0. 快速回忆
Linux 安装 splint
yum install -y splint
// 检测文件 *.c
splint *.c
常会出现的问题
- 空指针报错
- 类型转换报错
- 释放有其他指针引用的空间
- 最后一个指针指引丢失,但空间没有释放
- 数组越界,访问超出申请的 buffer 大小范围
1. splint 介绍
针对C语言的开源程序静态分析工具 -- splint
2. splint消息
检测文件*.c
splint *.c
测试文件 splint_msg.c
//splint_msg.c
int func_splint_msg1(void)
{
int a;
return 0;
}
int func_splint_msg2(void)
{
int* a = (int*)malloc(sizeof(int));
a = NULL;
return 0;
}
Splint 3.1.2 --- 11 Oct 2015
// 给出告警所在函数名,在函数的第一个警告消息报告前打印;
splint_msg.c: (in function func_splint_msg1)
// 消息的正文,文件名、行号、列号显示在的警告的正文前;
splint_msg.c:4:6: Variable a declared but not used
// 有关该可疑错误的详细信息,包含一些怎样去掉这个消息的信息;
A variable is declared but never used. Use /*@unused@*/ in front of
declaration to suppress message. (Use -varuse to inhibit warning)
// 第二条
splint_msg.c: (in function func_splint_msg2)
splint_msg.c:10:2: Fresh storage a (type int *) not released before assignment:
a = NULL
A memory leak has been detected. Storage allocated locally is not released
before the last reference to it is lost. (Use -mustfreefresh to inhibit
warning)
// 给出格外的位置信息,这里消息给出了是在哪里申请了这个可能泄露的内存。
splint_msg.c:9:38: Fresh storage a created
2. 检查控制
splint提供了三种方式可进行检查的控制,分别是.splintrc配置文件、flags标志和格式化注释。
1. flags
splint 支持几百个标志用来控制检查和消息报告
使用时标志前加’+‘或’-’,'+'标志开启这个标志,'-'表示关闭此标志
splint -showcol a.c //在检测a.c时,告警消息中列数不被打印
splint -varuse a.c //在检测a.c时,告警消息中未使用变量告警不被打印
2. .splintrc配置文件
在使用源码安装splint之后,.splintrc 文件将被安装在主目录下
.splintrc 文件中对一些标志作了默认的设定,命令行中指定的 flags 标志会覆盖 .splintrc 文件中的标志。
3. 格式化注释
格式化注释提供一个类型、变量或函数的格外的信息,可以控制标志设置,增加检查效果,所有格式化注释都以/@开始,@/结束,比如在函数参数前加/@null@/,表示该参数可能是NULL,做检测时,splint会加强对该参数的值的检测。
3. 检测分析内容
1. 引用空指针(Null Dereferences)
在Unix操作系统中,解引用空指针将导致我们在程序运行时产生段错误(Segmentation fault)
// null.c
int func_null(void)
{
int *a = NULL;
return *a;
}
Splint 3.1.2 --- 11 Oct 2015
null.c: (in function func_null)
null.c:3:11: Unrecognized identifier: null
Identifier used in code has not been declared. (Use -unrecog to inhibit
warning)
null.c:4:9: Return value type int * does not match declared type int: a
Types are incompatible. (Use -type to inhibit warning)
Finished checking --- 2 code warnings
2. 类型(Types)
我们在编程中经常用到强制类型转换,将有符号值转换为无符号值、大范围类型值赋值给小范围类型
void splint_types(void)
{
short a = 0;
long b = 32768;
a = b;
return;
}
int main() {
return 1;
}
Splint 3.1.2 --- 11 Oct 2015
types.c: (in function splint_types)
types.c:5:2: Assignment of long int to short int: a = b
To ignore type qualifiers in type comparisons use +ignorequals.
Finished checking --- 1 code warning
3. 内存管理(Memory Management)
C语言程序中,将近半数的bug归功于内存管理问题,关乎内存的bug难以发现并且会给程序带来致命的破坏。
由内存释放所产生的问题,我们可以将其分为两种
1. 当尚有其他指针引用的时候,释放一块空间
void memory(void)
{
int *a = (int *)malloc(sizeof(int));
int *b = a;
free(a);
*b = 0;
return;
}
int main() {
return 1;
}
在上面这个例子中,指针a与b指向同一块内存,但在内存释放之后仍对b指向的内容进行赋值操作
Splint 3.1.2 --- 11 Oct 2015
memory.c: (in function memory)
memory.c:6:3: Variable b used after being released
Memory is used after it has been released (either by passing as an only param
or assigning to an only global). (Use -usereleased to inhibit warning)
memory.c:5:7: Storage b released
memory.c:6:3: Dereference of possibly null pointer b: *b
A possibly null pointer is dereferenced. Value is either the result of a
function which may return null (in which case, code should check it is not
null), or a global, parameter or structure field declared with the null
qualifier. (Use -nullderef to inhibit warning)
memory.c:4:11: Storage b may become null
Finished checking --- 2 code warnings
第一个指出我们使用了b指针,而它所指向的内存已被释放
第二个是对解引用空指针的告警
2. 当最后一个指针引用丢失的时候,其指向的空间尚未释放
void memory2(void)
{
int *a = (int *)malloc(sizeof(int));
a = NULL;
return;
}
int main() {
return 1;
}
这个例子中内存尚未释放,就将指向它的唯一指针赋值为NULL
Splint 3.1.2 --- 11 Oct 2015
memory2.c: (in function memory2)
memory2.c:4:2: Fresh storage a (type int *) not released before assignment:
a = NULL
A memory leak has been detected. Storage allocated locally is not released
before the last reference to it is lost. (Use -mustfreefresh to inhibit
warning)
memory2.c:3:38: Fresh storage a created
Finished checking --- 1 code warning
splint抛出一个告警:类型为 int* 的 a 在进行 a = NULL 赋值前没有释放新分配的空间。
4. 缓存边界(Buffer Sizes)
splint 会对数组边界、字符串边界作检测,使用时需要加上 +bounds 的标志
void bound1(void)
{
int a[10];
a[10] = 0;
return ;
}
int main() {
return 1;
}
1. 数组越界
# splint +bounds size1.c
Splint 3.1.2 --- 11 Oct 2015
size1.c: (in function bound1)
size1.c:4:2: Likely out-of-bounds store: a[10]
Unable to resolve constraint:
requires 9 >= 10
needed to satisfy precondition:
requires maxSet(a @ size1.c:4:2) >= 10
A memory write may write to an address beyond the allocated buffer. (Use
-likelyboundswrite to inhibit warning)
Finished checking --- 1 code warning
2. 可能出现越界错误
void bounds2(char *str)
{
char *tmp = getenv("HOME");
if(tmp != NULL)
{
strcpy(str, tmp);
}
return;
}
int main() {
return 1;
}
告警消息提示我们:在使用strcpy(str, tmp)进行字符串复制时,可能出现越界错误
因为str的大小可能不足以容纳环境变量“HOME”对应的字符串。绿色字体的内容指示了如何消除告警消息。
# splint +bounds size2.c
Splint 3.1.2 --- 11 Oct 2015
size2.c: (in function bounds2)
size2.c:6:3: Possible out-of-bounds store: strcpy(str, tmp)
Unable to resolve constraint:
requires maxSet(str @ size2.c:6:10) >= maxRead(getenv("HOME") @
size2.c:3:14)
needed to satisfy precondition:
requires maxSet(str @ size2.c:6:10) >= maxRead(tmp @ size2.c:6:15)
derived from strcpy precondition: requires maxSet(<parameter 1>) >=
maxRead(<parameter 2>)
A memory write may write to an address beyond the allocated buffer. (Use
-boundswrite to inhibit warning)
Finished checking --- 1 code warning
