Splint - Secure Programming Lint

Splint Bugs

This page documents reported bugs in Splint 3.1.2. Splint is no longer actively maintained by our group.

Confirmed Bugs

osd.c does not support Apple

Patched osd.c to support Apple.

(Reported by Rob Cas, fixed in cvs code and build 3 distribution, 8 August 2007)

Function Pointers and memory management
Splint reports spurious errors for memory allocation concerning function pointers. Types declared as function pointers should not default to only storage.

(Reported by Brian Quinlan, 26 Oct 2004.)

Unreleased fresh owned storage not reported
Splint does not report memory leaks for freshly allocated owned storage that is not released:
#include <stdlib.h>

typedef struct
{
  /*@owned@*/ int *pOwned;                
} TestStruct;

void testSplint(void)
{
  TestStruct myStruct;
  myStruct.pOwned = (int*)malloc(sizeof(int));
} /* No warning: should report memory leak. */

(Reported by Brian Quinlan, 26 Oct 2004.)
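The missed leak above, side by side with the released form, as an added example that is not part of the Splint page. The /*@owned@*/ and /*@only@*/ annotations are Splint's; the counting wrappers counted_malloc, counted_free, alloc_count and leaked_by are this example's own and exist only so the imbalance Splint fails to report is visible at run time.

```c
/* Added example: the leak Splint misses, next to the released form, with a
 * counting allocator so the imbalance is visible at run time when static
 * checking does not catch it. alloc_count and the wrappers are constructed
 * for this example; the struct and annotations follow the bug report. */
#include <stdlib.h>

typedef struct
{
    /*@owned@*/ int *pOwned;   /* this struct is responsible for freeing it */
} TestStruct;

static int alloc_count = 0;    /* live allocations made through the wrappers */

static /*@only@*/ /*@null@*/ void *counted_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        alloc_count++;
    return p;
}

static void counted_free(/*@only@*/ /*@null@*/ void *p)
{
    if (p != NULL)
        alloc_count--;
    free(p);
}

/* The reported pattern: the owned pointer goes out of scope unreleased. */
void testSplint_leaks(void)
{
    TestStruct myStruct;
    myStruct.pOwned = (int *)counted_malloc(sizeof(int));
}   /* leak: myStruct.pOwned was never freed */

/* Released form: every owned field is freed before the struct dies. */
void testSplint_released(void)
{
    TestStruct myStruct;
    myStruct.pOwned = (int *)counted_malloc(sizeof(int));
    if (myStruct.pOwned != NULL)
        *myStruct.pOwned = 42;
    counted_free(myStruct.pOwned);
    myStruct.pOwned = NULL;
}

/* Run fn and report how many allocations it left live (0 means balanced). */
int leaked_by(void (*fn)(void))
{
    int before = alloc_count;
    fn();
    return alloc_count - before;
}
```

leaked_by(testSplint_leaks) returns 1 and leaked_by(testSplint_released) returns 0; the same wrapper approach (or a tool such as valgrind) is the usual fallback when a static checker misses an owned-storage leak.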

Multi-line comments in macros and line numbers
Splint will miscalculate line numbers after multi-line comments in macro definitions. For example,
#define FOO     /* a macro with a multiline comment
                 * gets the linecount wrong
                 */
(Reported by Kevin Broadey, 17 September 2004.)
Definitions in switches
Splint fails to report possibly undefined variables on switch paths involving default cases:
static int foo (int a)
{
  int i, j;
  switch (a) {
    case 0: /* j not set on this path */
      i = 3;
      break;
    default: /* i not set on this path */
      j = 0;
      break;
    }
  return i + j;  /* no error for j */
}
(Reported by Kevin Broadey, 17 September 2004.)
Parsing Syntactic comments
Splint will report an internal error for unbalanced syntactic comments like
void foo(/*@only*/ /*@null@*/ int*) {}

(Reported by Tim Sylvester, 28 Jan 2004.)

--mode flags
Splint will report an internal error if a mode flag is used with -- (e.g., --strict).

(Reported by Toralf Foerster, 18 Dec 2003.)

Parsing Casts
Splint cannot parse the statement (int) x += 18;.

(Reported by Scott Simon, 23 Oct 2003)

Unsigned Promotion
Splint incorrectly types arithmetic expressions involving unsigned and signed expressions (e.g., unsigned + signed is typed as unsigned).

(Reported by Cat Zimmermann, 21 August 2003. Fixed in CVS 24 August 2003.)

Correction (1 November 2003): the original report was not a correct interpretation of the ISO standard. The type of unsigned + signed should be unsigned.
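The conversion the correction refers to, shown in working code as an added example that is not from the Splint page or its sources. When an int and an unsigned int meet in a binary operator, the int is converted to unsigned int first (ISO C 6.3.1.8), so the whole expression is unsigned. The function names here (add_unsigned_signed, naive_has_data_left, safe_has_data_left) are constructed for the example.

```c
/* Added example: the usual arithmetic conversions for unsigned + signed.
 * The second function shows why this matters for bounds checks: a
 * difference that "should" be negative wraps to a large unsigned value. */
#include <limits.h>
#include <stdio.h>

/* unsigned + signed is evaluated as unsigned: -1 becomes UINT_MAX first. */
unsigned int add_unsigned_signed(unsigned int u, int s)
{
    return u + s;            /* s is converted to unsigned before the add */
}

/* 1 if the sum is treated as unsigned: (1u + -2) is UINT_MAX, not -1. */
int result_is_unsigned(void)
{
    return (1u + -2) > 0;
}

/* Naive check: "is there anything left?" computed as total - consumed > 0.
 * Because the difference is unsigned, an over-consumed stream (consumed >
 * total) wraps to a huge value and the check answers yes. */
int naive_has_data_left(unsigned int total, int consumed)
{
    return (total - consumed) > 0;
}

/* Hardened form: reject negative counts and compare before subtracting. */
int safe_has_data_left(unsigned int total, int consumed)
{
    if (consumed < 0 || (unsigned int)consumed > total)
        return 0;
    return (total - (unsigned int)consumed) > 0;
}

int main(void)
{
    printf("1u + -2 = %u\n", add_unsigned_signed(1u, -2));
    printf("naive_has_data_left(10, 12) = %d\n", naive_has_data_left(10, 12));
    printf("safe_has_data_left(10, 12)  = %d\n", safe_has_data_left(10, 12));
    return 0;
}
```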

Initializations Order
Splint doesn't analyze variable initializations in order. For example, it will report that pointer1 is uninitialized in
 char *pointer1=(char*)malloc(strlen(line)+1), *pointer2=pointer1;

(Reported by Andrew Bishop.)

Spliced Macros
If a string literal is spliced with a macro constant that is not expanded (e.g., "__" TARGET_CPU), Splint will produce a parse error.
boolean names with -nolib
Splint reports an internal error if -booltrue or -boolfalse are defined with -nolib. Reported by Anders Bäck.
Unbraced Switch Statements
Splint produces an internal error for unbraced switch statements (which are permitted by ISO C99). For example,
switch(2) 
  case 1: 
  case 3: 
    return(1);
  return(0);
(Reported by Dirk Noss)

Bugs Fixed in 3.1.1

Splint does not build on OS X

Splint 3.0.1.6 does not build on OS X. This should be fixed in CVS.
We believe this was a problem with automake. We are now using a new version of automake and this seems to have fixed the problem. We have successfully compiled the CVS version on SourceForge's compile farm's Mac OS X server.

Multiple passes on type definitions with /*@alt@*/
Splint will produce a parse error if a type definition like,
typedef long /*@alt int@*/ newtype;
is processed twice (for example if it is in a header file included multiple times).

Reported by Simon Hosie, fixed in CVS (2002-12-12).

Include flag handling
Splint now supports -I <dir> and -i <dir> as well as the original -I<dir>.

Changed in CVS (2002-12-12) will be in 3.0.1.7.

Multiple globals clauses
Splint will produce a warning message, but then crash on an internal error if multiple globals clauses are used. Reported by Gayath Ratnayaka.

Fixed in CVS (2002-12-04) will be in 3.0.1.7.

Spurious bounds errors in for loops
A bug caused Splint to spuriously report bounds errors in certain for loops such as:
	int a[12];
	for (i = 0; i < 12; i++)
	  a[i] = 0;
Fixed in CVS (2002-09-05) will be in 3.0.1.7.
Spurious bounds errors in if-else statements
Constraints were not generated correctly from the if statement test for each branch of an if-else statement. This caused spurious bounds errors.
Fixed in CVS (2002-10-10) will be in 3.0.1.7. Reported by Xiaolan Zhang.
Incorrect Path Displayed
Splint incorrectly reported the file name path in error messages when it was given the absolute path name of a file outside of the current directory and the subdirectories below the current directory.
e.g., after cd /home/; splint /tmp/prog.c, Splint would report tmp/prog.c instead of /tmp/prog.c.
Fixed in CVS (2002-10-14) will be in 3.0.1.7.
Crashes if started with -i instead of -I
Splint crashed if it was started with the -i flags and given an invalid argument. This was problematic because -i is easily confused with -I.
Fixed in CVS (2002-10-21) will be in 3.0.1.7. Bug reported by Jesse Laird.
sizeof
Splint did not correctly handle code in which sizeof is applied to a string literal. e.g. malloc (sizeof ("abcd") ); This caused Splint to report spurious bounds errors.
Fixed in CVS (2002-11-29) will be in 3.0.1.7. Bug was reported by Xiaolan Zhang
Directories in file list
Splint produces an internal bug report when directories are listed as source files (e.g., splint .). Reported by Ullrich von Bassewitz. Fixed in development code (2002-07-17), not yet in CVS.
emptyreturn flag
The emptyreturn flag doesn't work (it should be "emptyret" in flags.def). Reported by Adam Clarke. Fixed in CVS (2002-07-08), will be in 3.0.1.7. (This is a temporary fix; a better solution to canonicalizing flag names will be incorporated into a later release.)

getgrgid, getgrnam, getpwnam

These functions from grp.h in the Posix and Unix libraries should be declared to return /*@observer@*/ references. Reported by Enrico Scholz. Fixed in CVS (2002-07-08), will be in 3.0.1.7.
sys/resource.h
The sys/resource.h segment of the Unix library was not updated to SUSv3. The type of rlim_t, struct rlimit and struct rusage have been updated. Reported by Enrico Scholz. Fixed in CVS (2002-07-08), will be in 3.0.1.7.
Standard library missing snprintf
snprintf is in the unix library, but not the standard library. It was added to ISO C99, so should be in the standard library. Reported by Olivier L'Heureux. Fixed in CVS (2002-07-08), will be in 3.0.1.7.
Char literal initializers
Splint misinterprets initializations of char arrays with string literals (see ISO 6.7.8, Example 8):
    char s[] = "abc";
    char *p = "abc";
s is modifiable (not an observer); p is an observer. Reported by Olivier L'Heureux. Fixed in CVS (before 2002-07-05), will be in 3.0.1.7.
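The two string-literal items above (sizeof applied to a literal, and char array versus char pointer initializers) in working code, as an added example that is not from the Splint page. sizeof on a literal counts the terminating NUL; the array form is a writable copy, while the pointer form refers to read-only storage, which is what Splint's observer annotation expresses. The function names (literal_size, array_form_size, modify_array_copy, pointer_form, copy_fits, copy_check_demo) are constructed for the example.

```c
/* Added example: sizeof on string literals and the array/pointer
 * initializer distinction from ISO C 6.7.8. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* sizeof on a literal: "abcd" occupies 5 bytes, four characters plus NUL. */
size_t literal_size(void)
{
    return sizeof("abcd");
}

/* The array form copies the literal into 4 writable bytes on the stack. */
size_t array_form_size(void)
{
    char s[] = "abc";
    return sizeof(s);        /* 4: 'a', 'b', 'c', '\0' */
}

/* The array may be modified in place: uppercase the first character. */
char modify_array_copy(void)
{
    char s[] = "abc";
    s[0] = 'A';              /* legal: s is our own copy */
    return s[0];
}

/* The pointer form only refers to the literal. Writing through it is
 * undefined behaviour (often a fault on a read-only page), which is why
 * Splint treats p as an observer. const lets the compiler enforce it. */
/*@observer@*/ const char *pointer_form(void)
{
    const char *p = "abc";
    return p;
}

/* Copy a literal into dst; sizeof gives the exact size including the NUL,
 * so the check is neither one byte short nor one byte long. */
int copy_fits(char *dst, size_t dstcap)
{
    if (dstcap < sizeof("abcd"))
        return 0;
    memcpy(dst, "abcd", sizeof("abcd"));
    return 1;
}

/* 1 if the 8-byte buffer was accepted and filled and the 4-byte one refused. */
int copy_check_demo(void)
{
    char big[8];
    char small[4];
    return copy_fits(big, sizeof(big)) == 1
        && strcmp(big, "abcd") == 0
        && copy_fits(small, sizeof(small)) == 0;
}

int main(void)
{
    printf("sizeof(\"abcd\") = %zu\n", literal_size());
    printf("sizeof(char s[] = \"abc\") = %zu\n", array_form_size());
    printf("copy checks behave: %d\n", copy_check_demo());
    return 0;
}
```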

pre-processor macros

The pre-processor will lose necessary whitespace before an identifier that corresponds to the name of a parameterized macro inside a macro expansion. For example,
   typedef void (*ErrorProc_t)( void ); 
   typedef void (*WriteProc_t)( int, ErrorProc_t);
   #define ErrorProc_t(name) void (name) ( void )
   #define PrintProc_t(name) void (name) ( int Num, ErrorProc_t /*<- this whitespace is lost!->*/ errorProc )
   static PrintProc_t (foo1); 
Fixed in CVS (2002-07-03), will be in 3.0.1.7. Reported by Adam Clarke.

offsetof syntax

Splint cannot parse offsetof expressions where the field designator is an array fetch: offsetof(some_struct_t,d[index]). Fixed in CVS (2002-07-02), will be in 3.0.1.7. Reported by Asger Overby.
struct iovec and struct msghdr declarations
The unix.h library declares the struct iovec and struct msghdr structures without /*@dependent@*/ annotations on their pointer fields; the implicit only annotations are incorrect for these. The library declarations were changed to:
struct iovec {
  /*@dependent@*/ void *iov_base;
  size_t iov_len; /*: maxSet(iov_base) = iov_len */
};

struct msghdr {
  /*@dependent@*/ void *msg_name;		
  socklen_t msg_namelen;	/*: maxSet (msg_name) >= msg_namelen */
  /*@dependent@*/ struct iovec *msg_iov;	/* scatter/gather array */
  int msg_iovlen;		/* # elements in msg_iov */ /*: maxSet (msg_iov) >= msg_iovlen */
  /*@dependent@*/ void *msg_control;		/* ancillary data, see below */
  socklen_t msg_controllen;     /*: maxSet (msg_control) >= msg_controllen */
  int msg_flags;		/* flags on received message */
} ;
Fixed in CVS (2002-07-02), will be in 3.0.1.7. Reported by Enrico Scholz.
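The kind of code the maxSet constraints in those declarations protect, as an added example that is not from the Splint page or its library files. Each iovec carries a base pointer and a length that must not exceed the buffer behind it, and an iovlen must not exceed the number of entries; gather() copies scatter buffers into one contiguous output and refuses to run past the destination. struct iovec comes from the POSIX header sys/uio.h; gather, demo_gather, demo_fits and demo_overflows are constructed for the example.

```c
/* Added example: bounds-checked scatter/gather over struct iovec. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>     /* struct iovec (POSIX) */

/* Copy iovlen entries from iov into out (capacity outcap). Returns the
 * number of bytes copied, or -1 on a bad argument or if the total would
 * overflow out. The remaining capacity is compared before each copy, so an
 * oversized iov_len cannot wrap a running total. */
long gather(const struct iovec *iov, int iovlen, char *out, size_t outcap)
{
    size_t used = 0;
    int i;

    if (iov == NULL || out == NULL || iovlen < 0)
        return -1;
    for (i = 0; i < iovlen; i++) {
        if (iov[i].iov_len == 0)
            continue;
        if (iov[i].iov_base == NULL)
            return -1;
        if (iov[i].iov_len > outcap - used)   /* safe: used <= outcap */
            return -1;
        memcpy(out + used, iov[i].iov_base, iov[i].iov_len);
        used += iov[i].iov_len;
    }
    return (long)used;
}

/* Constructed sample: three segments totalling 11 bytes ("hello world"). */
long demo_gather(char *out, size_t outcap)
{
    static char a[] = "hello";
    static char b[] = " ";
    static char c[] = "world";
    struct iovec iov[3];

    iov[0].iov_base = a; iov[0].iov_len = 5;
    iov[1].iov_base = b; iov[1].iov_len = 1;
    iov[2].iov_base = c; iov[2].iov_len = 5;
    return gather(iov, 3, out, outcap);
}

/* Into a 16-byte buffer: returns 11 and the bytes match, else -2. */
long demo_fits(void)
{
    char out[16];
    long n = demo_gather(out, sizeof(out));
    if (n == 11 && memcmp(out, "hello world", 11) == 0)
        return n;
    return -2;
}

/* Into an 8-byte buffer: 11 bytes do not fit, so gather returns -1. */
long demo_overflows(void)
{
    char out[8];
    return demo_gather(out, sizeof(out));
}

int main(void)
{
    printf("16-byte buffer: %ld\n", demo_fits());
    printf("8-byte buffer:  %ld\n", demo_overflows());
    return 0;
}
```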
forward enum tags
Splint reports spurious redeclaration warnings for forward enum tags. Fixed in CVS, will be in 3.0.1.7.
Line Numbers after multi-line macro instantiations
Splint will report the wrong line number after a multi-line macro instantiation (it only counts as one line). Reported by Andreas Rasmusson. Fixed in CVS, will be in 3.0.1.7.
GCC_INCLUDE_DIR definition
GCC_INCLUDE_DIR is not defined properly by configure on systems where gcc is not found. If you build on such a system, you need to manually edit config.h to include the definition:
/* system include directory */
#define GCC_INCLUDE_DIR "/usr/include"
Fixed in CVS, will be in 3.0.1.7 release.
Array Initializers
Splint does not handle array initializations with missing values correctly, for example int a[][2] = {{1,2},{3,4},{5,6}}. (Reported by Ka-Liong Lau)
Warning message for -shiftsigned
The warning message for the shiftsigned flag refers to the shiftsize flag, which does not exist. It should be shiftimplementation instead. Reported by Melson Beebe. Fixed in CVS, 13 Feb 2002.
-skipisoheaders
The skipisoheaders flag does not work as documented. (It should be the same as skipansiheaders.) Reported by Jeroen Ruigrok van der Werven. Fixed in CVS, will be in 3.0.1.7.

BUFSIZ

The standard library declares BUFSIZ as int, but it should be size_t. Reported by Walter Briscoe. Fixed in CVS, will be in 3.0.1.7.

Types with fixed sized arrays

Splint may crash if there is a typedef involving a fixed size array. For example: typedef int Buf[5]; This problem will only occur if the flags bounds, boundsread, or boundswrite are set. A message like:
*** Internal Bug at ctype.c:2687: llassert failed: (ctentry_getKind (cte) == CTK_COMPLEX) || (ctentry_getKind (cte) == CTK_ARRAY) [errno: 25]
will be printed before splint crashes. (Reported by Jim Francis ) Fixed in CVS, 25 Jan 2002.

Char array initialized with strings containing escape sequences

Splint may erroneously warn that a "string literal is assigned to a char array too small to hold it" if an array is initialized with a string containing escape sequences. (Reported by Jeff Johnson) Fixed in CVS, 22 Jan 2002.

Double Compilations

On some platforms, if -j is used to do a parallel make, Splint will compile some files more than once. We're not sure why this happens, but recommend not using the -j option to make.

(Reported by Matthias Andree, 14 Jan 2002.)
