.0pt'>noreturnwhenfalse</span></span> mean that
5865 a function never returns if the value of its first argument
5866 is true (<span class="Annot"><span style=
5867 'font-size:10.0pt'>noreturnwhentrue</span></span>) or false
5868 (<span class="Annot"><span style=
5869 'font-size:10.0pt'>noreturnwhenfalse</span></span>).
5870 They may be used only on functions whose first argument is a
5871 Boolean. </p>
5872 <p class="TextFontCX"> </p>
5873 <p class="TextFontCX" style='margin-bottom:6.0pt'>Hence, a function
5874 declared with <span class="Annot"><span style=
5875 'font-size:10.0pt'>noreturnwhenwfalse</span></span> must not return
5876 if the value of its argument is false. For example, the
5877 standard library declares <span class="Keyword"><span style=
5878 'font-size:10.0pt'>assert</span></span> as<a href="#_ftn9"
5879 name="_ftnref9" title=""><span class=
5880 "MsoFootnoteReference"><span class=
5881 "MsoFootnoteReference"><span style=
5882 'font-size:11.0pt;font-family:"Times New Roman"'>[9]</span></span></span></a>:</p>
5883 <p class="example" style=
5884 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:0in;margin-bottom:.0001pt;text-indent:.5in'>
5885 /*@noreturnwhenfalse@*/ void</p>
5886 <p class="example" style=
5887 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:0in;margin-bottom:.0001pt;text-indent:.5in'>
5888 assert (/*@sef@*/ bool /*@alt int@*/ pred);</p>
5889 <p class="beforelist" style='margin-top:6.0pt'>This way, code
5891 <p class="Verbatim"> assert (x != NULL);</p>
5892 <p class="Verbatim"> *x = 3;</p>
5893 <p class="TextFontCX">is checked without reporting a false warning,
5894 since the <span class="Annot"><span style=
5895 'font-size:10.0pt'>noreturnwhenwfalse</span></span> annotation on
5896 <span class="CodeText"><span style=
5897 'font-size:10.0pt'>assert</span></span> means the deference of
5898 <span class="CodeText"><span style=
5899 'font-size:10.0pt'>x</span></span> is not reached is
5900 <span class="CodeText"><span style='font-size:10.0pt'>x !=
5901 NULL</span></span> is false.</p>
5902 <h2 style='margin-left:0in;text-indent:0in'><a name=
5903 "_Toc534974988"></a><a name="_Ref350066608">8.2<span style=
5904 'font:7.0pt "Times New Roman"'> </span>
5905 Undefined</a> Behavior</h2>
5906 <p class="TextFontCX">The order in which side effects take place in
5907 a C program is not entirely defined by the code. Certain
5908 execution points are known as <i>sequence points</i> — a
5909 function call (after the arguments have been evaluated), the end of
5910 a full expression (an initializer, expression in an expression
5911 statement, the control expression of an <span class=
5912 "CodeText"><span style='font-size:10.0pt'>if</span></span>,
5913 <span class="CodeText"><span style=
5914 'font-size:10.0pt'>switch</span></span>, <span class=
5915 "CodeText"><span style='font-size:10.0pt'>while</span></span> or
5916 <span class="CodeText"><span style=
5917 'font-size:10.0pt'>do</span></span> statement, each expression of a
5918 <span class="CodeText"><span style=
5919 'font-size:10.0pt'>for</span></span> statement, and the expression
5920 in a <span class="CodeText"><span style=
5921 'font-size: 10.0pt'>return</span></span> statement), and after the
5922 first operand or a <span class="CodeText"><span style=
5923 'font-size:10.0pt'>&&</span></span>, <span class=
5924 "CodeText"><span style='font-size:10.0pt'>||</span></span>,
5925 <span class="CodeText"><span style=
5926 'font-size:10.0pt'>?</span></span> or <span class=
5927 "CodeText"><span style='font-size:10.0pt'>,</span></span>
5929 <p class="TextFontCX"> </p>
5930 <p class="TextFontCX">All side effects before a sequence point must
5931 be complete before the sequence point, and no evaluations after the
5932 sequence point shall have taken place. Between sequence
5933 points, side effects and evaluations may take place in any
5934 order. Hence, the order in which expressions or arguments are
5935 evaluated is not specified. Compilers are free to evaluate
5936 function arguments and parts of expressions (that do not contain
5937 sequence points) in any order. The behavior of code is
5938 undefined if it uses a value that is modified by another expression
5939 that is not required to be evaluated before or after the other
5941 <p class="TextFontCX"> </p>
5942 <p class="TextFontCX">Splint detects instances where undetermined
5943 order of evaluation produces undefined behavior. If
5944 modifies clauses and globals lists are used, this checking is
5945 enabled in expressions involving function calls. Evaluation order
5946 checking is controlled by the <span class="Flag"><span style=
5947 'font-size:10.0pt'>eval-order</span></span> flag.</p>
5949 <table class="MsoNormalTable" border="0" cellspacing="0"
5950 cellpadding="0" style=
5951 'margin-left:13.05pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
5953 <td valign="top" style=
5954 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5955 <p class="TextFontCX" align="center" style='text-align:center'>
5956
5957 <span class="Keyword"><b><span style=
5958 'font-size:10.0pt;color:white'>order.c</span></b></span></p></td>
5959 <td valign="top" style=
5960 'width:198.8pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:13.45pt'>
5961 <p class="TextFontCX" align="center" style='text-align:center'>
5962 <b><span style='color:white'>Running
5963 Splint</span></b></p></td></tr>
5965 <td valign="top" style=
5966 'width:148.95pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
5967 <p class="Verbatim">extern int glob;</p>
5968 <p class="Verbatim"> </p>
5969 <p class="Verbatim">extern int mystery (void);</p>
5970 <p class="Verbatim"> </p>
5971 <p class="Verbatim">extern int modglob (void)</p>
5972 <p class="Verbatim"> /*@globals glob@*/</p>
5973 <p class="Verbatim"> /*@modifies glob@*/;</p>
5974 <p class="Verbatim"> </p>
5975 <p class="Verbatim">int f (int x, int y[])</p>
5976 <p class="Verbatim">{</p>
5977 <p class="Verbatim"><span class="Line"><span style=
5978 'font-size:8.0pt'>11</span></span> int i = x++ * x;</p>
5979 <p class="Verbatim"> </p>
5980 <p class="Verbatim"><span class="Line"><span style=
5981 'font-size:8.0pt'>13</span></span> y[i] = i++;</p>
5982 <p class="Verbatim"><span class="Line"><span style=
5983 'font-size:8.0pt'>14</span></span> i += modglob() * glob;</p>
5984 <p class="Verbatim"><span class="Line"><span style=
5985 'font-size:8.0pt'>15</span></span> i += mystery() * glob;</p>
5986 <p class="Verbatim"><span class="Line"><span style=
5987 'font-size:8.0pt'>16</span></span> return i;</p>
5988 <p class="Verbatim">}</p></td>
5989 <td valign="top" style=
5990 'width:275.4pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
5991 <p class="lclintrun">> splint order.c +evalorderuncon</p>
5992 <p class="lclintrun">order.c:11: Expression has undefined behavior
5994 <p class="lclintrun"> right operand modified by
5995 left operand): x++ * x</p>
5996 <p class="lclintrun">order.c:13: Expression has undefined behavior
5998 <p class="lclintrun"> uses i, modified by right
5999 operand): y[i] = i++</p>
6000 <p class="lclintrun">order.c:14: Expression has undefined behavior
6002 <p class="lclintrun"> right operand modified by
6004 <p class="lclintrun"> modglob() * glob</p>
6005 <p class="lclintrun">order.c:15: Expression has undefined
6007 <p class="lclintrun"> (unconstrained function
6008 mystery used in left operand</p>
6009 <p class="lclintrun"> may set global variable
6010 glob used in right operand):</p>
6011 <p class="lclintrun"> mystery() * glob</p>
6012 <p class="TextFontCX" align="left" style='text-align:left'>
6014 <p class="TextFontCX" align="left" style=
6015 'text-align:left;page-break-after:avoid'><i>The warning for line 14
6016 is reported because the modifies clause of</i> <span class=
6017 "CodeText"><span style='font-size:10.0pt'>modglob</span></span>
6018 <i>indicated that it may modify</i> <span class=
6019 "CodeText"><span style=
6020 'font-size:10.0pt'>glob</span></span><i>. The behavior is
6021 undefined since we don’t know if</i> <span class=
6022 "CodeText"><span style='font-size:10.0pt'>glob</span></span> <i>is
6023 evaluated before, after or during the</i> <i>modification.
6024 The line 15 warning would not be reported without</i>
6025 <span class="Flag"><span style=
6026 'font-size:10.0pt'>+evalorderuncon</span></span><i>.</i></p></td></tr></table>
6027 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6029 <td valign="top" style=
6030 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6031 <p class="MsoCaption"><a name="_Toc534824620"></a><a name=
6032 "_Ref534823183">Figure 16</a>. Evaluation
6033 Order</p></td></tr></table></center>
6034 <p class="TextFontCX"> </p>
6035 <p class="TextFontCX">When checking systems without modifies and
6036 globals information (see Section 7), evaluation order checking may
6037 report errors when unconstrained functions are called in procedure
6038 arguments. Since Splint has no annotations to constrain what
6039 these functions may modify, it cannot be guaranteed that the
6040 evaluation order is defined if another argument calls an
6041 unconstrained function or uses a global variable or storage
6042 reachable from a parameter to the unconstrained function. Its
6043 best to add modifies and globals clauses to constrain the
6044 unconstrained functions in ways that eliminate the possibility of
6045 undefined behavior. For large legacy systems, this may
6046 require too much effort. Instead, the <span class=
6048 'font-size:10.0pt'>‑eval-order-uncon</span></span> flag may
6049 be used to prevent reporting of undefined behavior due to the order
6050 of evaluation of unconstrained functions. Figure 16
6051 illustrates detection of undefined behavior.</p>
6053 <table class="MsoNormalTable" border="0" cellspacing="0"
6054 cellpadding="0" style=
6055 'margin-left:18.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
6057 <td valign="top" style=
6058 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6059 <p class="TextFontCX" align="center" style='text-align:center'>
6060 <span class="Keyword"><b><span style=
6061 'font-size:10.0pt; color:white'>loop.c</span></b></span></p></td>
6062 <td valign="top" style=
6063 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6064 <p class="TextFontCX" align="center" style='text-align:center'>
6065 <b><span style='color:white'>Running
6066 Splint</span></b></p></td></tr>
6067 <tr style='height:143.1pt'>
6068 <td valign="top" style=
6069 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt;height:143.1pt'>
6070 <p class="Verbatim">extern int glob1, glob2;</p>
6071 <p class="Verbatim">extern int f (void)</p>
6072 <p class="Verbatim"> /*@globals glob1@*/</p>
6073 <p class="Verbatim"> /*@modifies nothing@*/;</p>
6074 <p class="Verbatim">extern void g (void)</p>
6075 <p class="Verbatim"> /*@modifies glob2@*/ ;</p>
6076 <p class="Verbatim">extern void h (void) ;</p>
6077 <p class="Verbatim"> </p>
6078 <p class="Verbatim">void upto (int x)</p>
6079 <p class="Verbatim">{</p>
6080 <p class="Verbatim"><span class="Line"><span style=
6081 'font-size:8.0pt'>14</span></span> while (x > f ())
6083 <p class="Verbatim"><span class="Line"><span style=
6084 'font-size:8.0pt'>15</span></span> while (f () < 3)
6086 <p class="Verbatim">}</p></td>
6087 <td valign="top" style=
6088 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt;height:143.1pt'>
6089 <p class="lclintrun">> splint loop.c +infloopsuncon</p>
6090 <p class="lclintrun">loop.c:14: Suspected infinite loop. No
6092 <p class="lclintrun"> loop test (x, glob1) is
6093 modified by test or loop</p>
6094 <p class="lclintrun"> body.</p>
6095 <p class="lclintrun">loop.c:15: Suspected infinite loop. No
6097 <p class="lclintrun"> values modified.
6098 Modification possible through</p>
6099 <p class="lclintrun"> unconstrained calls: h</p>
6100 <p class="TextFontCX" style='page-break-after: avoid'><i>An error
6101 is reported for line 14 since the only value modified by<br>
6102 the loop test or body if</i> <span class=
6103 "CodeText"><span style='font-size: 10.0pt'>glob2</span></span>
6104 <i>and the value of the loop test<br>
6105 does not depend on</i> <span class="CodeText"><span style=
6106 'font-size:10.0pt'>glob2</span></span><i>. The error for line
6108 reported without</i> <span class="Flag"><span style=
6109 'font-size:10.0pt'>+infloopsuncon</span></span><i>.</i></p></td></tr></table>
6110 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6112 <td valign="top" style=
6113 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6114 <p class="MsoCaption"><a name="_Toc534824621"></a><a name=
6115 "_Ref534823256">Figure 17</a>. Infinite
6116 Loops</p></td></tr></table></center>
6117 <h2 style='margin-left:0in;text-indent:0in'><a name=
6118 "_Toc534974989"></a><a name="_Ref344892701"></a><a name=
6119 "_Toc344355430">8.3<span style=
6120 'font:7.0pt "Times New Roman"'> </span>
6121 Problematic Control Structures</a></h2>
6122 <p class="TextFontCX">A number of control structures that are
6123 syntactically legal may indicate likely bugs in programs.
6124 Splint can detect errors involving likely infinite
6125 loops (Section 8.3.1), fall through cases and missing cases in
6126 <span class="CodeText"><span style=
6127 'font-size:10.0pt'>switch</span></span> statements (Section
6128 8.3.2), <span class="CodeText"><span style=
6129 'font-size:10.0pt'>break</span></span> statements within deeply
6130 nested loops or switches (Section 8.3.3), clauses of
6131 <span class="CodeText"><span style=
6132 'font-size:10.0pt'>if</span></span>, <span class=
6133 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6134 or <span class="CodeText"><span style=
6135 'font-size:10.0pt'>for</span></span> statements that are
6136 empty statements or unblocked single statements (Section
6137 8.3.4) and incomplete if-else logic (Section 8.3.5).
6138 Although any of these may appear in a correct program,
6139 depending on the programming style used they may indicate
6140 likely bugs or style violations that should be detected and
6142 <h3 style='margin-left:0in;text-indent:0in'><a name=
6143 "_Toc534974990"></a><a name="_Ref344810086">8.3.1<span style=
6144 'font:7.0pt "Times New Roman"'> </span>
6145 Likely Infinite Loops</a></h3>
6146 <p class="TextFontCX">Splint reports an error if it detects a loop
6147 that appears to be infinite. An error is reported for a loop
6148 that does not modify any value used in its condition test inside
6149 the body of the loop or in the condition test itself. This
6150 checking is enhanced by modifies clauses and globals lists (see
6151 Section 7) since they <a name="_Ref344818734">provide more
6152 information about what global variable may be used in the condition
6153 test and what values may be modified by function calls in the loop
6155 <p class="TextFontCX"> </p>
6156 <p class="TextFontCX">Figure 17 shows examples of infinite
6157 loops detected by Splint. An error is reported for the loop in
6158 line 14, since neither of the values used in the loop condition
6159 (<span class="CodeText"><span style=
6160 'font-size:10.0pt'>x</span></span> directly and <span class=
6161 "CodeText"><span style='font-size:10.0pt'>glob1</span></span>
6162 through the call to <span class="CodeText"><span style=
6163 'font-size:10.0pt'>f</span></span>) is modified by the body of the
6164 loop. If the declaration of <span class=
6165 "CodeText"><span style='font-size:10.0pt'>g</span></span> is
6166 changed to include <span class="CodeText"><span style=
6167 'font-size:10.0pt'>glob1</span></span> in the modifies clause no
6168 error is reported. (In this example, if we assume the
6169 annotations are correct, then the programmer has probably called
6170 the wrong function in the loop body. This isn’t
6171 surprising, given the horrible choices of function and variable
6173 <p class="TextFontCX"> </p>
6174 <p class="TextFontCX">If an unconstrained function is called within
6175 the loop body, Splint will assume that it modifies a value used in
6176 the condition test and not report an infinite loop error, unless
6177 <span class="Flag"><span style=
6178 'font-size:10.0pt'>infloopsuncon</span></span> is on. If
6179 <span class="Flag"><span style=
6180 'font-size:10.0pt'>infloopsuncon</span></span> is on, Splint will
6181 report infinite loop errors for loops where there is no explicit
6182 modification of a value used in the condition test, but where they
6183 may be an undetected modification through a call to an
6184 unconstrained function (e.g., line 12 in Figure 17).</p>
6185 <p class="TextFontCX"> </p>
6186 <p class="TextFontCX"> </p>
6187 <p class="TextFontCX" align="center" style='text-align:center'>
6188 <span style='font-size:10.0pt'> </span></p>
6189 <h3 style='margin-left:0in;text-indent:0in'><a name=
6190 "_Toc534974991"></a><a name="_Ref349899747"></a><a name=
6191 "_Ref345591205">8.3.2<span style=
6192 'font:7.0pt "Times New Roman"'> </span>
6194 <p class="TextFontCX">The automatic fall through of C switch
6195 statements is almost never the intended behavior.<a href="#_ftn10"
6196 name="_ftnref10" title=""><span class=
6197 "MsoFootnoteReference"><span class=
6198 "MsoFootnoteReference"><span style=
6199 'font-size:11.0pt;font-family:"Times New Roman"'>[10]</span></span></span></a>
6200 Splint detects <span class="CodeText"><span style=
6201 'font-size:10.0pt'>case</span></span> statements with code that may
6202 fall through to the next <span class="CodeText"><span style=
6203 'font-size:10.0pt'>case</span></span>. The <span class=
6204 "Flag"><span style='font-size:10.0pt'>casebreak</span></span> flag
6205 controls reporting of fall through cases. A single fall
6206 through case may be marked by preceding the <span class=
6207 "CodeText"><span style='font-size:10.0pt'>case</span></span>
6208 keyword with <span class="Annot"><span style=
6209 'font-size:10.0pt'>/*@fallthrough@*/</span></span> to indicate
6210 explicitly that execution falls through to this case. See
6211 Figure 18 for an example.</p>
6212 <p class="TextFontCX"> </p>
6213 <p class="TextFontCX">For switches on <span class=
6214 "CodeText"><span style='font-size:10.0pt'>enum</span></span> types,
6215 Splint reports an error if a member of the enumerator does not
6216 appear as a case in the switch body (and there is no
6217 <span class="CodeText"><span style=
6218 'font-size:10.0pt'>default</span></span> case).
6219 (Controlled by <span class="Flag"><span style=
6220 'font-size:10.0pt'>misscase</span></span>.)</p>
6222 <table class="MsoNormalTable" border="0" cellspacing="0"
6223 cellpadding="0" style=
6224 'margin-left:.2in;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
6226 <td valign="top" style=
6227 'width:3.0in;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6228 <p class="TextFontCX" align="center" style='text-align:center'>
6229 <span class="Keyword"><b><span style=
6230 'font-size:10.0pt; color:white'>switch.c</span></b></span></p></td>
6231 <td valign="top" style=
6232 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6233 <p class="TextFontCX" align="center" style='text-align:center'>
6234 <b><span style='color:white'>Running
6235 Splint</span></b></p></td></tr>
6237 <td valign="top" style=
6238 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6239 <p class="Verbatim">typedef enum {</p>
6240 <p class="Verbatim"> YES, NO, DEFINITELY,</p>
6241 <p class="Verbatim"> PROBABLY, MAYBE } ynm;</p>
6242 <p class="Verbatim">void decide (ynm y)</p>
6243 <p class="Verbatim">{</p>
6244 <p class="Verbatim"> switch (y)</p>
6245 <p class="Verbatim"> {</p>
6246 <p class="Verbatim"> case PROBABLY:</p>
6247 <p class="Verbatim"> case NO: printf ("No!");</p>
6248 <p class="Verbatim"><span class="Line"><span style=
6249 'font-size:8.0pt'>10</span></span> case MAYBE: printf
6251 <p class="Verbatim">
6252
6253 /*@fallthrough@*/</p>
6254 <p class="Verbatim"> case YES: printf
6256 <p class="Verbatim"><span class="Line"><span style=
6257 'font-size:8.0pt'>13</span></span> }</p>
6258 <p class="Verbatim">}</p></td>
6259 <td valign="top" style=
6260 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6261 <p class="lclintrun">> splint switch.c</p>
6262 <p class="lclintrun">switch.c:10: Fall through case (no preceding
6264 <p class="lclintrun">switch.c:13: Missing case in switch:
6266 <p class="TextFontCX"> </p>
6267 <p class="MsoCaption" align="left" style='text-align:left'>
6268 <i><span style='font-weight:normal'>No fall through error is
6269 reported for the</span></i> <span class=
6270 "CodeText"><span style='font-weight:normal'>NO</span></span><i><span style='font-weight:normal'>
6272 since there are no statements associated with the<br>
6273 previous case. </span></i></p>
6274 <p class="TextFontCX" style='page-break-after: avoid'><i>The</i>
6275 <span class="Annot"><span style=
6276 'font-size:10.0pt'>/*@fallthrough@*/</span></span> <i>comment
6278 a message from being produced for the<br></i> <span class=
6279 "Annot"><span style='font-size:10.0pt'>YES</span></span>
6280 <i>case.</i></p></td></tr></table>
6281 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6283 <td valign="top" style=
6284 'padding-top:0in;padding-right: 9.0pt;padding-bottom:0in;padding-left:9.0pt'>
6285 <p class="MsoCaption"><a name="_Toc344355431"></a><a name=
6286 "_Ref344881581"></a><a name="_Toc534824622"></a><a name=
6287 "_Ref534823308">Figure 18</a>. Switch
6288 Cases</p></td></tr></table></center>
6289 <h3 style='margin-left:0in;text-indent:0in'><a name=
6290 "_Toc534974992"></a><a name="_Ref534971227">8.3.3<span style=
6291 'font:7.0pt "Times New Roman"'> </span>
6292 Deep Breaks</a></h3>
6293 <p class="TextFontCX">There is no syntax provided by C (other than
6294 <span class="CodeText"><span style=
6295 'font-size:10.0pt'>goto</span></span>) for breaking out of a nested
6296 loop. All <span class="CodeText"><span style=
6297 'font-size:10.0pt'>break</span></span> and <span class=
6298 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
6299 statements act only on the innermost surrounding loop or
6300 switch. This can lead to serious problems<a href="#_ftn11"
6301 name="_ftnref11" title=""><span class=
6302 "MsoFootnoteReference"><span class=
6303 "MsoFootnoteReference"><span style=
6304 'font-size:11.0pt;font-family:"Times New Roman"'>[11]</span></span></span></a>
6305 when a programmer intends to break the outer loop or switch
6306 instead. Splint optionally reports warnings for
6307 <span class="CodeText"><span style=
6308 'font-size: 10.0pt'>break</span></span> and <span class=
6309 "CodeText"><span style=
6310 'font-size: 10.0pt'>continue</span></span> statements in
6311 nested contexts.</p>
6312 <p class="beforelist"> </p>
6313 <p class="beforelist">Four types of <span class=
6314 "CodeText"><span style='font-size: 10.0pt'>break</span></span>
6315 warnings are reported:</p>
6316 <p class="MsoListBullet"><span style=
6317 'font-family:Symbol'>·<span style=
6318 'font:7.0pt "Times New Roman"'> </span></span>
6319 <span class="CodeText"><span style=
6320 'font-size:10.0pt'>break</span></span> inside a loop
6321 (<span class="CodeText"><span style=
6322 'font-size:10.0pt'>while</span></span> or <span class=
6323 "CodeText"><span style='font-size:10.0pt'>for</span></span>)
6324 that is inside a loop. Controlled by <span class=
6326 'font-size:10.0pt'>looploopbreak</span></span>. To
6327 indicate that a <span class="CodeText"><span style=
6328 'font-size:10.0pt'>break</span></span> is inside an inner
6329 loop, precede the <span class="CodeText"><span style=
6330 'font-size:10.0pt'>break</span></span> by <a href=
6331 "mailto:/*@innerbreak@*/"><span class="Annot"><span style=
6332 'font-size: 10.0pt'>/*@innerbreak@*/</span></span></a>.</p>
6333 <p class="MsoListBullet"><span style=
6334 'font-family:Symbol'>·<span style=
6335 'font:7.0pt "Times New Roman"'> </span></span>
6336 <span class="CodeText"><span style=
6337 'font-size:10.0pt'>break</span></span> inside a loop that is inside
6338 a <span class="CodeText"><span style=
6339 'font-size:10.0pt'>switch</span></span> statement. Controlled
6340 by <span class="Flag"><span style=
6341 'font-size:10.0pt'>switchloopbreak</span></span>. To mark the
6342 <span class="CodeText"><span style=
6343 'font-size:10.0pt'>break</span></span> as a loop break, precede the
6344 <span class="CodeText"><span style=
6345 'font-size:10.0pt'>break</span></span> by <span class=
6346 "Annot"><span style=
6347 'font-size:10.0pt'>/*@loopbreak@*/</span></span>.</p>
6348 <p class="MsoListBullet"><span style=
6349 'font-family:Symbol'>·<span style=
6350 'font:7.0pt "Times New Roman"'> </span></span>
6351 <span class="CodeText"><span style=
6352 'font-size:10.0pt'>break</span></span> inside a <span class=
6353 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
6354 statement that is inside a loop. Controlled by
6355 <span class="Flag"><span style=
6356 'font-size:10.0pt'>loopswitchbreak</span></span>. To
6357 mark the <span class="CodeText"><span style=
6358 'font-size:10.0pt'>break</span></span> as a switch break,
6359 precede the <span class="CodeText"><span style=
6360 'font-size:10.0pt'>break</span></span> by <span class=
6361 "Annot"><span style=
6362 'font-size:10.0pt'>/*@switchbreak@*/</span></span>.</p>
6363 <p class="MsoListBullet"><span style=
6364 'font-family:Symbol'>·<span style=
6365 'font:7.0pt "Times New Roman"'> </span></span>
6366 <span class="CodeText"><span style=
6367 'font-size:10.0pt'>break</span></span> inside a <span class=
6368 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
6369 inside another <span class="CodeText"><span style=
6370 'font-size:10.0pt'>switch</span></span>. Controlled by
6371 <span class="Flag"><span style=
6372 'font-size:10.0pt'>switchswitchbreak</span></span>. To
6373 indicate that the <span class="CodeText"><span style=
6374 'font-size:10.0pt'>break</span></span> is for the inner switch, use
6375 <span class="Annot"><span style=
6376 'font-size:10.0pt'>/*@innerbreak@*/</span></span>.</p>
6377 <p class="afterlist">Since <span class=
6378 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
6379 only makes sense within loops, a warning (Controlled by <span class=
6381 'font-size: 10.0pt'>looploopcontinue</span></span>.)
6382 is reported only for
6383 <span class="CodeText"><span style=
6384 'font-size:10.0pt'>continue</span></span> statements within
6385 nested loops. A
6386 safe inner <span class="CodeText"><span style=
6387 'font-size:10.0pt'>continue</span></span> may be preceded by
6388 <span class="Annot"><span style=
6389 'font-size:10.0pt'>/*@innercontinue@*/</span></span> to
6390 suppress error messages locally. The <span class=
6391 "Flag"><span style='font-size:10.0pt'>deepbreak</span></span>
6392 flag sets all nested break and continue checking flags.</p>
6393 <p class="TextFontCX"> </p>
6394 <p class="TextFontCX">Splint warns if the marker preceding a
6395 <span class="CodeText"><span style=
6396 'font-size:10.0pt'>break</span></span> is not consistent with its
6397 placement. A warning results if <span class=
6398 "Annot"><span style='font-size:10.0pt'>innerbreak</span></span>
6399 precedes a <span class="CodeText"><span style=
6400 'font-size:10.0pt'>break</span></span> that is not breaking an
6401 inner loop, <span class="Annot"><span style=
6402 'font-size:10.0pt'>switchbreak</span></span> precedes a
6403 <span class="CodeText"><span style=
6404 'font-size:10.0pt'>break</span></span> that is not breaking a
6405 switch, or <span class="Annot"><span style=
6406 'font-size: 10.0pt'>loopbreak</span></span> precedes a
6407 <span class="CodeText"><span style=
6408 'font-size:10.0pt'>break</span></span> that is not breaking a
6410 <h3 style='margin-left:0in;text-indent:0in'><a name=
6411 "_Toc534974993"></a><a name="_Ref347246280">8.3.4<span style=
6412 'font:7.0pt "Times New Roman"'> </span></a>
6413 Loop and If Bodies</h3>
6414 <p class="beforelist">An empty statement after an
6415 <span class="CodeText"><span style=
6416 'font-size:10.0pt'>if</span></span>, <span class=
6417 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6418 or <span class="CodeText"><span style=
6419 'font-size:10.0pt'>for</span></span> often indicates a
6420 potential bug. A single statement (i.e., not a compound
6421 block) after an <span class="CodeText"><span style=
6422 'font-size:10.0pt'>if</span></span>, <span class=
6423 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6424 or <span class="CodeText"><span style=
6425 'font-size:10.0pt'>for</span></span> is not likely to
6426 indicate a bug, but make the code harder to read and
6427 edit. Splint can report errors for if or loop
6428 statements with empty bodies or bodies that are not compound
6429 statements. Separate flags control checking for
6430 statements following an <span class="CodeText"><span style=
6431 'font-size:10.0pt'>if</span></span>, <span class=
6432 "CodeText"><span style='font-size:10.0pt'>while</span></span>
6433 or <span class="CodeText"><span style=
6434 'font-size:10.0pt'>for</span></span>:</p>
6435 <p class="MsoListBullet"><span style=
6436 'font-family:Symbol'>·<span style=
6437 'font:7.0pt "Times New Roman"'> </span></span>
6438 <span class="Flag"><span style=
6439 'font-size:10.0pt'>[if</span></span>,<span class=
6440 "Flag"><span style='font-size:10.0pt'>while</span></span>,<span class="Flag">
6441 <span style='font-size:10.0pt'>for]empty</span></span> —
6442 report errors for empty bodies (e.g., <span class=
6443 "CodeText"><span style='font-size:10.0pt'>if (x > 3)
6444 ;</span></span> )</p>
6445 <p class="MsoListBullet"><span style=
6446 'font-family:Symbol'>·<span style=
6447 'font:7.0pt "Times New Roman"'> </span></span>
6448 <span class="Flag"><span style=
6449 'font-size:10.0pt'>[if</span></span>,<span class=
6450 "Flag"><span style='font-size:10.0pt'>while</span></span>,<span class="Flag">
6451 <span style='font-size:10.0pt'>for]block</span></span> —
6452 report errors for non-block bodies (e.g., <span class=
6453 "CodeText"><span style='font-size:10.0pt'>if (x > 3)
6454 x++;</span></span>)</p>
6455 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
6456 <span class="Keyword"><span style=
6457 'font-size:10.0pt'> </span></span></p>
6458 <p class="afterlist">The <span class="CodeText"><span style=
6459 'font-size:10.0pt'>if</span></span> statement checks also apply to
6460 the body of the <span class="CodeText"><span style=
6461 'font-size:10.0pt'>else</span></span> clause. No
6462 <span class="Flag"><span style=
6463 'font-size:10.0pt'>ifblock</span></span> warning is reported
6464 if the body of the <span class="CodeText"><span style=
6465 'font-size:10.0pt'>else</span></span> clause is an
6466 <span class="CodeText"><span style=
6467 'font-size:10.0pt'>if</span></span> statement, to allow
6468 conventional <span class="CodeText"><span style=
6469 'font-size: 10.0pt'>else if</span></span> chains. </p>
6470 <h3 style='margin-left:0in;text-indent:0in'><a name=
6471 "_Toc534974994"></a><a name="_Ref347246283">8.3.5<span style=
6472 'font:7.0pt "Times New Roman"'> </span>
6473 Complete Logic</a></h3>
6474 <p class="beforelist">Although it may be perfectly reasonable in
6475 many contexts, an <span class="CodeText"><span style=
6476 'font-size:10.0pt'>if</span></span>-<span class=
6477 "CodeText"><span style='font-size:10.0pt'>else</span></span> chain
6478 with no final <span class="CodeText"><span style=
6479 'font-size:10.0pt'>else</span></span> may indicate missing logic or
6480 forgetting to check error cases. If <span class=
6481 "Flag"><span style='font-size:10.0pt'>elseif-complete</span></span>
6482 is on, Splint warns when an <span class=
6483 "CodeText"><span style='font-size:10.0pt'>if</span></span>
6484 statement that is the body of an <span class=
6485 "CodeText"><span style='font-size: 10.0pt'>else</span></span>
6486 clause does not have a matching <span class=
6487 "CodeText"><span style='font-size:10.0pt'>else</span></span>
6488 clause. For example, the code,</p>
6489 <p class="Verbatim"> if (x == 0) { return "nil"; }</p>
6490 <p class="Verbatim"> else if (x == 1) { return "many";
6492 <p class="afterlist">results in a warning since the second
6493 <span class="CodeText"><span style=
6494 'font-size:10.0pt'>if</span></span> has no matching
6495 <span class="CodeText"><span style=
6496 'font-size:10.0pt'>else</span></span> branch.</p>
6497 <h2 style='margin-left:0in;text-indent:0in'><a name=
6498 "_Toc534974995"></a><a name="_Ref344892802">8.4<span style=
6499 'font:7.0pt "Times New Roman"'> </span>
6500 Suspicious Statements</a></h2>
6501 <p class="TextFontCX">Splint detects errors involving statements
6502 with no apparent effects (Section 8.4.1) and statements that ignore
6503 the result of a called function (Section 8.4.2).</p>
6504 <h3 style='margin-left:0in;text-indent:0in'><a name=
6505 "_Toc534974996"></a><a name="_Ref347247824">8.4.1<span style=
6506 'font:7.0pt "Times New Roman"'> </span>
6507 Statements with No Effects</a></h3>
6508 <p class="TextFontCX">Splint can report errors for statements that
6509 have no effect. (Controlled by <span class=
6510 "Flag"><span style='font-size:10.0pt'>no-effect</span></span>.)
6511 Because of modifies clauses, Splint can detect more errors
6512 than traditional checkers. Unless the <span class=
6514 'font-size:10.0pt'>no-effect-uncon</span></span> flag is
6515 on, errors are not reported for statements that involve calls
6516 to unconstrained functions since the unconstrained function
6517 may cause a modification. Figure 19 shows examples of
6518 Splint’s no effect checking.</p>
6520 <table class="MsoNormalTable" border="0" cellspacing="0"
6521 cellpadding="0" style=
6522 'margin-left:5.4pt;border-collapse:collapse; margin-left:-2.25pt;margin-right:-2.25pt'>
6524 <td valign="top" style=
6525 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6526 <p class="TextFontCX" align="center" style='text-align:center'>
6527 <a name="_Ref344893305"></a><a name=
6528 "_Ref344874935"><span class="StyleKeywordBold"><span style=
6529 'font-size:10.0pt'>noeffect.c</span></span></a></p></td>
6530 <td valign="top" style=
6531 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6532 <p class="TextFontCX" align="center" style='text-align:center'>
6533 <b><span style='color:white'>Running
6534 Splint</span></b></p></td></tr>
6536 <td valign="top" style=
6537 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6538 <p class="Verbatim">extern void</p>
6539 <p class="Verbatim"> nomodcall (int *x) /*@*/;</p>
6540 <p class="IndentText"><i>Recall /*@*/ is shorthand for<br>
6541 modifies nothing and use<br>
6543 <p class="Verbatim">extern void mysterycall (int *x);</p>
6544 <p class="Verbatim"> </p>
6545 <p class="Verbatim">int noeffect (int *x, int y)</p>
6546 <p class="Verbatim">{</p>
6547 <p class="Verbatim"> y == *x;</p>
6548 <p class="Verbatim"> nomodcall (x);</p>
6549 <p class="Verbatim"> mysterycall (x);</p>
6550 <p class="Verbatim"> return *x;</p>
6551 <p class="Verbatim">}</p></td>
6552 <td valign="top" style=
6553 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6554 <p class="lclintrun">> splint noeffect.c +noeffectuncon</p>
6555 <p class="lclintrun">noeffect.c:6: Statement has no effect: y ==
6557 <p class="lclintrun">noeffect.c:7: Statement has no effect:
6559 <p class="lclintrun">noeffect.c:8: Statement has no effect
6561 <p class="lclintrun"> undetected modification
6563 <p class="lclintrun"> unconstrained function
6565 <p class="lclintrun"> mysterycall(x)</p>
6566 <p class="IndentText"><i> </i></p>
6567 <p class="IndentText" style='page-break-after:avoid'><i>The warning
6568 for line 8 would not be<br>
6569 reported without</i> <span class="Flag"><span style=
6570 'font-size: 10.0pt'>+noeffectuncon</span></span>.</p></td></tr></table>
6571 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6573 <td valign="top" style=
6574 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
6575 <p class="MsoCaption"><a name="_Ref534813977"></a><a name=
6576 "_Toc534824623"></a><a name="_Ref534823396">Figure 19</a>.
6577 Statements with No Effect</p></td></tr></table></center>
6578 <h3 style='margin-left:0in;text-indent:0in'><a name=
6579 "_Ref534978820"></a><a name="_Toc534974997">8.4.2<span style=
6580 'font:7.0pt "Times New Roman"'> </span>
6581 Ignored Return Values</a></h3>
6582 <p class="TextFontCX">Splint reports an error when a return value
6583 is ignored. Checking may be controlled based on the type of
6584 the return value: <span class="Flag"><span style=
6585 'font-size:10.0pt'>ret-val-int</span></span> controls reporting of
6586 ignored return values of type <span class=
6587 "Keyword"><span style='font-size:10.0pt'>int</span></span>,
6588 and <span class="Flag"><span style=
6589 'font-size:10.0pt'>ret-val-bool</span></span> for return
6590 values of type <span class="Keyword"><span style=
6591 'font-size:10.0pt'>bool</span></span>, and <span class=
6593 'font-size:10.0pt'>ret-val-others</span></span> for all
6594 other types. A function statement may be cast to
6595 <span class="Keyword"><span style=
6596 'font-size:10.0pt'>void</span></span> to prevent this error
6597 from being reported.</p>
6598 <p class="TextFontCX"> </p>
6599 <p class="TextFontCX">Alternate types (Section 4.4) can be
6600 used to declare functions that return values that may safely be
6601 ignored by declaring the result type to alternately be
6602 <span class="Keyword"><span style=
6603 'font-size:10.0pt'>void</span></span>. Several
6604 functions in the standard library are specified to
6605 alternately return <span class="Keyword"><span style=
6606 'font-size:10.0pt'>void</span></span> to prevent ignored
6607 return value errors for standard library functions (e.g.,
6608 <span class="Keyword"><span style=
6609 'font-size:10.0pt'>strcpy</span></span>) where the result may
6610 be safely ignored (see Section 14.1). Figure 20 shows
6611 examples of ignored return value errors reported by
6613 <p class="MsoNormal" align="left" style=
6614 'text-align:left;background:white'><span style=
6615 'font-size:10.0pt'> </span></p>
6617 <table class="MsoNormalTable" border="0" cellspacing="0"
6618 cellpadding="0" style='margin-left:9.9pt;border-collapse:collapse'>
6620 <td valign="top" style=
6621 'border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
6622 <p class="TextFontCX" align="center" style='text-align:center'>
6623 <span class="Keyword"><b><span style=
6624 'font-size:10.0pt; color:white'>ignore.c</span></b></span></p></td>
6625 <td valign="top" style=
6626 'border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
6627 <p class="TextFontCX" align="center" style='text-align:center'>
6628 <b><span style='color:white'>Running
6629 Splint</span></b></p></td></tr>
6631 <td valign="top" style=
6632 'border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
6633 <p class="Verbatim"># include “bool.h”</p>
6634 <p class="Verbatim">extern int fi (void);</p>
6635 <p class="Verbatim">extern bool fb (void);</p>
6636 <p class="Verbatim">extern int /*@alt void@*/</p>
6637 <p class="Verbatim"> fv (void);</p>
6638 <p class="Verbatim"> </p>
6639 <p class="Verbatim">int ignore (void)</p>
6640 <p class="Verbatim">{</p>
6641 <p class="Verbatim"><span class="Line"><span style=
6642 'font-size:8.0pt'> 8</span></span> fi ();</p>
6643 <p class="Verbatim"><span class="Line"><span style=
6644 'font-size:8.0pt'> 9</span></span> (void) fi ();</p>
6645 <p class="Verbatim"><span class="Line"><span style=
6646 'font-size:8.0pt'>10</span></span> fb ();</p>
6647 <p class="Verbatim"><span class="Line"><span style=
6648 'font-size:8.0pt'>11</span></span> fv ();</p>
6649 <p class="Verbatim"><span class="Line"><span style=
6650 'font-size:8.0pt'>12</span></span> return fv ();</p>
6651 <p class="Verbatim">}</p></td>
6652 <td valign="top" style=
6653 'border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
6654 <p class="lclintrun">> splint ignore.c</p>
6655 <p class="lclintrun"> </p>
6656 <p class="lclintrun">ignore.c:8: Return value (type int) ignored:
6658 <p class="lclintrun">ignore.c:10: Return value (type bool) ignored:
6660 <p class="lclintrun"> </p>
6661 <p class="MsoNormal" style='background:white'><i><span style=
6662 'font-size:10.0pt'>The message for line 8 would not be reported
6663 if</span></i> <span class="Flag"><span style=
6664 'font-size:10.0pt'>‑retvalint</span></span><i><span style='font-size:10.0pt'>
6666 for line 10, if</span></i> <span class="Flag"><span style=
6667 'font-size:10.0pt'>‑retvalbool</span></span><i><span style='font-size:10.0pt'>
6668 is set.</span></i></p>
6669 <p class="MsoNormal" style='background:white'><i><span style=
6670 'font-size:10.0pt'> </span></i></p>
6671 <p class="MsoNormal" style='background:white'><i><span style=
6672 'font-size:10.0pt'> No message is reported for line 9 because
6673 the result is cast to</span></i> <span class=
6674 "CodeText"><span style='font-size:10.0pt'>void</span></span><i><span style='font-size:10.0pt'>
6676 and no message is reported for line 11 because</span></i>
6677 <span class="CodeText"><span style=
6678 'font-size:10.0pt'>fv</span></span><i><span style=
6679 'font-size:10.0pt'>is declared<br>
6680 to alternately return</span></i> <span class=
6681 "CodeText"><span style=
6682 'font-size:10.0pt'>void</span></span><i><span style=
6683 'font-size:10.0pt'>.</span></i></p>
6684 <p class="TextFontCX" style='page-break-after: avoid'>
6685 </p></td></tr></table>
6687 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
6689 <td valign="top" style=
6690 'padding-top:0in;padding-right: 9.0pt;padding-bottom:0in;padding-left:9.0pt'>
6691 <p class="MsoCaption"><a name="_Toc534824624"></a><a name=
6692 "_Ref534823436">Figure 20</a>. Ignored Return
6693 Values</p></td></tr></table></div></center>
6694 <p class="MsoNormal" align="left" style=
6695 'text-align:left;background:white'><span style=
6696 'font-size:10.0pt'> </span></p>
6698 'font-size:16.0pt;font-family:"Times New Roman"'><br clear="all"
6699 style='page-break-before:always'></span></b>
6700 <h1 style='margin-left:0in;text-indent:0in;page-break-before:auto'>
6701 <a name="_Toc534974998"></a><a name="_Ref534963019"></a><a name=
6702 "_Ref534962975">9<span style=
6703 'font:7.0pt "Times New Roman"'> </span>
6704 <a id="buffer" name="buffer">
6705 Buffer Sizes</a></a></h1>
6706 <p class="TextFontCX">Buffer overflow errors are a particularly
6707 dangerous type of bug in C programs. They are directly
6708 responsible for about half of all security attacks
6709 [Larochelle01]. For performance reasons, C does not perform
6710 run time bounds checking. Referencing storage outside
6711 allocated regions can cause memory corruption and lead to strange
6712 behavior. Moreover, buffer overflow bugs are particularly
6713 insidious because they can go undetected in testing or normal use,
6714 but usually result in security critical bugs. Reads beyond
6715 the end of a buffer can cause the program to leak
6716 information. Writes beyond the end a buffer (buffer
6717 overflows) can usually be exploited make the program run arbitrary
6718 code. Attackers can exploit these programming bugs to replace
6719 the return address on the stack and place arbitrary code in memory
6720 thereby gaining full access to the machine. Splint is able to
6721 detect many memory bounds errors. <a href="#_ftn12" name=
6722 "_ftnref12" title=""><span style=
6723 'font-size:11.0pt; font-family:"Times New Roman"'>[12]</span></a> </p>
6724 <h2 style='margin-left:0in;text-indent:0in'><a name=
6725 "_Toc534974999">9.1<span style=
6726 'font:7.0pt "Times New Roman"'> </span>
6727 Checking Accesses</a></h2>
6728 <p class="TextFontCX">Splint models blocks of contiguous memory
6729 using two properties: <span class="Annot"><span style=
6730 'font-size:10.0pt'>maxSet</span></span> and <span class=
6731 "Annot"><span style='font-size:10.0pt'>maxRead</span></span>.
6732 Given a buffer <span class="CodeText"><i><span style=
6733 'font-size:10.0pt'>b</span></i></span>, <span class=
6734 "Annot"><span style=
6735 'font-size:10.0pt'>maxSet(<i>b</i>)</span></span> denotes the
6736 highest address beyond <span class="CodeText"><i><span style=
6737 'font-size:10.0pt'>b</span></i></span> that can be safely used as
6738 an lvalue. For the declaration <span class=
6739 "CodeText"><span style='font-size:10.0pt'>char
6740 buf[MAXSIZE]</span></span> we have <span class=
6741 "Annot"><span style='font-size: 10.0pt'>maxSet(buf)</span></span>
6742 <span class="CodeText"><span style='font-size: 10.0pt'>=
6743 MAXSIZE - 1</span></span>. Similarly, <span class=
6744 "Annot"><span style='font-size:10.0pt'>maxRead</span></span>
6745 denotes the highest index of a buffer that can be safely used
6746 an rvalue. It is inappropriate to read an uninitialized
6747 element or beyond the <span class="CodeText"><span style=
6748 'font-size:10.0pt'>NUL</span></span> terminator of a null
6749 terminated buffer.</p>
6750 <p class="TextFontCX"> </p>
6751 <p class="TextFontCX">When a buffer is accessed as an lvalue,
6752 Splint generates a precondition constraint involving the
6753 <span class="Annot"><span style=
6754 'font-size:10.0pt'>maxSet</span></span> property. When a
6755 buffer is accessed as an rvalue, Splint generates a precondition
6756 constraint involving the <span class="Annot"><span style=
6757 'font-size:10.0pt'>maxRead</span></span> property. For the
6758 expression <span class="CodeText"><span style=
6759 'font-size:10.0pt'>*<i>ptr</i></span></span>, Splint generates the
6760 constraints <span class="Annot"><span style=
6761 'font-size:10.0pt'>maxSet(<i>ptr</i>)</span></span>
6762 <span class="CodeText"><span style='font-size:10.0pt'>>=
6763 0</span></span> or <span class="Annot"><span style=
6764 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6765 <span class="CodeText"><span style='font-size:10.0pt'>>=
6766 0</span></span> depending on whether <span class=
6767 "CodeText"><i><span style=
6768 'font-size:10.0pt'>ptr</span></i></span> is used as an lvalue
6769 or rvalue. Similarly, for accesses of the form
6770 <span class="CodeText"><span style=
6771 'font-size:10.0pt'>ptr[i]</span></span>, splint generates the
6772 constraints <span class="Annot"><span style=
6773 'font-size:10.0pt'>maxSet(<i>ptr</i>)</span></span>
6774 <span class="CodeText"><span style='font-size:10.0pt'>>=
6775 i</span></span> or <span class="Annot"><span style=
6776 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6777 <span class="CodeText"><span style='font-size:10.0pt'>>=
6778 i</span></span>. If <span class="Flag"><span style=
6779 'font-size:10.0pt'>+boundswrite</span></span> is set, Splint
6780 warns if it is unable to resolve a constraint involving
6781 <span class="Annot"><span style=
6782 'font-size:10.0pt'>maxSet</span></span>. If <span class=
6784 'font-size:10.0pt'>+boundsread</span></span> is set, Splint
6785 warns about unresolved <span class="Annot"><span style=
6786 'font-size:10.0pt'>maxRead</span></span> constraints
6788 <p class="TextFontCX"> </p>
6789 <p class="TextFontCX">Splint generates postconditions for
6790 statements to help resolve precondition constraints. When a
6791 buffer is written to we know that an element of a buffer is
6792 initialized and is safe to read. We generate the
6793 postcondition <span class="Annot"><span style=
6794 'font-size:10.0pt'>maxRead(<i>ptr</i>)</span></span>
6795 <span class="CodeText"><span style='font-size:10.0pt'>>=
6796 0</span></span> if the buffer is accessed using <span class=
6797 "CodeText"><span style='font-size:10.0pt'>*ptr</span></span>
6798 or <span class="Annot"><span style=
6799 'font-size:10.0pt'>maxRead(ptr)</span></span> <span class=
6800 "CodeText"><span style='font-size:10.0pt'>>=
6801 i</span></span> if the buffer is accessed using <span class=
6802 "CodeText"><i><span style=
6803 'font-size:10.0pt'>ptr</span></i></span><span class=
6804 "CodeText"><span style=
6805 'font-size:10.0pt'>[<i>i</i>]</span></span>. Splint
6806 generates additional postconditions for a variety of C
6807 constructs. For assignment statements, Splint generates
6808 a postcondition equating the two operands. Splint also
6809 generates post condition constraints for the <span class=
6810 "Annot"><span style='font-size:10.0pt'>maxSet</span></span>
6811 value of fixed sized arrays.</p>
6812 <h2 style='margin-left:0in;text-indent:0in'><a name=
6813 "_Toc534975000">9.2<span style=
6814 'font:7.0pt "Times New Roman"'> </span>
6815 Annotating Buffer Sizes</a></h2>
6816 <p class="TextFontCX">Function declarations may include
6817 <span class="Annot"><span style=
6818 'font-size:10.0pt'>requires</span></span> and <span class=
6819 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
6820 clauses that specify assumptions about buffer sizes for
6821 function preconditions. They are interpreted like
6822 <span class="Annot"><span style=
6823 'font-size:10.0pt'>requires</span></span> and <span class=
6824 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
6825 clauses for simple memory states (see Section 7.5) but can be
6826 more expressive. When a function with a <span class=
6827 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6828 clause is called, the call site must be checked to satisfy
6829 the constraints implied by the <span class=
6830 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6831 clause. Similarly, an <span class="Annot"><span style=
6832 'font-size:10.0pt'>ensures</span></span> clause can be used
6833 to specify function post conditions. If the
6834 <span class="Flag"><span style=
6835 'font-size:10.0pt'>+checkpost</span></span> flag is set,
6836 Splint warns if it cannot verify that a function
6837 implementation satisfies its declared postconditions.</p>
6838 <p class="TextFontCX"> </p>
6839 <p class="TextFontCX">Constraints can contain function parameters
6840 as well as global variables and integer constants. The unary
6841 operators, <span class="Annot"><span style=
6842 'font-size:10.0pt'>maxSet</span></span> and <span class=
6843 "Annot"><span style='font-size:10.0pt'>maxRead</span></span> which
6844 correspond to the properties described above are also supported.
6845 Multiple predicates may be conjoined using <span class=
6846 "CodeText"><span style=
6847 'font-size: 10.0pt'>/\</span></span>. </p>
6848 <p class="TextFontCX"> </p>
6849 <p class="TextFontCX">For example, the standard library annotates
6850 <span class="CodeText"><span style=
6851 'font-size:10.0pt'>strcpy</span></span>:</p>
6852 <p class="MsoPlainText" style='line-height:normal'> </p>
6853 <p class="Verbatim" style='margin-left:22.5pt'>void /*@alt char *
6855 <p class="Verbatim" style='margin-left:22.5pt;text-indent:13.5pt'>
6856 (/*@unique@*/ /*@out@*/ /*@returned@*/ char *s1, char *s2)</p>
6857 <p class="Verbatim" style='margin-left:.5in'>/*@modifies *s1@*/</p>
6858 <p class="Verbatim" style='margin-left:.5in'>/*@requires maxSet(s1)
6859 >= maxRead(s2) @*/</p>
6860 <p class="Verbatim"> /*@ensures
6861 maxRead(s1) == maxRead (s2) @*/; </p>
6862 <p class="MsoPlainText" style=
6863 'margin-left:.5in;line-height:normal'><b> </b></p>
6864 <p class="MsoPlainText" style=
6865 'text-align:justify;line-height:normal'>The <span class=
6866 "Annot"><span style='font-size:10.0pt'>requires</span></span>
6867 clause indicates that the buffer passed as <span class=
6868 "CodeText"><span style='font-size:10.0pt'>s1</span></span> must be
6869 large enough to hold the string passed as <span class=
6870 "CodeText"><span style='font-size:10.0pt'>s2</span></span>.
6871 The <span class="Annot"><span style=
6872 'font-size:10.0pt'>ensures</span></span> clause specifies that
6873 <span class="Annot"><span style=
6874 'font-size:10.0pt'>maxRead</span></span> of <span class=
6875 "CodeText"><span style='font-size:10.0pt'>s1</span></span> after
6876 the call is equal to <span class="Annot"><span style=
6877 'font-size:10.0pt'>maxRead</span></span> of <span class=
6878 "CodeText"><span style='font-size:10.0pt'>s2</span></span>.
6879 In cases where the size of <span class=
6880 "CodeText"><span style='font-size:10.0pt'>s2</span></span> is
6881 unknown, programs should use <span class=
6882 "CodeText"><span style=
6883 'font-size: 10.0pt'>strncpy</span></span>, annotated as:</p>
6884 <p class="Verbatim"> </p>
6885 <p class="Verbatim" style='margin-left:22.5pt'>void /*@alt char *
6887 <p class="Verbatim" style='margin-left:22.5pt'>
6888 (/*@unique@*/ /*@out@*/ /*@returned@*/ char *s1, char *s2,</p>
6889 <p class="Verbatim" style='margin-left:22.5pt;text-indent:13.5pt'>
6890 size_t n)</p>
6891 <p class="Verbatim" style='margin-left:22.5pt'>
6892 /*@modifies *s1@*/ </p>
6893 <p class="Verbatim" style='margin-left:22.5pt'> /*@requires
6894 maxSet(s1) >= ( n - 1 ); @*/</p>
6895 <p class="Verbatim" style='margin-left:22.5pt'> /*@ensures
6896 maxRead (s2) >= maxRead(s1) /\ maxRead (s1) <= n;@*/;</p>
6897 <p class="TextFontCX"> </p>
6898 <p class="TextFontCX">The syntax for buffer size constraint clauses
6900 <p class="TextFontCX"> </p>
6901 <p class="TextFontCX" align="left" style=
6902 'margin-left: 22.5pt;text-align:left'><i><span lang=
6903 "FR">constraint</span></i> <span lang="FR"> </span>
6904 <span style='font-family:Symbol'>Þ</span> <span lang=
6905 "FR">(</span><span class="Annot"><span style=
6906 'font-size:10.0pt'>requires</span></span> <span lang="FR">|</span>
6907 <span class="Annot"><span style=
6908 'font-size:10.0pt'>ensures</span></span><span lang="FR">)
6909 <i>consExpr relOp consExpr</i></span></p>
6910 <p class="TextFontCX" align="left" style=
6911 'margin-left: 22.5pt;text-align:left'><i><span lang=
6912 "FR">relOp</span></i> <span lang=
6913 "FR"> </span> <span style=
6914 'font-family:Symbol'>Þ</span> <span class=
6915 "Annot"><span style='font-size: 10.0pt'>==</span></span>
6916 <span lang="FR">|</span> <span class="Annot"><span style=
6917 'font-size:10.0pt'>></span></span> <span lang=
6918 "FR">|</span> <span class="Annot"><span style=
6919 'font-size:10.0pt'>>=</span></span> <span lang=
6920 "FR">|</span> <span class="Annot"><span style=
6921 'font-size:10.0pt'><</span></span> <span lang=
6922 "FR">|</span> <span class="Annot"><span style=
6923 'font-size:10.0pt'><=</span></span></p>
6924 <p class="TextFontCX" align="left" style=
6925 'margin-left: 22.5pt;text-align:left'><i><span lang=
6926 "FR">consExpr </span></i> <span style=
6927 'font-family:Symbol'>Þ</span> <i><span lang=
6928 "FR">consExpression binOp consExpr</span></i> | <i>unaryOp</i>
6929 <span class="Annot"><span style=
6930 'font-size:10.0pt'>(</span></span><i>consExpr</i>
6931 <span class="Annot"><span style=
6932 'font-size:10.0pt'>)</span></span> | <i>term</i></p>
6933 <p class="TextFontCX" align="left" style=
6934 'margin-left: 22.5pt;text-align:left'><i>binOp</i>
6935 <span style=
6936 'font-family:Symbol'>Þ</span> <span class=
6937 "Annot"><span style='font-size:10.0pt'>+</span></span> |
6938 <span class="Annot"><span style=
6939 'font-size:10.0pt'>-</span></span></p>
6940 <p class="TextFontCX" align="left" style=
6941 'margin-left: 22.5pt;text-align:left'><i>unaryOp</i>
6942 <span style='font-family:Symbol'>Þ</span> <span class=
6943 "Annot"><span style='font-size:10.0pt'>maxSet</span></span> |
6944 <span class="Annot"><span style=
6945 'font-size:10.0pt'>maxRead</span></span></p>
6946 <p class="TextFontCX" align="left" style=
6947 'margin-left: 22.5pt;text-align:left'><i>term</i>
6948 <span style=
6949 'font-family:Symbol'>Þ</span> <i>identifier</i> |
6950 <i>literal</i> | <span class="Annot"><span style=
6951 'font-size: 10.0pt'>result</span></span></p>
6952 <h2 style='margin-left:0in;text-indent:0in'><a name=
6953 "_Toc534975001">9.3<span style=
6954 'font:7.0pt "Times New Roman"'> </span>
6955 Less Stringent Checking</a></h2>
6956 For some programs, Splint's standard bounds checking produces an
6957 unacceptably high number of warnings. Because of this, Splint now
6958 prioritizes warnings using a simple heuristic. The flags
6959 <span class="Flag"><span style=
6960 'font-size:10.0pt'>likely-bounds</span></span>, <span class=
6962 'font-size:10.0pt'>likely-bounds-writes</span></span>, and
6963 <span class="Flag"><span style=
6964 'font-size:10.0pt'>likely-bounds-read</span></span> are similar to
6965 <span class="Flag"><span style=
6966 'font-size:10.0pt'>bounds</span></span>,<span class=
6967 "Flag"><span style='font-size:10.0pt'>bounds-write</span></span>,
6968 and <span class="Flag"><span style=
6969 'font-size:10.0pt'>bounds-read</span></span>, but they only cause
6970 Splint to produce warnings for what it determines are likely bounds
6971 errors. Splint classifies an unresolved constraint as a likely
6972 bounds error if it can reduce the constraint to a numerical
6973 inconsistency such as <span class="Verbatim">5 >= 10</span>.
6974 Warnings for these constraints are more likely to be legitimate --
6975 indicating real bugs or the lack of annotations. Additionally, when
6976 these warnings are false positives, it is easier for humans to
6977 recognize them as spurious. These flags generate significantly
6978 fewer errors (an order of magnitude in some cases), and the errors
6979 generated are easier to understand. However, this does not come
6980 without cost. The checking is significantly less precise and is
6981 likely to miss real errors.
6982 <h2 style='margin-left:0in;text-indent:0in'><a name=
6983 "_Toc534975001">9.4<span style=
6984 'font:7.0pt "Times New Roman"'> </span>
6986 <p class="TextFontCX">Since bounds checking is more complex than
6987 other checks done by Splint, memory bounds warnings contain
6988 extensive information about the unresolved constraint.
6989 Warning messages for unresolved constraints contain both the
6990 original constraints and the simplified form of the constraint
6991 which cannot be resolved. If the constraint was derived from
6992 a function precondition, the original precondition is included in
6993 the error message. If the <span class=
6994 "Flag"><span style='font-size:10.0pt'>+showconstraintlocation</span></span>
6995 flag is set, the message includes the expression that the
6996 constraint is derived from. The <span class=
6998 'font-size:10.0pt'>+showconstraintparens</span></span> flag
6999 directs Splint to display fully parenthesized constraints in
7000 warnings to remove ambiguity.</p>
7001 <p class="TextFontCX"> </p>
7002 <p class="TextFontCX">Consider the code excerpt below containing a
7003 trivial out-of-bounds write:</p>
7004 <p class="Verbatim"> </p>
7005 <p class="Verbatim" style='text-indent:.5in'>int buf[10];</p>
7006 <p class="Verbatim" style='text-indent:.5in'>buf[10] = 3;</p>
7007 <p class="TextFontCX"> </p>
7008 <p class="TextFontCX" style='margin-bottom:6.0pt'>Splint warns:</p>
7009 <p align="left" class="lclintrun" style='margin-left:.5in'>
7010 setChar.c:5:4: Likely out-of-bounds store:<br>
7011 buf[10] = 3</p>
7012 <p class="lclintrun" align="left" style='margin-left:.5in'>
7013 Unable to resolve constraint: requires 9 >=
7015 <p class="lclintrun" align="left" style=
7016 'margin-top:0in;margin-right:0in;margin-bottom:6.0pt; margin-left:.5in'>
7017 needed to satisfy precondition: requires
7018 maxSet(buf @ setChar.c:5:4) >= 10</p>
7019 <p class="TextFontCX">Splint has simplified the constraint from the
7020 <span class="Annot"><span style=
7021 'font-size:10.0pt'>requires</span></span> clause to
7022 <span class="CodeText"><span style='font-size:10.0pt'>9 >=
7023 10</span></span> by substituting for the known value of
7024 <span class="Annot"><span style=
7025 'font-size:10.0pt'>maxSet(buf)</span></span> and generated a
7026 warning because 9(the highest index of <span class=
7027 "CodeText"><span style='font-size:10.0pt'>buf</span></span>
7028 that may be safely written to) is not greater than or equal
7030 <p class="TextFontCX"> </p>
7031 <p class="TextFontCX">A more realistic example is shown Figure
7032 21. The function <span class="CodeText"><span style=
7033 'font-size:10.0pt'>updateEnv</span></span> is a naïve
7034 implementation of a function to copy an environmental
7035 variable. There is no standard restriction on the length of
7036 the return value of <span class="CodeText"><span style=
7037 'font-size:10.0pt'>getenv</span></span> so this can cause a buffer
7038 overflow. A safe version of <span class=
7039 "CodeText"><span style='font-size:10.0pt'>updateEnv</span></span>
7040 (such as <span class="CodeText"><span style=
7041 'font-size:10.0pt'>updateEnvSafe</span></span> in Figure 21) would
7042 ensure that the buffer is large enough to hold the environment
7043 variable string before copying.</p>
7044 <p class="TextFontCX"> </p>
7045 <p class="TextFontCX"> </p>
7046 <p class="TextFontCX">The <span class="Annot"><span style=
7047 'font-size:10.0pt'>requires</span></span> clause means Splint will
7048 report a warning if a call to <span class=
7049 "CodeText"><span style='font-size:10.0pt'>updateEnvSafe</span></span>
7050 passed in a buffer as <span class="CodeText"><span style=
7051 'font-size:10.0pt'>str</span></span> that is not big enough
7052 to hold the value passed as <span class=
7053 "CodeText"><span style=
7054 'font-size:10.0pt'>strSize</span></span> characters.</p>
7055 <p class="TextFontCX"> </p>
7056 <p class="TextFontCX">In many cases, functions will have multiple
7057 unresolved constraints which are similar. For example, if a
7058 subsequence statement writes to the next element of a buffer.
7059 Usually all these constraints represent all real problems or are
7060 all spurious. If the <span class="Flag"><span style=
7061 'font-size:10.0pt'>+redundantconstraints</span></span> flag is set,
7062 Splint reports even apparently redundant warning messages.
7063 Otherwise, if satisfying one unresolved constraint would imply
7064 satisfying another, Splint only prints a warning message for the
7065 stronger constraint.</p>
7066 <p class="TextFontCX"> </p>
7068 <table class="MsoNormalTable" border="0" cellspacing="0"
7069 cellpadding="0" style='margin-left:9.9pt;border-collapse:collapse'>
7071 <td valign="top" style=
7072 'width:202.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt;height:12.15pt'>
7073 <p class="TextFontCX" align="center" style='text-align:center'>
7074 <span class="Keyword"><b><span style=
7075 'font-size:10.0pt; color:white'>bounds.c</span></b></span></p></td>
7076 <td valign="top" style=
7077 'width:3.0in;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt;height:12.15pt'>
7078 <p class="TextFontCX" align="center" style='text-align:center'>
7079 <b><span style='color:white'>Running
7080 Splint</span></b></p></td></tr>
7082 <td valign="top" style=
7083 'width:202.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
7084 <p class="Verbatim"><span style=
7085 'font-family:Courier'> </span></p>
7086 <p class="Verbatim"><span style='font-family:Courier'>void
7087 updateEnv(char * str)</span></p>
7088 <p class="Verbatim"><span style='font-family:Courier'>{</span></p>
7089 <p class="Verbatim"><span style='font-family:Courier'>
7090 char * tmp;</span></p>
7091 <p class="Verbatim"><i><span style=
7092 'font-size:9.0pt;font-family:Courier'>7</span></i><span style='font-family:Courier'>
7093 tmp = getenv(“MYENV”);</span></p>
7094 <p class="Verbatim"><span style='font-family:Courier'>
7095 if (tmp != NULL)</span></p>
7096 <p class="Verbatim"><i><span style=
7097 'font-size:9.0pt;font-family:Courier'>9</span></i><span style='font-family:Courier'>
7098 strcpy (str, tmp);</span></p>
7099 <p class="Verbatim"><span style='font-family:Courier'>}</span></p>
7100 <p class="Verbatim"><span style=
7101 'font-family:Courier'> </span></p>
7102 <p class="Verbatim"><span style='font-family:Courier'>void
7103 updateEnvSafe (char * str,</span></p>
7104 <p class="Verbatim"><span style=
7105 'font-family:Courier'>
7106 size_t strSize)</span></p>
7107 <p class="Verbatim"><span style='font-family:Courier'> </span>
7108 <a href="mailto:/*@requires"><span style=
7109 'font-family:Courier'>/*@requires</span></a> <span style=
7110 'font-family:Courier'>maxSet(str)</span></p>
7111 <p class="Verbatim"><span style=
7112 'font-family:Courier'>
7113 >= strSize –1@*/</span></p>
7114 <p class="Verbatim"><span style='font-family:Courier'>{</span></p>
7115 <p class="Verbatim"><span style='font-family:Courier'>
7116 char * tmp;</span></p>
7117 <p class="Verbatim"><span style='font-family:Courier'>
7118 tmp = getenv(“MYENV”);</span></p>
7119 <p class="Verbatim"><span style='font-family:Courier'>
7120 if (tmp != NULL)</span></p>
7121 <p class="Verbatim"><span style='font-family:Courier'>
7123 <p class="Verbatim"><span style=
7124 'font-family:Courier'> strncpy (str,
7126 <p class="Verbatim"><span style=
7127 'font-family:Courier'>
7128 strSize -1);</span></p>
7129 <p class="Verbatim"><span style=
7130 'font-family:Courier'> str[strSize
7131 -1] = ‘/0’;</span></p>
7132 <p class="Verbatim"><span style='font-family:Courier'>
7134 <p class="Verbatim"><span style=
7135 'font-family:Courier'>}</span></p></td>
7136 <td valign="top" style=
7137 'width:3.0in;border-top:none;border-left:none; border-bottom:solid black 1.5pt;border-right:solid black 1.5pt;padding:0in 5.4pt 0in 5.4pt'>
7138 <p class="lclintrun">> splint bounds.c +bounds
7139 +showconstraintlocation</p>
7140 <p class="lclintrun"> </p>
7141 <p class="lclintrun">bounds.c:9: Possible out-of-bounds store:</p>
7142 <p class="lclintrun"> strcpy(str, tmp)</p>
7143 <p class="lclintrun"> Unable to resolve
7145 <p class="lclintrun"> requires maxSet(str @
7146 bounds.c:9) >=</p>
7147 <p class="lclintrun"> maxRead(getenv("MYENV") @
7149 <p class="lclintrun"> needed to satisfy
7151 <p class="lclintrun"> requires maxSet(str @
7152 bounds.c:9) >=</p>
7153 <p class="lclintrun"> maxRead(tmp @
7155 <p class="lclintrun"> derived from strcpy
7156 precondition: requires</p>
7157 <p class="lclintrun"> maxSet(<parameter 1>)
7159 <p class="lclintrun"> maxRead(<parameter
7160 2>)</p></td></tr></table>
7161 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
7163 <td valign="top" style=
7164 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
7165 <p class="MsoCaption"><a name="_Ref534909813"></a><a name=
7166 "_Ref534909817">Figure 21</a>. Memory
7167 Bounds</p></td></tr></table></center>
7170 <p class="TextFontCX">The <span class="Flag"><span style=
7171 'font-size:10.0pt'>+functionpost</span></span> flag is useful for
7172 determining if array bounds warnings are spurious. If this
7173 flag is set, Splint will print the constraints that it established
7174 at the end of the function. If the warnings are spurious,
7175 localized control comments can be used to suppress them.</p>
7176 <p class="TextFontCX"> </p>
7177 <p class="TextFontCX"> </p>
7178 <p class="TextFontCX"> </p>
7179 <h1 style='margin-left:0in;text-indent:0in'><a name=
7180 "_Toc534975002"></a><a name="_Ref534642928"></a><a name=
7181 "_Ref534642285">10<span style=
7182 'font:7.0pt "Times New Roman"'> </span>
7183 <a id="extensible" name="extensible">
7184 Extensible Checking</a></a></h1>
7185 <p class="TextFontCX">Splint provides mechanisms for defining new
7186 checks and annotations using metastate definitions.
7187 User-defined checks can be used to check and document properties
7188 not supported by the provided checks.<a href="#_ftn13" name=
7189 "_ftnref13" title=""><span class=
7190 "MsoFootnoteReference"><span class="MsoFootnoteReference"><span style='font-size:11.0pt;font-family:"Times New Roman"'>
7191 [13]</span></span></span></a></p>
7192 <p class="TextFontCX"> </p>
7193 <p class="TextFontCX">A large class of useful checks can be
7194 described as constraints on attributes associated with program
7195 objects or the global execution state. Unlike types, however, the
7196 values of these attributes can change along an execution
7197 path. Splint provides a general language that lets users
7198 define attributes associated with different kinds of program
7199 objects as well as rules that both constrain attributes’
7200 values at interface points and specify how attributes
7202 <p class="TextFontCX"> </p>
7203 <p class="TextFontCX">Because user-defined attribute checking is
7204 integrated with normal checking, Splint’s analysis of
7205 user-defined attributes can take advantage of other analyses, such
7206 as alias and nullness analysis.</p>
7207 <h2 style='margin-left:0in;text-indent:0in'><a name=
7208 "_Toc534975003">10.1<span style=
7209 'font:7.0pt "Times New Roman"'> </span>
7210 Defining Attributes</a></h2>
7211 <p class="TextFontCX">To define an attribute, create a metastate
7212 file (<span class="ProgramNameChar"><span style=
7213 'font-size: 10.0pt'>.mts</span></span>) that defined the possible
7214 values and transfer rules of the attribute. Attributes can
7215 either be associated with a particular kind of program object (for
7216 example, all <span class="CodeText"><span style=
7217 'font-size:10.0pt'>char *</span></span>’s) or with the global
7218 state (whether or not the network has been initialized). The
7219 <span class="Flag"><span style='font-size:10.0pt'>–mts
7220 <i><file></i></span></span> flag is used to direct Splint to
7221 read a metastate file (which will be found on the
7222 <span class="CodeText"><span style=
7223 'font-size:10.0pt'>LARCH_PATH</span></span> with default
7224 extension <span class="ProgramNameChar"><span style=
7225 'font-size:10.0pt'>.mts</span></span>).</p>
7226 <p class="TextFontCX"> </p>
7227 <p class="TextFontCX">An example attribute definition is shown in
7228 Figure 22. It defines the <span class=
7229 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7230 attribute for recording whether or not a <span class=
7231 "CodeText"><span style='font-size: 10.0pt'>char
7232 *</span></span> came from a possibly untrustworthy
7233 source. Knowing whether a value is possibly hostile is
7234 useful for preventing several security vulnerabilities
7235 including format string bugs.<a href="#_ftn14" name=
7236 "_ftnref14" title=""><span class=
7237 "MsoFootnoteReference"><span class=
7238 "MsoFootnoteReference"><span style=
7239 'font-size:11.0pt;font-family:"Times New Roman"'>[14]</span></span></span></a>
7240 (A simpler way to detect format vulnerabilities is to warn
7241 for any format string that is unknown at compile time. Splint
7242 provides this checking, issuing a warning if the <span class=
7244 'font-size:10.0pt'>+formatconst</span></span> flag is set and
7245 finds any unknown format strings at compile time. This can
7246 produce spurious messages, however, because there might be
7247 unknown format strings that are not vulnerable to hostile
7249 <p class="TextFontCX"> </p>
7250 <p class="TextFontCX">The first three lines of the attribute
7251 definition define the <span class="Annot"><span style=
7252 'font-size:10.0pt'>taintedness</span></span> attribute associated
7253 with <span class="CodeText"><span style='font-size:10.0pt'>char
7254 *</span></span> objects, which can be in one of two states:
7255 <span class="Annot"><span style=
7256 'font-size:10.0pt'>untainted</span></span> or <span class=
7257 "Annot"><span style='font-size:10.0pt'>tainted</span></span>.
7258 The <span class="Annot"><span style=
7259 'font-size:10.0pt'>context</span></span> clause gives a context
7260 selector for which objects have the attribute. In this
7261 case, <span class="Annot"><span style='font-size:10.0pt'>reference
7262 char *</span></span> means that every reference that is a
7263 <span class="CodeText"><span style='font-size:10.0pt'>char
7264 *</span></span> has an associated <span class=
7265 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7266 attribute. Other contexts include <span class=
7267 "Annot"><span style=
7268 'font-size: 10.0pt'>parameter</span></span> (only parameter
7269 declarations), <span class="Annot"><span style=
7270 'font-size:10.0pt'>literal</span></span> (only string or
7271 number literals), and <span class="Annot"><span style=
7272 'font-size:10.0pt'>null</span></span> (only known
7273 <span class="CodeText"><span style=
7274 'font-size:10.0pt'>NULL</span></span> values).
7275 Attribute can also be defined that are not associated with
7276 any particular object, but instead are associated with the
7277 global state of a program execution. The <span class=
7278 "Annot"><span style='font-size:10.0pt'>global</span></span>
7279 keyword is used before <span class="Annot"><span style=
7280 'font-size:10.0pt'>attribute</span></span> to define a global
7282 <p class="TextFontCX"> </p>
7283 <p class="TextFontCX">The <span class="Annot"><span style=
7284 'font-size:10.0pt'>oneof</span></span> clause introduces two
7285 identifiers for representing the <span class=
7286 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7287 value: <span class="Annot"><span style=
7288 'font-size:10.0pt'>untainted</span></span> for references
7289 that are not derived from untrustworthy input, and
7290 <span class="Annot"><span style=
7291 'font-size:10.0pt'>tainted</span></span> for references that
7292 may contain hostile data. </p>
7293 <p class="TextFontCX"> </p>
7294 <p class="TextFontCX">The <span class="Annot"><span style=
7295 'font-size:10.0pt'>annotations</span></span> clause defines two new
7296 annotations that may be used to describe <span class=
7297 "Annot"><span style='font-size:10.0pt'>taintedness</span></span>
7298 assumptions. In this case, the annotations match the names of
7299 the value choices, but they may be any identifier. The clause
7300 <span class="Annot"><span style='font-size:10.0pt'>tainted
7301 <b>reference ==></b> tainted</span></span> defines the
7302 <span class="Annot"><span style=
7303 'font-size:10.0pt'>tainted</span></span> annotation that may be
7304 used on a reference to indicate that it has <span class=
7305 "Annot"><span style='font-size: 10.0pt'>tainted</span></span>
7308 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
7310 <td valign="top" align="left" height="264" style=
7311 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
7312 <p class="Verbatim"><span class="Annot"><b>attribute</b></span>
7313 <span class="Annot">taintedness</span></p>
7314 <p class="Verbatim"><span class="Annot"> <b>context</b>
7315 <b>reference</b> char *</span></p>
7316 <p class="Verbatim"><span class="Annot"> <b>oneof</b>
7317 untainted, tainted</span></p>
7318 <p class="Verbatim"><span class="Annot">
7319 <b>annotations</b></span></p>
7320 <p class="Verbatim"><span class="Annot">
7321 tainted <b>reference ==></b> tainted</span></p>
7322 <p class="Verbatim"><span class="Annot">
7323 untainted <b>reference ==></b> untainted</span></p>
7324 <p class="Verbatim"><span class="Annot">
7325 <b>transfers</b></span></p>
7326 <p class="Verbatim"><span class="Annot">
7327 tainted <b>as</b> untainted <b>==> error</b> "Possibly tainted
7328 storage used where untainted required."</span></p>
7329 <p class="Verbatim"><span class="Annot">
7330 <b>merge</b></span></p>
7331 <p class="Verbatim"><span class=
7332 "Annot"> tainted <b>+</b> untainted
7333 <b>==></b> tainted</span></p>
7334 <p class="Verbatim"><span class="Annot">
7335 <b>defaults</b></span></p>
7336 <p class="Verbatim"><span class=
7337 "Annot"> reference <b>==></b>
7339 <p class="Verbatim"><span class="Annot">
7340 literal <b>==></b> untainted</span></p>
7341 <p class="Verbatim"><span class=
7342 "Annot"> null <b>==></b>
7343 untainted</span></p>
7344 <p class="Verbatim"><span class="Annot"><b>end</b></span></p>
7345 <p class="MsoCaption"><a name="_Ref534921559">Figure 22</a>.
7346 Taintedness Attribute</p></td></tr></table></center>
7349 <p class="TextFontCX"> </p>
7350 <p class="TextFontCX">The <span class="Annot"><span style=
7351 'font-size:10.0pt'>transfers</span></span> clause defines rules for
7352 state changes and warning when objects are passed as parameters,
7353 returned, or assigned to externally visible references. The
7354 rule, <span class="Annot"><span style='font-size:10.0pt'>tainted
7355 <b>as</b> untainted <b>==> error</b> "Possibly tainted storage
7356 used where untainted required."</span></span>, means it is an error
7357 to pass a <span class="Annot"><span style=
7358 'font-size:10.0pt'>tainted</span></span> value as a parameter that
7359 has <span class="Annot"><span style=
7360 'font-size:10.0pt'>untainted</span></span> taintedness. All
7361 other transfers are implicitly permitted, and leave the passed
7362 storage in the same state as before the transfer. We may also
7363 use a <span class="Annot"><span style=
7364 'font-size:10.0pt'>transfers</span></span> clause to indicate that
7365 the reference changes state after a transfer. A
7366 <span class="Annot"><span style=
7367 'font-size:10.0pt'>losereference</span></span> clause (not
7368 used in taintedness) is similar to a <span class=
7369 "Annot"><span style=
7370 'font-size:10.0pt'>transfers</span></span> clause, except it
7371 is used to provide rules for when a reference to storage is
7372 lost, either by leaving the scope in which it was declared,
7373 returning from a function, or assigning it to a new
7375 <p class="TextFontCX"> </p>
7376 <p class="TextFontCX">The <span class="Annot"><span style=
7377 'font-size:10.0pt'>merge</span></span> clause defined rules for
7378 combining state along paths. The clause<span class=
7379 "Annot"><span style='font-size:10.0pt'>merge tainted + untainted
7380 ==> tainted</span></span> indicates that combining
7381 <span class="Annot"><span style=
7382 'font-size:10.0pt'>tainted</span></span> and <span class=
7383 "Annot"><span style=
7384 'font-size:10.0pt'>untainted</span></span> objects produces a
7385 <span class="Annot"><span style=
7386 'font-size:10.0pt'>tainted</span></span> object. Thus, if a
7387 reference is <span class="Annot"><span style=
7388 'font-size:10.0pt'>tainted</span></span> along one control
7389 path and <span class="Annot"><span style=
7390 'font-size:10.0pt'>untainted</span></span> along another
7391 control path, checking assumes that it is <span class=
7392 "Annot"><span style=
7393 'font-size:10.0pt'>tainted</span></span>after the two
7394 branches merge. It is also used to merge taintedness states
7395 in function specifications (see the <span class=
7396 "CodeText"><span style=
7397 'font-size:10.0pt'>strcat</span></span> example in the next
7398 section). We can also define error combinations so that
7399 a warning is reported if the states on different paths are
7401 <p class="TextFontCX"> </p>
7402 <p class="TextFontCX">The <span class="Annot"><span style=
7403 'font-size:10.0pt'>defaults</span></span> clause specifies default
7404 values used for declarators without explicit attribute annotations.
7405 We choose default values to make it easy to start checking an
7406 unannotated program. Here we assume unannotated references are
7407 <span class="Annot"><span style=
7408 'font-size:10.0pt'>tainted</span></span> and Splint will report a
7409 warning where unannotated references are passed to functions that
7410 require untainted parameters. The warnings indicate either a format
7411 bug in the code or a place where an <span class=
7412 "Annot"><span style='font-size:10.0pt'>untainted</span></span>
7413 annotation should be added. Running Splint again after adding
7414 the annotation will propagate the newly documented assumption
7415 through the program.</p>
7416 <p class="TextFontCX"> </p>
7417 <p class="TextFontCX" style='margin-bottom:6.0pt'>The full grammar
7418 for metastate definitions is given in Appendix C.</p>
7419 <h2 style='margin-left:0in;text-indent:0in'><a name=
7420 "_Toc534975004">10.2<span style=
7421 'font:7.0pt "Times New Roman"'> </span>
7422 Annotations</a></h2>
7423 <p class="TextFontCX">The annotations defined by metastate
7424 definitions can be used like normal annotations. The context
7425 specifier for an annotation indicates where it may be used.
7426 For the taintedness example, we can use <span class=
7427 "Annot"><span style='font-size:10.0pt'>tainted</span></span> and
7428 <span class="Annot"><span style=
7429 'font-size:10.0pt'>untainted</span></span> as annotations wherever
7430 <span class="Annot"><span style=
7431 'font-size:10.0pt'>only</span></span> could be used. This
7432 includes <span class="Annot"><span style=
7433 'font-size:10.0pt'>ensures</span></span> and <span class=
7434 "Annot"><span style='font-size:10.0pt'>requires</span></span>
7435 clauses, which allows us to specify functions that modify state
7436 associated with metastate definitions. The syntax
7437 <span class="Annot"><i><span style=
7438 'font-size: 10.0pt'><expr></span></i></span><span class="Annot">
7440 'font-size: 10.0pt'>:<i><attribute></i></span></span> is used
7441 to refer to the value of the user-defined attribute for expression
7442 <span class="Annot"><i><span style=
7443 'font-size:10.0pt'><expr></span></i></span>. </p>
7444 <p class="TextFontCX"> </p>
7445 <p class="TextFontCX">It is often necessary to extend the library
7446 specifications with metastate annotations. We don’t
7447 want to have different versions of the library for different
7448 metastate annotations, so instead Splint provides a mechanism for
7449 adding annotations separately using an <span class=
7450 "ProgramNameChar"><span style='font-size:10.0pt'>.xh</span></span>
7451 file. For the taintedness example, we do this by providing
7452 annotated declarations in the <span class=
7453 "ProgramNameChar"><span style=
7454 'font-size:10.0pt'>tainted.xh</span></span> file. Example
7455 specifications in this file include:</p>
7456 <p class="TextFontCX"> </p>
7457 <p class="Verbatim">int printf (/*@untainted@*/ char *fmt,
7459 <p class="Verbatim"> </p>
7460 <p class="Verbatim">char *fgets (char *s, int n, FILE *stream)
7461 /*@ensures tainted s@*/ ;</p>
7462 <p class="Verbatim"> </p>
7463 <p class="Verbatim">char *strcat (/*@returned@*/ char *s1,
7465 <p class="Verbatim"> /*@ensures s1:taintedness =
7466 s1:taintedness | s2:taintedness @*/</p>
7467 <p class="TextFontCX"> </p>
7468 <p class="TextFontCX">The <span class="CodeText"><span style=
7469 'font-size:10.0pt'>strcat</span></span> specification uses
7470 <span class="Annot"><span style='font-size:10.0pt'>/*@ensures
7471 s1:taintedness = s1:taintedness | s2:taintedness @*/</span></span>
7472 to indicate that the taintedness of <span class=
7473 "CodeText"><span style='font-size:10.0pt'>s1</span></span> after
7474 <span class="CodeText"><span style=
7475 'font-size:10.0pt'>strcat</span></span> returns is the result of
7476 merging the taintedness of <span class=
7477 "CodeText"><span style='font-size:10.0pt'>s1</span></span>
7478 and <span class="CodeText"><span style=
7479 'font-size:10.0pt'>s2</span></span> before the call.
7480 Because the parameters lack annotations, they are implicitly
7481 tainted according to the default rules and either untainted
7482 or tainted references can be passed as parameters to
7483 <span class="CodeText"><span style=
7484 'font-size:10.0pt'>strcat</span></span>. The <span class=
7485 "Annot"><span style='font-size:10.0pt'>ensures</span></span>
7486 clause means that after <span class="CodeText"><span style=
7487 'font-size:10.0pt'>strcat</span></span> returns the first
7488 parameter (and the result, because of the returned annotation
7489 on <span class="CodeText"><span style=
7490 'font-size:10.0pt'>s1</span></span>) will be tainted if
7491 either passed object was tainted. Splint merges the two
7492 taintedness states using the attribute definition
7493 rules—hence, if the <span class="CodeText"><span style=
7494 'font-size:10.0pt'>s1</span></span> parameter is untainted
7495 and the <span class="CodeText"><span style=
7496 'font-size:10.0pt'>s2</span></span> parameter is tainted, the
7497 result and first parameter will be tainted after <span class=
7498 "CodeText"><span style=
7499 'font-size:10.0pt'>strcat</span></span> returns.</p>
7500 <p class="TextFontCX"> </p>
7501 <h1 style='margin-left:0in;text-indent:0in'><a name=
7502 "_Toc534975006"></a><a name="_Ref534642895"></a><a name=
7503 "_Ref534642215">11<span style=
7504 'font:7.0pt "Times New Roman"'> </span>
7505 <a id="macros" name="macros">
7507 <p class="TextFontCX">Macros are commonly used in C programs to
7508 implement constants or to mimic functions without the overhead of a
7509 function call. Macros that are used to implement functions
7510 are a persistent source of bugs in C programs, since they may not
7511 behave like the intended function when they are invoked with
7512 certain parameters or used in certain syntactic contexts. </p>
7513 <p class="TextFontCX"> </p>
7514 <p class="TextFontCX">Splint eliminates most of the potential
7515 problems by detecting macros with dangerous implementations and
7516 dangerous macro invocations. Whether or not a macro
7517 definition is checked or expanded normally depends on flag settings
7518 and control comments (see Section 11.3). Stylized macros can
7519 also be used to define control structures for iterating through
7520 many values (see Section 11.4).</p>
7521 <h2 style='margin-left:0in;text-indent:0in'><a name=
7522 "_Toc534975007"></a><a name="_Ref361651263"></a><a name=
7523 "_Ref344916524"></a><a name="_Ref344908437"></a><a name=
7524 "_Toc344355419">11.1<span style=
7525 'font:7.0pt "Times New Roman"'> </span>
7526 Constant Macros</a></h2>
7527 <p class="TextFontCX">Macros may be used to implement
7528 constants. To get type-checking for constant macros, use the
7529 <span class="Annot"><span style=
7530 'font-size:10.0pt'>constant</span></span> annotation. For
7532 <p class="example">/*@constant null char *mstring_undefined@*/</p>
7533 <p class="TextFontCX">Declared constants are not expanded and are
7534 checked according to the declaration. A constant with a
7535 <span class="Annot"><span style=
7536 'font-size:10.0pt'>null</span></span> annotation may be used as
7537 <span class="Annot"><span style=
7538 'font-size:10.0pt'>only</span></span> storage.</p>
7539 <h2 style='margin-left:0in;text-indent:0in'><a name=
7540 "_Toc534975008"></a><a name="_Toc344355420"></a><a name=
7541 "_Ref343363760">11.2<span style=
7542 'font:7.0pt "Times New Roman"'> </span>
7543 Function-like Macros</a></h2>
7544 <p class="TextFontCX">Using macros to imitate functions is
7545 notoriously dangerous. Consider this broken macro for
7546 squaring a number:</p>
7547 <p class="example"># define square(x) x * x</p>
7548 <p class="TextFontCX">This works fine for a simple invocation like
7549 <span class="CodeText"><span style=
7550 'font-size:10.0pt'>square(i)</span></span>. It behaves
7551 unexpectedly, though, if it is instantiated with a parameter that
7552 has a side effect. For example, <span class=
7553 "CodeText"><span style=
7554 'font-size: 10.0pt'>square(i++)</span></span> expands to
7555 <span class="CodeText"><span style='font-size:10.0pt'>i++ *
7556 i++</span></span>. Not only does this give the incorrect
7557 result, it has undefined behavior since the order in which the
7558 operands are evaluated is not defined. (See Section 8.2 for
7559 more information on how expressions exhibiting undefined evaluation
7560 order behavior are detected by Splint.) To correct the
7561 problem we either need to rewrite the macro so that its parameter
7562 is evaluated exactly once, or prevent clients from invoking the
7563 macro with a parameter that has a side effect. </p>
7564 <p class="TextFontCX"> </p>
7565 <p class="TextFontCX">Another possible problem with macros is that
7566 they may produce unexpected results because of operator precedence
7567 rules. The instantiation, <span class=
7568 "CodeText"><span style='font-size:10.0pt'>square(i+1)</span></span>
7569 expands to <span class="CodeText"><span style=
7570 'font-size:10.0pt'>i+1*i+1</span></span>, which evaluates to
7571 <span class="CodeText"><span style=
7572 'font-size:10.0pt'>i+i+1</span></span> instead of the square
7573 of <span class="CodeText"><span style=
7574 'font-size:10.0pt'>i+1</span></span>. To ensure the
7575 expected behavior, the macro parameter should be enclosed in
7576 parentheses where it is used in the macro body.</p>
7577 <p class="TextFontCX"> </p>
7578 <p class="TextFontCX">Macros may also behave unexpectedly if they
7579 are not syntactically equivalent to an expression. Consider
7580 the macro definition,</p>
7581 <p class="example"># define incCounts() ntotal++;
7583 <p class="TextFontCX">This works fine, unless it is used as a
7584 statement. For example,</p>
7585 <p class="example">if (x < 3) incCounts();</p>
7586 <p class="TextFontCX">increments <span class=
7587 "CodeText"><span style='font-size:10.0pt'>ntotal</span></span>
7588 if <span class="CodeText"><span style='font-size:10.0pt'>x
7589 < 3</span></span> but always increments <span class=
7590 "CodeText"><span style=
7591 'font-size:10.0pt'>ncurrent</span></span>.</p>
7592 <p class="TextFontCX"> </p>
7593 <p class="TextFontCX">One solution is to use the comma operator to
7594 define the macro:</p>
7595 <p class="example"># define incCounts() (ntotal++,
7597 <p class="beforelist">More complicated macros can be written using
7598 a <span class="CodeText"><span style='font-size:10.0pt'>do …
7599 while</span></span> construction:</p>
7600 <p class="Verbatim"> # define incCounts() \</p>
7601 <p class="Verbatim"> do { ntotal++;
7602 ncurrent++; } while (FALSE)</p>
7603 <p class="afterlist">Splint detects these pitfalls in macro
7604 definitions, and checks that a macro behaves as much like a
7605 function as possible. A client should only be able to tell
7606 that a function was implemented by a macro if it attempts to use
7607 the macro as a pointer to a function.</p>
7608 <p class="MsoListBullet"> </p>
7609 <p class="beforelist">Splint does these checks on a macro
7610 definition corresponding to a function:</p>
7611 <p class="MsoListBullet"><span style=
7612 'font-family:Symbol'>·<span style=
7613 'font:7.0pt "Times New Roman"'> </span></span>
7614 Each parameter to a macro (except those declared to be side effect
7615 free, see Section 11.2.1) must be used exactly once in all possible
7616 executions of the macro, so side effecting arguments behave as
7617 expected.<a href="#_ftn15" name="_ftnref15" title=
7618 ""><span class="MsoFootnoteReference"><span class=
7619 "MsoFootnoteReference"><span style=
7620 'font-size:11.0pt;font-family:"Times New Roman"'>[15]</span></span></span></a>
7621 (Controlled by <span class="Flag"><span style=
7622 'font-size:10.0pt'>macroparams</span></span>.)</p>
7623 <p class="MsoListBullet"><span style=
7624 'font-family:Symbol'>·<span style=
7625 'font:7.0pt "Times New Roman"'> </span></span>
7626 A parameter to a macro may not be used as the left-hand side of an
7627 assignment expression or as the operand of an increment or
7628 decrement operator in the macro text, since this produces
7629 non-functional behavior. (Controlled by <span class=
7631 'font-size:10.0pt'>macroassign</span></span>.)</p>
7632 <p class="MsoListBullet"><span style=
7633 'font-family:Symbol'>·<span style=
7634 'font:7.0pt "Times New Roman"'> </span></span>
7635 Macro parameters must be enclosed in parentheses when they are used
7636 in potentially dangerous contexts. (Controlled by
7637 <span class="Flag"><span style=
7638 'font-size: 10.0pt'>macroparens</span></span>.)</p>
7639 <p class="MsoListBullet"><span style=
7640 'font-family:Symbol'>·<span style=
7641 'font:7.0pt "Times New Roman"'> </span></span>
7642 A macro definition must be syntactically equivalent to a statement
7643 when it is invoked followed by a semicolon. (Controlled by
7644 <span class="Flag"><span style=
7645 'font-size:10.0pt'>macrostmt</span></span>.)</p>
7646 <p class="MsoListBullet"><span style=
7647 'font-family:Symbol'>·<span style=
7648 'font:7.0pt "Times New Roman"'> </span></span>
7649 The type of the macro body must match the return type of the
7650 corresponding function. If the macro is declared with type
7651 <span class="CodeText"><span style=
7652 'font-size:10.0pt'>void</span></span>, its body may have any type
7653 but the macro value may not be used.</p>
7654 <p class="MsoListBullet"><span style=
7655 'font-family:Symbol'>·<span style=
7656 'font:7.0pt "Times New Roman"'> </span></span>
7657 All variables declared in the body of a macro definition must be in
7658 the macro variable namespace, so they do not conflict with
7659 variables in the scope where the macro is invoked (which may be
7660 used in the macro parameters). By default, the macro
7661 namespace is all names prefixed by <span class=
7662 "CodeText"><span style='font-size:10.0pt'>m_</span></span>.
7663 (See Section 12.2 for information on controlling namespaces.)</p>
7664 <p class="afterlist">At the call site, a macro is checked like any
7665 other function call.</p>
7666 <h3 style='margin-left:0in;text-indent:0in'><a name=
7667 "_Toc534975009"></a><a name="_Toc344355421"></a><a name=
7668 "_Ref343109609">11.2.1<span style=
7669 'font:7.0pt "Times New Roman"'> </span> Side
7670 Effect Free Parameters</a></h3>
7671 <p class="beforelist">Suppose we really do want to implement
7672 <span class="CodeText"><span style=
7673 'font-size:10.0pt'>square</span></span> as a macro, but want do so
7674 in a safe way. One way to do this is to require that it is
7675 never invoked with a parameter that has a side effect. Splint
7676 will check that this constraint holds, if the parameter is
7677 annotated to be side effect free. That is, the expression
7678 corresponding to this parameter must not modify any state, so it
7679 does not matter how many times it is evaluated. The
7680 <span class="Annot"><span style=
7681 'font-size:10.0pt'>sef</span></span> annotation is used to denote a
7682 parameter that may not have any side effects:</p>
7683 <p class="Verbatim"><span style='font-size:9.5pt'>
7684 extern int square (/*@sef@*/ int x);</span></p>
7685 <p class="Verbatim"><span style='font-size:9.5pt'> #
7686 define square(x) ((x) *(x))</span></p>
7687 <p class="afterlist">Now, Splint will not report an error checking
7688 the definition of <span class="CodeText"><span style=
7689 'font-size:10.0pt'>square</span></span> even though
7690 <span class="CodeText"><span style=
7691 'font-size:10.0pt'>x</span></span> is used more than
7693 <p class="TextFontCX"> </p>
7694 <p class="TextFontCX">A message will be reported, however, if
7695 <span class="CodeText"><span style=
7696 'font-size:10.0pt'>square</span></span> is invoked with a parameter
7697 that has a side effect. For the code fragment,</p>
7698 <p class="example">square (i++)</p>
7699 <p class="beforelist">Splint produces the message:</p>
7700 <p class="Verbatim"> <span style=
7701 'font-family:Arial'>Parameter 1 to square is declared sef,</span>
7702 <span style='font-family:Arial'>but the argument may modify:
7704 <p class="betweenlists">It is also an error to pass a macro
7705 parameter that is not annotated with <span class=
7706 "Annot"><span style='font-size:10.0pt'>sef</span></span> as a
7707 <span class="Annot"><span style=
7708 'font-size:10.0pt'>sef</span></span> macro parameter in the body of
7709 a macro definition. For example,</p>
7710 <p class="Verbatim"><span style='font-size:9.5pt'>
7711 extern int sumsquares (int x, int y);</span></p>
7712 <p class="Verbatim"><span style='font-size:9.5pt'> #
7713 define sumsquares(x,y) (square(x) + square(y))</span></p>
7714 <p class="afterlist">Although <span class=
7715 "CodeText"><span style='font-size:10.0pt'>x</span></span>
7716 only appears once in the definition of <span class=
7717 "CodeText"><span style=
7718 'font-size:10.0pt'>sumsquares</span></span> it will be
7719 evaluated twice since <span class="CodeText"><span style=
7720 'font-size:10.0pt'>square</span></span> is expanded.</p>
7721 <p class="TextFontCX"> </p>
7722 <p class="TextFontCX">A parameter may be passed as a
7723 <span class="Annot"><span style=
7724 'font-size:10.0pt'>sef</span></span> parameter without an
7725 error being reported, if Splint can determine that evaluating
7726 the parameter has no side effects. For function calls,
7727 the modifies clause is used to determine if a side effect is
7728 possible.<a href="#_ftn16" name="_ftnref16" title=
7729 ""><span class="MsoFootnoteReference"><span class=
7730 "MsoFootnoteReference"><span style=
7731 'font-size:11.0pt;font-family:"Times New Roman"'>[16]</span></span></span></a>
7732 To prevent many spurious errors, if the called function has
7733 no modifies clause, Splint will report an error only if
7734 <span class="Flag"><span style=
7735 'font-size: 10.0pt'>sef-uncon</span></span> is on.
7736 Justifiably paranoid programmers will insist on setting
7737 <span class="Flag"><span style=
7738 'font-size:10.0pt'>sef-uncon</span></span> on, and will add
7739 modifies clauses to unconstrained functions that are used in
7740 <span class="Annot"><span style=
7741 'font-size:10.0pt'>sef</span></span> macro arguments.</p>
7742 <p class="TextFontCX"> </p>
7743 <p class="beforelist">One common application of macros is to get
7744 around the lack of polymorphism in C. We can use the
7745 <span class="Annot"><span style='font-size: 10.0pt'>/*@alt
7746 <type>,<sup>+</sup>@></span></span> syntax (see
7747 Section 4.4) to indicate that an alternate type may be used.
7749 <p class="Verbatim"><span style='font-size:9.5pt'> extern int
7750 /*@alt float@*/ square (/*@sef@*/ int /*@alt float@*/
7752 <p class="Verbatim"><span style='font-size:9.5pt'> # define
7753 square(x) ((x) *(x))</span></p>
7754 <p class="afterlist">declares <span class=
7755 "CodeText"><span style='font-size:10.0pt'>square</span></span>
7756 for both <span class="CodeText"><span style=
7757 'font-size:10.0pt'>int</span></span>s and <span class=
7758 "CodeText"><span style=
7759 'font-size:10.0pt'>float</span></span>s. Note however,
7760 that the return type is either <span class=
7761 "CodeText"><span style='font-size:10.0pt'>int</span></span>
7762 or <span class="CodeText"><span style=
7763 'font-size:10.0pt'>float</span></span>, regardless of the
7764 actual parameter type. This is weaker than what is
7765 actually known about the return type.</p>
7766 <h2 style='margin-left:0in;text-indent:0in'><a name=
7767 "_Toc534975010"></a><a name="_Ref347227227">11.3<span style=
7768 'font:7.0pt "Times New Roman"'> </span>
7769 Controlling Macro Checking</a></h2>
7770 <p class="TextFontCX">By default, Splint expands macros normally
7771 and checks the resulting code after macros have been
7772 expanded. Flags and control comments may be used to control
7773 which macros are expanded and which are checked as functions or
7775 <p class="TextFontCX"> </p>
7776 <p class="TextFontCX">If the <span class="Flag"><span style=
7777 'font-size:10.0pt'>fcn-macros</span></span> flag is on, Splint
7778 assumes all macros defined with parameter lists implement functions
7779 and checks them accordingly. Parameterized macros are not
7780 expanded and are checked as functions with unknown result and
7781 parameter types (or using the types in the prototype, if one is
7782 given). The analogous flag for macros that define constants
7783 is <span class="Flag"><span style=
7784 'font-size:10.0pt'>const-macros</span></span>. If it is on,
7785 macros with no parameter lists are assumed to be constants, and
7786 checked accordingly. The <span class=
7787 "Flag"><span style='font-size:10.0pt'>all-macros</span></span>
7788 flag sets both <span class="Flag"><span style=
7789 'font-size:10.0pt'>fcn-macros</span></span> and <span class=
7791 'font-size:10.0pt'>const-macros</span></span>. If the
7792 <span class="Flag"><span style=
7793 'font-size:10.0pt'>macro-fcn-decl</span></span> flag is
7794 set, a message reports parameterized macros with no
7795 corresponding function prototype. If the <span class=
7797 'font-size:10.0pt'>macro-const-decl</span></span> flag
7798 is set, a similar message reports macros with no parameters
7799 that have no corresponding constant declaration.</p>
7800 <p class="TextFontCX"> </p>
7801 <p class="beforelist">The macro checks described in the previous
7802 sections make sense only for macros that are intended to replace
7803 functions or constants. When <span class=
7804 "Flag"><span style='font-size:10.0pt'>fcnmacros</span></span>
7805 or <span class="Flag"><span style=
7806 'font-size:10.0pt'>constmacros</span></span> is on, more
7807 general macros need to be marked so they will not be checked
7808 as functions or constants, and will be expanded
7809 normally. Macros that are not meant to behave like
7810 functions should be preceded by the /<span class=
7811 "Annot"><span style=
7812 'font-size:10.0pt'>*@notfunction@*/</span></span>comment.
7814 <p class="Verbatim"><span style='font-size:9.5pt'>
7815 /*@notfunction@*/</span></p>
7816 <p class="Verbatim"><span style='font-size:9.5pt'> #
7817 define forever for(;;)</span></p>
7818 <p class="afterlist">Macros preceded by <span class=
7819 "Annot"><span style='font-size: 10.0pt'>notfunction</span></span>
7820 are expanded normally before regular checking is done. If a
7821 macro that is not syntactically equivalent to a statement without a
7822 semi-colon (e.g., a macro which enters a new scope) is not preceded
7823 by <span class="Annot"><span style=
7824 'font-size:10.0pt'>notfunction</span></span>, parse errors may
7825 result when <span class="Flag"><span style=
7826 'font-size:10.0pt'>fcn-macros</span></span> or
7827 <span class="Flag"><span style=
7828 'font-size:10.0pt'>const-macros</span></span> is on.</p>
7829 <h2 style='margin-left:0in;text-indent:0in'><a name=
7830 "_Ref345771875"></a><a name="_Ref345489124"></a><a name=
7831 "_Toc344355423"></a><a name="_Toc534975011"></a><a name=
7832 "_Ref361651257"></a><a name="_Ref349897909"></a><a name=
7833 "_Ref344916532"></a><a name="_Ref344908410"></a><a name=
7834 "_Toc344355424">11.4<span style=
7835 'font:7.0pt "Times New Roman"'> </span>
7837 <p class="TextFontCX">It is often useful to be able to execute the
7838 same code for many different values. For example, we may want
7839 to sum all elements in an <span class="CodeText"><span style=
7840 'font-size:10.0pt'>intSet</span></span> that represents a set of
7841 integers. If <span class="CodeText"><span style=
7842 'font-size:10.0pt'>intSet</span></span> is an abstract type, there
7843 is no easy way of doing this in a client module without depending
7844 on the concrete representation of the type. Instead, we could
7845 provide such a mechanism as part of the type’s
7846 implementation. We call a mechanism for looping through many
7847 values an <i>iterator</i>.</p>
7848 <p class="TextFontCX"> </p>
7849 <p class="TextFontCX">The C language provides no mechanism for
7850 creating user-defined iterators. Splint supports a stylized
7851 form of iterators declared using syntactic comments and defined
7853 <p class="TextFontCX"> </p>
7854 <p class="TextFontCX">Iterator declarations are similar to function
7855 declarations except instead of returning a value, they assign
7856 values to their <span class="Annot"><span style=
7857 'font-size:10.0pt'>yield</span></span> parameters in each
7858 iteration. For example, we could add this iterator
7859 declaration to <span class="Keyword"><span style=
7860 'font-size:10.0pt;font-family: Arial;color:windowtext'>intSet.h</span></span>:</p>
7861 <p class="example">/*@iter intSet_elements (intSet s, yield int
7863 <p class="TextFontCX">The <span class="Annot"><span style=
7864 'font-size:10.0pt'>yield</span></span> annotation means that the
7865 variable passed as the second actual argument is declared as a
7866 local variable of type <span class="CodeText"><span style=
7867 'font-size:10.0pt'>int</span></span> and assigned a value in each
7869 <h3 style='margin-left:0in;text-indent:0in'><a name=
7870 "_Toc534975012">11.4.1<span style=
7871 'font:7.0pt "Times New Roman"'> </span> Defining
7873 <p class="beforelist">An iterator is defined using a macro.
7874 Here’s one (not particularly efficient) way of defining
7875 <span class="CodeText"><span style=
7876 'font-size:10.0pt'>intSet_elements</span></span>:</p>
7877 <p class="Verbatim"> typedef /*@abstract@*/ struct
7879 <p class="Verbatim"> int
7881 <p class="Verbatim"> int
7883 <p class="Verbatim"> } intSet;</p>
7884 <p class="Verbatim"> …</p>
7885 <p class="Verbatim"> # define intSet_elements(s,m_el)
7887 <p class="Verbatim"> { int m_i; \</p>
7888 <p class="Verbatim"> for (m_i =
7889 (0); m_i <= ((s)->nelements); m_i++) { \</p>
7890 <p class="Verbatim">
7891 int
7892 m_el = (s)->elements[(m_i)];</p>
7893 <p class="Verbatim"> </p>
7894 <p class="Verbatim"> # define end_intSet_elements
7896 <p class="afterlist">Each time through the loop, the yield
7897 parameter <span class="CodeText"><span style=
7898 'font-size:10.0pt'>m_el</span></span> is assigned to the next
7899 value. After each value has been assigned to
7900 <span class="CodeText"><span style=
7901 'font-size:10.0pt'>m_el</span></span> for one iteration, the
7902 loop terminates. Variables declared by the iterator
7903 macro (including the <span class="Annot"><span style=
7904 'font-size:10.0pt'>yield</span></span> parameter) are
7905 preceded by the macro variable namespace prefix <span class=
7906 "CodeText"><span style='font-size:10.0pt'>m_</span></span>
7907 (see Section 11.2) to avoid conflicts with variables defined
7908 in the scope where the iterator is used.</p>
7909 <h3 style='margin-left:0in;text-indent:0in'><a name=
7910 "_Toc534975013">11.4.2<span style=
7911 'font:7.0pt "Times New Roman"'> </span> Using
7913 <p class="TextFontCX">The general structure for using an iterator
7915 <p class="example"><i>iter</i> (<i><params></i>) stmt;
7917 <p class="beforelist">For example, a client could use
7918 <span class="CodeText"><span style=
7919 'font-size:10.0pt'>intSet_elements</span></span> to sum the
7920 elements of an <span class="CodeText"><span style=
7921 'font-size:10.0pt'>intSet</span></span>:</p>
7922 <p class="Verbatim"> intSet s;</p>
7923 <p class="Verbatim"> int sum = 0;</p>
7924 <p class="Verbatim"> ...</p>
7925 <p class="Verbatim"> intSet_elements (s, el) {</p>
7926 <p class="Verbatim" style='text-indent:.5in'>sum += el;</p>
7927 <p class="Verbatim"> } end_intSet_elements;</p>
7928 <p class="afterlist">The actual parameter corresponding to a yield
7929 parameter, <span class="CodeText"><span style=
7930 'font-size:10.0pt'>el</span></span>, is not declared in the
7931 function scope. Instead, it is declared by the iterator and
7932 assigned to an appropriate value for each iteration.</p>
7933 <p class="TextFontCX"> </p>
7934 <p class="beforelist">Splint will do the following checks for uses
7935 of stylized iterators:</p>
7936 <p class="MsoListBullet"><span style=
7937 'font-family:Symbol'>·<span style=
7938 'font:7.0pt "Times New Roman"'> </span></span>
7939 An invocation of the iterator <span class=
7940 "CodeText"><i><span style='font-size:10.0pt'>iter</span></i></span>
7941 must be balanced by a corresponding end, named <span class=
7942 "CodeText"><span style=
7943 'font-size:10.0pt'>end_<i>iter</i></span></span>.</p>
7944 <p class="MsoListBullet"><span style=
7945 'font-family:Symbol'>·<span style=
7946 'font:7.0pt "Times New Roman"'> </span></span>
7947 All actual parameters must be defined, except those corresponding
7948 to yield parameters.</p>
7949 <p class="MsoListBullet"><span style=
7950 'font-family:Symbol'>·<span style=
7951 'font:7.0pt "Times New Roman"'> </span></span>
7952 Yield parameters must be new identifiers, not declared in the
7953 current scope or any enclosing scope.</p>
7954 <p class="afterlist">Iterators are a bit awkward to implement, but
7955 they enable compact, easily understood client code. For
7956 abstract collection types, an iterator can be used to enable
7957 clients to operate on elements of the collection without breaking
7958 data abstraction.<a name="_Ref348845281"></a><a name=
7959 "_Toc344355425"></a><a name="_Ref343247905"></a></p>
7960 <h1 style='margin-left:0in;text-indent:0in'><a name=
7961 "_Toc534975014"></a><a name="_Ref483663681"></a><a name=
7962 "_Ref350065611">12<span style=
7963 'font:7.0pt "Times New Roman"'> </span>
7964 <a id="naming" name="naming">
7965 Naming Conventions</a></a></h1>
7966 <p class="TextFontCX">Naming conventions tend to be a religious
7967 issue. Generally, it doesn't matter too much what naming convention
7968 is followed as long as one is chosen and followed
7969 religiously. There are two kinds of naming conventions
7970 supported by Splint. Type-based naming conventions (Section
7971 12.1) constrain identifier names according to the abstract
7972 types that are accessible where the identifier is
7973 defined. Prefix naming conventions (Section 12.2) constrain
7974 the initial characters of identifier names according to what is
7975 being declared and its scope. Naming conventions may be
7976 combined or different conventions may be selected for different
7977 kinds of identifiers. In addition, Splint supports checking
7978 that names do not conflict with names reserved for the standard
7979 library or implementation (Section 12.3) and are sufficiently
7980 distinguishable from other names.</p>
7981 <h2 style='margin-left:0in;text-indent:0in'><a name=
7982 "_Toc534975015"></a><a name="_Ref348079373"></a><a name=
7983 "_Ref347240654"></a><a name="_Toc344355426">12.1<span style=
7984 'font:7.0pt "Times New Roman"'> </span>
7985 Type-Based Naming Conventions</a></h2>
7986 <p class="TextFontCX">Generic naming conventions constrain valid
7987 names of identifiers. By limiting valid names, namespaces may
7988 be preserved and programs may be more easily understood since the
7989 name gives clues as to how and where the name is defined and how it
7991 <p class="TextFontCX"> </p>
7992 <p class="TextFontCX">Names may be constrained by the scope of the
7993 name (external, file static, internal), the file in which the
7994 identifier is defined, the type of the identifier, and global
7996 <h3 style='margin-left:0in;text-indent:0in'><a name=
7997 "_Toc534975016"></a><a name=
7998 "_Ref347994687">12.1.1<span style='font:7.0pt "Times New Roman"'> </span>
7999 Czech Names</a></h3>
8000 <p class="TextFontCX">Czech<a href="#_ftn17" name="_ftnref17"
8001 title=""><span class="MsoFootnoteReference"><span class=
8002 "MsoFootnoteReference"><span style=
8003 'font-size:11.0pt;font-family:"Times New Roman"'>[17]</span></span></span></a>
8004 names denote operations and variables of abstract types by
8005 preceding the names by <span class="CodeText"><i><span style=
8006 'font-size:10.0pt'><type></span></i></span><span class=
8007 "CodeText"><span style='font-size:10.0pt'>_</span></span>.
8008 The remainder of the name should begin with a lowercase
8009 character, but may use any other character besides the
8010 underscore. Types may be named using any non-underscore
8012 <p class="TextFontCX"> </p>
8013 <p class="TextFontCX" style='margin-bottom:6.0pt'>The Czech naming
8014 convention is selected by the <span class="Flag"><span style=
8015 'font-size:10.0pt'>czech</span></span> flag. If
8016 <span class="Flag"><span style=
8017 'font-size:10.0pt'>access-czech</span></span> is on, a function,
8018 variable, constant or iterator named <span class=
8019 "CodeText"><i><span style=
8020 'font-size:10.0pt'><type></span></i></span><span class=
8021 "CodeText"><span style=
8022 'font-size:10.0pt'>_<i><name></i></span></span> has access to
8023 the abstract type <span class="CodeText"><i><span style=
8024 'font-size:10.0pt'><type></span></i></span>. Reporting
8025 of violations of the Czech naming convention is controlled by
8026 different flags depending on what is being declared:</p>
8027 <p class="TextFontCX"><span class="Flag"><span style=
8028 'font-size:10.0pt'>czech-fcns</span></span></p>
8029 <p class="TextFontCX" style='margin-left:13.5pt'>Functions and
8030 iterators. An error is reported for a function name of the
8031 form <span class="CodeText"><i><span style=
8032 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8033 <span style='font-size:10.0pt'>_<i><name></i></span></span>
8034 where <span class="CodeText"><i><span style=
8035 'font-size:10.0pt'><prefix></span></i></span> is not the name
8036 of an accessible type. Note that if <span class=
8037 "Flag"><span style='font-size:10.0pt'>accessczech</span></span> is
8038 on, a type named <span class="CodeText"><i><span style=
8039 'font-size:10.0pt'><prefix></span></i></span> would be
8040 accessible in a function beginning with <span class=
8041 "CodeText"><i><span style=
8042 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8043 <span style='font-size:10.0pt'>_</span></span>. If
8044 <span class="Flag"><span style=
8045 'font-size:10.0pt'>access-czech</span></span> is off, an error is
8046 reported instead. An error is reported for a function name
8047 that does not have an underscore if any abstract types are
8048 accessible where the function is defined.</p>
8049 <p class="TextFontCX"><span class="Flag"><span style=
8050 'font-size:10.0pt'>czech-vars</span></span></p>
8051 <p class="TextFontCX"><span class="Flag"><span style=
8052 'font-size:10.0pt'>czech-constants</span></span></p>
8053 <p class="TextFontCX"><span class="Flag"><span style=
8054 'font-size:10.0pt'>czech-macros</span></span></p>
8055 <p class="IndentText">Variables, constants and expanded macros.
8056 An error is reported if the identifier name starts with
8057 <span class="CodeText"><i><span style=
8058 'font-size:10.0pt'><prefix></span></i></span><span class="CodeText">
8059 <span style='font-size:10.0pt'>_</span></span>and
8060 <span class="CodeText"><i><span style=
8061 'font-size:10.0pt'>prefix</span></i></span> is not the name
8062 of an accessible abstract type, or if an abstract type is
8063 accessible and the identifier name does not begin with
8064 <span class="CodeText"><i><span style=
8065 'font-size:10.0pt'><type></span></i></span><span class=
8066 "CodeText"><span style='font-size:10.0pt'>_</span></span>
8067 where <span class="CodeText"><i><span style=
8068 'font-size:10.0pt'>type</span></i></span> is the name of an
8069 accessible abstract type. If <span class=
8071 'font-size:10.0pt'>access-czech</span></span> is on, the
8072 representation of the type is visible in the constant or
8073 variable definition.</p>
8074 <p class="TextFontCX"><span class="Flag"><span style=
8075 'font-size:10.0pt'>czech-types</span></span></p>
8076 <p class="TextFontCX" style='margin-left:13.5pt'>User-defined
8077 types. An error is reported if a type name includes an
8078 underscore character.</p>
8079 <p class="Sidebar" align="right">Of course, this is a complete
8080 jumble to the uninitiated, and that’s the joke.</p>
8081 <p class="Sidebar" align="right" style='text-align:right'>
8082 <i>Charles Simonyi, on the Hungarian naming convention</i></p>
8083 <h3 style='margin-left:0in;text-indent:0in'><a name=
8084 "_Toc534975017"></a><a name=
8085 "_Ref344878566">12.1.2<span style='font:7.0pt "Times New Roman"'> </span>
8086 Slovak Names</a></h3>
8087 <p class="TextFontCX">Slovak names are similar to Czech names,
8088 except they are spelled differently. A Slovak name is of the
8089 form <span class="CodeText"><i><span style=
8090 'font-size:10.0pt'><type><Name></span></i></span>.
8091 The type prefix may not use uppercase characters. The
8092 remainder of the name starts with the first uppercase
8094 <p class="TextFontCX"> </p>
8095 <p class="TextFontCX">The <span class="Flag"><span style=
8096 'font-size:10.0pt'>slovak</span></span> flag selects the
8097 Slovak naming convention. Like Czech names, it may be used
8098 with <span class="Flag"><span style=
8099 'font-size:10.0pt'>access-slovak</span></span> to control
8100 access to abstract representations. The <span class=
8101 "Flag"><span style='font-size:10.0pt'>slovak-fcns</span></span>,
8102 <span class="Flag"><span style=
8103 'font-size:10.0pt'>slovak-vars</span></span>, <span class=
8105 'font-size:10.0pt'>slovak-constants</span></span>, and
8106 <span class="Flag"><span style=
8107 'font-size:10.0pt'>slovak-macros</span></span> flags are
8108 analogous to the similar Czech flags. If <span class=
8110 'font-size:10.0pt'>slovak-type</span></span> is on, an error
8111 is reported if a type name includes an uppercase letter.</p>
8112 <h3 style='margin-left:0in;text-indent:0in'><a name=
8113 "_Toc534975018"></a><a name=
8114 "_Ref347994743">12.1.3<span style='font:7.0pt "Times New Roman"'> </span>
8115 Czechoslovak Names</a></h3>
8116 <p class="TextFontCX">Czechoslovak names are a combination of Czech
8117 names and Slovak names. Operations may be named either
8118 <span class="CodeText"><i><span style=
8119 'font-size:10.0pt'><type></span></i></span><span class=
8120 "CodeText"><span style='font-size:10.0pt'>_</span></span> followed
8121 by any sequence of non-underscore characters, or <span class=
8122 "CodeText"><i><span style=
8123 'font-size:10.0pt'><type></span></i></span> followed by an
8124 uppercase letter and any sequence of characters. Czechoslovak
8125 names have been out of favor since 1993, but may be necessary for
8126 checking legacy code. The <span class="Flag"><span style=
8127 'font-size:10.0pt'>czechoslovak-fcns</span></span>,
8128 <span class="Flag"><span style=
8129 'font-size:10.0pt'>czechoslovak-vars</span></span>,
8130 <span class="Flag"><span style=
8131 'font-size:10.0pt'>czechoslovak-macros</span></span>, and
8132 <span class="Flag"><span style=
8133 'font-size:10.0pt'>czechoslovak-constants</span></span>
8134 flags are analogous to the similar Czech flags. If
8135 <span class="Flag"><span style=
8136 'font-size:10.0pt'>czechoslovak-type</span></span> is
8137 on, an error is reported if a type name contains either an
8138 uppercase letter or an underscore character.</p>
8139 <h2 style='margin-left:0in;text-indent:0in'><a name=
8140 "_Toc534975019"></a><a name="_Ref347240687"></a><a name=
8141 "_Ref347222192">12.2<span style=
8142 'font:7.0pt "Times New Roman"'> </span>
8143 Namespace Prefixes</a></h2>
8144 <p class="TextFontCX">Another way to restrict names is to constrain
8145 the leading character sequences of various kinds of
8146 identifiers. For example, the names of all user-defined types
8147 might begin with <span class="CodeText"><span style=
8148 'font-size:10.0pt'>T</span></span> followed by an uppercase letter
8149 and all file static names begin with an uppercase letter.
8150 This may be useful for enforcing a namespace (e.g., all names
8151 exported by the X-windows library should begin with
8152 <span class="CodeText"><span style=
8153 'font-size:10.0pt'>X</span></span>) or just making programs
8154 easier to understand by establishing an enforced
8155 convention. Splint can be used to constrain identifiers
8156 in this way to detect identifiers inconsistent with
8158 <p class="TextFontCX"> </p>
8159 <p class="TextFontCX">All namespace flags are of the form,
8160 <span class="Flag"><span style=
8161 'font-size:10.0pt'>-<i><context></i>prefix
8162 <i><string></i></span></span>. For example, the macro
8163 variable namespace restricting identifiers declared in macro bodies
8164 to be preceded by <span class="CodeText"><span style=
8165 'font-size:10.0pt'>m_</span></span> would be selected by
8166 <span class="Flag"><span style=
8167 'font-size:10.0pt'>-macrovarprefix</span></span> <span class=
8168 "Flag"><span style='font-size:10.0pt'>"m_"</span></span>. The
8169 string may contain regular characters that may appear in a C
8170 identifier. These must match the initial characters of the
8171 identifier name. In addition, special characters (shown in
8172 Figure 23) can be used to denote a class of characters.<a href=
8173 "#_ftn18" name="_ftnref18" title=""><span class=
8174 "MsoFootnoteReference"><span class=
8175 "MsoFootnoteReference"><span style=
8176 'font-size:11.0pt;font-family:"Times New Roman"'>[18]</span></span></span></a>
8177 The <span class="CodeText"><span style=
8178 'font-size:10.0pt'>*</span></span> character may be used at the end
8179 of a prefix string to specify the rest of the identifier is zero or
8180 more characters matching the character immediately before the
8181 <span class="CodeText"><span style=
8182 'font-size:10.0pt'>*</span></span>. For example, the prefix
8183 string <span class="CodeText"><span style=
8184 'font-size:10.0pt'>T&*</span></span> matches <span class=
8185 "CodeText"><span style='font-size:10.0pt'>T</span></span> or
8186 <span class="CodeText"><span style=
8187 'font-size:10.0pt'>TWINDOW</span></span> but not <span class=
8188 "CodeText"><span style='font-size:10.0pt'>Twin</span></span>.</p>
8189 <p class="beforelist"> </p>
8190 <p class="beforelist">Different prefixes can be selected for the
8191 following identifier contexts:</p>
8192 <table class="MsoNormalTable" border="0" cellspacing="0"
8193 cellpadding="0" style='margin-left:.45in;border-collapse:collapse'>
8195 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8196 <p class="TextFontCX"><span class="Flag"><span style=
8197 'font-size:10.0pt'>macro-var-prefix</span></span></p></td>
8198 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8199 <p class="TextFontCX">Any variable declared inside a macro
8202 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8203 <p class="TextFontCX"><span class="Flag"><span style=
8204 'font-size:10.0pt'>unchecked-macro-prefix</span></span></p></td>
8205 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8206 <p class="TextFontCX">Any macro that is not checked as a function
8207 or constant (see Section 11.4)</p></td></tr>
8209 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8210 <p class="TextFontCX"><span class="Flag"><span style=
8211 'font-size:10.0pt'>tag-prefix</span></span></p></td>
8212 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8213 <p class="TextFontCX">Tags for <span class=
8214 "CodeText"><span style='font-size:10.0pt'>struct</span></span>,
8215 <span class="CodeText"><span style=
8216 'font-size:10.0pt'>union</span></span> and <span class=
8217 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
8218 declarations</p></td></tr>
8220 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8221 <p class="TextFontCX"><span class="Flag"><span style=
8222 'font-size:10.0pt'>enum-prefix</span></span></p></td>
8223 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8224 <p class="TextFontCX">Members of <span class=
8225 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
8228 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8229 <p class="TextFontCX"><span class="Flag"><span style=
8230 'font-size:10.0pt'>type-prefix</span></span></p></td>
8231 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8232 <p class="TextFontCX">Name of a user-defined type</p></td></tr>
8234 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8235 <p class="TextFontCX"><span class="Flag"><span style=
8236 'font-size:10.0pt'>file-static-prefix</span></span></p></td>
8237 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8238 <p class="TextFontCX">Any identifier with file static
8241 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8242 <p class="TextFontCX"><span class="Flag"><span style=
8243 'font-size:10.0pt'>glob-var-prefix</span></span></p></td>
8244 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8245 <p class="TextFontCX">Any variable (not of function type) with
8246 global scope</p></td></tr>
8248 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8249 <p class="TextFontCX"><span class="Flag"><span style=
8250 'font-size:10.0pt'>const-prefix</span></span></p></td>
8251 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8252 <p class="TextFontCX">Any constant (see Section 11.1)</p></td></tr>
8254 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8255 <p class="TextFontCX"><span class="Flag"><span style=
8256 'font-size:10.0pt'>iter-prefix</span></span></p></td>
8257 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8258 <p class="TextFontCX">An iterator (see Section 11.4)</p></td></tr>
8260 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8261 <p class="TextFontCX"><span class="Flag"><span style=
8262 'font-size:10.0pt'>proto-param-prefix</span></span></p></td>
8263 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8264 <p class="TextFontCX">A parameter in a function declaration
8265 prototype</p></td></tr>
8267 <td valign="top" style='width:2.0in;padding:0in 5.4pt 0in 5.4pt'>
8268 <p class="TextFontCX"><span class="Flag"><span style=
8269 'font-size:10.0pt'>external-prefix</span></span></p></td>
8270 <td valign="top" style='width:247.5pt;padding:0in 5.4pt 0in 5.4pt'>
8271 <p class="TextFontCX">Any exported identifier</p></td></tr></table>
8272 <p class="afterlist">If an identifier is in more than one of the
8273 namespace contexts, the most specific defined namespace prefix is
8274 used (e.g., a global variable is also an exported identifier,
8275 so if <span class="Flag"><span style=
8276 'font-size:10.0pt'>global-var-prefix</span></span> is set, it is
8277 checked against the variable name; if not, the identifier is
8278 checked against the <span class="Flag"><span style=
8279 'font-size:10.0pt'>external-prefix</span></span>.)</p>
8280 <p class="TextFontCX"> </p>
8281 <p class="TextFontCX">For each prefix flag, a corresponding flag
8282 named <span class="Flag"><i><span style=
8283 'font-size:10.0pt'><prefixname></span></i></span><span class="Flag">
8284 <span style='font-size:10.0pt'>exclude</span></span> controls
8285 whether errors are reported if identifiers in a different namespace
8286 match the namespace prefix. For example, if
8287 <span class="Flag"><span style=
8288 'font-size: 10.0pt'>macro-var-prefix-exclude</span></span> is
8289 on, Splint checks that no identifier that is not a variable
8290 declared inside a macro body uses the macro variable
8292 <p class="TextFontCX"> </p>
8293 <p class="beforelist">Here is a (somewhat draconian) sample naming
8295 <table class="MsoNormalTable" border="0" cellspacing="0"
8296 cellpadding="0" style='margin-left:5.4pt;border-collapse:collapse'>
8298 <td valign="top" style=
8299 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8300 <p class="TextFontCX"><span class="Flag"><span style=
8301 'font-size:10.0pt'>-unchecked-macro-prefix</span></span>
8302 <span class="Flag"><span style=
8303 'font-size:10.0pt'>"~*"</span></span></p></td>
8304 <td valign="top" style=
8305 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8306 <p class="TextFontCX">Unchecked macros have no lowercase
8307 letters.</p></td></tr>
8309 <td valign="top" style=
8310 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8311 <p class="TextFontCX"><span class="Flag"><span style=
8312 'font-size:10.0pt'>-type-prefix</span></span> <span class=
8314 'font-size:10.0pt'>"T^&*"</span></span></p></td>
8315 <td valign="top" style=
8316 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8317 <p class="TextFontCX">All type names begin with <span class=
8318 "CodeText"><span style='font-size:10.0pt'>T</span></span> followed
8319 by an uppercase letter. The rest of the name is all lowercase
8320 letters.</p></td></tr>
8322 <td valign="top" style=
8323 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8324 <p class="TextFontCX"><span class="Flag"><span style=
8325 'font-size:10.0pt'>+type-prefix-exclude</span></span></p></td>
8326 <td valign="top" style=
8327 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8328 <p class="TextFontCX">No identifier that does not name a
8329 user-defined type name begins with the type name
8330 prefix.</p></td></tr>
8332 <td valign="top" style=
8333 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8334 <p class="TextFontCX"><span class="Flag"><span style=
8335 'font-size:10.0pt'>-file-static-prefix</span></span>
8336 <span class="Flag"><span style=
8337 'font-size:10.0pt'>"^&&&"</span></span></p></td>
8338 <td valign="top" style=
8339 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8340 <p class="TextFontCX">File static scope variables begin with an
8341 uppercase letter and three lowercase letters.</p></td></tr>
8343 <td valign="top" style=
8344 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8345 <p class="TextFontCX"><span class="Flag"><span style=
8346 'font-size:10.0pt'>-proto-param-prefix "p_"</span></span></p></td>
8347 <td valign="top" style=
8348 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8349 <p class="TextFontCX">All parameters in prototypes must begin with
8350 <span class="CodeText"><span style=
8351 'font-size:10.0pt'>p_</span></span>.</p></td></tr>
8353 <td valign="top" style=
8354 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8355 <p class="TextFontCX"><span class="Flag"><span style=
8356 'font-size:10.0pt'>-glob-var-prefix "G"</span></span></p></td>
8357 <td valign="top" style=
8358 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8359 <p class="TextFontCX">All global variables start with
8360 <span class="CodeText"><span style=
8361 'font-size:10.0pt'>G</span></span>.</p></td></tr>
8363 <td valign="top" style=
8364 'width:189.35pt;padding:0in 5.4pt 0in 5.4pt'>
8365 <p class="TextFontCX"><span class="Flag"><span style=
8366 'font-size:10.0pt'>+glob-var-prefix-exclude</span></span></p></td>
8367 <td valign="top" style=
8368 'width:238.15pt;padding:0in 5.4pt 0in 5.4pt'>
8369 <p class="TextFontCX">No identifier that is not a
8370 global variable starts with <span class=
8371 "CodeText"><span style='font-size:10.0pt'>G</span></span>.</p></td></tr></table>
8372 <p class="beforelist"> </p>
8373 <p class="beforelist">The prefix for parameters in function
8374 prototypes is useful for making sure parameter names are not in
8375 conflict with macros defined before the function prototype.
8376 In most cases, it may be preferable to not name prototype
8377 parameters. If the <span class="Flag"><span style=
8378 'font-size:10.0pt'>proto-param-name</span></span> flag is set,
8379 an error is reported for any named parameter in a prototype
8380 declaration. If a <span class="Flag"><span style=
8381 'font-size:10.0pt'>proto-param-prefix</span></span> is set, no
8382 error is reported for unnamed parameters.</p>
8383 <p class="TextFontCX">It may also be useful to check the names of
8384 prototype parameters correspond to the names in definitions.
8385 While using header files as documentation is not generally
8386 recommended, it is common enough practice that it makes sense to
8387 check that parameter names are consistent. A discrepancy may
8388 indicate an error in the parameter order in the function
8389 prototype. If <span class="Flag"><span style=
8390 'font-size:10.0pt'>proto-param-match</span></span> is set,
8391 Splint will report an error if the name of a definition parameter
8392 does not match the corresponding prototype parameter (after
8393 removing the <span class="Flag"><span style=
8394 'font-size:10.0pt'>protoparamprefix</span></span>).</p>
8396 <table class="MsoNormalTable" border="0" cellspacing="0"
8397 cellpadding="0" style=
8398 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
8400 <td valign="top" style=
8401 'width:22.0pt;border-top:solid black 1.5pt; border-left:solid black 1.5pt;border-bottom:none;border-right:none; padding:0in 5.4pt 0in 5.4pt'>
8402 <p class="TextFontCX"><span class="CodeText"><span style=
8403 'font-size:10.0pt'>^</span></span></p></td>
8404 <td valign="top" style=
8405 'width:401.55pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8406 <p class="TextFontCX">Any uppercase letter, <span class=
8407 "CodeText"><span style=
8408 'font-size:10.0pt'>A</span></span>-<span class=
8409 "CodeText"><span style=
8410 'font-size:10.0pt'>Z</span></span></p></td></tr>
8412 <td valign="top" style=
8413 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8414 <p class="TextFontCX"><span class="CodeText"><span style=
8415 'font-size:10.0pt'>&</span></span></p></td>
8416 <td valign="top" style=
8417 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8418 <p class="TextFontCX">Any lowercase letter, <span class=
8419 "CodeText"><span style=
8420 'font-size:10.0pt'>a</span></span>-<span class=
8421 "CodeText"><span style=
8422 'font-size:10.0pt'>z</span></span></p></td></tr>
8424 <td valign="top" style=
8425 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8426 <p class="TextFontCX"><span class="CodeText"><span style=
8427 'font-size:10.0pt'>%</span></span></p></td>
8428 <td valign="top" style=
8429 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8430 <p class="TextFontCX">Any character that is not an uppercase letter
8431 (allows lowercase letters, digits and underscore)</p></td></tr>
8433 <td valign="top" style=
8434 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8435 <p class="TextFontCX"><span class="CodeText"><span style=
8436 'font-size:10.0pt'>~</span></span></p></td>
8437 <td valign="top" style=
8438 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8439 <p class="TextFontCX">Any character that is not a lowercase letter
8440 (allows uppercase letters, digits and underscore)</p></td></tr>
8442 <td valign="top" style=
8443 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8444 <p class="TextFontCX"><span class="CodeText"><span style=
8445 'font-size:10.0pt'>$</span></span></p></td>
8446 <td valign="top" style=
8447 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8448 <p class="TextFontCX">Any letter (<span class=
8449 "CodeText"><span style=
8450 'font-size:10.0pt'>a</span></span>-<span class=
8451 "CodeText"><span style='font-size:10.0pt'>z</span></span>,
8452 <span class="CodeText"><span style=
8453 'font-size:10.0pt'>A</span></span>-<span class=
8454 "CodeText"><span style=
8455 'font-size:10.0pt'>Z</span></span>)</p></td></tr>
8457 <td valign="top" style=
8458 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8459 <p class="TextFontCX"><span class="CodeText"><span style=
8460 'font-size:10.0pt'>/</span></span></p></td>
8461 <td valign="top" style=
8462 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8463 <p class="TextFontCX">Any letter or digit (<span class=
8464 "CodeText"><span style=
8465 'font-size:10.0pt'>A</span></span>-<span class=
8466 "CodeText"><span style='font-size:10.0pt'>Z</span></span>,
8467 <span class="CodeText"><span style=
8468 'font-size:10.0pt'>a</span></span>-<span class=
8469 "CodeText"><span style='font-size:10.0pt'>z</span></span>,
8470 <span class="CodeText"><span style=
8471 'font-size:10.0pt'>0</span></span>-<span class=
8472 "CodeText"><span style=
8473 'font-size:10.0pt'>9</span></span>)</p></td></tr>
8475 <td valign="top" style=
8476 'width:22.0pt;border:none;border-left:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8477 <p class="TextFontCX"><span class="CodeText"><span style=
8478 'font-size:10.0pt'>?</span></span></p></td>
8479 <td valign="top" style=
8480 'width:401.55pt;border:none;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8481 <p class="TextFontCX">Any character valid in a C
8482 identifier</p></td></tr>
8484 <td valign="top" style=
8485 'width:22.0pt;border-top:none;border-left:solid black 1.5pt; border-bottom:solid black 1.5pt;border-right:none;padding:0in 5.4pt 0in 5.4pt'>
8486 <p class="TextFontCX"><span class="CodeText"><span style=
8487 'font-size:10.0pt'>#</span></span></p></td>
8488 <td valign="top" style=
8489 'width:401.55pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8490 <p class="TextFontCX" style='page-break-after: avoid'>Any digit,
8491 <span class="CodeText"><span style=
8492 'font-size:10.0pt'>0</span></span>-<span class=
8493 "CodeText"><span style=
8494 'font-size:10.0pt'>9</span></span></p></td></tr></table>
8495 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
8497 <td valign="top" style=
8498 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
8499 <p class="MsoCaption"><a name="_Toc534824625"></a><a name=
8500 "_Ref347220245"></a><a name="_Ref347220226"></a><a name=
8501 "_Toc347255399"></a><a name="_Ref347222037"></a><a name=
8502 "_Ref347222045"></a><a name="_Ref534824531">Figure 23</a>.
8503 Prefix Character Codes</p></td></tr></table></center>
8504 <h2 style='margin-left:0in;text-indent:0in'><a name=
8505 "_Toc534975020"></a><a name="_Ref348079479"></a><a name=
8506 "_Ref347240790"></a><a name="_Toc344355427">12.3<span style=
8507 'font:7.0pt "Times New Roman"'> </span>
8508 Naming Restrictions</a></h2>
8509 <p class="TextFontCX">Additional naming restrictions can be used to
8510 check that names do no conflict with names reserved for the
8511 standard library, and that identifier are sufficiently distinct
8512 (either for the compiler and linker, or for the programmer.)
8513 Restrictions may be different for names that are needed by the
8514 linker (<i>external</i> names) and names that are only needed
8515 during compilations (<i>internal</i> names). Names of
8516 non-<span class="CodeText"><span style=
8517 'font-size:10.0pt'>static</span></span> functions and global
8518 variables are external; all other names are internal.</p>
8519 <p class="Sidebar" align="right"><a name=
8520 "_Ref350062822"></a><a name="_Ref348845288"></a><a name=
8521 "_Toc344355429"></a><a name="_Ref343248602"> </a></p>
8522 <p class="Sidebar" align="right">The decision to retain the old
8523 six-character case-insensitive restriction on significance was most
8525 <p class="Sidebar" align="right" style='text-align:right'><i>ANSI C
8527 <h3 style='margin-left:0in;text-indent:0in'><a name=
8528 "_Toc534975021">12.3.1<span style=
8529 'font:7.0pt "Times New Roman"'> </span> Reserved
8531 <p class="TextFontCX">Many names are reserved for the
8532 implementation and standard library. A complete list of
8533 reserved names can be found in [vdL, p. 126-128]. Some name
8534 prefixes such as <span class="CodeText"><span style=
8535 'font-size:10.0pt'>str</span></span> followed by a lowercase
8536 character are reserved for future library extensions. Most C
8537 compilers do not detect naming conflicts, and they can lead to
8538 unpredictable program behavior. If <span class=
8539 "Flag"><span style='font-size:10.0pt'>ansi-reserved</span></span>
8540 is on, Splint warns about external names that conflict with
8541 reserved names. If <span class="Flag"><span style=
8542 'font-size:10.0pt'>ansi-reserved-internal</span></span> is on,
8543 warnings are also produced for internal names.</p>
8544 <p class="TextFontCX"> </p>
8545 <p class="TextFontCX">If <span class="Flag"><span style=
8546 'font-size:10.0pt'>+cpp-names</span></span> is set, Splint warns
8547 about identifier names that are keywords or reserved words in
8548 C++. This is useful if the code may later be compiled with a
8549 C++ compiler (of course, this is not enough to ensure the meaning
8550 of the code is not changed when it is compiled as C++.)</p>
8551 <h3 style='margin-left:0in;text-indent:0in'><a name=
8552 "_Toc534975022">12.3.2<span style=
8553 'font:7.0pt "Times New Roman"'> </span> Distinct
8555 <p class="TextFontCX">Splint can check that names differ within a
8556 given number of characters, optionally ignoring alphabetic case and
8557 differences between characters that look similar. The number
8558 of significant characters may be different for external and
8559 internal names. </p>
8560 <p class="TextFontCX"> </p>
8561 <p class="TextFontCX">Using <span class="Flag"><span style=
8562 'font-size:10.0pt'>+distinct-external-names</span></span> sets
8563 the number of significant characters for external names to six and
8564 makes alphabetical case insignificant for external names.
8565 This is the minimum significance acceptable in an ANSI-conforming
8566 compiler. Most modern compilers exceed these minimums (which
8567 are particularly hard to follow if one uses the Czech or Slovak
8568 naming convention). The number of significant characters can
8569 be changed using the <span class="Flag"><span style=
8570 'font-size:10.0pt'>external-name-length
8571 <i><number></i></span></span> flag. If
8572 <span class="Flag"><span style=
8573 'font-size:10.0pt'>external-name-case-insensitive</span></span>
8574 is on, alphabetical case is ignored in comparing external
8575 names. Splint reports identifiers that differ only in
8576 alphabetic case.</p>
8577 <p class="TextFontCX">For internal identifiers, a conforming
8578 compiler must recognize at least 31 characters and treat
8579 alphabetical cases distinctly. Nevertheless, it may still be
8580 useful to check that internal names are more distinct then required
8581 by the compiler to minimize the likelihood that identifiers are
8582 confused in the program. Analogously to external names, the
8583 <span class="Flag"><span style=
8584 'font-size:10.0pt'>internal-name-length</span></span><span class="Flag">
8586 'font-size:10.0pt'> <i><number></i></span></span> flag
8587 sets the number of significant characters in an internal name and
8588 <span class="Flag"><span style=
8589 'font-size:10.0pt'>internal-name-case-insensitive</span></span>
8590 sets the case sensitivity. The <span class=
8591 "Flag"><span style='font-size:10.0pt'>internal-name-look-alike</span></span>
8592 flag further restricts distinctions between
8593 identifiers. When set, similar-looking characters match
8594 — the lowercase letter <span class=
8595 "CodeText"><span style='font-size:10.0pt'>l</span></span>
8596 matches the uppercase letter <span class=
8597 "CodeText"><span style='font-size:10.0pt'>I</span></span> and
8598 the number <span class="CodeText"><span style=
8599 'font-size:10.0pt'>1</span></span>; the letter <span class=
8600 "CodeText"><span style='font-size:10.0pt'>O</span></span> or
8601 <span class="CodeText"><span style=
8602 'font-size:10.0pt'>o</span></span> matches the number
8603 <span class="CodeText"><span style=
8604 'font-size:10.0pt'>0</span></span>; <span class=
8605 "CodeText"><span style='font-size:10.0pt'>5</span></span>
8606 matches <span class="CodeText"><span style=
8607 'font-size:10.0pt'>S</span></span>; and <span class=
8608 "CodeText"><span style='font-size:10.0pt'>2</span></span>
8609 matches <span class="CodeText"><span style=
8610 'font-size:10.0pt'>Z</span></span>. Identifiers that
8611 are not distinct except for look-alike characters will
8612 produce an error message. External names are also
8613 internal names, so they must satisfy both the external and
8614 internal distinct identifier checks. Figure 24 provides
8615 some examples of distinct name checking.</p>
8617 <table class="MsoNormalTable" border="0" cellspacing="0"
8618 cellpadding="0" style=
8619 'margin-left:9.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
8621 <td valign="top" style=
8622 'width:166.5pt;border:solid black 1.5pt; border-bottom:none;background:black;padding:0in 5.4pt 0in 5.4pt'>
8623 <p class="TextFontCX" align="center" style='text-align:center'>
8624 <span class="Keyword"><b><span style=
8625 'font-size:10.0pt; color:white'>names.c</span></b></span></p></td>
8626 <td valign="top" style=
8627 'width:256.5pt;border-top:solid black 1.5pt; border-left:none;border-bottom:none;border-right:solid black 1.5pt; background:black;padding:0in 5.4pt 0in 5.4pt'>
8628 <p class="TextFontCX" align="center" style='text-align:center'>
8629 <b><span style='color:white'>Running
8630 Splint</span></b></p></td></tr>
8632 <td valign="top" style=
8633 'width:166.5pt;border:solid black 1.5pt; border-top:none;padding:0in 5.4pt 0in 5.4pt'>
8634 <p class="Verbatim"><span class="Line"><span style=
8635 'font-size:8.0pt'> </span></span>char *stringrev (char
8637 <p class="Verbatim"> </p>
8638 <p class="Verbatim"><span class="Line"><span style=
8639 'font-size:8.0pt'>3</span></span> int f (int x)</p>
8640 <p class="Verbatim"><span class="Line"><span style=
8641 'font-size:8.0pt'> </span></span> {</p>
8642 <p class="Verbatim"><span class="Line"><span style=
8643 'font-size:8.0pt'>5</span></span> int lookalike = 1;</p>
8644 <p class="Verbatim"><span class="Line"><span style=
8645 'font-size:8.0pt'>6</span></span> int looka1ike = 2;</p>
8646 <p class="Verbatim"> </p>
8647 <p class="Verbatim"> if (x > 3)</p>
8648 <p class="Verbatim"> {</p>
8649 <p class="Verbatim"><span class="Line"><span style=
8650 'font-size:8.0pt'>10</span></span> int x =
8652 <p class="Verbatim"> x +=
8654 <p class="Verbatim"> }</p>
8655 <p class="Verbatim"> </p>
8656 <p class="Verbatim"> return x;</p>
8657 <p class="Verbatim">}
8658 </p></td>
8659 <td valign="top" style=
8660 'width:256.5pt;border-top:none;border-left: none;border-bottom:solid black 1.5pt;border-right:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
8661 <p class="lclintrun">> splint names.c
8662 +distinctinternalnames </p>
8663 <p class="lclintrun">
8664
8665 +internalnamelookalike +isoreserved</p>
8666 <p class="lclintrun"> </p>
8667 <p class="lclintrun">names.c:1: Name stringreverse is reserved for
8669 <p class="lclintrun"> library extensions.
8670 Functions that begin with</p>
8671 <p class="lclintrun"> "str" and a lowercase
8672 letter may be added to</p>
8673 <p class="lclintrun"> <stdlib.h> or
8674 <string.h>. (ISO99:7.26.9)</p>
8675 <p class="lclintrun">names.c:6: Internal identifier looka1ike is
8677 <p class="lclintrun"> distinguishable from
8678 lookalike except by lookalike</p>
8679 <p class="lclintrun"> characters</p>
8680 <p class="lclintrun"> names.c:5: Declaration of
8682 <p class="lclintrun">names.c:10: Variable x shadows outer
8684 <p class="lclintrun" style='page-break-after:avoid'>
8685 names.c:3: Previous declaration of x: int</p></td></tr></table>
8686 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
8688 <td valign="top" style=
8689 'padding-top:5.05pt;padding-right: 9.35pt;padding-bottom:5.05pt;padding-left:9.35pt'>
8690 <p class="MsoCaption"><a name="_Ref343085825"></a><a name=
8691 "_Ref343085797"></a><a name="_Ref343065542"></a><a name=
8692 "_Ref349992283"></a><a name="_Ref534642902"></a><a name=
8693 "_Ref534642319"></a><a name="_Toc534824626"></a><a name=
8694 "_Ref534823650">Figure 24</a>. Distinct
8695 Names</p></td></tr></table></center>
8696 <h1 style='margin-left:0in;text-indent:0in'><a name=
8697 "_Ref534981356"></a><a name="_Ref534978939"></a><a name=
8698 "_Toc534975023">13<span style=
8699 'font:7.0pt "Times New Roman"'> </span>
8700 <a id="completeness" name="completeness">
8701 Completeness</a></a></h1>
8702 <p class="TextFontCX">Splint can report warnings for unused
8703 declarations and exported declarations that are not used
8705 <h2 style='margin-left:0in;text-indent:0in'><a name=
8706 "_Toc534975024"></a><a name="_Ref534744216">13.1<span style=
8707 'font:7.0pt "Times New Roman"'> </span>
8708 Unused Declarations</a></h2>
8709 <p class="TextFontCX">Splint detects constants, functions,
8710 parameters, variables, types, enumerator members, and structure or
8711 union fields that are declared but never used. The flags
8712 <span class="Flag"><span style=
8713 'font-size:10.0pt'>constuse</span></span>, <span class=
8714 "Flag"><span style='font-size:10.0pt'>fcnuse</span></span>,
8715 <span class="Flag"><span style=
8716 'font-size:10.0pt'>paramuse</span></span>, <span class=
8717 "Flag"><span style='font-size:10.0pt'>varuse</span></span>,
8718 <span class="Flag"><span style=
8719 'font-size:10.0pt'>typeuse</span></span>, <span class=
8720 "Flag"><span style='font-size:10.0pt'>enummemuse</span></span> and
8721 <span class="Flag"><span style=
8722 'font-size:10.0pt'>fielduse</span></span> control whether unused
8723 declaration errors are reported for each kind of declaration.
8724 Errors for exported declarations are reported only if
8725 <span class="Flag"><span style=
8726 'font-size:10.0pt'>topuse</span></span> is on (see Section
8728 <p class="TextFontCX"><a name="_Ref349900444"></a><a name=
8729 "_Ref349850608"></a><a name="_Ref349850429"> </a></p>
8730 <p class="TextFontCX">The <span class="Annot"><span style=
8731 'font-size:10.0pt'>/*@unused@*/</span></span> annotation can
8732 be used before a declaration to indicate that the item declared
8733 need not be used. Unused declaration errors are not reported
8734 for identifiers declared with <span class=
8735 "Annot"><span style='font-size:10.0pt'>unused</span></span><a name="_Toc344355432">
8736 </a><a name="_Ref343110935">.</a></p>
8737 <h2 style='margin-left:0in;text-indent:0in'><a name=
8738 "_Toc534975025"></a><a name="_Toc344355433"></a><a name=
8739 "_Ref343110504">13.2<span style=
8740 'font:7.0pt "Times New Roman"'> </span>
8741 Complete</a> Programs</h2>
8742 <p class="TextFontCX">Splint can be used on both complete and
8743 partial programs. When checking complete programs,
8744 additional checks can be done to ensure that every identifier
8745 declared by the program is defined and used, and that functions
8746 that do not need to be exported are declared <span class=
8747 "CodeText"><span style='font-size:10.0pt'>static</span></span>.</p>
8748 <p class="TextFontCX"> </p>
8749 <p class="TextFontCX">Splint checks that all declared variables and
8750 functions are defined (controlled by <span class=
8751 "Flag"><span style='font-size:10.0pt'>compdef</span></span><span class="Flag">
8752 <span style='font-size:10.0pt'>)</span></span>. Declarations
8753 of functions and variables that are defined in an external library,
8754 may be preceded by <span class="Annot"><span style=
8755 'font-size:10.0pt'>/*@external@*/</span></span> to suppress
8756 undefined declaration errors.</p>
8757 <p class="TextFontCX"> </p>
8758 <p class="TextFontCX">Splint reports external declarations that are
8759 unused (controlled by <span class="Flag"><span style=
8760 'font-size:10.0pt'>topuse</span></span>). Which declarations
8761 are reported also depends on the declaration use flags (Section
8762 13.1). The <span class="Flag"><span style=
8763 'font-size:10.0pt'>+partial</span></span> flag sets flags for
8764 checking a partial system. Top-level unused declarations,
8765 undefined declarations, and unnecessary external names are not
8766 reported if <span class="Flag"><span style=
8767 'font-size:10.0pt'>+partial</span></span> is set.</p>
8768 <h3 style='margin-left:0in;text-indent:0in'><a name=
8769 "_Toc534975026">13.2.1<span style=
8770 'font:7.0pt "Times New Roman"'> </span>
8771 Unnecessarily External Names</a></h3>
8772 <p class="TextFontCX">Splint can report variables and functions
8773 that are declared with global scope (i.e., without using
8774 <span class="CodeText"><span style=
8775 'font-size:10.0pt'>static</span></span>), that are not used outside
8776 the file in which they are defined. In a stand-alone system,
8777 these identifiers should usually be declared using
8778 <span class="CodeText"><span style=
8779 'font-size:10.0pt'>static</span></span> to limit their
8780 scope. If the <span class="Flag"><span style=
8781 'font-size:10.0pt'>export-static</span></span> flag is on,
8782 Splint will report declarations that could have file
8783 scope. It should only be used when all relevant source
8784 files are listed on the Splint command line; otherwise,
8785 variables and functions may be incorrectly identified as only
8786 used in the file scope since Splint did not process the other
8787 file in which they are used.</p>
8788 <h3 style='margin-left:0in;text-indent:0in'><a name=
8789 "_Toc534975027">13.2.2<span style=
8790 'font:7.0pt "Times New Roman"'> </span>
8791 Declarations Missing from Headers</a></h3>
8792 <p class="TextFontCX">A common practice in C programming styles, is
8793 that every function or variable exported by <span class=
8794 "Keyword"><i><span style=
8795 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8797 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
8798 is declared in <span class="Keyword"><i><span style=
8799 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8801 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
8802 If the <span class="Flag"><span style=
8803 'font-size:10.0pt'>export-header</span></span> flag is on, Splint
8804 will report exported declarations in <span class=
8805 "Keyword"><i><span style=
8806 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
8808 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
8809 that are not declared in <span class=
8810 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
8811 M</span></i></span><span class="Keyword"><span style=
8812 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.</p>
8813 <h1 style='margin-left:0in;text-indent:0in'><a name=
8814 "_Toc534975028"></a><a name="_Ref534642392"></a><a name=
8815 "_Ref349900301">14<span style=
8816 'font:7.0pt "Times New Roman"'> </span>
8817 <a id="libraries" name="libraries">
8818 Libraries</a> and Header File Inclusion</a></h1>
8819 <p class="TextFontCX">Libraries can be used to record interface
8820 information. A library containing information about the
8821 standard C Library is used to enable checking of library
8822 calls. Program libraries can be created to enable fast
8823 checking of single modules in a large program.</p>
8824 <h2 style='margin-left:0in;text-indent:0in'><a name=
8825 "_Toc534975029"></a><a name="_Ref534035506"></a><a name=
8826 "_Ref348801560"></a><a name="_Ref347465531"></a><a name=
8827 "_Ref344887939"></a><a name="_Toc344355445">14.1<span style=
8828 'font:7.0pt "Times New Roman"'> </span>
8829 Standard Librar</a>ies</h2>
8830 <p class="TextFontCX">In order to check calls to library functions,
8831 Splint uses an annotated standard library. This contains more
8832 information about function interfaces then is available in the
8833 system header files since it uses annotations. Further, it
8834 contains only those functions documented in the ISO C99
8835 standard. Many systems include extra functions in their
8836 system libraries; programs that use these functions cannot be
8837 compiled on other systems that do not provide them. Certain
8838 types defined by the library are treated as abstract types
8839 (e.g., a program should not rely on how the <span class=
8840 "CodeText"><span style='font-size:10.0pt'>FILE</span></span> type
8841 is implemented). When checking source code, Splint does
8842 include system headers corresponding to files in the library, but
8843 instead uses the library description of the standard library.</p>
8844 <p class="TextFontCX"> </p>
8845 <p class="TextFontCX">The Splint distribution includes several
8846 different standard libraries: the ANSI standard library, the POSIX
8847 standard library<a href="#_ftn19" name="_ftnref19" title=
8848 ""><span class="MsoFootnoteReference"><span class=
8849 "MsoFootnoteReference"><span style=
8850 'font-size:11.0pt;font-family:"Times New Roman"'>[19]</span></span></span></a>,
8851 and a UNIX library based on the Open Group’s Single Unix
8852 Specification. Each library comes in two versions: the
8853 standard version and the strict version.</p>
8854 <h3 style='margin-left:0in;text-indent:0in'><a name=
8855 "_Toc534975030">14.1.1<span style=
8856 'font:7.0pt "Times New Roman"'> </span> ISO
8857 Standard Library</a></h3>
8858 <p class="TextFontCX">The default behavior of Splint is to use the
8859 ISO standard library (loaded from <span class=
8860 "CodeText"><span style=
8861 'font-size:10.0pt'>standard.lcd</span></span>). This library
8862 is based on the standard library described in the ISO C99
8864 <h3 style='margin-left:0in;text-indent:0in'><a name=
8865 "_Toc534975031">14.1.2<span style=
8866 'font:7.0pt "Times New Roman"'> </span> POSIX
8868 <p class="TextFontCX">The POSIX library is selected by the
8869 <span class="Flag"><span style=
8870 'font-size:10.0pt'>+posixlib</span></span> flag. The
8871 POSIX library is based on the IEEE Std 1003.1-1990. </p>
8872 <h3 style='margin-left:0in;text-indent:0in'><a name=
8873 "_Toc534975032">14.1.3<span style=
8874 'font:7.0pt "Times New Roman"'> </span> UNIX
8876 <p class="afterlist">The UNIX library is selected by the
8877 <span class="Flag"><span style=
8878 'font-size:10.0pt'>+unixlib</span></span> flag. This library
8879 is based on the Open Group’s Single Unix Specification,
8880 Version 2. In the UNIX library, <span class=
8881 "CodeText"><span style='font-size:10.0pt'>free</span></span> is
8882 declared with a non-null parameter. ISO specifies that
8883 <span class="CodeText"><span style=
8884 'font-size:10.0pt'>free</span></span> should handle the argument
8885 <span class="CodeText"><span style=
8886 'font-size:10.0pt'>NULL</span></span>, but several UNIX platforms
8887 crash if <span class="CodeText"><span style=
8888 'font-size:10.0pt'>NULL</span></span> is passed to
8889 <span class="CodeText"><span style=
8890 'font-size:10.0pt'>free</span></span>.</p>
8891 <h3 style='margin-left:0in;text-indent:0in'><a name=
8892 "_Toc534975033">14.1.4<span style=
8893 'font:7.0pt "Times New Roman"'> </span> Strict
8895 <p class="TextFontCX">Stricter versions of the libraries are used
8896 is the <span class="Flag"><span style=
8897 'font-size:10.0pt'>-ansi-strict</span></span>, <span class=
8899 'font-size:10.0pt'>posix-strict-lib</span></span> or
8900 <span class="Flag"><span style=
8901 'font-size:10.0pt'>unix-strict-lib</span></span> flag is used.
8902 These libraries use a stricter interpretation of the library.
8903 They will detect more errors in some programs, but may to produce
8904 many spurious errors for typical code.</p>
8905 <p class="TextFontCX"> </p>
8906 <p class="beforelist">The differences between the standard
8907 libraries and the strict libraries are:</p>
8908 <p class="MsoListBullet"><span style=
8909 'font-family:Symbol'>·<span style=
8910 'font:7.0pt "Times New Roman"'> </span></span>
8911 The standard libraries declare the printing functions
8912 (<span class="CodeText"><span style=
8913 'font-size:10.0pt'>fprintf</span></span>, <span class=
8914 "CodeText"><span style=
8915 'font-size:10.0pt'>printf</span></span>, and <span class=
8916 "CodeText"><span style=
8917 'font-size:10.0pt'>sprintf</span></span>) that may return
8918 error codes to return <span class="CodeText"><span style=
8919 'font-size:10.0pt'>int</span></span> or <span class=
8920 "CodeText"><span style=
8921 'font-size:10.0pt'>void</span></span>. This prevents
8922 typical programs from leading to deluge of ignored return
8923 value errors, but may mean some relevant errors are not
8924 detected. In the strict library, they are declared to
8925 return <span class="CodeText"><span style=
8926 'font-size:10.0pt'>int</span></span>, so ignored return value
8927 errors will be reported (depending on other flag
8928 settings). Programs should check that this return value
8929 is non-negative.</p>
8930 <p class="MsoListBullet"><span style=
8931 'font-family:Symbol'>·<span style=
8932 'font:7.0pt "Times New Roman"'> </span></span>
8933 The standard libraries declare some parameters and return values to
8934 be alternate types (<span class="CodeText"><span style=
8935 'font-size:10.0pt'>int</span></span> or <span class=
8936 "CodeText"><span style='font-size:10.0pt'>bool</span></span>, or
8937 <span class="CodeText"><span style=
8938 'font-size:10.0pt'>int</span></span> or <span class=
8939 "CodeText"><span style=
8940 'font-size:10.0pt'>char</span></span>). The ISO C99 standard
8941 specifies these types as <span class="CodeText"><span style=
8942 'font-size: 10.0pt'>int</span></span> to be compatible with older
8943 versions of the library, but logically they make more sense as
8944 <span class="CodeText"><span style=
8945 'font-size:10.0pt'>bool</span></span> or <span class=
8946 "CodeText"><span style='font-size:10.0pt'>char</span></span>.
8947 In the strict library, the stronger type is used. The
8948 parameter to <span class="CodeText"><span style=
8949 'font-size:10.0pt'>assert</span></span> is <span class=
8950 "CodeText"><span style='font-size:10.0pt'>int</span></span> or
8951 <span class="CodeText"><span style=
8952 'font-size:10.0pt'>bool</span></span> in the standard library, and
8953 <span class="CodeText"><span style=
8954 'font-size:10.0pt'>bool</span></span> in the strict library.
8955 The parameter to the character functions <span class=
8956 "CodeText"><span style='font-size:10.0pt'>isalnum</span></span>,
8957 <span class="CodeText"><span style=
8958 'font-size:10.0pt'>isalpha</span></span>, <span class=
8959 "CodeText"><span style='font-size:10.0pt'>iscntrl</span></span>,
8960 <span class="CodeText"><span style=
8961 'font-size:10.0pt'>isdigit</span></span>, <span class=
8962 "CodeText"><span style='font-size:10.0pt'>isgraph</span></span>,
8963 <span class="CodeText"><span style=
8964 'font-size:10.0pt'>islower</span></span>, <span class=
8965 "CodeText"><span style='font-size:10.0pt'>isprint</span></span>,
8966 <span class="CodeText"><span style=
8967 'font-size:10.0pt'>ispunct</span></span>, <span class=
8968 "CodeText"><span style='font-size:10.0pt'>isspace</span></span>,
8969 <span class="CodeText"><span style=
8970 'font-size:10.0pt'>isupper</span></span>, <span class=
8971 "CodeText"><span style='font-size:10.0pt'>isxdigit</span></span>,
8972 <span class="CodeText"><span style=
8973 'font-size:10.0pt'>tolower</span></span> and
8974 <span class="CodeText"><span style=
8975 'font-size:10.0pt'>toupper</span></span> is <span class=
8976 "CodeText"><span style='font-size:10.0pt'>char</span></span>
8977 or <span class="CodeText"><span style=
8978 'font-size:10.0pt'>unsigned char</span></span> or
8979 <span class="CodeText"><span style=
8980 'font-size:10.0pt'>int</span></span> in the standard library
8981 and <span class="CodeText"><span style=
8982 'font-size:10.0pt'>char</span></span> in the strict
8983 library. The type of the return value of the character
8984 classification functions (all of the previous character
8985 functions except <span class="CodeText"><span style=
8986 'font-size:10.0pt'>tolower</span></span> and <span class=
8987 "CodeText"><span style=
8988 'font-size:10.0pt'>toupper</span></span>) is <span class=
8989 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
8990 or <span class="CodeText"><span style=
8991 'font-size:10.0pt'>int</span></span> in the standard library
8992 and <span class="CodeText"><span style=
8993 'font-size:10.0pt'>bool</span></span> in the strict
8994 library. The type of the first parameter to
8995 <span class="CodeText"><span style=
8996 'font-size:10.0pt'>ungetc</span></span> is <span class=
8997 "CodeText"><span style='font-size:10.0pt'>char</span></span>
8998 or <span class="CodeText"><span style=
8999 'font-size:10.0pt'>int</span></span> in the standard library
9000 and <span class="CodeText"><span style=
9001 'font-size:10.0pt'>char</span></span> in the strict library
9002 (<span class="CodeText"><span style=
9003 'font-size:10.0pt'>EOF</span></span> should not be passed to
9004 <span class="CodeText"><span style=
9005 'font-size:10.0pt'>ungetc</span></span>). The second
9006 parameter to <span class="CodeText"><span style=
9007 'font-size:10.0pt'>strchr</span></span> and <span class=
9008 "CodeText"><span style=
9009 'font-size:10.0pt'>strrchr</span></span> is <span class=
9010 "CodeText"><span style='font-size:10.0pt'>char</span></span>
9011 or <span class="CodeText"><span style=
9012 'font-size:10.0pt'>int</span></span> in the standard library
9013 and <span class="CodeText"><span style=
9014 'font-size:10.0pt'>char</span></span> in the strict
9016 <p class="MsoListBullet"><span style=
9017 'font-family:Symbol'>·<span style=
9018 'font:7.0pt "Times New Roman"'> </span></span>
9019 The global variables <span class="CodeText"><span style=
9020 'font-size:10.0pt'>stdin</span></span>, <span class=
9021 "CodeText"><span style=
9022 'font-size:10.0pt'>stdout</span></span> and <span class=
9023 "CodeText"><span style=
9024 'font-size:10.0pt'>stderr</span></span> are declared as
9025 <span class="CodeText"><span style=
9026 'font-size:10.0pt'>unchecked</span></span> variables (see Section
9027 7.2) in the standard libraries. In the strict libraries, they
9028 are<span class="CodeText"><span style=
9029 'font-size:10.0pt'>checked</span></span>.</p>
9030 <p class="MsoListBullet"><span style=
9031 'font-family:Symbol'>·<span style=
9032 'font:7.0pt "Times New Roman"'> </span></span>
9033 The global variable <span class="CodeText"><span style=
9034 'font-size:10.0pt'>errno</span></span> is declared
9035 <span class="CodeText"><span style=
9036 'font-size:10.0pt'>unchecked</span></span> in the
9037 standard libraries, but declared <span class=
9038 "CodeText"><span style=
9039 'font-size:10.0pt'>checkedstrict</span></span> in the
9040 strict libraries.</p>
9041 <p class="TextFontCX"> </p>
9042 <p class="TextFontCX">If no library flag is used, Splint will load
9043 the standard library, <span class="Keyword"><span style=
9044 'font-size:10.0pt;font-family:Arial;color:windowtext'>standard.lcd</span></span>.
9045 If <span class="Flag"><span style=
9046 'font-size:10.0pt'>+nolib</span></span> is set, no library is
9047 loaded. The library source files can easily be modified, and
9048 new libraries created to better suit a particular application.</p>
9049 <h2 style='margin-left:0in;text-indent:0in'><a name=
9050 "_Toc534975034"></a><a name="_Toc344355447">14.2<span style=
9051 'font:7.0pt "Times New Roman"'> </span>
9052 Generating Libraries</a></h2>
9053 <p class="TextFontCX">To enable running Splint on large systems,
9054 mechanisms are provided for creating libraries containing necessary
9055 information. This means source files can be checked
9056 independently, after a library has been created. The command line
9057 option <span class="Flag"><span style=
9058 'font-size:10.0pt'>-dump</span></span> <span class=
9059 "Flag"><span style='font-size:10.0pt'><i>library</i></span></span>
9060 stores information in the file <span class=
9061 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
9062 library</span></i></span> (the default extension <span class=
9063 "Keyword"><span style=
9064 'font-size:10.0pt;font-family:Arial; color:windowtext'>.lcd</span></span>
9065 is added). Then, <span class="Flag"><span style=
9066 'font-size:10.0pt'>-load</span></span> <span class=
9067 "Flag"><span style='font-size:10.0pt'><i>library</i></span></span>
9068 loads the library. The library contains interface information
9069 from the files checked when the library was created.</p>
9070 <h3 style='margin-left:0in;text-indent:0in'><a name=
9071 "_Toc534975035">14.2.1<span style=
9072 'font:7.0pt "Times New Roman"'> </span> Generating
9073 the Standard Libraries</a></h3>
9074 <p class="TextFontCX">The standard libraries are generated from
9075 header files included in the Splint distribution. Some
9076 libraries are generated from more than one header file. Since
9077 the POSIX library subsumes the standard library, the headers for
9078 the standard and POSIX libraries are combined to produce the POSIX
9079 library. Similarly, the UNIX library is composed of the
9080 standard, POSIX and UNIX headers. The header files include
9081 some sections that are conditionally selected by defining
9082 <span class="CodeText"><span style=
9083 'font-size:10.0pt'>STRICT</span></span>. The commands to
9084 generate the standard libraries are:</p>
9085 <p class="example" style=
9086 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9087 splint -nolib ansi.h -dump ansi</p>
9088 <p class="example" style=
9089 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9090 splint -nolib -DSTRICT ansi.h -dump ansistrict</p>
9091 <p class="example" style=
9092 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9093 splint -nolib ansi.h posix.h -dump posix</p>
9094 <p class="example" style=
9095 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9096 splint -nolib -DSTRICT ansi.h posix.h -dump posixstrict</p>
9097 <p class="example" style=
9098 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9099 splint -nolib ansi.h posix.h unix.h -dump unix</p>
9100 <p class="example" style=
9101 'margin-top:0in;margin-right:.2in;margin-bottom:0in; margin-left:.2in;margin-bottom:.0001pt'>
9102 splint -nolib -DSTRICT ansi.h posix.h unix.h -dump unixstrict</p>
9103 <h2 style='margin-left:0in;text-indent:0in'><a name=
9104 "_Ref534979539"></a><a name="_Toc534975036"></a><a name=
9105 "_Ref348080056"></a><a name="_Toc344355448">14.3<span style=
9106 'font:7.0pt "Times New Roman"'> </span>
9107 Header File Inclusion</a></h2>
9108 <p class="TextFontCX">The standard behavior of Splint on
9110 <p class="example"><span class="Keyword"><span style=
9111 'font-size:10.0pt'>#include <<i>X</i>.h></span></span></p>
9112 <p class="TextFontCX">is to search for a file named
9113 <span class="Keyword"><i><span style=
9114 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9116 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9117 on the include search path (set using <span class=
9118 "Flag"><span style='font-size: 10.0pt'>–I</span></span>) and
9119 then the system base include path (read from the <span class=
9120 "CodeText"><span style='font-size:10.0pt'>include</span></span>
9121 environment variable if set or using a default value, usually
9122 <span class="Keyword"><span style=
9123 'font-size:10.0pt;font-family:Arial;color:windowtext'>/usr/include</span></span>).
9124 If <span class="Keyword"><i><span style=
9125 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9127 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9128 is the name of a header file in a loaded standard library and
9129 <span class="Keyword"><i><span style=
9130 'font-size:10.0pt;font-family:Arial;color:windowtext'>X</span></i></span><span class="Keyword">
9132 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9133 is found in a directory that is a system directory (as set by the
9134 <span class="Flag"><span style=
9135 'font-size:10.0pt'>-sysdirs</span></span> flag; the default is
9136 <span class="Keyword"><span style=
9137 'font-size:10.0pt;font-family:Arial;color:windowtext'>/usr/include</span></span>),
9138 <span class="Keyword"><i><span style=
9139 'font-size:10.0pt;font-family:Arial; color:windowtext'>X</span></i></span><span class="Keyword">
9141 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9142 will not be included if <span class="Flag"><span style=
9143 'font-size:10.0pt'>+skip-iso-headers</span></span> or
9144 <span class="Flag"><span style=
9145 'font-size:10.0pt'>+skip-posix-headers</span></span> (depending
9146 on whether <span class="Keyword"><i><span style=
9147 'font-size:10.0pt;font-family:Arial;color:windowtext'>X</span></i></span><span class="Keyword">
9149 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9150 is an ISO or POSIX header file) is on (both are on by
9151 default). To force all headers to be included normally, use
9152 <span class="Flag"><span style=
9153 'font-size: 10.0pt'>‑skip-iso-headers</span></span>. </p>
9154 <p class="TextFontCX"> </p>
9155 <p class="TextFontCX">Sometimes headers in system directories
9156 contain non-standard syntax that Splint is unable to parse.
9157 The <span class="Flag"><span style=
9158 'font-size:10.0pt'>+skip-sys-headers</span></span> flag may be
9159 used to prevent any include file in a system directory from being
9161 <p class="TextFontCX"> </p>
9162 <p class="TextFontCX">Splint is fast enough that it can be run on
9163 medium-size (10,000 line) programs without performance
9164 concerns. Libraries can be used to enable efficient checking
9165 of small modules in large programs. To further improve
9166 performance, header file inclusion can be optimized.</p>
9167 <p class="TextFontCX"> </p>
9168 <p class="TextFontCX">When processing a complete system in which
9169 many files include the same headers, a large fraction of processing
9170 time is wasted re-reading header files unnecessarily. If you
9171 are checking a 100-file program, and every file includes
9172 <span class="Flag"><span style=
9173 'font-size:10.0pt;font-family:Arial;color:windowtext'>utils.h</span></span>,
9174 Splint will have to process <span class=
9175 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
9176 utils.h</span></span> 100 times (as would most C compilers).
9177 If the <span class="Flag"><span style=
9178 'font-size:10.0pt'>+single-include</span></span> flag is used, each
9179 header file is processed only once. Single header file
9180 processing produces a significant efficiency improvement when
9181 checking large programs split into many files, but is only safe if
9182 the same header file included in different contexts always has the
9183 same meaning (i.e., it does not depend on preprocessor variable
9184 defined differently at different inclusion sites).</p>
9185 <p class="TextFontCX"> </p>
9186 <p class="TextFontCX">When processing a single file in a large
9187 system, a large fraction of the time is spent processing included
9188 header files. This can be avoided if the information in the
9189 header files is stored in a library instead. If
9190 <span class="Flag"><span style=
9191 'font-size:10.0pt'>+never-include</span></span> is set,
9192 inclusion of files ending in <span class="Flag"><span style=
9193 'font-size: 10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9194 is prevented. Files with different suffixes are
9195 included normally. To do this the header files must not
9196 include any expanded macros. That is, the header file must be
9197 processed with <span class="Flag"><span style=
9198 'font-size:10.0pt'>+all-macros</span></span>, and there must
9199 be no <span class="Annot"><span style=
9200 'font-size:10.0pt'>/*@notfunction@*/</span></span> control
9201 comments in the header. Then, the <span class=
9203 'font-size:10.0pt'>+never-include</span></span> flag may be
9204 used to prevent inclusion of header files. Alternately,
9205 non-function macros can be moved to a different file with a
9206 name that does not end in <span class="Keyword"><span style=
9207 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
9208 Remember, that this file must be included directly from the
9209 <span class="Keyword"><span style=
9210 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>
9211 file, since if it is included from an <span class=
9212 "Keyword"><span style=
9213 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
9214 file indirectly, that <span class="Keyword"><span style=
9215 'font-size:10.0pt; font-family:Arial;color:windowtext'>.h</span></span>
9216 file is ignored so the other file is never included.</p>
9217 <p class="TextFontCX"> </p>
9218 <p class="TextFontCX">These options can be used for significant
9219 performance improvements on large systems. The performance
9220 depends on how the code is structured, but checking a single module
9221 in a large program is several times faster if libraries and
9222 <span class="Flag"><span style=
9223 'font-size:10.0pt'>+noinclude</span></span> are used.</p>
9224 <h3 style='margin-left:0in;text-indent:0in'><a name=
9225 "_Toc534975037">14.3.1<span style=
9226 'font:7.0pt "Times New Roman"'> </span>
9227 Preprocessing Constants</a></h3>
9228 <p class="TextFontCX">Splint defines the preprocessor constant
9229 <span class="CodeText"><span style=
9230 'font-size:10.0pt'>S_SPLINT_S</span></span> when preprocessing
9231 source files. If you want to include code that is processed
9232 only when Splint is used, surround the code with</p>
9233 <p class="TextFontCX" align="left" style='text-align: left'>
9234 <span class="Keyword"><span style=
9235 'font-size:10.0pt'> </span></span></p>
9236 <p class="TextFontCX" align="left" style='text-align: left'>
9237 <span class="Keyword"><span style='font-size:10.0pt'># ifdef
9238 S_SPLINT_S</span></span></p>
9239 <p class="TextFontCX" align="left" style='text-align: left'>
9240 …</p>
9241 <p class="TextFontCX"><span class="Keyword"><span style=
9242 'font-size:10.0pt'># endif</span></span></p>
9243 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
9244 <a name="_Toc534975038"></a><a name="_Toc344355451"></a><a name=
9245 "_Ref343065611">Appendix A<span style=
9246 'font:7.0pt "Times New Roman"'> </span>
9247 <a id="availability" name="availability">
9248 Availability</a></a></p>
9249 <p class="afterlist">The web home page for Splint is
9250 <span class="Keyword"><span style=
9251 'font-size:10.0pt;font-family:Arial;color:windowtext'><a href=
9252 "http://www.splint.org/">http://www.splint.org</a></span></span>.
9253 It includes this guide in HTML format, samples demonstrating
9254 Splint, and links to related web sites. Splint is
9255 available as source code and binary executables for several
9256 platforms. Splint may be freely distributed and
9257 modified under the GNU General Public License. The
9258 latest development code is available through SourceForge.</p>
9259 <p class="TextFontCX"> </p>
9260 <p class="TextFontCX">Splint development is largely driven by
9261 suggestions and comments from users. We are also very
9262 interested in hearing about your experiences using Splint in
9263 developing or maintaining programs, enforcing coding standards, or
9264 teaching courses. For general information, suggestions, and
9265 questions on Splint send mail to <span class=
9266 "Keyword"><span style='font-size:10.0pt;font-family:Arial;color:windowtext'>
9267 splint@cs.virginia.edu</span></span>.</p>
9268 <p class="TextFontCX"> </p>
9269 <p class="TextFontCX">To report a bug in Splint send a message to
9270 <span class="Keyword"><span style=
9271 'font-size:10.0pt;font-family: Arial;color:windowtext'>splint-bug@cs.virginia.edu</span></span>.</p>
9272 <p class="TextFontCX"> </p>
9273 <p class="beforelist">There are two mailing lists associated with
9275 <p class="URL"><span class="Keyword"><span style=
9276 'font-family:Arial;color:windowtext'>splint-announce@virginia.edu</span></span></p>
9277 <p class="IndentText">Reserved for announcements of new releases
9278 and bug fixes. All users should add themselves to this
9280 <p class="URL"><span class="Keyword"><span style=
9281 'font-family:Arial;color:windowtext'>splint-interest@virginia.edu</span></span></p>
9282 <p class="IndentText">Informal discussions on the use and
9283 development of Splint. </p>
9284 <p class="TextFontCX"> </p>
9285 <p class="TextFontCX"><a name="_Ref344882161"></a><a name=
9286 "_Ref344871249"></a><a name="_Ref344870532"></a><a name=
9287 "_Ref344870294">To subscribe to a mailing list, send a message
9288 to</a> <span class="PlainText"><span style=
9289 'font-size:10.0pt;font-family:Arial'>majordomo@virginia.edu</span></span>
9290 containing the body</p>
9291 <p class="URL"><span class="Keyword"><span style=
9292 'font-family:Arial;color:windowtext'>subscribe
9293 splint-announce</span></span><span style=
9294 'font-size:11.0pt;font-family:"Times New Roman"'>or</span>
9295 <span class="Keyword"><span style=
9296 'font-family:Arial;color:windowtext'>subscribe
9297 splint-interest</span></span><a name=
9298 "_Ref348343340"></a><a name="_Ref348330382">.</a></p>
9299 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
9300 <a name="_Toc534975039"></a><a name="_Ref397875360">Appendix
9302 'font:7.0pt "Times New Roman"'> </span>
9303 <a id="flags" name="flags">
9305 </a><a name="_Toc344355437"></a></p>
9306 <p class="beforelist">There are four different types of flags:</p>
9307 <p class="MsoListBullet"><span style=
9308 'font-family:Symbol'>·<span style=
9309 'font:7.0pt "Times New Roman"'> </span></span>
9310 Global flags for controlling initializations and global
9312 <p class="MsoListBullet"><span style=
9313 'font-family:Symbol'>·<span style=
9314 'font:7.0pt "Times New Roman"'> </span></span>
9315 Message format flags for controlling how messages are displayed</p>
9316 <p class="MsoListBullet"><span style=
9317 'font-family:Symbol'>·<span style=
9318 'font:7.0pt "Times New Roman"'> </span></span>
9319 Mode selectors for coarse control of Splint checking</p>
9320 <p class="MsoListBullet"><span style=
9321 'font-family:Symbol'>·<span style=
9322 'font:7.0pt "Times New Roman"'> </span></span>
9323 Checking flags that control checking and what classes of messages
9325 <p class="afterlist">Global flags can be used in initialization
9326 files and at the command line; all other flags may also be used in
9327 control comments.</p>
9328 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9329 <a name="_Toc534975050">Key</a></p>
9330 <p class="beforelist">To the left of each flag name is a flag
9331 descriptor encoding what kind of flag it is and its default
9332 value. The descriptions are:</p>
9334 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9335 height="14" align="left">
9337 <td valign="top" align="left" height="14" style=
9338 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9339 <p class="TextFontCX" align="center" style=
9340 'text-align:center;background:#CCCCCC'><span style=
9341 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
9342 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
9343 <p class="TextFontCX">A <i>plain</i> flag. The value after
9344 the colon gives the default setting (e.g., this flag is
9346 <p class="TextFontCX"> </p>
9348 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9349 height="14" align="left">
9351 <td valign="top" align="left" height="14" style=
9352 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9353 <p class="TextFontCX" align="center" style=
9354 'text-align:center;background:#CCCCCC'><span style=
9355 'font-size:10.0pt'>m:</span><span class="Flag"><span style=
9356 'font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
9357 <p class="TextFontCX">A <i>mode checking flag</i>. The value
9358 of the flag is set by the mode selector. The four signs give
9359 the setting in the weak, standard, checks and strict modes. (e.g.,
9360 this flag is off in the weak and standard modes, and on in the
9361 checks and strict modes.)</p>
9362 <p class="TextFontCX"> </p>
9364 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9365 height="14" align="left">
9367 <td valign="top" align="left" height="14" style=
9368 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9369 <p class="TextFontCX" align="center" style=
9370 'text-align:center;background:#CCCCCC'><span style=
9371 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
9372 <p class="TextFontCX">A <i>shortcut</i> flag. This flag sets
9373 other flags, so it has no default value.</p>
9374 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
9375 <a name="_Toc534975061">Flag Name Abbreviations</a></p>
9376 <p class="beforelist">Within a flag name, abbreviations may be
9377 used. Figure 25 shows the flag name abbreviations. The
9378 expanded and short forms are interchangeable in flag names.</p>
9380 <table class="MsoNormalTable" border="0" cellspacing="0"
9381 cellpadding="0" style=
9382 'margin-left:99.9pt;border-collapse:collapse;margin-left:-2.25pt; margin-right:-2.25pt'>
9384 <td valign="top" style=
9385 'width:171.0pt;border:none;border-bottom:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
9386 <p class="TextFontCX" align="center" style='text-align:center'>
9387 Expanded Form</p></td>
9388 <td valign="top" style=
9389 'width:67.5pt;border:none;border-bottom:solid black 1.5pt; padding:0in 5.4pt 0in 5.4pt'>
9390 <p class="TextFontCX" align="center" style='text-align:center'>
9391 Short Form</p></td></tr>
9393 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9394 <p class="TextFontCX"><span class="Flag"><span style=
9395 'font-size:10.0pt'>constant</span></span></p></td>
9396 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9397 <p class="TextFontCX"><span class="Flag"><span style=
9398 'font-size:10.0pt'>const</span></span></p></td></tr>
9400 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9401 <p class="TextFontCX"><span class="Flag"><span style=
9402 'font-size:10.0pt'>declaration</span></span></p></td>
9403 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9404 <p class="TextFontCX"><span class="Flag"><span style=
9405 'font-size:10.0pt'>decl</span></span></p></td></tr>
9407 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9408 <p class="TextFontCX"><span class="Flag"><span style=
9409 'font-size:10.0pt'>function</span></span></p></td>
9410 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9411 <p class="TextFontCX"><span class="Flag"><span style=
9412 'font-size:10.0pt'>fcn</span></span></p></td></tr>
9414 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9415 <p class="TextFontCX"><span class="Flag"><span style=
9416 'font-size:10.0pt'>global</span></span></p></td>
9417 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9418 <p class="TextFontCX"><span class="Flag"><span style=
9419 'font-size:10.0pt'>glob</span></span></p></td></tr>
9421 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9422 <p class="TextFontCX"><span class="Flag"><span style=
9423 'font-size:10.0pt'>implicit</span></span><span class=
9425 'font-size:10.0pt;font-family:"Times New Roman"'>,</span></span>
9426 <span class="Flag"><span style=
9427 'font-size:10.0pt'>implied</span></span></p></td>
9428 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9429 <p class="TextFontCX"><span class="Flag"><span style=
9430 'font-size:10.0pt'>imp</span></span></p></td></tr>
9432 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9433 <p class="TextFontCX"><span class="Flag"><span style=
9434 'font-size:10.0pt'>iterator</span></span></p></td>
9435 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9436 <p class="TextFontCX"><span class="Flag"><span style=
9437 'font-size:10.0pt'>iter</span></span></p></td></tr>
9439 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9440 <p class="TextFontCX"><span class="Flag"><span style=
9441 'font-size:10.0pt'>length</span></span></p></td>
9442 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9443 <p class="TextFontCX"><span class="Flag"><span style=
9444 'font-size:10.0pt'>len</span></span></p></td></tr>
9446 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9447 <p class="TextFontCX"><span class="Flag"><span style=
9448 'font-size:10.0pt'>modifies</span></span></p></td>
9449 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9450 <p class="TextFontCX"><span class="Flag"><span style=
9451 'font-size:10.0pt'>mods</span></span></p></td></tr>
9453 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9454 <p class="TextFontCX"><span class="Flag"><span style=
9455 'font-size:10.0pt'>modify</span></span></p></td>
9456 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9457 <p class="TextFontCX"><span class="Flag"><span style=
9458 'font-size:10.0pt'>mod</span></span></p></td></tr>
9460 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9461 <p class="TextFontCX"><span class="Flag"><span style=
9462 'font-size:10.0pt'>memory</span></span></p></td>
9463 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9464 <p class="TextFontCX"><span class="Flag"><span style=
9465 'font-size:10.0pt'>mem</span></span></p></td></tr>
9467 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9468 <p class="TextFontCX"><span class="Flag"><span style=
9469 'font-size:10.0pt'>parameter</span></span></p></td>
9470 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9471 <p class="TextFontCX"><span class="Flag"><span style=
9472 'font-size:10.0pt'>param</span></span></p></td></tr>
9474 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9475 <p class="TextFontCX"><span class="Flag"><span style=
9476 'font-size:10.0pt'>pointer</span></span></p></td>
9477 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9478 <p class="TextFontCX" style='page-break-after: avoid'>
9479 <span class="Flag"><span style=
9480 'font-size:10.0pt'>ptr</span></span></p></td></tr>
9482 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9483 <p class="TextFontCX"><span class="Flag"><span style=
9484 'font-size:10.0pt'>return</span></span></p></td>
9485 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9486 <p class="TextFontCX"><span class="Flag"><span style=
9487 'font-size:10.0pt'>ret</span></span></p></td></tr>
9489 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9490 <p class="TextFontCX"><span class="Flag"><span style=
9491 'font-size:10.0pt'>variable</span></span></p></td>
9492 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9493 <p class="TextFontCX"><span class="Flag"><span style=
9494 'font-size:10.0pt'>var</span></span></p></td></tr>
9496 <td valign="top" style='width:171.0pt;padding:0in 5.4pt 0in 5.4pt'>
9497 <p class="TextFontCX"><span class="Flag"><span style=
9498 'font-size:10.0pt'>unconstrained, unconst</span></span></p></td>
9499 <td valign="top" style='width:67.5pt;padding:0in 5.4pt 0in 5.4pt'>
9500 <p class="TextFontCX" style='page-break-after: avoid'>
9501 <span class="Flag"><span style=
9502 'font-size:10.0pt'>uncon</span></span></p></td></tr></table>
9503 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0">
9505 <td valign="top" style=
9506 'padding-top:.1in;padding-right: 9.35pt;padding-bottom:.1in;padding-left:9.35pt'>
9507 <p class="MsoCaption"><a name="_Toc534824627"></a><a name=
9508 "_Ref534824456">Figure 25</a>. Flag Name
9509 Abbreviations</p></td></tr></table></center>
9510 <p class="beforelist">The expanded and short forms are
9511 interchangeable in flag names.</p>
9512 <p class="beforelist">For example, <span class=
9513 "Flag"><span style='font-size:10.0pt'>globsimpmodsnothing</span></span>
9514 and <span class="Flag"><span style=
9515 'font-size:10.0pt'>globalsimpliesmodifiesnothing</span></span>
9516 denote the same flag. Abbreviations in flag names allow
9517 pronounceable, descriptive names to be used without making
9518 flag names excessively long (although one must admit even
9519 <span class="Flag"><span style=
9520 'font-size:10.0pt'>globsimpmodsnothing</span></span> is a bit
9522 <p class="TextFontCX">To make flag names more readable, the space,
9523 dash (<span class="Flag"><span style=
9524 'font-size:10.0pt'>-</span></span>), and underscore
9525 (<span class="Flag"><span style=
9526 'font-size:10.0pt'>_</span></span>) characters may be used
9527 inside a flag name. Hence, <span class=
9529 'font-size:10.0pt'>globals-implies-modifies-nothing</span></span>,
9530 <span class="Flag"><span style=
9531 'font-size:10.0pt'>glob_imps_­mods­nothing</span></span>
9532 and <span class="Flag"><span style=
9533 'font-size:10.0pt'>globsimpmodsnothing</span></span> are
9535 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
9536 <a name="_Toc534975040">Global Flags</a></p>
9537 <p class="TextFontCX">Global flags can be set at the command line
9538 or in an options file, but cannot be set locally using stylized
9539 comments. These flags control on-line help, initialization
9540 files, pre-processor flags, libraries and output.</p>
9541 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9542 <a name="_Toc534975041">Help</a></p>
9543 <p class="beforelist">On-line help provides documentation on Splint
9544 operation and flags. When a help flag is used, no checking is
9545 done by Splint. Help flags may be preceded by
9546 <span class="Flag"><span style=
9547 'font-size:10.0pt'>-</span></span> or <span class=
9548 "Flag"><span style='font-size:10.0pt'>+</span></span>.</p>
9549 <p class="TextFontCX"><span class="Flag"><span style=
9550 'font-size:10.0pt'>help</span></span></p>
9551 <p class="IndentText">Display general help overview, including list
9552 of additional help topics.</p>
9553 <p class="TextFontCX"><span class="Flag"><span style=
9554 'font-size:10.0pt'>help</span></span> <span class=
9556 'font-size:10.0pt'><topic></span></span></p>
9557 <p class="indentbefore">Display help on <i><topic></i>.
9558 Available topics:</p>
9559 <table class="MsoNormalTable" border="0" cellspacing="0"
9560 cellpadding="0" style=
9561 'width:400.5pt;margin-left:27.9pt;border-collapse:collapse'>
9563 <td valign="top" style=
9564 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9565 <p class="TextFontCX" style='text-indent:5.4pt'><span class=
9567 'font-size:10.0pt'>annotations</span></span></p></td>
9568 <td valign="top" style=
9569 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9570 <p class="TextFontCX" align="left" style='text-align:left'>describe
9571 annotations</p></td></tr>
9573 <td valign="top" style=
9574 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9575 <p class="TextFontCX"><span class="Flag"><span style=
9576 'font-size:10.0pt'>comments</span></span></p></td>
9577 <td valign="top" style=
9578 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9579 <p class="TextFontCX" align="left" style='text-align:left'>describe
9580 control comments</p></td></tr>
9582 <td valign="top" style=
9583 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9584 <p class="TextFontCX"><span class="Flag"><span style=
9585 'font-size:10.0pt'>flags</span></span></p></td>
9586 <td valign="top" style=
9587 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9588 <p class="TextFontCX" align="left" style='text-align:left'>describe
9589 flag categories</p></td></tr>
9591 <td valign="top" style=
9592 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9593 <p class="TextFontCX"><span class="Flag"><span style=
9594 'font-size:10.0pt'>flags
9595 <i><category></i></span></span></p></td>
9596 <td valign="top" style=
9597 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9598 <p class="TextFontCX" align="left" style='text-align:left'>all
9599 flags pertaining to <category> (one of the categories listed
9600 by <span class="Flag"><span style='font-size:10.0pt'>splint -help
9601 flags</span></span>)</p></td></tr>
9603 <td valign="top" style=
9604 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9605 <p class="TextFontCX"><span class="Flag"><span style=
9606 'font-size:10.0pt'>flags alpha</span></span>
9607 </p></td>
9608 <td valign="top" style=
9609 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9610 <p class="TextFontCX" align="left" style='text-align:left'>all
9611 flags in alphabetical order</p></td></tr>
9613 <td valign="top" style=
9614 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9615 <p class="TextFontCX"><span class="Flag"><span style=
9616 'font-size:10.0pt'>flags full</span></span></p></td>
9617 <td valign="top" style=
9618 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9619 <p class="TextFontCX" align="left" style='text-align:left'>print a
9620 full description of all flags</p></td></tr>
9622 <td valign="top" style=
9623 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9624 <p class="TextFontCX"><span class="Flag"><span style=
9625 'font-size:10.0pt'>mail</span></span></p></td>
9626 <td valign="top" style=
9627 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9628 <p class="TextFontCX" align="left" style='text-align:left'>print
9629 information on mailing lists</p></td></tr>
9631 <td valign="top" style=
9632 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9633 <p class="TextFontCX"><span class="Flag"><span style=
9634 'font-size:10.0pt'>modes</span></span></p></td>
9635 <td valign="top" style=
9636 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9637 <p class="TextFontCX" align="left" style='text-align:left'>flags
9638 settings in modes</p></td></tr>
9640 <td valign="top" style=
9641 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9642 <p class="TextFontCX"><span class="Flag"><span style=
9643 'font-size:10.0pt'>prefixcodes</span></span></p></td>
9644 <td valign="top" style=
9645 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9646 <p class="TextFontCX" align="left" style='text-align:left'>
9647 character codes for setting namespace prefixes</p></td></tr>
9649 <td valign="top" style=
9650 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9651 <p class="TextFontCX"><span class="Flag"><span style=
9652 'font-size:10.0pt'>references</span></span></p></td>
9653 <td valign="top" style=
9654 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9655 <p class="TextFontCX" align="left" style='text-align:left'>print
9656 references to relevant papers and web sites</p></td></tr>
9658 <td valign="top" style=
9659 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9660 <p class="TextFontCX"><span class="Flag"><span style=
9661 'font-size:10.0pt'>vars</span></span></p></td>
9662 <td valign="top" style=
9663 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9664 <p class="TextFontCX" align="left" style='text-align:left'>describe
9665 environment variables</p></td></tr>
9667 <td valign="top" style=
9668 'width:144.65pt;padding:0in 5.4pt 0in 5.4pt'>
9669 <p class="TextFontCX"><span class="Flag"><span style=
9670 'font-size:10.0pt'>version</span></span></p></td>
9671 <td valign="top" style=
9672 'width:255.85pt;padding:0in 5.4pt 0in 5.4pt'>
9673 <p class="TextFontCX" align="left" style='text-align:left'>print
9674 maintainer and version information</p>
9675 <p class="TextFontCX" align="left" style='text-align:left'>
9676 </p></td></tr></table>
9677 <p class="afterlist"><span class="Flag"><span style=
9678 'font-size:10.0pt'>help</span></span> <span class=
9680 'font-size:10.0pt'><flag></span></span></p>
9681 <p class="IndentText">Describe flag <i><flag></i>. (May
9682 list several flags.)</p>
9683 <p class="TextFontCX"><span class="Flag"><span style=
9684 'font-size:10.0pt'>warn-flags</span></span></p>
9685 <p class="IndentText">Display a warning when a flag is set in a
9686 surprising way. An error is reported if an obsolete flag is
9687 set, a flag is set to its current value (i.e., the
9688 <span class="Flag"><span style=
9689 'font-size:10.0pt'>+</span></span> or <span class=
9690 "Flag"><span style='font-size:10.0pt'>-</span></span> may be
9691 wrong), or a mode selector flag is set after mode checking
9692 flags that will be reset by the mode were set. By
9693 default, <span class="Flag"><span style=
9694 'font-size:10.0pt'>+warn-flags</span></span> is on. To
9695 suppress flag warnings, use <span class="Flag"><span style=
9696 'font-size:10.0pt'>‑warn-flags</span></span>.</p>
9698 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9699 height="14" align="left">
9701 <td valign="top" align="left" height="14" style=
9702 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9703 <p class="TextFontCX" align="center" style=
9704 'text-align:center;background:#CCCCCC'><span style=
9705 'font-size:10.0pt'>P:</span> <span class=
9706 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9707 <p class="TextFontCX"><span class="Flag"><span style=
9708 'font-size:10.0pt'>warn-rc</span></span></p>
9709 <p class="IndentText">There was a problem reading an initialization
9712 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9713 height="14" align="left">
9715 <td valign="top" align="left" height="14" style=
9716 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9717 <p class="TextFontCX" align="center" style=
9718 'text-align:center;background:#CCCCCC'><span style=
9719 'font-size:10.0pt'>P:</span> <span class=
9720 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9721 <p class="TextFontCX"><span class="Flag"><span style=
9722 'font-size:10.0pt'>bad-flag</span></span></p>
9723 <p class="IndentText">A flag is not recognized or used in an
9726 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9727 height="14" align="left">
9729 <td valign="top" align="left" height="14" style=
9730 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9731 <p class="TextFontCX" align="center" style=
9732 'text-align:center;background:#CCCCCC'><span style=
9733 'font-size:10.0pt'>P:</span> <span class=
9734 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9735 <p class="TextFontCX"><span class="Flag"><span style=
9736 'font-size:10.0pt'>fileextensions</span></span></p>
9737 <p class="IndentText">Warn when command line file does not have a
9738 recognized extension.</p>
9739 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9740 <a name="_Toc534975042">Initialization</a></p>
9741 <p class="beforelist">These flags control directories and files
9742 used by Splint. They may be used from the command line or in
9743 an options file, but may not be used as control comments in the
9744 source code. Except where noted. they have the same meaning
9745 preceded by <span class="Flag"><span style=
9746 'font-size:10.0pt'>-</span></span> or <span class=
9747 "Flag"><span style='font-size:10.0pt'>+</span></span>. </p>
9748 <p class="TextFontCX"><span class="Flag"><span style=
9749 'font-size:10.0pt'>tmpdir</span></span> <span class=
9751 'font-size:10.0pt'><i><directory></i></span></span></p>
9752 <p class="IndentText">Set directory for writing temp files.
9753 Default is <span class="ProgramNameChar"><span style=
9754 'font-size:10.0pt'>/tmp/</span></span>.</p>
9755 <p class="TextFontCX"><span class="Flag"><span style=
9756 'font-size:10.0pt'>I<i><directory></i></span></span></p>
9757 <p class="IndentText">Add directory to path searched for C include
9758 files. Note there is no space after the <span class=
9759 "Flag"><span style='font-size:10.0pt'>I</span></span>, to be
9760 consistent with C preprocessor flags.</p>
9761 <p class="TextFontCX"><span class="Flag"><span style=
9762 'font-size:10.0pt'>S<i><directory></i></span></span></p>
9763 <p class="IndentText">Add directory to path search for
9764 <span class="ProgramNameChar"><span style=
9765 'font-size:10.0pt'>.lcl</span></span> specification
9767 <p class="IndentText"> </p>
9768 <p class="TextFontCX"><span class="Flag"><span style=
9769 'font-size:10.0pt'>larchpath</span></span> <span class=
9771 'font-size:10.0pt'><i><path></i></span></span></p>
9772 <p class="IndentText">Set path to search for library files.
9773 Overrides <span class="CodeText"><span style=
9774 'font-size:10.0pt'>LARCH_PATH</span></span> environment
9776 <p class="TextFontCX"><span class="Flag"><span style=
9777 'font-size:10.0pt'>lclimportdir</span></span> <span class=
9779 'font-size:10.0pt'><i><directory></i></span></span></p>
9780 <p class="IndentText">Set directory to search for LCL import
9781 files. Overrides<span class="CodeText"><span style=
9782 'font-size:10.0pt'>LCLIMPORTDIR</span></span> environment
9784 <p class="IndentText"> </p>
9785 <p class="TextFontCX"><span class="Flag"><span style=
9786 'font-size:10.0pt'>f</span></span> <span class=
9787 "Flag"><span style='font-size:10.0pt'><i><file></i></span></span></p>
9788 <p class="MsoNormal" style='margin-left:13.5pt'>Load options from
9789 <span class="Flag"><i><span style=
9790 'font-size:10.0pt'><file></span></i></span>. If this
9791 flag is used from the command line, the default <span class=
9792 "FileNameChar"><span style=
9793 'font-size:10.0pt'>~/.splintrc</span></span> file is not
9794 loaded. This flag may be used in an options file to include
9795 another options file.</p>
9796 <p class="TextFontCX"><span class="Flag"><span style=
9797 'font-size:10.0pt'>i</span></span> <span class=
9798 "Flag"><span style='font-size:10.0pt'><i><file></i></span></span></p>
9799 <p class="MsoNormal" style='margin-left:13.5pt'>Set LCL
9800 initilization file.</p>
9801 <p class="TextFontCX"><span class="Flag"><span style=
9802 'font-size:10.0pt'>nof</span></span></p>
9803 <p class="IndentText">Prevents the default options files
9804 (<span class="FileNameChar"><span style=
9805 'font-size:10.0pt'>./.splintrc</span></span>and <span class=
9806 "FileNameChar"><span style=
9807 'font-size:10.0pt'>~/.splintrc</span></span>) from being
9808 loaded. (Setting <span class="Flag"><span style=
9809 'font-size:10.0pt'>-nof</span></span> overrides <span class=
9810 "Flag"><span style='font-size:10.0pt'>+nof</span></span>, causing
9811 the options files to be loaded normally.)</p>
9812 <p class="TextFontCX"><span class="Flag"><span style=
9813 'font-size:10.0pt'>sys-dirs</span></span></p>
9814 <p class="IndentText">Set directories for system files (default is
9815 <span class="FileNameChar"><span style=
9816 'font-size:10.0pt'>/usr/</span></span>). Separate directories
9817 with the path separator for your operating system (e.g.,
9818 semi-colons for Windows or colons for Unix: <span class=
9819 "FileNameChar"><span style=
9820 'font-size:10.0pt'>/usr/include:/usr/local/lib</span></span>).
9821 Flag settings propagate to files in a system directory. If
9822 <span class="Flag"><span style=
9823 'font-size:10.0pt'>-sys-dir-errors</span></span> is set, no errors
9824 are reported for files in system directories.</p>
9825 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9826 <a name="_Toc534975043"></a><a name=
9827 "_Ref345883190">Pre-processor</a></p>
9829 <p class="beforelist">These flags are used to define or undefine
9830 pre-processor constants. The <span class=
9831 "Flag"><span style='font-size:10.0pt'>-I<i><directory></i></span></span>
9832 flag is also passed to the C pre-processor.</p>
9833 <p class="TextFontCX"><span class="Flag"><span style=
9834 'font-size:10.0pt'>D<initializer></span></span></p>
9835 <p class="IndentText">Passed to the C pre-processor.</p>
9837 <p class="FileName0" style='margin-left:0in'><span class=
9838 "Flag">U<initializer></span></p>
9839 <p class="IndentText">Passed to the C pre-processor.</p>
9842 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9843 height="14" align="left">
9845 <td valign="top" align="left" height="14" style=
9846 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9847 <p class="TextFontCX" align="center" style=
9848 'text-align:center;background:#CCCCCC'><span style=
9849 'font-size:10.0pt'>P:</span> <span class=
9850 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9851 <p class="TextFontCX"><span class="Flag"><span style=
9852 'font-size:10.0pt'>unrecogdirective</span></span></p>
9853 <p class="IndentText">Preprocessor directive is not recognized.
9857 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9858 height="14" align="left">
9860 <td valign="top" align="left" height="14" style=
9861 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9862 <p class="TextFontCX" align="center" style=
9863 'text-align:center;background:#CCCCCC'><span style=
9864 'font-size:10.0pt'>P:</span> <span class=
9865 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9866 <p class="TextFontCX"><span class="Flag"><span style=
9867 'font-size:10.0pt'>preproc</span></span></p>
9868 <p class="IndentText">Preprocessing error.
9872 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9873 <a name="_Toc534975044">Libraries</a></p>
9874 <p class="beforelist">These flags control the creation and use of
9876 <p class="TextFontCX"><span class="Flag"><span style=
9877 'font-size:10.0pt'>dump</span></span> <span class=
9879 'font-size:10.0pt'><i><file></i></span></span></p>
9880 <p class="IndentText">Save state in <span class=
9881 "Flag"><i><span style=
9882 'font-size: 10.0pt'><file></span></i></span> for
9883 loading. The default extension <span class=
9884 "ProgramNameChar"><span style='font-size:10.0pt'>.lcd</span></span>
9885 is added if <span class="Flag"><i><span style=
9886 'font-size:10.0pt'><file></span></i></span> has no
9888 <p class="TextFontCX"><span class="Flag"><span style=
9889 'font-size:10.0pt'>load</span></span><span class=
9890 "Flag"><span style='font-size:10.0pt'> <i><file></i></span></span></p>
9891 <p class="IndentText">Load state from <span class=
9892 "Flag"><i><span style=
9893 'font-size: 10.0pt'><file></span></i></span> (created by
9894 <span class="Flag"><span style=
9895 'font-size:10.0pt'>-dump</span></span>). The default
9896 extension <span class="FileNameChar"><span style=
9897 'font-size:10.0pt'>.lcd</span></span> is added if
9898 <span class="Flag"><i><span style=
9899 'font-size:10.0pt'><file></span></i></span> has no
9900 extension. Only one library file may be loaded.</p>
9901 <p class="betweenlists">By default, the standard library is loaded
9902 if the <span class="Flag"><span style=
9903 'font-size:10.0pt'>-load</span></span> flag is not used to load a
9904 user library. If no user library is loaded, one of the
9905 following flags may be used to select a different standard
9906 library. Precede the flag by <span class=
9907 "Flag"><span style='font-size:10.0pt'>+</span></span> to load
9908 the described library (or to prevent a library from being
9909 loaded using <span class="Flag"><span style=
9910 'font-size:10.0pt'>no-lib</span></span>). See Section 14.1
9911 for information on the provided libraries.</p>
9912 <p class="TextFontCX"><span class="Flag"><span style=
9913 'font-size:10.0pt'>no-lib</span></span></p>
9914 <p class="IndentText">Do not load any library. This prevents
9915 the standard library from being loaded.</p>
9916 <p class="TextFontCX"><span class="Flag"><span style=
9917 'font-size:10.0pt'>ansi-lib</span></span></p>
9918 <p class="IndentText">Use the ANSI standard library (selected by
9920 <p class="TextFontCX"><span class="Flag"><span style=
9921 'font-size:10.0pt'>strict-lib</span></span></p>
9922 <p class="IndentText">Use strict version of the ANSI standard
9924 <p class="TextFontCX"><span class="Flag"><span style=
9925 'font-size:10.0pt'>posix-lib</span></span></p>
9926 <p class="IndentText">Use the POSIX standard library.</p>
9927 <p class="TextFontCX"><span class="Flag"><span style=
9928 'font-size:10.0pt'>posix-strict-lib</span></span></p>
9929 <p class="IndentText">Use the strict version of the POSIX standard
9931 <p class="TextFontCX"><span class="Flag"><span style=
9932 'font-size:10.0pt'>unix-lib</span></span></p>
9933 <p class="IndentText">Use UNIX version of standard library.</p>
9934 <p class="TextFontCX"><span class="Flag"><span style=
9935 'font-size:10.0pt'>unix-strict-lib</span></span></p>
9936 <p class="IndentText">Use the strict version of the UNIX standard
9938 <p class="IndentText"> </p>
9939 <p class="TextFontCX"><span class="Flag"><span style=
9940 'font-size:10.0pt'>which-lib</span></span></p>
9941 <p class="IndentText">Print out the standard library filename and
9942 creation information.</p>
9945 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9946 height="14" align="left">
9948 <td valign="top" align="left" height="14" style=
9949 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9950 <p class="TextFontCX" align="center" style=
9951 'text-align:center;background:#CCCCCC'><span style=
9952 'font-size:10.0pt'>P:</span> <span class=
9953 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9954 <p class="TextFontCX"><span class="Flag"><span style=
9955 'font-size:10.0pt'>newdecl</span></span></p>
9956 <p class="IndentText">There is a new declaration that is not declared in a loaded library or
9957 earlier file. (Use this flag to check for consistency against a library.)
9962 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
9963 height="14" align="left">
9965 <td valign="top" align="left" height="14" style=
9966 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
9967 <p class="TextFontCX" align="center" style=
9968 'text-align:center;background:#CCCCCC'><span style=
9969 'font-size:10.0pt'>P:</span> <span class=
9970 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
9971 <p class="TextFontCX"><span class="Flag"><span style=
9972 'font-size:10.0pt'>impconj</span></span></p>
9973 <p class="IndentText">Make all alternate types implicit (useful for making system libraries).
9976 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
9977 <a name="_Toc534975045">Output</a></p>
9978 <p class="beforelist">These flags control what additional
9979 information Splint prints. Setting <span class=
9981 'font-size:10.0pt'>+<i><flag></i></span></span> causes the
9982 described information to be printed; setting <span class=
9984 'font-size:10.0pt'>-<i><flag></i></span></span> prevents
9985 it. By default, all these flags are off.</p>
9986 <p class="TextFontCX"><span class="Flag"><span style=
9987 'font-size:10.0pt'>use-stderr</span></span></p>
9988 <p class="IndentText">Send error messages to standard error
9989 (instead of standard output).</p>
9990 <p class="TextFontCX"><span class="Flag"><span style=
9991 'font-size:10.0pt'>show-summary</span></span></p>
9992 <p class="IndentText">Show a summary of all errors reported and
9993 suppressed. Counts of suppressed errors are not necessarily
9994 correct since turning a flag off may prevent some checking from
9995 being done to save computation, and errors that are not reported
9996 may propagate differently from when they are reported.</p>
9997 <p class="TextFontCX"><span class="Flag"><span style=
9998 'font-size:10.0pt'>show-scan</span></span></p>
9999 <p class="IndentText">Show file names are they are processed.</p>
10000 <p class="TextFontCX"><span class="Flag"><span style=
10001 'font-size:10.0pt'>show-all-uses</span></span></p>
10002 <p class="IndentText">Show list of uses of all external identifiers
10003 sorted by number of uses.</p>
10004 <p class="TextFontCX"><span class="Flag"><span style=
10005 'font-size:10.0pt'>stats</span></span></p>
10006 <p class="IndentText">Display number of lines processed and
10008 <p class="TextFontCX"><span class="Flag"><span style=
10009 'font-size:10.0pt'>time-dist</span></span></p>
10010 <p class="IndentText">Display distribution of where checking time
10012 <p class="TextFontCX"><span class="Flag"><span style=
10013 'font-size:10.0pt'>quiet</span></span></p>
10014 <p class="IndentText">Suppress herald and error count. (If
10015 <span class="Flag"><span style=
10016 'font-size:10.0pt'>quiet</span></span> is not set, Splint prints
10017 out a herald with version information before checking begins, and a
10018 line summarizing the total number of errors reported.)</p>
10019 <p class="TextFontCX"><span class="Flag"><span style=
10020 'font-size:10.0pt'>which-lib</span></span></p>
10021 <p class="IndentText">Print out the standard library filename and
10022 creation information.</p>
10023 <p class="TextFontCX"><span class="Flag"><span style=
10024 'font-size:10.0pt'>limit</span></span> <span class=
10025 "Flag"><span style=
10026 'font-size:10.0pt'><i><number></i></span></span></p>
10027 <p class="IndentText">At most <span class=
10028 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
10029 similar errors are reported consecutively. Further
10030 errors are suppressed, and a message showing the number of
10031 suppressed messages is printed.</p>
10032 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10033 <a name="_Toc534975046">Expected Errors</a></p>
10034 <p class="beforelist">Normally, Splint will expect to report no
10035 errors. The exit status will be success (<span class=
10036 "Keyword"><span style='font-size:10.0pt'>0</span></span>) if no
10037 errors are reported, and failure if any errors are reported.
10038 Flags can be used to set the expected number of reported
10039 errors. Because of the provided error suppression mechanisms,
10040 these options should probably not be used for final checking real
10041 programs but may be useful in developing programs using make.</p>
10042 <p class="TextFontCX"><span class="Flag"><span style=
10043 'font-size:10.0pt'>expect</span></span> <span class=
10044 "Flag"><span style=
10045 'font-size:10.0pt'><i><number></i></span></span></p>
10046 <p class="IndentText">Exactly <span class=
10047 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
10048 code errors are expected. Splint will exit with failure
10049 exit status unless <span class="Flag"><i><span style=
10050 'font-size:10.0pt'><number></span></i></span> code
10051 errors are detected.</p>
10052 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10053 <a name="_Toc534975047">Message Format</a></p>
10054 <p class="beforelist">These flags control how messages are
10055 printed. They may be set at the command line, in options
10056 files, or locally in syntactic comments. The
10057 <span class="Flag"><span style=
10058 'font-size:10.0pt'>line-len</span></span> and <span class=
10059 "Flag"><span style='font-size:10.0pt'>limit</span></span>
10060 flags may be preceded by <span class="Flag"><span style=
10061 'font-size:10.0pt'>+</span></span> or <span class=
10062 "Flag"><span style='font-size:10.0pt'>-</span></span> with
10063 the same meaning; for the other flags, <span class=
10064 "Flag"><span style='font-size: 10.0pt'>+</span></span> turns
10065 on the describe printing and <span class="Flag"><span style=
10066 'font-size:10.0pt'>-</span></span> turns it off. The
10067 box to the left of each flag gives its default value.</p>
10069 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10070 height="14" align="left">
10072 <td valign="top" align="left" height="14" style=
10073 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10074 <p class="TextFontCX" align="center" style=
10075 'text-align:center;background:#CCCCCC'><span class=
10076 "Flag"><span style=
10077 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10078 <p class="TextFontCX"><span class="Flag"><span style=
10079 'font-size:10.0pt'>show-column</span></span></p>
10080 <p class="IndentText">Show column number where error is found.</p>
10082 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10083 height="14" align="left">
10085 <td valign="top" align="left" height="14" style=
10086 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10087 <p class="TextFontCX" align="center" style=
10088 'text-align:center;background:#CCCCCC'><span class=
10089 "Flag"><span style=
10090 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10091 <p class="TextFontCX"><span class="Flag"><span style=
10092 'font-size:10.0pt'>show-func</span></span></p>
10093 <p class="IndentText">Show name of function (or macro) definition
10094 containing error. The function name is printed once before
10095 the first message detected in that function.</p>
10097 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10098 height="14" align="left">
10100 <td valign="top" align="left" height="14" style=
10101 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10102 <p class="TextFontCX" align="center" style=
10103 'text-align:center;background:#CCCCCC'><span class=
10104 "Flag"><span style=
10105 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10106 <p class="TextFontCX"><span class="Flag"><span style=
10107 'font-size:10.0pt'>show-all-conjs</span></span></p>
10108 <p class="IndentText">Show all possible alternate types (see
10111 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10112 height="14" align="left">
10114 <td valign="top" align="left" height="14" style=
10115 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10116 <p class="TextFontCX" align="center" style=
10117 'text-align:center;background:#CCCCCC'><span class=
10118 "Flag"><span style=
10119 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10120 <p class="TextFontCX"><span class="Flag"><span style=
10121 'font-size:10.0pt'>paren-file-format</span></span></p>
10122 <p class="IndentText">Use <span class="Flag"><i><span style=
10123 'font-size:10.0pt'><file></span></i></span><span class=
10124 "CodeText"><span style=
10125 'font-size:10.0pt'>(</span></span><span class=
10126 "Flag"><i><span style='font-size:10.0pt'><line></span></i></span><span class="CodeText">
10127 <span style='font-size:10.0pt'>)</span></span> format in
10128 messages. (Default is + for Win32 for compatibility with
10129 Microsoft VisualStudio.)</p>
10131 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10132 height="14" align="left">
10134 <td valign="top" align="left" height="14" style=
10135 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10136 <p class="TextFontCX" align="center" style=
10137 'text-align:center;background:#CCCCCC'><span class=
10138 "Flag"><span style=
10139 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10140 <p class="TextFontCX"><span class="Flag"><span style=
10141 'font-size:10.0pt'>hints</span></span></p>
10142 <p class="IndentText">Provide hints describing an error and how a
10143 message may be suppressed for the first error reported in each
10146 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10147 height="14" align="left">
10149 <td valign="top" align="left" height="14" style=
10150 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10151 <p class="TextFontCX" align="center" style=
10152 'text-align:center;background:#CCCCCC'><span class=
10153 "Flag"><span style=
10154 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10155 <p class="TextFontCX"><span class="Flag"><span style=
10156 'font-size:10.0pt'>force-hints</span></span></p>
10157 <p class="IndentText">Provide hints for all errors reported, even
10158 if the hint has already been displayed for the same error
10161 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10162 height="14" align="left">
10164 <td valign="top" align="left" height="14" style=
10165 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10166 <p class="TextFontCX" align="center" style=
10167 'text-align:center;background:#CCCCCC'><span class=
10168 "Flag"><span style=
10169 'font-size:10.0pt'>80</span></span></p></td></tr></table></div>
10170 <p class="TextFontCX"><span class="Flag"><span style=
10171 'font-size:10.0pt'>line-len</span></span> <span class=
10172 "Flag"><span style=
10173 'font-size:10.0pt'><i><number></i></span></span></p>
10174 <p class="IndentText">Set length of maximum message line to
10175 <span class="Flag"><i><span style=
10176 'font-size:10.0pt'><number></span></i></span>
10177 characters. Splint will split messages longer than
10178 <span class="Flag"><i><span style=
10179 'font-size: 10.0pt'><number></span></i></span> characters
10180 long into multiple lines.</p>
10183 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10184 height="14" align="left">
10186 <td valign="top" align="left" height="14" style=
10187 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10188 <p class="TextFontCX" align="center" style=
10189 'text-align:center;background:#CCCCCC'><span class=
10190 "Flag"><span style=
10191 'font-size:10.0pt'>3</span></span></p></td></tr></table></div>
10192 <p class="TextFontCX"><span class="Flag"><span style=
10193 'font-size:10.0pt'>indentspaces</span></span> <span class=
10194 "Flag"><span style=
10195 'font-size:10.0pt'><i><number></i></span></span></p>
10196 <p class="IndentText">
10197 Set the number of spaces to indent sub-messages.
10199 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10200 <a name="_Toc534975048">Mode Selector Flags</a></p>
10201 <p class="TextFontCX">Mode selects flags set the mode checking
10202 flags to predefined values. They provide a quick coarse-grain
10203 way of controlling what classes of errors are reported. Specific
10204 checking flags may be set after a mode flag to override the mode
10205 settings. Mode flags may be used locally, however the mode
10206 settings will override specific command line flag settings. A
10207 warning is produced if a mode flag is used after a mode checking
10208 flag has been set.</p>
10209 <p class="TextFontCX"> </p>
10210 <p class="beforelist">These are brief descriptions to give a
10211 general idea of what each mode does. To see the complete flag
10212 settings in each mode, use <span class="Flag"><span style=
10213 'font-size:10.0pt'>splint -help modes</span></span>. A mode flag
10214 has the same effect when used with either <span class=
10215 "Flag"><span style='font-size:10.0pt'>+</span></span> or
10216 <span class="Flag"><span style=
10217 'font-size:10.0pt'>-</span></span>.</p>
10218 <p class="TextFontCX"><span class="Flag"><span style=
10219 'font-size:10.0pt'>weak</span></span></p>
10220 <p class="IndentText">Weak checking, intended for typical
10221 unannotated C code. No modifies checking, macro checking, rep
10222 exposure, or clean interface checking is done. Return values
10223 of type <span class="CodeText"><span style=
10224 'font-size:10.0pt'>int</span></span> may be ignored. The
10225 types <span class="CodeText"><span style=
10226 'font-size:10.0pt'>bool</span></span>, <span class=
10227 "CodeText"><span style='font-size:10.0pt'>int</span></span>,
10228 <span class="CodeText"><span style=
10229 'font-size:10.0pt'>char</span></span> and user-defined
10230 <span class="CodeText"><span style=
10231 'font-size:10.0pt'>enum</span></span> types are all
10232 equivalent. Old style declarations are unreported.</p>
10233 <p class="TextFontCX"><span class="Flag"><span style=
10234 'font-size:10.0pt'>standard</span></span></p>
10235 <p class="IndentText">The default mode. All checking done by
10236 <span class="Flag"><span style=
10237 'font-size:10.0pt'>weak</span></span>, plus modifies checking,
10238 global, alias checking, use all parameters, using released storage,
10239 ignored return values or any type, macro checking, unreachable
10240 code, infinite loops, and fall through cases. The types
10241 <span class="CodeText"><span style=
10242 'font-size:10.0pt'>bool</span></span>, <span class=
10243 "CodeText"><span style='font-size:10.0pt'>int</span></span> and
10244 <span class="CodeText"><span style=
10245 'font-size:10.0pt'>char</span></span> are distinct. Old style
10246 declarations are reported.</p>
10247 <p class="TextFontCX"> <span class="Flag"><span style=
10248 'font-size:10.0pt'>checks</span></span></p>
10249 <p class="IndentText">Moderately strict checking. All
10250 checking done by <span class="Flag"><span style=
10251 'font-size:10.0pt'>standard</span></span>, plus must modification
10252 checking, rep exposure, return alias, memory management and
10253 complete interfaces.</p>
10254 <p class="TextFontCX"><span class="Flag"><span style=
10255 'font-size:10.0pt'>strict</span></span></p>
10256 <p class="IndentText">Absurdly strict checking. All checking
10257 done by <span class="Flag"><span style=
10258 'font-size:10.0pt'>checks</span></span>, plus modifications and
10259 global variables used in unspecified functions, strict standard
10260 library, and strict typing of C operators. A special reward will be
10261 presented to the first person to produce a real program that
10262 produces no errors with <span class="Flag"><span style=
10263 'font-size:10.0pt'>strict</span></span> checking.</p>
10264 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
10265 <a name="_Ref344798116"></a><a name="_Toc534975049">Checking
10267 <p class="TextFontCX">These flags control checking done by
10268 Splint. They may be set locally using syntactic comments,
10269 from the command line, or in an options file. Some flags
10270 directly control whether a certain class of message is
10271 reported. Preceding the flag by <span class=
10272 "Flag"><span style='font-size:10.0pt'>+</span></span> turns
10273 reporting on, and preceding the flag by <span class=
10274 "Flag"><span style='font-size:10.0pt'>-</span></span> turns
10275 reporting off. Other flags control checking less directly by
10276 determining default values (what annotations are implicit), making
10277 types equivalent (to prevent certain type errors), controlling
10278 representation access, etc. For these flags, the effect of
10279 <span class="Flag"><span style='font-size:10.0pt'>+</span></span>
10280 is described, and the effect of <span class=
10281 "Flag"><span style='font-size:10.0pt'>-</span></span> is the
10282 opposite (or explicitly explained if there is no clear
10283 opposite). The organization of this section mirrors
10285 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10286 <a name="_Toc534975051"></a>
10287 <a name="_Toc534975056">Null
10288 Dereferences</a> <span class="TextFontCXChar"><span style=
10289 'font-size:11.0pt; font-weight:normal'>(Section
10290 2)</span></span></p>
10293 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10294 height="14" align="left">
10296 <td valign="top" align="left" height="14" style=
10297 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10298 <p class="TextFontCX" align="center" style=
10299 'text-align:center;background:#CCCCCC'><span style=
10300 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
10301 <p class="TextFontCX"><span class="Flag"><span style=
10302 'font-size:10.0pt'>null</span></span></p>
10303 <p class="IndentText">A possibly null pointer may be dereferenced,
10304 or used somewhere a non-null pointer is expected. (sets nulldref, nullpass, nullassign, and nullstate</p>
10307 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10308 height="14" align="left">
10310 <td valign="top" align="left" height="14" style=
10311 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10312 <p class="TextFontCX" align="center" style=
10313 'text-align:center;background:#CCCCCC'><span style=
10314 'font-size:10.0pt'>m:</span><span class=
10315 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10316 <p class="TextFontCX"><span class="Flag"><span style=
10317 'font-size:10.0pt'>
10320 <p class="IndentText">A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case,
10321 code should check it is not null), or a global, parameter or structure field declared with the null qualifier.
10327 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10328 height="14" align="left">
10330 <td valign="top" align="left" height="14" style=
10331 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10332 <p class="TextFontCX" align="center" style=
10333 'text-align:center;background:#CCCCCC'><span style=
10334 'font-size:10.0pt'>m:</span><span class=
10335 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10336 <p class="TextFontCX"><span class="Flag"><span style=
10337 'font-size:10.0pt'>
10340 <p class="IndentText">
10341 A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@null@*/ annotation. If NULL may be
10342 used for this parameter, add a /*@null@*/ annotation to the function parameter declaration.
10345 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10346 height="14" align="left">
10348 <td valign="top" align="left" height="14" style=
10349 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10350 <p class="TextFontCX" align="center" style=
10351 'text-align:center;background:#CCCCCC'><span style=
10352 'font-size:10.0pt'>m:</span><span class=
10353 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10354 <p class="TextFontCX"><span class="Flag"><span style=
10355 'font-size:10.0pt'>
10358 <p class="IndentText">
10359 Function returns a possibly null pointer, but is not declared using /*@null@*/ annotation of result. If function may return NULL, add /*@null@*/ annotation to the return value declaration.
10363 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10364 height="14" align="left">
10366 <td valign="top" align="left" height="14" style=
10367 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10368 <p class="TextFontCX" align="center" style=
10369 'text-align:center;background:#CCCCCC'><span style=
10370 'font-size:10.0pt'>m:</span><span class=
10371 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10372 <p class="TextFontCX"><span class="Flag"><span style=
10373 'font-size:10.0pt'>
10376 <p class="IndentText">
10377 A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@null@*/ annotation.
10382 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10383 height="14" align="left">
10385 <td valign="top" align="left" height="14" style=
10386 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10387 <p class="TextFontCX" align="center" style=
10388 'text-align:center;background:#CCCCCC'><span style=
10389 'font-size:10.0pt'>m:</span><span class=
10390 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10391 <p class="TextFontCX"><span class="Flag"><span style=
10392 'font-size:10.0pt'>
10395 <p class="IndentText">
10396 A reference with no null annotation is assigned or initialized to NULL. Use /*@null@*/ to declare the reference as a possibly null pointer.
10399 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10400 <a name="_Toc534975055">Use Before Definition</a>
10401 <span class="TextFontCXChar"><span style=
10402 'font-size:11.0pt; font-weight:normal'>(Section
10403 3)</span></span></p>
10405 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10406 height="14" align="left">
10408 <td valign="top" align="left" height="14" style=
10409 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10410 <p class="TextFontCX" align="center" style=
10411 'text-align:center;background:#CCCCCC'><span style=
10412 'font-size:10.0pt'>m:</span><span class=
10413 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10414 <p class="TextFontCX"><span class="Flag"><span style=
10415 'font-size:10.0pt'>usedef</span></span></p>
10416 <p class="IndentText">The value of a location that may not be
10417 initialized on some execution path is used.</p>
10419 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10420 height="14" align="left">
10422 <td valign="top" align="left" height="14" style=
10423 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10424 <p class="TextFontCX" align="center" style=
10425 'text-align:center;background:#CCCCCC'><span style=
10426 'font-size:10.0pt'>m:</span><span class=
10427 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
10428 <p class="TextFontCX"><span class="Flag"><span style=
10429 'font-size:10.0pt'>impouts</span></span></p>
10430 <p class="IndentText">Allow unannotated pointer parameters to
10431 functions to be implicit out parameters.</p>
10433 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10434 height="14" align="left">
10436 <td valign="top" align="left" height="14" style=
10437 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10438 <p class="TextFontCX" align="center" style=
10439 'text-align:center;background:#CCCCCC'><span style=
10440 'font-size:10.0pt'>m:</span><span class=
10441 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10442 <p class="TextFontCX"><span class="Flag"><span style=
10443 'font-size:10.0pt'>compdef</span></span></p>
10444 <p class="IndentText">Storage derivable from a parameter, return
10445 value or global variable is not completely defined.</p>
10447 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10448 height="14" align="left">
10450 <td valign="top" align="left" height="14" style=
10451 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10452 <p class="TextFontCX" align="center" style=
10453 'text-align:center;background:#CCCCCC'><span style=
10454 'font-size:10.0pt'>m:</span><span class=
10455 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10456 <p class="TextFontCX"><span class="Flag"><span style=
10457 'font-size:10.0pt'>uniondef</span></span></p>
10458 <p class="IndentText">No field of a union is defined. (No
10459 error is reported if at least one union field is defined.)</p>
10461 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10462 height="14" align="left">
10464 <td valign="top" align="left" height="14" style=
10465 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10466 <p class="TextFontCX" align="center" style=
10467 'text-align:center;background:#CCCCCC'><span style=
10468 'font-size:10.0pt'>m:</span><span class=
10469 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10470 <p class="TextFontCX"><span class="Flag"><span style=
10471 'font-size:10.0pt'>mustdefine</span></span></p>
10472 <p class="IndentText">Parameter declared with <span class=
10473 "Keyword"><span style='font-size:10.0pt'>out</span></span> is not
10474 defined before return or scope exit.</p>
10477 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10480 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10481 height="14" align="left">
10483 <td valign="top" align="left" height="14" style=
10484 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10485 <p class="TextFontCX" align="center" style=
10486 'text-align:center;background:#CCCCCC'><span style=
10487 'font-size:10.0pt'>P:</span><span class=
10488 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10489 <p class="TextFontCX"><span class="Flag"><span style=
10490 'font-size:10.0pt'>
10493 <p class="IndentText">
10494 Initializer does not set every field in the structure.
10499 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10500 height="14" align="left">
10502 <td valign="top" align="left" height="14" style=
10503 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10504 <p class="TextFontCX" align="center" style=
10505 'text-align:center;background:#CCCCCC'><span style=
10506 'font-size:10.0pt'>P:</span><span class=
10507 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10508 <p class="TextFontCX"><span class="Flag"><span style=
10509 'font-size:10.0pt'>
10512 <p class="IndentText">
10513 Initializer does not define all elements of a declared array.
10518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10519 height="14" align="left">
10521 <td valign="top" align="left" height="14" style=
10522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10523 <p class="TextFontCX" align="center" style=
10524 'text-align:center;background:#CCCCCC'><span style=
10525 'font-size:10.0pt'>P:</span><span class=
10526 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10527 <p class="TextFontCX"><span class="Flag"><span style=
10528 'font-size:10.0pt'>
10531 <p class="IndentText">
10532 Initializer block contains more elements than the size of a declared array.
10537 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10538 height="14" align="left">
10540 <td valign="top" align="left" height="14" style=
10541 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10542 <p class="TextFontCX" align="center" style=
10543 'text-align:center;background:#CCCCCC'><span style=
10544 'font-size:10.0pt'>m:</span><span class=
10545 "Keyword"><span style='font-size:10.0pt'>---</span></span></p></td></tr></table></div>
10546 <p class="TextFontCX"><span class="Flag"><span style=
10547 'font-size:10.0pt'>
10550 <p class="IndentText">
10551 Pointer parameters to unspecified functions may be implicit <span class=
10552 "Keyword"><span style='font-size:10.0pt'>out</span></span> parameters.
10555 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10556 Declarations<span class="TextFontCXChar"><span style=
10557 'font-size:11.0pt; font-weight:normal'></span></span>
10558 <span class="TextFontCXChar">
10560 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
10563 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10564 height="14" align="left">
10566 <td valign="top" align="left" height="14" style=
10567 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10568 <p class="TextFontCX" align="center" style=
10569 'text-align:center;background:#CCCCCC'><span style=
10570 'font-size:10.0pt'>m:</span><span class=
10571 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10572 <p class="TextFontCX"><span class="Flag"><span style=
10573 'font-size:10.0pt'>
10576 <p class="IndentText">
10577 A function, variable or constant is redefined with a different type.
10581 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10582 height="14" align="left">
10584 <td valign="top" align="left" height="14" style=
10585 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10586 <p class="TextFontCX" align="center" style=
10587 'text-align:center;background:#CCCCCC'><span style=
10588 'font-size:10.0pt'>m:</span><span class=
10589 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10590 <p class="TextFontCX"><span class="Flag"><span style=
10591 'font-size:10.0pt'>
10594 <p class="IndentText">
10595 A function type is dereferenced. The ANSI standard allows this because of
10596 implicit conversion of function designators, however the dereference is unnecessary.
10600 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10601 height="14" align="left">
10603 <td valign="top" align="left" height="14" style=
10604 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10605 <p class="TextFontCX" align="center" style=
10606 'text-align:center;background:#CCCCCC'><span style=
10607 'font-size:10.0pt'>m:</span><span class=
10608 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10609 <p class="TextFontCX"><span class="Flag"><span style=
10610 'font-size:10.0pt'>
10613 <p class="IndentText">
10614 A declaration of an immutable object uses a redundant observer qualifier.
10619 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10620 height="14" align="left">
10622 <td valign="top" align="left" height="14" style=
10623 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10624 <p class="TextFontCX" align="center" style=
10625 'text-align:center;background:#CCCCCC'><span style=
10626 'font-size:10.0pt'>m:</span><span class=
10627 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10628 <p class="TextFontCX"><span class="Flag"><span style=
10629 'font-size:10.0pt'>
10632 <p class="IndentText">
10633 A declaration of an unsharable object uses a sharing annotation.
10636 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
10637 Types <span class="TextFontCXChar"><span style=
10638 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
10639 <span class="TextFontCXChar"><span style=
10640 'font-size:11.0pt; font-weight:normal'>4</span></span>
10641 <span class="TextFontCXChar">
10643 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
10644 <p class="IndentText"> </p>
10647 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10648 height="14" align="left">
10650 <td valign="top" align="left" height="14" style=
10651 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10652 <p class="TextFontCX" align="center" style=
10653 'text-align:center;background:#CCCCCC'><span style=
10654 'font-size:10.0pt'>P:</span> <span class=
10655 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10656 <p class="TextFontCX"><span class="Flag"><span style=
10657 'font-size:10.0pt'>
10660 <p class="IndentText">Type mismatch.</p>
10663 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10664 height="14" align="left">
10666 <td valign="top" align="left" height="14" style=
10667 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10668 <p class="TextFontCX" align="center" style=
10669 'text-align:center;background:#CCCCCC'><span style=
10670 'font-size:10.0pt'>P:</span> <span class=
10671 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10672 <p class="TextFontCX"><span class="Flag"><span style=
10673 'font-size:10.0pt'>
10674 string-literal-too-long
10676 <p class="IndentText">
10677 A string literal is assigned to a char array too small to hold it.
10681 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10682 height="14" align="left">
10684 <td valign="top" align="left" height="14" style=
10685 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10686 <p class="TextFontCX" align="center" style=
10687 'text-align:center;background:#CCCCCC'><span style=
10688 'font-size:10.0pt'>m:</span> <span class=
10689 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10690 <p class="TextFontCX"><span class="Flag"><span style=
10691 'font-size:10.0pt'>
10692 string-literal-too-no-room
10694 <p class="IndentText">
10695 A string literal is assigned to a char array that is not big enough to hold the null terminator.
10700 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10701 height="14" align="left">
10703 <td valign="top" align="left" height="14" style=
10704 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10705 <p class="TextFontCX" align="center" style=
10706 'text-align:center;background:#CCCCCC'><span style=
10707 'font-size:10.0pt'>m:</span> <span class=
10708 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10709 <p class="TextFontCX"><span class="Flag"><span style=
10710 'font-size:10.0pt'>
10711 string-literal-smaller
10713 <p class="IndentText">
10714 A string literal is assigned to a char array that smaller than the string literal needs.
10719 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10720 height="14" align="left">
10722 <td valign="top" align="left" height="14" style=
10723 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10724 <p class="TextFontCX" align="center" style=
10725 'text-align:center;background:#CCCCCC'><span style=
10726 'font-size:10.0pt'>m:</span> <span class=
10727 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10728 <p class="TextFontCX"><span class="Flag"><span style=
10729 'font-size:10.0pt'>
10732 <p class="IndentText">
10733 Type of initial values for enum members must be int.
10736 <p class="Heading10">Boolean Types <span class=
10737 "HeadingNote"><span style=
10738 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
10739 <span class="HeadingNote"><span style=
10740 'font-size:10.5pt;font-weight:normal;font-style: normal'>4.2</span></span><span class="HeadingNote">
10742 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
10743 <p class="TextFontCX">These flags control the type name used to
10744 represent Booleans, and whether the Boolean type is abstract.</p>
10745 <p class="TextFontCX"> </p>
10747 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10748 height="14" align="left">
10750 <td valign="top" align="left" height="14" style=
10751 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10752 <p class="TextFontCX" align="center" style=
10753 'text-align:center;background:#CCCCCC'><span style=
10754 'font-size:10.0pt'>P:</span> <span class=
10755 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
10756 <p class="TextFontCX"><span class="Flag"><span style=
10757 'font-size:10.0pt'>bool</span></span></p>
10758 <p class="IndentText">Boolean type is an abstract type.</p>
10760 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10761 height="14" align="left">
10763 <td valign="top" align="left" height="14" style=
10764 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10765 <p class="TextFontCX" align="center" style=
10766 'text-align:center;background:#CCCCCC'><span style=
10767 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
10768 'font-size:10.0pt'>bool</span></span></p></td></tr></table></div>
10769 <p class="TextFontCX"><span class="Flag"><span style=
10770 'font-size:10.0pt'>booltype</span></span> <span class=
10771 "Flag"><span style=
10772 'font-size:10.0pt'><i><name></i></span></span></p>
10773 <p class="IndentText">Set name of Boolean type to
10774 <i><name></i>.</p>
10776 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10777 height="14" align="left">
10779 <td valign="top" align="left" height="14" style=
10780 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10781 <p class="TextFontCX" align="center" style=
10782 'text-align:center;background:#CCCCCC'><span style=
10783 'font-size:10.0pt'>P:</span><span class="Flag"><span style=
10784 'font-size:10.0pt'>FALSE</span></span></p></td></tr></table></div>
10785 <p class="TextFontCX"><span class="Flag"><span style=
10786 'font-size:10.0pt'>boolfalse</span></span> <span class=
10787 "Flag"><span style=
10788 'font-size:10.0pt'><i><name></i></span></span></p>
10789 <p class="IndentText">Set name of Boolean false to
10790 <i><name></i>.</p>
10792 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10793 height="14" align="left">
10795 <td valign="top" align="left" height="14" style=
10796 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10797 <p class="TextFontCX" align="center" style=
10798 'text-align:center;background:#CCCCCC'><span style=
10799 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
10800 'font-size:10.0pt'>TRUE</span></span></p></td></tr></table></div>
10801 <p class="TextFontCX"><span class="Flag"><span style=
10802 'font-size:10.0pt'>booltrue</span></span> <span class=
10803 "Flag"><span style=
10804 'font-size:10.0pt'><i><name></i></span></span></p>
10805 <p class="IndentText">Set name of Boolean true to
10806 <i><name></i>.</p>
10809 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10810 height="14" align="left">
10812 <td valign="top" align="left" height="14" style=
10813 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10814 <p class="TextFontCX" align="center" style=
10815 'text-align:center;background:#CCCCCC'><span style=
10816 'font-size:10.0pt'>P:</span> <span class=
10817 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10818 <p class="TextFontCX"><span class="Flag"><span style=
10819 'font-size:10.0pt'>
10822 <p class="IndentText">
10823 Splint has found a type which appears to be the boolean type. Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type.
10827 <p class="Heading10"><a name="_Ref344871224">Predicates</a></p>
10829 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10830 height="14" align="left">
10832 <td valign="top" align="left" height="14" style=
10833 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10834 <p class="TextFontCX" align="center" style=
10835 'text-align:center;background:#CCCCCC'><span style=
10836 'font-size:10.0pt'>m:</span><span class=
10837 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10838 <p class="TextFontCX"><span class="Flag"><span style=
10839 'font-size:10.0pt'>pred-bool-ptr</span></span></p>
10840 <p class="IndentText">Type of condition test is a pointer.</p>
10842 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10843 height="14" align="left">
10845 <td valign="top" align="left" height="14" style=
10846 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10847 <p class="TextFontCX" align="center" style=
10848 'text-align:center;background:#CCCCCC'><span style=
10849 'font-size:10.0pt'>m:</span><span class=
10850 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
10851 <p class="TextFontCX"><span class="Flag"><span style=
10852 'font-size:10.0pt'>pred-bool-int</span></span></p>
10853 <p class="IndentText">Type of condition test is an integral
10856 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10857 height="14" align="left">
10859 <td valign="top" align="left" height="14" style=
10860 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10861 <p class="TextFontCX" align="center" style=
10862 'text-align:center;background:#CCCCCC'><span style=
10863 'font-size:10.0pt'>m:</span><span class=
10864 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
10865 <p class="TextFontCX"><span class="Flag"><span style=
10866 'font-size:10.0pt'>pred-bool-others</span></span></p>
10867 <p class="IndentText">Type of condition test is not a Boolean,
10868 pointer or integral type.</p>
10870 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10871 height="14" align="left">
10873 <td valign="top" align="left" height="14" style=
10874 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10875 <p class="TextFontCX" align="center" style=
10876 'text-align:center;background:#CCCCCC'><span style=
10877 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
10878 <p class="TextFontCX"><span class="Flag"><span style=
10879 'font-size:10.0pt'>pred-bool</span></span></p>
10880 <p class="IndentText">Sets <span class="Flag"><span style=
10881 'font-size:10.0pt'>predboolint</span></span>, <span class=
10882 "Flag"><span style='font-size:10.0pt'>predboolptr</span></span> and
10883 <span class="Flag"><span style=
10884 'font-size:10.0pt'>preboolothers</span></span>.</p>
10886 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10887 height="14" align="left">
10889 <td valign="top" align="left" height="14" style=
10890 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10891 <p class="TextFontCX" align="center" style=
10892 'text-align:center;background:#CCCCCC'><span style=
10893 'font-size:10.0pt'>P:</span> <span class=
10894 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
10895 <p class="TextFontCX"><span class="Flag"><span style=
10896 'font-size:10.0pt'>pred-assign</span></span></p>
10897 <p class="IndentText">The condition test is an assignment
10898 expression. If an assignment is intended, add an extra parentheses
10899 nesting (e.g., <span class="CodeText"><span style=
10900 'font-size:10.0pt'>if ((a = b))</span></span> ...).</p>
10901 <p class="Heading10">Primitive Operations</p>
10903 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10904 height="14" align="left">
10906 <td valign="top" align="left" height="14" style=
10907 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10908 <p class="TextFontCX" align="center" style=
10909 'text-align:center;background:#CCCCCC'><span style=
10910 'font-size:10.0pt'>m:</span><span class=
10911 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10912 <p class="TextFontCX"><span class="Flag"><span style=
10913 'font-size:10.0pt'>ptr-arith</span></span></p>
10914 <p class="IndentText">Arithmetic involving pointer and integer.</p>
10917 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10918 height="14" align="left">
10920 <td valign="top" align="left" height="14" style=
10921 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10922 <p class="TextFontCX" align="center" style=
10923 'text-align:center;background:#CCCCCC'><span style=
10924 'font-size:10.0pt'>m:</span> <span class=
10925 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
10926 <p class="TextFontCX"><span class="Flag"><span style=
10927 'font-size:10.0pt'>
10930 <p class="IndentText">
10931 Pointer arithmetic using a possibly null pointer and integer.
10936 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10937 height="14" align="left">
10939 <td valign="top" align="left" height="14" style=
10940 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10941 <p class="TextFontCX" align="center" style=
10942 'text-align:center;background:#CCCCCC'><span style=
10943 'font-size:10.0pt'>m:</span> <span class=
10944 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
10945 <p class="TextFontCX"><span class="Flag"><span style=
10946 'font-size:10.0pt'>
10949 <p class="IndentText">
10950 The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers.
10953 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10954 height="14" align="left">
10956 <td valign="top" align="left" height="14" style=
10957 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10958 <p class="TextFontCX" align="center" style=
10959 'text-align:center;background:#CCCCCC'><span style=
10960 'font-size:10.0pt'>m:</span><span class=
10961 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
10962 <p class="TextFontCX"><span class="Flag"><span style=
10963 'font-size:10.0pt'>ptr-negate</span></span></p>
10964 <p class="IndentText">Allow the operand of the <span class=
10965 "CodeText"><span style='font-size:10.0pt'>!</span></span> operator
10966 to be a pointer.</p>
10968 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10969 height="14" align="left">
10971 <td valign="top" align="left" height="14" style=
10972 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10973 <p class="TextFontCX" align="center" style=
10974 'text-align:center;background:#CCCCCC'><span style=
10975 'font-size:10.0pt'>m:</span><span class=
10976 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10977 <p class="TextFontCX"><span class="Flag"><span style=
10978 'font-size:10.0pt'>bitwise-signed</span></span><span class=
10979 "Flag"><span style='font-size:10.0pt'> </span></span></p>
10980 <p class="IndentText">An operand to a bitwise operator is not an
10981 unsigned value. This may have unexpected results depending on the
10982 signed representations.</p>
10986 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
10987 height="14" align="left">
10989 <td valign="top" align="left" height="14" style=
10990 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
10991 <p class="TextFontCX" align="center" style=
10992 'text-align:center;background:#CCCCCC'><span style=
10993 'font-size:10.0pt'>m:</span> <span class=
10994 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
10995 <p class="TextFontCX"><span class="Flag"><span style=
10996 'font-size:10.0pt'>
10997 shiftimplementation
10999 <p class="IndentText">
11000 The left operand to a shift operator may be negative (behavior is implementation-defined).
11005 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11006 height="14" align="left">
11008 <td valign="top" align="left" height="14" style=
11009 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11010 <p class="TextFontCX" align="center" style=
11011 'text-align:center;background:#CCCCCC'><span style=
11012 'font-size:10.0pt'>m:</span> <span class=
11013 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11014 <p class="TextFontCX"><span class="Flag"><span style=
11015 'font-size:10.0pt'>
11018 <p class="IndentText">
11019 The right operand to a shift operator may be negative (behavior undefined).
11023 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11024 height="14" align="left">
11026 <td valign="top" align="left" height="14" style=
11027 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11028 <p class="TextFontCX" align="center" style=
11029 'text-align:center;background:#CCCCCC'><span style=
11030 'font-size:10.0pt'>m:</span><span class=
11031 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11032 <p class="TextFontCX"><span class="Flag"><span style=
11033 'font-size:10.0pt'>shift-signed</span></span></p>
11034 <p class="IndentText">The left operand to a shift operator is not
11035 an unsigned value.</p>
11037 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11038 height="14" align="left">
11040 <td valign="top" align="left" height="14" style=
11041 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11042 <p class="TextFontCX" align="center" style=
11043 'text-align:center;background:#CCCCCC'><span style=
11044 'font-size:10.0pt'>m:</span><span class=
11045 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11046 <p class="TextFontCX"><span class="Flag"><span style=
11047 'font-size:10.0pt'>strict-ops</span></span></p>
11048 <p class="IndentText">Primitive operation does not type check
11051 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11052 height="14" align="left">
11054 <td valign="top" align="left" height="14" style=
11055 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11056 <p class="TextFontCX" align="center" style=
11057 'text-align:center;background:#CCCCCC'><span style=
11058 'font-size:10.0pt'>m:</span><span class=
11059 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11060 <p class="TextFontCX"><span class="Flag"><span style=
11061 'font-size:10.0pt'>sizeof-type</span></span></p>
11062 <p class="IndentText">Operand of <span class=
11063 "CodeText"><span style='font-size:10.0pt'>sizeof</span></span>
11064 operator is a type. (Safer to use <span class=
11065 "CodeText"><span style='font-size:10.0pt'>int *x = sizeof
11066 (*x);</span></span> instead of <span class=
11067 "CodeText"><span style='font-size:10.0pt'>sizeof
11068 (int)</span></span>.)</p>
11069 <p class="Heading10">Array Formal Parameters</p>
11070 <p class="TextFontCX">These flags control reporting of common
11071 errors caused by confusion about the semantics of array formal
11073 <p class="TextFontCX"> </p>
11075 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11076 height="14" align="left">
11078 <td valign="top" align="left" height="14" style=
11079 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11080 <p class="TextFontCX" align="center" style=
11081 'text-align:center;background:#CCCCCC'><span style=
11082 'font-size:10.0pt'>P:</span> <span class=
11083 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11084 <p class="TextFontCX"><span class="Flag"><span style=
11085 'font-size:10.0pt'>sizeof-formal-array</span></span></p>
11086 <p class="IndentText">The <span class="CodeText"><span style=
11087 'font-size:10.0pt'>sizeof</span></span> operator is used on a
11088 parameter declared as an array. (In many instances this has
11089 unexpected behavior, since the result is the size of a pointer to
11090 the element type, not the number of elements in the array.)</p>
11091 <p class="IndentText"> </p>
11093 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11094 height="14" align="left">
11096 <td valign="top" align="left" height="14" style=
11097 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11098 <p class="TextFontCX" align="center" style=
11099 'text-align:center;background:#CCCCCC'><span style=
11100 'font-size:10.0pt'>P:</span> <span class=
11101 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11102 <p class="TextFontCX"><span class="Flag"><span style=
11103 'font-size:10.0pt'>fixed-formal-array</span></span></p>
11104 <p class="IndentText">An array formal parameter is declared with a
11105 fixed size (e.g., <span class="CodeText"><span style=
11106 'font-size:10.0pt'>int x[20]</span></span>). This is likely
11107 to be confusing, since the size is ignored.</p>
11109 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11110 height="14" align="left">
11112 <td valign="top" align="left" height="14" style=
11113 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11114 <p class="TextFontCX" align="center" style=
11115 'text-align:center;background:#CCCCCC'><span style=
11116 'font-size:10.0pt'>P:</span> <span class=
11117 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11118 <p class="TextFontCX"><span class="Flag"><span style=
11119 'font-size:10.0pt'>formal-array</span></span></p>
11120 <p class="IndentText">A formal parameter is declared as an
11121 array. This is probably not a problem, but can be confusing
11122 since it is treated as a pointer. </p>
11123 <p class="Heading10">Format Codes</p>
11125 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11126 height="14" align="left">
11128 <td valign="top" align="left" height="14" style=
11129 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11130 <p class="TextFontCX" align="center" style=
11131 'text-align:center;background:#CCCCCC'><span style=
11132 'font-size:10.0pt'>P:</span> <span class=
11133 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11134 <p class="TextFontCX"><span class="Flag"><span style=
11135 'font-size:10.0pt'>format-code</span></span></p>
11136 <p class="IndentText">Invalid format code in format string for
11137 <span class="Annot"><span style=
11138 'font-size:10.0pt'>printflike</span></span> or <span class=
11139 "Annot"><span style='font-size:10.0pt'>scanflike</span></span>
11142 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11143 height="14" align="left">
11145 <td valign="top" align="left" height="14" style=
11146 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11147 <p class="TextFontCX" align="center" style=
11148 'text-align:center;background:#CCCCCC'><span style=
11149 'font-size:10.0pt'>P:</span> <span class=
11150 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11151 <p class="TextFontCX"><span class="Flag"><span style=
11152 'font-size:10.0pt'>format-type</span></span></p>
11153 <p class="IndentText">Type-mismatch in parameter corresponding to
11154 format code in a <span class="Annot"><span style=
11155 'font-size:10.0pt'>printflike</span></span> or <span class=
11156 "Annot"><span style='font-size:10.0pt'>scanflike</span></span>
11160 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11161 height="14" align="left">
11163 <td valign="top" align="left" height="14" style=
11164 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11165 <p class="TextFontCX" align="center" style=
11166 'text-align:center;background:#CCCCCC'><span style=
11167 'font-size:10.0pt'>P:</span> <span class=
11168 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11169 <p class="TextFontCX"><span class="Flag"><span style=
11170 'font-size:10.0pt'>format-const</span></span></p>
11171 <p class="IndentText">Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.</p>
11173 <p class="Heading10">Main</p>
11175 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11176 height="14" align="left">
11178 <td valign="top" align="left" height="14" style=
11179 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11180 <p class="TextFontCX" align="center" style=
11181 'text-align:center;background:#CCCCCC'><span style=
11182 'font-size:10.0pt'>P:</span> <span class=
11183 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11184 <p class="TextFontCX"><span class="Flag"><span style=
11185 'font-size:10.0pt'>main-type</span></span></p>
11186 <p class="IndentText">Type of <span class=
11187 "CodeText"><span style='font-size:10.0pt'>main</span></span>
11188 does not match expected type (function returning an
11189 <span class="CodeText"><span style=
11190 'font-size:10.0pt'>int</span></span>, taking no parameters or
11191 two parameters of type <span class="CodeText"><span style=
11192 'font-size:10.0pt'>int</span></span> and <span class=
11193 "CodeText"><span style='font-size:10.0pt'>char
11194 **</span></span>.)</p>
11195 <p class="Heading10">Comparisons</p>
11197 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11198 height="14" align="left">
11200 <td valign="top" align="left" height="14" style=
11201 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11202 <p class="TextFontCX" align="center" style=
11203 'text-align:center;background:#CCCCCC'><a name=
11204 "boolcompare"></a><a name="boolprose"><span style=
11205 'font-size:10.0pt'>m:</span></a><span class=
11206 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11207 <p class="TextFontCX"><span class="Flag"><span style=
11208 'font-size:10.0pt'>bool-compare</span></span></p>
11209 <p class="IndentText">Comparison between Boolean values. This
11210 is dangerous since there may be multiple true values as any
11211 non-zero value is interpreted as true.</p>
11213 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11214 height="14" align="left">
11216 <td valign="top" align="left" height="14" style=
11217 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11218 <p class="TextFontCX" align="center" style=
11219 'text-align:center;background:#CCCCCC'><span style=
11220 'font-size:10.0pt'>m:</span><span class=
11221 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11222 <p class="TextFontCX"><span class="Flag"><span style=
11223 'font-size:10.0pt'>real-compare</span></span></p>
11224 <p class="IndentText">Comparison involving <span class=
11225 "CodeText"><span style='font-size:10.0pt'>float</span></span> or
11226 <span class="CodeText"><span style=
11227 'font-size:10.0pt'>double</span></span> values. This is
11228 dangerous since it may produce unexpected results because floating
11229 point representations are inexact.</p>
11231 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11232 height="14" align="left">
11234 <td valign="top" align="left" height="14" style=
11235 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11236 <p class="TextFontCX" align="center" style=
11237 'text-align:center;background:#CCCCCC'><span style=
11238 'font-size:10.0pt'>m:</span><span class=
11239 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11240 <p class="TextFontCX"><span class="Flag"><span style=
11241 'font-size:10.0pt'>ptr-compare</span></span></p>
11242 <p class="IndentText">Comparison between pointer and number.</p>
11245 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11246 height="14" align="left">
11248 <td valign="top" align="left" height="14" style=
11249 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11250 <p class="TextFontCX" align="center" style=
11251 'text-align:center;background:#CCCCCC'><span style=
11252 'font-size:10.0pt'>m:</span><span class=
11253 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11254 <p class="TextFontCX"><span class="Flag"><span style=
11255 'font-size:10.0pt'>unsigned-compare</span></span></p>
11256 <p class="IndentText">
11257 An unsigned value is used in a comparison with zero in a way that is either a bug or confusing.
11260 <p class="Heading10">Type Equivalence</p>
11262 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11263 height="14" align="left">
11265 <td valign="top" align="left" height="14" style=
11266 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11267 <p class="TextFontCX" align="center" style=
11268 'text-align:center;background:#CCCCCC'><a name=
11269 "globs"></a><span style=
11270 'font-size:10.0pt'>m:</span><span class="Keyword"><span style='font-size: 10.0pt'>
11271 +---</span></span></p></td></tr></table></div>
11272 <p class="TextFontCX"><span class="Flag"><span style=
11273 'font-size:10.0pt'>void-abstract</span></span></p>
11274 <p class="IndentText">Allow <span class=
11275 "CodeText"><span style='font-size:10.0pt'>void
11276 *</span></span> to match pointers to abstract types.
11277 (Casting a pointer to an abstract type to a pointer to
11278 <span class="CodeText"><span style=
11279 'font-size:10.0pt'>void</span></span> is okay if <span class=
11280 "Flag"><span style=
11281 'font-size:10.0pt'>+void-abstract</span></span> is set.)</p>
11283 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11284 height="14" align="left">
11286 <td valign="top" align="left" height="14" style=
11287 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11288 <p class="TextFontCX" align="center" style=
11289 'text-align:center;background:#CCCCCC'><span style=
11290 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
11291 <p class="TextFontCX"><span class="Flag"><span style=
11292 'font-size:10.0pt'>cast-fcn-ptr</span></span></p>
11293 <p class="IndentText"> A pointer to a function is cast to (or
11294 used as) a pointer to void (or vice versa).</p>
11296 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11297 height="14" align="left">
11299 <td valign="top" align="left" height="14" style=
11300 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11301 <p class="TextFontCX" align="center" style=
11302 'text-align:center;background:#CCCCCC'><span style=
11303 'font-size:10.0pt'>m:</span><span class=
11304 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11305 <p class="TextFontCX"><span class="Flag"><span style=
11306 'font-size:10.0pt'>forward-decl</span></span></p>
11307 <p class="IndentText">Forward declarations of pointers to abstract
11308 representation match abstract type.</p>
11310 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11311 height="14" align="left">
11313 <td valign="top" align="left" height="14" style=
11314 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11315 <p class="TextFontCX" align="center" style=
11316 'text-align:center;background:#CCCCCC'><span style=
11317 'font-size:10.0pt'>m:</span><span class=
11318 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11319 <p class="TextFontCX"><span class="Flag"><span style=
11320 'font-size:10.0pt'>imp-type</span></span></p>
11321 <p class="IndentText">A variable declaration has no explicit
11322 type. The type is implicitly int.</p>
11324 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11325 height="14" align="left">
11327 <td valign="top" align="left" height="14" style=
11328 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11329 <p class="TextFontCX" align="center" style=
11330 'text-align:center;background:#CCCCCC'><span style=
11331 'font-size:10.0pt'>P:</span> <span class=
11332 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11333 <p class="TextFontCX"><span class="Flag"><span style=
11334 'font-size:10.0pt'>incomplete-type</span></span></p>
11335 <p class="IndentText">A formal parameter is declared with an
11336 incomplete type (e.g., <span class="Keyword"><span style=
11337 'font-size:10.0pt'>int[][]</span></span>).</p>
11339 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11340 height="14" align="left">
11342 <td valign="top" align="left" height="14" style=
11343 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11344 <p class="TextFontCX" align="center" style=
11345 'text-align:center;background:#CCCCCC'><span style=
11346 'font-size:10.0pt'>m:</span><span class=
11347 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11348 <p class="TextFontCX"><span class="Flag"><span style=
11349 'font-size:10.0pt'>char-index</span></span></p>
11350 <p class="IndentText">Allow <span class=
11351 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11352 to index arrays.</p>
11354 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11355 height="14" align="left">
11357 <td valign="top" align="left" height="14" style=
11358 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11359 <p class="TextFontCX" align="center" style=
11360 'text-align:center;background:#CCCCCC'><span style=
11361 'font-size:10.0pt'>m:</span><span class=
11362 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11363 <p class="TextFontCX"><span class="Flag"><span style=
11364 'font-size:10.0pt'>enum-index</span></span></p>
11365 <p class="IndentText">Allow members of <span class=
11366 "CodeText"><span style='font-size:10.0pt'>enum</span></span>type to
11369 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11370 height="14" align="left">
11372 <td valign="top" align="left" height="14" style=
11373 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11374 <p class="TextFontCX" align="center" style=
11375 'text-align:center;background:#CCCCCC'><span style=
11376 'font-size:10.0pt'>m:</span><span class=
11377 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11378 <p class="TextFontCX"><span class="Flag"><span style=
11379 'font-size:10.0pt'>bool-int</span></span></p>
11380 <p class="IndentText">Make <span class=
11381 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
11382 and <span class="CodeText"><span style=
11383 'font-size:10.0pt'>int</span></span> are equivalent.
11384 (No type errors are reported when a Boolean is used where an
11385 integral type is expected and vice versa.)</p>
11387 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11388 height="14" align="left">
11390 <td valign="top" align="left" height="14" style=
11391 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11392 <p class="TextFontCX" align="center" style=
11393 'text-align:center;background:#CCCCCC'><span style=
11394 'font-size:10.0pt'>m:</span><span class=
11395 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11396 <p class="TextFontCX"><span class="Flag"><span style=
11397 'font-size:10.0pt'>char-int</span></span></p>
11398 <p class="IndentText">Make <span class=
11399 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11400 and <span class="CodeText"><span style=
11401 'font-size:10.0pt'>int</span></span> types equivalent</p>
11404 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11405 height="14" align="left">
11407 <td valign="top" align="left" height="14" style=
11408 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11409 <p class="TextFontCX" align="center" style=
11410 'text-align:center;background:#CCCCCC'><span style=
11411 'font-size:10.0pt'>m:</span><span class=
11412 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11413 <p class="TextFontCX"><span class="Flag"><span style=
11414 'font-size:10.0pt'>charunsignedchar</span></span></p>
11415 <p class="IndentText">To allow <span class=
11416 "CodeText"><span style='font-size:10.0pt'>char</span></span>
11417 and <span class="CodeText"><span style=
11418 'font-size:10.0pt'>unsigned char</span></span> types to match use
11419 <span class="Flag"><span style=
11420 'font-size:10.0pt'>+charunsignedchar</span></span>
11424 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11425 height="14" align="left">
11427 <td valign="top" align="left" height="14" style=
11428 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11429 <p class="TextFontCX" align="center" style=
11430 'text-align:center;background:#CCCCCC'><span style=
11431 'font-size:10.0pt'>m:</span><span class=
11432 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
11433 <p class="TextFontCX"><span class="Flag"><span style=
11434 'font-size:10.0pt'>enum-int</span></span></p>
11435 <p class="IndentText">Make <span class=
11436 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
11437 and <span class="CodeText"><span style=
11438 'font-size:10.0pt'>int</span></span> types equivalent</p>
11440 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11441 height="14" align="left">
11443 <td valign="top" align="left" height="14" style=
11444 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11445 <p class="TextFontCX" align="center" style=
11446 'text-align:center;background:#CCCCCC'><span style=
11447 'font-size:10.0pt'>m:</span><span class=
11448 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11449 <p class="TextFontCX"><span class="Flag"><span style=
11450 'font-size:10.0pt'>float-double</span></span></p>
11451 <p class="IndentText">Make <span class=
11452 "CodeText"><span style='font-size:10.0pt'>float</span></span>
11453 and <span class="CodeText"><span style=
11454 'font-size:10.0pt'>double</span></span> types equivalent</p>
11456 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11457 height="14" align="left">
11459 <td valign="top" align="left" height="14" style=
11460 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11461 <p class="TextFontCX" align="center" style=
11462 'text-align:center;background:#CCCCCC'><span style=
11463 'font-size:10.0pt'>m:</span><span class=
11464 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11465 <p class="TextFontCX"><span class="Flag"><span style=
11466 'font-size:10.0pt'>ignore-quals</span></span></p>
11467 <p class="IndentText">Ignore type qualifiers (<span class=
11468 "CodeText"><span style='font-size:10.0pt'>long</span></span>,
11469 <span class="CodeText"><span style=
11470 'font-size:10.0pt'>short</span></span>, <span class=
11471 "CodeText"><span style=
11472 'font-size:10.0pt'>unsigned</span></span>).</p>
11474 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11475 height="14" align="left">
11477 <td valign="top" align="left" height="14" style=
11478 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11479 <p class="TextFontCX" align="center" style=
11480 'text-align:center;background:#CCCCCC'><span style=
11481 'font-size:10.0pt'>m:</span><span class=
11482 "Keyword"><span style='font-size:10.0pt'>++--</span></span></p></td></tr></table></div>
11483 <p class="TextFontCX"><span class="Flag"><span style=
11484 'font-size:10.0pt'>relax-quals</span></span></p>
11485 <p class="IndentText">Report qualifier mismatches only if dangerous
11486 (information may be lost since a larger type is assigned to (or
11487 passed as) a smaller one or a comparison uses <span class=
11488 "CodeText"><span style='font-size:10.0pt'>signed</span></span> and
11489 <span class="CodeText"><span style=
11490 'font-size:10.0pt'>unsigned</span></span> values.)</p>
11492 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11493 height="14" align="left">
11495 <td valign="top" align="left" height="14" style=
11496 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11497 <p class="TextFontCX" align="center" style=
11498 'text-align:center;background:#CCCCCC'><span style=
11499 'font-size:10.0pt'>m:</span><span class=
11500 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
11501 <p class="TextFontCX"><span class="Flag"><span style=
11502 'font-size:10.0pt'>ignore-signs</span></span></p>
11503 <p class="IndentText">Ignore signs in type comparisons
11504 (<span class="CodeText"><span style=
11505 'font-size:10.0pt'>unsigned</span></span> matches
11506 <span class="CodeText"><span style=
11507 'font-size:10.0pt'>signed</span></span>).</p>
11508 <p class="IndentText"> </p>
11510 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11511 height="14" align="left">
11513 <td valign="top" align="left" height="14" style=
11514 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11515 <p class="TextFontCX" align="center" style=
11516 'text-align:center;background:#CCCCCC'><span style=
11517 'font-size:10.0pt'>P:</span> <span class=
11518 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11519 <p class="TextFontCX"><span class="Flag"><span style=
11520 'font-size:10.0pt'>long-integral</span></span></p>
11521 <p class="IndentText">Allow long type to match an arbitrary
11522 integral type (e.g., <span class="CodeText"><span style=
11523 'font-size:10.0pt'>dev_t</span></span>).</p>
11525 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11526 height="14" align="left">
11528 <td valign="top" align="left" height="14" style=
11529 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11530 <p class="TextFontCX" align="center" style=
11531 'text-align:center;background:#CCCCCC'><span style=
11532 'font-size:10.0pt'>m:</span><span class=
11533 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11534 <p class="TextFontCX"><span class="Flag"><span style=
11535 'font-size:10.0pt'>long-unsigned-integral</span></span></p>
11536 <p class="IndentText">Allow unsigned long type to match an
11537 arbitrary integral type (e.g., <span class=
11538 "CodeText"><span style='font-size:10.0pt'>dev_t</span></span>).</p>
11540 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11541 height="14" align="left">
11543 <td valign="top" align="left" height="14" style=
11544 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11545 <p class="TextFontCX" align="center" style=
11546 'text-align:center;background:#CCCCCC'><span style=
11547 'font-size:10.0pt'>P:</span> <span class=
11548 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11549 <p class="TextFontCX"><span class="Flag"><span style=
11550 'font-size:10.0pt'>match-any-integral</span></span></p>
11551 <p class="IndentText">Allow any integral type to match an
11554 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11555 height="14" align="left">
11557 <td valign="top" align="left" height="14" style=
11558 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11559 <p class="TextFontCX" align="center" style=
11560 'text-align:center;background:#CCCCCC'><span style=
11561 'font-size:10.0pt'>P:</span> <span class=
11562 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11563 <p class="TextFontCX"><span class="Flag"><span style=
11564 'font-size:10.0pt'>long-unsigned-unsigned-integral</span></span></p>
11565 <p class="IndentText">Allow unsigned long type to match an
11566 arbitrary unsigned integral type (e.g., <span class=
11567 "CodeText"><span style=
11568 'font-size:10.0pt'>size_t</span></span>).</p>
11570 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11571 height="14" align="left">
11573 <td valign="top" align="left" height="14" style=
11574 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11575 <p class="TextFontCX" align="center" style=
11576 'text-align:center;background:#CCCCCC'><span style=
11577 'font-size:10.0pt'>m:</span><span class=
11578 "Keyword"><span style='font-size:10.0pt'>+---</span></span></p></td></tr></table></div>
11579 <p class="TextFontCX"><span class="Flag"><span style=
11580 'font-size:10.0pt'>long-signed-integral</span></span></p>
11581 <p class="IndentText">Allow long type to match an arbitrary signed
11582 integral type (e.g., <span class="CodeText"><span style=
11583 'font-size:10.0pt'>ssize_t</span></span>).</p>
11584 <p class="TextFontCX"><span class="Flag"><span style=
11585 'font-size:10.0pt'> </span></span></p>
11587 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11588 height="14" align="left">
11590 <td valign="top" align="left" height="14" style=
11591 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11592 <p class="TextFontCX" align="center" style=
11593 'text-align:center;background:#CCCCCC'><span style=
11594 'font-size:10.0pt'>P:</span> <span class=
11595 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11596 <p class="TextFontCX"><span class="Flag"><span style=
11597 'font-size:10.0pt'>num-literal</span></span></p>
11598 <p class="IndentText">Integer literals can be used as floats.</p>
11600 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11601 height="14" align="left">
11603 <td valign="top" align="left" height="14" style=
11604 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11605 <p class="TextFontCX" align="center" style=
11606 'text-align:center;background:#CCCCCC'><span style=
11607 'font-size:10.0pt'>P:</span> <span class=
11608 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11609 <p class="TextFontCX"><span class="Flag"><span style=
11610 'font-size:10.0pt'>char-int-literal</span></span></p>
11611 <p class="IndentText">A character constant may be used as an
11612 <span class="CodeText"><span style=
11613 'font-size:10.0pt'>int</span></span>.</p>
11615 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11616 height="14" align="left">
11618 <td valign="top" align="left" height="14" style=
11619 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11620 <p class="TextFontCX" align="center" style=
11621 'text-align:center;background:#CCCCCC'><span style=
11622 'font-size:10.0pt'>P:</span> <span class=
11623 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11624 <p class="TextFontCX"><span class="Flag"><span style=
11625 'font-size:10.0pt'>zero-ptr</span></span></p>
11626 <p class="IndentText">Literal <span class=
11627 "CodeText"><span style='font-size:10.0pt'>0</span></span> may
11628 be used as a pointer.</p>
11630 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11631 height="14" align="left">
11633 <td valign="top" align="left" height="14" style=
11634 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11635 <p class="TextFontCX" align="center" style=
11636 'text-align:center;background:#CCCCCC'><span style=
11637 'font-size:10.0pt'>P:</span> <span class=
11638 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11639 <p class="TextFontCX"><span class="Flag"><span style=
11640 'font-size:10.0pt'>zero-bool</span></span></p>
11641 <p class="IndentText">Treat <span class=
11642 "CodeText"><span style='font-size:10.0pt'>0</span></span> as a boolean.
11645 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11646 height="14" align="left">
11648 <td valign="top" align="left" height="14" style=
11649 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11650 <p class="TextFontCX" align="center" style=
11651 'text-align:center;background:#CCCCCC'><span style=
11652 'font-size:10.0pt'>P:</span> <span class=
11653 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11654 <p class="TextFontCX"><span class="Flag"><span style=
11655 'font-size:10.0pt'>relax-types</span></span></p>
11656 <p class="IndentText">Allow all numeric types to match.</p>
11657 <p class="Heading10"><a name="_Toc534975052">Abstract Types</a>
11658 <span class="TextFontCXChar"><span style=
11659 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
11660 <span class="TextFontCXChar"><span style=
11661 'font-size:11.0pt; font-weight:normal'>4.3</span></span><span class="TextFontCXChar">
11663 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
11665 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11666 height="14" align="left">
11668 <td valign="top" align="left" height="14" style=
11669 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11670 <p class="TextFontCX" align="center" style=
11671 'text-align:center;background:#CCCCCC'><span style=
11672 'font-size:10.0pt'>P:</span> <span class=
11673 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11674 <p class="TextFontCX"><span class="Flag"><span style=
11675 'font-size:10.0pt'>abstract</span></span></p>
11676 <p class="IndentText">A data abstraction barrier is violated</p>
11678 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11679 height="14" align="left">
11681 <td valign="top" align="left" height="14" style=
11682 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11683 <p class="TextFontCX" align="center" style=
11684 'text-align:center;background:#CCCCCC'><span style=
11685 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
11686 'font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11687 <p class="TextFontCX"><span class="Flag"><span style=
11688 'font-size:10.0pt'>imp-abstract</span></span></p>
11689 <p class="IndentText">Implicit <span class=
11690 "Annot"><span style='font-size:10.0pt'>abstract</span></span>
11691 annotation for type declarations that do not use <span class=
11692 "Annot"><span style=
11693 'font-size:10.0pt'>concrete</span></span>.</p>
11695 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11696 height="14" align="left">
11698 <td valign="top" align="left" height="14" style=
11699 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11700 <p class="TextFontCX" align="center" style=
11701 'text-align:center;background:#CCCCCC'><span style=
11702 'font-size:10.0pt'>m:</span><span class="Flag"><span style=
11703 'font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11704 <p class="TextFontCX"><span class="Flag"><span style=
11705 'font-size:10.0pt'>mut-rep</span></span></p>
11706 <p class="IndentText">Representation of mutable type has sharing
11708 <p class="Heading10">Access <span class=
11709 "TextFontCXChar"><span style=
11710 'font-size:11.0pt; font-weight:normal'>(Section
11711 4.3.1)</span></span></p>
11713 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11714 height="14" align="left">
11716 <td valign="top" align="left" height="14" style=
11717 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11718 <p class="TextFontCX" align="center" style=
11719 'text-align:center;background:#CCCCCC'><span style=
11720 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
11721 <p class="TextFontCX"><span class="Flag"><span style=
11722 'font-size:10.0pt'>access-module</span></span></p>
11723 <p class="IndentText">An abstract type defined in
11724 <span class="ProgramNameChar"><i>M</i></span><span class=
11725 "ProgramNameChar">.h</span> (or specified in <span class=
11726 "ProgramNameChar"><i>M</i></span><span class=
11727 "ProgramNameChar">.lcl</span>) is accessible in <span class=
11728 "ProgramNameChar"><i>M</i></span><span class=
11729 "ProgramNameChar">.c</span>.</p>
11731 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11732 height="14" align="left">
11734 <td valign="top" align="left" height="14" style=
11735 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11736 <p class="TextFontCX" align="center" style=
11737 'text-align:center;background:#CCCCCC'><span style=
11738 'font-size:10.0pt'>P:</span> <span class=
11739 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11740 <p class="TextFontCX"><span class="Flag"><span style=
11741 'font-size:10.0pt'>access-file</span></span></p>
11742 <p class="IndentText">An abstract type named <span class=
11743 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11744 is accessible in files named <span class=
11745 "ProgramNameChar"><i>type</i></span><span class=
11746 "ProgramNameChar">.*</span></p>
11748 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11749 height="14" align="left">
11751 <td valign="top" align="left" height="14" style=
11752 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11753 <p class="TextFontCX" align="center" style=
11754 'text-align:center;background:#CCCCCC'><span style=
11755 'font-size:10.0pt'>P:</span> <span class=
11756 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
11757 <p class="MsoListBullet"><span class="Flag"><span style=
11758 'font-size:10.0pt'>access-czech</span></span></p>
11759 <p class="IndentText">An abstract type named <span class=
11760 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11761 may be accessible in a function named <span class=
11762 "CodeText"><i><span style=
11763 'font-size:10.0pt'>type_name</span></i></span>. (Section
11766 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11767 height="14" align="left">
11769 <td valign="top" align="left" height="14" style=
11770 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11771 <p class="TextFontCX" align="center" style=
11772 'text-align:center;background:#CCCCCC'><span style=
11773 'font-size:10.0pt'>P:</span> <span class=
11774 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11775 <p class="MsoListBullet"><span class="Flag"><span style=
11776 'font-size:10.0pt'>access-slovak</span></span></p>
11777 <p class="IndentText">An abstract type named <span class=
11778 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11779 may be accessible in a function named <span class=
11780 "CodeText"><i><span style=
11781 'font-size:10.0pt'>typeName</span></i></span>.
11782 (Section.12.1.2)</p>
11784 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11785 height="14" align="left">
11787 <td valign="top" align="left" height="14" style=
11788 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11789 <p class="TextFontCX" align="center" style=
11790 'text-align:center;background:#CCCCCC'><span style=
11791 'font-size:10.0pt'>P:</span> <span class=
11792 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
11793 <p class="MsoListBullet"><span class="Flag"><span style=
11794 'font-size:10.0pt'>access-czechoslovak</span></span></p>
11795 <p class="IndentText">An abstract type named <span class=
11796 "CodeText"><i><span style='font-size:10.0pt'>type</span></i></span>
11797 may be accessible in a function named <span class=
11798 "CodeText"><i><span style=
11799 'font-size:10.0pt'>type_name</span></i></span> or
11800 <span class="CodeText"><i><span style=
11801 'font-size:10.0pt'>typeName</span></i></span>. (Section
11804 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11805 height="14" align="left">
11807 <td valign="top" align="left" height="14" style=
11808 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11809 <p class="TextFontCX" align="center" style=
11810 'text-align:center;background:#CCCCCC'><span style=
11811 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
11812 <p class="TextFontCX"><span class="Flag"><span style=
11813 'font-size:10.0pt'>access-all</span></span></p>
11814 <p class="IndentText">Sets <span class="Flag"><span style=
11815 'font-size:10.0pt'>access-module</span></span>, <span class=
11816 "Flag"><span style='font-size:10.0pt'>access-file</span></span> and
11817 <span class="Flag"><span style=
11818 'font-size:10.0pt'>access-czech</span></span>.</p>
11819 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
11820 <a name="_Toc534975053">Memory Management</a> <span class=
11821 "TextFontCXChar"><span style=
11822 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
11823 <span class="TextFontCXChar"><span style=
11824 'font-size:11.0pt; font-weight:normal'>5</span></span><span class="TextFontCXChar">
11826 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
11827 <p class="TextFontCX">Reporting of memory management errors is
11828 controlled by flags setting checking and implicit annotations and
11829 code annotations. </p>
11830 <p class="Heading10">Deallocation Errors <span class=
11831 "TextFontCXChar"><span style=
11832 'font-size:11.0pt; font-weight:normal'>(Section
11833 5.2)</span></span></p>
11835 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11836 height="14" align="left">
11838 <td valign="top" align="left" height="14" style=
11839 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11840 <p class="TextFontCX" align="center" style=
11841 'text-align:center;background:#CCCCCC'><span style=
11842 'font-size:10.0pt'>m:</span><span class=
11843 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11844 <p class="TextFontCX"><span class="Flag"><span style=
11845 'font-size:10.0pt'>use-released</span></span></p>
11846 <p class="IndentText">Storage used after it may have been
11849 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11850 height="14" align="left">
11852 <td valign="top" align="left" height="14" style=
11853 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11854 <p class="TextFontCX" align="center" style=
11855 'text-align:center;background:#CCCCCC'><span style=
11856 'font-size:10.0pt'>m:</span><span class=
11857 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11858 <p class="TextFontCX"><span class="Flag"><span style=
11859 'font-size:10.0pt'>strict-use-released</span></span></p>
11860 <p class="IndentText">An array element used after it may have been
11862 <p class="Heading10">Inconsistent Branches</p>
11864 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11865 height="14" align="left">
11867 <td valign="top" align="left" height="14" style=
11868 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11869 <p class="TextFontCX" align="center" style=
11870 'text-align:center;background:#CCCCCC'><span style=
11871 'font-size:10.0pt'>m:</span><span class=
11872 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11873 <p class="TextFontCX"><span class="Flag"><span style=
11874 'font-size:10.0pt'>branch-state</span></span></p>
11875 <p class="IndentText">Storage has inconsistent states of alternate
11876 paths through a branch (e.g., it is released in the true branch of
11877 an if-statement, but there is no else branch.)</p>
11879 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11880 height="14" align="left">
11882 <td valign="top" align="left" height="14" style=
11883 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11884 <p class="TextFontCX" align="center" style=
11885 'text-align:center;background:#CCCCCC'><span style=
11886 'font-size:10.0pt'>m:</span><span class=
11887 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
11888 <p class="TextFontCX"><span class="Flag"><span style=
11889 'font-size:10.0pt'>strict-branch-state</span></span></p>
11890 <p class="IndentText">Storage through array fetch has inconsistent
11891 states of alternate paths through a branch. Since array
11892 elements are not checked accurately, this may lead to spurious
11895 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11896 height="14" align="left">
11898 <td valign="top" align="left" height="14" style=
11899 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11900 <p class="TextFontCX" align="center" style=
11901 'text-align:center;background:#CCCCCC'><span style=
11902 'font-size:10.0pt'>m:</span><span class=
11903 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
11904 <p class="TextFontCX"><span class="Flag"><span style=
11905 'font-size:10.0pt'>dep-arrays</span></span></p>
11906 <p class="IndentText">Treat array elements as <span class=
11907 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
11908 storage. Checking of array elements cannot be done accurately
11909 by Splint. If <span class="Flag"><span style=
11910 'font-size:10.0pt'>dep-arrays</span></span> is not set, array
11911 elements are assumed to be independent, so code that releases the
11912 same element more than once will produce no error. If
11913 <span class="Flag"><span style=
11914 'font-size:10.0pt'>dep-arrays</span></span> is set, array elements
11915 are assumed to be dependent, so code that releases the same element
11916 more that once will produce an error, but code that releases
11917 different elements correctly will produce a spurious error.</p>
11918 <p class="Heading10">Memory Leaks</p>
11920 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11921 height="14" align="left">
11923 <td valign="top" align="left" height="14" style=
11924 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11925 <p class="TextFontCX" align="center" style=
11926 'text-align:center;background:#CCCCCC'><span style=
11927 'font-size:10.0pt'>m:</span><span class=
11928 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11929 <p class="TextFontCX"><span class="Flag"><span style=
11930 'font-size:10.0pt'>must-free</span></span></p>
11931 <p class="IndentText">Allocated storage was not released before
11932 return or scope exit. Errors are reported for
11933 <span class="Annot"><span style=
11934 'font-size:10.0pt'>only</span></span>, <span class=
11935 "Annot"><span style='font-size:10.0pt'>fresh</span></span> or
11936 <span class="Annot"><span style=
11937 'font-size:10.0pt'>owned</span></span> storage.</p>
11941 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11942 height="14" align="left">
11944 <td valign="top" align="left" height="14" style=
11945 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11946 <p class="TextFontCX" align="center" style=
11947 'text-align:center;background:#CCCCCC'><span style=
11948 'font-size:10.0pt'>m:</span><span class=
11949 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11950 <p class="TextFontCX"><span class="Flag"><span style=
11951 'font-size:10.0pt'>mustfreefresh</span></span></p>
11952 <p class="IndentText">
11953 Allocated storage was not released before return or scope exit. Errors are reported for
11954 <span class="Annot"><span style='font-size:10.0pt'>fresh</span></span> storage
11959 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11960 height="14" align="left">
11962 <td valign="top" align="left" height="14" style=
11963 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11964 <p class="TextFontCX" align="center" style=
11965 'text-align:center;background:#CCCCCC'><span style=
11966 'font-size:10.0pt'>m:</span><span class=
11967 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
11968 <p class="TextFontCX"><span class="Flag"><span style=
11969 'font-size:10.0pt'>mustfreeonly</span></span></p>
11970 <p class="IndentText">
11971 Allocated storage was not released before return or scope exit. Errors are reported for
11972 <span class="Annot"><span style='font-size:10.0pt'>only</span></span> storage
11976 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11977 height="14" align="left">
11979 <td valign="top" align="left" height="14" style=
11980 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11981 <p class="TextFontCX" align="center" style=
11982 'text-align:center;background:#CCCCCC'><span style=
11983 'font-size:10.0pt'>shortcut</span><span class=
11984 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
11985 <p class="TextFontCX"><span class="Flag"><span style=
11986 'font-size:10.0pt'>memchecks</span></span></p>
11987 <p class="IndentText">
11988 Sets all dynamic memory checking flags
11990 "Flag"><span style='font-size:10.0pt'>memimplicit, mustfree, mustdefine, mustnotalias, null, memtrans</span> </span>).
11994 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
11995 height="14" align="left">
11997 <td valign="top" align="left" height="14" style=
11998 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
11999 <p class="TextFontCX" align="center" style=
12000 'text-align:center;background:#CCCCCC'><span style=
12001 'font-size:10.0pt'>m:</span><span class=
12002 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12003 <p class="TextFontCX"><span class="Flag"><span style=
12004 'font-size:10.0pt'>comp-destroy</span></span></p>
12005 <p class="IndentText">All only references derivable from
12006 <span class="Annot"><span style='font-size:10.0pt'>out
12007 only</span></span> parameter of type <span class=
12008 "CodeText"><span style='font-size:10.0pt'>void *</span></span> must
12009 be released. (This is the type of the parameter to
12010 <span class="CodeText"><span style=
12011 'font-size:10.0pt'>free</span></span>, but may also be used for
12012 user-defined deallocation functions.)</p>
12014 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12015 height="14" align="left">
12017 <td valign="top" align="left" height="14" style=
12018 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12019 <p class="TextFontCX" align="center" style=
12020 'text-align:center;background:#CCCCCC'><span style=
12021 'font-size:10.0pt'>m:</span><span class=
12022 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12023 <p class="TextFontCX"><span class="Flag"><span style=
12024 'font-size:10.0pt'>strict-destroy</span></span></p>
12025 <p class="IndentText">Report complete destruction errors for array
12026 elements that may have been released. (If <span class=
12027 "Flag"><span style='font-size:10.0pt'>strict-destroy</span></span>
12028 is not set, Splint will assume that if any array element was
12029 released, the entire array was correctly released.)</p>
12030 <p class="Heading10">Transfer Errors</p>
12031 <p class="beforelist">A transfer error is reported when storage is
12032 transferred (by an assignment, passing a parameter, or returning)
12033 in a way that is inconsistent.</p>
12035 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12036 height="14" align="left">
12038 <td valign="top" align="left" height="14" style=
12039 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12040 <p class="TextFontCX" align="center" style=
12041 'text-align:center;background:#CCCCCC'><span style=
12042 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12043 <p class="TextFontCX"><span class="Flag"><span style=
12044 'font-size:10.0pt'>mem-trans</span></span></p>
12045 <p class="IndentText">Sets all memory transfer errors flags.</p>
12047 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12048 height="14" align="left">
12050 <td valign="top" align="left" height="14" style=
12051 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12052 <p class="TextFontCX" align="center" style=
12053 'text-align:center;background:#CCCCCC'><span style=
12054 'font-size:10.0pt'>m:</span><span class=
12055 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12056 <p class="TextFontCX"><span class="Flag"><span style=
12057 'font-size:10.0pt'>only-trans</span></span></p>
12058 <p class="IndentText">Only storage transferred to non-only
12059 reference (memory leak).</p>
12061 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12062 height="14" align="left">
12064 <td valign="top" align="left" height="14" style=
12065 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12066 <p class="TextFontCX" align="center" style=
12067 'text-align:center;background:#CCCCCC'><span style=
12068 'font-size:10.0pt'>m:</span><span class=
12069 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12070 <p class="TextFontCX"><span class="Flag"><span style=
12071 'font-size:10.0pt'>ownedtrans</span></span></p>
12072 <p class="IndentText">Owned storage transferred to non-owned
12073 reference (memory leak).</p>
12075 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12076 height="14" align="left">
12078 <td valign="top" align="left" height="14" style=
12079 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12080 <p class="TextFontCX" align="center" style=
12081 'text-align:center;background:#CCCCCC'><span style=
12082 'font-size:10.0pt'>m:</span><span class=
12083 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12084 <p class="TextFontCX"><span class="Flag"><span style=
12085 'font-size:10.0pt'>fresh-trans</span></span></p>
12086 <p class="IndentText">Newly-allocated storage transferred to
12087 non-only reference (memory leak).</p>
12089 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12090 height="14" align="left">
12092 <td valign="top" align="left" height="14" style=
12093 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12094 <p class="TextFontCX" align="center" style=
12095 'text-align:center;background:#CCCCCC'><span style=
12096 'font-size:10.0pt'>m:</span><span class=
12097 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12098 <p class="TextFontCX"><span class="Flag"><span style=
12099 'font-size:10.0pt'>shared-trans</span></span></p>
12100 <p class="IndentText">Shared storage transferred to non-shared
12103 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12104 height="14" align="left">
12106 <td valign="top" align="left" height="14" style=
12107 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12108 <p class="TextFontCX" align="center" style=
12109 'text-align:center;background:#CCCCCC'><span style=
12110 'font-size:10.0pt'>m:</span><span class=
12111 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12112 <p class="TextFontCX"><span class="Flag"><span style=
12113 'font-size:10.0pt'>dependent-trans</span></span></p>
12114 <p class="IndentText">Inconsistent <span class=
12115 "Annot"><span style='font-size:10.0pt'>dependent</span></span>
12116 transfer. Dependent storage is transferred to a non-dependent
12119 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12120 height="14" align="left">
12122 <td valign="top" align="left" height="14" style=
12123 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12124 <p class="TextFontCX" align="center" style=
12125 'text-align:center;background:#CCCCCC'><span style=
12126 'font-size:10.0pt'>m:</span><span class=
12127 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12128 <p class="TextFontCX"><span class="Flag"><span style=
12129 'font-size:10.0pt'>temp-trans</span></span></p>
12130 <p class="IndentText">Temporary storage (associated with a
12131 <span class="Annot"><span style=
12132 'font-size:10.0pt'>temp</span></span> formal parameter) is
12133 transferred to a non-temporary reference. The storage may be
12134 released or new aliases created.</p>
12136 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12137 height="14" align="left">
12139 <td valign="top" align="left" height="14" style=
12140 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12141 <p class="TextFontCX" align="center" style=
12142 'text-align:center;background:#CCCCCC'><span style=
12143 'font-size:10.0pt'>m:</span><span class=
12144 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12145 <p class="TextFontCX"><span class="Flag"><span style=
12146 'font-size:10.0pt'>kept-trans</span></span></p>
12147 <p class="IndentText">Kept storage (storage what was passed as
12148 <span class="Annot"><span style=
12149 'font-size:10.0pt'>keep</span></span>) transferred to non-temporary
12152 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12153 height="14" align="left">
12155 <td valign="top" align="left" height="14" style=
12156 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12157 <p class="TextFontCX" align="center" style=
12158 'text-align:center;background:#CCCCCC'><span style=
12159 'font-size:10.0pt'>m:</span><span class=
12160 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12161 <p class="TextFontCX"><span class="Flag"><span style=
12162 'font-size:10.0pt'>keep-trans</span></span></p>
12163 <p class="IndentText">Keep storage is transferred in a way that may
12164 add a new alias to it, or release it.</p>
12166 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12167 height="14" align="left">
12169 <td valign="top" align="left" height="14" style=
12170 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12171 <p class="TextFontCX" align="center" style=
12172 'text-align:center;background:#CCCCCC'><span style=
12173 'font-size:10.0pt'>m:</span><span class=
12174 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12175 <p class="TextFontCX"><span class="Flag"><span style=
12176 'font-size:10.0pt'>refcount-trans</span></span></p>
12177 <p class="IndentText">Reference counted storage is transferred in
12178 an inconsistent way.</p>
12180 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12181 height="14" align="left">
12183 <td valign="top" align="left" height="14" style=
12184 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12185 <p class="TextFontCX" align="center" style=
12186 'text-align:center;background:#CCCCCC'><span style=
12187 'font-size:10.0pt'>m:</span><span class=
12188 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12189 <p class="TextFontCX"><span class="Flag"><span style=
12190 'font-size:10.0pt'>newref-trans</span></span></p>
12191 <p class="IndentText">A new reference transferred to a reference
12192 counted reference (reference count is not set correctly).</p>
12194 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12195 height="14" align="left">
12197 <td valign="top" align="left" height="14" style=
12198 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12199 <p class="TextFontCX" align="center" style=
12200 'text-align:center;background:#CCCCCC'><span style=
12201 'font-size:10.0pt'>m:</span><span class=
12202 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12203 <p class="TextFontCX"><span class="Flag"><span style=
12204 'font-size:10.0pt'>immediate-trans</span></span></p>
12205 <p class="IndentText">An immediate address (result of
12206 <span class="CodeText"><span style=
12207 'font-size:10.0pt'>&</span></span>) is transferred
12208 inconsistently.</p>
12210 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12211 height="14" align="left">
12213 <td valign="top" align="left" height="14" style=
12214 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12215 <p class="TextFontCX" align="center" style=
12216 'text-align:center;background:#CCCCCC'><span style=
12217 'font-size:10.0pt'>m:</span><span class=
12218 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12219 <p class="TextFontCX"><span class="Flag"><span style=
12220 'font-size:10.0pt'>static-trans</span></span></p>
12221 <p class="IndentText">Static storage is transferred in an
12222 inconsistent way.</p>
12224 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12225 height="14" align="left">
12227 <td valign="top" align="left" height="14" style=
12228 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12229 <p class="TextFontCX" align="center" style=
12230 'text-align:center;background:#CCCCCC'><span style=
12231 'font-size:10.0pt'>m:</span><span class=
12232 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12233 <p class="TextFontCX"><span class="Flag"><span style=
12234 'font-size:10.0pt'>expose-trans</span></span></p>
12235 <p class="IndentText">Inconsistent exposure transfer. Exposed
12236 storage is transferred to a non-<span class=
12237 "Annot"><span style='font-size:10.0pt'>exposed</span></span>,
12238 non-<span class="Annot"><span style=
12239 'font-size:10.0pt'>observer</span></span> reference.</p>
12241 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12242 height="14" align="left">
12244 <td valign="top" align="left" height="14" style=
12245 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12246 <p class="TextFontCX" align="center" style=
12247 'text-align:center;background:#CCCCCC'><span style=
12248 'font-size:10.0pt'>m:</span><span class=
12249 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12250 <p class="TextFontCX"><span class="Flag"><span style=
12251 'font-size:10.0pt'>observer-trans</span></span></p>
12252 <p class="IndentText">Inconsistent <span class=
12253 "Annot"><span style='font-size:10.0pt'>observer</span></span>
12254 transfer. Observer storage is transferred to a non-observer
12257 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12258 height="14" align="left">
12260 <td valign="top" align="left" height="14" style=
12261 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12262 <p class="TextFontCX" align="center" style=
12263 'text-align:center;background:#CCCCCC'><span style=
12264 'font-size:10.0pt'>m:</span><span class=
12265 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12266 <p class="TextFontCX"><span class="Flag"><span style=
12267 'font-size:10.0pt'>unqualified-trans</span></span></p>
12268 <p class="IndentText">Unqualified storage is transferred in an
12269 inconsistent way.</p>
12270 <p class="Heading11">Initializers</p>
12272 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12273 height="14" align="left">
12275 <td valign="top" align="left" height="14" style=
12276 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12277 <p class="TextFontCX" align="center" style=
12278 'text-align:center;background:#CCCCCC'><span style=
12279 'font-size:10.0pt'>m:</span><span class=
12280 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12281 <p class="TextFontCX"><span class="Flag"><span style=
12282 'font-size:10.0pt'>only-unq-global-trans</span></span></p>
12283 <p class="IndentText">Only storage transferred to an unqualified
12284 global or static reference. This may lead to a memory leak, since
12285 the new reference is not necessarily released.</p>
12287 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12288 height="14" align="left">
12290 <td valign="top" align="left" height="14" style=
12291 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12292 <p class="TextFontCX" align="center" style=
12293 'text-align:center;background:#CCCCCC'><span style=
12294 'font-size:10.0pt'>m:</span><span class=
12295 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12296 <p class="TextFontCX"><span class="Flag"><span style=
12297 'font-size:10.0pt'>static-init-trans</span></span></p>
12298 <p class="IndentText">Static storage is used as an initial value in
12299 an inconsistent way.</p>
12301 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12302 height="14" align="left">
12304 <td valign="top" align="left" height="14" style=
12305 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12306 <p class="TextFontCX" align="center" style=
12307 'text-align:center;background:#CCCCCC'><span style=
12308 'font-size:10.0pt'>m:</span><span class=
12309 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12310 <p class="TextFontCX"><span class="Flag"><span style=
12311 'font-size:10.0pt'>unqualified-init-trans</span></span></p>
12312 <p class="IndentText">Unqualified storage is used as an initial
12313 value in an inconsistent way.</p>
12314 <p class="Heading11">Derived Storage</p>
12316 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12317 height="14" align="left">
12319 <td valign="top" align="left" height="14" style=
12320 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12321 <p class="TextFontCX" align="center" style=
12322 'text-align:center;background:#CCCCCC'><span style=
12323 'font-size:10.0pt'>m:</span><span class=
12324 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12325 <p class="TextFontCX"><span class="Flag"><span style=
12326 'font-size:10.0pt'>comp-mem-pass</span></span></p>
12327 <p class="IndentText">Storage derivable from a parameter does not
12328 match the alias kind expected for the formal parameter.</p>
12329 <p class="Heading11">Stack References</p>
12331 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12332 height="14" align="left">
12334 <td valign="top" align="left" height="14" style=
12335 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12336 <p class="TextFontCX" align="center" style=
12337 'text-align:center;background:#CCCCCC'><span style=
12338 'font-size:10.0pt'>m:</span><span class=
12339 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12340 <p class="TextFontCX"><span class="Flag"><span style=
12341 'font-size:10.0pt'>stack-ref</span></span></p>
12342 <p class="IndentText">A stack reference is pointed to by an
12343 external reference when the function returns. Since the call
12344 frame will be destroyed when the function returns the return value
12345 will point to dead storage. (Section 5.2.6)</p>
12346 <p class="Heading10">Implicit Memory Annotations <span class=
12347 "HeadingNote"><span style=
12348 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
12349 <span class="HeadingNote"><span style=
12350 'font-size:10.5pt;font-weight:normal;font-style: normal'>5.3</span></span><span class="HeadingNote">
12352 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12356 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12357 height="14" align="left">
12359 <td valign="top" align="left" height="14" style=
12360 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12361 <p class="TextFontCX" align="center" style=
12362 'text-align:center;background:#CCCCCC'><span style=
12363 'font-size:10.0pt'>shortcut</span> <span class=
12364 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
12365 <p class="TextFontCX"><span class="Flag"><span style=
12366 'font-size:10.0pt'>all-imp-only</span></span></p>
12367 <p class="IndentText">Sets
12368 <span class="Flag"><span style=
12369 'font-size:10.0pt'>
12370 glob-imp-only, ret-imp-only, struct-imp-only, specglobimponly, specretimponly
12373 <span class="Flag"><span style=
12374 'font-size:10.0pt'>
12381 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12382 height="14" align="left">
12384 <td valign="top" align="left" height="14" style=
12385 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12386 <p class="TextFontCX" align="center" style=
12387 'text-align:center;background:#CCCCCC'><span style=
12388 'font-size:10.0pt'>P:</span> <span class=
12389 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12390 <p class="TextFontCX"><span class="Flag"><span style=
12391 'font-size:10.0pt'>glob-imp-only</span></span></p>
12392 <p class="IndentText">Assume unannotated global storage is
12397 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12398 height="14" align="left">
12400 <td valign="top" align="left" height="14" style=
12401 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12402 <p class="TextFontCX" align="center" style=
12403 'text-align:center;background:#CCCCCC'><span style=
12404 'font-size:10.0pt'>P:</span> <span class=
12405 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12406 <p class="TextFontCX"><span class="Flag"><span style=
12407 'font-size:10.0pt'>param-imp-temp</span></span></p>
12408 <p class="IndentText">Assume unannotated parameter is
12409 <span class="Annot"><span style=
12410 'font-size:10.0pt'>temp</span></span>.</p>
12412 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12413 height="14" align="left">
12415 <td valign="top" align="left" height="14" style=
12416 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12417 <p class="TextFontCX" align="center" style=
12418 'text-align:center;background:#CCCCCC'><span style=
12419 'font-size:10.0pt'>P:</span> <span class=
12420 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12421 <p class="TextFontCX"><span class="Flag"><span style=
12422 'font-size:10.0pt'>ret-imp-only</span></span></p>
12423 <p class="IndentText">Assume unannotated returned storage is
12424 <span class="Annot"><span style=
12425 'font-size:10.0pt'>only</span></span>.</p>
12427 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12428 height="14" align="left">
12430 <td valign="top" align="left" height="14" style=
12431 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12432 <p class="TextFontCX" align="center" style=
12433 'text-align:center;background:#CCCCCC'><span style=
12434 'font-size:10.0pt'>P:</span> <span class=
12435 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12436 <p class="TextFontCX"><span class="Flag"><span style=
12437 'font-size:10.0pt'>struct-imp-only</span></span></p>
12438 <p class="IndentText">Assume unannotated structure or union field
12439 is <span class="Annot"><span style=
12440 'font-size:10.0pt'>only</span></span>.</p>
12442 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12443 height="14" align="left">
12445 <td valign="top" align="left" height="14" style=
12446 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12447 <p class="TextFontCX" align="center" style=
12448 'text-align:center;background:#CCCCCC'><span style=
12449 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12450 <p class="TextFontCX"><span class="Flag"><span style=
12451 'font-size:10.0pt'>code-imp-only</span></span></p>
12452 <p class="IndentText">Sets <span class="Flag"><span style=
12453 'font-size:10.0pt'>glob-imp-only</span></span>, <span class=
12454 "Flag"><span style='font-size:10.0pt'>ret-imp-only</span></span>
12455 and <span class="Flag"><span style=
12456 'font-size:10.0pt'>struct-imp-only</span></span>.</p>
12458 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12459 height="14" align="left">
12461 <td valign="top" align="left" height="14" style=
12462 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12463 <p class="TextFontCX" align="center" style=
12464 'text-align:center;background:#CCCCCC'><span style=
12465 'font-size:10.0pt'>m:</span><span class=
12466 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12467 <p class="TextFontCX"><span class="Flag"><span style=
12468 'font-size:10.0pt'>mem-imp</span></span></p>
12469 <p class="IndentText">Report memory errors for unqualified
12472 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12473 height="14" align="left">
12475 <td valign="top" align="left" height="14" style=
12476 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12477 <p class="TextFontCX" align="center" style=
12478 'text-align:center;background:#CCCCCC'><span style=
12479 'font-size:10.0pt'>m:</span><span class=
12480 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
12481 <p class="TextFontCX"><span class="Flag"><span style=
12482 'font-size:10.0pt'>pass-unknown</span></span></p>
12483 <p class="IndentText">Passing a value as an unannotated parameter
12484 clears its annotation. This will prevent many spurious errors
12485 from being report for unannotated programs, but eliminates the
12486 possibility of detecting many errors.</p>
12487 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
12488 <a name="_Toc534975054">Sharing</a> <span class=
12489 "TextFontCXChar"><span style=
12490 'font-size:11.0pt; font-weight:normal'>(Section
12491 6)</span></span></p>
12492 <p class="Heading10">Aliasing <span class=
12493 "TextFontCXChar"><span style=
12494 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
12495 <span class="TextFontCXChar"><span style=
12496 'font-size:11.0pt; font-weight:normal'>6.1</span></span><span class="TextFontCXChar">
12498 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
12500 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12501 height="14" align="left">
12503 <td valign="top" align="left" height="14" style=
12504 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12505 <p class="TextFontCX" align="center" style=
12506 'text-align:center;background:#CCCCCC'><span style=
12507 'font-size:10.0pt'>m:</span><span class=
12508 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12509 <p class="TextFontCX"><span class="Flag"><span style=
12510 'font-size:10.0pt'>alias-unique</span></span></p>
12511 <p class="IndentText">An actual parameter that is passed as a
12512 <span class="Annot"><span style=
12513 'font-size:10.0pt'>unique</span></span> formal parameter is aliased
12514 by another parameter or global variable.</p>
12516 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12517 height="14" align="left">
12519 <td valign="top" align="left" height="14" style=
12520 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12521 <p class="TextFontCX" align="center" style=
12522 'text-align:center;background:#CCCCCC'><span style=
12523 'font-size:10.0pt'>m:</span><span class=
12524 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12525 <p class="TextFontCX"><span class="Flag"><span style=
12526 'font-size:10.0pt'>may-alias-unique</span></span></p>
12527 <p class="IndentText">An actual parameter that is passed as a
12528 <span class="Annot"><span style=
12529 'font-size:10.0pt'>unique</span></span> formal parameter may be
12530 aliased by another parameter or global variable.</p>
12532 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12533 height="14" align="left">
12535 <td valign="top" align="left" height="14" style=
12536 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12537 <p class="TextFontCX" align="center" style=
12538 'text-align:center;background:#CCCCCC'><span style=
12539 'font-size:10.0pt'>m:</span><span class=
12540 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12541 <p class="TextFontCX"><span class="Flag"><span style=
12542 'font-size:10.0pt'>must-not-alias</span></span></p>
12543 <p class="IndentText">An alias has been added to a
12544 <span class="Annot"><span style=
12545 'font-size:10.0pt'>temp</span></span>-qualifier parameter
12546 or global that is visible externally when the function
12549 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12550 height="14" align="left">
12552 <td valign="top" align="left" height="14" style=
12553 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12554 <p class="TextFontCX" align="center" style=
12555 'text-align:center;background:#CCCCCC'><span style=
12556 'font-size:10.0pt'>m:</span><span class=
12557 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12558 <p class="TextFontCX"><span class="Flag"><span style=
12559 'font-size:10.0pt'>ret-alias</span></span></p>
12560 <p class="IndentText">A function returns an alias to parameter or
12562 <p class="Heading10">Exposure <span class=
12563 "HeadingNote"><span style='font-size: 10.5pt;font-weight:normal;font-style:normal'>
12564 (Section</span></span> <span class="HeadingNote"><span style=
12565 'font-size:10.5pt;font-weight:normal;font-style: normal'>6.2</span></span><span class="HeadingNote">
12567 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12569 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12570 height="14" align="left">
12572 <td valign="top" align="left" height="14" style=
12573 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12574 <p class="TextFontCX" align="center" style=
12575 'text-align:center;background:#CCCCCC'><span style=
12576 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12577 <p class="TextFontCX"><span class="Flag"><span style=
12578 'font-size:10.0pt'>rep-expose</span></span></p>
12579 <p class="IndentText">The internal representation of an abstract
12580 type is visible to the caller. This means clients may have
12581 access to a pointer into the abstract representation. (Sets
12582 <span class="Flag"><span style=
12583 'font-size:10.0pt'>assign-expose</span></span>, <span class=
12584 "Flag"><span style='font-size:10.0pt'>ret-expose</span></span>, and
12585 <span class="Flag"><span style=
12586 'font-size:10.0pt'>cast-expose</span></span>.)</p>
12588 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12589 height="14" align="left">
12591 <td valign="top" align="left" height="14" style=
12592 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12593 <p class="TextFontCX" align="center" style=
12594 'text-align:center;background:#CCCCCC'><span style=
12595 'font-size:10.0pt'>m:</span><span class=
12596 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12597 <p class="TextFontCX"><span class="Flag"><span style=
12598 'font-size:10.0pt'>assign-expose</span></span></p>
12599 <p class="IndentText">Abstract representation is exposed by an
12600 assignment or passed parameter.</p>
12602 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12603 height="14" align="left">
12605 <td valign="top" align="left" height="14" style=
12606 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12607 <p class="TextFontCX" align="center" style=
12608 'text-align:center;background:#CCCCCC'><span style=
12609 'font-size:10.0pt'>m:</span><span class=
12610 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12611 <p class="TextFontCX"><span class="Flag"><span style=
12612 'font-size:10.0pt'>cast-expose</span></span></p>
12613 <p class="IndentText">Abstract representation is exposed through a
12616 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12617 height="14" align="left">
12619 <td valign="top" align="left" height="14" style=
12620 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12621 <p class="TextFontCX" align="center" style=
12622 'text-align:center;background:#CCCCCC'><span style=
12623 'font-size:10.0pt'>m:</span><span class=
12624 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12625 <p class="TextFontCX"><span class="Flag"><span style=
12626 'font-size:10.0pt'>ret-expose</span></span></p>
12627 <p class="IndentText">Abstract representation is exposed by a
12629 <p class="Heading11">Observer Modifications</p>
12631 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12632 height="14" align="left">
12634 <td valign="top" align="left" height="14" style=
12635 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12636 <p class="TextFontCX" align="center" style=
12637 'text-align:center;background:#CCCCCC'><span style=
12638 'font-size:10.0pt'>P:</span> <span class=
12639 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12640 <p class="TextFontCX"><span class="Flag"><span style=
12641 'font-size:10.0pt'>mod-observer</span></span></p>
12642 <p class="IndentText">Possible modification of observer
12645 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12646 height="14" align="left">
12648 <td valign="top" align="left" height="14" style=
12649 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12650 <p class="TextFontCX" align="center" style=
12651 'text-align:center;background:#CCCCCC'><span style=
12652 'font-size:10.0pt'>m:</span><span class=
12653 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12654 <p class="TextFontCX"><span class="Flag"><span style=
12655 'font-size:10.0pt'>mod-observer-uncon</span></span></p>
12656 <p class="IndentText">Storage declared with observer may be
12657 modified through a call to an unconstrained function.</p>
12658 <p class="Heading11">String Literals <span class=
12659 "TextFontCXChar"><span style=
12660 'font-weight: normal;font-style:normal'>(Section
12661 6.2.1)</span></span></p>
12663 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12664 height="14" align="left">
12666 <td valign="top" align="left" height="14" style=
12667 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12668 <p class="TextFontCX" align="center" style=
12669 'text-align:center;background:#CCCCCC'><span style=
12670 'font-size:10.0pt'>m:</span><span class=
12671 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12672 <p class="TextFontCX"><span class="Flag"><span style=
12673 'font-size:10.0pt'>read-only-trans</span></span></p>
12674 <p class="IndentText">Report memory transfer errors for
12675 initializations to read-only string literals</p>
12677 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12678 height="14" align="left">
12680 <td valign="top" align="left" height="14" style=
12681 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12682 <p class="TextFontCX" align="center" style=
12683 'text-align:center;background:#CCCCCC'><span style=
12684 'font-size:10.0pt'>m:</span><span class=
12685 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12686 <p class="TextFontCX"><span class="Flag"><span style=
12687 'font-size:10.0pt'>read-only-strings</span></span></p>
12688 <p class="IndentText">String literals are read-only (ISO
12689 semantics). An error is reported if a string literal may be
12690 modified or released.</p>
12691 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
12692 Function Interfaces <span class="TextFontCXChar"><span style=
12693 'font-size:11.0pt;font-weight:normal'>(Section</span></span>
12694 <span class="TextFontCXChar"><span style=
12695 'font-size:11.0pt; font-weight:normal'>7</span></span><span class="TextFontCXChar">
12697 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
12698 <p class="Heading10">Modification <span class=
12699 "TextFontCXChar"><span style=
12700 'font-size:11.0pt; font-weight:normal'>(Section
12701 7.1)</span></span></p>
12703 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12704 height="14" align="left">
12706 <td valign="top" align="left" height="14" style=
12707 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12708 <p class="TextFontCX" align="center" style=
12709 'text-align:center;background:#CCCCCC'><span style=
12710 'font-size:10.0pt'>P:</span> <span class=
12711 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12712 <p class="TextFontCX"><span class="Flag"><span style=
12713 'font-size:10.0pt'>modifies</span></span></p>
12714 <p class="IndentText">Undocumented modification of caller-visible
12715 state. Without <span class="Flag"><span style=
12716 'font-size:10.0pt'>+moduncon</span></span>, modification errors are
12717 only reported in the definitions of functions declared with a
12718 modifies clause (or specified).</p>
12720 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12721 height="14" align="left">
12723 <td valign="top" align="left" height="14" style=
12724 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12725 <p class="TextFontCX" align="center" style=
12726 'text-align:center;background:#CCCCCC'><span style=
12727 'font-size:10.0pt'>m:</span><span class=
12728 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12729 <p class="TextFontCX"><span class="Flag"><span style=
12730 'font-size:10.0pt'>must-mod</span></span></p>
12731 <p class="IndentText">Documented modification is not
12732 detected. An object listed in the modifies clause for a
12733 function, is not modified by the implementation.</p>
12735 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12736 height="14" align="left">
12738 <td valign="top" align="left" height="14" style=
12739 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12740 <p class="TextFontCX" align="center" style=
12741 'text-align:center;background:#CCCCCC'><span style=
12742 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
12743 <p class="TextFontCX"><span class="Flag"><span style=
12744 'font-size:10.0pt'>mod-uncon</span></span></p>
12745 <p class="IndentText">Report modification errors in functions
12746 declared without a modifies clause.(Sets <span class=
12747 "Flag"><span style='font-size:10.0pt'>mod-nomods</span></span>,
12748 <span class="Flag"><span style=
12749 'font-size:10.0pt'>mod-globs-nomods</span></span> and
12750 <span class="Flag"><span style=
12751 'font-size:10.0pt'>mod-strict-globs-nomods</span></span>.)</p>
12753 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12754 height="14" align="left">
12756 <td valign="top" align="left" height="14" style=
12757 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12758 <p class="TextFontCX" align="center" style=
12759 'text-align:center;background:#CCCCCC'><span style=
12760 'font-size:10.0pt'>m:</span><span class=
12761 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12762 <p class="TextFontCX"><span class="Flag"><span style=
12763 'font-size:10.0pt'>mod-nomods</span></span></p>
12764 <p class="IndentText">Report modification errors (not involving
12765 global variables) in functions declared without a modifies
12768 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12769 height="14" align="left">
12771 <td valign="top" align="left" height="14" style=
12772 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12773 <p class="TextFontCX" align="center" style=
12774 'text-align:center;background:#CCCCCC'><span style=
12775 'font-size:10.0pt'>m:</span><span class=
12776 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12777 <p class="TextFontCX"><span class="Flag"><span style=
12778 'font-size:10.0pt'>mod-uncon-nomods</span></span></p>
12779 <p class="IndentText">An unconstrained function is called in a
12780 function body where modifications are checked. Since the
12781 unconstrained function may modify anything, there may be undetected
12782 modifications in the checked function.</p>
12784 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12785 height="14" align="left">
12787 <td valign="top" align="left" height="14" style=
12788 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12789 <p class="TextFontCX" align="center" style=
12790 'text-align:center;background:#CCCCCC'><span style=
12791 'font-size:10.0pt'>m:</span><span class=
12792 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12793 <p class="TextFontCX"><span class="Flag"><span style=
12794 'font-size:10.0pt'>mod-internal-strict</span></span></p>
12795 <p class="IndentText">A function that modifies <span class=
12796 "Annot"><span style='font-size:10.0pt'>internalState</span></span>
12797 is called from a function that does not list <span class=
12798 "Annot"><span style='font-size:10.0pt'>internalState</span></span>
12799 in its modifies clause.</p>
12801 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12802 height="14" align="left">
12804 <td valign="top" align="left" height="14" style=
12805 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12806 <p class="TextFontCX" align="center" style=
12807 'text-align:center;background:#CCCCCC'><span style=
12808 'font-size:10.0pt'>m:</span><span class=
12809 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12810 <p class="TextFontCX"><span class="Flag"><span style=
12811 'font-size:10.0pt'>mod-file-sys</span></span></p>
12812 <p class="IndentText">A function modifies the file system but does
12813 not list <span class="Annot"><span style=
12814 'font-size:10.0pt'>fileSystem</span></span> in its modifies
12816 <p class="Heading10">Global Variables <span class=
12817 "HeadingNote"><span style=
12818 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
12819 <span class="HeadingNote"><span style=
12820 'font-size:10.5pt;font-weight:normal;font-style: normal'>7.2</span></span><span class="HeadingNote">
12822 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
12823 <p class="beforelist"><a name="globflags"></a>Errors involving the
12824 use and modification of global and file static variables are
12825 reported depending on flag settings, annotations where the global
12826 variable is declared, and whether or not the function where the
12827 global is used was declared with a globals clause.</p>
12829 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12830 height="14" align="left">
12832 <td valign="top" align="left" height="14" style=
12833 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12834 <p class="TextFontCX" align="center" style=
12835 'text-align:center;background:#CCCCCC'><span style=
12836 'font-size:10.0pt'>P:</span> <span class=
12837 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
12838 <p class="TextFontCX"><span class="Flag"><span style=
12839 'font-size:10.0pt'>globs</span></span></p>
12840 <p class="IndentText">Undocumented use of a checked global variable
12841 in a function with a globals list.</p>
12843 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12844 height="14" align="left">
12846 <td valign="top" align="left" height="14" style=
12847 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12848 <p class="TextFontCX" align="center" style=
12849 'text-align:center;background:#CCCCCC'><span style=
12850 'font-size:10.0pt'>m:</span><span class=
12851 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12852 <p class="TextFontCX"><span class="Flag"><span style=
12853 'font-size:10.0pt'>glob-use</span></span></p>
12854 <p class="IndentText">A global listed in the globals list is not
12855 used in the implementation.</p>
12857 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12858 height="14" align="left">
12860 <td valign="top" align="left" height="14" style=
12861 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12862 <p class="TextFontCX" align="center" style=
12863 'text-align:center;background:#CCCCCC'><span style=
12864 'font-size:10.0pt'>m:</span><span class=
12865 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12866 <p class="TextFontCX"><span class="Flag"><span style=
12867 'font-size:10.0pt'>glob-noglobs</span></span></p>
12868 <p class="IndentText">Use of a checked global in a function with no
12871 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12872 height="14" align="left">
12874 <td valign="top" align="left" height="14" style=
12875 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12876 <p class="TextFontCX" align="center" style=
12877 'text-align:center;background:#CCCCCC'><span style=
12878 'font-size:10.0pt'>m:</span><span class=
12879 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12880 <p class="TextFontCX"><span class="Flag"><span style=
12881 'font-size:10.0pt'>internal-globs</span></span></p>
12882 <p class="IndentText">Undocumented use of internal state (should
12883 have <span class="Annot"><span style='font-size:10.0pt'>globals
12884 internalState</span></span>).</p>
12886 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12887 height="14" align="left">
12889 <td valign="top" align="left" height="14" style=
12890 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12891 <p class="TextFontCX" align="center" style=
12892 'text-align:center;background:#CCCCCC'><span style=
12893 'font-size:10.0pt'>m:</span><span class=
12894 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12895 <p class="TextFontCX"><span class="Flag"><span style=
12896 'font-size:10.0pt'>internal-globs-noglobs</span></span></p>
12897 <p class="TextFontCX">
12898 Use of internal state in function with no globals list.</p>
12900 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12901 height="14" align="left">
12903 <td valign="top" align="left" height="14" style=
12904 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12905 <p class="TextFontCX" align="center" style=
12906 'text-align:center;background:#CCCCCC'><span style=
12907 'font-size:10.0pt'>m:</span><span class=
12908 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12909 <p class="TextFontCX"><span class="Flag"><span style=
12910 'font-size:10.0pt'>glob-state</span></span></p>
12911 <p class="IndentText">A function returns with global in
12912 inconsistent state (null or undefined)</p>
12914 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12915 height="14" align="left">
12917 <td valign="top" align="left" height="14" style=
12918 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12919 <p class="TextFontCX" align="center" style=
12920 'text-align:center;background:#CCCCCC'><span style=
12921 'font-size:10.0pt'>m:</span><span class=
12922 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
12923 <p class="TextFontCX"><span class="Flag"><span style=
12924 'font-size:10.0pt'>all-globs</span></span></p>
12925 <p class="IndentText">Report use and modification errors for
12926 globals not annotated with <span class="Annot"><span style=
12927 'font-size:10.0pt'>unchecked</span></span>.</p>
12929 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12930 height="14" align="left">
12932 <td valign="top" align="left" height="14" style=
12933 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12934 <p class="TextFontCX" align="center" style=
12935 'text-align:center;background:#CCCCCC'><span style=
12936 'font-size:10.0pt'>m:</span><span class=
12937 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
12938 <p class="TextFontCX"><span class="Flag"><span style=
12939 'font-size:10.0pt'>check-strict-globs</span></span></p>
12940 <p class="IndentText">Report use and modification errors for
12941 <span class="Annot"><span style=
12942 'font-size:10.0pt'>checkedstrict</span></span> globals.</p>
12943 <p class="Heading11">Modification of Global Variables</p>
12945 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12946 height="14" align="left">
12948 <td valign="top" align="left" height="14" style=
12949 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12950 <p class="TextFontCX" align="center" style=
12951 'text-align:center;background:#CCCCCC'><span style=
12952 'font-size:10.0pt'>m:</span><span class=
12953 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
12954 <p class="TextFontCX"><span class="Flag"><span style=
12955 'font-size:10.0pt'>mod-globs</span></span></p>
12956 <p class="IndentText">Undocumented modification of a checked global
12959 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12960 height="14" align="left">
12962 <td valign="top" align="left" height="14" style=
12963 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12964 <p class="TextFontCX" align="center" style=
12965 'text-align:center;background:#CCCCCC'><span style=
12966 'font-size:10.0pt'>m:</span><span class=
12967 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12968 <p class="TextFontCX"><span class="Flag"><span style=
12969 'font-size:10.0pt'>mod-globs-unchecked</span></span></p>
12970 <p class="IndentText">Undocumented modification of an
12971 <span class="Annot"><span style=
12972 'font-size:10.0pt'>unchecked</span></span>
12973 global variable.</p>
12975 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12976 height="14" align="left">
12978 <td valign="top" align="left" height="14" style=
12979 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12980 <p class="TextFontCX" align="center" style=
12981 'text-align:center;background:#CCCCCC'><span style=
12982 'font-size:10.0pt'>m:</span><span class=
12983 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12984 <p class="TextFontCX"><span class="Flag"><span style=
12985 'font-size:10.0pt'>mod-globs-nomods</span></span></p>
12986 <p class="IndentText">Undocumented modification of a checked global
12987 variable in a function with no modifies clause.</p>
12989 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
12990 height="14" align="left">
12992 <td valign="top" align="left" height="14" style=
12993 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
12994 <p class="TextFontCX" align="center" style=
12995 'text-align:center;background:#CCCCCC'><span style=
12996 'font-size:10.0pt'>m:</span><span class=
12997 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
12998 <p class="TextFontCX"><span class="Flag"><span style=
12999 'font-size:10.0pt'>mod-strict-globs-nomods</span></span></p>
13000 <p class="IndentText">Undocumented modification of a
13001 <span class="Annot"><span style=
13002 'font-size:10.0pt'>checkedstrict</span></span>
13003 global variable in a function declared with no modifies
13005 <p class="Heading11">Globals Lists and Modifies Clauses</p>
13007 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13008 height="14" align="left">
13010 <td valign="top" align="left" height="14" style=
13011 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13012 <p class="TextFontCX" align="center" style=
13013 'text-align:center;background:#CCCCCC'><span style=
13014 'font-size:10.0pt'>m:</span><span class=
13015 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13016 <p class="TextFontCX"><span class="Flag"><span style=
13017 'font-size:10.0pt'>warn-missing-globs</span></span></p>
13018 <p class="IndentText">Global variable used in modifies clause is
13019 not listed in globals list. (The global is added to the
13022 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13023 height="14" align="left">
13025 <td valign="top" align="left" height="14" style=
13026 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13027 <p class="TextFontCX" align="center" style=
13028 'text-align:center;background:#CCCCCC'><span style=
13029 'font-size:10.0pt'>m:</span><span class=
13030 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13031 <p class="TextFontCX"><span class="Flag"><span style=
13032 'font-size:10.0pt'>warn-missing-globs-noglobs</span></span></p>
13033 <p class="IndentText">Global variable used in modifies clause of a
13034 function with no globals list.</p>
13036 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13037 height="14" align="left">
13039 <td valign="top" align="left" height="14" style=
13040 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13041 <p class="TextFontCX" align="center" style=
13042 'text-align:center;background:#CCCCCC'><span style=
13043 'font-size:10.0pt'>m:</span><span class=
13044 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13045 <p class="TextFontCX"><span class="Flag"><span style=
13046 'font-size:10.0pt'>globs-imp-mods-nothing</span></span></p>
13047 <p class="IndentText">A function declared with a globals list but
13048 no modifies clause is assumed to modify nothing.</p>
13050 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13051 height="14" align="left">
13053 <td valign="top" align="left" height="14" style=
13054 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13055 <p class="TextFontCX" align="center" style=
13056 'text-align:center;background:#CCCCCC'><span style=
13057 'font-size:10.0pt'>m:</span><span class=
13058 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13059 <p class="TextFontCX"><span class="Flag"><span style=
13060 'font-size:10.0pt'>mods-imp-noglobs</span></span></p>
13061 <p class="IndentText">A function declared with a modifies clause
13062 but no globals list is assumed to use no globals.</p>
13063 <p class="Heading11">Implicit Checking Annotations</p>
13065 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13066 height="14" align="left">
13068 <td valign="top" align="left" height="14" style=
13069 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13070 <p class="TextFontCX" align="center" style=
13071 'text-align:center;background:#CCCCCC'><span style=
13072 'font-size:10.0pt'>m:</span><span class=
13073 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13074 <p class="TextFontCX"><span class="Flag"><span style=
13075 'font-size:10.0pt'>imp-checked-globs</span></span></p>
13076 <p class="IndentText">Implicit <span class=
13077 "Annot"><span style='font-size:10.0pt'>checked</span></span> annotation
13078 on global variables with no checking annotation.</p>
13080 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13081 height="14" align="left">
13083 <td valign="top" align="left" height="14" style=
13084 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13085 <p class="TextFontCX" align="center" style=
13086 'text-align:center;background:#CCCCCC'><span style=
13087 'font-size:10.0pt'>m:</span><span class=
13088 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13089 <p class="TextFontCX"><span class="Flag"><span style=
13090 'font-size:10.0pt'>imp-checked-statics</span></span></p>
13091 <p class="IndentText">Implicit <span class=
13092 "Annot"><span style='font-size:10.0pt'>checked</span></span> qualifier
13093 file static scope variables with no checking annotation.</p>
13095 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13096 height="14" align="left">
13098 <td valign="top" align="left" height="14" style=
13099 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13100 <p class="TextFontCX" align="center" style=
13101 'text-align:center;background:#CCCCCC'><span style=
13102 'font-size:10.0pt'>m:</span><span class=
13103 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13104 <p class="TextFontCX"><span class="Flag"><span style=
13105 'font-size:10.0pt'>imp-checkmod-globs</span></span></p>
13106 <p class="IndentText">Implicit <span class=
13107 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13108 qualifier on global variables with no checking
13110 <p class="IndentText"><span class="Flag"><span style=
13111 'font-size:10.0pt'> </span></span></p>
13113 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13114 height="14" align="left">
13116 <td valign="top" align="left" height="14" style=
13117 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13118 <p class="TextFontCX" align="center" style=
13119 'text-align:center;background:#CCCCCC'><span style=
13120 'font-size:10.0pt'>m:</span><span class=
13121 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13122 <p class="TextFontCX"><span class="Flag"><span style=
13123 'font-size:10.0pt'>imp-checkmod-statics</span></span></p>
13124 <p class="IndentText">Implicit <span class=
13125 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13126 qualifier file static scope variables with no checking
13129 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13130 height="14" align="left">
13132 <td valign="top" align="left" height="14" style=
13133 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13134 <p class="TextFontCX" align="center" style=
13135 'text-align:center;background:#CCCCCC'><span style=
13136 'font-size:10.0pt'>m:</span><span class=
13137 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13138 <p class="TextFontCX"><span class="Flag"><span style=
13139 'font-size:10.0pt'>imp-checkedstrict-globs</span></span></p>
13140 <p class="IndentText">Implicit <span class=
13141 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13142 qualifier on global variables with no checking
13145 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13146 height="14" align="left">
13148 <td valign="top" align="left" height="14" style=
13149 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13150 <p class="TextFontCX" align="center" style=
13151 'text-align:center;background:#CCCCCC'><span style=
13152 'font-size:10.0pt'>m:</span><span class=
13153 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13154 <p class="TextFontCX"><span class="Flag"><span style=
13155 'font-size:10.0pt'>imp-checkedstrict-statics</span></span></p>
13156 <p class="IndentText">Implicit <span class=
13157 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13158 qualifier file static scope variables with no checking
13161 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13162 height="14" align="left">
13164 <td valign="top" align="left" height="14" style=
13165 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13166 <p class="TextFontCX" align="center" style=
13167 'text-align:center;background:#CCCCCC'><span style=
13168 'font-size:10.0pt'>m:</span><span class=
13169 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13170 <p class="TextFontCX"><span class="Flag"><span style=
13171 'font-size:10.0pt'>imp-checkmod-internals</span></span></p>
13172 <p class="IndentText">Implicit <span class=
13173 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13174 qualifier on function scope static variables with no checking
13177 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13178 height="14" align="left">
13180 <td valign="top" align="left" height="14" style=
13181 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13182 <p class="TextFontCX" align="center" style=
13183 'text-align:center;background:#CCCCCC'><span style=
13184 'font-size:10.0pt'>m:</span><span class=
13185 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13186 <p class="IndentText" style='margin-left:0in'><span class=
13187 "Keyword"><span style='font-size:10.0pt'> </span></span></p>
13188 <p class="Heading11">Global Aliasing</p>
13190 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13191 height="14" align="left">
13193 <td valign="top" align="left" height="14" style=
13194 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13195 <p class="TextFontCX" align="center" style=
13196 'text-align:center;background:#CCCCCC'><span style=
13197 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13198 <p class="TextFontCX"><span class="Flag"><span style=
13199 'font-size:10.0pt'>glob-alias</span></span></p>
13200 <p class="IndentText">Function returns with global aliasing
13201 external state (sets <span class="Flag"><span style=
13202 'font-size:10.0pt'>checkstrict-glob-alias</span></span>,
13203 <span class="Flag"><span style=
13204 'font-size:10.0pt'>checked-glob-alias</span></span>,
13205 c<span class="Flag"><span style=
13206 'font-size:10.0pt'>heckmod-glob-alias</span></span> and
13207 <span class="Flag"><span style=
13208 'font-size:10.0pt'>unchecked-glob-alias</span></span>).</p>
13210 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13211 height="14" align="left">
13213 <td valign="top" align="left" height="14" style=
13214 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13215 <p class="TextFontCX" align="center" style=
13216 'text-align:center;background:#CCCCCC'><span style=
13217 'font-size:10.0pt'>m:</span><span class=
13218 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13219 <p class="TextFontCX"><span class="Flag"><span style=
13220 'font-size:10.0pt'>checkstrict-glob-alias</span></span></p>
13221 <p class="IndentText">Function returns with a <span class=
13222 "Annot"><span style='font-size:10.0pt'>checkedstrict</span></span>
13223 global aliasing external state.</p>
13225 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13226 height="14" align="left">
13228 <td valign="top" align="left" height="14" style=
13229 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13230 <p class="TextFontCX" align="center" style=
13231 'text-align:center;background:#CCCCCC'><span style=
13232 'font-size:10.0pt'>m:</span><span class=
13233 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13234 <p class="TextFontCX"><span class="Flag"><span style=
13235 'font-size:10.0pt'>checked-glob-alias</span></span></p>
13236 <p class="IndentText">Function returns with a <span class=
13237 "Annot"><span style='font-size:10.0pt'>checked</span></span>
13238 global aliasing external state.</p>
13240 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13241 height="14" align="left">
13243 <td valign="top" align="left" height="14" style=
13244 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13245 <p class="TextFontCX" align="center" style=
13246 'text-align:center;background:#CCCCCC'><span style=
13247 'font-size:10.0pt'>m:</span><span class=
13248 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13249 <p class="TextFontCX"><span class="Flag"><span style=
13250 'font-size:10.0pt'>checkmod-glob-alias</span></span></p>
13251 <p class="IndentText">Function returns with a <span class=
13252 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
13253 global aliasing external state.</p>
13255 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13256 height="14" align="left">
13258 <td valign="top" align="left" height="14" style=
13259 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13260 <p class="TextFontCX" align="center" style=
13261 'text-align:center;background:#CCCCCC'><span style=
13262 'font-size:10.0pt'>m:</span><span class=
13263 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13264 <p class="TextFontCX"><span class="Flag"><span style=
13265 'font-size:10.0pt'>unchecked-glob-alias</span></span></p>
13266 <p class="IndentText">Function returns with an <span class=
13267 "Annot"><span style='font-size:10.0pt'>unchecked</span></span>
13268 global aliasing external state.</p>
13269 <p class="Heading10">Declaration Consistency <span style=
13270 'font-weight:normal'>(Section 7.3)</span></p>
13272 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13273 height="14" align="left">
13275 <td valign="top" align="left" height="14" style=
13276 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13277 <p class="TextFontCX" align="center" style=
13278 'text-align:center;background:#CCCCCC'><span style=
13279 'font-size:10.0pt'>m:</span><span class=
13280 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13281 <p class="TextFontCX"><span class="Flag"><span style=
13282 'font-size:10.0pt'>incon-defs</span></span></p>
13283 <p class="IndentText">Identifier redeclared or redefined with
13284 inconsistent type.</p>
13286 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13287 height="14" align="left">
13289 <td valign="top" align="left" height="14" style=
13290 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13291 <p class="TextFontCX" align="center" style=
13292 'text-align:center;background:#CCCCCC'><span style=
13293 'font-size:10.0pt'>m:</span><span class=
13294 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13295 <p class="TextFontCX"><span class="Flag"><span style=
13296 'font-size:10.0pt'>incon-defs-lib</span></span></p>
13297 <p class="IndentText">Identifier defined in a library is redefined
13298 with inconsistent type.</p>
13300 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13301 height="14" align="left">
13303 <td valign="top" align="left" height="14" style=
13304 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13305 <p class="TextFontCX" align="center" style=
13306 'text-align:center;background:#CCCCCC'><span style=
13307 'font-size:10.0pt'>m:</span><span class=
13308 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
13309 <p class="TextFontCX"><span class="Flag"><span style=
13310 'font-size:10.0pt'>overload</span></span></p>
13311 <p class="IndentText">Standard library function overloaded.</p>
13313 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13314 height="14" align="left">
13316 <td valign="top" align="left" height="14" style=
13317 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13318 <p class="TextFontCX" align="center" style=
13319 'text-align:center;background:#CCCCCC'><span style=
13320 'font-size:10.0pt'>m:</span><span class=
13321 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13322 <p class="TextFontCX"><span class="Flag"><span style=
13323 'font-size:10.0pt'>match-fields</span></span></p>
13324 <p class="IndentText">A <span class="CodeText"><span style=
13325 'font-size:10.0pt'>struct</span></span> or <span class=
13326 "CodeText"><span style='font-size:10.0pt'>enum</span></span> type
13327 is redefined with inconsistent fields or members.</p>
13328 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13329 <a name="_Toc534975057">Macros</a> <span class=
13330 "TextFontCXChar"><span style=
13331 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
13332 <span class="TextFontCXChar"><span style=
13333 'font-size:11.0pt; font-weight:normal'>11</span></span><span class="TextFontCXChar">
13335 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
13336 <p class="TextFontCX">These flags control expansion and checking of
13337 macro definitions and invocations.</p>
13338 <p class="Heading10">Macro Expansion</p>
13339 <p class="beforelist">These flags control which macros are checked
13340 as functions or constants, and which are expanded in the
13341 pre-processing phase. Macros preceded by <span class=
13342 "Annot"><span style=
13343 'font-size:10.0pt'>/*@notfunction@*/</span></span> are never
13344 expanded regardless of these flag settings. These flags may
13345 be used in source-file control comments.</p>
13347 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13348 height="14" align="left">
13350 <td valign="top" align="left" height="14" style=
13351 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13352 <p class="TextFontCX" align="center" style=
13353 'text-align:center;background:#CCCCCC'><span style=
13354 'font-size:10.0pt'>P:</span> <span class=
13355 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13356 <p class="TextFontCX"><span class="Flag"><span style=
13357 'font-size:10.0pt'>fcn-macros</span></span></p>
13358 <p class="IndentText">Macros defined with parameter lists are not
13359 expanded and are checked as functions.</p>
13361 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13362 height="14" align="left">
13364 <td valign="top" align="left" height="14" style=
13365 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13366 <p class="TextFontCX" align="center" style=
13367 'text-align:center;background:#CCCCCC'><span style=
13368 'font-size:10.0pt'>P:</span> <span class=
13369 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13370 <p class="TextFontCX"><span class="Flag"><span style=
13371 'font-size:10.0pt'>const-macros</span></span></p>
13372 <p class="IndentText">Macros defined without parameter lists are
13373 not expanded and are checked as constants.</p>
13375 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13376 height="14" align="left">
13378 <td valign="top" align="left" height="14" style=
13379 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13380 <p class="TextFontCX" align="center" style=
13381 'text-align:center;background:#CCCCCC'><span style=
13382 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13383 <p class="TextFontCX"><span class="Flag"><span style=
13384 'font-size:10.0pt'>all-macros</span></span></p>
13385 <p class="IndentText">Sets <span class="Flag"><span style=
13386 'font-size:10.0pt'>fcn-macros</span></span> and <span class=
13387 "Flag"><span style=
13388 'font-size:10.0pt'>const-macros</span></span>.</p>
13390 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13391 height="14" align="left">
13393 <td valign="top" align="left" height="14" style=
13394 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13395 <p class="TextFontCX" align="center" style=
13396 'text-align:center;background:#CCCCCC'><span style=
13397 'font-size:10.0pt'>P:</span> <span class=
13398 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13399 <p class="TextFontCX"><span class="Flag"><span style=
13400 'font-size:10.0pt'>lib-macros</span></span></p>
13401 <p class="IndentText">Macros defining identifiers declared in a
13402 loaded library are not expanded and are checked according to the
13403 library information.<span class="Flag"><span style=
13404 'font-size:10.0pt'> </span></span></p>
13405 <p class="Heading10">Macro Definitions</p>
13406 <p class="beforelist">These flags control what errors are reported
13407 in macro definitions.</p>
13409 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13410 height="14" align="left">
13412 <td valign="top" align="left" height="14" style=
13413 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13414 <p class="TextFontCX" align="center" style=
13415 'text-align:center;background:#CCCCCC'><span style=
13416 'font-size:10.0pt'>m:</span><span class=
13417 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13418 <p class="TextFontCX"><span class="Flag"><span style=
13419 'font-size:10.0pt'>macro-stmt</span></span></p>
13420 <p class="IndentText">Macro definition is not syntactically
13421 equivalent to function. This means if the macro is used as a
13422 statement (e.g., <span class="CodeText"><span style=
13423 'font-size:10.0pt'>if (test) macro();</span></span>) unexpected
13424 behavior may result. One fix is to surround the macro body
13425 with <span class="CodeText"><span style='font-size:10.0pt'>do {
13426 … } while (FALSE)</span></span>.</p>
13428 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13429 height="14" align="left">
13431 <td valign="top" align="left" height="14" style=
13432 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13433 <p class="TextFontCX" align="center" style=
13434 'text-align:center;background:#CCCCCC'><span style=
13435 'font-size:10.0pt'>m:</span><span class=
13436 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13437 <p class="TextFontCX"><span class="Flag"><span style=
13438 'font-size:10.0pt'>macro-return</span></span></p>
13439 <p class="IndentText">
13440 The body of a macro declared as a function uses a
13441 <span class="CodeText"><span style='font-size:10.0pt'>return</span></span>
13442 statement. This exhibits behavior that could not be implemented by a function.
13445 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13446 height="14" align="left">
13448 <td valign="top" align="left" height="14" style=
13449 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13450 <p class="TextFontCX" align="center" style=
13451 'text-align:center;background:#CCCCCC'><span style=
13452 'font-size:10.0pt'>m:</span><span class=
13453 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13454 <p class="TextFontCX"><span class="Flag"><span style=
13455 'font-size:10.0pt'>macro-assign</span></span></p>
13456 <p class="IndentText">A macro parameter is used as the left side of
13457 an assignment expression.</p>
13459 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13460 height="14" align="left">
13462 <td valign="top" align="left" height="14" style=
13463 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13464 <p class="TextFontCX" align="center" style=
13465 'text-align:center;background:#CCCCCC'><span style=
13466 'font-size:10.0pt'>m:</span><span class=
13467 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13468 <p class="TextFontCX"><span class="Flag"><span style=
13469 'font-size:10.0pt'>macro-parens</span></span></p>
13470 <p class="IndentText">A macro parameter is used without parentheses
13471 (in potentially dangerous context).</p>
13473 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13474 height="14" align="left">
13476 <td valign="top" align="left" height="14" style=
13477 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13478 <p class="TextFontCX" align="center" style=
13479 'text-align:center;background:#CCCCCC'><span style=
13480 'font-size:10.0pt'>m:</span><span class=
13481 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
13482 <p class="TextFontCX"><span class="Flag"><span style=
13483 'font-size:10.0pt'>macro-empty</span></span></p>
13484 <p class="IndentText">Macro definition of a function is
13485 empty. </p>
13487 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13488 height="14" align="left">
13490 <td valign="top" align="left" height="14" style=
13491 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13492 <p class="TextFontCX" align="center" style=
13493 'text-align:center;background:#CCCCCC'><span style=
13494 'font-size:10.0pt'>m:</span><span class=
13495 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13496 <p class="TextFontCX"><span class="Flag"><span style=
13497 'font-size:10.0pt'>macro-redef</span></span></p>
13498 <p class="IndentText">Macro is redefined. There is another
13499 macro defined with the same name.</p>
13501 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13502 height="14" align="left">
13504 <td valign="top" align="left" height="14" style=
13505 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13506 <p class="TextFontCX" align="center" style=
13507 'text-align:center;background:#CCCCCC'><span style=
13508 'font-size:10.0pt'>m:</span><span class=
13509 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13510 <p class="TextFontCX"><span class="Flag"><span style=
13511 'font-size:10.0pt'>macro-unrecog</span></span> </p>
13512 <p class="IndentText">An unrecognized identifier appears in a macro
13513 definition. Since the identifier may be defined where the
13514 macro is used, this could be okay, but Splint will not be able to
13515 check the unrecognized identifier appropriately.</p>
13516 <p class="Heading11">Corresponding Declarations</p>
13518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13519 height="14" align="left">
13521 <td valign="top" align="left" height="14" style=
13522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13523 <p class="TextFontCX" align="center" style=
13524 'text-align:center;background:#CCCCCC'><span style=
13525 'font-size:10.0pt'>m:</span><span class=
13526 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
13527 <p class="TextFontCX"><span class="Flag"><span style=
13528 'font-size:10.0pt'>macro-match-name</span></span></p>
13529 <p class="IndentText">An <span class="Annot"><span style=
13530 'font-size:10.0pt'>iter</span></span> or <span class=
13531 "Annot"><span style=
13532 'font-size:10.0pt'>constant</span></span> macro is defined
13533 using a different name from the one used in the previous syntactic
13536 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13537 height="14" align="left">
13539 <td valign="top" align="left" height="14" style=
13540 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13541 <p class="TextFontCX" align="center" style=
13542 'text-align:center;background:#CCCCCC'><span style=
13543 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13544 <p class="TextFontCX"><span class="Flag"><span style=
13545 'font-size:10.0pt'>macro-decl</span></span></p>
13546 <p class="IndentText">A macro definition has no corresponding
13547 declaration. (Sets <span class="Flag"><span style=
13548 'font-size:10.0pt'>macrofcndecl</span></span> and
13549 <span class="Flag"><span style=
13550 'font-size:10.0pt'>macroconstdecl</span></span>.)</p>
13552 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13553 height="14" align="left">
13555 <td valign="top" align="left" height="14" style=
13556 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13557 <p class="TextFontCX" align="center" style=
13558 'text-align:center;background:#CCCCCC'><span style=
13559 'font-size:10.0pt'>m:</span><span class=
13560 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13561 <p class="TextFontCX"><span class="Flag"><span style=
13562 'font-size:10.0pt'>macro-fcn-decl</span></span></p>
13563 <p class="IndentText">Macro definition with parameter list has no
13564 corresponding function prototype. Without a prototype, the types of
13565 the macro result and parameters are unknown.</p>
13567 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13568 height="14" align="left">
13570 <td valign="top" align="left" height="14" style=
13571 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13572 <p class="TextFontCX" align="center" style=
13573 'text-align:center;background:#CCCCCC'><span style=
13574 'font-size:10.0pt'>m:</span><span class=
13575 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13576 <p class="TextFontCX"><span class="Flag"><span style=
13577 'font-size:10.0pt'>macro-const-decl</span></span></p>
13578 <p class="IndentText">A macro definition without parameter list has
13579 no corresponding constant declaration.<span class=
13580 "Flag"><span style=
13581 'font-size: 10.0pt'> </span></span></p>
13583 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13584 height="14" align="left">
13586 <td valign="top" align="left" height="14" style=
13587 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13588 <p class="TextFontCX" align="center" style=
13589 'text-align:center;background:#CCCCCC'><span style=
13590 'font-size:10.0pt'>P:</span> <span class=
13591 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13592 <p class="TextFontCX"><span class="Flag"><span style=
13593 'font-size:10.0pt'>next-line-macros</span></span></p>
13594 <p class="IndentText">A constant or iter declaration is not
13595 immediately followed by a macro definition.</p>
13596 <p class="Heading10">Side Effect Free Parameters <span class=
13597 "HeadingNote"><span style=
13598 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
13599 <span class="HeadingNote"><span style=
13600 'font-size:10.5pt;font-weight:normal;font-style: normal'>11.2.1</span></span><span class="HeadingNote">
13602 'font-size: 10.5pt;font-weight:normal;font-style:normal'>)</span></span></p>
13603 <p class="beforelist">These flags control error reporting for
13604 parameters with inconsistent side effects in invocations of checked
13605 function macros and function calls.</p>
13607 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13608 height="14" align="left">
13610 <td valign="top" align="left" height="14" style=
13611 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13612 <p class="TextFontCX" align="center" style=
13613 'text-align:center;background:#CCCCCC'><span style=
13614 'font-size:10.0pt'>m:</span><span class=
13615 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
13616 <p class="TextFontCX"><span class="Flag"><span style=
13617 'font-size:10.0pt'>sef-params</span></span></p>
13618 <p class="IndentText">An actual parameter with side effects is
13619 passed as a formal parameter declared with <span class=
13620 "Annot"><span style='font-size:10.0pt'>sef</span></span>.</p>
13622 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13623 height="14" align="left">
13625 <td valign="top" align="left" height="14" style=
13626 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13627 <p class="TextFontCX" align="center" style=
13628 'text-align:center;background:#CCCCCC'><span style=
13629 'font-size:10.0pt'>m:</span><span class=
13630 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
13631 <p class="TextFontCX"><span class="Flag"><span style=
13632 'font-size:10.0pt'>sef-uncon</span></span></p>
13633 <p class="IndentText">An actual parameter involving a call to an
13634 unconstrained function (declared without modifies clause) that may
13635 modify anything is passed as a <span class=
13636 "Annot"><span style='font-size:10.0pt'>sef</span></span>
13638 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13639 <a name="_Toc534975058">Iterators</a></p>
13641 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13642 height="14" align="left">
13644 <td valign="top" align="left" height="14" style=
13645 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13646 <p class="TextFontCX" align="center" style=
13647 'text-align:center;background:#CCCCCC'><span style=
13648 'font-size:10.0pt'>P:</span> <span class=
13649 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13650 <p class="TextFontCX"><span class="Flag"><span style=
13651 'font-size:10.0pt'>iterbalance</span></span></p>
13652 <p class="IndentText">Iter is not balanced with end
13653 <span class="CodeText"><span style='font-size:10.0pt'> <iter></span></span>.
13657 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13658 height="14" align="left">
13660 <td valign="top" align="left" height="14" style=
13661 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13662 <p class="TextFontCX" align="center" style=
13663 'text-align:center;background:#CCCCCC'><span style=
13664 'font-size:10.0pt'>P:</span> <span class=
13665 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13666 <p class="TextFontCX"><span class="Flag"><span style=
13667 'font-size:10.0pt'>iteryield</span></span></p>
13668 <p class="IndentText">Iter yield parameter is inappropriate.
13672 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13673 height="14" align="left">
13675 <td valign="top" align="left" height="14" style=
13676 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13677 <p class="TextFontCX" align="center" style=
13678 'text-align:center;background:#CCCCCC'><span style=
13679 'font-size:10.0pt'>P:</span> <span class=
13680 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13681 <p class="TextFontCX"><span class="Flag"><span style=
13682 'font-size:10.0pt'>has-yield</span></span></p>
13683 <p class="IndentText">An iterator has been declared with no
13684 parameters annotated with <span class="Annot"><span style=
13685 'font-size:10.0pt'>yield</span></span>.</p>
13687 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
13688 <a name="_Toc534975059">Naming Conventions</a> <span class=
13689 "TextFontCXChar"><span style=
13690 'font-size:11.0pt; font-weight:normal'>(Section
13691 12)</span></span></p>
13693 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13694 height="14" align="left">
13696 <td valign="top" align="left" height="14" style=
13697 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13698 <p class="TextFontCX" align="center" style=
13699 'text-align:center;background:#CCCCCC'><span style=
13700 'font-size:10.0pt'>P:</span> <span class=
13701 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13702 <p class="TextFontCX"><span class="Flag"><span style=
13703 'font-size:10.0pt'>name-checks</span></span></p>
13704 <p class="IndentText">Turns all name checking on or off without
13705 changing other settings.</p>
13706 <p class="Heading10">Type-Based Naming Conventions
13707 <span style='font-size:10.5pt; font-weight:normal'>(Section
13709 <p class="Heading11">Czech Naming Convention</p>
13711 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13712 height="14" align="left">
13714 <td valign="top" align="left" height="14" style=
13715 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13716 <p class="TextFontCX" align="center" style=
13717 'text-align:center;background:#CCCCCC'><span style=
13718 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13719 <p class="TextFontCX"><span class="Flag"><span style=
13720 'font-size:10.0pt'>czech</span></span></p>
13721 <p class="IndentText">Selects complete Czech naming convention
13722 (sets <span class="Flag"><span style=
13723 'font-size:10.0pt'>access-czech</span></span>, <span class=
13724 "Flag"><span style='font-size:10.0pt'>czech-fcns</span></span>,
13725 <span class="Flag"><span style=
13726 'font-size:10.0pt'>czech-vars</span></span>, <span class=
13727 "Flag"><span style='font-size:10.0pt'>czech-consts</span></span>,
13728 <span class="Flag"><span style=
13729 'font-size:10.0pt'>czech-macros</span></span>, and
13730 <span class="Flag"><span style=
13731 'font-size:10.0pt'>czech-types</span></span>).</p>
13733 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13734 height="14" align="left">
13736 <td valign="top" align="left" height="14" style=
13737 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13738 <p class="TextFontCX" align="center" style=
13739 'text-align:center;background:#CCCCCC'><span style=
13740 'font-size:10.0pt'>P:</span> <span class=
13741 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
13742 <p class="TextFontCX"><span class="Flag"><span style=
13743 'font-size:10.0pt'>access-czech</span></span></p>
13744 <p class="IndentText">Allow access to abstract types following
13745 Czech naming convention. The representation of an abstract
13746 type named <span class="CodeText"><i><span style=
13747 'font-size:10.0pt'>t</span></i></span> is accessible in the
13748 definition of a function or constant named <span class=
13749 "CodeText"><i><span style=
13750 'font-size:10.0pt'>t_name</span></i></span>.</p>
13752 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13753 height="14" align="left">
13755 <td valign="top" align="left" height="14" style=
13756 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13757 <p class="TextFontCX" align="center" style=
13758 'text-align:center;background:#CCCCCC'><span style=
13759 'font-size:10.0pt'>P:</span> <span class=
13760 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13761 <p class="TextFontCX"><span class="Flag"><span style=
13762 'font-size:10.0pt'>czech-fcns</span></span></p>
13763 <p class="IndentText">Function or iterator name is not consistent
13764 with Czech naming convention.</p>
13766 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13767 height="14" align="left">
13769 <td valign="top" align="left" height="14" style=
13770 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13771 <p class="TextFontCX" align="center" style=
13772 'text-align:center;background:#CCCCCC'><span style=
13773 'font-size:10.0pt'>P:</span> <span class=
13774 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13775 <p class="TextFontCX"><span class="Flag"><span style=
13776 'font-size:10.0pt'>czech-vars</span></span></p>
13777 <p class="IndentText"> Variable name is not consistent with
13778 Czech naming convention.</p>
13780 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13781 height="14" align="left">
13783 <td valign="top" align="left" height="14" style=
13784 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13785 <p class="TextFontCX" align="center" style=
13786 'text-align:center;background:#CCCCCC'><span style=
13787 'font-size:10.0pt'>P:</span> <span class=
13788 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13789 <p class="TextFontCX"><span class="Flag"><span style=
13790 'font-size:10.0pt'>czech-macros</span></span></p>
13791 <p class="IndentText"> Expanded macro name is not consistent
13792 with Czech naming convention.</p>
13794 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13795 height="14" align="left">
13797 <td valign="top" align="left" height="14" style=
13798 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13799 <p class="TextFontCX" align="center" style=
13800 'text-align:center;background:#CCCCCC'><span style=
13801 'font-size:10.0pt'>P:</span> <span class=
13802 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13803 <p class="TextFontCX"><span class="Flag"><span style=
13804 'font-size:10.0pt'>czech-consts</span></span></p>
13805 <p class="IndentText">Constant name is not consistent with Czech
13806 naming convention.</p>
13808 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13809 height="14" align="left">
13811 <td valign="top" align="left" height="14" style=
13812 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13813 <p class="TextFontCX" align="center" style=
13814 'text-align:center;background:#CCCCCC'><span style=
13815 'font-size:10.0pt'>P:</span> <span class=
13816 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13817 <p class="TextFontCX"><span class="Flag"><span style=
13818 'font-size:10.0pt'>czech-types</span></span></p>
13819 <p class="IndentText">Type name is not consistent with Czech naming
13820 convention. Czech type names must not use the underscore
13822 <p class="Heading11">Slovak Naming Convention</p>
13824 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13825 height="14" align="left">
13827 <td valign="top" align="left" height="14" style=
13828 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13829 <p class="TextFontCX" align="center" style=
13830 'text-align:center;background:#CCCCCC'><span style=
13831 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13832 <p class="TextFontCX"><span class="Flag"><span style=
13833 'font-size:10.0pt'>slovak</span></span></p>
13834 <p class="IndentText">Selects complete Slovak naming convention
13835 (sets <span class="Flag"><span style=
13836 'font-size:10.0pt'>access-slovak</span></span>, <span class=
13837 "Flag"><span style='font-size:10.0pt'>slovak-fcns</span></span>,
13838 <span class="Flag"><span style=
13839 'font-size:10.0pt'>slovak-vars</span></span>, <span class=
13840 "Flag"><span style='font-size:10.0pt'>slovak-consts</span></span>,
13841 <span class="Flag"><span style=
13842 'font-size:10.0pt'>slovak-macros</span></span>, and
13843 <span class="Flag"><span style=
13844 'font-size:10.0pt'>slovak-types</span></span>).</p>
13846 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13847 height="14" align="left">
13849 <td valign="top" align="left" height="14" style=
13850 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13851 <p class="TextFontCX" align="center" style=
13852 'text-align:center;background:#CCCCCC'><span style=
13853 'font-size:10.0pt'>P:</span> <span class=
13854 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13855 <p class="TextFontCX"><span class="Flag"><span style=
13856 'font-size:10.0pt'>access-slovak</span></span></p>
13857 <p class="IndentText">Allow access to abstract types following
13858 Slovak naming convention. The representation of an abstract type
13859 named <span class="CodeText"><i><span style=
13860 'font-size:10.0pt'>t</span></i></span> is accessible in the
13861 definition of a function or constant named <span class=
13862 "CodeText"><i><span style=
13863 'font-size:10.0pt'>tName</span></i></span>.</p>
13865 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13866 height="14" align="left">
13868 <td valign="top" align="left" height="14" style=
13869 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13870 <p class="TextFontCX" align="center" style=
13871 'text-align:center;background:#CCCCCC'><span style=
13872 'font-size:10.0pt'>P:</span> <span class=
13873 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13874 <p class="TextFontCX"><span class="Flag"><span style=
13875 'font-size:10.0pt'>slovak-fcns</span></span></p>
13876 <p class="IndentText">Function or iterator name is not consistent
13877 with Slovak naming convention.</p>
13879 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13880 height="14" align="left">
13882 <td valign="top" align="left" height="14" style=
13883 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13884 <p class="TextFontCX" align="center" style=
13885 'text-align:center;background:#CCCCCC'><span style=
13886 'font-size:10.0pt'>P:</span> <span class=
13887 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13888 <p class="TextFontCX"><span class="Flag"><span style=
13889 'font-size:10.0pt'>slovak-macros</span></span></p>
13890 <p class="IndentText">Expanded macro name is not consistent with
13891 Slovak naming convention.</p>
13893 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13894 height="14" align="left">
13896 <td valign="top" align="left" height="14" style=
13897 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13898 <p class="TextFontCX" align="center" style=
13899 'text-align:center;background:#CCCCCC'><span style=
13900 'font-size:10.0pt'>P:</span> <span class=
13901 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13902 <p class="TextFontCX"><span class="Flag"><span style=
13903 'font-size:10.0pt'>slovak-vars</span></span></p>
13904 <p class="IndentText"> Variable name is not consistent with
13905 Slovak naming convention.</p>
13907 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13908 height="14" align="left">
13910 <td valign="top" align="left" height="14" style=
13911 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13912 <p class="TextFontCX" align="center" style=
13913 'text-align:center;background:#CCCCCC'><span style=
13914 'font-size:10.0pt'>P:</span> <span class=
13915 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13916 <p class="TextFontCX"><span class="Flag"><span style=
13917 'font-size:10.0pt'>slovak-consts</span></span></p>
13918 <p class="IndentText"> Constant name is not consistent with
13919 Slovak naming convention.</p>
13921 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13922 height="14" align="left">
13924 <td valign="top" align="left" height="14" style=
13925 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13926 <p class="TextFontCX" align="center" style=
13927 'text-align:center;background:#CCCCCC'><span style=
13928 'font-size:10.0pt'>P:</span> <span class=
13929 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13930 <p class="TextFontCX"><span class="Flag"><span style=
13931 'font-size:10.0pt'>slovak-types</span></span></p>
13932 <p class="IndentText">Type name is not consistent with Slovak
13933 naming convention. Slovak type names may not include
13934 uppercase letters.</p>
13935 <p class="Heading11">Czechoslovak Naming Convention</p>
13937 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13938 height="14" align="left">
13940 <td valign="top" align="left" height="14" style=
13941 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13942 <p class="TextFontCX" align="center" style=
13943 'text-align:center;background:#CCCCCC'><span style=
13944 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
13945 <p class="TextFontCX"><span class="Flag"><span style=
13946 'font-size:10.0pt'>czechoslovak</span></span></p>
13947 <p class="IndentText">Selects complete Czechoslovak naming
13948 convention (sets <span class="Flag"><span style=
13949 'font-size:10.0pt'>access-czechoslovak</span></span>,
13950 <span class="Flag"><span style=
13951 'font-size:10.0pt'>czechoslovak-fcns</span></span>,
13952 <span class="Flag"><span style=
13953 'font-size:10.0pt'>czechoslovak-vars</span></span>,
13954 <span class="Flag"><span style=
13955 'font-size:10.0pt'>czechoslovak-consts</span></span>,
13956 <span class="Flag"><span style=
13957 'font-size:10.0pt'>czechoslovak-macros</span></span>, and
13958 <span class="Flag"><span style=
13959 'font-size:10.0pt'>czechoslovak-types</span></span>).</p>
13961 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13962 height="14" align="left">
13964 <td valign="top" align="left" height="14" style=
13965 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13966 <p class="TextFontCX" align="center" style=
13967 'text-align:center;background:#CCCCCC'><span style=
13968 'font-size:10.0pt'>P:</span> <span class=
13969 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13970 <p class="TextFontCX"><span class="Flag"><span style=
13971 'font-size:10.0pt'>access-czechoslovak</span></span></p>
13972 <p class="IndentText">Allow access to abstract types by
13973 Czechoslovak naming convention. The representation of an abstract
13974 type named <span class="CodeText"><i><span style=
13975 'font-size:10.0pt'>t</span></i></span> is accessible in the
13976 definition of a function or constant named <span class=
13977 "CodeText"><i><span style=
13978 'font-size:10.0pt'>t_name</span></i></span> or <span class=
13979 "CodeText"><i><span style=
13980 'font-size:10.0pt'>tName</span></i></span>.</p>
13982 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13983 height="14" align="left">
13985 <td valign="top" align="left" height="14" style=
13986 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
13987 <p class="TextFontCX" align="center" style=
13988 'text-align:center;background:#CCCCCC'><span style=
13989 'font-size:10.0pt'>P:</span> <span class=
13990 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
13991 <p class="TextFontCX"><span class="Flag"><span style=
13992 'font-size:10.0pt'>czechoslovak-fcns</span></span></p>
13993 <p class="IndentText"> Function name is not consistent with
13994 Czechoslovak naming convention.</p>
13996 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
13997 height="14" align="left">
13999 <td valign="top" align="left" height="14" style=
14000 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14001 <p class="TextFontCX" align="center" style=
14002 'text-align:center;background:#CCCCCC'><span style=
14003 'font-size:10.0pt'>P:</span> <span class=
14004 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14005 <p class="TextFontCX"><span class="Flag"><span style=
14006 'font-size:10.0pt'>czechoslovak-macros</span></span></p>
14007 <p class="IndentText">Expanded macro name is not consistent with
14008 Czechoslovak naming convention.</p>
14010 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14011 height="14" align="left">
14013 <td valign="top" align="left" height="14" style=
14014 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14015 <p class="TextFontCX" align="center" style=
14016 'text-align:center;background:#CCCCCC'><span style=
14017 'font-size:10.0pt'>P:</span> <span class=
14018 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14019 <p class="TextFontCX"><span class="Flag"><span style=
14020 'font-size:10.0pt'>czechoslovak-vars</span></span></p>
14021 <p class="IndentText">Variable name is not consistent with
14022 Czechoslovak naming convention.</p>
14024 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14025 height="14" align="left">
14027 <td valign="top" align="left" height="14" style=
14028 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14029 <p class="TextFontCX" align="center" style=
14030 'text-align:center;background:#CCCCCC'><span style=
14031 'font-size:10.0pt'>P:</span> <span class=
14032 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14033 <p class="TextFontCX"><span class="Flag"><span style=
14034 'font-size:10.0pt'>czechoslovak-consts</span></span></p>
14035 <p class="IndentText">Constant name is not consistent with
14036 Czechoslovak naming convention.</p>
14038 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14039 height="14" align="left">
14041 <td valign="top" align="left" height="14" style=
14042 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14043 <p class="TextFontCX" align="center" style=
14044 'text-align:center;background:#CCCCCC'><span style=
14045 'font-size:10.0pt'>P:</span> <span class=
14046 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14047 <p class="TextFontCX"><span class="Flag"><span style=
14048 'font-size:10.0pt'>czechoslovak-types</span></span></p>
14049 <p class="IndentText">Type name is not consistent with Czechoslovak
14050 naming convention. Czechoslovak type names may not include
14051 uppercase letters or the underscore character.</p>
14052 <p class="Heading10">Namespace Prefixes <span style=
14053 'font-size:10.5pt; font-weight:normal'>(Section 12.2)</span></p>
14054 <p class="TextFontCX"><span class="Flag"><span style=
14055 'font-size:10.0pt'>macro-var-prefix</span></span><span class=
14056 "Flag"><span style='font-size:10.0pt'> <i><prefix
14057 string></i></span></span></p>
14058 <p class="IndentText">Set namespace prefix for variables declared
14059 in a macro body. (Default is <span class=
14060 "CodeText"><span style='font-size:10.0pt'>m_</span></span>.)</p>
14062 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14063 height="14" align="left">
14065 <td valign="top" align="left" height="14" style=
14066 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14067 <p class="TextFontCX" align="center" style=
14068 'text-align:center;background:#CCCCCC'>P: <span class=
14069 "Keyword"><span style=
14070 'font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14071 <p class="TextFontCX"><span class="Flag"><span style=
14072 'font-size:10.0pt'>macro-var-prefix-exclude</span></span></p>
14073 <p class="IndentText">A variable declared outside a macro body
14074 starts with the <span class="Flag"><span style=
14075 'font-size:10.0pt'>macro-var-prefix</span></span>.</p>
14076 <p class="TextFontCX"><span class="Flag"><span style=
14077 'font-size:10.0pt'>tag-prefix</span></span><span class=
14078 "Flag"><span style='font-size:10.0pt'> <i><prefix
14079 string></i></span></span></p>
14080 <p class="IndentText">Set namespace prefix of <span class=
14081 "CodeText"><span style='font-size:10.0pt'>struct</span></span>,
14082 <span class="CodeText"><span style=
14083 'font-size:10.0pt'>union</span></span> or <span class=
14084 "CodeText"><span style='font-size:10.0pt'>enum</span></span> tag
14087 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14088 height="14" align="left">
14090 <td valign="top" align="left" height="14" style=
14091 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14092 <p class="TextFontCX" align="center" style=
14093 'text-align:center;background:#CCCCCC'><span style=
14094 'font-size:10.0pt'>P:</span> <span class=
14095 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14096 <p class="TextFontCX"><span class="Flag"><span style=
14097 'font-size:10.0pt'>tag-prefix-exclude</span></span></p>
14098 <p class="IndentText">An identifier that is not a tag starts with
14099 the <span class="Flag"><span style=
14100 'font-size:10.0pt'>tagprefix</span></span>.</p>
14101 <p class="TextFontCX"><span class="Flag"><span style=
14102 'font-size:10.0pt'>enum-prefix</span></span><span class=
14103 "Flag"><span style='font-size:10.0pt'> <i><prefix
14104 string></i></span></span></p>
14105 <p class="IndentText">Set namespace prefix for <span class=
14106 "CodeText"><span style='font-size:10.0pt'>enum</span></span>
14109 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14110 height="14" align="left">
14112 <td valign="top" align="left" height="14" style=
14113 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14114 <p class="TextFontCX" align="center" style=
14115 'text-align:center;background:#CCCCCC'><span style=
14116 'font-size:10.0pt'>P:</span> <span class=
14117 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14118 <p class="TextFontCX"><span class="Flag"><span style=
14119 'font-size:10.0pt'>enum-prefix-exclude</span></span></p>
14120 <p class="IndentText">An identifier that is not an
14121 <span class="CodeText"><span style=
14122 'font-size:10.0pt'>enum</span></span> member starts with the
14123 <span class="Flag"><span style=
14124 'font-size:10.0pt'>enumprefix</span></span>.</p>
14125 <p class="TextFontCX"><span class="Flag"><span style=
14126 'font-size:10.0pt'>file-static-prefix</span></span><span class="Flag">
14127 <span style='font-size:10.0pt'> <i><prefix
14128 string></i></span></span></p>
14129 <p class="IndentText">Set namespace prefix for file
14130 <span class="CodeText"><span style=
14131 'font-size:10.0pt'>static</span></span> declarations.</p>
14133 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14134 height="14" align="left">
14136 <td valign="top" align="left" height="14" style=
14137 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14138 <p class="TextFontCX" align="center" style=
14139 'text-align:center;background:#CCCCCC'><span style=
14140 'font-size:10.0pt'>P:</span> <span class=
14141 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14142 <p class="TextFontCX"><span class="Flag"><span style=
14143 'font-size:10.0pt'>file-static-prefix-exclude</span></span></p>
14144 <p class="IndentText">An identifier that is not file static starts
14145 with the <span class="Flag"><span style=
14146 'font-size:10.0pt'>filestaticprefix</span></span>.</p>
14147 <p class="TextFontCX"><span class="Flag"><span style=
14148 'font-size:10.0pt'>global-prefix</span></span><span class=
14149 "Flag"><span style='font-size:10.0pt'> <i><prefix
14150 string></i></span></span></p>
14151 <p class="IndentText">Set namespace prefix for global
14154 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14155 height="14" align="left">
14157 <td valign="top" align="left" height="14" style=
14158 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14159 <p class="TextFontCX" align="center" style=
14160 'text-align:center;background:#CCCCCC'><span style=
14161 'font-size:10.0pt'>P:</span> <span class=
14162 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14163 <p class="TextFontCX"><span class="Flag"><span style=
14164 'font-size:10.0pt'>global-prefix-exclude</span></span></p>
14165 <p class="IndentText">An identifier that is not a global variable
14166 starts with the <span class="Flag"><span style=
14167 'font-size:10.0pt'>globalprefix</span></span>.</p>
14168 <p class="TextFontCX"><span class="Flag"><span style=
14169 'font-size:10.0pt'>type-prefix</span></span><span class=
14170 "Flag"><span style='font-size:10.0pt'> <i><prefix
14171 string></i></span></span></p>
14172 <p class="IndentText">Set namespace prefix for user-defined
14175 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14176 height="14" align="left">
14178 <td valign="top" align="left" height="14" style=
14179 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14180 <p class="TextFontCX" align="center" style=
14181 'text-align:center;background:#CCCCCC'><span style=
14182 'font-size:10.0pt'>P:</span> <span class=
14183 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14184 <p class="TextFontCX"><span class="Flag"><span style=
14185 'font-size:10.0pt'>type-prefix-exclude</span></span></p>
14186 <p class="IndentText">An identifier that is not a type name starts
14187 with the <span class="Flag"><span style=
14188 'font-size:10.0pt'>typeprefix</span></span>.</p>
14189 <p class="TextFontCX"><span class="Flag"><span style=
14190 'font-size:10.0pt'>external-prefix</span></span><span class=
14191 "Flag"><span style='font-size:10.0pt'> <i><prefix
14192 string></i></span></span></p>
14193 <p class="IndentText">Set namespace prefix for external
14196 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14197 height="14" align="left">
14199 <td valign="top" align="left" height="14" style=
14200 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14201 <p class="TextFontCX" align="center" style=
14202 'text-align:center;background:#CCCCCC'><span style=
14203 'font-size:10.0pt'>P:</span> <span class=
14204 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14205 <p class="TextFontCX"><span class="Flag"><span style=
14206 'font-size:10.0pt'>external-prefix-exclude</span></span></p>
14207 <p class="IndentText">An identifier that is not external starts
14208 with the <span class="Flag"><span style=
14209 'font-size:10.0pt'>externalprefix</span></span>.</p>
14210 <p class="TextFontCX"><span class="Flag"><span style=
14211 'font-size:10.0pt'>local-prefix</span></span><span class=
14212 "Flag"><span style='font-size:10.0pt'> <i><prefix
14213 string></i></span></span></p>
14214 <p class="IndentText">Set namespace prefix for local variables.</p>
14216 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14217 height="14" align="left">
14219 <td valign="top" align="left" height="14" style=
14220 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14221 <p class="TextFontCX" align="center" style=
14222 'text-align:center;background:#CCCCCC'><span style=
14223 'font-size:10.0pt'>P:</span> <span class=
14224 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14225 <p class="TextFontCX"><span class="Flag"><span style=
14226 'font-size:10.0pt'>local-prefix-exclude</span></span></p>
14227 <p class="IndentText"> An identifier that is not a local
14228 variable starts with the <span class="Flag"><span style=
14229 'font-size:10.0pt'>localprefix</span></span>.</p>
14230 <p class="TextFontCX"><span class="Flag"><span style=
14231 'font-size:10.0pt'>unchecked-macro-prefix</span></span><span class="Flag">
14232 <span style='font-size:10.0pt'> <i><prefix
14233 string></i></span></span></p>
14234 <p class="IndentText">Set namespace prefix for unchecked
14237 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14238 height="14" align="left">
14240 <td valign="top" align="left" height="14" style=
14241 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14242 <p class="TextFontCX" align="center" style=
14243 'text-align:center;background:#CCCCCC'><span style=
14244 'font-size:10.0pt'>P:</span> <span class=
14245 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14246 <p class="TextFontCX"><span class="Flag"><span style=
14247 'font-size:10.0pt'>unchecked-macro-prefix-exclude</span></span></p>
14248 <p class="IndentText">An identifier that is not the name of an
14249 unchecked macro starts with the <span class=
14250 "Flag"><span style='font-size:10.0pt'>uncheckedmacroprefix</span></span>.</p>
14251 <p class="TextFontCX"><span class="Flag"><span style=
14252 'font-size:10.0pt'>const-prefix</span></span><span class=
14253 "Flag"><span style='font-size:10.0pt'> <i><prefix
14254 string></i></span></span></p>
14255 <p class="IndentText">Set namespace prefix for constants.</p>
14257 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14258 height="14" align="left">
14260 <td valign="top" align="left" height="14" style=
14261 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14262 <p class="TextFontCX" align="center" style=
14263 'text-align:center;background:#CCCCCC'><span style=
14264 'font-size:10.0pt'>P:</span> <span class=
14265 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14266 <p class="TextFontCX"><span class="Flag"><span style=
14267 'font-size:10.0pt'>const-prefix-exclude</span></span></p>
14268 <p class="IndentText">An identifier that is not a constant starts
14269 with the <span class="Flag"><span style=
14270 'font-size:10.0pt'>constantprefix</span></span>.</p>
14271 <p class="TextFontCX"><span class="Flag"><span style=
14272 'font-size:10.0pt'>iter-prefix</span></span><span class=
14273 "Flag"><span style='font-size:10.0pt'> <i><prefix
14274 string></i></span></span></p>
14275 <p class="IndentText">Set namespace prefix for iterators.</p>
14277 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14278 height="14" align="left">
14280 <td valign="top" align="left" height="14" style=
14281 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14282 <p class="TextFontCX" align="center" style=
14283 'text-align:center;background:#CCCCCC'><span style=
14284 'font-size:10.0pt'>P:</span> <span class=
14285 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14286 <p class="TextFontCX"><span class="Flag"><span style=
14287 'font-size:10.0pt'>iter-prefix-exclude</span></span></p>
14288 <p class="IndentText">An identifier that is not an
14289 <span class="Flag"><span style=
14290 'font-size:10.0pt'>iter</span></span> starts with the
14291 <span class="Flag"><span style=
14292 'font-size:10.0pt'>iterprefix</span></span>.</p>
14293 <p class="TextFontCX"><span class="Flag"><span style=
14294 'font-size:10.0pt'>proto-param-prefix</span></span><span class="Flag">
14295 <span style='font-size:10.0pt'> <i><prefix
14296 string></i></span></span></p>
14297 <p class="IndentText">Set namespace prefix for parameters in
14298 function prototypes.</p>
14300 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14301 height="14" align="left">
14303 <td valign="top" align="left" height="14" style=
14304 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14305 <p class="TextFontCX" align="center" style=
14306 'text-align:center;background:#CCCCCC'><span style=
14307 'font-size:10.0pt'>P:</span> <span class=
14308 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14309 <p class="TextFontCX"><span class="Flag"><span style=
14310 'font-size:10.0pt'>proto-param-prefix-exclude</span></span></p>
14311 <p class="IndentText">An identifier that is not a parameter in a
14312 function prototype starts with the <span class=
14313 "Flag"><span style='font-size:10.0pt'>protoprarmprefix</span></span>.</p>
14315 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14316 height="14" align="left">
14318 <td valign="top" align="left" height="14" style=
14319 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14320 <p class="TextFontCX" align="center" style=
14321 'text-align:center;background:#CCCCCC'><span style=
14322 'font-size:10.0pt'>m:</span><span class=
14323 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14324 <p class="TextFontCX"><span class="Flag"><span style=
14325 'font-size:10.0pt'>proto-param-name</span></span></p>
14326 <p class="IndentText">A parameter in a function prototype has a
14327 name (can interfere with macro definitions).</p>
14329 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14330 height="14" align="left">
14332 <td valign="top" align="left" height="14" style=
14333 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14334 <p class="TextFontCX" align="center" style=
14335 'text-align:center;background:#CCCCCC'><span style=
14336 'font-size:10.0pt'>m:</span><span class=
14337 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14338 <p class="TextFontCX"><span class="Flag"><span style=
14339 'font-size:10.0pt'>proto-param-match</span></span></p>
14340 <p class="IndentText">The name of a parameter in a function
14341 definition does not match the corresponding name of the parameter
14342 in a function prototype (after removing the <span class=
14343 "Flag"><span style=
14344 'font-size:10.0pt'>protoparamprefix</span></span>).</p>
14345 <p class="Heading10">Naming Restrictions <span style=
14346 'font-size:10.5pt; font-weight:normal'>(Section 12.3)</span></p>
14348 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14349 height="14" align="left">
14351 <td valign="top" align="left" height="14" style=
14352 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14353 <p class="TextFontCX" align="center" style=
14354 'text-align:center;background:#CCCCCC'><span style=
14355 'font-size:10.0pt'>m:</span><span class=
14356 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14357 <p class="TextFontCX"><span class="Flag"><span style=
14358 'font-size:10.0pt'>shadow</span></span></p>
14359 <p class="IndentText">Declaration reuses name visible in outer
14361 <p class="Heading11">Reserved Names</p>
14363 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14364 height="14" align="left">
14366 <td valign="top" align="left" height="14" style=
14367 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14368 <p class="TextFontCX" align="center" style=
14369 'text-align:center;background:#CCCCCC'><span style=
14370 'font-size:10.0pt'>m:</span><span class=
14371 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14372 <p class="TextFontCX"><span class="Flag"><span style=
14373 'font-size:10.0pt'>ansi-reserved</span></span></p>
14374 <p class="IndentText">External name conflicts with name reserved
14375 for the compiler or standard library.</p>
14377 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14378 height="14" align="left">
14380 <td valign="top" align="left" height="14" style=
14381 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14382 <p class="TextFontCX" align="center" style=
14383 'text-align:center;background:#CCCCCC'><span style=
14384 'font-size:10.0pt'>m:</span><span class=
14385 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14386 <p class="TextFontCX"><span class="Flag"><span style=
14387 'font-size:10.0pt'>ansi-reserved-internal</span></span></p>
14388 <p class="IndentText"> Internal name conflicts with name
14389 reserved for the compiler or standard library.</p>
14392 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14393 height="14" align="left">
14395 <td valign="top" align="left" height="14" style=
14396 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14397 <p class="TextFontCX" align="center" style=
14398 'text-align:center;background:#CCCCCC'><span style=
14399 'font-size:10.0pt'>m:</span><span class=
14400 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14401 <p class="TextFontCX"><span class="Flag"><span style=
14402 'font-size:10.0pt'>iso-reserved</span></span></p>
14403 <p class="IndentText">
14404 External name is reserved for system use by ISO C99 standard.
14408 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14409 height="14" align="left">
14411 <td valign="top" align="left" height="14" style=
14412 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14413 <p class="TextFontCX" align="center" style=
14414 'text-align:center;background:#CCCCCC'><span style=
14415 'font-size:10.0pt'>m:</span><span class=
14416 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14417 <p class="TextFontCX"><span class="Flag"><span style=
14418 'font-size:10.0pt'>iso-reserved-internal</span></span></p>
14419 <p class="IndentText">
14420 Internal name is reserved for system in ISO C99 standard (this should not be necessary unless you are worried about C library implementations that violate the standard and use macros).
14424 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14425 height="14" align="left">
14427 <td valign="top" align="left" height="14" style=
14428 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14429 <p class="TextFontCX" align="center" style=
14430 'text-align:center;background:#CCCCCC'><span style=
14431 'font-size:10.0pt'>m:</span><span class=
14432 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14433 <p class="TextFontCX"><span class="Flag"><span style=
14434 'font-size:10.0pt'>cpp-names</span></span></p>
14435 <p class="IndentText">Internal or external name conflicts with a
14436 C++ reserved word. (Will cause problems if program is
14437 compiled with a C++ compiler.)</p>
14438 <p class="Heading11">Distinct External Names</p>
14440 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14441 height="14" align="left">
14443 <td valign="top" align="left" height="14" style=
14444 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14445 <p class="TextFontCX" align="center" style=
14446 'text-align:center;background:#CCCCCC'><span style=
14447 'font-size:10.0pt'>P:</span> <span class=
14448 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14449 <p class="TextFontCX"><span class="Flag"><span style=
14450 'font-size:10.0pt'>distinct-external-names</span></span></p>
14451 <p class="IndentText">An external name is not distinguishable from
14452 another external name using <span class="Flag"><span style=
14453 'font-size:10.0pt'>externalnamelen</span></span><i> </i>significant
14456 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14457 height="14" align="left">
14459 <td valign="top" align="left" height="14" style=
14460 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14461 <p class="TextFontCX" align="center" style=
14462 'text-align:center;background:#CCCCCC'><span style=
14463 'font-size:10.0pt'>P: 6</span></p></td></tr></table></div>
14464 <p class="TextFontCX"><span class="Flag"><span style=
14465 'font-size:10.0pt'>external-name-len</span></span><span class="Flag">
14467 'font-size:10.0pt'> <i><number></i></span></span></p>
14468 <p class="IndentText">Sets the number of significant characters in
14469 an external name (ANSI default minimum is 6). Sets
14470 <span class="Flag"><span style=
14471 'font-size:10.0pt'>+distinct-external-names</span></span>.</p>
14473 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14474 height="14" align="left">
14476 <td valign="top" align="left" height="14" style=
14477 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14478 <p class="TextFontCX" align="center" style=
14479 'text-align:center;background:#CCCCCC'><span style=
14480 'font-size:10.0pt'>P:</span> <span class=
14481 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14482 <p class="TextFontCX"><span class="Flag"><span style=
14483 'font-size:10.0pt'>external-name-case-insensitive</span></span></p>
14484 <p class="IndentText">Make alphabetic case insignificant in
14485 external names. According to ANSI standard, case need not be
14486 significant in an external name. If <span class=
14487 "Flag"><span style=
14488 'font-size:10.0pt'>+distinct-external-names</span></span> is
14489 not set, sets <span class="Flag"><span style=
14490 'font-size:10.0pt'>+distinct-external-names</span></span> with
14491 unlimited external name length.</p>
14492 <p class="Heading11">Distinct Internal Names</p>
14494 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14495 height="14" align="left">
14497 <td valign="top" align="left" height="14" style=
14498 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14499 <p class="TextFontCX" align="center" style=
14500 'text-align:center;background:#CCCCCC'><span style=
14501 'font-size:10.0pt'>m:</span><span class=
14502 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
14503 <p class="TextFontCX"><span class="Flag"><span style=
14504 'font-size:10.0pt'>distinct-internal-names</span></span></p>
14505 <p class="IndentText">An internal name is not distinguishable from
14506 another internal name using <span class="Flag"><span style=
14507 'font-size:10.0pt'>internalnamelen</span></span> significant
14508 characters. (Also effected by <span class=
14509 "Flag"><span style=
14510 'font-size:10.0pt'>internal-name-case-insensitive</span></span> and
14511 <span class="Flag"><span style=
14512 'font-size:10.0pt'>internal-name-lookalike</span></span>.)</p>
14514 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14515 height="14" align="left">
14517 <td valign="top" align="left" height="14" style=
14518 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14519 <p class="TextFontCX" align="center" style=
14520 'text-align:center;background:#CCCCCC'><span style=
14521 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
14522 'font-size:10.0pt'>31</span></span></p></td></tr></table></div>
14523 <p class="TextFontCX"><span class="Flag"><span style=
14524 'font-size:10.0pt'>internal-name-len</span></span><span class="Flag">
14526 'font-size:10.0pt'> <i><number></i></span></span></p>
14527 <p class="IndentText">Set the number of significant characters in
14528 an internal name. Sets <span class="Flag"><span style=
14529 'font-size:10.0pt'>+distinct-internal-names</span></span>.</p>
14531 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14532 height="14" align="left">
14534 <td valign="top" align="left" height="14" style=
14535 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14536 <p class="TextFontCX" align="center" style=
14537 'text-align:center;background:#CCCCCC'><span style=
14538 'font-size:10.0pt'>P:</span> <span class=
14539 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14540 <p class="TextFontCX"><span class="Flag"><span style=
14541 'font-size:10.0pt'>internal-name-case-insensitive</span></span></p>
14542 <p class="IndentText">Set whether case is significant an internal
14543 names (<span class="Flag"><span style=
14544 'font-size:10.0pt'>-internal-name-case-insensitive</span></span> means
14545 case is significant). If <span class=
14546 "Flag"><span style='font-size:10.0pt'>+distinct-internal-names</span></span> is
14547 not set, sets <span class="Flag"><span style=
14548 'font-size:10.0pt'>+distinct-internal-names</span></span>
14549 with unlimited internal name length.</p>
14551 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14552 height="14" align="left">
14554 <td valign="top" align="left" height="14" style=
14555 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14556 <p class="TextFontCX" align="center" style=
14557 'text-align:center;background:#CCCCCC'><span style=
14558 'font-size:10.0pt'>P:</span> <span class=
14559 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14560 <p class="TextFontCX"><span class="Flag"><span style=
14561 'font-size:10.0pt'>internal-name-lookalike</span></span></p>
14562 <p class="IndentText"> Set whether similar looking characters
14563 (e.g., “<span class="Keyword"><span style=
14564 'font-size:10.0pt'>1</span></span>” and
14565 “<span class="Keyword"><span style=
14566 'font-size:10.0pt'>l</span></span>”) match in internal
14568 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
14569 Control Flow <span class="TextFontCXChar"><span style=
14570 'font-size:11.0pt; font-weight:normal'>(Section
14571 8)</span></span></p>
14572 <p class="Heading10">Undefined Evaluation Order <span class=
14573 "HeadingNote"><span style=
14574 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
14575 <span class="HeadingNote"><span style=
14576 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.2</span></span><span class="HeadingNote">
14578 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
14580 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14581 height="14" align="left">
14583 <td valign="top" align="left" height="14" style=
14584 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14585 <p class="TextFontCX" align="center" style=
14586 'text-align:center;background:#CCCCCC'><span style=
14587 'font-size:10.0pt'>m:</span><span class=
14588 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14589 <p class="Heading10" style='margin:0in;margin-bottom:.0001pt'>
14590 <span class="Flag"><span style=
14591 'font-size:10.0pt;font-weight:normal'>eval-order</span></span></p>
14592 <p class="IndentText">Behavior of an expression is unspecified or
14593 implementation-dependent because sub-expressions contain
14594 interfering side effects that may be evaluated in any order.</p>
14596 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14597 height="14" align="left">
14599 <td valign="top" align="left" height="14" style=
14600 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14601 <p class="TextFontCX" align="center" style=
14602 'text-align:center;background:#CCCCCC'><span style=
14603 'font-size:10.0pt'>m:</span><span class=
14604 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14605 <p class="TextFontCX"><span class="Flag"><span style=
14606 'font-size:10.0pt'>eval-order-uncon</span></span></p>
14607 <p class="IndentText">An expression may be undefined because a
14608 sub-expression contains a call to an unconstrained function (no
14609 modifies clause) that may modify something that may be modified or
14610 used by another sub-expression.</p>
14611 <p class="Heading10">Problematic Control Structures
14612 <span class="HeadingNote"><span style=
14613 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
14614 <span class="HeadingNote"><span style=
14615 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.3</span></span><span class="HeadingNote">
14617 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
14619 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14620 height="14" align="left">
14622 <td valign="top" align="left" height="14" style=
14623 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14624 <p class="TextFontCX" align="center" style=
14625 'text-align:center;background:#CCCCCC'><span style=
14626 'font-size:10.0pt'>m:</span><span class=
14627 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14628 <p class="TextFontCX"><span class="Flag"><span style=
14629 'font-size:10.0pt'>inf-loops</span></span></p>
14630 <p class="IndentText">Likely infinite loop is detected (Section
14633 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14634 height="14" align="left">
14636 <td valign="top" align="left" height="14" style=
14637 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14638 <p class="TextFontCX" align="center" style=
14639 'text-align:center;background:#CCCCCC'><span style=
14640 'font-size:10.0pt'>m:</span><span class=
14641 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14642 <p class="TextFontCX"><span class="Flag"><span style=
14643 'font-size:10.0pt'>inf-loops-uncon</span></span></p>
14644 <p class="IndentText">Likely infinite loop is detected. Loop
14645 test or body calls an unconstrained function that may produce an
14646 undetected modification.</p>
14648 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14649 height="14" align="left">
14651 <td valign="top" align="left" height="14" style=
14652 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14653 <p class="TextFontCX" align="center" style=
14654 'text-align:center;background:#CCCCCC'><span style=
14655 'font-size:10.0pt'>m:</span><span class=
14656 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14657 <p class="TextFontCX"><span class="Flag"><span style=
14658 'font-size:10.0pt'>elseif-complete</span></span></p>
14659 <p class="IndentText">There is no finals else following an else if
14660 construct (Section 8.3.5).</p>
14663 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14664 height="14" align="left">
14666 <td valign="top" align="left" height="14" style=
14667 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14668 <p class="TextFontCX" align="center" style=
14669 'text-align:center;background:#CCCCCC'><span style=
14670 'font-size:10.0pt'>m:</span><span class=
14671 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14672 <p class="TextFontCX"><span class="Flag"><span style=
14673 'font-size:10.0pt'>case-break</span></span></p>
14674 <p class="IndentText">There is a non-empty case in a switch not
14675 followed by a <span class="CodeText"><span style=
14676 'font-size:10.0pt'>break</span></span><span class=
14677 "HeadingNote"><span style=
14678 'font-size:10.5pt;font-style:normal'>(Section</span></span>
14679 <span class="HeadingNote"><span style=
14680 'font-size:10.5pt;font-style:normal'>8.3.2</span></span><span class="HeadingNote">
14682 'font-size:10.5pt;font-style:normal'>).</span></span></p>
14686 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14687 height="14" align="left">
14689 <td valign="top" align="left" height="14" style=
14690 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14691 <p class="TextFontCX" align="center" style=
14692 'text-align:center;background:#CCCCCC'><span style=
14693 'font-size:10.0pt'>m:</span><span class=
14694 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14695 <p class="TextFontCX"><span class="Flag"><span style=
14696 'font-size:10.0pt'>first-case</span></span></p>
14697 <p class="IndentText">
14698 The first statement after a switch is not a case.
14703 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14704 height="14" align="left">
14706 <td valign="top" align="left" height="14" style=
14707 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14708 <p class="TextFontCX" align="center" style=
14709 'text-align:center;background:#CCCCCC'><span style=
14710 'font-size:10.0pt'>m:</span><span class=
14711 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14712 <p class="TextFontCX"><span class="Flag"><span style=
14713 'font-size:10.0pt'>Duplicate-case</span></span></p>
14714 <p class="IndentText">
14715 Duplicate cases in switch.
14719 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14720 height="14" align="left">
14722 <td valign="top" align="left" height="14" style=
14723 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14724 <p class="TextFontCX" align="center" style=
14725 'text-align:center;background:#CCCCCC'><span style=
14726 'font-size:10.0pt'>m:</span><span class=
14727 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
14728 <p class="TextFontCX"><span class="Flag"><span style=
14729 'font-size:10.0pt'>miss-case</span></span></p>
14730 <p class="IndentText">A switch on an <span class=
14731 "CodeText"><span style='font-size: 10.0pt'>enum</span></span> type
14732 is missing a case for a member of the enumerator.</p>
14735 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14736 height="14" align="left">
14738 <td valign="top" align="left" height="14" style=
14739 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14740 <p class="TextFontCX" align="center" style=
14741 'text-align:center;background:#CCCCCC'><span style=
14742 'font-size:10.0pt'>P</span><span class=
14743 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14744 <p class="TextFontCX"><span class="Flag"><span style=
14745 'font-size:10.0pt'>emptyreturn
14747 <p class="IndentText">Empty return in function declared to return value.</p>
14750 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14751 height="14" align="left">
14753 <td valign="top" align="left" height="14" style=
14754 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14755 <p class="TextFontCX" align="center" style=
14756 'text-align:center;background:#CCCCCC'><span style=
14757 'font-size:10.0pt'>P</span><span class=
14758 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14759 <p class="TextFontCX"><span class="Flag"><span style=
14760 'font-size:10.0pt'>alwaysexits
14762 <p class="IndentText">
14763 Loop predicate always exits.
14767 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14768 height="14" align="left">
14770 <td valign="top" align="left" height="14" style=
14771 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14772 <p class="TextFontCX" align="center" style=
14773 'text-align:center;background:#CCCCCC'><span style=
14774 'font-size:10.0pt'>shortcut</span><span class=
14775 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
14776 <p class="TextFontCX"><span class="Flag"><span style=
14777 'font-size:10.0pt'>loop-exec</span></span></p>
14778 <p class="IndentText">Assume all loops execute at least once.
14779 This effects use-before-definition and memory checking.
14780 It should probably not be used globally, but may be used
14781 surrounding a particular loop that is known to always execute to
14782 prevent spurious messages.
14784 <span class="Flag"><span style=
14785 'font-size:10.0pt'>
14786 for-loop-exec, while-loop-exec and iter-loop-exec
14791 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14792 height="14" align="left">
14794 <td valign="top" align="left" height="14" style=
14795 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14796 <p class="TextFontCX" align="center" style=
14797 'text-align:center;background:#CCCCCC'><span style=
14798 'font-size:10.0pt'>P</span><span class=
14799 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14800 <p class="TextFontCX"><span class="Flag"><span style=
14801 'font-size:10.0pt'>for-loop-exec
14803 <p class="IndentText">
14804 Assume all<span class=
14805 "CodeText"><span style='font-size: 10.0pt'>
14808 loops execute at least once. This effects use-before-definition
14809 and memory checking. It should probably not be used globally, but may be used
14810 surrounding a particular loop that is known to always execute to prevent spurious messages.
14816 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14817 height="14" align="left">
14819 <td valign="top" align="left" height="14" style=
14820 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14821 <p class="TextFontCX" align="center" style=
14822 'text-align:center;background:#CCCCCC'><span style=
14823 'font-size:10.0pt'>P</span><span class=
14824 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14825 <p class="TextFontCX"><span class="Flag"><span style=
14826 'font-size:10.0pt'>while-loop-exec
14828 <p class="IndentText">
14829 Assume all<span class=
14830 "CodeText"><span style='font-size: 10.0pt'>
14833 loops execute at least once. This effects use-before-definition
14834 and memory checking. It should probably not be used globally, but may be used
14835 surrounding a particular loop that is known to always execute to prevent spurious messages.
14840 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14841 height="14" align="left">
14843 <td valign="top" align="left" height="14" style=
14844 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14845 <p class="TextFontCX" align="center" style=
14846 'text-align:center;background:#CCCCCC'><span style=
14847 'font-size:10.0pt'>P</span><span class=
14848 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
14849 <p class="TextFontCX"><span class="Flag"><span style=
14850 'font-size:10.0pt'>iter-loop-exec
14852 <p class="IndentText">
14853 Assume all<span class=
14854 "CodeText"><span style='font-size: 10.0pt'>
14857 loops execute at least once. This effects use-before-definition
14858 and memory checking. It should probably not be used globally, but may be used
14859 surrounding a particular loop that is known to always execute to prevent spurious messages.
14865 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14866 height="14" align="left">
14868 <td valign="top" align="left" height="14" style=
14869 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14870 <p class="TextFontCX" align="center" style=
14871 'text-align:center;background:#CCCCCC'><span style=
14872 'font-size:10.0pt'>P</span><span class=
14873 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
14874 <p class="TextFontCX"><span class="Flag"><span style=
14875 'font-size:10.0pt'>obvious-loop-exec
14877 <p class="IndentText">
14878 Assume loop that can be determined to always execute always does.
14881 <p class="Heading10">Deep Break <span class=
14882 "TextFontCXChar"><span style=
14883 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
14884 <span class="TextFontCXChar"><span style=
14885 'font-size:11.0pt; font-weight:normal'>8.3.3</span></span><span class="TextFontCXChar">
14887 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
14889 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14890 height="14" align="left">
14892 <td valign="top" align="left" height="14" style=
14893 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14894 <p class="TextFontCX" align="center" style=
14895 'text-align:center;background:#CCCCCC'><span style=
14896 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
14897 <p class="TextFontCX"><span class="Flag"><span style=
14898 'font-size:10.0pt'>deep-break</span></span></p>
14899 <p class="IndentText">Report errors for <span class=
14900 "CodeText"><span style='font-size:10.0pt'>break</span></span>
14901 statements inside a nested <span class=
14902 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14903 <span class="CodeText"><span style=
14904 'font-size:10.0pt'>for</span></span> or <span class=
14905 "CodeText"><span style=
14906 'font-size:10.0pt'>switch</span></span>. (Sets all
14907 nested break and continue flags.)</p>
14909 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14910 height="14" align="left">
14912 <td valign="top" align="left" height="14" style=
14913 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14914 <p class="TextFontCX" align="center" style=
14915 'text-align:center;background:#CCCCCC'><span style=
14916 'font-size:10.0pt'>m:</span><span class=
14917 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14918 <p class="MsoListBullet"><span class="Flag"><span style=
14919 'font-size:10.0pt'>loop-loop-break</span></span></p>
14920 <p class="IndentText"><span class="TextFontCXChar">There is
14921 a</span> <span class="CodeText"><span style=
14922 'font-size:10.0pt'>break</span></span> inside a <span class=
14923 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14924 <span class="CodeText"><span style=
14925 'font-size:10.0pt'>for</span></span> or iterator loop that is
14926 inside a <span class="CodeText"><span style=
14927 'font-size: 10.0pt'>while</span></span>, <span class=
14928 "CodeText"><span style='font-size:10.0pt'>for</span></span> or
14929 iterator loop. Mark with <span class="Annot"><span style=
14930 'font-size:10.0pt'>/*@innerbreak@*/</span></span> to suppress the
14933 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14934 height="14" align="left">
14936 <td valign="top" align="left" height="14" style=
14937 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14938 <p class="TextFontCX" align="center" style=
14939 'text-align:center;background:#CCCCCC'><span style=
14940 'font-size:10.0pt'>m:</span><span class=
14941 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
14942 <p class="MsoListBullet"><span class="Flag"><span style=
14943 'font-size:10.0pt'>switch-loop-break</span></span></p>
14944 <p class="IndentText"><span class="TextFontCXChar">There is
14945 a</span><span class="CodeText"><span style=
14946 'font-size:10.0pt'>break</span></span> inside a <span class=
14947 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14948 <span class="CodeText"><span style=
14949 'font-size:10.0pt'>for</span></span> or iterator loop that is
14950 inside a <span class="CodeText"><span style=
14951 'font-size: 10.0pt'>switch</span></span> statement. Mark with
14952 <span class="Annot"><span style=
14953 'font-size:10.0pt'>/*@loopbreak@*/</span></span>.</p>
14955 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14956 height="14" align="left">
14958 <td valign="top" align="left" height="14" style=
14959 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14960 <p class="TextFontCX" align="center" style=
14961 'text-align:center;background:#CCCCCC'><span style=
14962 'font-size:10.0pt'>m:</span><span class=
14963 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14964 <p class="MsoListBullet"><span class="Flag"><span style=
14965 'font-size:10.0pt'>loop-switch-break</span></span></p>
14966 <p class="IndentText"><span class="TextFontCXChar">There is
14967 a</span><span class="CodeText"><span style=
14968 'font-size:10.0pt'>break</span></span> inside a <span class=
14969 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
14970 statement that is inside a <span class=
14971 "CodeText"><span style='font-size:10.0pt'>while</span></span>,
14972 <span class="CodeText"><span style=
14973 'font-size:10.0pt'>for</span></span> or iterator loop.
14974 Mark with /<span class="Annot"><span style=
14975 'font-size:10.0pt'>*@switchbreak@*/</span></span>.</p>
14977 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14978 height="14" align="left">
14980 <td valign="top" align="left" height="14" style=
14981 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
14982 <p class="TextFontCX" align="center" style=
14983 'text-align:center;background:#CCCCCC'><span style=
14984 'font-size:10.0pt'>m:</span><span class=
14985 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
14986 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
14987 <span class="Flag"><span style=
14988 'font-size:10.0pt'>switch-switch-break</span></span></p>
14989 <p class="IndentText"><span class="TextFontCXChar">There is
14990 a</span><span class="CodeText"><span style=
14991 'font-size:10.0pt'>break</span></span> inside a <span class=
14992 "CodeText"><span style='font-size:10.0pt'>switch</span></span>
14993 statement that is inside another <span class=
14994 "CodeText"><span style='font-size: 10.0pt'>switch</span></span>
14995 statement. Mark with <span class="Annot"><span style=
14996 'font-size:10.0pt'>/*@innerbreak@*/</span></span>.</p>
14998 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
14999 height="14" align="left">
15001 <td valign="top" align="left" height="14" style=
15002 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15003 <p class="TextFontCX" align="center" style=
15004 'text-align:center;background:#CCCCCC'><span style=
15005 'font-size:10.0pt'>m:</span><span class=
15006 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15007 <p class="TextFontCX"><span class="Flag"><span style=
15008 'font-size:10.0pt'>loop-loop-continue</span></span></p>
15009 <p class="IndentText">There is a <span class=
15010 "CodeText"><span style='font-size: 10.0pt'>continue</span></span>
15011 inside a while, for or iterator loop that is inside a while,
15012 for or iterator loop. Mark with <span class=
15013 "Annot"><span style=
15014 'font-size:10.0pt'>/*@innercontinue@*/</span></span>.</p>
15015 <p class="Heading10">Loop and if Bodies <span class=
15016 "TextFontCXChar"><span style=
15017 'font-size:11.0pt; font-weight:normal'>(Section
15018 8.3.4)</span></span></p>
15020 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15021 height="14" align="left">
15023 <td valign="top" align="left" height="14" style=
15024 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15025 <p class="TextFontCX" align="center" style=
15026 'text-align:center;background:#CCCCCC'><span style=
15027 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15028 <p class="TextFontCX"><span class="Flag"><span style=
15029 'font-size:10.0pt'>all-empty</span></span></p>
15030 <p class="IndentText">An if, while or for statement has no body
15031 (sets <span class="Flag"><span style=
15032 'font-size:10.0pt'>if-empty</span></span>, <span class=
15033 "Flag"><span style=
15034 'font-size:10.0pt'>while-empty</span></span> and
15035 <span class="Flag"><span style=
15036 'font-size:10.0pt'>for-empty</span></span>.)</p>
15038 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15039 height="14" align="left">
15041 <td valign="top" align="left" height="14" style=
15042 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15043 <p class="TextFontCX" align="center" style=
15044 'text-align:center;background:#CCCCCC'><span style=
15045 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15046 <p class="TextFontCX"><span class="Flag"><span style=
15047 'font-size:10.0pt'>all-block</span></span></p>
15048 <p class="IndentText">The body of an <span class=
15049 "CodeText"><span style='font-size: 10.0pt'>if</span></span>,
15050 <span class="CodeText"><span style=
15051 'font-size:10.0pt'>while</span></span> or <span class=
15052 "CodeText"><span style='font-size:10.0pt'>for</span></span>
15053 statement is not a block (sets <span class=
15054 "Flag"><span style='font-size:10.0pt'>if-block</span></span>,
15055 <span class="Flag"><span style=
15056 'font-size:10.0pt'>while-block</span></span> and
15057 <span class="Flag"><span style=
15058 'font-size:10.0pt'>for-block</span></span>.)</p>
15060 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15061 height="14" align="left">
15063 <td valign="top" align="left" height="14" style=
15064 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15065 <p class="TextFontCX" align="center" style=
15066 'text-align:center;background:#CCCCCC'><span style=
15067 'font-size:10.0pt'>m:</span><span class=
15068 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15069 <p class="TextFontCX"><span class="Flag"><span style=
15070 'font-size:10.0pt'>while-empty</span></span></p>
15071 <p class="IndentText">A while statement has no body.</p>
15073 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15074 height="14" align="left">
15076 <td valign="top" align="left" height="14" style=
15077 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15078 <p class="TextFontCX" align="center" style=
15079 'text-align:center;background:#CCCCCC'><span style=
15080 'font-size:10.0pt'>m:</span><span class=
15081 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15082 <p class="TextFontCX"><span class="Flag"><span style=
15083 'font-size:10.0pt'>while-block</span></span></p>
15084 <p class="IndentText"> The body of a <span class=
15085 "CodeText"><span style='font-size: 10.0pt'>while</span></span>
15086 statement is not a block</p>
15088 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15089 height="14" align="left">
15091 <td valign="top" align="left" height="14" style=
15092 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15093 <p class="TextFontCX" align="center" style=
15094 'text-align:center;background:#CCCCCC'><span style=
15095 'font-size:10.0pt'>m:</span><span class=
15096 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15097 <p class="TextFontCX"><span class="Flag"><span style=
15098 'font-size:10.0pt'>for-empty</span></span></p>
15099 <p class="IndentText">A <span class="CodeText"><span style=
15100 'font-size:10.0pt'>for</span></span> statement has no body.</p>
15102 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15103 height="14" align="left">
15105 <td valign="top" align="left" height="14" style=
15106 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15107 <p class="TextFontCX" align="center" style=
15108 'text-align:center;background:#CCCCCC'><span style=
15109 'font-size:10.0pt'>m:</span><span class=
15110 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15111 <p class="TextFontCX"><span class="Flag"><span style=
15112 'font-size:10.0pt'>for-block</span></span></p>
15113 <p class="IndentText">The body of a <span class=
15114 "CodeText"><span style='font-size: 10.0pt'>for</span></span>
15115 statement is not a block.</p>
15117 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15118 height="14" align="left">
15120 <td valign="top" align="left" height="14" style=
15121 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15122 <p class="TextFontCX" align="center" style=
15123 'text-align:center;background:#CCCCCC'><span style=
15124 'font-size:10.0pt'>m:</span><span class=
15125 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15126 <p class="TextFontCX"><span class="Flag"><span style=
15127 'font-size:10.0pt'>if-empty</span></span></p>
15128 <p class="IndentText">An <span class="CodeText"><span style=
15129 'font-size:10.0pt'>if</span></span> statement has no body.</p>
15131 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15132 height="14" align="left">
15134 <td valign="top" align="left" height="14" style=
15135 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15136 <p class="TextFontCX" align="center" style=
15137 'text-align:center;background:#CCCCCC'><span style=
15138 'font-size:10.0pt'>m:</span><span class=
15139 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15140 <p class="TextFontCX"><span class="Flag"><span style=
15141 'font-size:10.0pt'>ifblock</span></span></p>
15142 <p class="IndentText">The body of an <span class=
15143 "CodeText"><span style='font-size: 10.0pt'>if</span></span>
15144 statement is not a block.</p>
15145 <p class="Heading10">Suspicious Statements <span class=
15146 "TextFontCXChar"><span style=
15147 'font-size:11.0pt; font-weight:normal'>(Section
15148 8.4)</span></span></p>
15150 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15151 height="14" align="left">
15153 <td valign="top" align="left" height="14" style=
15154 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15155 <p class="TextFontCX" align="center" style=
15156 'text-align:center;background:#CCCCCC'><span style=
15157 'font-size:10.0pt'>m:</span><span class=
15158 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15159 <p class="TextFontCX"><span class="Flag"><span style=
15160 'font-size:10.0pt'>unreachable</span></span></p>
15161 <p class="IndentText">Code is not reached on any possible
15164 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15165 height="14" align="left">
15167 <td valign="top" align="left" height="14" style=
15168 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15169 <p class="TextFontCX" align="center" style=
15170 'text-align:center;background:#CCCCCC'><span style=
15171 'font-size:10.0pt'>m:</span><span class=
15172 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15173 <p class="TextFontCX"><span class="Flag"><span style=
15174 'font-size:10.0pt'>noeffect</span></span></p>
15175 <p class="IndentText">Statement has no effect.</p>
15177 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15178 height="14" align="left">
15180 <td valign="top" align="left" height="14" style=
15181 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15182 <p class="TextFontCX" align="center" style=
15183 'text-align:center;background:#CCCCCC'><span style=
15184 'font-size:10.0pt'>m:</span><span class=
15185 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15186 <p class="TextFontCX"><span class="Flag"><span style=
15187 'font-size:10.0pt'>noeffect-uncon</span></span></p>
15188 <p class="IndentText">Statement involving call to unconstrained
15189 function may have no effect.</p>
15191 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15192 height="14" align="left">
15194 <td valign="top" align="left" height="14" style=
15195 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15196 <p class="TextFontCX" align="center" style=
15197 'text-align:center;background:#CCCCCC'><span style=
15198 'font-size:10.0pt'>m:</span><span class=
15199 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15200 <p class="TextFontCX"><span class="Flag"><span style=
15201 'font-size:10.0pt'>noret</span></span></p>
15202 <p class="IndentText">There is a path with no <span class=
15203 "Keyword"><span style='font-size:10.0pt'>return</span></span> in a
15204 function declared to return a non-<span class=
15205 "Keyword"><span style='font-size:10.0pt'>void</span></span>
15207 <p class="Heading10">Ignored Return Values <span class=
15208 "TextFontCXChar"><span style=
15209 'font-size:11.0pt; font-weight:normal'>(Section</span></span>
15210 <span class="TextFontCXChar"><span style=
15211 'font-size:11.0pt; font-weight:normal'>8.4.2</span></span><span class="TextFontCXChar">
15213 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
15214 <p class="beforelist">These flags control when errors are reported
15215 for function calls that do not use the return value. Casting
15216 the function call to <span class="CodeText"><span style=
15217 'font-size:10.0pt'>void</span></span> or declaring the called
15218 function to return <span class="Annot"><span style=
15219 'font-size:10.0pt'>/*@alt void@*/</span></span>.</p>
15221 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15222 height="14" align="left">
15224 <td valign="top" align="left" height="14" style=
15225 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15226 <p class="TextFontCX" align="center" style=
15227 'text-align:center;background:#CCCCCC'><span style=
15228 'font-size:10.0pt'>m:</span><span class=
15229 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15230 <p class="TextFontCX"><span class="Flag"><span style=
15231 'font-size:10.0pt'>ret-val-bool</span></span></p>
15232 <p class="IndentText">Return value of type <span class=
15233 "CodeText"><span style='font-size:10.0pt'>bool</span></span>
15236 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15237 height="14" align="left">
15239 <td valign="top" align="left" height="14" style=
15240 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15241 <p class="TextFontCX" align="center" style=
15242 'text-align:center;background:#CCCCCC'><span style=
15243 'font-size:10.0pt'>m:</span><span class=
15244 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15245 <p class="TextFontCX"><span class="Flag"><span style=
15246 'font-size:10.0pt'>ret-val-int</span></span></p>
15247 <p class="IndentText">Return value of type <span class=
15248 "CodeText"><span style='font-size:10.0pt'>int</span></span>
15251 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15252 height="14" align="left">
15254 <td valign="top" align="left" height="14" style=
15255 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15256 <p class="TextFontCX" align="center" style=
15257 'text-align:center;background:#CCCCCC'><span style=
15258 'font-size:10.0pt'>m:</span><span class=
15259 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15260 <p class="TextFontCX"><span class="Flag"><span style=
15261 'font-size:10.0pt'>ret-val-other</span></span></p>
15262 <p class="IndentText">Return value of type other than
15263 <span class="CodeText"><span style=
15264 'font-size:10.0pt'>bool</span></span> or <span class=
15265 "CodeText"><span style='font-size:10.0pt'>int</span></span>
15268 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15269 height="14" align="left">
15271 <td valign="top" align="left" height="14" style=
15272 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15273 <p class="TextFontCX" align="center" style=
15274 'text-align:center;background:#CCCCCC'><span style=
15275 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15276 <p class="TextFontCX"><span class="Flag"><span style=
15277 'font-size:10.0pt'>ret-val</span></span></p>
15278 <p class="IndentText">Return value ignored (Sets <span class=
15279 "Flag"><span style='font-size:10.0pt'>retvalbool</span></span>,
15280 <span class="Flag"><span style=
15281 'font-size:10.0pt'>retvalint</span></span>, <span class=
15282 "Flag"><span style=
15283 'font-size:10.0pt'>retvalother</span></span>.)</p>
15285 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15286 Memory Bounds <span class="HeadingNote"><span style=
15287 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15288 <span class="HeadingNote"><span style=
15289 'font-size:10.5pt;font-weight:normal;font-style: normal'>9</span></span>)
15292 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15293 height="14" align="left">
15295 <td valign="top" align="left" height="14" style=
15296 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15297 <p class="TextFontCX" align="center" style=
15298 'text-align:center;background:#CCCCCC'><span style=
15299 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15300 <p class="TextFontCX"><span class="Flag"><span style=
15301 'font-size:10.0pt'>bounds</span></span></p>
15302 <p class="IndentText">
15303 Memory read or write may be out of bounds of allocated storage
15305 "Flag"><span style='font-size:10.0pt'>boundsread</span></span>
15307 <span class="Flag"><span style=
15308 'font-size:10.0pt'>boundswrite</span></span>
15312 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15313 height="14" align="left">
15315 <td valign="top" align="left" height="14" style=
15316 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15317 <p class="TextFontCX" align="center" style=
15318 'text-align:center;background:#CCCCCC'><span style=
15319 'font-size:10.0pt'>m:</span><span class=
15320 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15321 <p class="TextFontCX"><span class="Flag"><span style=
15322 'font-size:10.0pt'>boundsread</span></span></p>
15323 <p class="IndentText">
15324 A memory read references memory beyond the allocated storage
15325 (also sets <span class=
15326 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>.
15330 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15331 height="14" align="left">
15333 <td valign="top" align="left" height="14" style=
15334 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15335 <p class="TextFontCX" align="center" style=
15336 'text-align:center;background:#CCCCCC'><span style=
15337 'font-size:10.0pt'>m:</span><span class=
15338 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15339 <p class="TextFontCX"><span class="Flag"><span style=
15340 'font-size:10.0pt'>boundswrite</span></span></p>
15341 <p class="IndentText">
15342 A memory write may write to an address beyond the allocated buffer
15343 (also sets <span class=
15344 "Flag"><span style='font-size:10.0pt'>likelyboundswrite</span></span>.
15348 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15349 height="14" align="left">
15351 <td valign="top" align="left" height="14" style=
15352 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15353 <p class="TextFontCX" align="center" style=
15354 'text-align:center;background:#CCCCCC'><span style=
15355 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15356 <p class="TextFontCX"><span class="Flag"><span style=
15357 'font-size:10.0pt'>likelybounds</span></span></p>
15358 <p class="IndentText">
15359 Likely memory read or write is likely to be out of bounds of allocated storage
15361 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>
15363 <span class="Flag"><span style=
15364 'font-size:10.0pt'>likelyboundswrite)</span></span>
15369 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15370 height="14" align="left">
15372 <td valign="top" align="left" height="14" style=
15373 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15374 <p class="TextFontCX" align="center" style=
15375 'text-align:center;background:#CCCCCC'><span style=
15376 'font-size:10.0pt'>m:</span><span class=
15377 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15378 <p class="TextFontCX"><span class="Flag"><span style=
15379 'font-size:10.0pt'>likelyboundsread</span></span></p>
15380 <p class="IndentText">
15381 A likely memory read references memory beyond the allocated storage
15382 (also sets <span class=
15383 "Flag"><span style='font-size:10.0pt'>likelyboundsread</span></span>.
15387 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15388 height="14" align="left">
15390 <td valign="top" align="left" height="14" style=
15391 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15392 <p class="TextFontCX" align="center" style=
15393 'text-align:center;background:#CCCCCC'><span style=
15394 'font-size:10.0pt'>m:</span><span class=
15395 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15396 <p class="TextFontCX"><span class="Flag"><span style=
15397 'font-size:10.0pt'>likelyboundswrite</span></span></p>
15398 <p class="IndentText">
15399 A memory write is likely to write to an address beyond the allocated buffer.
15403 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15404 height="14" align="left">
15406 <td valign="top" align="left" height="14" style=
15407 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15408 <p class="TextFontCX" align="center" style=
15409 'text-align:center;background:#CCCCCC'><span style=
15410 'font-size:10.0pt'>m:</span><span class=
15411 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15412 <p class="TextFontCX"><span class="Flag">fcnpost<span style=
15413 'font-size:10.0pt'></span></span></p>
15414 <p class="IndentText">
15415 Display function post conditions.
15420 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15421 height="14" align="left">
15423 <td valign="top" align="left" height="14" style=
15424 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15425 <p class="TextFontCX" align="center" style=
15426 'text-align:center;background:#CCCCCC'><span style=
15427 'font-size:10.0pt'>m:</span><span class=
15428 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15429 <p class="TextFontCX"><span class="Flag">redundantconstraints<span style=
15430 'font-size:10.0pt'></span></span></p>
15431 <p class="IndentText">
15432 Display seemingly redundant conditions.
15435 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15436 height="14" align="left">
15438 <td valign="top" align="left" height="14" style=
15439 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15440 <p class="TextFontCX" align="center" style=
15441 'text-align:center;background:#CCCCCC'><span style=
15442 'font-size:10.0pt'>m:</span><span class=
15443 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
15444 <p class="TextFontCX"><span class="Flag">checkpost<span style=
15445 'font-size:10.0pt'></span></span></p>
15446 <p class="IndentText">
15447 The functions implementation may not satidfy a post condition given in an ensures clause.
15452 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15453 height="14" align="left">
15455 <td valign="top" align="left" height="14" style=
15456 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15457 <p class="TextFontCX" align="center" style=
15458 'text-align:center;background:#CCCCCC'><span style=
15459 'font-size:10.0pt'>P-</span><span class=
15460 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15461 <p class="TextFontCX"><span class="Flag">showconstraintparens<span style=
15462 'font-size:10.0pt'></span></span></p>
15463 <p class="IndentText">
15464 Display parentheses around constraint terms.
15467 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15468 height="14" align="left">
15470 <td valign="top" align="left" height="14" style=
15471 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15472 <p class="TextFontCX" align="center" style=
15473 'text-align:center;background:#CCCCCC'><span style=
15474 'font-size:10.0pt'>P+</span><span class=
15475 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15476 <p class="TextFontCX"><span class="Flag">showconstraintlocation<span style=
15477 'font-size:10.0pt'></span></span></p>
15478 <p class="IndentText">
15479 Display location for every constraint generated.
15482 <p class="beforelist">
15483 The following flags are mainly of interest to Splint developers. The default values are adequate in normal use. They are included for completeness.
15487 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15488 height="14" align="left">
15490 <td valign="top" align="left" height="14" style=
15491 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15492 <p class="TextFontCX" align="center" style=
15493 'text-align:center;background:#CCCCCC'><span style=
15494 'font-size:10.0pt'>P-</span><span class=
15495 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15496 <p class="TextFontCX"><span class="Flag">
15498 <span style='font-size:10.0pt'></span></span></p>
15499 <p class="IndentText">
15500 Perform buffer overflow checking even if the errors would be inhibited.
15506 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15507 height="14" align="left">
15509 <td valign="top" align="left" height="14" style=
15510 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15511 <p class="TextFontCX" align="center" style=
15512 'text-align:center;background:#CCCCCC'><span style=
15513 'font-size:10.0pt'>P-</span><span class=
15514 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15515 <p class="TextFontCX"><span class="Flag">
15517 <span style='font-size:10.0pt'></span></span></p>
15518 <p class="IndentText">
15519 Generate implicit constraints for functions. This is an experimental option.
15520 Currently this option reduces the number of bounds errors but causes real error to be missed.
15525 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15526 height="14" align="left">
15528 <td valign="top" align="left" height="14" style=
15529 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15530 <p class="TextFontCX" align="center" style=
15531 'text-align:center;background:#CCCCCC'><span style=
15532 'font-size:10.0pt'>P-</span><span class=
15533 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15534 <p class="TextFontCX"><span class="Flag">
15536 <span style='font-size:10.0pt'></span></span></p>
15537 <p class="IndentText">
15538 This flags affects the internal constraint resolution.  If set, the internal constraint resolution is more accurate.  The performance impact is minimal so there is little reason not to have this flag set.</p>
15540 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15541 Extensible Checking <span class="HeadingNote"><span style=
15542 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15543 <span class="HeadingNote"><span style=
15544 'font-size:10.5pt;font-weight:normal;font-style: normal'>13</span></span><span class="HeadingNote">
15546 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15550 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15551 height="14" align="left">
15553 <td valign="top" align="left" height="14" style=
15554 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15555 <p class="TextFontCX" align="center" style=
15556 'text-align:center;background:#CCCCCC'><span style=
15557 'font-size:10.0pt'>P-</span><span class=
15558 "Keyword"><span style='font-size:10.0pt'></span></span></p></td></tr></table></div>
15559 <p class="TextFontCX"><span class="Flag">
15561 <span style='font-size:10.0pt'></span></span></p>
15562 <p class="IndentText">
15563 Load meta state declaration and corresponding xh file.
15568 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15569 height="14" align="left">
15571 <td valign="top" align="left" height="14" style=
15572 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15573 <p class="TextFontCX" align="center" style=
15574 'text-align:center;background:#CCCCCC'><span style=
15575 'font-size:10.0pt'>m:</span><span class=
15576 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15577 <p class="TextFontCX"><span class="Flag">
15579 <span style='font-size:10.0pt'></span></span></p>
15580 <p class="IndentText">
15581 Transfer violates user-defined state rules.
15586 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15587 height="14" align="left">
15589 <td valign="top" align="left" height="14" style=
15590 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15591 <p class="TextFontCX" align="center" style=
15592 'text-align:center;background:#CCCCCC'><span style=
15593 'font-size:10.0pt'>m:</span><span class=
15594 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15595 <p class="TextFontCX"><span class="Flag">
15597 <span style='font-size:10.0pt'></span></span></p>
15598 <p class="IndentText">
15599 Control path merge violates user-defined state merge rules.
15602 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
15603 Completeness <span class="HeadingNote"><span style=
15604 'font-size:10.5pt;font-weight:normal;font-style: normal'>(Section</span></span>
15605 <span class="HeadingNote"><span style=
15606 'font-size:10.5pt;font-weight:normal;font-style: normal'>13</span></span><span class="HeadingNote">
15608 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15609 <p class="Heading10">Unused Declarations <span class=
15610 "HeadingNote"><span style=
15611 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
15612 <span class="HeadingNote"><span style=
15613 'font-size:10.5pt;font-weight:normal;font-style: normal'>13.1</span></span><span class="HeadingNote">
15615 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
15616 <p class="beforelist">These flags control when errors are reported
15617 for declarations that are never used. The <span class=
15618 "Annot"><span style='font-size:10.0pt'>unused</span></span>
15619 annotation can be used to prevent unused errors from being report
15620 for a particular declaration.</p>
15622 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15623 height="14" align="left">
15625 <td valign="top" align="left" height="14" style=
15626 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15627 <p class="TextFontCX" align="center" style=
15628 'text-align:center;background:#CCCCCC'><span style=
15629 'font-size:10.0pt'>m:</span><span class=
15630 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15631 <p class="TextFontCX"><span class="Flag"><span style=
15632 'font-size:10.0pt'>top-use</span></span></p>
15633 <p class="IndentText">An external declaration is not used in any
15636 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15637 height="14" align="left">
15639 <td valign="top" align="left" height="14" style=
15640 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15641 <p class="TextFontCX" align="center" style=
15642 'text-align:center;background:#CCCCCC'><span style=
15643 'font-size:10.0pt'>m:</span><span class=
15644 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15645 <p class="TextFontCX"><span class="Flag"><span style=
15646 'font-size:10.0pt'>const-use</span></span></p>
15647 <p class="IndentText">Constant never used.</p>
15649 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15650 height="14" align="left">
15652 <td valign="top" align="left" height="14" style=
15653 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15654 <p class="TextFontCX" align="center" style=
15655 'text-align:center;background:#CCCCCC'><span style=
15656 'font-size:10.0pt'>m:</span><span class=
15657 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15658 <p class="TextFontCX"><span class="Flag"><span style=
15659 'font-size:10.0pt'>enum-mem-use</span></span></p>
15660 <p class="IndentText">Member of enumerator never used.</p>
15662 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15663 height="14" align="left">
15665 <td valign="top" align="left" height="14" style=
15666 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15667 <p class="TextFontCX" align="center" style=
15668 'text-align:center;background:#CCCCCC'><span style=
15669 'font-size:10.0pt'>m:</span><span class=
15670 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15671 <p class="TextFontCX"><span class="Flag"><span style=
15672 'font-size:10.0pt'>var-use</span></span></p>
15673 <p class="IndentText">Variable never used.</p>
15675 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15676 height="14" align="left">
15678 <td valign="top" align="left" height="14" style=
15679 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15680 <p class="TextFontCX" align="center" style=
15681 'text-align:center;background:#CCCCCC'><span style=
15682 'font-size:10.0pt'>m:</span><span class=
15683 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15684 <p class="TextFontCX"><span class="Flag"><span style=
15685 'font-size:10.0pt'>param-use</span></span></p>
15686 <p class="IndentText">Function parameter never used.</p>
15688 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15689 height="14" align="left">
15691 <td valign="top" align="left" height="14" style=
15692 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15693 <p class="TextFontCX" align="center" style=
15694 'text-align:center;background:#CCCCCC'><span style=
15695 'font-size:10.0pt'>m:</span><span class=
15696 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15697 <p class="TextFontCX"><span class="Flag"><span style=
15698 'font-size:10.0pt'>fcn-use</span></span></p>
15699 <p class="IndentText">Function is never used.</p>
15701 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15702 height="14" align="left">
15704 <td valign="top" align="left" height="14" style=
15705 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15706 <p class="TextFontCX" align="center" style=
15707 'text-align:center;background:#CCCCCC'><span style=
15708 'font-size:10.0pt'>m:</span><span class=
15709 "Keyword"><span style='font-size:10.0pt'>++++</span></span></p></td></tr></table></div>
15710 <p class="TextFontCX"><span class="Flag"><span style=
15711 'font-size:10.0pt'>type-use</span></span></p>
15712 <p class="IndentText">Defined type never used.</p>
15714 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15715 height="14" align="left">
15717 <td valign="top" align="left" height="14" style=
15718 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15719 <p class="TextFontCX" align="center" style=
15720 'text-align:center;background:#CCCCCC'><span style=
15721 'font-size:10.0pt'>m:</span><span class=
15722 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15723 <p class="TextFontCX"><span class="Flag"><span style=
15724 'font-size:10.0pt'>field-use</span></span></p>
15725 <p class="IndentText">Field of structure or union type is never
15728 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15729 height="14" align="left">
15731 <td valign="top" align="left" height="14" style=
15732 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15733 <p class="TextFontCX" align="center" style=
15734 'text-align:center;background:#CCCCCC'><span style=
15735 'font-size:10.0pt'>m:</span><span class=
15736 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15737 <p class="TextFontCX"><span class="Flag"><span style=
15738 'font-size:10.0pt'>unused-special</span></span></p>
15739 <p class="IndentText">Declaration in a special file (corresponding
15740 to <span class="ProgramNameChar">.l</span> or <span class=
15741 "ProgramNameChar">.y</span> file) is unused.</p>
15742 <p class="Heading10">Complete Programs <span class=
15743 "TextFontCXChar"><span style=
15744 'font-size:11.0pt; font-weight:normal'>(Section
15745 13.2)</span></span></p>
15747 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15748 height="14" align="left">
15750 <td valign="top" align="left" height="14" style=
15751 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15752 <p class="TextFontCX" align="center" style=
15753 'text-align:center;background:#CCCCCC'><span style=
15754 'font-size:10.0pt'>m:</span><span class=
15755 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15756 <p class="TextFontCX"><span class="Flag"><span style=
15757 'font-size:10.0pt'>decl-undef</span></span></p>
15758 <p class="IndentText">Function, variable, iterator or constant
15759 declared but never defined.</p>
15761 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15762 height="14" align="left">
15764 <td valign="top" align="left" height="14" style=
15765 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15766 <p class="TextFontCX" align="center" style=
15767 'text-align:center;background:#CCCCCC'><span style=
15768 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
15769 <p class="TextFontCX"><span class="Flag"><span style=
15770 'font-size:10.0pt'>partial</span></span></p>
15771 <p class="IndentText">Check as partial system (sets
15772 <span class="Flag"><span style=
15773 'font-size:10.0pt'>-decl-undef</span></span>, <span class=
15774 "Flag"><span style=
15775 'font-size:10.0pt'>-export-local</span></span> and
15776 prevents checking of macros in headers without corresponding
15777 <span class="ProgramNameChar">.c</span> files.)</p>
15778 <p class="Heading10">Exports</p>
15780 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15781 height="14" align="left">
15783 <td valign="top" align="left" height="14" style=
15784 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15785 <p class="TextFontCX" align="center" style=
15786 'text-align:center;background:#CCCCCC'><span style=
15787 'font-size:10.0pt'>m:</span><span class=
15788 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15789 <p class="TextFontCX"><span class="Flag"><span style=
15790 'font-size:10.0pt'>export-local</span></span></p>
15791 <p class="IndentText">A declaration is exported but not used
15792 outside this module. (Declaration can use the
15793 <span class="CodeText"><span style=
15794 'font-size: 10.0pt'>static</span></span> qualifier.)</p>
15796 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15797 height="14" align="left">
15799 <td valign="top" align="left" height="14" style=
15800 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15801 <p class="TextFontCX" align="center" style=
15802 'text-align:center;background:#CCCCCC'><span style=
15803 'font-size:10.0pt'>m:</span><span class=
15804 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15805 <p class="TextFontCX"><span class="Flag"><span style=
15806 'font-size:10.0pt'>export-header</span></span></p>
15807 <p class="IndentText">A declaration (other than a variable) is
15808 exported but does not appear in a header file.</p>
15810 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15811 height="14" align="left">
15813 <td valign="top" align="left" height="14" style=
15814 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15815 <p class="TextFontCX" align="center" style=
15816 'text-align:center;background:#CCCCCC'><span style=
15817 'font-size:10.0pt'>m:</span><span class=
15818 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15819 <p class="TextFontCX"><span class="Flag"><span style=
15820 'font-size:10.0pt'>export-header-var</span></span></p>
15821 <p class="IndentText">A variable declaration is exported but does
15822 not appear in a header file.</p>
15823 <p class="Heading10">Unrecognized Identifiers</p>
15825 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15826 height="14" align="left">
15828 <td valign="top" align="left" height="14" style=
15829 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15830 <p class="TextFontCX" align="center" style=
15831 'text-align:center;background:#CCCCCC'><span style=
15832 'font-size:10.0pt'>P:</span> <span class=
15833 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15834 <p class="TextFontCX"><span class="Flag"><span style=
15835 'font-size:10.0pt'>unrecog</span></span></p>
15836 <p class="IndentText">An unrecognized identifier is used.</p>
15838 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15839 height="14" align="left">
15841 <td valign="top" align="left" height="14" style=
15842 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15843 <p class="TextFontCX" align="center" style=
15844 'text-align:center;background:#CCCCCC'><span style=
15845 'font-size:10.0pt'>P:</span> <span class=
15846 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15847 <p class="TextFontCX"><span class="Flag"><span style=
15848 'font-size:10.0pt'>sys-unrecog</span></span></p>
15849 <p class="IndentText">Report unrecognized identifiers that start
15850 with the system prefix, <span class="Keyword"><span style=
15851 'font-size:10.0pt'>__</span></span> (two underscores).</p>
15853 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15854 height="14" align="left">
15856 <td valign="top" align="left" height="14" style=
15857 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15858 <p class="TextFontCX" align="center" style=
15859 'text-align:center;background:#CCCCCC'><span style=
15860 'font-size:10.0pt'>P:</span> <span class=
15861 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
15862 <p class="TextFontCX"><span class="Flag"><span style=
15863 'font-size:10.0pt'>repeat-unrecog</span></span></p>
15864 <p class="IndentText">Report multiple messages for unrecognized
15865 identifiers. If <span class="Flag"><span style=
15866 'font-size:10.0pt'>repeatunrecog</span></span> is not set, an error
15867 is reported only the first time a particular unrecognized
15868 identifier appears in the file.</p>
15869 <p class="Heading10">Multiple Definition and Declarations</p>
15871 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15872 height="14" align="left">
15874 <td valign="top" align="left" height="14" style=
15875 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15876 <p class="TextFontCX" align="center" style=
15877 'text-align:center;background:#CCCCCC'><span style=
15878 'font-size:10.0pt'>P:</span> <span class=
15879 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15880 <p class="TextFontCX"><span class="Flag"><span style=
15881 'font-size:10.0pt'>redef</span></span></p>
15882 <p class="IndentText">A function or variable is defined more than
15885 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15886 height="14" align="left">
15888 <td valign="top" align="left" height="14" style=
15889 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15890 <p class="TextFontCX" align="center" style=
15891 'text-align:center;background:#CCCCCC'><span style=
15892 'font-size:10.0pt'>m:</span><span class=
15893 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15894 <p class="TextFontCX"><span class="Flag"><span style=
15895 'font-size:10.0pt'>redecl</span></span></p>
15896 <p class="IndentText">An identifier is declared more than once.</p>
15898 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15899 height="14" align="left">
15901 <td valign="top" align="left" height="14" style=
15902 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15903 <p class="TextFontCX" align="center" style=
15904 'text-align:center;background:#CCCCCC'><span style=
15905 'font-size:10.0pt'>m:</span><span class=
15906 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15907 <p class="TextFontCX"><span class="Flag"><span style=
15908 'font-size:10.0pt'>nested-extern</span></span></p>
15909 <p class="IndentText">An <span class="Keyword"><span style=
15910 'font-size:10.0pt'>extern</span></span> declaration is used inside
15911 a function body.</p>
15912 <p class="Heading10">ISO Conformance</p>
15914 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15915 height="14" align="left">
15917 <td valign="top" align="left" height="14" style=
15918 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15919 <p class="TextFontCX" align="center" style=
15920 'text-align:center;background:#CCCCCC'><span style=
15921 'font-size:10.0pt'>m:</span><span class=
15922 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
15923 <p class="TextFontCX"><span class="Flag"><span style=
15924 'font-size:10.0pt'>noparams</span></span></p>
15925 <p class="IndentText">A function is declared without a parameter
15926 list prototype.</p>
15928 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15929 height="14" align="left">
15931 <td valign="top" align="left" height="14" style=
15932 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15933 <p class="TextFontCX" align="center" style=
15934 'text-align:center;background:#CCCCCC'><span style=
15935 'font-size:10.0pt'>m:</span><span class=
15936 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
15937 <p class="TextFontCX"><span class="Flag"><span style=
15938 'font-size:10.0pt'>old-style</span></span></p>
15939 <p class="IndentText">Function definition is in old style
15940 syntax. Standard prototype syntax is preferred.</p>
15942 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15943 height="14" align="left">
15945 <td valign="top" align="left" height="14" style=
15946 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15947 <p class="TextFontCX" align="center" style=
15948 'text-align:center;background:#CCCCCC'><span style=
15949 'font-size:10.0pt'>m:</span><span class=
15950 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
15951 <p class="TextFontCX"><span class="Flag"><span style=
15952 'font-size:10.0pt'>exit-arg</span></span></p>
15953 <p class="IndentText">Argument to <span class=
15954 "CodeText"><span style=
15955 'font-size: 10.0pt'>exit</span></span> has implementation
15956 defined behavior. The only valid arguments to
15957 <span class="CodeText"><span style=
15958 'font-size:10.0pt'>exit</span></span> are <span class=
15959 "CodeText"><span style=
15960 'font-size:10.0pt'>EXIT_SUCCESS</span></span>, <span class=
15961 "CodeText"><span style=
15962 'font-size:10.0pt'>EXIT_FAILURE</span></span> and
15963 <span class="CodeText"><span style=
15964 'font-size:10.0pt'>0</span></span>. An error is
15965 reported if Splint can determine statically that the argument
15966 to <span class="CodeText"><span style=
15967 'font-size:10.0pt'>exit</span></span> is not one of
15970 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
15971 height="14" align="left">
15973 <td valign="top" align="left" height="14" style=
15974 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
15975 <p class="TextFontCX" align="center" style=
15976 'text-align:center;background:#CCCCCC'><span style=
15977 'font-size:10.0pt'>P:</span> <span class=
15978 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
15979 <p class="TextFontCX"><span class="Flag"><span style=
15980 'font-size:10.0pt'>use-varargs</span></span></p>
15981 <p class="IndentText">Report if <span class=
15982 "CodeText"><span style='font-size:10.0pt'><varargs.h></span></span>
15983 is used (should use <span class=
15984 "ProgramNameChar"><span style='font-size:10.0pt'>stdarg.h</span></span>).</p>
15985 <p class="Heading10">Limits</p>
15986 <p class="beforelist">The ANSI Standard includes limits on minimum
15987 numbers that a conforming compiler must support. Whether of
15988 not a particular compiler exceeds these limits, it is worth
15989 checking that a program does not exceed them so that other
15990 compilers may safely compile it. In addition, exceeding a
15991 limit may indicate a problem in the code (e.g., it is too complex
15992 if the control nest depth limit is exceeded) that should be fixed
15993 regardless of the compiler. Splint checks the following
15994 limits. For each limit, the maximum value may be set from the
15995 command line (or locally using a stylized comment). The
15996 minimum limits were increased for the ISO C99 specification.
15997 If the <span class="Flag"><span style=
15998 'font-size:10.0pt'>iso99-limits</span></span> flag is used, all
15999 limits are checked with the minimum values of an ISO C99 conforming
16000 compiler. If the <span class="Flag"><span style=
16001 'font-size:10.0pt'>ansi89-limits</span></span> flag is used, all
16002 limits are checked with the minimum values of an ANSI C89
16003 conforming compiler.</p>
16005 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16006 height="14" align="left">
16008 <td valign="top" align="left" height="14" style=
16009 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16010 <p class="TextFontCX" align="center" style=
16011 'text-align:center;background:#CCCCCC'><span style=
16012 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
16013 <p class="TextFontCX"><span class="Flag"><span style=
16014 'font-size:10.0pt'>ansi89-limits</span></span></p>
16015 <p class="IndentText">Check for violations of minimum limits
16016 prescribed by ANSI C89 standard (sets <span class=
16017 "Flag"><span style=
16018 'font-size:10.0pt'>control-nest-depth</span></span>,
16019 <span class="Flag"><span style=
16020 'font-size:10.0pt'>string-literal-len</span></span>,
16021 <span class="Flag"><span style=
16022 'font-size:10.0pt'>include-nest</span></span>, <span class=
16023 "Flag"><span style=
16024 'font-size:10.0pt'>num-struct-fields</span></span>, and
16025 <span class="Flag"><span style=
16026 'font-size:10.0pt'>num-enum-members</span></span>).</p>
16028 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16029 height="14" align="left">
16031 <td valign="top" align="left" height="14" style=
16032 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16033 <p class="TextFontCX" align="center" style=
16034 'text-align:center;background:#CCCCCC'><span style=
16035 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
16036 <p class="TextFontCX"><span class="Flag"><span style=
16037 'font-size:10.0pt'>iso99-limits</span></span></p>
16038 <p class="IndentText">Check for violations of minimum limits
16039 prescribed by ISO C99 standard (sets <span class=
16040 "Flag"><span style=
16041 'font-size:10.0pt'>control-nest-depth</span></span>,
16042 <span class="Flag"><span style=
16043 'font-size:10.0pt'>string-literal-len</span></span>,
16044 <span class="Flag"><span style=
16045 'font-size:10.0pt'>include-nest</span></span>, <span class=
16046 "Flag"><span style=
16047 'font-size:10.0pt'>num-struct-fields</span></span>, and
16048 <span class="Flag"><span style=
16049 'font-size:10.0pt'>num-enum-members</span></span>).</p>
16052 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16053 height="14" align="left">
16055 <td valign="top" align="left" height="14" style=
16056 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16057 <p class="TextFontCX" align="center" style=
16058 'text-align:center;background:#CCCCCC'><span style=
16059 'font-size:10.0pt'>m:</span><span class=
16060 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16061 <p class="TextFontCX"><span class="Flag"><span style=
16062 'font-size:10.0pt'>control-nest-depth</span></span><span class="Flag">
16064 'font-size:10.0pt'> <i><number></i></span></span></p>
16065 <p class="IndentText">Set maximum nesting depth of compound
16066 statements, iteration control structures, and selection control
16067 structures (ISO C99 minimum is 63; ANSI C89 minimum is 15).</p>
16069 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16070 height="14" align="left">
16072 <td valign="top" align="left" height="14" style=
16073 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16074 <p class="TextFontCX" align="center" style=
16075 'text-align:center;background:#CCCCCC'><span style=
16076 'font-size:10.0pt'>m:</span><span class=
16077 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16078 <p class="TextFontCX"><span class="Flag"><span style=
16079 'font-size:10.0pt'>string-literal-len</span></span><span class="Flag">
16081 'font-size:10.0pt'> <i><number></i></span></span></p>
16082 <p class="IndentText">Set maximum length of string literals (ISO
16083 C99 minimum is 4095; ANSI C89 minimum is 509).</p>
16085 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16086 height="14" align="left">
16088 <td valign="top" align="left" height="14" style=
16089 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16090 <p class="TextFontCX" align="center" style=
16091 'text-align:center;background:#CCCCCC'><span style=
16092 'font-size:10.0pt'>m:</span><span class=
16093 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16094 <p class="TextFontCX"><span class="Flag"><span style=
16095 'font-size:10.0pt'>num-struct-fields</span></span><span class="Flag">
16097 'font-size:10.0pt'> <i><number></i></span></span></p>
16098 <p class="IndentText">Set maximum number of fields in a
16099 <span class="CodeText"><span style=
16100 'font-size:10.0pt'>struct</span></span> or <span class=
16101 "CodeText"><span style='font-size:10.0pt'>union</span></span>
16102 (ISO C99 minimum is 1023; ANSI minimum is 127).</p>
16104 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16105 height="14" align="left">
16107 <td valign="top" align="left" height="14" style=
16108 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16109 <p class="TextFontCX" align="center" style=
16110 'text-align:center;background:#CCCCCC'><span style=
16111 'font-size:10.0pt'>m:</span><span class=
16112 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16113 <p class="TextFontCX"><span class="Flag"><span style=
16114 'font-size:10.0pt'>num-enum-members</span></span><span class=
16115 "Flag"><span style=
16116 'font-size:10.0pt'> <i><number></i></span></span></p>
16117 <p class="IndentText">Set maximum number of members of an
16118 <span class="CodeText"><span style=
16119 'font-size:10.0pt'>enum</span></span> type (ISO C99 minimum is
16120 1023; ANSI minimum is 127).</p>
16122 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16123 height="14" align="left">
16125 <td valign="top" align="left" height="14" style=
16126 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16127 <p class="TextFontCX" align="center" style=
16128 'text-align:center;background:#CCCCCC'><span style=
16129 'font-size:10.0pt'>m:</span><span class=
16130 "Keyword"><span style='font-size:10.0pt'>--++</span></span></p></td></tr></table></div>
16131 <p class="TextFontCX"><span class="Flag"><span style=
16132 'font-size:10.0pt'>include-nest</span></span><span class=
16133 "Flag"><span style=
16134 'font-size:10.0pt'> <i><number></i></span></span></p>
16135 <p class="IndentText">Set maximum number of nested
16136 <span class="CodeText"><span style=
16137 'font-size:10.0pt'>#include</span></span> files (ISO C99
16138 minimum is 63; ANSI minimum is 8).</p>
16139 <p class="Heading10">Header Inclusion <a name=
16140 "_Ref344793948"><span class="TextFontCXChar"><span style=
16141 'font-size:11.0pt; font-weight:normal'>(Section</span></span></a>
16142 <span class="TextFontCXChar"><span style=
16143 'font-size:11.0pt; font-weight:normal'>14.3</span></span><span class="TextFontCXChar">
16145 'font-size:11.0pt; font-weight:normal'>)</span></span></p>
16147 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16148 height="14" align="left">
16150 <td valign="top" align="left" height="14" style=
16151 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16152 <p class="TextFontCX" align="center" style=
16153 'text-align:center;background:#CCCCCC'><span style=
16154 'font-size:10.0pt'>P:</span> <span class=
16155 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16156 <p class="TextFontCX"><span class="Flag"><span style=
16157 'font-size:10.0pt'>skip-ansi-headers</span></span></p>
16158 <p class="IndentText">Prevent inclusion of header files in a system
16159 directory with names that match standard ANSI headers. The
16160 symbolic information in the standard library is used instead.
16161 Flag in effect only if a library that includes the standard library is
16162 used. The ANSI headers are: <span class=
16163 "CodeText"><span style='font-size:10.0pt'>assert</span></span>,
16165 "CodeText"><span style='font-size:10.0pt'>ctype</span></span>,
16166 <span class="CodeText"><span style=
16167 'font-size:10.0pt'>errno</span></span>,
16168 <span class="CodeText"><span style=
16169 'font-size:10.0pt'>float</span></span>,
16171 "CodeText"><span style='font-size:10.0pt'>limits</span></span>,
16172 <span class="CodeText"><span style=
16173 'font-size:10.0pt'>locale</span></span>, <span class=
16174 "CodeText"><span style='font-size:10.0pt'>math</span></span>,
16175 <span class="CodeText"><span style=
16176 'font-size:10.0pt'>setjmp</span></span>, <span class=
16177 "CodeText"><span style='font-size:10.0pt'>signal</span></span>,
16178 <span class="CodeText"><span style=
16179 'font-size:10.0pt'>stdarg</span></span>,
16180 <span class="CodeText"><span style=
16181 'font-size:10.0pt'>stddef</span></span>, <span class=
16182 "CodeText"><span style='font-size:10.0pt'>stdio</span></span>,
16183 <span class="CodeText"><span style=
16184 'font-size:10.0pt'>stdlib</span></span>,
16186 "CodeText"><span style='font-size:10.0pt'>strings</span></span>,
16188 "CodeText"><span style='font-size:10.0pt'>string</span></span>,
16190 "CodeText"><span style='font-size:10.0pt'>time</span></span>,
16191 and <span class="CodeText"><span style=
16192 'font-size:10.0pt'>wchar</span></span>.
16196 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16197 height="14" align="left">
16199 <td valign="top" align="left" height="14" style=
16200 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16201 <p class="TextFontCX" align="center" style=
16202 'text-align:center;background:#CCCCCC'><span style=
16203 'font-size:10.0pt'>P:</span> <span class=
16204 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16205 <p class="TextFontCX"><span class="Flag"><span style=
16206 'font-size:10.0pt'>skip-iso-headers</span></span></p>
16207 <p class="IndentText">Prevent inclusion of header files in a system
16208 directory with names that match standard ISO C99 headers. The
16209 symbolic information in the standard library is used instead.
16210 In effect only if a library that includes the standard library is
16211 used. The ISO C99 headers are: <span class=
16212 "CodeText"><span style='font-size:10.0pt'>assert</span></span>,
16213 <span class="CodeText"><span style=
16214 'font-size:10.0pt'>complex</span></span>, <span class=
16215 "CodeText"><span style='font-size:10.0pt'>ctype</span></span>,
16216 <span class="CodeText"><span style=
16217 'font-size:10.0pt'>errno</span></span>, <span class=
16218 "CodeText"><span style='font-size:10.0pt'>fenv</span></span>,
16219 <span class="CodeText"><span style=
16220 'font-size:10.0pt'>float</span></span>, <span class=
16221 "CodeText"><span style='font-size:10.0pt'>inttypes</span></span>,
16222 <span class="CodeText"><span style=
16223 'font-size:10.0pt'>iso646</span></span>, <span class=
16224 "CodeText"><span style='font-size:10.0pt'>limits</span></span>,
16225 <span class="CodeText"><span style=
16226 'font-size:10.0pt'>locale</span></span>, <span class=
16227 "CodeText"><span style='font-size:10.0pt'>math</span></span>,
16228 <span class="CodeText"><span style=
16229 'font-size:10.0pt'>setjmp</span></span>, <span class=
16230 "CodeText"><span style='font-size:10.0pt'>signal</span></span>,
16231 <span class="CodeText"><span style=
16232 'font-size:10.0pt'>stdarg</span></span>, <span class=
16233 "CodeText"><span style='font-size:10.0pt'>stdbool</span></span>,
16234 <span class="CodeText"><span style=
16235 'font-size:10.0pt'>stddef</span></span>, <span class=
16236 "CodeText"><span style='font-size:10.0pt'>stdio</span></span>,
16237 <span class="CodeText"><span style=
16238 'font-size:10.0pt'>stdlib</span></span>, <span class=
16239 "CodeText"><span style='font-size:10.0pt'>string</span></span>,
16240 <span class="CodeText"><span style=
16241 'font-size:10.0pt'>tgmath</span></span>, <span class=
16242 "CodeText"><span style='font-size:10.0pt'>time</span></span>,
16243 <span class="CodeText"><span style=
16244 'font-size:10.0pt'>wchar</span></span>, and <span class=
16245 "CodeText"><span style='font-size:10.0pt'>wctype</span></span>.</p>
16249 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16250 height="14" align="left">
16252 <td valign="top" align="left" height="14" style=
16253 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16254 <p class="TextFontCX" align="center" style=
16255 'text-align:center;background:#CCCCCC'><span style=
16256 'font-size:10.0pt'>P:</span> <span class=
16257 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16258 <p class="TextFontCX"><span class="Flag"><span style=
16259 'font-size:10.0pt'>skip-posix-headers</span></span></p>
16260 <p class="IndentText">Prevent inclusion of header files in a system
16261 directory with names that match standard POSIX headers. The
16262 symbolic information in the standard library is used instead.
16263 In effect only if a library that includes the POSIX library is
16264 used. The skipped POSIX headers are: <span class=
16265 "CodeText"><span style='font-size:10.0pt'>dirent</span></span>,
16266 <span class="CodeText"><span style=
16267 'font-size:10.0pt'>fcntl</span></span>, <span class=
16268 "CodeText"><span style='font-size:10.0pt'>grp</span></span>,
16269 <span class="CodeText"><span style=
16270 'font-size:10.0pt'>pwd</span></span>, <span class=
16271 "CodeText"><span style='font-size:10.0pt'>termios</span></span>,
16272 <span class="CodeText"><span style=
16273 'font-size:10.0pt'>sys/stat</span></span>, <span class=
16274 "CodeText"><span style='font-size:10.0pt'>sys/times</span></span>,
16275 <span class="CodeText"><span style=
16276 'font-size:10.0pt'>sys/types</span></span>, <span class=
16277 "CodeText"><span style=
16278 'font-size:10.0pt'>sys/utsname</span></span>, <span class=
16279 "CodeText"><span style='font-size:10.0pt'>sys/wait</span></span>,
16280 <span class="CodeText"><span style=
16281 'font-size:10.0pt'>unistd</span></span>, and <span class=
16282 "CodeText"><span style='font-size:10.0pt'>utime</span></span>.</p>
16285 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16286 height="14" align="left">
16288 <td valign="top" align="left" height="14" style=
16289 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16290 <p class="TextFontCX" align="center" style=
16291 'text-align:center;background:#CCCCCC'><span style=
16292 'font-size:10.0pt'>P:</span> <span class=
16293 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16294 <p class="TextFontCX"><span class="Flag"><span style=
16295 'font-size:10.0pt'>warn-posix-headers</span></span></p>
16296 <p class="IndentText">Report use of a POSIX header when checking a
16297 program with a non-POSIX library.</p>
16298 <p class="IndentText"> </p>
16301 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16302 height="14" align="left">
16304 <td valign="top" align="left" height="14" style=
16305 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16306 <p class="TextFontCX" align="center" style=
16307 'text-align:center;background:#CCCCCC'><span style=
16308 'font-size:10.0pt'>P:</span> <span class=
16309 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16310 <p class="TextFontCX"><span class="Flag"><span style=
16311 'font-size:10.0pt'>warn-unix-headers</span></span></p>
16312 <p class="IndentText">
16313 Warn the user that the unix library may not be compatible with all platforms.
16317 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16318 height="14" align="left">
16320 <td valign="top" align="left" height="14" style=
16321 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16322 <p class="TextFontCX" align="center" style=
16323 'text-align:center;background:#CCCCCC'><span style=
16324 'font-size:10.0pt'>P:</span> <span class=
16325 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16326 <p class="TextFontCX"><span class="Flag"><span style=
16327 'font-size:10.0pt'>skip-sys-headers</span></span></p>
16328 <p class="IndentText">Prevent inclusion of all header files in
16329 system directories.</p>
16331 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16332 height="14" align="left">
16334 <td valign="top" align="left" height="14" style=
16335 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16336 <p class="TextFontCX" align="center" style=
16337 'text-align:center;background:#CCCCCC'><span style=
16338 'font-size:10.0pt'>P:</span> <span class=
16339 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16340 <p class="TextFontCX"><span class="Flag"><span style=
16341 'font-size:10.0pt'>sys-dir-expand-macros</span></span></p>
16342 <p class="IndentText">Expand macros in system directories
16343 regardless of other settings, except for macros corresponding to
16344 names defined in a load library.</p>
16346 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16347 height="14" align="left">
16349 <td valign="top" align="left" height="14" style=
16350 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16351 <p class="TextFontCX" align="center" style=
16352 'text-align:center;background:#CCCCCC'><span style=
16353 'font-size:10.0pt'>m:</span><span class=
16354 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
16355 <p class="TextFontCX"><span class="Flag"><span style=
16356 'font-size:10.0pt'>sys-dir-errors</span></span></p>
16357 <p class="IndentText">Report errors in files in system directories
16358 (set by <span class="Flag"><span style=
16359 'font-size:10.0pt'>-sys-dirs</span></span>). </p>
16360 <p class="IndentText"><span class="HeadingNote"><span style=
16361 'font-size:10.5pt; font-style:normal'> </span></span></p>
16364 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16365 height="14" align="left">
16367 <td valign="top" align="left" height="14" style=
16368 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16369 <p class="TextFontCX" align="center" style=
16370 'text-align:center;background:#CCCCCC'><span style=
16371 'font-size:10.0pt'>P:</span><span class=
16372 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16373 <p class="TextFontCX"><span class="Flag"><span style=
16374 'font-size:10.0pt'>
16377 <p class="IndentText">
16378 Warn when a system file was listed as a command line file but Splint
16379 is not set to report errors for system files. This prevents accidentally missing warnings
16380 in system files when Splint is run in a system directory.
16384 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16385 height="14" align="left">
16387 <td valign="top" align="left" height="14" style=
16388 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16389 <p class="TextFontCX" align="center" style=
16390 'text-align:center;background:#CCCCCC'><span style=
16391 'font-size:10.0pt'>global:</span> <span class=
16392 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16393 <p class="TextFontCX"><span class="Flag"><span style=
16394 'font-size:10.0pt'>single-include</span></span></p>
16395 <p class="IndentText">Optimize header inclusion to only include
16396 each header file once.</p>
16398 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16399 height="14" align="left">
16401 <td valign="top" align="left" height="14" style=
16402 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16403 <p class="TextFontCX" align="center" style=
16404 'text-align:center;background:#CCCCCC'><span style=
16405 'font-size:10.0pt'>global:</span> <span class=
16406 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16407 <p class="TextFontCX"><span class="Flag"><span style=
16408 'font-size:10.0pt'>never-include</span></span></p>
16409 <p class="IndentText">Use library information instead of including
16411 <p class="Heading10">Comments</p>
16412 <p class="beforelist">These flags control how syntactic comments
16413 are interpreted.</p>
16415 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16416 height="14" align="left">
16418 <td valign="top" align="left" height="14" style=
16419 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16420 <p class="TextFontCX" align="center" style=
16421 'text-align:center;background:#CCCCCC'><span style=
16422 'font-size:10.0pt'>P:</span> <span class="Flag"><span style=
16423 'font-size:10.0pt'>@</span></span></p></td></tr></table></div>
16424 <p class="TextFontCX"><span class="Flag"><span style=
16425 'font-size:10.0pt'>comment-char</span></span> <span class=
16426 "Flag"><i><span style=
16427 'font-size:10.0pt'><char></span></i></span></p>
16428 <p class="IndentText">Set the marker character for syntactic
16429 comments. Comments beginning with <span class=
16430 "CodeText"><span style=
16431 'font-size:10.0pt'>/*</span></span><span class=
16432 "Flag"><i><span style=
16433 'font-size:10.0pt'><char></span></i></span> are interpreted
16436 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16437 height="14" align="left">
16439 <td valign="top" align="left" height="14" style=
16440 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16441 <p class="TextFontCX" align="center" style=
16442 'text-align:center;background:#CCCCCC'><span style=
16443 'font-size:10.0pt'>P:</span> <span class=
16444 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16445 <p class="TextFontCX"><span class="Flag"><span style=
16446 'font-size:10.0pt'>noaccess</span></span></p>
16447 <p class="IndentText">Ignore access comments.</p>
16449 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16450 height="14" align="left">
16452 <td valign="top" align="left" height="14" style=
16453 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16454 <p class="TextFontCX" align="center" style=
16455 'text-align:center;background:#CCCCCC'><span style=
16456 'font-size:10.0pt'>P:</span> <span class=
16457 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16458 <p class="TextFontCX"><span class="Flag"><span style=
16459 'font-size:10.0pt'>nocomments</span></span></p>
16460 <p class="IndentText">Ignore all stylized comments.</p>
16462 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16463 height="14" align="left">
16465 <td valign="top" align="left" height="14" style=
16466 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16467 <p class="TextFontCX" align="center" style=
16468 'text-align:center;background:#CCCCCC'><span style=
16469 'font-size:10.0pt'>P:</span> <span class=
16470 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16471 <p class="TextFontCX"><span class="Flag"><span style=
16472 'font-size:10.0pt'>sup-counts</span></span></p>
16473 <p class="IndentText">Actual number of errors does not match number
16474 in <span class="Annot"><span style=
16475 'font-size:10.0pt'>/*@i</span></span><span class=
16476 "Annot"><span style=
16477 'font-size:10.0pt'><n>@*/</span></span></p>
16479 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16480 height="14" align="left">
16482 <td valign="top" align="left" height="14" style=
16483 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16484 <p class="TextFontCX" align="center" style=
16485 'text-align:center;background:#CCCCCC'><span style=
16486 'font-size:10.0pt'>P:</span> <span class=
16487 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16488 <p class="TextFontCX"><span class="Flag"><span style=
16489 'font-size:10.0pt'>lint-comments</span></span></p>
16490 <p class="IndentText">Interpret traditional lint comments
16491 (<span class="CodeText"><span style=
16492 'font-size:10.0pt'>/*FALLTHROUGH*/</span></span>,
16493 <span class="CodeText"><span style=
16494 'font-size:10.0pt'>/*NOTREACHED*/</span></span>, <span class=
16495 "CodeText"><span style=
16496 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span>).</p>
16498 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16499 height="14" align="left">
16501 <td valign="top" align="left" height="14" style=
16502 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16503 <p class="TextFontCX" align="center" style=
16504 'text-align:center;background:#CCCCCC'><span style=
16505 'font-size:10.0pt'>m:</span><span class=
16506 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
16507 <p class="TextFontCX"><span class="Flag"><span style=
16508 'font-size:10.0pt'>warn-lint-comments</span></span></p>
16509 <p class="IndentText">Print a warning and suggest an alternative
16510 when a traditional lint comment is used. </p>
16512 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16513 height="14" align="left">
16515 <td valign="top" align="left" height="14" style=
16516 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16517 <p class="TextFontCX" align="center" style=
16518 'text-align:center;background:#CCCCCC'><span style=
16519 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16520 <p class="TextFontCX"><span class="Flag"><span style=
16521 'font-size:10.0pt'>unrecog-comments</span></span></p>
16522 <p class="IndentText">Stylized comment is unrecognized.</p>
16525 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16526 height="14" align="left">
16528 <td valign="top" align="left" height="14" style=
16529 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16530 <p class="TextFontCX" align="center" style=
16531 'text-align:center;background:#CCCCCC'><span style=
16532 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16533 <p class="TextFontCX"><span class="Flag"><span style=
16534 'font-size:10.0pt'>annotationerror
16536 <p class="IndentText">
16537 A declaration uses an invalid annotation.
16542 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16543 height="14" align="left">
16545 <td valign="top" align="left" height="14" style=
16546 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16547 <p class="TextFontCX" align="center" style=
16548 'text-align:center;background:#CCCCCC'><span style=
16549 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16550 <p class="TextFontCX"><span class="Flag"><span style=
16551 'font-size:10.0pt'>commenterror
16553 <p class="IndentText">
16554 A syntactic comment is used inconsistently.
16557 <p class="Heading10">Parsing</p>
16559 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16560 height="14" align="left">
16562 <td valign="top" align="left" height="14" style=
16563 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16564 <p class="TextFontCX" align="center" style=
16565 'text-align:center;background:#CCCCCC'><span style=
16566 'font-size:10.0pt'>P:</span> <span class=
16567 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16568 <p class="TextFontCX"><span class="Flag"><span style=
16569 'font-size:10.0pt'>continue-comment</span></span></p>
16570 <p class="IndentText">A line continuation marker
16571 (<span class="CodeText"><span style=
16572 'font-size:10.0pt'>\</span></span>) appears inside a comment
16573 on the same line as the comment close. Preprocessors should
16574 handle this correctly, but it causes problems for some
16577 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16578 height="14" align="left">
16580 <td valign="top" align="left" height="14" style=
16581 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16582 <p class="TextFontCX" align="center" style=
16583 'text-align:center;background:#CCCCCC'><span style=
16584 'font-size:10.0pt'>P:</span> <span class=
16585 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16586 <p class="TextFontCX"><span class="Flag"><span style=
16587 'font-size:10.0pt'>nest-comment</span></span></p>
16588 <p class="IndentText">A comment open sequence (<span class=
16589 "CodeText"><span style='font-size:10.0pt'>/*</span></span>) appears
16590 inside a comment. This usually indicates that an earlier
16591 comment was not closed.</p>
16594 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16595 height="14" align="left">
16597 <td valign="top" align="left" height="14" style=
16598 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16599 <p class="TextFontCX" align="center" style=
16600 'text-align:center;background:#CCCCCC'><span style=
16601 'font-size:10.0pt'>P:</span> <span class=
16602 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16603 <p class="TextFontCX"><span class="Flag"><span style=
16604 'font-size:10.0pt'>slashslashcomment</span></span></p>
16605 <p class="IndentText">A
16607 "CodeText"><span style='font-size:10.0pt'>//</span></span>
16608 comment is used.  ISO C99 allows
16610 "CodeText"><span style='font-size:10.0pt'>//</span></span>
16611 comments, but earlier standards did not.
16615 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16616 height="14" align="left">
16618 <td valign="top" align="left" height="14" style=
16619 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16620 <p class="TextFontCX" align="center" style=
16621 'text-align:center;background:#CCCCCC'><span style=
16622 'font-size:10.0pt'>P: +</span></p></td></tr></table></div>
16623 <p class="TextFontCX"><span class="Flag"><span style=
16624 'font-size:10.0pt'>duplicate-quals</span></span></p>
16625 <p class="IndentText">Report duplicate type qualifiers (e.g.,
16626 <span class="CodeText"><span style='font-size:10.0pt'>unsigned
16627 unsigned</span></span>).</p>
16629 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16630 height="14" align="left">
16632 <td valign="top" align="left" height="14" style=
16633 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16634 <p class="TextFontCX" align="center" style=
16635 'text-align:center;background:#CCCCCC'><span style=
16636 'font-size:10.0pt'>P:</span> <span class=
16637 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16638 <p class="TextFontCX"><span class="Flag"><span style=
16639 'font-size:10.0pt'>gnu-extensions</span></span></p>
16640 <p class="IndentText">Support some GNU and Microsoft language
16644 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16645 height="14" align="left">
16647 <td valign="top" align="left" height="14" style=
16648 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16649 <p class="TextFontCX" align="center" style=
16650 'text-align:center;background:#CCCCCC'><span style=
16651 'font-size:10.0pt'>P:</span> <span class=
16652 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
16653 <p class="TextFontCX"><span class="Flag"><span style=
16654 'font-size:10.0pt'>syntax</span></span></p>
16655 <p class="IndentText">Parse error.</p>
16658 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16659 height="14" align="left">
16661 <td valign="top" align="left" height="14" style=
16662 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16663 <p class="TextFontCX" align="center" style=
16664 'text-align:center;background:#CCCCCC'><span style=
16665 'font-size:10.0pt'>P:</span> <span class=
16666 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
16667 <p class="TextFontCX"><span class="Flag"><span style=
16668 'font-size:10.0pt'>try-to-recover</span></span></p>
16669 <p class="IndentText">Try to recover from a parse error. If
16670 <span class="Flag"><span style=
16671 'font-size:10.0pt'>trytorecover</span></span> is not set, Splint
16672 will abort checking after a parse error is detected. If it is
16673 set, Splint will attempt to recover, but Splint does performs only
16674 minimal error recovery. It is likely that trying to recover
16675 after a parse error will lead to an internal assertion failing.</p>
16678 <p class="Heading10">Warn use</p>
16681 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16682 height="14" align="left">
16684 <td valign="top" align="left" height="14" style=
16685 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16686 <p class="TextFontCX" align="center" style=
16687 'text-align:center;background:#CCCCCC'><span style=
16688 'font-size:10.0pt'>m:</span> <span class=
16689 "Keyword"><span style='font-size:10.0pt'>-+++
16690 </span></span></p></td></tr></table></div>
16691 <p class="TextFontCX"><span class="Flag"><span style=
16692 'font-size:10.0pt'>
16695 <p class="IndentText">
16696 Use of function that may lead to buffer overflow.
16700 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16701 height="14" align="left">
16703 <td valign="top" align="left" height="14" style=
16704 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16705 <p class="TextFontCX" align="center" style=
16706 'text-align:center;background:#CCCCCC'><span style=
16707 'font-size:10.0pt'>m:</span> <span class=
16708 "Keyword"><span style='font-size:10.0pt'>++++
16709 </span></span></p></td></tr></table></div>
16710 <p class="TextFontCX"><span class="Flag"><span style=
16711 'font-size:10.0pt'>
16714 <p class="IndentText">
16715 Use of function that may lead to buffer overflow.
16721 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16722 height="14" align="left">
16724 <td valign="top" align="left" height="14" style=
16725 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16726 <p class="TextFontCX" align="center" style=
16727 'text-align:center;background:#CCCCCC'><span style=
16728 'font-size:10.0pt'>m:</span> <span class=
16729 "Keyword"><span style='font-size:10.0pt'>--++
16730 </span></span></p></td></tr></table></div>
16731 <p class="TextFontCX"><span class="Flag"><span style=
16732 'font-size:10.0pt'>
16733 implementationoptional
16735 <p class="IndentText">
16736 Use of a declarator that is implementation optional, not required by ISO99.
16741 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16742 height="14" align="left">
16744 <td valign="top" align="left" height="14" style=
16745 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16746 <p class="TextFontCX" align="center" style=
16747 'text-align:center;background:#CCCCCC'><span style=
16748 'font-size:10.0pt'>m:</span> <span class=
16749 "Keyword"><span style='font-size:10.0pt'>--++
16750 </span></span></p></td></tr></table></div>
16751 <p class="TextFontCX"><span class="Flag"><span style=
16752 'font-size:10.0pt'>
16755 <p class="IndentText">
16756 Non-reentrant function should not be used in multithreaded code.
16760 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16761 height="14" align="left">
16763 <td valign="top" align="left" height="14" style=
16764 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16765 <p class="TextFontCX" align="center" style=
16766 'text-align:center;background:#CCCCCC'><span style=
16767 'font-size:10.0pt'>m:</span> <span class=
16768 "Keyword"><span style='font-size:10.0pt'>--++
16769 </span></span></p></td></tr></table></div>
16770 <p class="TextFontCX"><span class="Flag"><span style=
16771 'font-size:10.0pt'>
16774 <p class="IndentText">
16775 Use of function that may have implementation-dependent behavior.
16780 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16781 height="14" align="left">
16783 <td valign="top" align="left" height="14" style=
16784 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16785 <p class="TextFontCX" align="center" style=
16786 'text-align:center;background:#CCCCCC'><span style=
16787 'font-size:10.0pt'>m:</span> <span class=
16788 "Keyword"><span style='font-size:10.0pt'>--++
16789 </span></span></p></td></tr></table></div>
16790 <p class="TextFontCX"><span class="Flag"><span style=
16791 'font-size:10.0pt'>
16794 <p class="IndentText">
16795 Call to function restricted to superusers.
16800 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16801 height="14" align="left">
16803 <td valign="top" align="left" height="14" style=
16804 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16805 <p class="TextFontCX" align="center" style=
16806 'text-align:center;background:#CCCCCC'><span style=
16807 'font-size:10.0pt'>m:</span> <span class=
16808 "Keyword"><span style='font-size:10.0pt'>---+
16809 </span></span></p></td></tr></table></div>
16810 <p class="TextFontCX"><span class="Flag"><span style=
16811 'font-size:10.0pt'>
16814 <p class="IndentText">
16815 Possible time of check, time of use vulnerability.
16821 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16822 height="14" align="left">
16824 <td valign="top" align="left" height="14" style=
16825 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16826 <p class="TextFontCX" align="center" style=
16827 'text-align:center;background:#CCCCCC'><span style=
16828 'font-size:10.0pt'>m:</span> <span class=
16829 "Keyword"><span style='font-size:10.0pt'>----
16830 </span></span></p></td></tr></table></div>
16831 <p class="TextFontCX"><span class="Flag"><span style=
16832 'font-size:10.0pt'>
16835 <p class="IndentText">
16836 Use of function that need not be provided by UNIX implementations
16839 <p class="Heading10">ITS4 compatibility flags</p>
16843 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16844 height="14" align="left">
16846 <td valign="top" align="left" height="14" style=
16847 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16848 <p class="TextFontCX" align="center" style=
16849 'text-align:center;background:#CCCCCC'><span style=
16850 'font-size:10.0pt'>P:</span> <span class=
16851 "Keyword"><span style='font-size:10.0pt'>-
16852 </span></span></p></td></tr></table></div>
16853 <p class="TextFontCX"><span class="Flag"><span style=
16854 'font-size:10.0pt'>
16857 <p class="IndentText">
16858 Security vulnerability classified as most risky in its4 database.
16862 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16863 height="14" align="left">
16865 <td valign="top" align="left" height="14" style=
16866 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16867 <p class="TextFontCX" align="center" style=
16868 'text-align:center;background:#CCCCCC'><span style=
16869 'font-size:10.0pt'>P:</span> <span class=
16870 "Keyword"><span style='font-size:10.0pt'>-
16871 </span></span></p></td></tr></table></div>
16872 <p class="TextFontCX"><span class="Flag"><span style=
16873 'font-size:10.0pt'>
16876 <p class="IndentText">
16877 Security vulnerability classified as very risky in its4 database.
16882 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16883 height="14" align="left">
16885 <td valign="top" align="left" height="14" style=
16886 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16887 <p class="TextFontCX" align="center" style=
16888 'text-align:center;background:#CCCCCC'><span style=
16889 'font-size:10.0pt'>P:</span> <span class=
16890 "Keyword"><span style='font-size:10.0pt'>-
16891 </span></span></p></td></tr></table></div>
16892 <p class="TextFontCX"><span class="Flag"><span style=
16893 'font-size:10.0pt'>
16896 <p class="IndentText">
16897 Security vulnerability classified as risky in its4 database.
16902 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16903 height="14" align="left">
16905 <td valign="top" align="left" height="14" style=
16906 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16907 <p class="TextFontCX" align="center" style=
16908 'text-align:center;background:#CCCCCC'><span style=
16909 'font-size:10.0pt'>P:</span> <span class=
16910 "Keyword"><span style='font-size:10.0pt'>-
16911 </span></span></p></td></tr></table></div>
16912 <p class="TextFontCX"><span class="Flag"><span style=
16913 'font-size:10.0pt'>
16916 <p class="IndentText">
16917 Security vulnerability classified as moderate risk in its4 database.
16923 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16924 height="14" align="left">
16926 <td valign="top" align="left" height="14" style=
16927 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16928 <p class="TextFontCX" align="center" style=
16929 'text-align:center;background:#CCCCCC'><span style=
16930 'font-size:10.0pt'>P:</span> <span class=
16931 "Keyword"><span style='font-size:10.0pt'>-
16932 </span></span></p></td></tr></table></div>
16933 <p class="TextFontCX"><span class="Flag"><span style=
16934 'font-size:10.0pt'>
16937 <p class="IndentText">
16938 Security vulnerability classified as risky in its4 database.
16941 <p class="Heading10">Debug flags</p>
16944 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16945 height="14" align="left">
16947 <td valign="top" align="left" height="14" style=
16948 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16949 <p class="TextFontCX" align="center" style=
16950 'text-align:center;background:#CCCCCC'><span style=
16951 'font-size:10.0pt'>P:</span> <span class=
16952 "Keyword"><span style='font-size:10.0pt'>3
16953 </span></span></p></td></tr></table></div>
16954 <p class="TextFontCX"><span class="Flag"><span style=
16955 'font-size:10.0pt'>
16958 <p class="IndentText">
16959 Set maximum number of bugs detected before giving up.
16964 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16965 height="14" align="left">
16967 <td valign="top" align="left" height="14" style=
16968 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16969 <p class="TextFontCX" align="center" style=
16970 'text-align:center;background:#CCCCCC'><span style=
16971 'font-size:10.0pt'>m:</span> <span class=
16972 "Keyword"><span style='font-size:10.0pt'>----
16973 </span></span></p></td></tr></table></div>
16974 <p class="TextFontCX"><span class="Flag"><span style=
16975 'font-size:10.0pt'>
16978 <p class="IndentText">
16979 Perform buffer overflow checking even if the errors would be surpressed.
16985 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
16986 height="14" align="left">
16988 <td valign="top" align="left" height="14" style=
16989 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
16990 <p class="TextFontCX" align="center" style=
16991 'text-align:center;background:#CCCCCC'><span style=
16992 'font-size:10.0pt'>P:</span> <span class=
16993 "Keyword"><span style='font-size:10.0pt'>-
16994 </span></span></p></td></tr></table></div>
16995 <p class="TextFontCX"><span class="Flag"><span style=
16996 'font-size:10.0pt'>
16999 <p class="IndentText">
17000 Debug parsing. Prints bison generated debuging information.
17006 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17007 height="14" align="left">
17009 <td valign="top" align="left" height="14" style=
17010 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17011 <p class="TextFontCX" align="center" style=
17012 'text-align:center;background:#CCCCCC'><span style=
17013 'font-size:10.0pt'>P:</span> <span class=
17014 "Keyword"><span style='font-size:10.0pt'>-
17015 </span></span></p></td></tr></table></div>
17016 <p class="TextFontCX"><span class="Flag"><span style=
17017 'font-size:10.0pt'>
17020 <p class="IndentText">
17021 Do not delete temporary files.
17026 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17027 height="14" align="left">
17029 <td valign="top" align="left" height="14" style=
17030 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17031 <p class="TextFontCX" align="center" style=
17032 'text-align:center;background:#CCCCCC'><span style=
17033 'font-size:10.0pt'>P:</span> <span class=
17034 "Keyword"><span style='font-size:10.0pt'>-
17035 </span></span></p></td></tr></table></div>
17036 <p class="TextFontCX"><span class="Flag"><span style=
17037 'font-size:10.0pt'>
17040 <p class="IndentText">
17041 Do not pre-process input files.
17046 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
17047 height="14" align="left">
17049 <td valign="top" align="left" height="14" style=
17050 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
17051 <p class="TextFontCX" align="center" style=
17052 'text-align:center;background:#CCCCCC'><span style=
17053 'font-size:10.0pt'>P:</span> <span class=
17054 "Keyword"><span style='font-size:10.0pt'>-
17055 </span></span></p></td></tr></table></div>
17056 <p class="TextFontCX"><span class="Flag"><span style=
17057 'font-size:10.0pt'>
17060 <p class="IndentText">
17061 Display the source code location where a warning is produced.
17067 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
17068 <a name="_Toc534975062"></a><a name="_Ref348845752">Appendix
17070 'font:7.0pt "Times New Roman"'> </span>
17071 <a id="annotations" name="annotations">
17072 Annotations</a></a></p>
17073 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17074 <a name="_Toc534975063"></a><a name="_Ref348010146">Suppressin</a>g
17076 <p class="beforelist">Several annotations are provided for
17077 suppressing messages. In general, it is usually better to use
17078 specific flags to suppress a particular error permanently, but the
17079 general error suppression flags may be more convenient for quickly
17080 suppressing messages for code that will be corrected or documented
17082 <p class="TextFontCX"><span class="Flag"><span style=
17083 'font-size:10.0pt'>ignore</span></span></p>
17084 <p class="TextFontCX"><span class="Flag"><span style=
17085 'font-size:10.0pt'>end</span></span></p>
17086 <p class="IndentText">No errors will be reported in code regions
17087 between <span class="Annot"><span style=
17088 'font-size:10.0pt'>/*@ignore@*/</span></span> and
17089 <span class="Annot"><span style=
17090 'font-size:10.0pt'>/*@end@*/</span></span>. These
17091 comments can be used to easily suppress an unlimited number
17092 of messages, but are dangerous since if real errors are
17093 introduced in the <span class="Flag"><span style=
17094 'font-size:10.0pt'>ignore</span></span>…<span class=
17095 "Flag"><span style='font-size:10.0pt'>end</span></span>
17096 region they will not be reported. The <span class=
17097 "Annot"><span style='font-size:10.0pt'>ignore</span></span>
17098 and <span class="Annot"><span style=
17099 'font-size:10.0pt'>end</span></span> comments must be matched
17100 — a warning is printed if the file ends in an ignore
17101 region or if <span class="Flag"><span style=
17102 'font-size:10.0pt'>ignore</span></span> is used inside ignore
17104 <p class="TextFontCX"><span class="Flag"><span style=
17105 'font-size:10.0pt'>i</span></span></p>
17106 <p class="IndentText">No errors will be reported from an
17107 <span class="Annot"><span style=
17108 'font-size:10.0pt'>/*@i@*/</span></span> comment to the end of the
17110 <p class="TextFontCX"><span class="Flag"><span style=
17111 'font-size:10.0pt'>i</span></span><span class=
17112 "Flag"><span style='font-size:10.0pt'><i><n></i></span></span></p>
17113 <p class="IndentText">No errors will be reported from an
17114 <span class="Annot"><span style=
17115 'font-size:10.0pt'>/*@i<i><n></i>@*/</span></span> (e.g.,
17116 <span class="Annot"><span style=
17117 'font-size:10.0pt'>/*@i3@*/</span></span>) comment to the end of
17118 the line. If there are not exactly <i>n</i> errors suppressed
17119 from the comment point to the end of the line, Splint will report
17120 an error. This is more robust than <span class=
17121 "Annot"><span style='font-size:10.0pt'>i</span></span> or
17122 <span class="Annot"><span style=
17123 'font-size:10.0pt'>ignore</span></span> since a message is
17124 generated if the expected number errors is not present. Since
17125 errors are not necessarily detected until after this file is
17126 processed (for example, and unused variable error), suppress count
17127 errors are reported after all files have been processed. The
17128 <span class="Flag"><span style=
17129 'font-size: 10.0pt'>‑supcounts</span></span> flag may be used
17130 to suppress these errors. This is useful when a system if
17131 being rechecked with different flag settings.</p>
17132 <p class="TextFontCX"><span class="Annot"><span style=
17133 'font-size:10.0pt'>t</span></span></p>
17134 <p class="TextFontCX"><span class="Flag"><span style=
17135 'font-size:10.0pt'>t<i><n></i></span></span></p>
17136 <p class="IndentText">Like <span class="Annot"><span style=
17137 'font-size:10.0pt'>i</span></span> and <span class=
17138 "Annot"><span style=
17139 'font-size:10.0pt'>i<i><n></i></span></span>, except
17140 controlled by <span class="Flag"><span style=
17141 'font-size:10.0pt'>+tmpcomments</span></span> flag. These can
17142 be used to temporarily suppress certain errors. Then,
17143 <span class="Flag"><span style=
17144 'font-size:10.0pt'>-tmpcomments</span></span> can be set to find
17146 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
17147 <a name="_Toc534975064">Syntactic Annotations</a></p>
17148 <p class="TextFontCX">The grammar below is the C syntax from
17149 [K&R,A13] modified to show the syntax of syntactic
17150 comments. Only productions effected by Splint annotations are
17151 shown. In the annotations, the <span class=
17152 "Annot"><span style='font-size:10.0pt'>@</span></span> represents
17153 the comment marker char, set by <span class=
17154 "Flag"><span style='font-size:10.0pt'>-commentchar</span></span> (default
17155 is <span class="Annot"><span style=
17156 'font-size:10.0pt'>@</span></span>).</p>
17157 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17158 <a name="_Toc534975065">Functions</a></p>
17159 <p class="TextFontCX"><i>direct-declarator</i> <span style=
17160 'font-family:Symbol'>Þ</span></p>
17161 <p class="TextFontCX" style='text-indent:.5in'><i>
17162 direct-declarator</i> <span class="Annot"><span style=
17163 'font-size:10.0pt'>(</span></span><i>parameter-type-list<sub>opt</sub></i>
17164 <span class="Annot"><span style='font-size: 10.0pt'>)</span></span>
17165 <i>stateClause*<sub>opt</sub> globals<sub>opt</sub>
17166 modifies<sub>opt</sub></i></p>
17167 <p class="TextFontCX" style='text-indent:.5in'><i>|
17168 direct-declarator</i> <span class="Annot"><span style=
17169 'font-size:10.0pt'>(</span></span><i>identifier-list<sub>opt</sub></i>
17170 <span class="Annot"><span style='font-size: 10.0pt'>)</span></span>
17171 <i>stateClause*<sub>opt</sub> globals<sub>opt</sub>
17172 modifies<sub>opt</sub></i></p>
17173 <p class="TextFontCX"><i> </i></p>
17174 <p class="TextFontCX"><i>stateClause</i> <span style=
17175 'font-family:Symbol'>Þ</span> <span class=
17176 "Annot"><span style='font-size:10.0pt'>/*@</span></span> (
17177 <span class="Annot"><span style=
17178 'font-size:10.0pt'>uses</span></span> <i>|</i> <span class=
17179 "Annot"><span style='font-size:10.0pt'>sets</span></span>
17180 <i>|</i> <span class="Annot"><span style=
17181 'font-size:10.0pt'>defines</span></span> <i>|</i>
17182 <span class="Annot"><span style=
17183 'font-size:10.0pt'>allocates</span></span> <i>|</i>
17184 <span class="Annot"><span style=
17185 'font-size:10.0pt'>releases</span></span>)
17186 <i>reference,<sup>+</sup></i> <span class=
17187 "Annot"><span style='font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17188 <span class="Annot"><span style=
17189 'font-size:10.0pt'>@*/</span></span></p>
17190 <p class="TextFontCX" align="right" style='text-align: right'>
17191 <i>
17192 |</i> <span class="Annot"><span style=
17193 'font-size:10.0pt'>/*@</span></span> ( <span class=
17194 "Annot"><span style='font-size:10.0pt'>ensures</span></span> |
17195 <span class="Annot"><span style=
17196 'font-size:10.0pt'>requires</span></span> ) <i>stateTag</i>
17197 <i>reference,<sup>+</sup></i> <span class=
17198 "Annot"><span style='font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17199 <span class="Annot"><span style=
17200 'font-size:10.0pt'>@*/ </span></span>
17202 <p class="TextFontCX"><i> </i></p>
17203 <p class="TextFontCX"><i>stateTag</i> <span style=
17204 'font-family:Symbol'>Þ</span> <span class=
17205 "Annot"><span style='font-size: 10.0pt'>only</span></span>
17206 <i>|</i> <span class="Annot"><span style=
17207 'font-size: 10.0pt'>shared</span></span> <i>|</i>
17208 <span class="Annot"><span style=
17209 'font-size: 10.0pt'>owned</span></span> <i>|</i> <span class=
17210 "Annot"><span style=
17211 'font-size: 10.0pt'>dependent</span></span> <i>|</i>
17212 <span class="Annot"><span style=
17213 'font-size:10.0pt'>observer</span></span> <i>|</i>
17214 <span class="Annot"><span style=
17215 'font-size:10.0pt'>exposed</span></span> <i>|</i>
17216 <span class="Annot"><span style=
17217 'font-size:10.0pt'>isnull</span></span> <i>|</i> <span class=
17218 "Annot"><span style=
17219 'font-size:10.0pt'>notnull</span></span></p>
17220 <p class="TextFontCX" align="right" style=
17221 'text-align: right;text-indent:.5in'><i> |
17222 identifier </i>
17223 (Annotation defined by metastate definition, Section 10)</p>
17224 <p class="TextFontCX" style='text-indent:.5in'>
17225 <i> </i></p>
17226 <p class="TextFontCX"><i>globals</i> <span style=
17227 'font-family:Symbol'>Þ</span> <span class=
17228 "Annot"><span style='font-size: 10.0pt'>/*@globals</span></span>
17229 <i>globitem,<sup>+</sup></i> <span class="Annot"><span style=
17230 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>
17231 <span class="Annot"><span style=
17232 'font-size:10.0pt'>@*/</span></span> <i>|</i> <span class=
17233 "Annot"><span style=
17234 'font-size:10.0pt'>/*@globals</span></span><i>declaration-list<sub>opt </sub></i>
17235 <span class="Annot"><span style=
17236 'font-size: 10.0pt'>;</span></span><i><sub>opt</sub></i><span class="Annot">
17237 <span style='font-size:10.0pt'>@*/</span></span><span class=
17238 "Keyword"><span style='font-size:10.0pt'> </span></span></p>
17239 <p class="TextFontCX"><i>globitem</i> <span style=
17240 'font-family:Symbol'>Þ</span> [ ( <span class=
17241 "Annot"><span style='font-size:10.0pt'>undef</span></span> |
17242 <span class="Annot"><span style=
17243 'font-size:10.0pt'>killed</span></span> )* ] <span class=
17244 "Keyword"><i><sub><span style=
17245 'font-size:10.5pt;font-family:"Times New Roman"'> </span></sub></i></span><i>
17246 identifier | </i> <span class="Annot"><span style=
17247 'font-size:10.0pt'>internalState</span></span><i>| </i>
17248 <span class="Annot"><span style=
17249 'font-size:10.0pt'>fileSystem</span></span></p>
17250 <p class="TextFontCX"><i> </i></p>
17251 <p class="TextFontCX"><i>modifies</i> <span style=
17252 'font-family:Symbol'>Þ</span> <span class=
17253 "Annot"><span style='font-size:10.0pt'>/*@modifies</span></span>
17254 (<span class="Annot"><span style=
17255 'font-size:10.0pt'>nothing</span></span> <i>|</i>
17256 (<i>expression</i> | <span class="Annot"><span style=
17257 'font-size:10.0pt'>internalState</span></span> | <span class=
17258 "Annot"><span style=
17259 'font-size:10.0pt'>fileSystem</span></span>)<i><sup>+</sup></i><span class="Annot">
17261 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i>)
17262 <span class="Annot"><span style=
17263 'font-size:10.0pt'>@*/</span></span><span class=
17264 "Keyword"><span style=
17265 'font-size:10.0pt'> </span></span></p>
17266 <p class="TextFontCX" align="right" style='text-align: right'>
17267 <span class="Keyword"><span style=
17268 'font-size:10.0pt'> </span></span> <i>|</i>
17269 <span class="Annot"><span style=
17270 'font-size:10.0pt'>/*@*/</span></span><span class=
17271 "Keyword"><span style='font-size:10.0pt'>
17272
17273 </span></span>(Abbreviation for
17274 no globals and modifies nothing.)</p>
17275 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17276 <a name="_Toc534975066">Iterators</a> <span class=
17277 "TextFontCXChar"><span style=
17278 'font-size:11.0pt; font-weight:normal'>(Section
17279 11.4)</span></span></p>
17280 <p class="beforelist">The globals and modifies clauses for an
17281 iterator are the same as those for a function, except they are not
17282 enclosed by a comment, since the iterator is already a comment.</p>
17283 <p class="TextFontCX"><i>direct-declarator</i></p>
17284 <p class="TextFontCX" style='text-indent:.5in'><span style=
17285 'font-family:Symbol'>Þ</span> <span class=
17286 "Annot"><span style='font-size: 10.0pt'>/*@iter</span></span>
17287 <i>identifier</i> <span class="Annot"><span style=
17288 'font-size:10.0pt'>(</span></span><i>parameter-type-list<sub>opt</sub></i>
17289 <span class="Annot"><span style=
17290 'font-size:10.0pt'>)</span></span>
17291 <i>iterGlobals<sub>opt</sub> iterModifies<sub>opt</sub></i>
17292 <span class="Annot"><span style=
17293 'font-size:10.0pt'>@*/</span></span></p>
17294 <p class="TextFontCX"><i> </i></p>
17295 <p class="TextFontCX"><i>iter-globals</i> <span style=
17296 'font-family:Symbol'>Þ</span> <span class=
17297 "Annot"><span style='font-size: 10.0pt'>globals</span></span>
17298 <i>declaration-list<sub>opt</sub></i> <span class=
17299 "Annot"><span style=
17300 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i></p>
17301 <p class="TextFontCX"><i>iter-modifies</i> <span style=
17302 'font-family:Symbol'>Þ</span> <span class=
17303 "Annot"><span style='font-size: 10.0pt'>modifies</span></span><i>
17304 moditem,+</i><span class="Annot"><span style=
17305 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i><i>|</i>
17306 <span class="Annot"><span style=
17307 'font-size:10.0pt'> modifies
17308 nothing</span></span><span class="Annot"><span style=
17309 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i></p>
17310 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17311 <a name="_Toc534975067">Constants</a> <span class=
17312 "TextFontCXChar"><span style=
17313 'font-size:11.0pt; font-weight:normal'>(Section
17314 11.1)</span></span></p>
17315 <p class="TextFontCX"><i>external-declaration</i>
17316 <span style='font-family:Symbol'>Þ</span> <span class=
17317 "Annot"><span style=
17318 'font-size: 10.0pt'>/*@constant</span></span> <i>declaration
17319 <sub> </sub></i><span class="Annot"><span style=
17320 'font-size:10.0pt'>;</span></span><i><sub>opt</sub></i><span class="Annot">
17321 <span style='font-size:10.0pt'>@*/</span></span></p>
17322 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17323 <a name="_Toc534975068"></a><a name="_Ref344807420">Alternate
17324 Types</a> <span class="TextFontCXChar"><span style=
17325 'font-size:11.0pt; font-weight:normal'>(Section
17326 4.4)</span></span></p>
17327 <p class="beforelist">Alternate types may be used in the type
17328 specification of parameters and return values.</p>
17329 <p class="TextFontCX" align="left" style='text-align: left'>
17330 <i>extended-type</i><span style='font-family:Symbol'>Þ</span>
17331 <i>type-specifier alt-type <sub>opt</sub></i></p>
17332 <p class="TextFontCX"><i>alt-type</i> <span style=
17333 'font-family:Symbol'>Þ</span> <span class=
17334 "Annot"><span style='font-size: 10.0pt'>/*@alt</span></span>
17335 <i>basic-type,<sup>+</sup></i> <span class=
17336 "Annot"><span style='font-size:10.0pt'>@*/</span></span></p>
17337 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17338 <a name="_Toc534975069">Declarator Annotations</a></p>
17339 <p class="TextFontCX">General annotations appear after
17340 <i>storage-class-specifier</i>s and before
17341 <i>type-specifier</i>s. Multiple annotations may be used in
17342 any order. Here, annotations are without the surrounding
17343 comment. In a declaration, the annotation would be surrounded
17344 by <span class="Annot"><span style=
17345 'font-size:10.0pt'>/*@</span></span> and <span class=
17346 "Annot"><span style='font-size:10.0pt'>@*/</span></span>. In
17347 a globals or modifies clause or iterator or constant declaration,
17348 no surrounding comments would be used since they are within a
17350 <p class="Heading10" align="left" style='text-align:left'>Type
17351 Definitions <span class="TextFontCXChar"><span style=
17352 'font-size:11.0pt; font-weight:normal'>(Section
17353 4.3)</span></span></p>
17354 <p class="beforelist">A type definition may use any either
17355 <span class="Annot"><span style=
17356 'font-size:10.0pt'>abstract</span></span> or <span class=
17357 "Annot"><span style='font-size:10.0pt'>concrete</span></span>,
17358 either <span class="Annot"><span style=
17359 'font-size:10.0pt'>mutable</span></span> or <span class=
17360 "Annot"><span style='font-size:10.0pt'>immutable</span></span>, and
17361 <span class="Annot"><span style=
17362 'font-size:10.0pt'>refcounted</span></span>. Only a pointer
17363 to a <span class="Annot"><span style=
17364 'font-size:10.0pt'>struct</span></span> may be declared with
17365 <span class="Annot"><span style=
17366 'font-size:10.0pt'>refcounted</span></span>. Mutability
17367 annotations may not be used with concrete types since concrete
17368 types inherit their mutability from the actual type.</p>
17369 <p class="TextFontCX"><span class="Annot"><span style=
17370 'font-size:10.0pt'>abstract</span></span></p>
17371 <p class="MsoNormal" style='margin-left:13.5pt'>Type is abstraction
17372 (representation is hidden from clients.)</p>
17373 <p class="TextFontCX"><span class="Annot"><span style=
17374 'font-size:10.0pt'>concrete</span></span></p>
17375 <p class="MsoNormal" style='margin-left:13.5pt'>Type is concrete
17376 (representation is visible to clients.)</p>
17377 <p class="TextFontCX"><span class="Annot"><span style=
17378 'font-size:10.0pt'>immutable</span></span></p>
17379 <p class="MsoNormal" style='margin-left:13.5pt'>Instances of the
17380 type cannot change value.</p>
17381 <p class="TextFontCX"><span class="Annot"><span style=
17382 'font-size:10.0pt'>mutable</span></span></p>
17383 <p class="MsoNormal" style='margin-left:13.5pt'>Instances of the
17384 type can change value.</p>
17385 <p class="TextFontCX"><span class="Annot"><span style=
17386 'font-size:10.0pt'>refcounted</span></span></p>
17387 <p class="IndentText">Reference counted (Section 5.4).</p>
17388 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17389 <a name="_Toc534975070">Type Access</a></p>
17390 <p class="TextFontCX">Control comments may also be used to override
17391 type access settings.</p>
17392 <p class="TextFontCX"><span class="Annot"><span style=
17393 'font-size:10.0pt'> </span></span></p>
17394 <p class="TextFontCX"><span class="Annot"><span style=
17395 'font-size:10.0pt'>/*@access
17396 <i><type></i>,<sup>+</sup>@*/</span></span><span class=
17397 "Annot"><span style='font-size:10.0pt'> </span></span></p>
17398 <p class="IndentText">Allows the following code to access the
17399 representation of <span class="Annot"><i><span style=
17400 'font-size:10.0pt'><type></span></i></span>. Type
17401 access applies from the point of the comment to the end of the file
17402 or the next access control comment for this type.</p>
17403 <p class="TextFontCX"><span class="Annot"><span style=
17404 'font-size:10.0pt'>/*@noaccess</span></span> <span class=
17405 "Annot"><span style=
17406 'font-size:10.0pt'><i><type></i>,<sup>+</sup>@*/</span></span></p>
17407 <p class="IndentText">Restricts access to the representation of
17408 <span class="Annot"><i><span style=
17409 'font-size:10.0pt'><type></span></i></span>. The type
17410 in a <span class="Annot"><span style=
17411 'font-size:10.0pt'>noaccess</span></span> comment must have been
17412 declared as an abstract type. </p>
17413 <p class="Heading10">Global Variables <span class=
17414 "HeadingNote"><span style=
17415 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17416 <span class="HeadingNote"><span style=
17417 'font-size:10.5pt;font-weight:normal;font-style: normal'>7.2</span></span><span class="HeadingNote">
17419 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17420 <p class="beforelist">One check annotation may be used on a global
17421 or file-static variable declaration.</p>
17422 <p class="TextFontCX"><span class="Annot"><span style=
17423 'font-size:10.0pt'>unchecked</span></span></p>
17424 <p class="IndentText"><span class="Annot"><span style=
17425 'font-size:10.0pt;font-family: "Times New Roman"'>Weakest checking
17426 for global use.</span></span></p>
17427 <p class="TextFontCX"><span class="Annot"><span style=
17428 'font-size:10.0pt'>checkmod</span></span></p>
17429 <p class="IndentText"><span class="Annot"><span style=
17430 'font-size:10.0pt;font-family: "Times New Roman"'>Check
17431 modification by not use of global.</span></span></p>
17432 <p class="TextFontCX"><span class="Annot"><span style=
17433 'font-size:10.0pt'>checked</span></span></p>
17434 <p class="IndentText"><span class="Annot"><span style=
17435 'font-size:10.0pt;font-family: "Times New Roman"'>Check use and
17436 modification of global.</span></span></p>
17437 <p class="TextFontCX"><span class="Annot"><span style=
17438 'font-size:10.0pt'>checkedstrict</span></span></p>
17439 <p class="IndentText"><span class="Annot"><span style=
17440 'font-size:10.0pt;font-family: "Times New Roman"'>Check use of
17441 global, even in functions with no global list.</span></span></p>
17442 <p class="Heading10">Memory Management <span class=
17443 "HeadingNote"><span style=
17444 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17445 <span class="HeadingNote"><span style=
17446 'font-size:10.5pt;font-weight:normal;font-style: normal'>3</span></span><span class="HeadingNote">
17448 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17449 <p class="TextFontCX"><span class="Annot"><span style=
17450 'font-size:10.0pt'>dependent</span></span></p>
17451 <p class="IndentText"><span class="Annot"><span style=
17452 'font-size:10.0pt;font-family: "Times New Roman"'>A reference to
17453 externally-owned storage. (Section</span></span>
17454 <span class="Annot"><span style=
17455 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.2</span></span><span class="Annot">
17457 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17458 <p class="TextFontCX"><span class="Annot"><span style=
17459 'font-size:10.0pt'>keep</span></span></p>
17460 <p class="IndentText"><span class="Annot"><span style=
17461 'font-size:10.0pt;font-family: "Times New Roman"'>A parameter that
17462 is kept by the called function. The caller may use the
17463 storage after the call, but the called function is responsible for
17464 making sure it is deallocated. (Section</span></span>
17465 <span class="Annot"><span style=
17466 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.4</span></span><span class="Annot">
17468 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17469 <p class="TextFontCX"><span class="Annot"><span style=
17470 'font-size:10.0pt'>killref</span></span></p>
17471 <p class="IndentText">A <span class="Annot"><span style=
17472 'font-size:10.0pt'>refcounted</span></span> parameter. This
17473 reference is killed by the call. (Section 5.4)</p>
17474 <p class="TextFontCX"><span class="Annot"><span style=
17475 'font-size:10.0pt'>only</span></span></p>
17476 <p class="IndentText"><span class="Annot"><span style=
17477 'font-size:10.0pt;font-family: "Times New Roman"'>An unshared
17478 reference. Associated memory must be released before
17479 reference is lost.
17480 (Section </span></span><span class="Annot"><span style=
17481 'font-size:10.0pt;font-family:"Times New Roman"'>5.2</span></span><span class="Annot">
17483 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17484 <p class="TextFontCX"><span class="Annot"><span style=
17485 'font-size:10.0pt'>owned</span></span></p>
17486 <p class="IndentText"><span class="Annot"><span style=
17487 'font-size:10.0pt;font-family: "Times New Roman"'>Storage may be
17488 shared by dependent references, but associated memory must be
17489 released before this reference is lost.
17490 (Section</span></span> <span class="Annot"><span style=
17491 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.2</span></span><span class="Annot">
17493 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17494 <p class="TextFontCX"><span class="Annot"><span style=
17495 'font-size:10.0pt'>shared</span></span></p>
17496 <p class="IndentText"><span class="Annot"><span style=
17497 'font-size:10.0pt;font-family: "Times New Roman"'>Shared reference
17498 that is never deallocated. (Section</span></span>
17499 <span class="Annot"><span style=
17500 'font-size:10.0pt;font-family:"Times New Roman"'>5.2.5</span></span><span class="Annot">
17502 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17503 <p class="TextFontCX"><span class="Annot"><span style=
17504 'font-size:10.0pt'>temp</span></span></p>
17505 <p class="IndentText">A temporary parameter. May not be
17506 released, and new aliases to it may not be created. (Section
17508 <p class="Heading10">Aliasing <span class=
17509 "HeadingNote"><span style=
17510 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17511 <span class="HeadingNote"><span style=
17512 'font-size:10.5pt;font-weight:normal;font-style: normal'>6</span></span><span class="HeadingNote">
17514 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17515 <p class="beforelist">Both alias annotations may be used on a
17516 parameter declaration.</p>
17517 <p class="TextFontCX"><span class="Annot"><span style=
17518 'font-size:10.0pt'>unique</span></span></p>
17519 <p class="IndentText"><span class="Annot"><span style=
17520 'font-size:10.0pt;font-family: "Times New Roman"'>Parameter that
17521 may not be aliased by any other reference visible to the function.
17522 (Section </span></span><span class="Annot"><span style=
17523 'font-size:10.0pt;font-family:"Times New Roman"'>6.1.1</span></span><span class="Annot">
17525 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17526 <p class="TextFontCX"><span class="Annot"><span style=
17527 'font-size:10.0pt'>returned</span></span></p>
17528 <p class="IndentText"><span class="Annot"><span style=
17529 'font-size:10.0pt;font-family: "Times New Roman"'>Parameter that
17530 may be aliased by the return value. (Section</span></span>
17531 <span class="Annot"><span style=
17532 'font-size:10.0pt;font-family:"Times New Roman"'>6.1.2</span></span><span class="Annot">
17534 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17535 <p class="Heading10">Exposure <span class=
17536 "HeadingNote"><span style=
17537 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17538 <span class="HeadingNote"><span style=
17539 'font-size:10.5pt;font-weight:normal;font-style: normal'>6.2</span></span><span class="HeadingNote">
17541 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17542 <p class="TextFontCX"><span class="Annot"><span style=
17543 'font-size:10.0pt'>observer</span></span></p>
17544 <p class="IndentText"><span class="Annot"><span style=
17545 'font-size:10.0pt;font-family: "Times New Roman"'>Reference that
17546 cannot be modified. (Section</span></span> <span class=
17547 "Annot"><span style=
17548 'font-size:10.0pt;font-family:"Times New Roman"'>6.2.1</span></span><span class="Annot">
17550 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17551 <p class="TextFontCX"><span class="Annot"><span style=
17552 'font-size:10.0pt'>exposed</span></span></p>
17553 <p class="IndentText"><span class="Annot"><span style=
17554 'font-size:10.0pt;font-family: "Times New Roman"'>Exposed reference
17555 to storage in another object. (Section</span></span>
17556 <span class="Annot"><span style=
17557 'font-size:10.0pt;font-family:"Times New Roman"'>6.2</span></span><span class="Annot">
17559 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17560 <p class="Heading10">Definition State <span class=
17561 "HeadingNote"><span style=
17562 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17563 <span class="HeadingNote"><span style=
17564 'font-size:10.5pt;font-weight:normal;font-style: normal'>3</span></span><span class="HeadingNote">
17566 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17567 <p class="TextFontCX"><span class="Annot"><span style=
17568 'font-size:10.0pt'>out</span></span></p>
17569 <p class="IndentText"><span class="Annot"><span style=
17570 'font-size:10.0pt;font-family: "Times New Roman"'>Storage reachable
17571 from reference need not be defined.</span></span></p>
17572 <p class="TextFontCX"><span class="Annot"><span style=
17573 'font-size:10.0pt'>in</span></span></p>
17574 <p class="IndentText"><span class="Annot"><span style=
17575 'font-size:10.0pt;font-family: "Times New Roman"'>All storage
17576 reachable from reference must be defined.</span></span></p>
17577 <p class="TextFontCX"><span class="Annot"><span style=
17578 'font-size:10.0pt'>partial</span></span></p>
17579 <p class="IndentText"><span class="Annot"><span style=
17580 'font-size:10.0pt;font-family: "Times New Roman"'>Partially
17581 defined. A structure may have undefined fields. No
17582 errors reported when fields are used.</span></span></p>
17583 <p class="TextFontCX"><span class="Annot"><span style=
17584 'font-size:10.0pt'>reldef</span></span></p>
17585 <p class="IndentText"><span class="Annot"><span style=
17586 'font-size:10.0pt;font-family: "Times New Roman"'>Relax definition
17587 checking. No errors when reference is not defined, or when it
17588 is used.</span></span></p>
17589 <p class="Heading10">Global State <span class=
17590 "TextFontCXChar"><span style=
17591 'font-size:11.0pt; font-weight:normal'>(Section
17592 7.2.2)</span></span></p>
17593 <p class="TextFontCX">These annotations may only be used in globals
17594 lists. Both annotations may be used for the same variable, to
17595 mean the variable is undefined before and after the call.</p>
17596 <p class="TextFontCX"> </p>
17597 <p class="TextFontCX"><span class="Annot"><span style=
17598 'font-size:10.0pt'>undef</span></span></p>
17599 <p class="IndentText"><span class="Annot"><span style=
17600 'font-size:10.0pt;font-family: "Times New Roman"'>Variable is
17601 undefined before the call.</span></span></p>
17602 <p class="TextFontCX"><span class="Annot"><span style=
17603 'font-size:10.0pt'>killed</span></span></p>
17604 <p class="IndentText"><span class="Annot"><span style=
17605 'font-size:10.0pt;font-family: "Times New Roman"'>Variable is
17606 undefined after the call.</span></span></p>
17607 <p class="Heading10">Null State <span class=
17608 "HeadingNote"><span style=
17609 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17610 <span class="HeadingNote"><span style=
17611 'font-size:10.5pt;font-weight:normal;font-style: normal'>2</span></span><span class="HeadingNote">
17613 'font-size:10.5pt;font-weight:normal;font-style: normal'>)</span></span></p>
17614 <p class="TextFontCX"><span class="Annot"><span style=
17615 'font-size:10.0pt'>null</span></span></p>
17616 <p class="IndentText"><span class="Annot"><span style=
17617 'font-size:10.0pt;font-family: "Times New Roman"'>Possibly null
17618 pointer.</span></span></p>
17619 <p class="TextFontCX"><span class="Annot"><span style=
17620 'font-size:10.0pt'>notnull</span></span><span class=
17621 "Annot"><span style=
17622 'font-size:10.0pt'> </span></span></p>
17623 <p class="IndentText"><span class="Annot"><span style=
17624 'font-size:10.0pt;font-family: "Times New Roman"'>Non-null
17625 pointer.</span></span></p>
17626 <p class="TextFontCX"><span class="Annot"><span style=
17627 'font-size:10.0pt'>relnull</span></span></p>
17628 <p class="IndentText"><span class="Annot"><span style=
17629 'font-size:10.0pt;font-family: "Times New Roman"'>Relax null
17630 checking. No errors when</span></span> <span class=
17631 "CodeText"><span style=
17632 'font-size:10.0pt'>NULL</span></span><span class=
17633 "Annot"><span style=
17634 'font-size:10.0pt;font-family:"Times New Roman"'>is assigned to it,
17635 or when it is used as a non-null pointer.</span></span></p>
17636 <p class="Heading10">Null Predicates <span class=
17637 "HeadingNote"><span style=
17638 'font-size:10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17639 <span class="HeadingNote"><span style=
17640 'font-size:10.5pt;font-weight:normal;font-style: normal'>2.1.1</span></span><span class="HeadingNote">
17642 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17643 <p class="beforelist">A null predicate annotation may be used of
17644 the return value of a function returning a Boolean type, taking a
17645 possibly-null pointer for its first argument.</p>
17646 <p class="TextFontCX"><span class="Annot"><span style=
17647 'font-size:10.0pt'>nullwhentrue</span></span></p>
17648 <p class="IndentText"><span class="Annot"><span style=
17649 'font-size:10.0pt;font-family: "Times New Roman"'>If result is
17650 true, first parameter is</span></span> <span class=
17651 "CodeText"><span style=
17652 'font-size:10.0pt'>NULL</span></span><span class=
17653 "Annot"><span style=
17654 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17655 <p class="TextFontCX"><span class="Annot"><span style=
17656 'font-size:10.0pt'>falsewhennull</span></span></p>
17657 <p class="IndentText"><span class="Annot"><span style=
17658 'font-size:10.0pt;font-family: "Times New Roman"'>If result
17659 is</span></span> <span class="CodeText"><span style=
17660 'font-size:10.0pt'>TRUE</span></span><span class=
17661 "Annot"><span style=
17662 'font-size:10.0pt;font-family:"Times New Roman"'>, first parameter
17663 is not</span></span> <span class="CodeText"><span style=
17664 'font-size:10.0pt'>NULL</span></span><span class=
17665 "Annot"><span style=
17666 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17667 <p class="Heading10">Execution <span class=
17668 "HeadingNote"><span style=
17669 'font-size: 10.5pt;font-weight:normal;font-style:normal'>(Section</span></span>
17670 <span class="HeadingNote"><span style=
17671 'font-size:10.5pt;font-weight:normal;font-style: normal'>8.1</span></span><span class="HeadingNote">
17673 'font-size:10.5pt; font-weight:normal;font-style:normal'>)</span></span></p>
17674 <p class="beforelist">The <span class="Annot"><span style=
17675 'font-size:10.0pt'>noreturn</span></span>, <span class=
17676 "Annot"><span style='font-size:10.0pt'>maynotreturn</span></span>
17677 and <span class="Annot"><span style=
17678 'font-size:10.0pt'>alwaysreturn</span></span> annotations may be
17679 used on any function. The <span class=
17680 "Annot"><span style='font-size:10.0pt'>noreturnwhentrue</span></span>
17681 and <span class="Annot"><span style=
17682 'font-size:10.0pt'>noreturnwhenfalse</span></span>
17683 annotations may only be used on functions whose first
17684 argument is a Boolean. </p>
17685 <p class="TextFontCX"><span class="Annot"><span style=
17686 'font-size:10.0pt'>noreturn</span></span><span class=
17687 "Annot"><span style=
17688 'font-size:10.0pt'> </span></span></p>
17689 <p class="IndentText"><span class="Annot"><span style=
17690 'font-size:10.0pt;font-family: "Times New Roman"'>Function never
17691 returns.</span></span></p>
17692 <p class="TextFontCX"><span class="Annot"><span style=
17693 'font-size:10.0pt'>maynotreturn</span></span></p>
17694 <p class="IndentText"><span class="Annot"><span style=
17695 'font-size:10.0pt;font-family: "Times New Roman"'>Function may or
17696 may not return.</span></span></p>
17697 <p class="TextFontCX"><span class="Annot"><span style=
17698 'font-size:10.0pt'>noreturnwhentrue</span></span></p>
17699 <p class="IndentText"><span class="Annot"><span style=
17700 'font-size:10.0pt;font-family: "Times New Roman"'>Function does not
17701 return if first parameter is</span></span> <span class=
17702 "Keyword"><span style=
17703 'font-size:10.0pt'>TRUE</span></span><span class=
17704 "Annot"><span style=
17705 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17706 <p class="TextFontCX"><span class="Annot"><span style=
17707 'font-size:10.0pt'>noreturnwhenfalse</span></span></p>
17708 <p class="IndentText"><span class="Annot"><span style=
17709 'font-size:10.0pt;font-family: "Times New Roman"'>Function does not
17710 return if first parameter if</span></span> <span class=
17711 "Keyword"><span style=
17712 'font-size:10.0pt'>FALSE</span></span><span class=
17713 "Annot"><span style=
17714 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17715 <p class="TextFontCX"><span class="Annot"><span style=
17716 'font-size:10.0pt'>alwaysreturn</span></span></p>
17717 <p class="IndentText"><span class="Annot"><span style=
17718 'font-size:10.0pt;font-family: "Times New Roman"'>Function always
17719 returns.</span></span></p>
17720 <p class="Heading10">Side Effects <span style=
17721 'font-size:10.5pt;font-weight: normal'>(Section 11.2.1)</span></p>
17722 <p class="TextFontCX"><span class="Annot"><span style=
17723 'font-size:10.0pt'>sef</span></span></p>
17724 <p class="IndentText"><span class="Annot"><span style=
17725 'font-size:10.0pt;font-family:"Times New Roman"'>Corresponding
17726 actual parameter has no side effects.</span></span></p>
17727 <p class="Heading10">Declarations</p>
17728 <p class="beforelist">These annotations can be used on a
17729 declaration to control unused or undefined error reporting.</p>
17730 <p class="TextFontCX"><span class="Annot"><span style=
17731 'font-size:10.0pt'>unused</span></span></p>
17732 <p class="IndentText"><span class="Annot"><span style=
17733 'font-size:10.0pt;font-family: "Times New Roman"'>Identifier need
17734 not be used (no unused errors reported.)
17735 (Section</span></span> <span class="Annot"><span style=
17736 'font-size:10.0pt;font-family:"Times New Roman"'>13.1</span></span><span class="Annot">
17738 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17739 <p class="TextFontCX"><span class="Annot"><span style=
17740 'font-size:10.0pt'>external</span></span></p>
17741 <p class="IndentText"><span class="Annot"><span style=
17742 'font-size:10.0pt;font-family: "Times New Roman"'>Identifier is
17743 defined externally (no undefined error reported.)
17744 (Section</span></span> <span class="Annot"><span style=
17745 'font-size:10.0pt;font-family:"Times New Roman"'>13.2</span></span><span class="Annot">
17747 'font-size:10.0pt;font-family:"Times New Roman"'>)</span></span></p>
17748 <p class="Heading10">Switch Statements</p>
17749 <p class="TextFontCX"><span class="Annot"><span style=
17750 'font-size:10.0pt'>fallthrough</span></span></p>
17751 <p class="IndentText"><span class="Annot"><span style=
17752 'font-size:10.0pt;font-family:"Times New Roman"'>Fall through
17753 case. No message is reported if the previous case may fall
17754 through into the one immediately after the</span></span>
17755 <span class="Annot"><span style=
17756 'font-size:10.0pt'>fallthrough</span></span><span class=
17757 "Annot"><span style=
17758 'font-size:10.0pt;font-family:"Times New Roman"'>.</span></span></p>
17759 <p class="Heading10">Break and Continue Statements
17760 <span class="TextFontCXChar"><span style=
17761 'font-size:11.0pt; font-weight:normal'>(Section
17762 8.3.3)</span></span></p>
17763 <p class="beforelist">These annotations are used before a
17764 <span class="CodeText"><span style=
17765 'font-size:10.0pt'>break</span></span> or <span class=
17766 "CodeText"><span style='font-size:10.0pt'>continue</span></span>
17768 <p class="TextFontCX"><span class="Annot"><span style=
17769 'font-size:10.0pt'>innerbreak</span></span></p>
17770 <p class="IndentText"><span class="Annot"><span style=
17771 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17772 an inner loop or switch.</span></span></p>
17773 <p class="TextFontCX"><span class="Annot"><span style=
17774 'font-size:10.0pt'>loopbreak</span></span></p>
17775 <p class="IndentText"><span class="Annot"><span style=
17776 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17777 a loop.</span></span></p>
17778 <p class="TextFontCX"><span class="Annot"><span style=
17779 'font-size:10.0pt'>switchbreak</span></span></p>
17780 <p class="IndentText"><span class="Annot"><span style=
17781 'font-size:10.0pt;font-family: "Times New Roman"'>Break is breaking
17782 a switch.</span></span></p>
17783 <p class="TextFontCX"><span class="Annot"><span style=
17784 'font-size:10.0pt'>innercontinue</span></span><span class=
17785 "Annot"><span style=
17786 'font-size:10.0pt'><i> </i></span></span></p>
17787 <p class="IndentText"><span class="Annot"><span style=
17788 'font-size:10.0pt;font-family: "Times New Roman"'>Continue is
17789 continuing an inner loop.</span></span></p>
17790 <p class="Heading10">Unreachable Code</p>
17791 <p class="beforelist">This annotation is used before a statement to
17792 prevent unreachable code errors.</p>
17793 <p class="TextFontCX"><span class="Annot"><span style=
17794 'font-size:10.0pt'>notreached</span></span></p>
17795 <p class="IndentText"><span class="Annot"><span style=
17796 'font-size:10.0pt;font-family: "Times New Roman"'>Statement may be
17797 unreachable.</span></span></p>
17798 <p class="Heading10">Format String Arguments </p>
17799 <p class="beforelist">These annotations are used immediately before
17800 a function declaration.</p>
17801 <p class="TextFontCX"><span class="Annot"><span style=
17802 'font-size:10.0pt'>printflike</span></span></p>
17803 <p class="IndentText"><span class="Annot"><span style=
17804 'font-size:10.0pt;font-family: "Times New Roman"'>Check variable
17805 arguments like</span></span> <span class=
17806 "CodeText"><span style='font-size:10.0pt'>printf</span></span><span class="Annot">
17808 'font-size:10.0pt;font-family:"Times New Roman"'>library
17809 function. </span></span></p>
17810 <p class="TextFontCX"><span class="Annot"><span style=
17811 'font-size:10.0pt'>scanflike</span></span></p>
17812 <p class="IndentText"><span class="Annot"><span style=
17813 'font-size:10.0pt;font-family: "Times New Roman"'>Check variable
17814 arguments like</span></span> <span class=
17815 "CodeText"><span style='font-size:10.0pt'>scanf</span></span><a name="_Toc344355453">
17816 </a><a name="_Ref343091002"></a><a name=
17817 "_Ref343065628"><span class="Annot"><span style=
17818 'font-size:10.0pt;font-family:"Times New Roman"'>library
17819 function.</span></span></a></p>
17820 <p class="Heading10"><a name="_Ref348789839">Use Warnings</a></p>
17821 <p class="beforelist">These annotations are used immediately before
17822 a function, variable or type declaration.</p>
17823 <p class="TextFontCX"><span class="Annot"><span style=
17824 'font-size:10.0pt'>warn <i><flag-specifier></i>
17825 <i><message></i></span></span></p>
17826 <p class="IndentText">Issue a warning (controlled by
17827 <span class="Flag"><span style=
17828 'font-size:10.0pt'>flag-specifier</span></span>) where this
17829 declarator is used.</p>
17830 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17831 <a name="_Toc534975071">Macro Expansion</a></p>
17832 <p class="TextFontCX"><a href=
17833 "mailto:/*@notfunction@*/"><span class="Annot"><span style=
17834 'font-size:10.0pt'>/*@notfunction@*/</span></span></a></p>
17835 <p class="IndentText">The next macro definition is not intended to
17836 be a function, and should be expanded in line instead of checked as
17837 a macro function definition.</p>
17838 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17839 <a name="_Toc534975072">Arbitrary Integral Types</a></p>
17840 <p class="TextFontCX">These annotations are used to represent
17841 arbitrary integral types. Syntactically, they replace the
17842 implicit <span class="Flag"><span style=
17843 'font-size:10.0pt'>int</span></span> type.</p>
17844 <p class="TextFontCX"> </p>
17845 <p class="TextFontCX"><span class="Annot"><span style=
17846 'font-size:10.0pt'>/*@integraltype@*/</span></span></p>
17847 <p class="IndentText">An arbitrary integral type. The actual
17848 type may be any one of <span class="CodeText"><span style=
17849 'font-size:10.0pt'>short</span></span>, <span class=
17850 "CodeText"><span style='font-size:10.0pt'>int</span></span>,
17851 <span class="CodeText"><span style=
17852 'font-size:10.0pt'>long</span></span>, <span class=
17853 "CodeText"><span style='font-size:10.0pt'>unsigned
17854 short</span></span>, <span class="CodeText"><span style=
17855 'font-size:10.0pt'>unsigned</span></span>, or <span class=
17856 "CodeText"><span style='font-size:10.0pt'>unsigned
17857 long</span></span>.</p>
17858 <p class="TextFontCX"><span class="Annot"><span style=
17859 'font-size:10.0pt'>/*@unsignedintegraltype@*/</span></span></p>
17860 <p class="IndentText">An arbitrary unsigned integral type.
17861 The actual type may be any one of <span class=
17862 "CodeText"><span style='font-size:10.0pt'>unsigned
17863 short</span></span>, <span class="CodeText"><span style=
17864 'font-size:10.0pt'>unsigned</span></span>, or <span class=
17865 "CodeText"><span style='font-size:10.0pt'>unsigned
17866 long</span></span>.</p>
17867 <p class="TextFontCX"><span class="Annot"><span style=
17868 'font-size:10.0pt'>/*@signedintegraltype@*/</span></span></p>
17869 <p class="IndentText">An arbitrary signed integral type. The
17870 actual type may be any one of <span class=
17871 "CodeText"><span style='font-size:10.0pt'>short</span></span>,
17872 <span class="CodeText"><span style=
17873 'font-size:10.0pt'>int</span></span>, or <span class=
17874 "CodeText"><span style=
17875 'font-size:10.0pt'>long</span></span>.</p>
17876 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
17877 <a name="_Toc534975073"></a><a name="_Ref347471625">Traditional
17878 Lint Comments</a></p>
17879 <p class="TextFontCX">Some of the control comments supported by
17880 most standard UNIX lints are supported by Splint so legacy systems
17881 can be checked more easily. These comments are not lexically
17882 consistent with Splint comments, and their meanings are less
17883 precise (and may vary between different lint programs), so we
17884 recommend that Splint comments are used instead except for checking
17885 legacy systems already containing standard lint comments.</p>
17886 <p class="TextFontCX"> </p>
17887 <p class="beforelist">These standard lint comments supported by
17889 <p class="TextFontCX"><span class="Annot"><span style=
17890 'font-size:10.0pt'>/*FALLTHROUGH*/</span></span> (alternate
17891 misspelling, <span class="Annot"><span style=
17892 'font-size:10.0pt'>/*FALLTHRU*/</span></span>)</p>
17893 <p class="IndentText">Prevents errors for fall through cases.
17894 Same meaning as <span class="Annot"><span style=
17895 'font-size:10.0pt'>/*@fallthrough@*/</span></span>.</p>
17896 <p class="MsoListBullet"><span class="Annot"><span style=
17897 'font-size:10.0pt'>/*NOTREACHED*/</span></span></p>
17898 <p class="IndentText">Prevents errors about unreachable code (until
17899 the end of the function). Same meaning as <span class=
17900 "Annot"><span style=
17901 'font-size:10.0pt'>/*@notreached@*/</span></span>. </p>
17902 <p class="MsoListBullet"><span class="Annot"><span style=
17903 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span></p>
17904 <p class="indentbefore">Arguments similar to the <span class=
17905 "CodeText"><span style='font-size:10.0pt'>printf</span></span>
17906 library function (there didn’t seem to be much of a consensus
17907 among standard lints as to exactly what this means). Splint
17909 <p class="IndentText"><span class="Annot"><span style=
17910 'font-size:10.0pt'>/*@printflike@*/</span></span></p>
17911 <p class="IndentText" style='margin-left:.5in'>Function takes zero
17912 or more arguments of any type, an unmodified <span class=
17913 "CodeText"><span style='font-size:10.0pt'>char *</span></span>
17914 format string argument and zero of more arguments of type and
17915 number dictated by the format string. Format codes are
17916 interpreted identically to the <span class=
17917 "CodeText"><span style='font-size:10.0pt'>printf</span></span>
17918 standard library function. May return a result of any
17919 type. (Splint interprets <span class=
17920 "Annot"><span style=
17921 'font-size:10.0pt'>/*PRINTFLIKE*/</span></span> as
17922 <span class="Annot"><span style=
17923 'font-size:10.0pt'>/*@printflike@*/</span></span>.)</p>
17924 <p class="IndentText"><span class="Annot"><span style=
17925 'font-size:10.0pt'>/*@scanflike@*/</span></span></p>
17926 <p class="IndentText" style='margin-left:.5in'>Like
17927 <span class="Annot"><span style=
17928 'font-size:10.0pt'>printflike</span></span>, except format
17929 codes are interpreted as in the <span class=
17930 "CodeText"><span style='font-size:10.0pt'>scanf</span></span>
17931 library function.</p>
17932 <p class="IndentText"> </p>
17933 <p class="MsoListBullet" style='margin-left:0in;text-indent:0in'>
17934 <span class="Annot"><span style=
17935 'font-size:10.0pt'>/*ARGSUSED*/</span></span></p>
17936 <p class="IndentText">Turns off unused parameter messages for this
17937 function. The control comment, <span class=
17938 "Annot"><span style=
17939 'font-size:10.0pt'>/*@‑paramuse</span></span><span class="Annot">
17940 <span style='font-size:10.0pt'>@*/</span></span> can be used to the
17941 same effect, or <span class="Annot"><span style=
17942 'font-size:10.0pt'>/*@unused@*/</span></span> can be used in
17943 individual parameter declarations.</p>
17944 <p class="IndentText"> </p>
17945 <p class="TextFontCX">Splint will ignore standard lint comments if
17946 <span class="Flag"><span style=
17947 'font-size:10.0pt'>-lint-comments</span></span> is used. If
17948 <span class="Flag"><span style=
17949 'font-size:10.0pt'>+warn-lint-comments</span></span> is used,
17950 Splint generates a message for standard lint comments and suggest
17951 replacements<a name="_Ref348801565">.</a></p>
17952 <p class="MsoHeading8" style='margin-left:0in;text-indent:0in'>
17953 <a name="_Toc534975074">Metastate Definitions</a></p>
17954 <p class="TextFontCX">The grammar for <span class=
17955 "ProgramNameChar">.mts</span> files is shown below.</p>
17956 <p class="MsoNormal"> </p>
17957 <p class="TextFontCX" align="left" style=
17958 'margin-left: .25in;text-align:left'><i><span lang=
17959 "FR">metastate</span></i> <span lang="FR"> </span>
17960 <span style='font-family:Symbol'>Þ</span> <span lang=
17961 "FR">[</span> <span class="Annot"><span style=
17962 'font-size:10.0pt'>global</span></span> <span lang="FR">]</span>
17963 <span class="Annot"><span style=
17964 'font-size:10.0pt'>attribute</span></span> <i><span lang=
17965 "FR">identifier clause*</span></i> <span class=
17966 "Annot"><span style='font-size: 10.0pt'>end</span></span></p>
17967 <p class="TextFontCX" align="left" style=
17968 'margin-left: .25in;text-align:left'><i><span lang=
17969 "FR">clause</span></i> <span lang=
17970 "FR"> </span> <span style=
17971 'font-family:Symbol'>Þ</span> <i><span lang=
17972 "FR">contextClause</span></i> <span lang="FR">| <i>valuesClause</i>
17973 | <i>defaultClause | defaultsClause</i></span></p>
17974 <p class="TextFontCX" align="left" style=
17975 'margin-left: .75in;text-align:left;text-indent:.25in'>
17976 <i><span lang="FR"> </span></i>
17977 <span lang="FR">| <i>annotationsClause</i> | <i>mergeClause |
17978 transfersClause | loserefClause</i></span></p>
17979 <p class="TextFontCX" align="left" style=
17980 'margin-left: 1.25in;text-align:left'><i><span lang="FR">|
17981 preconditionsClause | postconditionsClause</span></i></p>
17982 <p class="TextFontCX" align="left" style=
17983 'margin-left: .25in;text-align:left'><i><span lang=
17984 "FR">contextClause</span></i><span style=
17985 'font-family:Symbol'>Þ</span> <span class=
17986 "Annot"><span style='font-size: 10.0pt'>context</span></span>
17987 <i><span lang="FR">contextSelector</span></i></p>
17988 <p class="TextFontCX" align="left" style=
17989 'margin-left: .25in;text-align:left'><i><span lang=
17990 "FR">contextSelector</span></i> <span style=
17991 'font-family:Symbol'>Þ</span> <span lang="FR">(</span>
17992 <span class="Annot"><span style=
17993 'font-size:10.0pt'>parameter</span></span> <span lang="FR">|</span>
17994 <span class="Annot"><span style=
17995 'font-size:10.0pt'>reference</span></span> <span lang="FR">|</span>
17996 <span class="Annot"><span style=
17997 'font-size:10.0pt'>result</span></span> <span lang="FR">|</span>
17998 <span class="Annot"><span style=
17999 'font-size:10.0pt'>clause</span></span> <span lang="FR">|</span>
18000 <span class="Annot"><span style=
18001 'font-size:10.0pt'>literal</span></span> <span lang="FR">|</span>
18002 <span class="Annot"><span style=
18003 'font-size:10.0pt'>null</span></span> <span lang="FR">) [
18004 <i>type</i> ]</span></p>
18005 <p class="TextFontCX" align="left" style=
18006 'margin-left: .25in;text-align:left'><i><span lang=
18007 "FR">valuesClause</span></i><span style=
18008 'font-family:Symbol'>Þ</span> <span class=
18009 "Annot"><span style='font-size: 10.0pt'>oneof</span></span>
18010 <i>valueChoice</i>,*</p>
18011 <p class="TextFontCX" align="left" style=
18012 'margin-left: .25in;text-align:left'> </p>
18013 <p class="TextFontCX" align="left" style=
18014 'margin-left: .25in;text-align:left'><i><span lang=
18015 "FR">defaultClause</span></i> <span style=
18016 'font-family:Symbol'>Þ</span> <span class=
18017 "Annot"><span style='font-size: 10.0pt'>default</span></span>
18018 <i>valueChoide</i></p>
18019 <p class="TextFontCX" align="left" style=
18020 'margin-left: .25in;text-align:left'><i><span lang=
18021 "FR">defaultsClause</span></i><span style=
18022 'font-family:Symbol'>Þ</span> <span class=
18023 "Annot"><span style='font-size: 10.0pt'>defaults</span></span>
18024 <span lang="FR">( <i>contextSelector</i></span> <span class=
18025 "Annot"><span style='font-size:10.0pt'>==></span></span>
18026 <i>valueChoice</i> <span lang="FR">)*</span></p>
18027 <p class="TextFontCX" align="left" style=
18028 'margin-left: .25in;text-align:left'><i><span lang=
18029 "FR"> </span></i></p>
18030 <p class="TextFontCX" align="left" style=
18031 'margin-left: .25in;text-align:left'><i><span lang=
18032 "FR">annotationsClause</span></i><span style=
18033 'font-family:Symbol'>Þ</span> <span class=
18034 "Annot"><span style='font-size: 10.0pt'>annotations</span></span>
18035 ( <i>identifier</i> [ <i><span lang=
18036 "FR">contextSelector</span></i> <span lang="FR">]</span>
18037 <span class="Annot"><span style=
18038 'font-size: 10.0pt'>==></span></span> <i>valueChoice</i>
18039 )<i><span lang="FR">*</span></i></p>
18040 <p class="TextFontCX" align="left" style=
18041 'margin-left: .25in;text-align:left'><i><span lang=
18042 "FR"> </span></i></p>
18043 <p class="TextFontCX" align="left" style=
18044 'margin-left: .25in;text-align:left'><i><span lang=
18045 "FR">mergeClause</span></i><span style=
18046 'font-family:Symbol'>Þ</span> <span class=
18047 "Annot"><span style='font-size: 10.0pt'>merge</span></span> (
18048 <i>mergeItem</i> <span class="Annot"><span style=
18049 'font-size:10.0pt'>+</span></span> <i>mergeItem</i>
18050 <span class="Annot"><span style=
18051 'font-size:10.0pt'>==></span></span> <i>transferAction</i>
18052 )<i><span lang="FR">*</span></i></p>
18053 <p class="TextFontCX" align="left" style=
18054 'margin-left: .25in;text-align:left'><i><span lang=
18055 "FR">mergeItem</span></i><span style=
18056 'font-family:Symbol'>Þ</span> <i>valueChoice |</i>
18057 <span class="Annot"><span style=
18058 'font-size:10.0pt'>*</span></span></p>
18059 <p class="TextFontCX" align="left" style=
18060 'margin-left: .25in;text-align:left'><i><span lang=
18061 "FR"> </span></i></p>
18062 <p class="TextFontCX" align="left" style=
18063 'margin-left: .25in;text-align:left'><i><span lang=
18064 "FR">transfersClause</span></i><span style=
18065 'font-family:Symbol'>Þ</span> <span class=
18066 "Annot"><span style='font-size: 10.0pt'>transfers</span></span>
18067 ( <i>valueChoice</i> <span class="Annot"><span style=
18068 'font-size:10.0pt'>as</span></span>
18069 <i>valueChoice</i><span class="Annot"><span style=
18070 'font-size:10.0pt'>==></span></span> <i>transferAction</i>
18071 )<i><span lang="FR">*</span></i></p>
18072 <p class="TextFontCX" align="left" style=
18073 'margin-left: .25in;text-align:left'><i><span lang=
18074 "FR">loserefClause</span></i><span style=
18075 'font-family:Symbol'>Þ</span> <span class=
18076 "Annot"><span style='font-size: 10.0pt'>losereference</span></span>
18077 ( <i>valueChoice</i> <span class="Annot"><span style=
18078 'font-size:10.0pt'>==></span></span> <i>errorAction</i>
18079 )<i><span lang="FR">*</span></i></p>
18080 <p class="TextFontCX" align="left" style=
18081 'margin-left: .25in;text-align:left'><i><span lang=
18082 "FR"> </span></i></p>
18083 <p class="TextFontCX" align="left" style=
18084 'margin-left: .25in;text-align:left'><i><span lang=
18085 "FR">transferAction</span></i><span style=
18086 'font-family:Symbol'>Þ</span> <i>valueChoice |
18087 errorAction</i></p>
18088 <p class="TextFontCX" align="left" style=
18089 'margin-left: .25in;text-align:left'>
18090 <i>errorAction</i><span style='font-family:Symbol'>Þ</span>
18091 <span class="Annot"><span style=
18092 'font-size:10.0pt'>error</span></span> [ <i>stringLiteral</i>
18094 <p class="TextFontCX" align="left" style=
18095 'margin-left: .25in;text-align:left'><i><span lang=
18096 "FR"> </span></i></p>
18097 <p class="TextFontCX" align="left" style=
18098 'margin-left: .25in;text-align:left'><i><span lang=
18099 "FR">valueChoice</span></i><span style=
18100 'font-family:Symbol'>Þ</span>
18101 <i>identifier</i> </p>
18102 <p class="TextFontCX"> </p>
18103 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
18104 <a name="_Toc534975075"></a><a name="_Ref397875216"></a><a name=
18105 "_Ref350066976"></a><a name="_Ref348788300">Appendix
18106 D<span style='font:7.0pt "Times New Roman"'> </span>
18107 <a id="specifications" name="specifications">
18111 <p class="TextFontCX">Another way of providing more information
18112 about programs is to use formal specifications. Although this
18113 document has largely ignored specifications, Splint was originally
18114 designed to use the information in LCL specifications instead of
18115 source-code annotations. This document focuses on annotations
18116 since it takes less effort to add annotations to source code than
18117 to maintain an additional specification file. Annotations can
18118 express everything that can be expressed in LCL specifications that
18119 is relevant to Splint checking. However, LCL specifications
18120 can provide more precise documentation on program interfaces than
18121 is possible with Splint annotations. This appendix (extracted
18122 from [Evans94]) is a very brief introduction to LCL
18123 Specifications. For more information, consult
18124 [GH93]. </p>
18125 <p class="TextFontCX"> </p>
18126 <p class="TextFontCX">The Larch family of languages is a two-tiered
18127 approach to formal specification. A specification is built using
18128 two languages — the <i>Larch Shared Language</i> (LSL), which
18129 is independent of the implementation language, and a <i>Larch
18130 Interface Language</i> designed for the specific implementation
18131 language. An LSL specification defines <i>sorts</i>,
18132 analogous to abstract types in a programming language, and
18133 <i>operators</i>, analogous to procedures. It expresses the
18134 underlying semantics of an abstraction.</p>
18135 <p class="TextFontCX"> </p>
18136 <p class="TextFontCX">The interface language specifies an interface
18137 to an abstraction in a particular programming language. It
18138 captures the details of the interface needed by a client using the
18139 abstraction and places constraints on both correct implementations
18140 and uses of the module. The semantics of the interface are
18141 described using primitives and sorts and operators defined in LSL
18142 specifications. Interface languages have been designed for
18143 several programming languages.</p>
18144 <p class="TextFontCX"> </p>
18145 <p class="TextFontCX">LCL [GH93, Tan95] is a Larch interface
18146 language for Standard C. LCL uses a C-like syntax.
18147 Traditionally, a C module <span class=
18148 "Keyword"><i><span style='font-size:10.0pt;font-family:Arial; color:windowtext'>
18149 M</span></i></span> consists of a source file, <span class=
18150 "Keyword"><i><span style=
18151 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18153 'font-size:10.0pt;font-family:Arial;color:windowtext'>.c</span></span>,
18154 and a header file, <span class="Keyword"><i><span style=
18155 'font-size:10.0pt; font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18157 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>.
18158 The header file contains prototype declarations for functions,
18159 variables and constants exported by <span class=
18160 "Keyword"><i><span style=
18161 'font-size:10.0pt; font-family:Arial;color:windowtext'>M</span></i></span>,
18162 as well as those macro definitions that implement exported
18163 functions or constants, and definitions of exported types. When
18164 using LCL, a module includes two additional files —
18165 <span class="Keyword"><i><span style=
18166 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18168 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>,
18169 a formal specification of <span class=
18170 "Keyword"><i><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18171 M</span></i></span>, and <span class=
18172 "Keyword"><i><span style='font-size:10.0pt;font-family:Arial;color:windowtext'>
18173 M</span></i></span><span class="Keyword"><span style=
18174 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>,
18175 which is derived by Splint (if the <span class=
18176 "Flag"><span style='font-size:10.0pt'>lh</span></span> flag
18177 is on) from <span class="Keyword"><i><span style=
18178 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18180 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>.
18181 Clients use <span class="Keyword"><i><span style=
18182 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18184 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18185 for documentation, and should not need to look at any
18186 implementation file. The derived file, <span class=
18187 "Keyword"><i><span style=
18188 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18190 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>,
18191 contains include directives (if <span class=
18192 "Keyword"><i><span style=
18193 'font-size: 10.0pt;font-family:Arial;color:windowtext'>M</span></i></span>
18194 depends on other specified modules), prototypes of functions and
18195 declarations of variables as specified in <span class=
18196 "Keyword"><i><span style=
18197 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18199 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>.
18200 The file <span class="Keyword"><i><span style=
18201 'font-size:10.0pt;font-family:Arial; color:windowtext'>M</span></i></span><span class="Keyword">
18203 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>
18204 should include <span class="Keyword"><i><span style=
18205 'font-size:10.0pt;font-family: Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18207 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>
18208 and retain the implementation aspects of the old <span class=
18209 "Keyword"><i><span style=
18210 'font-size:10.0pt;font-family:Arial;color:windowtext'>M</span></i></span><span class="Keyword">
18212 'font-size:10.0pt;font-family:Arial;color:windowtext'>.h</span></span>,
18213 but is no longer used for c<a name="_Ref348845779">lient
18214 documentation.</a></p>
18215 <p class="MsoHeading9" style='margin-left:0in;text-indent:0in'>
18216 <a name="_Toc534975076">Specification Flags</a></p>
18217 <p class="TextFontCX">These flags are relevant only when Splint is
18218 used with LCL specifications.</p>
18219 <p class="Heading10">Global Flags</p>
18220 <p class="TextFontCX"><span class="Flag"><span style=
18221 'font-size:10.0pt'>lcs</span></span></p>
18222 <p class="IndentText">Generate <span class=
18223 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18224 .lcs</span></span> files containing symbolic state of
18225 <span class="Keyword"><span style=
18226 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18227 files (used for imports). By default <span class=
18228 "Keyword"><span style=
18229 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lcs</span></span>
18230 files are generated for each <span class=
18231 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18232 .lcl</span></span> file processed. Use <span class=
18233 "Flag"><span style='font-size:10.0pt'>-lcs</span></span> to prevent
18234 generation of <span class="Keyword"><span style=
18235 'font-size:10.0pt;font-family: Arial;color:windowtext'>.lcs</span></span>
18237 <p class="TextFontCX"><span class="Flag"><span style=
18238 'font-size:10.0pt'>lh</span></span></p>
18239 <p class="IndentText">Generate <span class=
18240 "Keyword"><span style='font-size:10.0pt; font-family:Arial;color:windowtext'>
18241 .lh</span></span> files. By default, <span class=
18242 "Flag"><span style='font-size:10.0pt'>-lh</span></span> is set and
18243 no <span class="Keyword"><span style=
18244 'font-size:10.0pt;font-family:Arial;color:windowtext'>.lh</span></span>
18245 files are generated. Use <span class=
18246 "Flag"><span style='font-size:10.0pt'>+lh</span></span> to
18247 enable <span class="Flag"><span style=
18248 'font-size:10.0pt'>.lh</span></span> file
18249 generation. </p>
18250 <p class="TextFontCX"><span class="Flag"><span style=
18251 'font-size:10.0pt'>i</span></span> <span class=
18252 "Flag"><span style='font-size:10.0pt'><file></span></span></p>
18253 <p class="IndentText">Set LCL initialization file to
18254 <span class="Flag"><i><span style=
18255 'font-size:10.0pt'><file></span></i></span>. The
18256 LCL initialization file is read if any <span class=
18257 "Keyword"><span style=
18258 'font-size: 10.0pt;font-family:Arial;color:windowtext'>.lcl</span></span>
18259 files are listed on the command line. The default file
18260 is <span class="Keyword"><span style=
18261 'font-size:10.0pt;font-family:Arial;color:windowtext'>lclinit.lci</span></span>,
18262 found on the <span class="Keyword"><span style=
18263 'font-size:10.0pt;font-family: Arial;color:windowtext'>LARCH_PATH</span></span>.</p>
18264 <p class="TextFontCX"><span class="Flag"><span style=
18265 'font-size:10.0pt'>lclexpect</span></span> <span class=
18266 "Flag"><span style=
18267 'font-size:10.0pt'><i><number></i></span></span></p>
18268 <p class="IndentText">Exactly <span class=
18269 "Flag"><i><span style='font-size:10.0pt'><number></span></i></span>
18270 specification errors are expected. Specification errors
18271 are errors detected when checking the specifications.
18272 They do not depend on the source code.</p>
18273 <p class="Heading10">Implicit Globals Checking Qualifiers</p>
18275 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18276 height="14" align="left">
18278 <td valign="top" align="left" height="14" style=
18279 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18280 <p class="TextFontCX" align="center" style=
18281 'text-align:center;background:#CCCCCC'><span style=
18282 'font-size:10.0pt'>m:</span><span class=
18283 "Keyword"><span style='font-size:10.0pt'>-++-</span></span></p></td></tr></table></div>
18284 <p class="TextFontCX"><span class="Flag"><span style=
18285 'font-size:10.0pt'>imp-checked-spec-globs</span></span></p>
18286 <p class="IndentText">Implicit <span class=
18287 "Annot"><span style='font-size:10.0pt'>checked</span></span>
18288 qualifier on global variables specified in an LCL file with
18289 no checking annotation.</p>
18291 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18292 height="14" align="left">
18294 <td valign="top" align="left" height="14" style=
18295 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18296 <p class="TextFontCX" align="center" style=
18297 'text-align:center;background:#CCCCCC'><span style=
18298 'font-size:10.0pt'>m:</span><span class=
18299 "Keyword"><span style='font-size:10.0pt'>----</span></span></p></td></tr></table></div>
18300 <p class="TextFontCX"><span class="Flag"><span style=
18301 'font-size:10.0pt'>imp-checkmod-spec-globs</span></span></p>
18303 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18304 height="14" align="left">
18306 <td valign="top" align="left" height="14" style=
18307 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18308 <p class="TextFontCX" align="center" style=
18309 'text-align:center;background:#CCCCCC'><span style=
18310 'font-size:10.0pt'>m:</span><span class=
18311 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18312 <p class="IndentText">Implicit <span class=
18313 "Annot"><span style='font-size:10.0pt'>checkmod</span></span>
18314 qualifier on global variables specified in an LCL file with
18315 no checking annotation.</p>
18316 <p class="TextFontCX"><span class="Flag"><span style=
18317 'font-size:10.0pt'>imp-checkedstrict-spec-globs</span></span></p>
18318 <p class="IndentText">Implicit <span class=
18319 "Annot"><span style='font-size:10.0pt'>checked</span></span>
18320 qualifier on global variables specified in an LCL file with
18321 no checking annotation.</p>
18323 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18324 height="14" align="left">
18326 <td valign="top" align="left" height="14" style=
18327 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18328 <p class="TextFontCX" align="center" style=
18329 'text-align:center;background:#CCCCCC'><span style=
18330 'font-size:10.0pt'>P:</span> <span class=
18331 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18332 <p class="Heading10">Implicit Annotations</p>
18333 <p class="TextFontCX"><span class="Flag"><span style=
18334 'font-size:10.0pt'>spec-glob-imp-only</span></span></p>
18335 <p class="IndentText">Implicit <span class=
18336 "Annot"><span style='font-size:10.0pt'>only</span></span>
18337 annotation on global variable declaration in an LCL file with
18338 no allocation annotation.</p>
18340 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18341 height="14" align="left">
18343 <td valign="top" align="left" height="14" style=
18344 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18345 <p class="TextFontCX" align="center" style=
18346 'text-align:center;background:#CCCCCC'><span style=
18347 'font-size:10.0pt'>P:</span> <span class=
18348 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18349 <p class="TextFontCX"><span class="Flag"><span style=
18350 'font-size:10.0pt'>spec-ret-imp-only</span></span></p>
18351 <p class="IndentText">Implicit <span class=
18352 "Annot"><span style='font-size:10.0pt'>only</span></span>
18353 annotation on return value declaration in an LCL file with no
18354 allocation annotation.</p>
18356 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18357 height="14" align="left">
18359 <td valign="top" align="left" height="14" style=
18360 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18361 <p class="TextFontCX" align="center" style=
18362 'text-align:center;background:#CCCCCC'><span style=
18363 'font-size:10.0pt'>P:</span> <span class=
18364 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18365 <p class="TextFontCX"><span class="Flag"><span style=
18366 'font-size:10.0pt'>spec-struct-imp-only</span></span></p>
18367 <p class="IndentText">Implicit <span class=
18368 "Annot"><span style='font-size:10.0pt'>only</span></span>
18369 annotation on structure field declarations in an LCL file
18370 with no allocation annotation.</p>
18372 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18373 height="14" align="left">
18375 <td valign="top" align="left" height="14" style=
18376 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18377 <p class="TextFontCX" align="center" style=
18378 'text-align:center;background:#CCCCCC'><span style=
18379 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
18380 <p class="TextFontCX"><span class="Flag"><span style=
18381 'font-size:10.0pt'>spec-imp-only</span></span></p>
18382 <p class="IndentText">Sets <span class="Flag"><span style=
18383 'font-size:10.0pt'>spec-glob-imp-only</span></span>,
18384 <span class="Flag"><span style=
18385 'font-size:10.0pt'>spec-ret-imp-only</span></span> and
18386 <span class="Flag"><span style=
18387 'font-size:10.0pt'>spec-struct-imp-only</span></span>.</p>
18388 <p class="Heading10">Macro Expansion</p>
18390 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18391 height="14" align="left">
18393 <td valign="top" align="left" height="14" style=
18394 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18395 <p class="TextFontCX" align="center" style=
18396 'text-align:center;background:#CCCCCC'><span style=
18397 'font-size:10.0pt'>P:</span> <span class=
18398 "Keyword"><span style='font-size:10.0pt'>+</span></span></p></td></tr></table></div>
18399 <p class="TextFontCX"><span class="Flag"><span style=
18400 'font-size:10.0pt'>spec-macros</span></span></p>
18401 <p class="IndentText">Macros defining specified identifiers are not
18402 expanded and are checked according to the
18403 specification.<span class="Flag"><span style=
18404 'font-size:10.0pt'> </span></span></p>
18406 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18407 height="14" align="left">
18409 <td valign="top" align="left" height="14" style=
18410 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18411 <p class="TextFontCX" align="center" style=
18412 'text-align:center;background:#CCCCCC'><span style=
18413 'font-size:10.0pt'>m:</span><span class=
18414 "Keyword"><span style='font-size:10.0pt'>-+++</span></span></p></td></tr></table></div>
18415 <p class="Heading10">Complete Programs and Specifications</p>
18416 <p class="TextFontCX"><span class="Flag"><span style=
18417 'font-size:10.0pt'>spec-undef</span></span></p>
18418 <p class="IndentText">Function, variable, iterator or constant
18419 specified but never defined.</p>
18421 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18422 height="14" align="left">
18424 <td valign="top" align="left" height="14" style=
18425 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18426 <p class="TextFontCX" align="center" style=
18427 'text-align:center;background:#CCCCCC'><span style=
18428 'font-size:10.0pt'>P:</span> <span class=
18429 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18430 <p class="TextFontCX"><span class="Flag"><span style=
18431 'font-size:10.0pt'>spec-undecl</span></span></p>
18432 <p class="IndentText">Function, variable, iterator or constant
18433 specified but never declared.</p>
18435 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18436 height="14" align="left">
18438 <td valign="top" align="left" height="14" style=
18439 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18440 <p class="TextFontCX" align="center" style=
18441 'text-align:center;background:#CCCCCC'><span style=
18442 'font-size:10.0pt'>P:</span> <span class=
18443 "Keyword"><span style='font-size:10.0pt'>-</span></span></p></td></tr></table></div>
18444 <p class="TextFontCX"><span class="Flag"><span style=
18445 'font-size:10.0pt'>need-spec</span></span></p>
18447 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18448 height="14" align="left">
18450 <td valign="top" align="left" height="14" style=
18451 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18452 <p class="TextFontCX" align="center" style=
18453 'text-align:center;background:#CCCCCC'><span style=
18454 'font-size:10.0pt'>shortcut</span></p></td></tr></table></div>
18455 <p class="IndentText">There is information in the specification
18456 that is not duplicated in syntactic comments. Normally, this
18457 is not an error, but it may be useful to detect it to make sure
18458 checking incomplete systems without the specifications will still
18459 use this information.</p>
18460 <p class="TextFontCX"><span class="Flag"><span style=
18461 'font-size:10.0pt'>export-any</span></span></p>
18463 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18464 height="14" align="left">
18466 <td valign="top" align="left" height="14" style=
18467 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18468 <p class="TextFontCX" align="center" style=
18469 'text-align:center;background:#CCCCCC'><span style=
18470 'font-size:10.0pt'>m:</span><span class=
18471 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18472 <p class="IndentText">An error is reported for any identifier that
18473 is exported but not specified. (Sets all export flags
18475 <p class="TextFontCX"><span class="Flag"><span style=
18476 'font-size:10.0pt'>export-const</span></span></p>
18477 <p class="IndentText">Constant exported but not specified.</p>
18479 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18480 height="14" align="left">
18482 <td valign="top" align="left" height="14" style=
18483 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18484 <p class="TextFontCX" align="center" style=
18485 'text-align:center;background:#CCCCCC'><span style=
18486 'font-size:10.0pt'>m:</span><span class=
18487 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18488 <p class="TextFontCX"><span class="Flag"><span style=
18489 'font-size:10.0pt'>export-var</span></span></p>
18490 <p class="IndentText">Variable exported but not specified.</p>
18492 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18493 height="14" align="left">
18495 <td valign="top" align="left" height="14" style=
18496 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18497 <p class="TextFontCX" align="center" style=
18498 'text-align:center;background:#CCCCCC'><span style=
18499 'font-size:10.0pt'>m:</span><span class=
18500 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18501 <p class="TextFontCX"><span class="Flag"><span style=
18502 'font-size:10.0pt'>export-fcn</span></span></p>
18503 <p class="IndentText">Function exported but not specified.</p>
18505 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18506 height="14" align="left">
18508 <td valign="top" align="left" height="14" style=
18509 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18510 <p class="TextFontCX" align="center" style=
18511 'text-align:center;background:#CCCCCC'><span style=
18512 'font-size:10.0pt'>m:</span><span class=
18513 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18514 <p class="TextFontCX"><span class="Flag"><span style=
18515 'font-size:10.0pt'>export-iter</span></span></p>
18516 <p class="IndentText">Iterator exported but not specified.</p>
18518 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18519 height="14" align="left">
18521 <td valign="top" align="left" height="14" style=
18522 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18523 <p class="TextFontCX" align="center" style=
18524 'text-align:center;background:#CCCCCC'><span style=
18525 'font-size:10.0pt'>m:</span><span class=
18526 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18527 <p class="TextFontCX"><span class="Flag"><span style=
18528 'font-size:10.0pt'>export-macro</span></span></p>
18529 <p class="IndentText">An expanded macro exported but not
18532 <table cellspacing="0" cellpadding="0" hspace="0" vspace="0"
18533 height="14" align="left">
18535 <td valign="top" align="left" height="14" style=
18536 'padding-top:0in;padding-right: 9.35pt;padding-bottom:0in;padding-left:9.35pt'>
18537 <p class="TextFontCX" align="center" style=
18538 'text-align:center;background:#CCCCCC'><span style=
18539 'font-size:10.0pt'>m:</span><span class=
18540 "Keyword"><span style='font-size:10.0pt'>---+</span></span></p></td></tr></table></div>
18541 <p class="TextFontCX"><span class="Flag"><span style=
18542 'font-size:10.0pt'>export-type</span></span></p>
18543 <p class="IndentText">Type definition exported but not
18545 <p class="MsoHeading7" style='margin-left:0in;text-indent:0in'>
18546 <a name="_Toc534975077"></a><a name="_Ref534642451"></a><a name=
18547 "_Toc344355450">Appendix E<span style=
18548 'font:7.0pt "Times New Roman"'> </span>
18549 <a id="annotated" name="annotated">
18550 Annotated Bibliography</a></a></p>
18551 <h4 style='margin-left:0in;text-indent:0in'>Splint</h4>
18552 <p class="TextFontCX">All of these papers are available at
18553 <span style='font-size:10.0pt;font-family:Arial'><a href=
18554 "http://www.splint.org/publications/">http://www.splint.org/publications/</a></span>. </p>
18555 <p class="TextFontCX"> </p>
18556 <p class="TextFontCX" align="left" style='text-align: left'>
18557 [Barker01] Chris Barker. <i>Static Error Checking of C Applications
18558 Ported from UNIX to WIN32 Systems Using LCLint</i>. Senior Thesis,
18559 University of Virginia Deptartment of Computer Science. May
18561 <p class="TextFontCX" align="left" style='text-align: left'>
18563 <p class="IndentText">Describes annotations and checks useful for
18564 porting applications.</p>
18565 <p class="TextFontCX" align="left" style='text-align: left'>
18567 <p class="TextFontCX" align="left" style='text-align: left'>
18568 [Evans94] David Evans. <i>Using specifications to check source
18569 code</i>. MIT/LCS/TR 628, Laboratory for Computer Science,
18570 MIT, June 1994.</p>
18571 <p class="TextFontCX" align="left" style='text-align: left'>
18573 <p class="IndentText">MIT SM Thesis. Describes research
18574 behind Splint, focusing on how specifications can be exploited to
18575 do lightweight checking. Includes case studies using
18577 <p class="TextFontCX" align="left" style='text-align: left'>
18579 <p class="TextFontCX" align="left" style='text-align: left'>
18580 [EGHT94] David Evans, John Guttag, Jim Horning and Yang Meng
18581 Tan. <i>LCL</i><i>int: A tool for using specifications to
18582 check code</i>. SIGSOFT Symposium on the Foundations of
18583 Software Engineering, December 1994.</p>
18584 <p class="TextFontCX" align="left" style='text-align: left'>
18586 <p class="IndentText">Somewhat obsolete introduction to
18587 LCLint. Shows how LCLint is used to find errors in a sample
18589 <p class="TextFontCX" align="left" style='text-align: left'>
18591 <p class="TextFontCX" align="left" style='text-align: left'>
18592 [Evans96] David Evans. <i>Static Detection of Dynamic Memory
18593 Errors</i>. SIGPLAN Conference on Programming Language Design
18594 and Implementation (PLDI ’96), Philadelphia, PA., May
18596 <p class="TextFontCX" align="left" style='text-align: left'>
18598 <p class="IndentText">Describes approach for exploiting annotations
18599 added to code to detect a wide class of errors. Focuses on
18600 memory management checks described in Section 5 of this
18602 <p class="TextFontCX" align="left" style='text-align: left'>
18604 <p class="TextFontCX" align="left" style='text-align: left'>
18605 [Evans00] David Evans. <i>Annotation-Assisted Lightweight
18606 Static Checking. </i> First International Workshop on
18607 Automated Program Analysis, Testing and Verification.
18608 February, 2000.</p>
18609 <p class="IndentText"> </p>
18610 <p class="IndentText">Short position paper describing research
18611 agenda behind Splint.</p>
18612 <p class="IndentText" style='margin-left:0in'> </p>
18613 <p class="IndentText" style='margin-left:0in'>[Evans02] David Evans
18614 and David Larochelle. <i>Improving Security Using Extensible
18615 Lightweight Static Analysis</i>. IEEE Software, Jan/Feb
18617 <p class="IndentText" style='margin-left:0in'> </p>
18618 <p class="IndentText">Most security attacks exploit instances of
18619 well-known classes of implementations flaws. This article
18620 describes how Splint can be used to detect common security
18621 vulnerabilities (including buffer overflows and format string
18622 vulnerabilities).</p>
18623 <p class="IndentText"> </p>
18624 <p class="IndentText" style='margin-left:0in'>[Larochelle01] David
18625 Larochelle and David Evans. Statically Detecting Likely
18626 Buffer Overflow Vulnerabilities. 2001 USENIX Security
18627 Symposium, Washington, D. C., August 13-17, 2001. </p>
18628 <p class="IndentText"> </p>
18629 <p class="IndentText">Buffer overflow attacks may be today's single
18630 most important security threat. This paper describes how Splint can
18631 be used to detect likely vulnerabilities through an analysis of the
18632 program source code and presents experience using our approach to
18633 detect buffer overflow vulnerabilities in two security-sensitive
18635 <p class="IndentText"> </p>
18636 <h4 style='margin-left:0in;text-indent:0in'>C</h4>
18637 <p class="TextFontCX" align="left" style='text-align: left'>[ISO99]
18638 International Standard ISO/IEC 9899. <i>Programming languages
18639 – C.</i> Second edition. December 1999.</p>
18640 <p class="IndentText"> </p>
18641 <p class="IndentText">International standard specification for C
18642 programming language. Approved by ANSI May 2000.</p>
18643 <p class="TextFontCX" align="left" style='text-align: left'>
18645 <p class="TextFontCX" align="left" style='text-align: left'>[KR88]
18646 Brian W. Kernighan and Dennis M. Ritchie. <i>The C
18647 Programming Language</i>, second edition. Prentice Hall, New
18649 <p class="TextFontCX" align="left" style='text-align: left'>
18651 <p class="IndentText">Standard reference for ANSI C. If you
18652 haven’t heard of this one, you probably didn’t get this
18653 far (unless you started at the back).</p>
18654 <p class="TextFontCX" align="left" style='text-align: left'>
18656 <p class="TextFontCX" align="left" style='text-align: left'>[vdL94]
18657 Peter van der Linden. <i>Expert C Programming: Deep C
18658 Secrets</i>. SunSoft Press, Prentice Hall, New Jersey,
18660 <p class="TextFontCX" align="left" style='text-align: left'>
18662 <p class="IndentText">Filled with useful information on the darker
18663 corners of C, as well as lots of industry anecdotes and
18664 humor. Splint’s reserved name checking is loosely based
18665 on the list of reserved names in this book.</p>
18666 <h4 style='margin-left:0in;text-indent:0in'>Methodology</h4>
18667 <p class="TextFontCX" align="left" style='text-align: left'>[GH93]
18668 John Guttag and James Horning with Stephen J. Garland, Kevin D.
18669 Jones, Andrés Modet, and Jeannette M. Wing. <i>Larch:
18670 Languages and Tools for Formal Specification</i>. Springer-Verlag,
18671 Texts and Monographs in Computer Science, 1993.</p>
18672 <p class="IndentText"> </p>
18673 <p class="IndentText">Overview of the Larch family of specification
18674 languages and related tools. Includes a chapter on LCL, the
18675 Larch C interface language, on which Splint is based.</p>
18676 <p class="IndentText" style='margin-left:0in'> </p>
18677 <p class="TextFontCX" align="left" style='text-align: left'>[LG86]
18678 Barbara Liskov and John Guttag. <i>Abstraction and
18679 Specification in Program Development</i>, MIT Press, Cambridge, MA,
18681 <p class="IndentText"> </p>
18682 <p class="IndentText">Describes a programming methodology using
18683 abstract types and specified interfaces. Much of the
18684 methodology upon which Splint is based comes from this book.
18685 Uses the CLU programming language. </p>
18686 <p class="IndentText"> </p>
18687 <p class="TextFontCX" align="left" style='text-align: left'>
18688 [Liskov01] Barbara Liskov with John Guttag. <i>Program
18689 Development in Java</i>, Addison Wesley, 2001.</p>
18690 <p class="IndentText"> </p>
18691 <p class="IndentText">An updated version of [LG86] for the Java
18692 programming language. </p>
18693 <p class="IndentText"> </p>
18694 <p class="TextFontCX" align="left" style='text-align: left'>[Tan95]
18695 Yang Meng Tan. <i>Formal Specification Techniques for
18696 Engineering Modular C</i>. Kluwer International Series in
18697 Software Engineering, Volume 1, Kluwer Academic Publishers, Boston,
18699 <p class="MsoNormal" align="left" style='text-align:left'>
18701 <p class="IndentText">Modified and updated version of MIT Ph D
18702 thesis, previously published as MIT/LCS/TR-619, 1994.
18703 Includes presentation of the semantics of LCL and a case study
18705 <p class="IndentText" style='margin-left:0in'> </p>
18706 <h4 style='margin-left:0in;text-indent:0in'>Secure Programming</h4>
18707 <p class="TextFontCX" align="left" style='text-align: left'>[Hat95]
18708 Les Hatton. <i>Safer C: Developing Software for
18709 High-integrity and Safety-critical Systems</i>. McGraw-Hill
18710 International Series in Software Engineering, 1995.</p>
18711 <p class="TextFontCX" align="left" style='text-align: left'>
18713 <p class="IndentText">A broad work on all aspects of developing
18714 safety-critical software, focusing on the C language.
18715 Provides good justification for the use of C in safety-critical
18716 systems, and the necessity of tool-supported programming
18717 standards. Splint users will be interested to see how many of
18718 the errors listed as only being dynamically detectable can be
18719 detected statically by Splint.</p>
18720 <p class="IndentText" style='margin-left:0in'> </p>
18721 <p class="IndentText" style='margin-left:0in'>[VM02] John Viega and
18722 Gary McGraw. <i>Building Secure Software: How to Avoid
18723 Security Problems the</i> <i>Right Way</i><i>.</i>
18724 Addison-Wesley, 2002.</p>
18725 <p class="IndentText">A comprehensive survey of techniques and
18726 principles for building secure programs.</p>
18727 <p class="IndentText" style='margin-left:0in'> </p>
18728 <p class="IndentText" style='margin-left:0in'>See also [Evans02]
18730 [Larochelle01].</p></center></center></center></center></center></center></center></center></center></center></center></div>
18732 'font-size:11.0pt;font-family:"Times New Roman"'><br clear="all"
18733 style='page-break-before:right'></span>
18736 'font-size:11.0pt;font-family:"Times New Roman"'><br clear="all"
18737 style='page-break-before:auto'></span>
18738 <div class="Section8">
18739 <p class="IndentText"> </p></div>
18740 <div><br clear="all">
18742 <hr align="left" size="1" width="33%">
18744 <p class="MsoFootnoteText"><a href="#_ftnref1" name="_ftn1"
18745 title=""><span class="MsoFootnoteReference"><span class=
18746 "MsoFootnoteReference"><span style=
18747 'font-size:10.0pt;font-family:"Times New Roman"'>[1]</span></span></span></a>
18748 Lint is a common programming tool for detecting anomalies in C
18749 programs. S. C. Johnson developed the original lint in the
18750 late seventies, mainly because early versions of C did not
18751 support function prototypes. Splint was originally named
18752 LCLint because it was originally intended to check for
18753 inconsistencies between LCL specifications and C
18754 implementations. To reflect divergence from LCL and
18755 increased focus on detecting security vulnerabilities, the name
18756 was changed to Splint, short for “Specification
18757 Lint” and “Secure Programming Lint”.</p></div>
18759 <p class="MsoFootnoteText"><a href="#_ftnref2" name="_ftn2"
18760 title=""><span class="MsoFootnoteReference"><span class=
18761 "MsoFootnoteReference"><span style=
18762 'font-size:10.0pt;font-family:"Times New Roman"'>[2]</span></span></span></a>
18763 The meta-notation, <span class="Annot">item,<sup>+</sup></span>
18764 is used to denote a comma separated list of items. For
18766
18767 <span class="Annot">/*@access mstring, intSet@*/</span></p>
18768 <p class="MsoFootnoteText">allows access to the representations of
18769 both <span class="CodeText">mstring</span> and <span class=
18770 "CodeText">intSet</span>.) </p></div>
18772 <p class="MsoFootnoteText"><a href="#_ftnref3" name="_ftn3"
18773 title=""><span class="MsoFootnoteReference"><span class=
18774 "MsoFootnoteReference"><span style=
18775 'font-size:10.0pt;font-family:"Times New Roman"'>[3]</span></span></span></a>
18776 This section is largely based on [Evans96]. It
18777 semi-formally defines some of the terms needed to describe
18778 memory management checking; if you are satisfied with an
18779 intuitive understanding of these terms, this section may be
18782 <p class="MsoFootnoteText"><a href="#_ftnref4" name="_ftn4"
18783 title=""><span class="MsoFootnoteReference"><span class=
18784 "MsoFootnoteReference"><span style=
18785 'font-size:10.0pt;font-family:"Times New Roman"'>[4]</span></span></span></a>
18786 This is similar to the LISP storage model, except that objects
18787 are typed.</p></div>
18789 <p class="TextFontCX"><a href="#_ftnref5" name="_ftn5" title=
18790 ""><span class="MsoFootnoteReference"><span class=
18791 "MsoFootnoteReference"><span style=
18792 'font-size:11.0pt;font-family:"Times New Roman"'>[5]</span></span></span></a>
18793 <span style='font-size:10.0pt'>Except</span> <span class=
18794 "CodeText"><span style=
18795 'font-size:10.0pt'>sizeof</span></span><span style=
18796 'font-size:10.0pt'>, which does not need the value of its
18797 argument.</span></p></div>
18799 <p class="TextFontCX"><a href="#_ftnref6" name="_ftn6" title=
18800 ""><span class="MsoFootnoteReference"><span class=
18801 "MsoFootnoteReference"><span style=
18802 'font-size:11.0pt;font-family:"Times New Roman"'>[6]</span></span></span></a>
18803 If the storage is not assigned to a reference, an internal
18804 reference is created to track the storage.</p></div>
18806 <p class="MsoFootnoteText"><a href="#_ftnref7" name="_ftn7"
18807 title=""><span class="MsoFootnoteReference"><span class=
18808 "MsoFootnoteReference"><span style=
18809 'font-size:10.0pt;font-family:"Times New Roman"'>[7]</span></span></span></a>
18810 The declaration of <span class="CodeText">free</span> has a
18811 <span class="Annot">null</span> annotation on the parameter
18812 to indicate that the argument may be <span class=
18813 "CodeText">NULL</span>. According to [ISO, 7.20.3.2],
18814 <span class="CodeText">NULL</span> may be passed to
18815 <span class="CodeText">free</span> without no action.
18816 On some UNIX platforms, passing <span class=
18817 "CodeText">NULL</span> to free causes a program crash so the
18818 UNIX version of the standard library specifies <span class=
18819 "CodeText">free</span> without the <span class=
18820 "Annot">null</span> annotation on its parameter. To check
18821 that allocated objects are completely destroyed (e.g., all
18822 unshared objects inside a structure are deallocated before
18823 the structure is deallocated), Splint checks that any
18824 parameter passed as an <span class="CodeText">out only void
18825 *</span> does not contain references to live, unshared
18826 objects. This makes sense, since such a parameter could
18827 not be used sensibly in any way other than deallocating its
18830 <p class="MsoFootnoteText"><a href="#_ftnref8" name="_ftn8"
18831 title=""><span class="MsoFootnoteReference"><span class=
18832 "MsoFootnoteReference"><span style=
18833 'font-size:10.0pt;font-family:"Times New Roman"'>[8]</span></span></span></a>
18834 In versions of Splint before 3.0, the <span class=
18835 "Annot">noreturn</span> annotation was named <span class=
18836 "Annot">exits</span>. The <span class=
18837 "Annot">noreturn</span> annotation means the same thing, but is
18838 a more appropriate name. For legacy code, Splint still
18839 supports the <span class="Annot">exits</span> annotations.
18840 Similarly, <span class="Annot">maynotreturn</span> replaces
18841 <span class="Annot">mayexit</span>, <span class=
18842 "Annot">noreturnwhentrue</span> replaces <span class=
18843 "Annot">truexit</span> and <span class=
18844 "Annot">noreturnwhenfalse</span> replaces <span class=
18845 "Annot">falseexit</span>.</p></div>
18847 <p class="MsoFootnoteText"><a href="#_ftnref9" name="_ftn9"
18848 title=""><span class="MsoFootnoteReference"><span class=
18849 "MsoFootnoteReference"><span style=
18850 'font-size:10.0pt;font-family:"Times New Roman"'>[9]</span></span></span></a>The
18851 <span class="Annot">sef</span> annotation denotes a parameter as
18852 side effect free (see Section 11.2.1). We use
18853 <span class="CodeText">bool /*@alt int@*/</span> as the type
18854 of the parameter, to indicate that it may be either a Boolean
18855 or an integer.</p></div>
18857 <p class="MsoFootnoteText"><a href="#_ftnref10" name="_ftn10"
18858 title=""><span class="MsoFootnoteReference"><span class=
18859 "MsoFootnoteReference"><span style=
18860 'font-size:10.0pt;font-family:"Times New Roman"'>[10]</span></span></span></a>
18861 Peter van der Linden estimates that default fall through is the
18862 wrong behavior 97% of the time. [vdL95, p. 37]</p></div>
18864 <p class="MsoFootnoteText"><a href="#_ftnref11" name="_ftn11"
18865 title=""><span class="MsoFootnoteReference"><span class=
18866 "MsoFootnoteReference"><span style=
18867 'font-size:10.0pt;font-family:"Times New Roman"'>[11]</span></span></span></a>
18868 “Software Glitch Cripples AT&T Network”,
18869 Telephony, 22 January 1990.</p></div>
18871 <p class="MsoFootnoteText"><a href="#_ftnref12" name="_ftn12"
18872 title=""><span class="MsoFootnoteReference"><span class=
18873 "MsoFootnoteReference"><span style=
18874 'font-size:10.0pt;font-family:"Times New Roman"'>[12]</span></span></span></a>
18875 See [Larochelle01] for information on internal aspects of the
18876 checking.</p></div>
18878 <p class="MsoFootnoteText"><a href="#_ftnref13" name="_ftn13"
18879 title=""><span class="MsoFootnoteReference"><span class=
18880 "MsoFootnoteReference"><span style=
18881 'font-size:10.0pt;font-family:"Times New Roman"'>[13]</span></span></span></a>
18882 This section is largely based on [Evans02].</p></div>
18884 <p class="MsoFootnoteText"><a href="#_ftnref14" name="_ftn14"
18885 title=""><span class="MsoFootnoteReference"><span class=
18886 "MsoFootnoteReference"><span style=
18887 'font-size:10.0pt;font-family:"Times New Roman"'>[14]</span></span></span></a>
18888 C. Cowan et al., <i>FormatGuard: Automatic Protection from
18889 printf Format String Vulnerabilities</i>. 10th Usenix
18890 Security Symposium, 2001.</p></div>
18892 <p class="MsoFootnoteText"><a href="#_ftnref15" name="_ftn15"
18893 title=""><span class="MsoFootnoteReference"><span class=
18894 "MsoFootnoteReference"><span style=
18895 'font-size:10.0pt;font-family:"Times New Roman"'>[15]</span></span></span></a>
18896 To be completely correct, all the macro parameters should be
18897 evaluated before the macro has any side effects. Splint
18898 does not check this.</p></div>
18900 <p class="MsoFootnoteText"><a href="#_ftnref16" name="_ftn16"
18901 title=""><span class="MsoFootnoteReference"><span class=
18902 "MsoFootnoteReference"><span style=
18903 'font-size:10.0pt;font-family:"Times New Roman"'>[16]</span></span></span></a>
18904 Functions that do not produce to the same result each time they
18905 are called with the same arguments should be declared to modify
18906 <span class="Annot">internalState</span> so they will lead to
18907 errors if they are passed as <span class="Annot">sef</span>
18908 parameters.</p></div>
18910 <p class="MsoFootnoteText"><a href="#_ftnref17" name="_ftn17"
18911 title=""><span class="MsoFootnoteReference"><span class=
18912 "MsoFootnoteReference"><span style=
18913 'font-size:10.0pt;font-family:"Times New Roman"'>[17]</span></span></span></a>
18914 The most renowned C naming convention is the Hungarian naming
18915 convention, introduced by Charles Simonyi [Simonyi, Charles, and
18916 Martin Heller. “The Hungarian
18917 Revolution.” <i>BYTE</i>, August 1991, p.
18918 131-38]. The names for Splint naming conventions follow
18919 the tradition of using Central European nationalities as
18920 mnemonics for naming conventions. The Splint conventions
18921 are similar to the Hungarian naming convention in that they
18922 encode type information in names, except that the Splint
18923 conventions encode the names of accessible abstract
18924 types instead of the type of the declaration of return
18925 value. Prefixes used in the Hungarian naming convention
18926 are not supported by Splint.</p>
18927 <p class="MsoFootnoteText"> </p></div>
18929 <p class="MsoFootnoteText"><a href="#_ftnref18" name="_ftn18"
18930 title=""><span class="MsoFootnoteReference"><span class=
18931 "MsoFootnoteReference"><span style=
18932 'font-size:10.0pt;font-family:"Times New Roman"'>[18]</span></span></span></a>
18933 Of course, namespace prefixes should really be described by
18934 regular expressions. If there is sufficient interest (that
18935 is, someone volunteers to program it), regular expressions will
18936 be supported in a future version of Splint.</p></div>
18938 <p class="MsoFootnoteText"><a href="#_ftnref19" name="_ftn19"
18939 title=""><span class="MsoFootnoteReference"><span class=
18940 "MsoFootnoteReference"><span style=
18941 'font-size:10.0pt;font-family:"Times New Roman"'>[19]</span></span></span></a>
18942 POSIX library was contributed by Jens
18943 Schweikhardt.</p></div></div>
18944 <!--#include virtual="footer.html"-->
andersk / splint.git / blob