Naming Conventions

Naming conventions are useful because they keep code readable for a team of developers working on it. Which conventions you use does not really matter, but it is important that every developer applies them consistently. Splint can check this as well. A group of flags specifies what the names of the various kinds of variables and user-defined types must look like. Each of these flags is built from the name of a category (local for local variables, for example) followed by the keyword prefix.
[Figure 1: amount of effort required (x axis) against fraction of errors detected (y axis). Points along the curve, from least to most effort: weak checking, stricter type checking, abstract types, null annotations, buffer sizes, function interfaces, memory management, checked macros. Caption: Most C compilers warn you about simple bugs; more complex error classes require more effort. Splint allows the programmer to select an appropriate checking level. Diagram based on [3].]

It expects string input from the user in get_data and reverses this input in reverse_data. It then outputs the string and releases the memory in deallocmem. In its current form the program produces, amongst others, the following Splint message:

linttest.c: Implicitly temp storage char_p passed as only param: free(char_p)

Splint is pointing out that the parameter of deallocmem, which is implicitly temp, is being handed to free, which requires an only reference; as far as the checker can tell, the memory allocated by the program is therefore never properly released. The message disappears when the only annotation is inserted directly before char in line 11. Splint now understands that this is an exclusive reference; in other words, the pointer is obliged to release the memory it references.

Listing 1: Example1.c (the text refers to the line numbers of the printed listing; the allocation size is an assumption, as it is not legible in the scan)

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(/*@unused@*/ int argc, /*@unused@*/ char *argv[])   /* line 3 */
{
    char *dpointer = NULL;
    dpointer = malloc(20);                 /* assumed size */
    if (dpointer == NULL)
        return 1;
    strcpy(dpointer, "Hello World");
    free(dpointer);                        /* line 9: memory released */
    printf("%s\n", dpointer);              /* line 10: use after release */
    return 0;
}
```

www.linux-magazine.com
PROGRAMMING: Splint

Checking Code Quality with Splint

Greater Detail

Splint parses C source code and discovers typical programming errors. There is no need to change the code to allow this, but you can achieve better results with a bit more effort: developers can describe their programs in special annotations, giving Splint a better understanding of what is going on and helping the tool discover even more dirty code.

BY HERWART KIRAM

Without modifying the program code or using special flags, the static semantics checker Splint [1] applies its sleuthing skills to discovering faulty code. An article in issue 27 (February 2003) [2] described Splint's capabilities when simply thrown in at the deep end. Programmers can get more out of the tool, provided they are not too busy for a bit more work, by adding special annotations to their code. Splint evaluates the annotations to gain a better understanding of the source code, and this in turn puts the checker in a position to analyse a whole new range of problems. These include:

• infinite loops
• memory de-allocation errors (memory leaks)
• de-referencing null pointers
• naming convention infringements
• inappropriate interfaces
• buffer overflows
• inaccessible code

The C compiler itself is perfectly capable of pointing out simple issues. But the more complex the pitfall the programmer falls into, the more effort a tool has to put into discovering programming errors.
Splint will issue a warning if a program de-references this possibly null pointer. The warning for Listing 2 reads:

linttest.c: Possibly null storage dpointer passed as non-null param: get_data(dpointer)

You can stop Splint from complaining by re-instating line 23. Splint then recognises that the if condition prevents the program from de-referencing a null pointer.

Listing 2: linttest.c (continued)

```c
    dpointer = allocmem();
    /* if (dpointer == NULL) return 1; */        /* line 23, commented out */
    char_cnt = get_data(dpointer);
    char_cnt = reverse_data(dpointer);
    printf("Number of characters: %d\nOutput: %s\n", char_cnt, dpointer);
    deallocmem(dpointer);
    if (char_cnt > 0)
        return 0;
    else
        return 1;
    return 0;                                    /* inaccessible code */
}

static int reverse_data(char *inputdata)
{
    int i = 0;
    char temp;
    int a = strlen(inputdata);                   /* size_t assigned to int, see line 8 */
    while (i < a / 2) {                          /* line 43 */
```

Correct Interfacing

Functions use their interfaces to exchange information with the calling environment. Function prototypes specify the type and number of parameters. It is good programming technique to document which arguments a function will modify and which it will leave untouched. The modifies annotation lets you tell Splint which arguments and global variables a routine may modify; any discrepancy may indicate a programming error. Interface definitions also cover user-defined constants, comparable to const in C.
The authors of Splint describe their own technique for recognising possible buffer overflows with a static bounds checker, without actually running the program, in [5].

Enums and Numbers

In C it is permissible to assign integer values to variables of arbitrary enumerated (enum) types instead of just using the declared values:

```c
enum weekday { MON, TUE, WED };
enum weekday day = 15;      /* legal C, but almost certainly a bug */
```

Splint will report an error in this case provided you set the -checks mode. The tool will also recognise use of variables before they have been defined, and lets you know if the program ignores function return values.

Conclusion

The comprehensive User Manual for Splint [3] provides more detail on the program's capabilities. Splint is at its most valuable when integrated at the outset of a development process and used consistently from then on. Writing annotated programs takes hardly any longer than writing programs without annotations. Annotations do, however, make a developer think about the meaning of a variable or parameter, and possibly document it with an annotation, and that improves the quality of the program code. Splint is a big help when it comes to avoiding errors, and it saves a lot of debugging time.

Splint's biggest downer is that it does not support C++. However, the tool is GPL, and project leader David Evans has promised to support anyone prepared to write a C++ front end.
Unfortunately, this warning disappears if you insert i = 3 before the end of the while loop. The loop is still infinite, as the loop variable is now effectively a constant, but Splint no longer recognises the problem. i++ would be the correct fix.

Table 1: Naming conventions

Category            Applies to
enumprefix          enumerated types (enum)
globprefix          global variables
typeprefix          user-defined types (typedef)
externalprefix      external names
localprefix         local names
constprefix         constants
protoparamprefix    parameters in function prototypes

Character codes (as documented in the Splint manual [3])
^    any capital letter, A-Z
&    any small letter, a-z
%    any character that is not a capital letter
~    any character that is not a small letter
$    any letter, A-Z or a-z
#    any number, 0-9
/    any letter or number, A-Z, a-z, 0-9

Splint also checks code accessibility. The return statement at the end of main can never be executed, as both branches of the preceding if condition contain return statements. This causes Splint to report a bug. Removing the dead return is the cleaner fix; where such code is intentional, you can insert an annotation locally, such as the following line before the return statement, to disable the check:

/*@-unreachable@*/

and then enable the check again:

/*@+unreachable@*/

This variant allows you to switch individual checks on and off at critical points while avoiding redundant warnings and false positives. Line 8 in Listing 2 provides another example of this: the +matchanyintegral flag stops Splint from reporting the assignment of a size_t to an int as an error.
Further rules checked with +allmacros:

• Macro parameters must be enclosed in parentheses.
• Each macro parameter may be used exactly once.

Buffer Overflows

Buffer overflows are particularly dangerous in C programs; many exploits leverage bugs of this type. Memory access outside the bounds envisaged by the programmer can thus cause serious problems. Splint uses internal variables called maxSet and maxRead to keep track of memory blocks and creates them automatically for each array: maxSet is the highest index that may legally be written, maxRead the highest index that may legally be read. This is quite sufficient for simple cases:

```c
int myarray[10];
int i = 63;
myarray[i] = 1;
```

If you have enabled the bounds-checking option, Splint discovers that this access will probably write past the end of the array:

Possible out-of-bounds store: myarray[i]

Unfortunately the tool does not recognise negative indices. Static checks often cannot determine the actual index values at runtime. To help, you can use the requires and ensures annotations to stipulate thresholds for the parameters passed across function interfaces. However, this requires a great deal of effort without actually guaranteeing success. It makes sense, therefore, that buffer overflow tests are not part of a specific checking level but have to be enabled explicitly with the +boundswrite and +boundsread flags.
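The following is an added example, not code from the article or from the Splint project: it puts the unchecked strcpy the article warns about next to a bounded copy whose contract is stated with the requires and ensures annotations described above (the annotation syntax follows the Splint manual; maxSet and maxRead are Splint's own names). The function names copy_unchecked, copy_bounded and demo_copy_into_eight, and the eight-byte buffer with a guard byte, are assumptions made for the demonstration. Because the annotations are comments, the block compiles with any C compiler.

```c
#include <stddef.h>
#include <string.h>

/* Unchecked: nothing relates strlen(src) to the size of dst. With +boundswrite
 * Splint reports a possible out-of-bounds store unless it can prove that
 * maxSet(dst) >= strlen(src); at runtime an over-long src simply overflows dst. */
void copy_unchecked(char *dst, const char *src) /*@modifies *dst@*/
{
    strcpy(dst, src);
}

/* Checked: the requires clause tells Splint (and the reader) that the caller
 * guarantees dstsize writable bytes; the ensures clause promises a terminated
 * string within them. The body truncates instead of overflowing. Returns the
 * number of bytes copied, excluding the terminator. */
size_t copy_bounded(/*@out@*/ char *dst, size_t dstsize, const char *src)
    /*@requires maxSet(dst) >= (dstsize - 1)@*/
    /*@ensures maxRead(dst) <= (dstsize - 1)@*/
    /*@modifies *dst@*/
{
    size_t n;
    if (dstsize == 0) {
        return 0;
    }
    n = strlen(src);
    if (n > dstsize - 1) {
        n = dstsize - 1;             /* truncate: the write stays within maxSet(dst) */
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Demonstration (assumed layout): copies src into an eight-byte buffer that is
 * followed by a guard byte. Returns the copied length, or -1 if the guard was
 * overwritten or the result is not terminated inside the buffer. */
long demo_copy_into_eight(const char *src)
{
    struct { char buf[8]; char guard; } s;
    size_t n;
    s.guard = 0x7f;
    n = copy_bounded(s.buf, sizeof s.buf, src);
    if (s.guard != 0x7f || n >= sizeof s.buf || s.buf[n] != '\0') {
        return -1;
    }
    return (long) n;
}
```

With a twelve-character input the bounded copy stores the first seven bytes plus the terminator and leaves the guard byte alone; the unchecked version would have written five bytes past the buffer. The requires clause is also what lets Splint check the callers: a call site that cannot establish maxSet(dst) >= dstsize - 1 is reported, whereas the strcpy version only ever produces a warning inside the function itself.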
Splint checks whether arguments not designated as modifiable are in fact modified. This check is enabled by the +mods flag. But the fact that a function does not modify an argument declared as modifiable can also indicate an error; to check for this case you need the +mustmod flag. Both tests are included in the -checks mode. We have assigned the modifies annotation to all of the routines in our sample program. Because get_data changes the global variable S_num, which its modifies annotation does not mention, Splint issues the following warning:

linttest.c:53:22: Undocumented modification of S_num: S_num = strlen(outputdata)

Listing 2: linttest.c (continued)

```c
        temp = inputdata[i];
        inputdata[i] = inputdata[a - 1 - i];
        inputdata[a - 1 - i] = temp;
        /* i is never changed: the loop can never terminate */
    }
    return a;
}

static int get_data(char *outputdata)
{
    printf("Please enter a string: ");
    (void) fgets(outputdata, BUFSIZE, stdin);
    S_num = strlen(outputdata);                   /* line 53: undocumented modification */
    return S_num;
}

static char *allocmem(void)
{
    return (char *) malloc(BUFSIZE);
}

static void deallocmem(char *char_p)
{
    free(char_p);
    return;
}
```

Infinite Loops

Splint can test for infinite loops, although this only works in extremely simple cases such as the reverse_data function in our sample program (Listing 2). Splint issues the following warning:

linttest.c:43:9: Suspected infinite loop. No value used in loop test (i, a) is modified by test or loop body
The main function in line 3 of Listing 1 expects a list of arguments that it never uses. The unused annotation prevents Splint from outputting a warning: the developer knows that the variables are not used and is leaving them unused on purpose. Annotations always start with /*@ and are terminated by @*/. The following command displays a list of all annotations:

splint -help annotations

Invalid pointers are a major hassle in software development; the author estimates that they account for half of all errors. Splint can also help out with bugs of this type. A small but nasty bug has found its way into Listing 1: line 9 releases the memory containing a string, and line 10 attempts to output precisely this string. The example is harmless and easily noticed, but in a real program several hundred lines of code could separate the de-allocation from the illegal access. By then the memory may have been overwritten with arbitrary data or lie outside the valid address range; dangling pointer reads and writes of this kind are a classic source of exploitable memory corruption. Splint reacts with the following warning:

Example1.c:10:26: Variable dpointer used after being released

Destroyed Pointers

Things become more difficult when memory allocation and de-allocation occur in a function instead of in the main program. The program in Listing 2 requests memory in the allocmem routine.
The calling function is not permitted to use this memory again, as it has handed over responsibility for it. The pointer may be null, and the memory area it references need not be initialised (out). A pointer that merely refers to memory owned by an only pointer has the temp attribute: temp pointers may neither allocate nor release memory, and the program must not access them once the memory area has been released. So that this also works for unannotated programs, Splint treats all pointers as temp by default.

Listing 2: linttest.c

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define BUFSIZE 200

/* Naming convention: all user-defined types start with T_, followed by small letters only */
/*@ +matchanyintegral typeprefix T_&* @*/                 /* line 8 */

static char *allocmem(void) /*@modifies nothing@*/;
static void deallocmem(char *);                           /* line 11: the only annotation goes before char */
static int get_data(char *outputdata) /*@modifies *outputdata@*/;
static int reverse_data(char *inputdata) /*@modifies *inputdata@*/;
static int S_num;

int main(/*@unused@*/ int argc, /*@unused@*/ char *argv[])
{
    char *dpointer = NULL;
    int char_cnt = 0;
```

July 2003

Null Pointers

Null pointer access is a common pitfall in C programming. Unless otherwise specified, Splint assumes that a pointer can never be null. To allow a null value, programmers specify the null attribute. Again the malloc function provides a good example, as it returns a null pointer if no memory is available.
Figure 1 juxtaposes the effort and the return on effort for such tools: formal verification tools discover more errors, but they also involve non-trivial effort. The effort involved in running Splint is minimal, but the tool still finds a lot of bugs.

Commands

There are a large number of options and parameters for the splint command. The syntax is:

splint [flags] [-f filename] program

where flags is a list of options that enable or disable individual checks. In contrast to most UNIX programs, a minus sign disables an option and a plus sign enables it. Additionally there are shortcuts and checking levels that affect a whole bunch of flags at once. Splint provides four distinct levels with increasingly strict checking criteria: -weak, -standard (the default), -checks and -strict (see the box "Splint Checking Levels"). If the file .splintrc exists and is readable, Splint uses the default flags set in it; the -f filename flag lets you specify another file instead. The following call checks the Example1.c program from Listing 1:

splint -checks +boundswrite -exportheader Example1.c

The parameters tell Splint to use the checks level, without the exportheader check but with boundswrite enabled.

Smart Comments

Splint derives its understanding of the meaning of individual code sections from the source code alone.
And that is what I call a meaningful task, one that would benefit the whole developer community.

INFO

[1] Splint homepage: http://www.splint.org
[2] Steven Goodwin and Dean Wilson, "Walking Upright: Quality Code", Linux Magazine Issue 27, p. 76
[3] Splint User Manual: http://www.splint.org/manual/
[4] FAQs: http://www.splint.org/faq.html
[5] Whitepaper on buffer overflows: http://www.cs.virginia.edu/evans/usenix01/abstract.html

THE AUTHOR

Herwart Kiram has been working as a software developer in the telecommunications industry for over ten years. He specialises in Linux and communication protocols.
There are three ways for the pointer to pass on this obligation to other pointers:

• passing it to a function in a parameter that has the only attribute
• passing it to an external reference that also has the only attribute
• returning it as a value that also has the only attribute

After passing on the obligation to another pointer, the original pointer can be regarded as dead and must not be re-used. This allows Splint to ensure that the program de-allocates every block of memory it has allocated exactly once. For this to work, the obligation to de-allocate must be stipulated somewhere: it is created by the routines that allocate memory, such as malloc or calloc.

Annotated Libraries

Splint provides its own versions of the standard library headers. They contain annotated declarations that Splint uses automatically when checking a program. The malloc function looks like this:

/*@only@*/ /*@null@*/ void *malloc(size_t size);

The return value is a pointer to a memory area that the caller must de-allocate (only), and the pointer may be null. A quick look at the headers supplied with Splint (standard.h and posix.h) can tell you a lot about annotated code. The counterpart to malloc, the free function, looks like this:

void free(/*@only@*/ /*@out@*/ /*@null@*/ void *ptr);

This function expects a pointer to a memory area that it must de-allocate (only); the function thus assumes responsibility for it.
Thus Splint cannot know whether a programmer actually intended to write what Splint regards as broken code, or whether it is simply a programming error. The developer can supply additional information in the form of special annotations that Splint evaluates. Listing 1 contains some annotations of this type.

Box: Splint Checking Levels

Weak: Weak checking for typical unannotated programs. At this level Splint does not discover modifies side effects caused by hidden value modifications and does not investigate macros. Values returned by functions may be ignored by the caller; bool, int, char and user-defined enum types are treated as equivalent.

Standard: In addition to the weak checks, Splint checks whether the program uses released memory, de-references null pointers, contains inaccessible code or infinite loops, and whether it uses the values returned by functions. This level also checks whether macros are OK and whether functions use all of their parameters. bool, int and char are not equivalent and cannot be mixed without explicit type conversion.

Checks: This stricter level additionally ensures that functions adhere exactly to their interface definitions. enum and int are now regarded as distinct types.

Strict: The strictest level is of limited use for real programs. The manpage promises a reward to the first person to write a real program that passes this level without a single warning.
The pattern for the name then follows after a space character. The pattern uses metacharacters to specify the rules that apply to the name; unfortunately you cannot use regular expressions. For example:

localprefix L_&*

This specifies that local variables must start with L_ and may contain only small letters after that. The trailing * means that the previous character (here &, any small letter) may appear any number of times. Table 1 shows the categories and metacharacters for these rules. Line 8 of Listing 2 shows another example: all user-defined types must start with T_, followed by small letters only.

Macros

The macro preprocessor is a powerful tool, but it harbours a number of pitfalls. Macros are pure text substitution and are not subject to C syntax. A macro that calculates a square is the classic example:

#define Quadrat(x) x * x

This definition works fine as long as only single values are passed to the macro, as in Quadrat(i). Problems start with something like Quadrat(i + 1): the preprocessor turns this into i + 1 * i + 1, which is i + i + 1 rather than (i + 1) * (i + 1). A call to Quadrat(i++) is also problematic, as the result of i++ * i++ varies from one implementation to the next (it is undefined behaviour). If you launch Splint with the +allmacros flag, the tool can check the following, amongst other things:

• A macro parameter must not be used with a decrement or increment operator.
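The following is an added example, not code from the article: it puts the article's Quadrat macro beside the two forms that avoid the pitfall, a fully parenthesised macro and a function, and shows with concrete values how the textual expansion goes wrong. The names QUADRAT_BAD, QUADRAT, quadrat, square_of_next_bad, square_of_next, square_and_step and step_demo are assumptions made for the demonstration.

```c
/* The article's macro: pure text substitution, no parentheses. */
#define QUADRAT_BAD(x) x * x

/* Parenthesised version: safe for compound arguments such as i + 1, but the
 * argument is still expanded twice, so QUADRAT(i++) remains undefined behaviour. */
#define QUADRAT(x) ((x) * (x))

/* A function evaluates its argument exactly once, which is the property the
 * +allmacros rules (each parameter used once, no ++ or --) are trying to enforce. */
static int quadrat(int x)
{
    return x * x;
}

/* QUADRAT_BAD(i + 1) expands to  i + 1 * i + 1 , that is 2 * i + 1, not (i + 1) squared. */
int square_of_next_bad(int i)
{
    return QUADRAT_BAD(i + 1);
}

/* QUADRAT(i + 1) expands to ((i + 1) * (i + 1)) as intended. */
int square_of_next(int i)
{
    return QUADRAT(i + 1);
}

/* Squares *i and then increments it. The function call sequences the side effect
 * exactly once; the macro form QUADRAT((*i)++) would increment twice. */
int square_and_step(int *i)
{
    return quadrat((*i)++);
}

/* Demonstration helper: starts at 3, squares-and-steps once, and packs the
 * result and the new value of i into one number (9 * 100 + 4 = 904). */
int step_demo(void)
{
    int i = 3;
    int r = square_and_step(&i);
    return r * 100 + i;
}
```

For i = 3 the unparenthesised macro yields 7 where 16 was intended, and the same expansion rule is why Splint insists that each parameter be enclosed in parentheses; the increment case is not merely implementation-dependent but undefined, which is why the tool flags ++ and -- on macro parameters outright.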