Source files are .c, .h and .lcl files. If there is no suffix, Splint will look for .c and .lcl.

Use splint -help for more information

Topics:

   annotations (describes source-code annotations)
   comments (describes control comments)
   flags (describes flag categories)
   flags (describes flags in category)
   flags all (short description of all flags)
   flags alpha (list all flags alphabetically)
   flags full (full description of all flags)
   mail (information on mailing lists)
   modes (show mode settings)
   parseerrors (help on handling parser errors)
   prefixcodes (character codes in namespace prefixes)
   references (sources for more information)
   vars (environment variables)
   version (information on compilation, maintainer)

Finished checking --- no code processed

Source files are .c, .h and .lcl files. If there is no suffix, Splint will look for .c and .lcl.

Use splint -help for more information

Topics:

   annotations (describes source-code annotations)
   comments (describes control comments)
   flags (describes flag categories)
   flags (describes flags in category)
   flags all (short description of all flags)
   flags alpha (list all flags alphabetically)
   flags full (full description of all flags)
   mail (information on mailing lists)
   modes (show mode settings)
   parseerrors (help on handling parser errors)
   prefixcodes (character codes in namespace prefixes)
   references (sources for more information)
   vars (environment variables)
   version (information on compilation, maintainer)

Command Line: Unrecognized option: asdf
  A flag is not recognized or used in an incorrect way (Use -badflag to inhibit warning)

Finished checking --- no code processed

Warning: setting +boolint redundant with current value

Finished checking --- no code processed

D I S U abstract accessall accessczech accessczechoslovak accessfile accessmodule accessslovak aliasunique allblock allempty allglobs allimponly allmacros alwaysexits annotationerror ansi89limits assignexpose badflag bitwisesigned boolcompare boolfalse boolint boolops booltrue
booltype bounds boundsread boundswrite branchstate bufferoverflow bufferoverflowhigh bugslimit casebreak castexpose castfcnptr charindex charint charintliteral charunsignedchar checkedglobalias checkmodglobalias checkpost checkstrictglobalias checkstrictglobs codeimponly commentchar commenterror compdef compdestroy compmempass constmacros constprefix constprefixexclude constuse continuecomment controlnestdepth cppnames czech czechconsts czechfcns czechmacros czechoslovak czechoslovakconsts czechoslovakfcns czechoslovakmacros czechoslovaktypes czechoslovakvars czechtypes czechvars debugfcnconstraint declundef deepbreak deparrays dependenttrans distinctexternalnames distinctinternalnames dump duplicatecases duplicatequals elseifcomplete emptyreturn enumindex enumint enummembers enummemuse enumprefix enumprefixexclude evalorder evalorderuncon exitarg expect exportany exportconst exportfcn exportheader exportheadervar exportiter exportlocal exportmacro exporttype exportvar exposetrans externalnamecaseinsensitive externalnamelen externalprefix externalprefixexclude f fcnderef fcnmacros fcnpost fcnuse fielduse fileextensions filestaticprefix filestaticprefixexclude firstcase fixedformalarray floatdouble forblock forcehints forempty forloopexec formalarray formatcode formatconst formattype forwarddecl freshtrans fullinitblock globalias globalprefix globalprefixexclude globimponly globnoglobs globs globsimpmodsnothing globstate globuse gnuextensions grammar hasyield help hints i ifblock ifempty ignorequals ignoresigns immediatetrans impabstract impcheckedglobs impcheckedspecglobs impcheckedstatics impcheckedstrictglobs impcheckedstrictspecglobs impcheckedstrictstatics impcheckmodglobs impcheckmodinternals impcheckmodspecglobs impcheckmodstatics impconj implementationoptional implictconstraint impouts imptype includenest incompletetype incondefs incondefslib indentspaces infloops infloopsuncon initallelements initsize internalglobs internalglobsnoglobs 
internalnamecaseinsensitive internalnamelen internalnamelookalike iso99limits isolib isoreserved isoreservedinternal iterbalance iterloopexec iterprefix iterprefixexclude iteryield its4low its4moderate its4mostrisky its4risky its4veryrisky keep keeptrans kepttrans larchpath lclexpect lclimportdir lcs legacy lh libmacros likelybool limit linelen lintcomments load localprefix localprefixexclude longintegral longsignedintegral longunsignedintegral longunsignedunsignedintegral loopexec looploopbreak looploopcontinue loopswitchbreak macroassign macroconstdecl macrodecl macroempty macrofcndecl macromatchname macroparams macroparens macroredef macroreturn macrostmt macrounrecog macrovarprefix macrovarprefixexclude maintype matchanyintegral matchfields mayaliasunique memchecks memimp memtrans misplacedsharequal misscase modfilesys modglobs modglobsnomods modglobsunchecked modinternalstrict modnomods modobserver modobserveruncon mods modsimpnoglobs modstrictglobsnomods moduncon modunconnomods modunspec mts multithreaded mustdefine mustfree mustfreefresh mustfreeonly mustmod mustnotalias mutrep namechecks needspec nestcomment nestedextern neverinclude newdecl newreftrans nextlinemacros noaccess nocomments noeffect noeffectuncon nof nolib noparams nopp noret null nullassign nullderef nullpass nullptrarith nullret nullstate nullterminated nullterminated numenummembers numliteral numstructfields observertrans obviousloopexec oldstyle onlytrans onlyunqglobaltrans orconstraint overload ownedtrans paramimptemp paramuse parenfileformat partial passunknown portability posixlib posixstrictlib predassign predbool predboolint predboolothers predboolptr preproc protoparammatch protoparamname protoparamprefix protoparamprefixexclude ptrarith ptrcompare ptrnegate quiet readonlystrings readonlytrans realcompare redecl redef redundantconstraints redundantsharequal refcounttrans relaxquals relaxtypes repeatunrecog repexpose retalias retexpose retimponly retval retvalbool retvalint 
retvalother sefparams sefuncon shadow sharedtrans shiftimplementation shiftnegative showallconjs showalluses showcolumn showconstraintlocation showconstraintparens showfunc showscan showsourceloc showsummary singleinclude sizeofformalarray sizeoftype skipansiheaders skipposixheaders skipsysheaders slashslashcomment slovak slovakconsts slovakfcns slovakmacros slovaktypes slovakvars specglobimponly specimponly specmacros specretimponly specstructimponly specundecl specundef stackref statemerge statetransfer staticinittrans statictrans stats strictbranchstate strictdestroy strictlib strictops strictusereleased stringliterallen stringliteralnoroom stringliteralsmaller stringliteraltoolong structimponly supcounts superuser switchloopbreak switchswitchbreak syntax sysdirerrors sysdirexpandmacros sysdirs sysunrecog tagprefix tagprefixexclude temptrans timedist tmpcomments tmpdir toctou topuse trytorecover type typeprefix typeprefixexclude typeuse uncheckedglobalias uncheckedmacroprefix uncheckedmacroprefixexclude uniondef unixlib unixstandard unixstrictlib unqualifiedinittrans unqualifiedtrans unreachable unrecog unrecogcomments unrecogdirective unrecogflagcomments unsignedcompare unusedspecial usedef usereleased usestderr usevarargs varuse voidabstract warnflags warnlintcomments warnmissingglobs warnmissingglobsnoglobs warnposixheaders warnrc warnunixlib warnuse whichlib whileblock whileempty whileloopexec zerobool

null --- misuses of null pointer
nullderef --- possible dereferencce of null pointer
nullpass --- possibly null pointer passed as formal with no null annotation
nullret --- possibly null pointer returned as result with no null annotation
nullstate --- possibly null pointer reachable from a reference with no null annotation
nullassign --- inconsistent assignment or initialization involving null pointer
usedef --- use before definition
mustdefine --- out storage not defined before return or scope exit
uniondef --- at least one field of a union must be defined
compdef --- parameter, return value or global completely defined
fullinitblock --- initializer sets all fields
initallelements --- initializer defines all array elements
initsize --- initializer defines extra array elements
impouts --- pointer parameters to unspecified functions may be implicit out parameters
incondefs --- function, variable or constant redefined with inconsistent type
matchfields --- struct or enum type redefined with inconsistent fields or members
fcnderef --- dereferencce of a function type
realcompare --- dangerous comparison between reals (dangerous because of inexact floating point representations)
unsignedcompare --- comparison using <, <=, >= between an unsigned integral and zero constant
ptrarith --- arithmetic involving pointer and integer
nullptrarith --- arithmetic involving possibly null pointer and integer
ptrcompare --- comparison between pointer and number
strictops --- primitive operation does not type check strictly
bitwisesigned --- a bitwise logical operator does not have unsigned operands
shiftnegative --- a shift right operand may be negative
shiftimplementation --- a shift left operand may be negative
sizeoftype --- sizeof operator has a type argument
sizeofformalarray --- sizeof operator has an array formal parameter argument
fixedformalarray --- formal parameter of type array is declared with size
incompletetype --- formal parameter has an incomplete type
formalarray --- formal parameter is an array
booltype --- set name of boolean type (default bool)
boolfalse --- set name of boolean false (default FALSE)
booltrue --- set name of boolean true (default TRUE)
likelybool --- type name is probably a boolean type but does not match default boolean type name, "bool", and alternate name is not set
boolcompare --- comparison between bools (dangerous because of multiple TRUE values)
boolops --- primitive operation (!, && or ||) does not has a boolean argument
ptrnegate --- allow !
to be used on pointer operand
predassign --- condition test (if, while or for) is an assignment
predbool --- type of condition test (if, while or for) not bool (sets predboolint, predboolptr and predboolothers)
predboolint --- type of condition test (if, while or for) is an integral type
predboolptr --- type of condition test (if, while or for) is a pointer
predboolothers --- type of condition test (if, while or for) not bool, int or pointer
abstract --- data abstraction barriers
impabstract --- assume user type definitions are abstract (unless /*@concrete@*/ is used)
accessmodule --- allow access to abstract types in definition module
accessfile --- allow access to abstract types by file name convention
accessczech --- allow access to abstract types by czech naming convention
accessslovak --- allow access to abstract types by slovak naming convention
accessczechoslovak --- allow access to abstract types by czechoslovak naming convention
accessall --- set accessmodule, accessfile and accessczech
mutrep --- representation of mutable type has sharing semantics
mustfreefresh --- freshly allocated storage not released before return or scope exit
mustfreeonly --- only storage not released before return or scope exit
mustfree --- fresh or only storage not released before return or scope exit (sets mustfreefresh and mustfreeonly)
usereleased --- storage used after release
strictusereleased --- element used after it may have been released
compdestroy --- all only references derivable from void pointer out only parameter are released
strictdestroy --- report complete destruction errors for array elements that may have been released
deparrays --- array elements are dependent storage
branchstate --- storage has inconsistent states of alternate paths through a branch
strictbranchstate --- storage through array fetch has inconsistent states of alternate paths through a branch
memchecks --- sets all dynamic memory checking flags (memimplicit, mustfree, mustdefine, mustnotalias,
null, memtrans)
compmempass --- actual parameter matches alias kind of formal parameter completely
stackref --- external reference to stack-allocated storage is created
memtrans --- memory transfer errors (sets all *trans flags)
dependenttrans --- dependent transfer errors
newreftrans --- new reference transfer to reference counted reference
onlytrans --- only storage transferred to non-only reference (memory leak)
onlyunqglobaltrans --- only storage transferred to an unqualified global or static reference (memory leak)
ownedtrans --- owned storage transferred to non-owned reference (memory leak)
freshtrans --- fresh storage transferred to non-only reference (memory leak)
sharedtrans --- shared storage transferred to non-shared reference
temptrans --- temp storage transferred to non-temporary reference
kepttrans --- kept storage transferred to non-temporary reference
keeptrans --- keep storage transferred inconsistently
immediatetrans --- an immediate address (result of &) is transferred inconsistently
refcounttrans --- reference counted storage is transferred in an inconsistent way
statictrans --- static storage is transferred in an inconsistent way
unqualifiedtrans --- unqualified storage is transferred in an inconsistent way
staticinittrans --- static storage is used as an initial value in an inconsistent way
unqualifiedinittrans --- unqualified storage is used as an initial value in an inconsistent way
readonlytrans --- report memory transfer errors for initializations to read-only string literals
passunknown --- passing a value as an un-annotated parameter clears its annotation
readonlystrings --- string literals are read-only (error if one is modified or released)
memimp --- memory errors for unqualified storage
paramimptemp --- assume unannotated parameter is temp
allimponly --- sets globimponly, retimponly, structimponly, specglobimponly, specretimponly and specstructimponly
codeimponly --- sets globimponly, retimponly and structimponly
specimponly --- sets
specglobimponly, specretimponly and specstructimponly
globimponly --- assume unannotated global storage is only
retimponly --- assume unannotated returned storage is only
structimponly --- assume unannotated structure field is only
specglobimponly --- assume unannotated global storage is only
specretimponly --- assume unannotated returned storage is only
specstructimponly --- assume unannotated structure field is only
aliasunique --- unique parameter is aliased
mayaliasunique --- unique parameter may be aliased
mustnotalias --- temp storage aliased at return point or scope exit
retalias --- function returns alias to parameter or global
globalias --- function returns with global aliasing external state (sets checkstrictglobalias, checkedglobalias, checkmodglobalias and uncheckedglobalias)
checkstrictglobalias --- function returns with a checkstrict global aliasing external state
checkedglobalias --- function returns with a checked global aliasing external state
checkmodglobalias --- function returns with a checkmod global aliasing external state
uncheckedglobalias --- function returns with an unchecked global aliasing external state
exposetrans --- exposure transfer errors
observertrans --- observer transfer errors
repexpose --- abstract representation is exposed (sets assignexpose, retexpose, and castexpose)
retexpose --- abstract representation is exposed (return values only)
assignexpose --- abstract representation is exposed (assignments only)
castexpose --- abstract representation is exposed through a cast
redundantsharequal --- declaration uses observer qualifier that is always true
misplacedsharequal --- declaration of unsharable storage uses sharing annotation
mods --- unspecified modification of caller-visible state
mustmod --- specified modification is not detected
modobserver --- possible modification of observer storage
modobserveruncon --- possible modification of observer storage through unconstrained call
modinternalstrict --- possible modification of
internal storage through function call
modfilesys --- report undocumented file system modifications (applies to unspecified functions if modnomods is set)
modunspec --- modification in unspecified functions (sets modnomods, modglobunspec and modstrictglobsunspec)
modnomods --- modification in a function with no modifies clause
moduncon --- possible modification through a call to an unconstrained function
modunconnomods --- possible modification through a call to an unconstrained function in a function with no modifies clause
globsimpmodsnothing --- functions declared with a globals list but no modifies clause are assumed to modify nothing
modsimpnoglobs --- functions declared with a modifies clause but no globals list are assumed to use no globals
globstate --- returns with global in inconsistent state (null or undefined)
globs --- undocumented use of a checked global variable
globuse --- global listed for a function not used
internalglobs --- use of internalState
internalglobsnoglobs --- use of internalState (in function with no globals list)
warnmissingglobs --- global variable used in modifies clause is not listed in globals list
warnmissingglobsnoglobs --- global variable used in modifies clause in a function with no globals list
globnoglobs --- use of checked global in a function with no globals list or specification
allglobs --- report use and modification errors for globals not annotated with unchecked
checkstrictglobs --- report use and modification errors for checkedstrict globals
impcheckedspecglobs --- assume checked qualifier for unqualified global declarations in .lcl files
impcheckmodspecglobs --- assume checkmod qualifier for unqualified global declarations in .lcl files
impcheckedstrictspecglobs --- assume checkmod qualifier for unqualified global declarations in .lcl files
impcheckedglobs --- assume checked qualifier for unqualified global declarations
impcheckmodglobs --- assume checkmod qualifier for unqualified global declarations
impcheckedstrictglobs --- assume checkedstrict qualifier for unqualified global declarations
impcheckedstatics --- assume checked qualifier for unqualified file static declarations
impcheckmodstatics --- assume checkmod qualifier for unqualified file static declarations
impcheckmodinternals --- assume checkmod qualifier for unqualified local static declarations (for internal state modifications)
impcheckedstrictstatics --- assume checkedstrict qualifier for unqualified file static declarations
modglobs --- undocumented modification of a checked global variable
modglobsnomods --- undocumented modification of a checked global variable in a function declared with no modifies clause
modstrictglobsnomods --- undocumented modification of a strict checked global variable in a function declared with no modifies clause
modglobsunchecked --- undocumented modification of an unchecked checked global variable
noret --- path with no return detected in non-void function
emptyreturn --- empty return in function declared to return value
alwaysexits --- loop predicate always exits
loopexec --- assume all loops execute at least once (sets forloopexec, whileloopexec and iterloopexec)
forloopexec --- assume all for loops execute at least once
whileloopexec --- assume all while loops execute at least once
iterloopexec --- assume all iterator loops execute at least once
obviousloopexec --- assume loop that can be determined to always execute always does
evalorder --- code has unspecified or implementation-dependent behavior because of order of evaluation
evalorderuncon --- code involving call to unspecified function has undefined or implementation-dependent behavior
infloops --- likely infinite loop is detected
infloopsuncon --- likely infinite loop is detected (may result from unconstrained function)
casebreak --- non-empty case in a switch without preceding break
misscase --- switch on enum type missing case for some value
firstcase --- first statement in switch is not a case
duplicatecases --- duplicate cases in switch
deepbreak --- break inside nested while or for or switch
looploopbreak --- break inside nested while or for
switchloopbreak --- break in loop inside switch
loopswitchbreak --- break in switch inside loop
switchswitchbreak --- break in switch inside switch
looploopcontinue --- continue inside nested loop
whileempty --- a while statement has no body
whileblock --- the body of a while statement is not a block
forempty --- a for statement has no body
forblock --- the body of a for statement is not a block
ifempty --- an if statement has no body
ifblock --- the body of an if statement is not a block
allempty --- an if, while or for statement has no body (sets ifempty, whileempty and forempty
allblock --- the body of an if, while or for statement is not a block (sets ifblock, whileblock and forblock)
elseifcomplete --- if ... else if chains must have final else
unreachable --- unreachable code detected
noeffect --- statement with no effect
noeffectuncon --- statement with no effect (except possibly through call to unconstrained function)
retval --- return value ignored (sets retvalint, retvalbool and retvalother)
retvalother --- return value of type other than bool or int ignored
retvalbool --- return value of manifest type bool ignored
retvalint --- return value of type int ignored
nullterminated --- misuse of nullterminated allocation
bounds --- memory bounds checking (sets boundsread and boundswrite)
boundsread --- possible out of bounds read
boundswrite --- possible buffer overflow from an out of bounds write
fcnpost --- display function post conditions
redundantconstraints --- display seemingly redundant constraints
checkpost --- unable to verify predicate in ensures clause
implictconstraint --- generate implicit constraints for functions
orconstraint --- use limited OR expressions to resolve constraints
nullterminated --- misuse of nullterminated allocation
showconstraintparens --- display parentheses around constraint
terms
showconstraintlocation --- display location for every constraint generated
mts --- load meta state declaration and corresponding xh file
statetransfer --- storage has been transfered with invalid state
statemerge --- control paths merge with storage in incompatible states
macroredef --- macro redefined
macrounrecog --- unrecognized identifier in macro
macroconstdecl --- non-parameterized macro without prototype or specification
macrostmt --- macro definition is syntactically not equivalent to function
macroempty --- macro definition for is empty
macroparams --- macro parameter not used exactly once
macroreturn --- return statement in macro body
macroassign --- assignment to a macro parameter
macroparens --- macro parameter used without parentheses (in potentially dangerous context)
macrodecl --- macro without prototype or specification (sets macrofcndecl and macroconstdecl)
macrofcndecl --- parameterized macro without prototype or specification
sefparams --- a parameter with side-effects is passed as a sef parameter
sefuncon --- a parameter with unconstrained side-effects is passed as a sef parameter
constmacros --- check all macros without parameter lists as constants
fcnmacros --- check all macros with parameter lists as functions
allmacros --- sets fcnmacros and constmacros
libmacros --- check all macros with declarations in library as functions
specmacros --- check all macros corresponding to specified functions or constants
macromatchname --- macro definition does not match iter or constant declaration
nextlinemacros --- the line after a constant or iter declaration must be a macro definition
iterbalance --- iter is not balanced with end_
iteryield --- iter yield parameter is inappropriate
hasyield --- iter declaration has no yield parameters
namechecks --- controls name checking without changing other settings
czech --- czech naming convention (sets accessczech, czechfunctions, czechvars, czechconstants, czechenums, and czechmacros)
czechfcns --- czech
naming convention violated in a function or iterator declaration
czechvars --- czech naming convention violated in a variable declaration
czechmacros --- czech naming convention violated in an expanded macro name
czechconsts --- czech naming convention violated in a constant declaration
czechtypes --- czech naming convention violated in a user-defined type definition
slovak --- slovak naming convention violated
slovakfcns --- slovak naming convention violated in a function or iterator declaration
slovakmacros --- slovak naming convention violated in an expanded macro name
slovakvars --- slovak naming convention violated in a variable declaration
slovakconsts --- slovak naming convention violated in a constant declaration
slovaktypes --- slovak naming convention violated in a use-defined type definition
czechoslovak --- czech or slovak naming convention violated
czechoslovakfcns --- czechoslovak naming convention violated in a function or iterator declaration
czechoslovakmacros --- czechoslovak naming convention violated in an expanded macro name
czechoslovakvars --- czechoslovak naming convention violated in a variable declaration
czechoslovakconsts --- czechoslovak naming convention violated in a constant declaration
czechoslovaktypes --- czechoslovak naming convention violated in a user-defined type definition
macrovarprefix --- set namespace prefix for variables declared in a macro body
macrovarprefixexclude --- the macrovarprefix may not be used for non-macro variables
tagprefix --- set namespace prefix for struct, union and enum tags
tagprefixexclude --- the tagprefix may not be used for non-tag identifiers
enumprefix --- set namespace prefix for enum members
enumprefixexclude --- the enumprefix may not be used for non-enum member identifiers
filestaticprefix --- set namespace prefix for file static declarations
filestaticprefixexclude --- the filestaticprefix may not be used for identifiers that are not file static
globalprefix --- set namespace prefix for
global variables
globalprefixexclude --- the globalprefix may not be used for non-global identifiers
typeprefix --- set namespace prefix for user-defined types
typeprefixexclude --- the typeprefix may not be used for identifiers that are not type names
externalprefix --- set namespace prefix for external identifiers
externalprefixexclude --- the externalprefix may not be used for non-external identifiers
localprefix --- set namespace prefix for local variables
localprefixexclude --- the localprefix may not be used for non-local identifiers
uncheckedmacroprefix --- set namespace prefix for unchecked macros
uncheckedmacroprefixexclude --- the uncheckmacroprefix may not be used for identifiers that are not unchecked macros
constprefix --- set namespace prefix for constants
constprefixexclude --- the constprefix may not be used for non-constant identifiers
iterprefix --- set namespace prefix for iterators
iterprefixexclude --- the iterprefix may not be used for non-iter identifiers
protoparamprefix --- set namespace prefix for parameters in function prototype declarations
isoreserved --- external name conflicts with name reserved for system or standard library
cppnames --- external or internal name is a C++ keyword or reserved word
isoreservedinternal --- internal name conflicts with name reserved for system or standard library
distinctexternalnames --- external name is not distinguishable from another external name using the number of significant characters
externalnamelen --- set the number of significant characters in an external name
externalnamecaseinsensitive --- alphabetic comparisons for external names are case-insensitive
distinctinternalnames --- internal name is not distinguishable from another internal name using the number of significant characters
internalnamelen --- set the number of significant characters in an internal name
internalnamecaseinsensitive --- set whether case is significant an internal names (-internalnamecaseinsensitive means case is
significant)
internalnamelookalike --- lookalike characters match in internal names
protoparamname --- a parameter in a function prototype has a name
protoparammatch --- the name of a parameter in a function prototype and corresponding declaration must match (after removing the protoparamprefix
protoparamprefixexclude --- the protoparamprefix may not be used for non-declaraction parameter identifiers
topuse --- declaration at top level not used
exportlocal --- a declaration is exported but not used outside this module
exportheader --- a declaration is exported but does not appear in a header file
exportheadervar --- a variable declaration is exported but does not appear in a header file
fielduse --- field of structure type not used
enummemuse --- member of an enum type not used
constuse --- constant declared but not used
fcnuse --- function declared but not used
paramuse --- function parameter not used
typeuse --- type declared but not used
varuse --- variable declared but not used
unusedspecial --- unused declaration in special file (corresponding to .l or .y file)
declundef --- function or variable declared but never defined
specundef --- function or variable specified but never defined
specundecl --- function or variable specified but never declared in a source file
newdecl --- report new global declarations in source files
needspec --- information in specifications is not also included in syntactic comments
nolib --- do not load standard library
isolib --- use normal standard library
strictlib --- interpret standard library strictly
unixlib --- use UNIX (sort-of) standard library
unixstrictlib --- use strict version of UNIX (sort-of) library
posixlib --- use POSIX standard library
posixstrictlib --- use strict POSIX standard library
whichlib --- show standard library filename
warnposixheaders --- a POSIX header is included, but the POSIX library is not used
warnunixlib --- warn when the unix library is used
usevarargs --- non-standard included
dump --- save
state for merging (default suffix .lcd)
load --- load state from dump file (default suffix .lcd)
singleinclude --- optimize header inclusion to eliminate redundant includes
neverinclude --- optimize header inclusion to not include any header files
skipsysheaders --- do not include header files in system directories (set by -sysdirs)
gnuextensions --- support some gnu (gcc) language extensions
noparams --- function declaration has no parameter list
oldstyle --- old style function definition
maintype --- type of main does not match expected type
exitarg --- argument to exit has implementation defined behavior
shadow --- declaration reuses name visible in outer scope
incondefslib --- function, variable or constant defined in a library is redefined with inconsistent type
overload --- library function overloaded
nestedextern --- an extern declaration is inside a function scope
redecl --- function or variable redeclared
redef --- function or variable redefined
imptype --- variable declaration has unknown (implicitly int) type
tmpdir --- set directory for writing temp files
larchpath --- set path for searching for library files (overrides LARCH_PATH environment variable)
lclimportdir --- set directory to search for LCL import files (overrides LCLIMPORTDIR)
sysdirs --- set directories for system files (default /usr/include). Separate directories with path separator (colons in Unix, semi-colons in Windows). Flag settings propagate to files in a system directory. If -sysdirerrors is set, no errors are reported for files in system directories.
skipansiheaders --- prevent inclusion of header files in a system directory with names that match standard ANSI headers. The symbolic information in the standard library is used instead. Flag in effect only if a library including the ANSI library is loaded. The ANSI headers are: assert, ctype, errno, float, limits, locale, math, setjmp, signal, stdarg, stddef, stdio, stdlib, strings, string, time, and wchar.
skipposixheaders --- prevent inclusion of header files in a system directory with names that match standard POSIX headers. The symbolic information in the posix library is used instead. The POSIX headers are: dirent, fcntl, grp, pwd, termios, sys/stat, sys/times, sys/types, sys/utsname, sys/wait, unistd, and utime.
sysdirerrors --- report errors in files in system directories (set by -sysdirs)
sysdirexpandmacros --- expand macros in system directories regardless of other settings, except for macros corresponding to names defined in a load library
I --- add to C include path
S --- add to spec path
exportany --- variable, function or type exported but not specified
exportfcn --- function exported but not specified
exportmacro --- expanded macro exported but not specified
exporttype --- type definition exported but not specified
exportvar --- variable exported but not specified
exportconst --- constant exported but not specified
exportiter --- constant exported but not specified
linelen --- set length of messages (number of chars)
indentspaces --- set number of spaces to indent sub-messages
showcolumn --- show column number where error is found
parenfileformat --- show column number where error is found
showfunc --- show name of function containing error
showallconjs --- show all possible types
impconj --- make all alternate types implicit (useful for making system libraries
expect --- expect code errors
lclexpect --- expect spec errors
partial --- check as partial system (-specundef, -declundef, -exportlocal, don't check macros in headers without corresponding .c files)
lh --- generate .lh files
lcs --- generate .lcs files
warnflags --- warn when command line sets flag in abnormal way
warnrc --- warn when there are problems with reading the initialization files
badflag --- warn about bad command line flags
fileextensions --- warn when command line file does not have a recognized extension
help --- -help will describe flags
f --- read an options file (default
~/.splintrc not loaded) i --- set LCL initilization file nof --- do not read options file commentchar --- set marker character for syntactic comments (default is '@') controlnestdepth --- set maximum nesting depth of compound statements, iteration control structures, and selection control structures (ANSI89 minimum is 15; ISO99 is 63) stringliterallen --- set maximum length of string literals (ANSI89 minimum is 509; ISO99 is 4095) numstructfields --- set maximum number of fields in a struct or union (ANSI89 minimum is 127; ISO99 is 1023) numenummembers --- set maximum number of members of an enum (ANSI89 minimum is 127; ISO99 is 1023) includenest --- set maximum number of nested #include files (ANSI89 minimum is 8; ISO99 is 63) ansi89limits --- check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ANSI89 standard iso99limits --- check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ISO99 standard D --- passed to pre-processor U --- passed to pre-processor unrecogdirective --- unrecognized pre-processor directive supcounts --- The number of errors detected does not match number in /*@i@*/. 
limit --- limit consecutive repeated errors
syntax --- syntax error in parsing
trytorecover --- try to recover from parse error
preproc --- preprocessing error
type --- type mismatch
stringliteraltoolong --- string literal too long for character array
stringliteralnoroom --- string literal leaves no room for null terminator
stringliteralsmaller --- string literal is smaller than the char array it is assigned to
enummembers --- enum members must be int values
formattype --- type-mismatch in parameter corresponding to format code in a printf or scanf-like function
formatconst --- format parameter is not a string constant (hence variable arguments cannot be typechecked)
formatcode --- invalid format code in format string for printf or scanf-like function
forwarddecl --- forward declarations of pointers to abstract representation match abstract type
voidabstract --- void * matches pointers to abstract types, casting ok (dangerous)
castfcnptr --- a pointer to a function is cast to a pointer to void (or vice versa)
charindex --- char can be used to index arrays
enumindex --- enum can be used to index arrays
boolint --- bool and int are equivalent
charint --- char and int are equivalent
enumint --- enum and int are equivalent
floatdouble --- float and double are equivalent
ignorequals --- ignore type qualifiers (long, short, unsigned)
duplicatequals --- report duplicate type qualifiers (e.g., unsigned unsigned)
ignoresigns --- ignore signs in type comparisons (unsigned matches signed)
numliteral --- int literals can be reals
charintliteral --- character constants (e.g., 'a') can be used as ints
relaxquals --- report qualifier mismatches only if dangerous
relaxtypes --- allow all numeric types to match
charunsignedchar --- allow char and unsigned char types to match
matchanyintegral --- allow any intergral type to match an arbitrary integral type (e.g., dev_t)
longunsignedintegral --- allow long unsigned type to match an arbitrary integral type (e.g., dev_t)
longintegral --- allow long type to match an arbitrary integral type (e.g., dev_t)
longunsignedunsignedintegral --- allow long unsigned type to match an arbitrary unsigned integral type (e.g., size_t)
longsignedintegral --- allow long type to match an arbitrary signed integral type (e.g., ssize_t)
zeroptr --- tread 0 as a pointer
zerobool --- treat 0 as a boolean
repeatunrecog --- do not suppress repeated unrecognized identifier messages (instead of only reporting the first error)
sysunrecog --- report unrecognized identifiers with system (__) prefix
unrecog --- unrecognized identifier
annotationerror --- annotation is used in inconsistent location
commenterror --- inconsistent syntactic comment
warnuse --- warn when declaration marked with warn is used
bufferoverflow --- possible buffer overflow vulnerability
bufferoverflowhigh --- likely buffer overflow vulnerability
implementationoptional --- declarator is implementation optional (ISO99 does not require an implementation to provide it)
legacy --- legacy declaration in Unix Standard
multithreaded --- function is not reentrant
portability --- function may have undefined behavior
superuser --- function is restricted to superusers
toctou --- possible time of check, time of use vulnerability
unixstandard --- function is not required in Standard UNIX Specification
its4mostrisky --- most risky security vulnerabilities (from its4 database)
its4veryrisky --- very risky security vulnerabilities (from its4 database)
its4risky --- risky security vulnerabilities (from its4 database)
its4moderate --- moderately risky security vulnerabilities (from its4 database)
its4low --- risky security vulnerabilities (from its4 database)
nocomments --- ignore all stylized comments
noaccess --- ignore access comments
unrecogcomments --- stylized comment is unrecognized
unrecogflagcomments --- stylized flag comment uses an unrecognized flag
tmpcomments --- interpret t comments (ignore errors in lines marked with /*@t@*/
lintcomments --- interpret traditional lint comments (/*FALLTHROUGH*/, /*NOTREACHED*/)
warnlintcomments --- warn when a traditional lint comment is used
continuecomment --- line continuation marker (\) in comment before */ on same line
slashslashcomment --- use of // comment
nestcomment --- comment begins inside comment
quiet --- suppress herald and error count
usestderr --- send error messages to standard error (instead of standard out)
showsummary --- show summary of all errors reported and suppressed
showscan --- show file names are they are processed
stats --- display lines processed and time
timedist --- display time distribution
showalluses --- show sorted list of uses of all globals
hints --- provide a hint the first time a particular warning appears
forcehints --- provide a hint for every warnings
bugslimit --- set maximum number of bugs detected before giving up
debugfcnconstraint --- debug function constraints
grammar --- debug parsing
keep --- do not delete temporary files
nopp --- do not pre-process input files
showsourceloc --- display the source code location where a warning is produced

D
  passed to pre-processor
  Category: preproc
  Default Setting: -
  Set globally only
I
  add to C include path
  Categories: directories, headers
  Default Setting: -
  Set globally only
S
  add to spec path
  Categories: directories, specifications
  Default Setting: -
  Set globally only
U
  passed to pre-processor
  Category: preproc
  Default Setting: -
  Set globally only
abstract
  data abstraction barriers
  Category: abstract
  Default Setting: +
  Set locally
  An abstraction barrier is broken. If necessary, use /*@access @*/ to allow access to an abstract type.
accessall
  set accessmodule, accessfile and accessczech
  Categories: abstract, names
  Default Setting: -
  Set locally
  Sets accessmodule, accessfile and accessczech
accessczech
  allow access to abstract types by czech naming convention
  Categories: abstract, names
  Default Setting: +
  Set locally
  The representation of an abstract type named is accessible in the definition of a function or constant named _
accessczechoslovak
  allow access to abstract types by czechoslovak naming convention
  Categories: abstract, names
  Default Setting: -
  Set locally
  The representation of an abstract type named is accessible in the definition of a function or constant named _ or
accessfile
  allow access to abstract types by file name convention
  Categories: abstract, names
  Default Setting: +
  Set locally
  The representation of an abstract type named is accessible anywhere in a file named ..
accessmodule
  allow access to abstract types in definition module
  Categories: abstract, names
  Default Setting: +
  Set locally
  The representation of an abstract type defined in . is accessible anywhere in a file named ..
accessslovak
  allow access to abstract types by slovak naming convention
  Categories: abstract, names
  Default Setting: -
  Set locally
  The representation of an abstract type named is accessible in the definition of a function or constant named
aliasunique
  unique parameter is aliased
  Categories: aliasing, memory
  Mode Settings: -+++
  Set locally
  A unique or only parameter is aliased by some other parameter or visible global.
allblock
  the body of an if, while or for statement is not a block (sets ifblock, whileblock and forblock)
  Category: controlflow
  Default Setting: -
  Set locally
  Body is a single statement, not a compound block.
allempty
  an if, while or for statement has no body (sets ifempty, whileempty and forempty
  Category: controlflow
  Default Setting: -
  Set locally
allglobs
  report use and modification errors for globals not annotated with unchecked
  Categories: globals, implicit
  Mode Settings: --++
  Set locally
allimponly
  sets globimponly, retimponly, structimponly, specglobimponly, specretimponly and specstructimponly
  Categories: memory, implicit
  Default Setting: -
  Set locally
allmacros
  sets fcnmacros and constmacros
  Category: macros
  Default Setting: -
  Set locally
  All macros (not preceded by /*@notfunction@*/) are checked as functions or constants depending on whether or not they have parameter lists.
alwaysexits
  loop predicate always exits
  Category: controlflow
  Default Setting: +
  Set locally
annotationerror
  annotation is used in inconsistent location
  Categories: declarations,
  Default Setting: +
  Set locally
  A declaration uses an invalid annotation.
ansi89limits
  check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ANSI89 standard
  Categories: limits, ansi
  Default Setting: -
  Set locally
assignexpose
  abstract representation is exposed (assignments only)
  Categories: exposure, abstract
  Mode Settings: --++
  Set locally
  Storage internal to the representation of an abstract type is assigned to an external pointer. This means clients may have access to a pointer into the abstract representation. If the external pointer is a parameter, the exposed qualifier can be used to allow the assignment, however, this is considered dangerous programming practice.
badflag
  warn about bad command line flags
  Category: help
  Default Setting: +
  Set locally
  A flag is not recognized or used in an incorrect way
bitwisesigned
  a bitwise logical operator does not have unsigned operands
  Categories: operations,
  Mode Settings: ---+
  Set locally
  An operand to a bitwise operator is not an unsigned values. This may have unexpected results depending on the signed representations.
boolcompare
  comparison between bools (dangerous because of multiple TRUE values)
  Categories: booleans, operations
  Mode Settings: -+++
  Set locally
  Two bool values are compared directly using a C primitive. This may produce unexpected results since all non-zero values are considered TRUE, so different TRUE values may not be equal. The file bool.h (included in splint/lib) provides bool_equal for safe bool comparisons.
boolfalse
  set name of boolean false (default FALSE)
  Category: booleans
  Default Setting: -
  Set locally
  String argument. Default: FALSE
boolint
  bool and int are equivalent
  Categories: typeequivalence, booleans
  Mode Settings: +---
  Set locally
  To make bool and int types equivalent, use +boolint.
boolops
  primitive operation (!, && or ||) does not has a boolean argument
  Categories: booleans, operations
  Mode Settings: -+++
  Set locally
  The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers.
booltrue
  set name of boolean true (default TRUE)
  Category: booleans
  Default Setting: -
  Set locally
  String argument. Default: TRUE
booltype
  set name of boolean type (default bool)
  Category: booleans
  Default Setting: -
  Set locally
  String argument. Default: lltX_bool
bounds
  memory bounds checking (sets boundsread and boundswrite)
  Categories: memorybounds, memory
  Default Setting: -
  Set locally
  Memory read or write may be out of bounds of allocated storage.
boundsread
  possible out of bounds read
  Categories: memorybounds, memory
  Mode Settings: ----
  Set locally
  A memory read references memory beyond the allocated storage.
boundswrite
  possible buffer overflow from an out of bounds write
  Categories: memorybounds, memory
  Mode Settings: ----
  Set locally
  A memory write may write to an address beyond the allocated buffer.
branchstate
  storage has inconsistent states of alternate paths through a branch
  Category: memory
  Mode Settings: -+++
  Set locally
  The state of a variable is different depending on which branch is taken. This means no annotation can sensibly be applied to the storage.
bufferoverflow
  possible buffer overflow vulnerability
  Categories: warnuse, security
  Mode Settings: -+++
  Set locally
  Use of function that may lead to buffer overflow.
bufferoverflowhigh
  likely buffer overflow vulnerability
  Categories: warnuse, security
  Mode Settings: ++++
  Set locally
  Use of function that may lead to buffer overflow.
bugslimit
  set maximum number of bugs detected before giving up
  Category: debug
  Default Setting: -
  Set locally
  Numeric Argument. Default: 3
casebreak
  non-empty case in a switch without preceding break
  Category: controlflow
  Mode Settings: -+++
  Set locally
  Execution falls through from the previous case.
castexpose
  abstract representation is exposed through a cast
  Categories: exposure, abstract
  Mode Settings: --++
  Set locally
  Storage internal to the representation of an abstract type is exposed through a type cast. This means clients may have access to a pointer into the abstract representation.
castfcnptr
  a pointer to a function is cast to a pointer to void (or vice versa)
  Categories: typeequivalence, pointers
  Default Setting: +
  Set locally
  A pointer to a function is cast to (or used as) a pointer to void (or vice versa).
charindex
  char can be used to index arrays
  Categories: typeequivalence, arrays
  Mode Settings: +---
  Set locally
  To allow char types to index arrays, use +charindex.
charint
  char and int are equivalent
  Category: typeequivalence
  Mode Settings: +---
  Set locally
  To make char and int types equivalent, use +charint.
charintliteral
  character constants (e.g., 'a') can be used as ints
  Categories: typeequivalence, numbers
  Mode Settings: +---
  Set locally
  A character constant is used as an int. Use +charintliteral to allow character constants to be used as ints. (This is safe since the actual type of a char constant is int.)
charunsignedchar
  allow char and unsigned char types to match
  Category: typeequivalence
  Mode Settings: +---
  Set locally
  To allow char and unsigned char types to match use +charunsignedchar.
checkedglobalias
  function returns with a checked global aliasing external state
  Categories: aliasing, globals
  Mode Settings: -+++
  Set locally
  A global variable aliases externally-visible state when the function returns.
checkmodglobalias
  function returns with a checkmod global aliasing external state
  Categories: aliasing, globals
  Mode Settings: -+++
  Set locally
  A global variable aliases externally-visible state when the function returns.
checkpost
  unable to verify predicate in ensures clause
  Categories: memorybounds, memory
  Mode Settings: ----
  Set locally
  The function implementation may not satisfy a post condition given in an ensures clause.
checkstrictglobalias
  function returns with a checkstrict global aliasing external state
  Categories: aliasing, globals
  Mode Settings: -+++
  Set locally
  A global variable aliases externally-visible state when the function returns.
checkstrictglobs
  report use and modification errors for checkedstrict globals
  Categories: globals, unconstrained
  Mode Settings: ++++
  Set locally
codeimponly
  sets globimponly, retimponly and structimponly
  Categories: memory, implicit
  Default Setting: -
  Set locally
commentchar
  set marker character for syntactic comments (default is '@')
  Categories: initializations, comments
  Default Setting: -
  Set locally
  Character Argument. Default: @
  Set the marker character for syntactic comments. Comments beginning with /* are interpreted by Splint, where is the comment marker character.
commenterror
  inconsistent syntactic comment
  Categories: declarations,
  Default Setting: +
  Set locally
  A syntactic comment is used inconsistently.
compdef
  parameter, return value or global completely defined
  Categories: memory, definition
  Mode Settings: -+++
  Set locally
  Storage derivable from a parameter, return value or global is not defined. Use /*@out@*/ to denote passed or returned storage which need not be defined.
compdestroy
  all only references derivable from void pointer out only parameter are released
  Categories: memory, leaks
  Mode Settings: -+++
  Set locally
  A storage leak due to incomplete deallocation of a structure or deep pointer is suspected. Unshared storage that is reachable from a reference that is being deallocated has not yet been deallocated. Splint assumes when an object is passed as an out only void pointer that the outer object will be deallocated, but the inner objects will not.
compmempass
  actual parameter matches alias kind of formal parameter completely
  Categories: memory, definition
  Mode Settings: -+++
  Set locally
  Storage derivable from a parameter does not match the alias kind expected for the formal parameter.
constmacros
  check all macros without parameter lists as constants
  Category: macros
  Default Setting: -
  Set locally
  Every non-parameterized macro (not preceded by /*@notfunction@*/) is checked as a constant.
constprefix
  set namespace prefix for constants
  Categories: names, prefixes
  Default Setting: -
  Set locally
  String argument. No default.
  A constant does not start with the constantprefix
constprefixexclude
  the constprefix may not be used for non-constant identifiers
  Categories: names, prefixes
  Default Setting: -
  Set locally
  An identifier that is not a constant starts with the constantprefix.
constuse
  constant declared but not used
  Category: alluse
  Mode Settings: -+++
  Set locally
  A constant is declared but not used. Use unused in the constant declaration to suppress message.
continuecomment
  line continuation marker (\) in comment before */ on same line
  Categories: comments,
  Default Setting: -
  Set locally
  A line continuation marker (\) appears inside a comment on the same line as the comment close. Preprocessors should handle this correctly, but it causes problems for some preprocessors.
controlnestdepth
  set maximum nesting depth of compound statements, iteration control structures, and selection control structures (ANSI89 minimum is 15; ISO99 is 63)
  Categories: limits, ansi
  Mode Settings: ---+
  Set locally
  Numeric Argument. Default: 63
  Maximum number of control levels exceeded.
cppnames
  external or internal name is a C++ keyword or reserved word
  Categories: names, ansi
  Mode Settings: --++
  Set locally
  External name is a C++ keyword or reserved word. This could lead to problems if the code is compiled with a C++ compiler.
czech
  czech naming convention (sets accessczech, czechfunctions, czechvars, czechconstants, czechenums, and czechmacros)
  Categories: names, abstract
  Default Setting: -
  Set locally
  Name is not consistent with Czech naming convention.
czechconsts
  czech naming convention violated in a constant declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Constant name is not consistent with Czech naming convention.
czechfcns
  czech naming convention violated in a function or iterator declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Function or iterator name is not consistent with Czech naming convention.
czechmacros
  czech naming convention violated in an expanded macro name
  Categories: names, abstract
  Default Setting: -
  Set locally
  Expanded macro name is not consistent with Czech naming convention.
czechoslovak
  czech or slovak naming convention violated
  Categories: names, abstract
  Default Setting: -
  Set locally
  Name is not consistent with either Czech or Slovak naming convention.
czechoslovakconsts
  czechoslovak naming convention violated in a constant declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Constant name is not consistent with Czechoslovak naming convention.
czechoslovakfcns
  czechoslovak naming convention violated in a function or iterator declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Function name is not consistent with Czechoslovak naming convention.
czechoslovakmacros
  czechoslovak naming convention violated in an expanded macro name
  Categories: names, abstract
  Default Setting: -
  Set locally
  Expanded macro name is not consistent with Czechoslovak naming convention.
czechoslovaktypes
  czechoslovak naming convention violated in a user-defined type definition
  Categories: names, abstract
  Default Setting: -
  Set locally
  Type name is not consistent with Czechoslovak naming convention. Czechoslovak type names may not include uppercase letters or the underscore character.
czechoslovakvars
  czechoslovak naming convention violated in a variable declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Variable name is not consistent with Czechoslovak naming convention.
czechtypes
  czech naming convention violated in a user-defined type definition
  Categories: names, abstract
  Default Setting: -
  Set locally
  Type name is not consistent with Czech naming convention. Czech type names must not use the underscore character.
czechvars
  czech naming convention violated in a variable declaration
  Categories: names, abstract
  Default Setting: -
  Set locally
  Variable name is not consistent with Czech naming convention.
debugfcnconstraint
  debug function constraints
  Categories: debug, memorybounds
  Mode Settings: ----
  Set locally
  Perform buffer overflow checking even if the errors would be surpressed.
declundef
  function or variable declared but never defined
  Category: complete
  Mode Settings: --++
  Set locally
  A function or variable is declared, but not defined in any source code file.
deepbreak
  break inside nested while or for or switch
  Category: controlflow
  Default Setting: -
  Set locally
  A break statement appears inside the body of a nested while, for or switch statement. Sets looploopbreak, loopswitchbreak, switchloopbreak, switchswitchbreak, and looploopcontinue.
deparrays
  array elements are dependent storage
  Categories: memory, arrays
  Mode Settings: --++
  Set locally
  When an element is fetched from an array, Splint analysis is not able to determine if the same element is reused. If +deparrays, Splint will mark local storage assigned from array fetches as dependent.
dependenttrans
  dependent transfer errors
  Category: memory
  Mode Settings: -+++
  Set locally
  Dependent storage is transferred to a non-dependent reference.
distinctexternalnames
  external name is not distinguishable from another external name using the number of significant characters
  Categories: names, ansi
  Default Setting: -
  Set locally
  An external name is not distinguishable from another external name using the number of significant characters. According to ANSI Standard (3.1), an implementation may only consider the first 6 characters significant, and ignore alphabetical case distinctions (ISO C99 requires 31). The +externalnamelen flag may be used to change the number of significant characters, and -externalnamecaseinsensitive to make alphabetical case significant in external names.
distinctinternalnames
  internal name is not distinguishable from another internal name using the number of significant characters
  Categories: names, ansi
  Default Setting: -
  Set locally
  An internal name is not distinguishable from another internal name using the number of significant characters. According to ANSI89 Standard (3.1), an implementation may only consider the first 31 characters significant (ISO C99 specified 63). The +internalnamelen flag changes the number of significant characters, -internalnamecaseinsensitive to makes alphabetical case significant, and +internalnamelookalike to make similar-looking characters non-distinct.
dump
  save state for merging (default suffix .lcd)
  Categories: libraries, files
  Default Setting: -
  Set globally only
  Filename argument. No default.
duplicatecases
  duplicate cases in switch
  Category: controlflow
  Default Setting: +
  Set locally
  Duplicate cases in switch.
duplicatequals
  report duplicate type qualifiers (e.g., unsigned unsigned)
  Categories: typeequivalence,
  Default Setting: +
  Set locally
  Duplicate type qualifiers not supported by ISO standard.
elseifcomplete
  if ... else if chains must have final else
  Category: controlflow
  Mode Settings: ---+
  Set locally
  There is no final else following an else if construct.
emptyreturn:
enumindex
  enum can be used to index arrays
  Categories: typeequivalence, arrays
  Mode Settings: ----
  Set locally
  To allow enum types to index arrays, use +enumindex.
enumint
  enum and int are equivalent
  Category: typeequivalence
  Mode Settings: ++--
  Set locally
  To make enum and int types equivalent, use +enumint.
enummembers
  enum members must be int values
  Mode Settings: ----
  Set locally
  Type of initial values for enum members must be int.
enummemuse
  member of an enum type not used
  Category: alluse
  Mode Settings: -+++
  Set locally
  A member of an enum type is never used.
enumprefix
  set namespace prefix for enum members
  Categories: names, prefixes
  Default Setting: -
  Set locally
  String argument. No default.
  An enum member does not start with the enumprefix.
enumprefixexclude
  the enumprefix may not be used for non-enum member identifiers
  Categories: names, prefixes
  Default Setting: -
  Set locally
  An identifier that is not an enum member starts with the enumprefix.
evalorder
  code has unspecified or implementation-dependent behavior because of order of evaluation
  Categories: undefined, ansi
  Mode Settings: -+++
  Set locally
  Code has unspecified behavior. Order of evaluation of function parameters or subexpressions is not defined, so if a value is used and modified in different places not separated by a sequence point constraining evaluation order, then the result of the expression is unspecified.
evalorderuncon
  code involving call to unspecified function has undefined or implementation-dependent behavior
  Categories: undefined, ansi
  Mode Settings: ---+
  Set locally
  Code involving a call to function with no modifies or globals clause may have undefined or implementation-dependent behavior (Splint assumes the unconstrained call may modify any reachable state or use any global). Add a specification for the function.
exitarg
  argument to exit has implementation defined behavior
  Categories: systemfunctions, undefined
  Mode Settings: -+++
  Set locally
  The argument to exit should be 0, EXIT_SUCCESS or EXIT_FAILURE
expect
  expect code errors
  Categories: , errors
  Default Setting: -
  Set globally only
  Numeric Argument. Default: 0
exportany
  variable, function or type exported but not specified
  Categories: export, specifications
  Default Setting: -
  Set locally
  A variable, function or type is exported, but not specified.
exportconst
  constant exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A constant is exported, but not specified.
exportfcn
  function exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A function is exported, but not specified.
exportheader
  a declaration is exported but does not appear in a header file
  Categories: alluse, export
  Mode Settings: --++
  Set locally
  A declaration is exported, but does not appear in a header file.
exportheadervar
  a variable declaration is exported but does not appear in a header file
  Categories: alluse, export
  Mode Settings: --++
  Set locally
  A variable declaration is exported, but does not appear in a header file. (Used with exportheader.)
exportiter
  constant exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A constant is exported, but not specified.
exportlocal
  a declaration is exported but not used outside this module
  Categories: alluse, export
  Mode Settings: -+++
  Set locally
  A declaration is exported, but not used outside this module. Declaration can use static qualifier.
exportmacro
  expanded macro exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A macro is exported, but not specified.
exporttype
  type definition exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A type is exported, but not specified.
exportvar
  variable exported but not specified
  Categories: export, specifications
  Mode Settings: ---+
  Set locally
  A variable is exported, but not specified.
exposetrans
  exposure transfer errors
  Category: memory
  Mode Settings: -+++
  Set locally
  Exposed storage is transferred to a non-exposed, non-observer reference.
externalnamecaseinsensitive
  alphabetic comparisons for external names are case-insensitive
  Categories: names, ansi
  Default Setting: +
  Set locally
  Make alphabetic case insignificant in external names. By ANSI89 standard, case need not be significant in an external name. If +distinctexternalnames is not set, sets +distinctexternalnames with unlimited external name length.
externalnamelen
  set the number of significant characters in an external name
  Categories: names, ansi
  Default Setting: -
  Set locally
  Numeric Argument. Default: 31
  Sets the number of significant characters in an external name (default is 6 for old ANSI89 limit, C99 requires 31). Sets +distinctexternalnames.
externalprefix
  set namespace prefix for external identifiers
  Categories: names, prefixes
  Default Setting: -
  Set locally
  String argument. No default.
  An external identifier does not start with the externalprefix
externalprefixexclude
  the externalprefix may not be used for non-external identifiers
  Categories: names, prefixes
  Default Setting: -
  Set locally
  An identifier that is not external starts with the externalprefix.
f
  read an options file (default ~/.splintrc not loaded)
  Categories: initializations, files
  Default Setting: -
  Set globally only
  Filename argument. No default.
  Read an options file (instead of loading default ~/.splintc)
fcnderef
  dereferencce of a function type
  Mode Settings: --++
  Set locally
  A function type is dereferenced. The ANSI standard allows this because of implicit conversion of function designators, however the dereference is unnecessary.
fcnmacros
  check all macros with parameter lists as functions
  Category: macros
  Default Setting: -
  Set locally
  Every parameterized macro (not preceded by /*@notfunction@*/) is checked as a function.
fcnpost
  display function post conditions
  Categories: memorybounds, display
  Mode Settings: ----
  Set locally
  Display function post conditions.
fcnuse
  function declared but not used
  Category: alluse
  Mode Settings: ++++
  Set locally
  A function is declared but not used. Use /*@unused@*/ in front of function header to suppress message.
fielduse
  field of structure type not used
  Category: alluse
  Mode Settings: -+++
  Set locally
  A field is present in a structure type but never used. Use /*@unused@*/ in front of field declaration to suppress message.
fileextensions
  warn when command line file does not have a recognized extension
  Category: help
  Default Setting: +
  Set locally
filestaticprefix
  set namespace prefix for file static declarations
  Categories: names, prefixes
  Default Setting: -
  Set locally
  String argument. No default.
  A file-static identifier does not start with the filestaticprefix.
filestaticprefixexclude
  the filestaticprefix may not be used for identifiers that are not file static
  Categories: names, prefixes
  Default Setting: -
  Set locally
  An identifier that is not file static starts with the filestaticprefix.
firstcase
  first statement in switch is not a case
  Category: controlflow
  Mode Settings: -+++
  Set locally
  The first statement after a switch is not a case.
fixedformalarray
  formal parameter of type array is declared with size
  Categories: declarations,
  Default Setting: +
  Set locally
  A formal parameter is declared as an array with size. The size of the array is ignored in this context, since the array formal parameter is treated as a pointer.
floatdouble
  float and double are equivalent
  Category: typeequivalence
  Mode Settings: +---
  Set locally
  To make float and double types equivalent, use +floatdouble.
forblock
  the body of a for statement is not a block
  Category: controlflow
  Mode Settings: ---+
  Set locally
  Loop body is a single statement, not a compound block.
forcehints
  provide a hint for every warnings
  Categories: hints, format
  Default Setting: -
  Set locally
  Provide a hint for every warning
forempty
  a for statement has no body
  Category: controlflow
  Mode Settings: ---+
  Set locally
  For statement has no body.
forloopexec
  assume all for loops execute at least once
  Categories: controlflow, memory
  Default Setting: -
  Set locally
formalarray
  formal parameter is an array
  Categories: declarations,
  Default Setting: -
  Set locally
  A formal parameter is declared as an array. This can be confusing, since a formal array parameter is treated as a pointer.
formatcode
  invalid format code in format string for printf or scanf-like function
  Default Setting: +
  Set locally
  Format code in a format string is not valid.
formatconst
  format parameter is not a string constant (hence variable arguments cannot be typechecked)
  Mode Settings: -+++
  Set locally
  Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.
formattype
  type-mismatch in parameter corresponding to format code in a printf or scanf-like function
  Default Setting: +
  Set locally
  Type of parameter is not consistent with corresponding code in format string.
forwarddecl
  forward declarations of pointers to abstract representation match abstract type
  Categories: typeequivalence, abstract
  Mode Settings: +---
  Set locally
freshtrans
  fresh storage transferred to non-only reference (memory leak)
  Category: memory
  Mode Settings: -+++
  Set locally
  Fresh storage (newly allocated in this function) is transferred in a way that the obligation to release storage is not propagated. Use the /*@only@*/ annotation to indicate the a return value is the only reference to the returned storage.
fullinitblock
  initializer sets all fields
  Category: definition
  Default Setting: +
  Set locally
  Initializer does not set every field in the structure.
globalias
  function returns with global aliasing external state (sets checkstrictglobalias, checkedglobalias, checkmodglobalias and uncheckedglobalias)
  Categories: aliasing, globals
  Default Setting: -
  Set locally
  A global variable aliases externally-visible state when the function returns.
globalprefix
  set namespace prefix for global variables
  Categories: names, prefixes
  Default Setting: -
  Set locally
  String argument. No default.
  A global variable does not start with the globalprefix
globalprefixexclude
  the globalprefix may not be used for non-global identifiers
  Categories: names, prefixes
  Default Setting: -
  Set locally
  An identifier that is not a global variable starts with the globalprefix.
globimponly assume unannotated global storage is only Categories: memory, implicit Default Setting: + Set locally globnoglobs use of checked global in a function with no globals list or specification Categories: globals, unconstrained Mode Settings: ---+ Set locally A specified global variable is used in the function, but not listed in its globals list. Without +globnoglobs, only globals declared with /*@checkedstrict@*/ will produce use errors in functions without globals lists. The /*@globals ... @*/ control comment can be used to give a globals list for an unspecified function. globs undocumented use of a checked global variable Categories: globals, specifications Default Setting: + Set locally A checked global variable is used in the function, but not listed in its globals clause. By default, only globals specified in .lcl files are checked. To check all globals, use +allglobals. To check globals selectively use /*@checked@*/ in the global declaration. globsimpmodsnothing functions declared with a globals list but no modifies clause are assumed to modify nothing Categories: modification, globals Mode Settings: --++ Set locally An implicit modifies nothing clause is assumed for a function declared with a globals list but not modifies clause. globstate returns with global in inconsistent state (null or undefined) Category: globals Mode Settings: -+++ Set locally A global variable does not satisfy its annotations when control is transferred. globuse global listed for a function not used Categories: globals, specifications Mode Settings: ++++ Set locally A global variable listed in the function's globals list is not used in the body of the function. gnuextensions support some gnu (gcc) language extensions Categories: , ansi Default Setting: + Set locally ANSI C does not allow some language features supported by gcc and other compilers. Use +gnuextensions to allow some of these extensions. 
grammar debug parsing Category: debug Default Setting: - Set locally hasyield iter declaration has no yield parameters Category: iterators Default Setting: - Set locally An iterator has been declared with no parameters annotated with yield. This may be what you want, if the iterator is meant to do something a fixed number of times, but returns no information to the calling context. Probably, a parameter is missing the yield annotation to indicate that it is assigned a value in the calling context. help -help will describe flags Category: help Default Setting: - Set globally only Display help hints provide a hint the first time a particular warning appears Categories: hints, format Default Setting: + Set locally Provide a hint the first time a particular warning appears i set LCL initilization file Categories: initializations, files Default Setting: - Set globally only Filename argument. No default. ifblock the body of an if statement is not a block Category: controlflow Mode Settings: ---+ Set locally If body is a single statement, not a compound block. ifempty an if statement has no body Category: controlflow Mode Settings: ++++ Set locally If statement has no body. ignorequals ignore type qualifiers (long, short, unsigned) Categories: typeequivalence, numbers Mode Settings: ---- Set locally To ignore type qualifiers in type comparisons use +ignorequals. ignoresigns ignore signs in type comparisons (unsigned matches signed) Categories: typeequivalence, numbers Mode Settings: ---- Set locally To ignore signs in type comparisons use +ignoresigns immediatetrans an immediate address (result of &) is transferred inconsistently Category: memory Mode Settings: -+++ Set locally An immediate address (result of & operator) is transferred inconsistently. 
impabstract assume user type definitions are abstract (unless /*@concrete@*/ is used) Categories: abstract, implicit Default Setting: - Set locally impcheckedglobs assume checked qualifier for unqualified global declarations Categories: globals, unconstrained Mode Settings: ---- Set locally impcheckedspecglobs assume checked qualifier for unqualified global declarations in .lcl files Categories: globals, unconstrained Mode Settings: -+++ Set locally impcheckedstatics assume checked qualifier for unqualified file static declarations Categories: globals, unconstrained Mode Settings: ---- Set locally impcheckedstrictglobs assume checkedstrict qualifier for unqualified global declarations Categories: globals, unconstrained Mode Settings: ---+ Set locally impcheckedstrictspecglobs assume checkmod qualifier for unqualified global declarations in .lcl files Categories: globals, unconstrained Mode Settings: ---+ Set locally impcheckedstrictstatics assume checkedstrict qualifier for unqualified file static declarations Categories: globals, unconstrained Mode Settings: ---+ Set locally impcheckmodglobs assume checkmod qualifier for unqualified global declarations Categories: globals, unconstrained Mode Settings: ---- Set locally impcheckmodinternals assume checkmod qualifier for unqualified local static declarations (for internal state modifications) Categories: globals, unconstrained Mode Settings: --++ Set locally impcheckmodspecglobs assume checkmod qualifier for unqualified global declarations in .lcl files Categories: globals, unconstrained Mode Settings: ---- Set locally impcheckmodstatics assume checkmod qualifier for unqualified file static declarations Categories: globals, unconstrained Mode Settings: ---- Set locally impconj make all alternate types implicit (useful for making system libraries Category: libraries Default Setting: - Set locally implementationoptional declarator is implementation optional (ISO99 does not require an implementation to provide it) 
Categories: warnuse, security Mode Settings: --++ Set locally Use of a declarator that is implementation optional, not required by ISO99. implictconstraint generate implicit constraints for functions Categories: memorybounds, memory Mode Settings: ---- Set locally impouts pointer parameters to unspecified functions may be implicit out parameters Categories: definition, implicit Mode Settings: ---- Set locally imptype variable declaration has unknown (implicitly int) type Categories: declarations, Mode Settings: -+++ Set locally A variable declaration has no explicit type. The type is implicitly int. includenest set maximum number of nested #include files (ANSI89 minimum is 8; ISO99 is 63) Categories: limits, ansi Mode Settings: --++ Set locally Numeric Argument. Default: 63 Maximum number of nested #include files exceeded. incompletetype formal parameter has an incomplete type Categories: declarations, Default Setting: + Set locally A formal parameter is declared with an incomplete type. incondefs function, variable or constant redefined with inconsistent type Categories: declarations, Mode Settings: -+++ Set locally A function, variable or constant is redefined with a different type. incondefslib function, variable or constant defined in a library is redefined with inconsistent type Categories: declarations, libraries Mode Settings: -+++ Set locally A function, variable or constant previously defined in a library is redefined with a different type. indentspaces set number of spaces to indent sub-messages Categories: format, display Default Setting: - Set locally Numeric Argument. Default: 3 infloops likely infinite loop is detected Category: controlflow Mode Settings: -+++ Set locally This appears to be an infinite loop. Nothing in the body of the loop or the loop test modifies the value of the loop test. Perhaps the specification of a function called in the loop body is missing a modification. 
infloopsuncon likely infinite loop is detected (may result from unconstrained function) Category: controlflow Mode Settings: --++ Set locally This appears to be an infinite loop. Nothing in the body of the loop or the loop test modifies the value of the loop test. There may be a modification through a call to an unconstrained function, or an unconstrained function in the loop test may use a global variable modified by the loop body. initallelements initializer defines all array elements Category: definition Default Setting: + Set locally Initializer does not define all elements of a declared array. initsize initializer defines extra array elements Category: definition Default Setting: + Set locally Initializer block contains more elements than the size of a declared array. internalglobs use of internalState Category: globals Mode Settings: ---+ Set locally A called function uses internal state, but the globals list for the function being checked does not include internalState internalglobsnoglobs use of internalState (in function with no globals list) Category: globals Mode Settings: ---+ Set locally A called function uses internal state, but the function being checked has no globals list internalnamecaseinsensitive set whether case is significant an internal names (-internalnamecaseinsensitive means case is significant) Categories: names, ansi Default Setting: - Set locally Set whether case is significant an internal names (-internalnamecaseinsensitive means case is significant). By ANSI89 default, case is not significant. If +distinctinternalnames is not set, sets +distinctinternalnames with unlimited internal name length. internalnamelen set the number of significant characters in an internal name Categories: names, ansi Default Setting: - Set locally Numeric Argument. Default: 63 Sets the number of significant characters in an internal name (ANSI89 default is 31.) Sets +distinctinternalnames. 
internalnamelookalike lookalike characters match in internal names Categories: names, ansi Default Setting: - Set locally Set whether similar looking characters (e.g., "1" and "l") match in internal names. iso99limits check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ISO99 standard Categories: limits, ansi Default Setting: - Set locally isolib use normal standard library Categories: libraries, initializations Default Setting: - Set globally only Library based on the ISO standard library specification is used. isoreserved external name conflicts with name reserved for system or standard library Categories: names, ansi Mode Settings: --++ Set locally External name is reserved for system use by ISO C99 standard. isoreservedinternal internal name conflicts with name reserved for system or standard library Categories: names, ansi Mode Settings: ---+ Set locally Internal name is reserved for system in ISO C99 standard (this should not be necessary unless you are worried about C library implementations that violate the standard and use macros). iterbalance iter is not balanced with end_ Category: iterators Default Setting: + Set locally iterloopexec assume all iterator loops execute at least once Categories: controlflow, memory Default Setting: - Set locally iterprefix set namespace prefix for iterators Categories: names, prefixes Default Setting: - Set locally String argument. No default. An iter does not start with the iterator prefix iterprefixexclude the iterprefix may not be used for non-iter identifiers Categories: names, prefixes Default Setting: - Set locally An identifier that is not a iter starts with the iterprefix. 
iteryield iter yield parameter is inappropriate Category: iterators Default Setting: + Set locally its4low risky security vulnerabilities (from its4 database) Categories: its4, security Default Setting: - Set locally Security vulnerability classified as risky in its4 database. its4moderate moderately risky security vulnerabilities (from its4 database) Categories: its4, security Default Setting: - Set locally Security vulnerability classified as moderate risk in its4 database. its4mostrisky most risky security vulnerabilities (from its4 database) Categories: its4, security Default Setting: - Set locally Security vulnerability classified as most risky in its4 database. its4risky risky security vulnerabilities (from its4 database) Categories: its4, security Default Setting: - Set locally Security vulnerability classified as risky in its4 database. its4veryrisky very risky security vulnerabilities (from its4 database) Categories: its4, security Default Setting: - Set locally Security vulnerability classified as very risky in its4 database. keep do not delete temporary files Category: debug Default Setting: - Set locally keeptrans keep storage transferred inconsistently Category: memory Mode Settings: -+++ Set locally Keep storage is transferred inconsistently --- either in a way that may add a new alias to it, or release it. kepttrans kept storage transferred to non-temporary reference Category: memory Mode Settings: -+++ Set locally storage is transferred to a non-temporary reference after being passed as keep parameter. The storage may be released or new aliases created. larchpath set path for searching for library files (overrides LARCH_PATH environment variable) Categories: directories, files Default Setting: - Set globally only *** Note: possible difference in the test result because of the default path here: Path argument. 
Default: .:/usr/local/share/splint/lib:/af10/evans/LCLintDev/lib: lclexpect expect spec errors Categories: , errors Default Setting: - Set globally only Numeric Argument. Default: 0 lclimportdir set directory to search for LCL import files (overrides LCLIMPORTDIR) Categories: directories, files Default Setting: - Set globally only *** Note: possible difference in the test result because of the default path here: Directory argument. Default: .:/usr/local/share/splint/imports:/af10/evans/LCLintDev/imports lcs generate .lcs files Categories: headers, specifications Default Setting: + Set globally only legacy legacy declaration in Unix Standard Category: warnuse Mode Settings: ---- Set locally Use of a declarator that is marked as a legacy entry in the Unix Standard. lh generate .lh files Categories: headers, specifications Default Setting: - Set globally only libmacros check all macros with declarations in library as functions Category: macros Default Setting: - Set locally Every macro declared in the load library is checked. likelybool type name is probably a boolean type but does not match default boolean type name, "bool", and alternate name is not set Categories: booleans, help Default Setting: + Set locally Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type. limit limit consecutive repeated errors Categories: suppress, errors Default Setting: - Set locally Numeric Argument. Default: -1 linelen set length of messages (number of chars) Categories: format, display Default Setting: - Set locally Numeric Argument. Default: 80 lintcomments interpret traditional lint comments (/*FALLTHROUGH*/, /*NOTREACHED*/) Categories: syncomments, suppress Default Setting: + Set locally load load state from dump file (default suffix .lcd) Categories: libraries, files Default Setting: - Set globally only Filename argument. No default. 
localprefix set namespace prefix for local variables Categories: names, prefixes Default Setting: - Set locally String argument. No default. A local variable does not start with the localprefix localprefixexclude the localprefix may not be used for non-local identifiers Categories: names, prefixes Default Setting: - Set locally An identifier that is not a local variable starts with the localprefix. longintegral allow long type to match an arbitrary integral type (e.g., dev_t) Categories: typeequivalence, numbers Mode Settings: ---- Set locally To allow arbitrary integral types to match long unsigned, use +longintegral. longsignedintegral allow long type to match an arbitrary signed integral type (e.g., ssize_t) Categories: typeequivalence, numbers Mode Settings: ---- Set locally To allow arbitrary signed integral types to match long unsigned, use +longsignedintegral. longunsignedintegral allow long unsigned type to match an arbitrary integral type (e.g., dev_t) Categories: typeequivalence, numbers Mode Settings: +--- Set locally To allow arbitrary integral types to match long unsigned, use +longunsignedintegral. longunsignedunsignedintegral allow long unsigned type to match an arbitrary unsigned integral type (e.g., size_t) Categories: typeequivalence, numbers Mode Settings: +--- Set locally To allow arbitrary unsigned integral types to match long unsigned, use +longunsignedunsignedintegral. loopexec assume all loops execute at least once (sets forloopexec, whileloopexec and iterloopexec) Categories: controlflow, memory Default Setting: - Set locally looploopbreak break inside nested while or for Category: controlflow Mode Settings: --++ Set locally A break statement appears inside the body of a nested while or for statement. This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@innerbreak@*/ to suppress the message for this break only. 
looploopcontinue continue inside nested loop Category: controlflow Mode Settings: ---+ Set locally A continue statement appears inside a loop within a loop. This is perfectly reasonable code, but check that the continue is intended to continue only the inner loop. The continue statement may be preceded by /*@innercontinue@*/ to suppress the message for this continue only. loopswitchbreak break in switch inside loop Category: controlflow Mode Settings: ---+ Set locally A break statement appears inside a switch statement within a while or for loop. This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@switchbreak@*/ to suppress the message for this break only. macroassign assignment to a macro parameter Categories: macros, parameters Mode Settings: -+++ Set locally A macro parameter is used as the left side of an assignment expression. This exhibits behavior that could not be implemented by a function. macroconstdecl non-parameterized macro without prototype or specification Categories: macros, prototypes Mode Settings: -+++ Set locally Macro constant has no declaration. Use /*@constant ...@*/ to declare the macro. macrodecl macro without prototype or specification (sets macrofcndecl and macroconstdecl) Categories: macros, prototypes Mode Settings: ---- Set locally Argument checking cannot be done well for macros without prototypes or specifications, since the types of the arguments are unknown. macroempty macro definition for is empty Category: macros Mode Settings: ---+ Set locally A macro definition has no body. macrofcndecl parameterized macro without prototype or specification Categories: macros, prototypes Mode Settings: -+++ Set locally Function macro has no declaration. 
macromatchname macro definition does not match iter or constant declaration Category: macros Mode Settings: ++++ Set locally A iter or constant macro is defined using a different name from the one used in the previous syntactic comment macroparams macro parameter not used exactly once Categories: macros, parameters Mode Settings: -+++ Set locally A macro parameter is not used exactly once in all possible invocations of the macro. To behave like a function, each macro parameter must be used exactly once on all invocations of the macro so that parameters with side-effects are evaluated exactly once. Use /*@sef@*/ to denote parameters that must be side-effect free. macroparens macro parameter used without parentheses (in potentially dangerous context) Category: macros Mode Settings: -+++ Set locally A macro parameter is used without parentheses. This could be dangerous if the macro is invoked with a complex expression and precedence rules will change the evaluation inside the macro. macroredef macro redefined Category: macros Mode Settings: -+++ Set locally A macro is defined in more than one place. macroreturn: macrostmt macro definition is syntactically not equivalent to function Category: macros Mode Settings: -+++ Set locally A macro is defined in a way that may cause syntactic problems. If the macro returns a value, use commas to separate expressions; otherwise, use do { } while (FALSE) construct. macrounrecog unrecognized identifier in macro Categories: macros, unrecognized Mode Settings: -+++ Set locally An unrecognized identifier appears in a macro. If the identifier is defined before the macro is used, then this is okay. macrovarprefix set namespace prefix for variables declared in a macro body Categories: names, prefixes Default Setting: + Set locally String argument. Default: m_ A variable declared in a macro body does not start with the macrovarprefix. 
macrovarprefixexclude the macrovarprefix may not be used for non-macro variables Categories: names, prefixes Default Setting: + Set locally A variable declared outside a macro body starts with the macrovarprefix. maintype type of main does not match expected type Categories: systemfunctions, Default Setting: + Set locally The function main does not match the expected type. matchanyintegral allow any intergral type to match an arbitrary integral type (e.g., dev_t) Categories: typeequivalence, numbers Mode Settings: ---- Set locally To allow arbitrary integral types to match any integral type, use +matchanyintegral. matchfields struct or enum type redefined with inconsistent fields or members Categories: declarations, Mode Settings: -+++ Set locally A struct, union or enum type is redefined with inconsistent fields or members. mayaliasunique unique parameter may be aliased Categories: aliasing, memory Mode Settings: -+++ Set locally A unique or only parameter may be aliased by some other parameter or visible global. memchecks sets all dynamic memory checking flags (memimplicit, mustfree, mustdefine, mustnotalias, null, memtrans) Category: memory Default Setting: - Set locally memimp memory errors for unqualified storage Categories: memory, implicit Mode Settings: -+++ Set locally memtrans memory transfer errors (sets all *trans flags) Category: memory Default Setting: - Set locally Memory is transferred in a way that violates annotations. misplacedsharequal declaration of unsharable storage uses sharing annotation Categories: declarations, Mode Settings: -+++ Set locally A declaration of an unsharable object uses a sharing annotation. misscase switch on enum type missing case for some value Category: controlflow Mode Settings: -+++ Set locally Not all values in an enumeration are present as cases in the switch. 
modfilesys report undocumented file system modifications (applies to unspecified functions if modnomods is set) Categories: modification, unconstrained Mode Settings: ---+ Set locally modglobs undocumented modification of a checked global variable Categories: globals, modification Mode Settings: -+++ Set locally A checked global variable is modified by the function, but not listed in its modifies clause. modglobsnomods undocumented modification of a checked global variable in a function declared with no modifies clause Categories: globals, modification Mode Settings: ---+ Set locally A checked global variable is modified by the function, but not listed in its modifies clause. modglobsunchecked undocumented modification of an unchecked checked global variable Categories: globals, modification Mode Settings: ---+ Set locally An unchecked global variable is modified by the function, but not listed in its modifies clause. modinternalstrict possible modification of internal storage through function call Categories: modification, memory Mode Settings: ---+ Set locally A function that modifies internalState is called from a function that does not list internalState in its modifies clause modnomods modification in a function with no modifies clause Categories: modification, unconstrained Mode Settings: ---+ Set locally An externally-visible object is modified by a function with no /*@modifies@*/ comment. The /*@modifies ... @*/ control comment can be used to give a modifies list for an unspecified function. modobserver possible modification of observer storage Categories: modification, memory Default Setting: + Set locally Storage declared with observer is possibly modified. Observer storage may not be modified. modobserveruncon possible modification of observer storage through unconstrained call Categories: modification, memory Mode Settings: ---+ Set locally Storage declared with observer may be modified through a call to an unconstrained function. 
mods unspecified modification of caller-visible state Categories: modification, specifications Default Setting: + Set locally An externally-visible object is modified by a function, but not listed in its modifies clause. modsimpnoglobs functions declared with a modifies clause but no globals list are assumed to use no globals Categories: modification, globals Mode Settings: ---- Set locally An implicit empty globals list is assumed for a function declared with a modifies clause but no globals list. modstrictglobsnomods undocumented modification of a strict checked global variable in a function declared with no modifies clause Categories: globals, modification Mode Settings: ---+ Set locally A checked global variable is modified by the function, but not listed in its modifies clause. moduncon possible modification through a call to an unconstrained function Categories: modification, unconstrained Mode Settings: ---+ Set locally An unconstrained function is called in a function body where modifications are checked. Since the unconstrained function may modify anything, there may be undetected modifications in the checked function. modunconnomods possible modification through a call to an unconstrained function in a function with no modifies clause Categories: modification, unconstrained Mode Settings: ---+ Set locally An unconstrained function is called in a function body where modifications are checked. Since the unconstrained function may modify anything, there may be undetected modifications in the checked function. modunspec modification in unspecified functions (sets modnomods, modglobunspec and modstrictglobsunspec) Categories: modification, unconstrained Default Setting: - Set locally mts load meta state declaration and corresponding xh file Categories: extensible, files Default Setting: - Set globally only Filename argument. No default. 
multithreaded function is not reentrant Categories: warnuse, security Mode Settings: --++ Set locally Non-reentrant function should not be used in multithreaded code. mustdefine out storage not defined before return or scope exit Categories: memory, definition Mode Settings: -+++ Set locally An out parameter or global is not defined before control is transferred. mustfree fresh or only storage not released before return or scope exit (sets mustfreefresh and mustfreeonly) Categories: memory, leaks Default Setting: - Set locally A memory leak has been detected. mustfreefresh freshly allocated storage not released before return or scope exit Categories: memory, leaks Mode Settings: -+++ Set locally A memory leak has been detected. Storage allocated locally is not released before the last reference to it is lost. mustfreeonly only storage not released before return or scope exit Categories: memory, leaks Mode Settings: -+++ Set locally A memory leak has been detected. Only-qualified storage is not released before the last reference to it is lost. mustmod specified modification is not detected Categories: modification, specifications Mode Settings: --++ Set locally An object listed in the modifies clause is not modified by the implementation of the function. The modification may not be detected if it is done through a call to an unspecified function. mustnotalias temp storage aliased at return point or scope exit Categories: aliasing, memory Mode Settings: -+++ Set locally An alias has been added to a temp-qualifier parameter or global that is visible externally when the function returns. If the aliasing is needed, use the /*@shared@*/ annotation to indicate that new aliases to the parameter may be created. mutrep representation of mutable type has sharing semantics Category: abstract Mode Settings: -+++ Set locally LCL semantics requires that a mutable type exhibits sharing semantics. In order for objects to be shared a indirection is necessary in the representation. 
A mutable type may be represented by a pointer or an abstract mutable type. Handles into static data are fine, too, but will generate this error message unless it is suppressed. namechecks controls name checking without changing other settings Categories: names, abstract Default Setting: + Set locally needspec information in specifications is not also included in syntactic comments Categories: initializations, specifications Default Setting: - Set locally There is information in the specification that is not duplicated in syntactic comments. Normally, this is not an error, but it may be useful to detect it to make sure checking incomplete systems without the specifications will still use this information. nestcomment comment begins inside comment Categories: comments, Default Setting: + Set locally A comment open sequence (/*) appears within a comment. This usually means an earlier comment was not closed. nestedextern an extern declaration is inside a function scope Category: declarations Mode Settings: -+++ Set locally An extern declaration is used inside a function scope. neverinclude optimize header inclusion to not include any header files Categories: headers, performance Default Setting: - Set globally only Ignore header includes. Only works if relevant information is loaded from a library. newdecl report new global declarations in source files Categories: declarations, libraries Default Setting: - Set locally There is a new declaration that is not declared in a loaded library or earlier file. (Use this flag to check for consistency against a library.) newreftrans new reference transfer to reference counted reference Category: memory Mode Settings: -+++ Set locally A new reference is transferred to a reference counted reference. nextlinemacros the line after a constant or iter declaration must be a macro definition Category: macros Default Setting: + Set locally A constant or iter declaration is not immediately followed by a macro definition. 
noaccess ignore access comments Categories: syncomments, abstract Default Setting: - Set locally nocomments ignore all stylized comments Categories: syncomments, suppress Default Setting: - Set locally noeffect statement with no effect Categories: effect, controlflow Mode Settings: -+++ Set locally Statement has no visible effect --- no values are modified. noeffectuncon statement with no effect (except possibly through call to unconstrained function) Categories: effect, controlflow Mode Settings: ---+ Set locally Statement has no visible effect --- no values are modified. It may modify something through a call to an unconstrained function. nof do not read options file Categories: initializations, files Default Setting: - Set globally only Do not read the default options file (~/.splintrc) nolib do not load standard library Categories: libraries, initializations Default Setting: - Set globally only noparams function declaration has no parameter list Categories: prototypes, ansi Mode Settings: --++ Set locally A function declaration does not have a parameter list. nopp do not pre-process input files Category: debug Default Setting: - Set locally noret path with no return detected in non-void function Category: controlflow Mode Settings: -+++ Set locally There is a path through a function declared to return a value on which there is no return statement. This means the execution may fall through without returning a meaningful result to the caller. null misuses of null pointer Categories: null, memory Default Setting: - Set locally A possibly null pointer is misused (sets nullderef, nullpass, nullref, nullassign, and nullstate). nullassign inconsistent assignment or initialization involving null pointer Categories: null, memory Mode Settings: -+++ Set locally A reference with no null annotation is assigned or initialized to NULL. Use /*@null@*/ to declare the reference as a possibly null pointer. 
nullderef possible dereferencce of null pointer Categories: null, memory Mode Settings: -+++ Set locally A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case, code should check it is not null), or a global, parameter or structure field declared with the null qualifier. nullpass possibly null pointer passed as formal with no null annotation Categories: null, memory Mode Settings: -+++ Set locally A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@null@*/ annotation. If NULL may be used for this parameter, add a /*@null@*/ annotation to the function parameter declaration. nullptrarith arithmetic involving possibly null pointer and integer Categories: operations, pointers Mode Settings: --++ Set locally Pointer arithmetic using a possibly null pointer and integer. nullret possibly null pointer returned as result with no null annotation Categories: null, memory Mode Settings: -+++ Set locally Function returns a possibly null pointer, but is not declared using /*@null@*/ annotation of result. If function may return NULL, add /*@null@*/ annotation to the return value declaration. nullstate possibly null pointer reachable from a reference with no null annotation Categories: null, memory Mode Settings: -+++ Set locally A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@null@*/ annotation. nullterminated misuse of nullterminated allocation Categories: memorybounds, memory Mode Settings: ---- Set locally A possibly non-nullterminated string/memory is used/referenced as a nullterminated one.
numenummembers set maximum number of members of an enum (ANSI89 minimum is 127; ISO99 is 1023) Categories: limits, ansi Mode Settings: ---+ Set locally Numeric Argument. Default: 1023 Limit on maximum number of members of an enum is exceeded. numliteral int literals can be reals Categories: typeequivalence, numbers Mode Settings: ++-- Set locally An int literal is used as any numeric type (including float and long long). Use +numliteral to allow int literals to be used as any numeric type. numstructfields set maximum number of fields in a struct or union (ANSI89 minimum is 127; ISO99 is 1023) Categories: limits, ansi Mode Settings: ---+ Set locally Numeric Argument. Default: 1023 Maximum number of fields in a struct or union exceeded. observertrans observer transfer errors Category: memory Mode Settings: -+++ Set locally Observer storage is transferred to a non-observer reference. obviousloopexec assume loop that can be determined to always execute always does Categories: controlflow, memory Default Setting: + Set locally oldstyle old style function definition Categories: prototypes, ansi Mode Settings: ---+ Set locally Function definition is in old style syntax. Standard prototype syntax is preferred. onlytrans only storage transferred to non-only reference (memory leak) Category: memory Mode Settings: -+++ Set locally The only reference to this storage is transferred to another reference (e.g., by returning it) that does not have the only annotation. This may lead to a memory leak, since the new reference is not necessarily released. onlyunqglobaltrans only storage transferred to an unqualified global or static reference (memory leak) Category: memory Mode Settings: --++ Set locally The only reference to this storage is transferred to another reference that does not have an aliasing annotation. This may lead to a memory leak, since the new reference is not necessarily released. 
orconstraint use limited OR expressions to resolve constraints Categories: memorybounds, memory Mode Settings: ---- Set locally overload library function overloaded Categories: declarations, libraries Mode Settings: ---- Set locally A function, variable or constant defined in the library is redefined with a different type. ownedtrans owned storage transferred to non-owned reference (memory leak) Category: memory Mode Settings: -+++ Set locally The owned reference to this storage is transferred to another reference (e.g., by returning it) that does not have the owned annotation. This may lead to a memory leak, since the new reference is not necessarily released. paramimptemp assume unannotated parameter is temp Categories: memory, implicit Default Setting: + Set locally paramuse function parameter not used Categories: alluse, parameters Mode Settings: -+++ Set locally A function parameter is not used in the body of the function. If the argument is needed for type compatibility or future plans, use /*@unused@*/ in the argument declaration. parenfileformat show column number where error is found Categories: format, display Default Setting: - Set locally partial check as partial system (-specundef, -declundef, -exportlocal, don't check macros in headers without corresponding .c files) Categories: , alluse Default Setting: - Set locally passunknown passing a value as an un-annotated parameter clears its annotation Categories: memory, parameters Mode Settings: ---- Set locally portability function may have undefined behavior Categories: warnuse, security Mode Settings: --++ Set locally Use of function that may have implementation-dependent behavior. posixlib use POSIX standard library Categories: libraries, initializations Default Setting: - Set globally only POSIX version of the standard library is used. 
posixstrictlib use strict POSIX standard library Categories: libraries, initializations Default Setting: - Set globally only POSIX version of the strict standard library is used. predassign condition test (if, while or for) is an assignment Categories: booleans, predicates Default Setting: + Set locally The condition test is an assignment expression. Probably, you mean to use == instead of =. If an assignment is intended, add an extra parentheses nesting (e.g., if ((a = b)) ...) to suppress this message. predbool type of condition test (if, while or for) not bool (sets predboolint, predboolptr and predboolothers) Categories: booleans, predicates Default Setting: - Set locally Test expression type is not boolean. predboolint type of condition test (if, while or for) is an integral type Categories: predicates, booleans Mode Settings: -+++ Set locally Test expression type is not boolean or int. predboolothers type of condition test (if, while or for) not bool, int or pointer Categories: booleans, predicates Mode Settings: ++++ Set locally Test expression type is not boolean. predboolptr type of condition test (if, while or for) is a pointer Categories: booleans, predicates Mode Settings: --++ Set locally Test expression type is not boolean. preproc preprocessing error Categories: , preproc Default Setting: + Set locally protoparammatch the name of a parameter in a function prototype and corresponding declaration must match (after removing the protoparamprefix Categories: names, prefixes Mode Settings: --++ Set locally A parameter in a function definition does not have the same name as the corresponding in the declaration of the function after removing the protoparamprefix protoparamname a parameter in a function prototype has a name Categories: names, prefixes Mode Settings: ---+ Set locally A parameter in a function prototype has a name. This is dangerous, since a macro definition could be visible here. 
protoparamprefix set namespace prefix for parameters in function prototype declarations Categories: names, prefixes Default Setting: - Set locally String argument. No default. A parameter name in a function prototype declaration does not start with the declaration parameter prefix protoparamprefixexclude the protoparamprefix may not be used for non-declaraction parameter identifiers Categories: names, prefixes Default Setting: - Set locally An identifier that is not a parameter name in a function prototype starts with the protoparamprefix. ptrarith arithmetic involving pointer and integer Categories: operations, pointers Mode Settings: ---+ Set locally Pointer arithmetic using pointer and integer. ptrcompare comparison between pointer and number Categories: operations, pointers Mode Settings: -+++ Set locally A pointer is compared to a number. ptrnegate allow ! to be used on pointer operand Categories: booleans, pointers Mode Settings: ++-- Set locally The operand of ! operator is a pointer. quiet suppress herald and error count Categories: display, errors Default Setting: - Set locally readonlystrings string literals are read-only (error if one is modified or released) Category: memory Mode Settings: -+++ Set locally String literals are read-only. An error is reported if a string literal may be modified or released. readonlytrans report memory transfer errors for initializations to read-only string literals Category: memory Mode Settings: --++ Set locally A read-only string literal is assigned to a non-observer reference. realcompare dangerous comparison between reals (dangerous because of inexact floating point representations) Category: operations Mode Settings: -+++ Set locally Two real (float, double, or long double) values are compared directly using a C primitive. This may produce unexpected results since floating point representations are inexact. Instead, compare the difference to FLT_EPSILON or DBL_EPSILON. 
redecl function or variable redeclared Category: declarations Mode Settings: --++ Set locally A function or variable is declared in more than one place. This is not necessarily a problem, since the declarations are consistent. redef function or variable redefined Category: declarations Default Setting: + Set locally A function or variable is redefined. One of the declarations should use extern. redundantconstraints display seemingly redundant constraints Categories: memorybounds, display Mode Settings: ---- Set locally Display seemingly redundant constraints redundantsharequal declaration uses observer qualifier that is always true Categories: declarations, Mode Settings: --++ Set locally A declaration of an immutable object uses a redundant observer qualifier. refcounttrans reference counted storage is transferred in an inconsistent way Category: memory Mode Settings: -+++ Set locally Reference counted storage is transferred in a way that may not be consistent with the reference count. relaxquals report qualifier mismatches only if dangerous Categories: typeequivalence, numbers Mode Settings: ++-- Set locally To allow qualifier mismatches that are not dangerous, use +relaxquals. relaxtypes allow all numeric types to match Categories: typeequivalence, numbers Mode Settings: ---- Set locally To allow all numeric types to match, use +relaxtypes. repeatunrecog do not suppress repeated unrecognized identifier messages (instead of only reporting the first error) Categories: unrecognized, display Default Setting: - Set locally Identifier used in code has not been declared. (Message repeated for future uses in this file.) repexpose abstract representation is exposed (sets assignexpose, retexpose, and castexpose) Categories: exposure, abstract Default Setting: - Set locally The internal representation of an abstract type is visible to the caller. This means clients may have access to a pointer into the abstract representation. 
retalias function returns alias to parameter or global Category: aliasing Mode Settings: --++ Set locally The returned value shares storage with a parameter or global. If a parameter is to be returned, use the returned qualifier. If the result is not modified, use the observer qualifier on the result type. Otherwise, exposed can be used, but limited checking is done. retexpose abstract representation is exposed (return values only) Categories: exposure, abstract Mode Settings: --++ Set locally The return value shares storage with an instance of an abstract type. This means clients may have access to a pointer into the abstract representation. Use the observer qualifier to return exposed storage that may not be modified by the client. Use the exposed qualifier to return modifiable (but not deallocatable) exposed storage (dangerous). retimponly assume unannotated returned storage is only Categories: memory, implicit Default Setting: + Set locally retval return value ignored (sets retvalint, retvalbool and retvalother) Category: returnvals Default Setting: - Set locally Result returned by function call is not used. If this is intended, cast result to (void) to eliminate message. retvalbool return value of manifest type bool ignored Categories: returnvals, booleans Mode Settings: -+++ Set locally Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. retvalint return value of type int ignored Category: returnvals Mode Settings: -+++ Set locally Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. retvalother return value of type other than bool or int ignored Categories: returnvals, booleans Mode Settings: ++++ Set locally Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. 
sefparams a parameter with side-effects is passed as a sef parameter Categories: macros, parameters Mode Settings: -+++ Set locally An actual parameter corresponding to a sef parameter may have a side-effect. sefuncon a parameter with unconstrained side-effects is passed as a sef parameter Categories: macros, parameters Mode Settings: --++ Set locally An actual parameter corresponding to a sef parameter involves a call to a procedure with no modifies clause that may have a side-effect. shadow declaration reuses name visible in outer scope Category: declarations Mode Settings: -+++ Set locally An outer declaration is shadowed by the local declaration. sharedtrans shared storage transferred to non-shared reference Category: memory Mode Settings: -+++ Set locally Shared storage is transferred to a non-shared reference. The other reference may release storage needed by this reference. shiftimplementation a shift left operand may be negative Categories: operations, Mode Settings: -+++ Set locally The left operand to a shift operator may be negative (behavior is implementation-defined). shiftnegative a shift right operand may be negative Categories: operations, Mode Settings: -+++ Set locally The right operand to a shift operator may be negative (behavior undefined). showallconjs show all possible types Category: format Default Setting: - Set locally When a library function is declared with multiple possible type, the alternate types are shown only if +showallconjs. 
showalluses show sorted list of uses of all globals Categories: display, alluse Default Setting: - Set globally only showcolumn show column number where error is found Categories: format, display Default Setting: + Set locally showconstraintlocation display location for every constraint generated Categories: memorybounds, display Mode Settings: ---- Set locally showconstraintparens display parentheses around constraint terms Categories: memorybounds, display Mode Settings: ---- Set locally showfunc show name of function containing error Category: format Default Setting: + Set locally showscan show file names are they are processed Categories: display, files Default Setting: - Set locally showsourceloc display the source code location where a warning is produced Category: debug Default Setting: - Set locally showsummary show summary of all errors reported and suppressed Categories: display, errors Default Setting: - Set locally singleinclude optimize header inclusion to eliminate redundant includes Categories: headers, performance Default Setting: - Set globally only When checking multiple files, each header file is processed only once. This may change the meaning of the code, if the same header file is included in different contexts (e.g., the header file includes #if directives and the values are different when it is included in different places.) sizeofformalarray sizeof operator has an array formal parameter argument Categories: operations, Default Setting: + Set locally Operand of a sizeof operator is a function parameter declared as an array. The value of sizeof will be the size of a pointer to the element type, not the number of elements in the array. sizeoftype sizeof operator has a type argument Categories: operations, Mode Settings: ---+ Set locally Operand of sizeof operator is a type. (Safer to use expression, int *x = sizeof (*x); instead of sizeof (int).) 
skipansiheaders prevent inclusion of header files in a system directory with names that match standard ANSI headers. The symbolic information in the standard library is used instead. Flag in effect only if a library including the ANSI library is loaded. The ANSI headers are: assert, ctype, errno, float, limits, locale, math, setjmp, signal, stdarg, stddef, stdio, stdlib, strings, string, time, and wchar. Categories: directories, files Default Setting: + Set locally skipposixheaders prevent inclusion of header files in a system directory with names that match standard POSIX headers. The symbolic information in the posix library is used instead. The POSIX headers are: dirent, fcntl, grp, pwd, termios, sys/stat, sys/times, sys/types, sys/utsname, sys/wait, unistd, and utime. Categories: directories, files Default Setting: + Set locally skipsysheaders do not include header files in system directories (set by -sysdirs) Categories: headers, performance Default Setting: - Set globally only Do not include header files in system directories (set by -sysdirs) slashslashcomment use of // comment Categories: comments, Default Setting: - Set locally A // comment is used. ISO C99 allows // comments, but earlier standards did not. slovak slovak naming convention violated Categories: names, abstract Default Setting: - Set locally Name is not consistent with Slovak naming convention. slovakconsts slovak naming convention violated in a constant declaration Categories: names, abstract Default Setting: - Set locally Constant name is not consistent with Slovak naming convention. slovakfcns slovak naming convention violated in a function or iterator declaration Categories: names, abstract Default Setting: - Set locally Function or iterator name is not consistent with Slovak naming convention. 
slovakmacros slovak naming convention violated in an expanded macro name Categories: names, abstract Default Setting: - Set locally Expanded macro name is not consistent with Slovak naming convention. slovaktypes slovak naming convention violated in a use-defined type definition Categories: names, abstract Default Setting: - Set locally Type name is not consistent with Slovak naming convention. Slovak type names may not include uppercase letters. slovakvars slovak naming convention violated in a variable declaration Categories: names, abstract Default Setting: - Set locally Variable name is not consistent with Slovak naming convention. specglobimponly assume unannotated global storage is only Categories: memory, implicit Default Setting: - Set locally specimponly sets specglobimponly, specretimponly and specstructimponly Categories: memory, implicit Default Setting: - Set locally specmacros check all macros corresponding to specified functions or constants Category: macros Default Setting: + Set locally Every macro declared a specification file is checked. specretimponly assume unannotated returned storage is only Categories: memory, implicit Default Setting: - Set locally specstructimponly assume unannotated structure field is only Categories: memory, implicit Default Setting: - Set locally specundecl function or variable specified but never declared in a source file Categories: complete, specifications Default Setting: - Set locally A function or variable is declared in an .lcl file, but not declared in any source code file. specundef function or variable specified but never defined Categories: complete, specifications Mode Settings: -+++ Set locally A function or variable is declared in an .lcl file, but not defined in any source code file. stackref external reference to stack-allocated storage is created Categories: memory, released Mode Settings: ++++ Set locally A stack reference is pointed to by an external reference when the function returns. 
The stack-allocated storage is destroyed after the call, leaving a dangling reference. statemerge control paths merge with storage in incompatible states Categories: extensible, memory Mode Settings: ++++ Set locally Control path merge violates user-defined state merge rules. statetransfer storage has been transfered with invalid state Categories: extensible, memory Mode Settings: ++++ Set locally Transfer violates user-defined state rules. staticinittrans static storage is used as an initial value in an inconsistent way Category: memory Mode Settings: --++ Set locally Static storage is used as an initial value in an inconsistent way. statictrans static storage is transferred in an inconsistent way Category: memory Mode Settings: -+++ Set locally Static storage is transferred in an inconsistent way. stats display lines processed and time Category: display Default Setting: - Set globally only strictbranchstate storage through array fetch has inconsistent states of alternate paths through a branch Category: memory Mode Settings: ---+ Set locally The state of a variable through an array fetch is different depending on which branch is taken. This means no annotation can sensibly be applied to the storage. strictdestroy report complete destruction errors for array elements that may have been released Categories: memory, leaks Mode Settings: ---+ Set locally strictlib interpret standard library strictly Categories: libraries, initializations Default Setting: - Set globally only Stricter version of the standard library is used. (The default library is standard.lcd; strict library is strict.lcd.) strictops primitive operation does not type check strictly Categories: operations, Mode Settings: ---+ Set locally A primitive operation does not type check strictly. 
strictusereleased element used after it may have been released Categories: memory, released Mode Settings: ---+ Set locally Memory (through fetch) is used after it may have been released (either by passing as an only param or assigning to an only global). stringliterallen set maximum length of string literals (ANSI89 minimum is 509; ISO99 is 4095) Categories: limits, ansi Mode Settings: ---+ Set locally Numeric Argument. Default: 4095 Maximum length of string literal exceeded. stringliteralnoroom string literal leaves no room for null terminator Mode Settings: -+++ Set locally A string literal is assigned to a char array that is not big enough to hold the null terminator. stringliteralsmaller string literal is smaller than the char array it is assigned to Mode Settings: --++ Set locally A string literal is assigned to a char array that smaller than the string literal needs. stringliteraltoolong string literal too long for character array Default Setting: + Set locally A string literal is assigned to a char array too small to hold it. structimponly assume unannotated structure field is only Categories: memory, implicit Default Setting: + Set locally supcounts The number of errors detected does not match number in /*@i@*/. Categories: suppress, comments Default Setting: + Set globally only superuser function is restricted to superusers Categories: warnuse, security Mode Settings: --++ Set locally Call to function restricted to superusers. switchloopbreak break in loop inside switch Category: controlflow Mode Settings: --++ Set locally A break statement appears inside the body of a while or for statement within a switch. This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@loopbreak@*/ to suppress the message for this break only. 
switchswitchbreak break in switch inside switch Category: controlflow Mode Settings: ---+ Set locally A break statement appears inside a switch statement within another switch statement. This is perfectly reasonable code, but check that the break is intended to break only the inner switch. The break statement may be preceded by /*@innerbreak@*/ to suppress the message for this break only. syntax syntax error in parsing Default Setting: + Set locally Code cannot be parsed. For help on parse errors, see splint -help parseerrors. sysdirerrors report errors in files in system directories (set by -sysdirs) Categories: directories, suppress Mode Settings: ---+ Set locally sysdirexpandmacros expand macros in system directories regardless of other settings, except for macros corresponding to names defined in a load library Categories: directories, macros Default Setting: + Set locally sysdirs set directories for system files (default /usr/include). Separate directories with path separator (colons in Unix, semi-colons in Windows). Flag settings propagate to files in a system directory. If -sysdirerrors is set, no errors are reported for files in system directories. Categories: directories, files Default Setting: - Set globally only Path argument. Default: /usr/ sysunrecog report unrecognized identifiers with system (__) prefix Categories: unrecognized, display Default Setting: + Set locally Identifier used in code has not been declared. (Message repeated for future uses in this file.) Use +gnuextensions to make Splint recognize some keywords that are gnu extensions. tagprefix set namespace prefix for struct, union and enum tags Categories: names, prefixes Default Setting: - Set locally String argument. No default. A tag identifier does not start with the tagprefix. tagprefixexclude the tagprefix may not be used for non-tag identifiers Categories: names, prefixes Default Setting: - Set locally An identifier that is not a tag starts with the tagprefix. 
temptrans temp storage transferred to non-temporary reference Category: memory Mode Settings: -+++ Set locally Temp storage (associated with a formal parameter) is transferred to a non-temporary reference. The storage may be released or new aliases created. timedist display time distribution Category: display Default Setting: - Set globally only tmpcomments interpret t comments (ignore errors in lines marked with /*@t@*/ Categories: syncomments, suppress Mode Settings: ---- Set locally tmpdir set directory for writing temp files Categories: directories, files Default Setting: - Set globally only Directory argument. Default: /tmp/ toctou possible time of check, time of use vulnerability Categories: warnuse, security Mode Settings: ---+ Set locally Possible time of check, time of use vulnerability. topuse declaration at top level not used Categories: alluse, complete Mode Settings: ---+ Set locally An external declaration not used in any source file. trytorecover try to recover from parse error Default Setting: - Set locally Try to recover from parse error. It really means try - this doesn't usually work. type type mismatch Default Setting: + Set locally Types are incompatible. typeprefix set namespace prefix for user-defined types Categories: names, prefixes Default Setting: - Set locally String argument. No default. A user-defined type does not start with the typeprefix typeprefixexclude the typeprefix may not be used for identifiers that are not type names Categories: names, prefixes Default Setting: - Set locally An identifier that is not a type name starts with the typeprefix. typeuse type declared but not used Categories: alluse, Mode Settings: ++++ Set locally A type is declared but not used. Use /*@unused@*/ in front of typedef to suppress messages. 
uncheckedglobalias function returns with an unchecked global aliasing external state Categories: aliasing, globals Mode Settings: --++ Set locally A global variable aliases externally-visible state when the function returns. uncheckedmacroprefix set namespace prefix for unchecked macros Categories: names, prefixes Default Setting: - Set locally String argument. No default. An unchecked macro name does not start with the uncheckedmacroprefix uncheckedmacroprefixexclude the uncheckmacroprefix may not be used for identifiers that are not unchecked macros Categories: names, prefixes Default Setting: - Set locally An identifier that is not the name of an unchecked macro starts with the uncheckedmacroprefix. uniondef at least one field of a union must be defined Categories: memory, definition Mode Settings: -+++ Set locally No field of a union is defined. Generally, one field of a union is expected to be defined. unixlib use UNIX (sort-of) standard library Categories: libraries, initializations Default Setting: - Set globally only UNIX version of the standard library is used. unixstandard function is not required in Standard UNIX Specification Categories: warnuse, security Mode Settings: ---- Set locally Use of function that need not be provided by UNIX implementations unixstrictlib use strict version of UNIX (sort-of) library Categories: libraries, initializations Default Setting: - Set globally only strict version of the UNIX library is used. unqualifiedinittrans unqualified storage is used as an initial value in an inconsistent way Category: memory Mode Settings: --++ Set locally Unqualified storage is used as an initial value in an inconsistent way. unqualifiedtrans unqualified storage is transferred in an inconsistent way Category: memory Mode Settings: -+++ Set locally Unqualified storage is transferred in an inconsistent way. 
unreachable unreachable code detected Category: controlflow Mode Settings: -+++ Set locally This code will never be reached on any possible execution. unrecog unrecognized identifier Category: unrecognized Default Setting: + Set locally Identifier used in code has not been declared. unrecogcomments stylized comment is unrecognized Categories: syncomments, Default Setting: + Set locally Word after a stylized comment marker does not correspond to a stylized comment. unrecogdirective unrecognized pre-processor directive Categories: preproc, Default Setting: + Set locally Pre-processor directive is not recognized. unrecogflagcomments stylized flag comment uses an unrecognized flag Categories: syncomments, Default Setting: + Set locally Semantic comment attempts to set a flag that is not recognized. unsignedcompare comparison using <, <=, >= between an unsigned integral and zero constant Category: operations Mode Settings: -+++ Set locally An unsigned value is used in a comparison with zero in a way that is either a bug or confusing. unusedspecial unused declaration in special file (corresponding to .l or .y file) Categories: alluse, complete Mode Settings: ---+ Set locally usedef use before definition Category: definition Mode Settings: -+++ Set locally An rvalue is used that may not be initialized to a value on some execution path. usereleased storage used after release Categories: memory, released Mode Settings: -+++ Set locally Memory is used after it has been released (either by passing as an only param or assigning to an only global). usestderr send error messages to standard error (instead of standard out) Categories: display, errors Default Setting: - Set locally usevarargs non-standard <varargs.h> included Categories: libraries, ansi Default Setting: + Set locally Header <varargs.h> is not part of ANSI Standard. Should use <stdarg.h> instead. varuse variable declared but not used Category: alluse Mode Settings: ++++ Set locally A variable is declared but never used.
Use /*@unused@*/ in front of declaration to suppress message. voidabstract void * matches pointers to abstract types, casting ok (dangerous) Categories: typeequivalence, abstract Mode Settings: +--- Set locally A pointer to void is cast to a pointer to an abstract type (or vice versa). warnflags warn when command line sets flag in abnormal way Category: help Default Setting: + Set locally Command line sets flag in abnormal way warnlintcomments warn when a traditional lint comment is used Categories: syncomments, suppress Mode Settings: -+++ Set locally A traditional lint comment is used. Some traditional lint comments are interpreted by Splint to enable easier checking of legacy code. It is preferable to replace these comments with the suggested Splint alternative. warnmissingglobs global variable used in modifies clause is not listed in globals list Categories: globals, modification Mode Settings: ---+ Set locally A global variable is used in the modifies clause, but is not listed in the globals list. The variable will be added to the globals list. warnmissingglobsnoglobs global variable used in modifies clause in a function with no globals list Categories: globals, modification Mode Settings: ---+ Set locally A global variable is used in the modifies clause, but the function has no globals list. The variable will be added to the globals list. warnposixheaders a POSIX header is included, but the POSIX library is not used Categories: libraries, ansi Default Setting: + Set locally Header name matches a POSIX header, but the POSIX library is not selected.
warnrc warn when there are problems with reading the initialization files Category: help Default Setting: + Set locally There was a problem reading an initialization file warnunixlib warn when the unix library is used Categories: libraries, ansi Default Setting: + Set locally Unix library may not be compatible with all platforms warnuse warn when declaration marked with warn is used Category: warnuse Default Setting: + Set locally Declaration marked with warn clause is used (can be suppressed by more specific flags). whichlib show standard library filename Categories: libraries, initializations Default Setting: - Set globally only whileblock the body of a while statement is not a block Category: controlflow Mode Settings: ---+ Set locally While body is a single statement, not a compound block. whileempty a while statement has no body Category: controlflow Mode Settings: --++ Set locally While statement has no body. whileloopexec assume all while loops execute at least once Categories: controlflow, memory Default Setting: - Set locally zerobool treat 0 as a boolean Categories: typeequivalence, booleans Mode Settings: ++-- Set locally zeroptr treat 0 as a pointer Categories: typeequivalence, pointers Default Setting: + Set locally null =================================== null: A possibly null pointer is misused (sets nullderef, nullpass, nullref, nullassign, and nullstate). nullderef: A possibly null pointer is dereferenced. Value is either the result of a function which may return null (in which case, code should check it is not null), or a global, parameter or structure field declared with the null qualifier. nullpass: A possibly null pointer is passed as a parameter corresponding to a formal parameter with no /*@null@*/ annotation. If NULL may be used for this parameter, add a /*@null@*/ annotation to the function parameter declaration. nullret: Function returns a possibly null pointer, but is not declared using /*@null@*/ annotation of result.
If function may return NULL, add /*@null@*/ annotation to the return value declaration. nullstate: A possibly null pointer is reachable from a parameter or global variable that is not declared using a /*@null@*/ annotation. nullassign: A reference with no null annotation is assigned or initialized to NULL. Use /*@null@*/ to declare the reference as a possibly null pointer. definition =================================== usedef: An rvalue is used that may not be initialized to a value on some execution path. memory =================================== mustdefine: An out parameter or global is not defined before control is transferred. uniondef: No field of a union is defined. Generally, one field of a union is expected to be defined. compdef: Storage derivable from a parameter, return value or global is not defined. Use /*@out@*/ to denote passed or returned storage which need not be defined. definition =================================== fullinitblock: Initializer does not set every field in the structure. initallelements: Initializer does not define all elements of a declared array. initsize: Initializer block contains more elements than the size of a declared array. impouts: Pointer parameters to unspecified functions may be implicit out parameters. declarations =================================== incondefs: A function, variable or constant is redefined with a different type. matchfields: A struct, union or enum type is redefined with inconsistent fields or members. =================================== fcnderef: A function type is dereferenced. The ANSI standard allows this because of implicit conversion of function designators, however the dereference is unnecessary. operations =================================== realcompare: Two real (float, double, or long double) values are compared directly using a C primitive. This may produce unexpected results since floating point representations are inexact. Instead, compare the difference to FLT_EPSILON or DBL_EPSILON. 
unsignedcompare: An unsigned value is used in a comparison with zero in a way that is either a bug or confusing. ptrarith: Pointer arithmetic using pointer and integer. nullptrarith: Pointer arithmetic using a possibly null pointer and integer. ptrcompare: A pointer is compared to a number. strictops: A primitive operation does not type check strictly. bitwisesigned: An operand to a bitwise operator is not an unsigned value. This may have unexpected results depending on the signed representations. shiftnegative: The right operand to a shift operator may be negative (behavior undefined). shiftimplementation: The left operand to a shift operator may be negative (behavior is implementation-defined). sizeoftype: Operand of sizeof operator is a type. (Safer to use expression, int *x = sizeof (*x); instead of sizeof (int).) sizeofformalarray: Operand of a sizeof operator is a function parameter declared as an array. The value of sizeof will be the size of a pointer to the element type, not the number of elements in the array. declarations =================================== fixedformalarray: A formal parameter is declared as an array with size. The size of the array is ignored in this context, since the array formal parameter is treated as a pointer. incompletetype: A formal parameter is declared with an incomplete type. formalarray: A formal parameter is declared as an array. This can be confusing, since a formal array parameter is treated as a pointer. booleans =================================== booltype [lltX_bool]: Set name of boolean type (default bool). boolfalse [FALSE]: Set name of boolean false (default FALSE). booltrue [TRUE]: Set name of boolean true (default TRUE). likelybool: Use the -booltype, -boolfalse and -booltrue flags to change the name of the default boolean type. boolcompare: Two bool values are compared directly using a C primitive.
This may produce unexpected results since all non-zero values are considered TRUE, so different TRUE values may not be equal. The file bool.h (included in splint/lib) provides bool_equal for safe bool comparisons. boolops: The operand of a boolean operator is not a boolean. Use +ptrnegate to allow ! to be used on pointers. ptrnegate: The operand of ! operator is a pointer. predassign: The condition test is an assignment expression. Probably, you mean to use == instead of =. If an assignment is intended, add an extra parentheses nesting (e.g., if ((a = b)) ...) to suppress this message. predbool: Test expression type is not boolean. predicates =================================== predboolint: Test expression type is not boolean or int. booleans =================================== predboolptr: Test expression type is not boolean. predboolothers: Test expression type is not boolean. abstract =================================== abstract: An abstraction barrier is broken. If necessary, use /*@access @*/ to allow access to an abstract type. impabstract: Assume user type definitions are abstract (unless /*@concrete@*/ is used). accessmodule: The representation of an abstract type defined in . is accessible anywhere in a file named .. accessfile: The representation of an abstract type named is accessible anywhere in a file named .. accessczech: The representation of an abstract type named is accessible in the definition of a function or constant named _ accessslovak: The representation of an abstract type named is accessible in the definition of a function or constant named accessczechoslovak: The representation of an abstract type named is accessible in the definition of a function or constant named _ or accessall: Sets accessmodule, accessfile and accessczech mutrep: LCL semantics requires that a mutable type exhibits sharing semantics. In order for objects to be shared an indirection is necessary in the representation.
A mutable type may be represented by a pointer or an abstract mutable type. Handles into static data are fine, too, but will generate this error message unless it is suppressed. memory =================================== mustfreefresh: A memory leak has been detected. Storage allocated locally is not released before the last reference to it is lost. mustfreeonly: A memory leak has been detected. Only-qualified storage is not released before the last reference to it is lost. mustfree: A memory leak has been detected. usereleased: Memory is used after it has been released (either by passing as an only param or assigning to an only global). strictusereleased: Memory (through fetch) is used after it may have been released (either by passing as an only param or assigning to an only global). compdestroy: A storage leak due to incomplete deallocation of a structure or deep pointer is suspected. Unshared storage that is reachable from a reference that is being deallocated has not yet been deallocated. Splint assumes when an object is passed as an out only void pointer that the outer object will be deallocated, but the inner objects will not. strictdestroy: Report complete destruction errors for array elements that may have been released. deparrays: When an element is fetched from an array, Splint analysis is not able to determine if the same element is reused. If +deparrays, Splint will mark local storage assigned from array fetches as dependent. branchstate: The state of a variable is different depending on which branch is taken. This means no annotation can sensibly be applied to the storage. strictbranchstate: The state of a variable through an array fetch is different depending on which branch is taken. This means no annotation can sensibly be applied to the storage. memchecks: Sets all dynamic memory checking flags (memimplicit, mustfree, mustdefine, mustnotalias, null, memtrans). 
compmempass: Storage derivable from a parameter does not match the alias kind expected for the formal parameter. stackref: A stack reference is pointed to by an external reference when the function returns. The stack-allocated storage is destroyed after the call, leaving a dangling reference. memtrans: Memory is transferred in a way that violates annotations. dependenttrans: Dependent storage is transferred to a non-dependent reference. newreftrans: A new reference is transferred to a reference counted reference. onlytrans: The only reference to this storage is transferred to another reference (e.g., by returning it) that does not have the only annotation. This may lead to a memory leak, since the new reference is not necessarily released. onlyunqglobaltrans: The only reference to this storage is transferred to another reference that does not have an aliasing annotation. This may lead to a memory leak, since the new reference is not necessarily released. ownedtrans: The owned reference to this storage is transferred to another reference (e.g., by returning it) that does not have the owned annotation. This may lead to a memory leak, since the new reference is not necessarily released. freshtrans: Fresh storage (newly allocated in this function) is transferred in a way that the obligation to release storage is not propagated. Use the /*@only@*/ annotation to indicate that a return value is the only reference to the returned storage. sharedtrans: Shared storage is transferred to a non-shared reference. The other reference may release storage needed by this reference. temptrans: Temp storage (associated with a formal parameter) is transferred to a non-temporary reference. The storage may be released or new aliases created. kepttrans: storage is transferred to a non-temporary reference after being passed as keep parameter. The storage may be released or new aliases created.
keeptrans: Keep storage is transferred inconsistently --- either in a way that may add a new alias to it, or release it. immediatetrans: An immediate address (result of & operator) is transferred inconsistently. refcounttrans: Reference counted storage is transferred in a way that may not be consistent with the reference count. statictrans: Static storage is transferred in an inconsistent way. unqualifiedtrans: Unqualified storage is transferred in an inconsistent way. staticinittrans: Static storage is used as an initial value in an inconsistent way. unqualifiedinittrans: Unqualified storage is used as an initial value in an inconsistent way. readonlytrans: A read-only string literal is assigned to a non-observer reference. passunknown: Passing a value as an un-annotated parameter clears its annotation. readonlystrings: String literals are read-only. An error is reported if a string literal may be modified or released. memimp: Memory errors for unqualified storage. paramimptemp: Assume unannotated parameter is temp. allimponly: Sets globimponly, retimponly, structimponly, specglobimponly, specretimponly and specstructimponly. codeimponly: Sets globimponly, retimponly and structimponly. specimponly: Sets specglobimponly, specretimponly and specstructimponly. globimponly: Assume unannotated global storage is only. retimponly: Assume unannotated returned storage is only. structimponly: Assume unannotated structure field is only. specglobimponly: Assume unannotated global storage is only. specretimponly: Assume unannotated returned storage is only. specstructimponly: Assume unannotated structure field is only. aliasing =================================== aliasunique: A unique or only parameter is aliased by some other parameter or visible global. mayaliasunique: A unique or only parameter may be aliased by some other parameter or visible global. 
mustnotalias: An alias has been added to a temp-qualifier parameter or global that is visible externally when the function returns. If the aliasing is needed, use the /*@shared@*/ annotation to indicate that new aliases to the parameter may be created. retalias: The returned value shares storage with a parameter or global. If a parameter is to be returned, use the returned qualifier. If the result is not modified, use the observer qualifier on the result type. Otherwise, exposed can be used, but limited checking is done. globalias: A global variable aliases externally-visible state when the function returns. checkstrictglobalias: A global variable aliases externally-visible state when the function returns. checkedglobalias: A global variable aliases externally-visible state when the function returns. checkmodglobalias: A global variable aliases externally-visible state when the function returns. uncheckedglobalias: A global variable aliases externally-visible state when the function returns. memory =================================== exposetrans: Exposed storage is transferred to a non-exposed, non-observer reference. observertrans: Observer storage is transferred to a non-observer reference. exposure =================================== repexpose: The internal representation of an abstract type is visible to the caller. This means clients may have access to a pointer into the abstract representation. retexpose: The return value shares storage with an instance of an abstract type. This means clients may have access to a pointer into the abstract representation. Use the observer qualifier to return exposed storage that may not be modified by the client. Use the exposed qualifier to return modifiable (but not deallocatable) exposed storage (dangerous). assignexpose: Storage internal to the representation of an abstract type is assigned to an external pointer. This means clients may have access to a pointer into the abstract representation. 
If the external pointer is a parameter, the exposed qualifier can be used to allow the assignment, however, this is considered dangerous programming practice. castexpose: Storage internal to the representation of an abstract type is exposed through a type cast. This means clients may have access to a pointer into the abstract representation. declarations =================================== redundantsharequal: A declaration of an immutable object uses a redundant observer qualifier. misplacedsharequal: A declaration of an unsharable object uses a sharing annotation. modification =================================== mods: An externally-visible object is modified by a function, but not listed in its modifies clause. mustmod: An object listed in the modifies clause is not modified by the implementation of the function. The modification may not be detected if it is done through a call to an unspecified function. modobserver: Storage declared with observer is possibly modified. Observer storage may not be modified. modobserveruncon: Storage declared with observer may be modified through a call to an unconstrained function. modinternalstrict: A function that modifies internalState is called from a function that does not list internalState in its modifies clause modfilesys: Report undocumented file system modifications (applies to unspecified functions if modnomods is set). modunspec: Modification in unspecified functions (sets modnomods, modglobunspec and modstrictglobsunspec). modnomods: An externally-visible object is modified by a function with no /*@modifies@*/ comment. The /*@modifies ... @*/ control comment can be used to give a modifies list for an unspecified function. moduncon: An unconstrained function is called in a function body where modifications are checked. Since the unconstrained function may modify anything, there may be undetected modifications in the checked function. 
modunconnomods: An unconstrained function is called in a function body where modifications are checked. Since the unconstrained function may modify anything, there may be undetected modifications in the checked function. globsimpmodsnothing: An implicit modifies nothing clause is assumed for a function declared with a globals list but not modifies clause. modsimpnoglobs: An implicit empty globals list is assumed for a function declared with a modifies clause but no globals list. globals =================================== globstate: A global variable does not satisfy its annotations when control is transferred. globs: A checked global variable is used in the function, but not listed in its globals clause. By default, only globals specified in .lcl files are checked. To check all globals, use +allglobals. To check globals selectively use /*@checked@*/ in the global declaration. globuse: A global variable listed in the function's globals list is not used in the body of the function. internalglobs: A called function uses internal state, but the globals list for the function being checked does not include internalState internalglobsnoglobs: A called function uses internal state, but the function being checked has no globals list warnmissingglobs: A global variable is used in the modifies clause, but is not listed in the globals list. The variable will be added to the globals list. warnmissingglobsnoglobs: A global variable is used in the modifies clause, but the function has no globals list. The variable will be added to the globals list. globnoglobs: A specified global variable is used in the function, but not listed in its globals list. Without +globnoglobs, only globals declared with /*@checkedstrict@*/ will produce use errors in functions without globals lists. The /*@globals ... @*/ control comment can be used to give a globals list for an unspecified function. allglobs: Report use and modification errors for globals not annotated with unchecked.
checkstrictglobs: Report use and modification errors for checkedstrict globals. impcheckedspecglobs: Assume checked qualifier for unqualified global declarations in .lcl files. impcheckmodspecglobs: Assume checkmod qualifier for unqualified global declarations in .lcl files. impcheckedstrictspecglobs: Assume checkmod qualifier for unqualified global declarations in .lcl files. impcheckedglobs: Assume checked qualifier for unqualified global declarations. impcheckmodglobs: Assume checkmod qualifier for unqualified global declarations. impcheckedstrictglobs: Assume checkedstrict qualifier for unqualified global declarations. impcheckedstatics: Assume checked qualifier for unqualified file static declarations. impcheckmodstatics: Assume checkmod qualifier for unqualified file static declarations. impcheckmodinternals: Assume checkmod qualifier for unqualified local static declarations (for internal state modifications). impcheckedstrictstatics: Assume checkedstrict qualifier for unqualified file static declarations. modglobs: A checked global variable is modified by the function, but not listed in its modifies clause. modglobsnomods: A checked global variable is modified by the function, but not listed in its modifies clause. modstrictglobsnomods: A checked global variable is modified by the function, but not listed in its modifies clause. modglobsunchecked: An unchecked global variable is modified by the function, but not listed in its modifies clause. controlflow =================================== noret: There is a path through a function declared to return a value on which there is no return statement. This means the execution may fall through without returning a meaningful result to the caller. emptyreturn: Empty return in function declared to return value. alwaysexits: Loop predicate always exits. loopexec: Assume all loops execute at least once (sets forloopexec, whileloopexec and iterloopexec). forloopexec: Assume all for loops execute at least once. 
whileloopexec: Assume all while loops execute at least once. iterloopexec: Assume all iterator loops execute at least once. obviousloopexec: Assume loop that can be determined to always execute always does. undefined =================================== evalorder: Code has unspecified behavior. Order of evaluation of function parameters or subexpressions is not defined, so if a value is used and modified in different places not separated by a sequence point constraining evaluation order, then the result of the expression is unspecified. evalorderuncon: Code involving a call to function with no modifies or globals clause may have undefined or implementation-dependent behavior (Splint assumes the unconstrained call may modify any reachable state or use any global). Add a specification for the function. controlflow =================================== infloops: This appears to be an infinite loop. Nothing in the body of the loop or the loop test modifies the value of the loop test. Perhaps the specification of a function called in the loop body is missing a modification. infloopsuncon: This appears to be an infinite loop. Nothing in the body of the loop or the loop test modifies the value of the loop test. There may be a modification through a call to an unconstrained function, or an unconstrained function in the loop test may use a global variable modified by the loop body. casebreak: Execution falls through from the previous case. misscase: Not all values in an enumeration are present as cases in the switch. firstcase: The first statement after a switch is not a case. duplicatecases: Duplicate cases in switch. deepbreak: A break statement appears inside the body of a nested while, for or switch statement. Sets looploopbreak, loopswitchbreak, switchloopbreak, switchswitchbreak, and looploopcontinue. looploopbreak: A break statement appears inside the body of a nested while or for statement. 
This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@innerbreak@*/ to suppress the message for this break only. switchloopbreak: A break statement appears inside the body of a while or for statement within a switch. This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@loopbreak@*/ to suppress the message for this break only. loopswitchbreak: A break statement appears inside a switch statement within a while or for loop. This is perfectly reasonable code, but check that the break is intended to break only the inner loop. The break statement may be preceded by /*@switchbreak@*/ to suppress the message for this break only. switchswitchbreak: A break statement appears inside a switch statement within another switch statement. This is perfectly reasonable code, but check that the break is intended to break only the inner switch. The break statement may be preceded by /*@innerbreak@*/ to suppress the message for this break only. looploopcontinue: A continue statement appears inside a loop within a loop. This is perfectly reasonable code, but check that the continue is intended to continue only the inner loop. The continue statement may be preceded by /*@innercontinue@*/ to suppress the message for this continue only. whileempty: While statement has no body. whileblock: While body is a single statement, not a compound block. forempty: For statement has no body. forblock: Loop body is a single statement, not a compound block. ifempty: If statement has no body. ifblock: If body is a single statement, not a compound block. allempty: An if, while or for statement has no body (sets ifempty, whileempty and forempty). allblock: Body is a single statement, not a compound block. elseifcomplete: There is no final else following an else if construct.
unreachable: This code will never be reached on any possible execution. effect =================================== noeffect: Statement has no visible effect --- no values are modified. noeffectuncon: Statement has no visible effect --- no values are modified. It may modify something through a call to an unconstrained function. returnvals =================================== retval: Result returned by function call is not used. If this is intended, cast result to (void) to eliminate message. retvalother: Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. retvalbool: Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. retvalint: Result returned by function call is not used. If this is intended, can cast result to (void) to eliminate message. memorybounds =================================== nullterminated: A possibly non-nullterminated string/memory is used/referenced as a nullterminated one. bounds: Memory read or write may be out of bounds of allocated storage. boundsread: A memory read references memory beyond the allocated storage. boundswrite: A memory write may write to an address beyond the allocated buffer. fcnpost: Display function post conditions. redundantconstraints: Display seemingly redundant constraints checkpost: The function implementation may not satisfy a post condition given in an ensures clause. implictconstraint: Generate implicit constraints for functions. orconstraint: Use limited OR expressions to resolve constraints. nullterminated: A user annotated non-nullterminated buffer is used/referenced as a nullterminated one. showconstraintparens: Display parentheses around constraint terms. showconstraintlocation: Display location for every constraint generated. extensible =================================== mts : Load meta state declaration and corresponding xh file. statetransfer: Transfer violates user-defined state rules. 
statemerge: Control path merge violates user-defined state merge rules. macros =================================== macroredef: A macro is defined in more than one place. macrounrecog: An unrecognized identifier appears in a macro. If the identifier is defined before the macro is used, then this is okay. macroconstdecl: Macro constant has no declaration. Use /*@constant ...@*/ to declare the macro. macrostmt: A macro is defined in a way that may cause syntactic problems. If the macro returns a value, use commas to separate expressions; otherwise, use do { } while (FALSE) construct. macroempty: A macro definition has no body. macroparams: A macro parameter is not used exactly once in all possible invocations of the macro. To behave like a function, each macro parameter must be used exactly once on all invocations of the macro so that parameters with side-effects are evaluated exactly once. Use /*@sef@*/ to denote parameters that must be side-effect free. macroreturn: The body of a macro declared as a function uses a return statement. This exhibits behavior that could not be implemented by a function. macroassign: A macro parameter is used as the left side of an assignment expression. This exhibits behavior that could not be implemented by a function. macroparens: A macro parameter is used without parentheses. This could be dangerous if the macro is invoked with a complex expression and precedence rules will change the evaluation inside the macro. macrodecl: Argument checking cannot be done well for macros without prototypes or specifications, since the types of the arguments are unknown. macrofcndecl: Function macro has no declaration. sefparams: An actual parameter corresponding to a sef parameter may have a side-effect. sefuncon: An actual parameter corresponding to a sef parameter involves a call to a procedure with no modifies clause that may have a side-effect. 
constmacros: Every non-parameterized macro (not preceded by /*@notfunction@*/) is checked as a constant. fcnmacros: Every parameterized macro (not preceded by /*@notfunction@*/) is checked as a function. allmacros: All macros (not preceded by /*@notfunction@*/) are checked as functions or constants depending on whether or not they have parameter lists. libmacros: Every macro declared in the load library is checked. specmacros: Every macro declared in a specification file is checked. macromatchname: An iter or constant macro is defined using a different name from the one used in the previous syntactic comment nextlinemacros: A constant or iter declaration is not immediately followed by a macro definition. iterators =================================== iterbalance: Iter is not balanced with end_. iteryield: Iter yield parameter is inappropriate. hasyield: An iterator has been declared with no parameters annotated with yield. This may be what you want, if the iterator is meant to do something a fixed number of times, but returns no information to the calling context. Probably, a parameter is missing the yield annotation to indicate that it is assigned a value in the calling context. names =================================== namechecks: Controls name checking without changing other settings. czech: Name is not consistent with Czech naming convention. czechfcns: Function or iterator name is not consistent with Czech naming convention. czechvars: Variable name is not consistent with Czech naming convention. czechmacros: Expanded macro name is not consistent with Czech naming convention. czechconsts: Constant name is not consistent with Czech naming convention. czechtypes: Type name is not consistent with Czech naming convention. Czech type names must not use the underscore character. slovak: Name is not consistent with Slovak naming convention. slovakfcns: Function or iterator name is not consistent with Slovak naming convention.
slovakmacros: Expanded macro name is not consistent with Slovak naming convention.
slovakvars: Variable name is not consistent with Slovak naming convention.
slovakconsts: Constant name is not consistent with Slovak naming convention.
slovaktypes: Type name is not consistent with Slovak naming convention. Slovak type names may not include uppercase letters.
czechoslovak: Name is not consistent with either Czech or Slovak naming convention.
czechoslovakfcns: Function name is not consistent with Czechoslovak naming convention.
czechoslovakmacros: Expanded macro name is not consistent with Czechoslovak naming convention.
czechoslovakvars: Variable name is not consistent with Czechoslovak naming convention.
czechoslovakconsts: Constant name is not consistent with Czechoslovak naming convention.
czechoslovaktypes: Type name is not consistent with Czechoslovak naming convention. Czechoslovak type names may not include uppercase letters or the underscore character.
macrovarprefix [m_]: <-> A variable declared in a macro body does not start with the macrovarprefix.
macrovarprefixexclude: A variable declared outside a macro body starts with the macrovarprefix.
tagprefix : <-> A tag identifier does not start with the tagprefix.
tagprefixexclude: An identifier that is not a tag starts with the tagprefix.
enumprefix : <-> An enum member does not start with the enumprefix.
enumprefixexclude: An identifier that is not an enum member starts with the enumprefix.
filestaticprefix : <-> A file-static identifier does not start with the filestaticprefix.
filestaticprefixexclude: An identifier that is not file static starts with the filestaticprefix.
globalprefix : <-> A global variable does not start with the globalprefix
globalprefixexclude: An identifier that is not a global variable starts with the globalprefix.
typeprefix : <-> A user-defined type does not start with the typeprefix
typeprefixexclude: An identifier that is not a type name starts with the typeprefix.
externalprefix : <-> An external identifier does not start with the externalprefix
externalprefixexclude: An identifier that is not external starts with the externalprefix.
localprefix : <-> A local variable does not start with the localprefix
localprefixexclude: An identifier that is not a local variable starts with the localprefix.
uncheckedmacroprefix : <-> An unchecked macro name does not start with the uncheckedmacroprefix
uncheckedmacroprefixexclude: An identifier that is not the name of an unchecked macro starts with the uncheckedmacroprefix.
constprefix : <-> A constant does not start with the constantprefix
constprefixexclude: An identifier that is not a constant starts with the constantprefix.
iterprefix : <-> An iter does not start with the iterator prefix
iterprefixexclude: An identifier that is not an iter starts with the iterprefix.
protoparamprefix : <-> A parameter name in a function prototype declaration does not start with the declaration parameter prefix
isoreserved: External name is reserved for system use by ISO C99 standard.
cppnames: External name is a C++ keyword or reserved word. This could lead to problems if the code is compiled with a C++ compiler.
isoreservedinternal: Internal name is reserved for system in ISO C99 standard (this should not be necessary unless you are worried about C library implementations that violate the standard and use macros).
distinctexternalnames: An external name is not distinguishable from another external name using the number of significant characters. According to ANSI Standard (3.1), an implementation may only consider the first 6 characters significant, and ignore alphabetical case distinctions (ISO C99 requires 31). The +externalnamelen flag may be used to change the number of significant characters, and -externalnamecaseinsensitive to make alphabetical case significant in external names.
externalnamelen [31]: Sets the number of significant characters in an external name (default is 6 for old ANSI89 limit, C99 requires 31). Sets +distinctexternalnames.
externalnamecaseinsensitive: Make alphabetic case insignificant in external names. By ANSI89 standard, case need not be significant in an external name. If +distinctexternalnames is not set, sets +distinctexternalnames with unlimited external name length.
distinctinternalnames: An internal name is not distinguishable from another internal name using the number of significant characters. According to ANSI89 Standard (3.1), an implementation may only consider the first 31 characters significant (ISO C99 specified 63). The +internalnamelen flag changes the number of significant characters, -internalnamecaseinsensitive to make alphabetical case significant, and +internalnamelookalike to make similar-looking characters non-distinct.
internalnamelen [63]: Sets the number of significant characters in an internal name (ANSI89 default is 31.) Sets +distinctinternalnames.
internalnamecaseinsensitive: Set whether case is significant in internal names (-internalnamecaseinsensitive means case is significant). By ANSI89 default, case is not significant. If +distinctinternalnames is not set, sets +distinctinternalnames with unlimited internal name length.
internalnamelookalike: Set whether similar looking characters (e.g., "1" and "l") match in internal names.
protoparamname: A parameter in a function prototype has a name. This is dangerous, since a macro definition could be visible here.
protoparammatch: A parameter in a function definition does not have the same name as the corresponding parameter in the declaration of the function after removing the protoparamprefix
protoparamprefixexclude: An identifier that is not a parameter name in a function prototype starts with the protoparamprefix.

alluse
===================================
topuse: An external declaration not used in any source file.
exportlocal: A declaration is exported, but not used outside this module. Declaration can use static qualifier.
exportheader: A declaration is exported, but does not appear in a header file.
exportheadervar: A variable declaration is exported, but does not appear in a header file. (Used with exportheader.)
fielduse: A field is present in a structure type but never used. Use /*@unused@*/ in front of field declaration to suppress message.
enummemuse: A member of an enum type is never used.
constuse: A constant is declared but not used. Use unused in the constant declaration to suppress message.
fcnuse: A function is declared but not used. Use /*@unused@*/ in front of function header to suppress message.
paramuse: A function parameter is not used in the body of the function. If the argument is needed for type compatibility or future plans, use /*@unused@*/ in the argument declaration.
typeuse: A type is declared but not used. Use /*@unused@*/ in front of typedef to suppress messages.
varuse: A variable is declared but never used. Use /*@unused@*/ in front of declaration to suppress message.
unusedspecial: Unused declaration in special file (corresponding to .l or .y file).

complete
===================================
declundef: A function or variable is declared, but not defined in any source code file.
specundef: A function or variable is declared in an .lcl file, but not defined in any source code file.
specundecl: A function or variable is declared in an .lcl file, but not declared in any source code file.

declarations
===================================
newdecl: There is a new declaration that is not declared in a loaded library or earlier file. (Use this flag to check for consistency against a library.)

initializations
===================================
needspec: There is information in the specification that is not duplicated in syntactic comments.
Normally, this is not an error, but it may be useful to detect it to make sure checking incomplete systems without the specifications will still use this information.

libraries
===================================
nolib: <-> Do not load standard library.
isolib: Library based on the ISO standard library specification is used.
strictlib: Stricter version of the standard library is used. (The default library is standard.lcd; strict library is strict.lcd.)
unixlib: UNIX version of the standard library is used.
unixstrictlib: Strict version of the UNIX library is used.
posixlib: POSIX version of the standard library is used.
posixstrictlib: POSIX version of the strict standard library is used.
whichlib: Show standard library filename.
warnposixheaders: Header name matches a POSIX header, but the POSIX library is not selected.
warnunixlib: Unix library may not be compatible with all platforms
usevarargs: Header is not part of ANSI Standard. Should use instead.
dump : Save state for merging (default suffix .lcd).
load : Load state from dump file (default suffix .lcd).

headers
===================================
singleinclude: When checking multiple files, each header file is processed only once. This may change the meaning of the code, if the same header file is included in different contexts (e.g., the header file includes #if directives and the values are different when it is included in different places.)
neverinclude: Ignore header includes. Only works if relevant information is loaded from a library.
skipsysheaders: Do not include header files in system directories (set by -sysdirs)

===================================
gnuextensions: ANSI C does not allow some language features supported by gcc and other compilers. Use +gnuextensions to allow some of these extensions.

prototypes
===================================
noparams: A function declaration does not have a parameter list.
oldstyle: Function definition is in old style syntax.
Standard prototype syntax is preferred.

systemfunctions
===================================
maintype: The function main does not match the expected type.
exitarg: The argument to exit should be 0, EXIT_SUCCESS or EXIT_FAILURE

declarations
===================================
shadow: An outer declaration is shadowed by the local declaration.
incondefslib: A function, variable or constant previously defined in a library is redefined with a different type.
overload: A function, variable or constant defined in the library is redefined with a different type.
nestedextern: An extern declaration is used inside a function scope.
redecl: A function or variable is declared in more than one place. This is not necessarily a problem, since the declarations are consistent.
redef: A function or variable is redefined. One of the declarations should use extern.
imptype: A variable declaration has no explicit type. The type is implicitly int.

directories
===================================
tmpdir [/tmp/]: Set directory for writing temp files.
*** Note: possible difference in the test result because of the default path here:
larchpath [.:/usr/local/share/splint/lib:/af10/evans/LCLintDev/lib:]: Set path for searching for library files (overrides LARCH_PATH environment variable).
*** Note: possible difference in the test result because of the default path here:
lclimportdir [.:/usr/local/share/splint/imports:/af10/evans/LCLintDev/imports]: Set directory to search for LCL import files (overrides LCLIMPORTDIR).
sysdirs [/usr/]: Set directories for system files (default /usr/include). Separate directories with path separator (colons in Unix, semi-colons in Windows). Flag settings propagate to files in a system directory. If -sysdirerrors is set, no errors are reported for files in system directories.
skipansiheaders: Prevent inclusion of header files in a system directory with names that match standard ANSI headers. The symbolic information in the standard library is used instead.
Flag in effect only if a library including the ANSI library is loaded. The ANSI headers are: assert, ctype, errno, float, limits, locale, math, setjmp, signal, stdarg, stddef, stdio, stdlib, strings, string, time, and wchar.
skipposixheaders: Prevent inclusion of header files in a system directory with names that match standard POSIX headers. The symbolic information in the posix library is used instead. The POSIX headers are: dirent, fcntl, grp, pwd, termios, sys/stat, sys/times, sys/types, sys/utsname, sys/wait, unistd, and utime.
sysdirerrors: Report errors in files in system directories (set by -sysdirs).
sysdirexpandmacros: Expand macros in system directories regardless of other settings, except for macros corresponding to names defined in a load library.
I: Add to C include path.
S: Add to spec path.

export
===================================
exportany: A variable, function or type is exported, but not specified.
exportfcn: A function is exported, but not specified.
exportmacro: A macro is exported, but not specified.
exporttype: A type is exported, but not specified.
exportvar: A variable is exported, but not specified.
exportconst: A constant is exported, but not specified.
exportiter: A constant is exported, but not specified.

format
===================================
linelen [80]: Set length of messages (number of chars).
indentspaces [3]: Set number of spaces to indent sub-messages.
showcolumn: Show column number where error is found.
parenfileformat: Show column number where error is found.
showfunc: Show name of function containing error.
showallconjs: When a library function is declared with multiple possible type, the alternate types are shown only if +showallconjs.

libraries
===================================
impconj: Make all alternate types implicit (useful for making system libraries).

===================================
expect [0]: Expect code errors.
lclexpect [0]: Expect spec errors.
partial: <-> Check as partial system (-specundef, -declundef, -exportlocal, don't check macros in headers without corresponding .c files).

headers
===================================
lh: Generate .lh files.
lcs: Generate .lcs files.

help
===================================
warnflags: Command line sets flag in abnormal way
warnrc: There was a problem reading an initialization file
badflag: A flag is not recognized or used in an incorrect way
fileextensions: Warn when command line file does not have a recognized extension.
help: Display help

initializations
===================================
f : Read an options file (instead of loading default ~/.splintrc)
i : Set LCL initialization file.
nof: Do not read the default options file (~/.splintrc)
commentchar [@]: Set the marker character for syntactic comments. Comments beginning with /* are interpreted by Splint, where is the comment marker character.

limits
===================================
controlnestdepth [63]: Maximum number of control levels exceeded.
stringliterallen [4095]: Maximum length of string literal exceeded.
numstructfields [1023]: Maximum number of fields in a struct or union exceeded.
numenummembers [1023]: Limit on maximum number of members of an enum is exceeded.
includenest [63]: Maximum number of nested #include files exceeded.
ansi89limits: Check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ANSI89 standard.
iso99limits: Check for violations of standard limits (controlnestdepth, stringliterallen, includenest, numstructfields, numenummembers) based on ISO99 standard.

preproc
===================================
D: Passed to pre-processor.
U: Passed to pre-processor.
unrecogdirective: Pre-processor directive is not recognized.

suppress
===================================
supcounts: The number of errors detected does not match number in /*@i@*/.
limit [-1]: Limit consecutive repeated errors.
===================================
syntax: Code cannot be parsed. For help on parse errors, see splint -help parseerrors.
trytorecover: Try to recover from parse error. It really means try - this doesn't usually work.
preproc: Preprocessing error.

===================================
type: Types are incompatible.
stringliteraltoolong: A string literal is assigned to a char array too small to hold it.
stringliteralnoroom: A string literal is assigned to a char array that is not big enough to hold the null terminator.
stringliteralsmaller: A string literal is assigned to a char array that is smaller than the string literal needs.
enummembers: Type of initial values for enum members must be int.
formattype: Type of parameter is not consistent with corresponding code in format string.
formatconst: Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked.
formatcode: Format code in a format string is not valid.

typeequivalence
===================================
forwarddecl: Forward declarations of pointers to abstract representation match abstract type.
voidabstract: A pointer to void is cast to a pointer to an abstract type (or vice versa).
castfcnptr: A pointer to a function is cast to (or used as) a pointer to void (or vice versa).
charindex: To allow char types to index arrays, use +charindex.
enumindex: To allow enum types to index arrays, use +enumindex.
boolint: To make bool and int types equivalent, use +boolint.
charint: To make char and int types equivalent, use +charint.
enumint: To make enum and int types equivalent, use +enumint.
floatdouble: To make float and double types equivalent, use +floatdouble.
ignorequals: To ignore type qualifiers in type comparisons use +ignorequals.
duplicatequals: Duplicate type qualifiers not supported by ISO standard.
ignoresigns: To ignore signs in type comparisons use +ignoresigns
numliteral: An int literal is used as any numeric type (including float and long long). Use +numliteral to allow int literals to be used as any numeric type.
charintliteral: A character constant is used as an int. Use +charintliteral to allow character constants to be used as ints. (This is safe since the actual type of a char constant is int.)
relaxquals: To allow qualifier mismatches that are not dangerous, use +relaxquals.
relaxtypes: To allow all numeric types to match, use +relaxtypes.
charunsignedchar: To allow char and unsigned char types to match use +charunsignedchar.
matchanyintegral: To allow arbitrary integral types to match any integral type, use +matchanyintegral.
longunsignedintegral: To allow arbitrary integral types to match long unsigned, use +longunsignedintegral.
longintegral: To allow arbitrary integral types to match long unsigned, use +longintegral.
longunsignedunsignedintegral: To allow arbitrary unsigned integral types to match long unsigned, use +longunsignedunsignedintegral.
longsignedintegral: To allow arbitrary signed integral types to match long unsigned, use +longsignedintegral.
zeroptr: Treat 0 as a pointer.
zerobool: Treat 0 as a boolean.

unrecognized
===================================
repeatunrecog: Identifier used in code has not been declared. (Message repeated for future uses in this file.)
sysunrecog: Identifier used in code has not been declared. (Message repeated for future uses in this file.) Use +gnuextensions to make Splint recognize some keywords that are gnu extensions.
unrecog: Identifier used in code has not been declared.

declarations
===================================
annotationerror: A declaration uses an invalid annotation.
commenterror: A syntactic comment is used inconsistently.

warnuse
===================================
warnuse: Declaration marked with warn clause is used (can be suppressed by more specific flags).
bufferoverflow: Use of function that may lead to buffer overflow.
bufferoverflowhigh: Use of function that may lead to buffer overflow.
implementationoptional: Use of a declarator that is implementation optional, not required by ISO99.
legacy: Use of a declarator that is marked as a legacy entry in the Unix Standard.
multithreaded: Non-reentrant function should not be used in multithreaded code.
portability: Use of function that may have implementation-dependent behavior.
superuser: Call to function restricted to superusers.
toctou: Possible time of check, time of use vulnerability.
unixstandard: Use of function that need not be provided by UNIX implementations

its4
===================================
its4mostrisky: Security vulnerability classified as most risky in its4 database.
its4veryrisky: Security vulnerability classified as very risky in its4 database.
its4risky: Security vulnerability classified as risky in its4 database.
its4moderate: Security vulnerability classified as moderate risk in its4 database.
its4low: Security vulnerability classified as risky in its4 database.

syncomments
===================================
nocomments: Ignore all stylized comments.
noaccess: Ignore access comments.
unrecogcomments: Word after a stylized comment marker does not correspond to a stylized comment.
unrecogflagcomments: Semantic comment attempts to set a flag that is not recognized.
tmpcomments: Interpret t comments (ignore errors in lines marked with /*@t@*/).
lintcomments: Interpret traditional lint comments (/*FALLTHROUGH*/, /*NOTREACHED*/).
warnlintcomments: A traditional lint comment is used. Some traditional lint comments are interpreted by Splint to enable easier checking of legacy code. It is preferable to replace these comments with the suggested Splint alternative.

comments
===================================
continuecomment: A line continuation marker (\) appears inside a comment on the same line as the comment close.
Preprocessors should handle this correctly, but it causes problems for some preprocessors.
slashslashcomment: A // comment is used. ISO C99 allows // comments, but earlier standards did not.
nestcomment: A comment open sequence (/*) appears within a comment. This usually means an earlier comment was not closed.

display
===================================
quiet: Suppress herald and error count.
usestderr: Send error messages to standard error (instead of standard out).
showsummary: Show summary of all errors reported and suppressed.
showscan: Show file names as they are processed.
stats: Display lines processed and time.
timedist: Display time distribution.
showalluses: Show sorted list of uses of all globals.

hints
===================================
hints: Provide a hint the first time a particular warning appears
forcehints: Provide a hint for every warning

debug
===================================
bugslimit [3]: Set maximum number of bugs detected before giving up.
debugfcnconstraint: Perform buffer overflow checking even if the errors would be suppressed.
grammar: <-> Debug parsing.
keep: <-> Do not delete temporary files.
nopp: <-> Do not pre-process input files.
showsourceloc: <-> Display the source code location where a warning is produced.