Hi Michal, Which static code analyzer have you used? On my side, I'm using splint, but I need to add annotations to get a better check.
Thanks and regards, Yves 2011/12/20 Michal Hlavinka <[email protected]> > Hi, > > we've used a static code analyzer on the ksh sources and it found the following > problems (after cleaning up the obvious false positives). We've tested the latest > version available (20110630), so because it's quite old now, some problems > may no longer be valid or may be at a different position. Do you plan to release > a new (beta) version soon? > > Michal > > ------------------------------------------------------------- > > ksh93/bltins/enum.c: > * dereferencing free()d pointer: fp > 133: struct Enum *ep = (struct Enum*)fp; > 140: free((void*)ep); > 141: nv_putv(np, val, flags,fp); > > ksh93/bltins/test.c: > * uninitialized value used: statb > 646: struct stat statb; > 649: return(statb.st_mode); > > ksh93/bltins/typeset.c: > * possible wrong malloc size multiplication > 913: libattr = (unsigned short*)realloc((void*)liblist, > (maxlib+1)*sizeof(unsigned short*)); > sizeof(unsigned short*) instead of sizeof(unsigned short)? > > * possible wrong malloc size multiplication > 918: libattr = (unsigned short*)malloc((maxlib+1)*sizeof(unsigned > short*)); > sizeof(unsigned short*) instead of sizeof(unsigned short)? > > ksh93/edit/emacs.c: > * calling strncpy with a maximum size argument of 80 bytes on destination > array "ep->ed->e_search" of size 80 bytes might leave the destination > string unterminated. > 1297: strncpy(lstring,((char*)string)+2,SEARCHSIZE); > > ksh93/edit/history.c: > * memory leak: tmpname > 474: tmpname = (char*)malloc(strlen(name)+14); > 484: (if) tmpname = name; allocated memory lost > 499: return hist_ptr = hist_old; but 'tmpname' not free()d > > * dereferencing free()d pointer: hp > 779: hist_close(hp); // == free(hp) > 780: if(!sh_histinit(hp->histshell)) > > ksh93/edit/vi.c: > * calling strncpy with a maximum size argument of 80 bytes on destination > array "vp->ed->e_search" of size 80 bytes might leave the destination > string unterminated.
> 2276: strncpy(lsearch, ((char*)virtual)+1, SEARCHSIZE); > > ksh93/sh/env.c: > * memory leak: ep > 190: if(!(ep = newof((Env_t*)0,Env_t,1,0))) > 195: return(0); > > ksh93/sh/init.c: > * dereferencing free()d pointer: fp > 595: free((void*)fp); > 596: nv_putv(np, val, flags, fp); > > * uninitialized value used: last > 1224: char *last; > 1234: if(*last) > > * uninitialized value used: shp > 1256: Shell_t *shp; > 1302: umask(shp->mask=umask(0)); > > * possible wrong sizeof usage > 1772: shgd->stats = (int*)calloc(sizeof(int*),nstat); > the allocation uses sizeof(int*) but the result is cast to (int*); sizeof(int*) > instead of sizeof(int)? > > * dereferencing free()d pointer: fp > 2180: free((void*)fp); > 2183: nv_putv(np,val,flags,fp); > > ksh93/sh/io.c: > * freeing memory that was not allocated; strdup() missing? > 265: s = "localhost"; > 270: free(s); > > ksh93/sh/jobs.c: > * dereferencing null variable 'csp' > 267: for(csp=job.colist; csp; csp = csp->next) > Comparing "csp" to null implies that "csp" might be null.
> 272: sfprintf(shp->strbuf,"%s.%d%c",csp->name,pid&0xff,0); > > ksh93/sh/macro.c: > * memory leak: pattern > 1764: pattern = strdup(argp); > 1978: return(1); but 'pattern' not free()d > > * memory leak: id > 1494: id = prefix(mp->shp,id); /* id = strdup( ) */ > 1978: return(1); but 'id' not free()d > > ksh93/sh/name.c: > * buf NULLed on failure, but not free()d > 137: buf = (char*)realloc(buf,len); > > ksh93/sh/nvtree.c: > * result always false regardless of the values of its operands > 466: if((attr&NV_NOPRINT|NV_INTEGER)==NV_NOPRINT) > == (attr& (4|8) | 2) == (4 | 8)) > > ksh93/sh/nvtype.c: > * possible null pointer dereference: np, otherwise it is redundant to > check if np is null > 629: if(!np) > 631: sfprintf(sfstderr,"%s: no such variable\n",np->nvname); > > * memory leak: val > 1359: val = strdup(nv_getval(np)); > 1364: return(0); but 'val' not free()d > > ksh93/sh/path.c: > * memory leak: saveargs > 190: saveargs = (char**)malloc(n); > 205: return(-1); but 'saveargs' not free()d > > ksh93/sh/suid_exec.c: > * memory leak: groups > 325: groups = (gid_t*)malloc((maxgroups+1)*sizeof(gid_t)); > 'groups' not free()d > > ksh93/sh/xec.c: > * array 'arglist[2]' index 2 out of bounds > 3570: char *arglist[2] > 3579: arglist[2] = 0; > > lib/libast/comp/catopen.c: > * memory leak: cc > 108: if (!(cc = newof(0, Cc_t, 1, 0))) > 119: return (_ast_nl_catd)(-1); but 'cc' not free()d > > lib/libast/comp/getoptl.c: > * memory leak: t > 54: t = strdup(optstring); > 100: return -1; but 't' not free()d > 138: return c; but 't' not free()d > > lib/libast/comp/regcmp.c: > * va_end not called for: ap > 77: va_start(ap, pattern); > 79: return 0; > > * va_end not called for: ap > 193: va_start(ap, pattern); > 195: return 0; > > lib/libast/disc/sfdcmore.c: > * memory leak: more > 324: if (!(more = (More_t*)malloc(sizeof(More_t) + n))) > 368: return 0; but 'more' not free()d > > lib/libast/disc/sfkeyprintf.c: > * possible null pointer dereference: a > 147: char* a = 0; > 190: if
(i == ':' && fp->fmt.fmt == 's' && strlen(a) > 4 && !isalnum(*(a + > 4))) > > lib/libast/hash/hashscan.c: > * possible null pointer dereference: pos > 91: if (!pos) return(pos->tab->root->last.bucket = 0); > > lib/libast/misc/magic.c: > * possible null pointer dereference: ep > 2444: register Entry_t* rp = 0; > 2490: ep = rp; > 2491: ep->value.lab->mask = 1; > > lib/libast/misc/optjoin.c: > * va_end not called for: ap > 68: va_start(ap, argv); > 82: return 0; > 89: return 1; > 115: return 1; > > lib/libast/misc/stk.c: > * memory leak: 'tp' > 460: if(!(tp = malloc(off))) > 475: return(0); but 'tp' not free()d > > lib/libast/port/astconf.c: > * invalid number of character '((', ')' when these macros are defined: > 'ATT_UNIV;UNIV_MAX' > 747: while (n < univ_max && !streq(value, univ_name[n]) > > lib/libast/port/astquery.c: > * va_end not called for: ap > 54: va_start(ap, format); > 56: return 0; > 63: return -1; > 67: return -1; > 98: return -1; > 103: return 0; > 105: return 1; > > lib/libast/port/lcgen.c: > * resource leak: 'hf' > 300: if (!(hf = fopen(hdr, "w"))) > 308: return 1; but 'hf' not closed > > lib/libast/sfio/sfvscanf.c: > * va_end not called for: oargs > 371: va_copy(oargs,args); > > lib/libast/sfio/sfvprintf.c: > * va_end not called for: oargs > 202: va_copy(oargs,args); > > lib/libast/stdio/vfwprintf.c: > * memory leak: m > 40: if (m = malloc(n + 1)) > 64: return v; but 'm' not free()d > > lib/libast/string/tokscan.c: > * va_end not called for: prv_ap > 235: va_copy(prv_ap, ap); > > lib/libcmd/join.c: > * possible null pointer dereference: cp > 260: if (!(cp= *argv) || cp[1]!='.'
|| (*cp!='1' && *cp!='2')) > 262: if (*cp=='0' && cp[1]==0) > > lib/libcmd/rev.c: > * memory leak: wp > 77: if (!(wp = newof(wp, wchar_t, w, 0))) > 91: return -1; but 'wp' not free()d > > lib/libcmd/wclib.c: > * result always true regardless of the value of its operand > 453: while(mbc(c) && ((c|WC_ERR) || (c&7)==0)) (c|0x40L) is always 1/true > > lib/libcmd/tty.c: > * invalid number of character '((', ')))' when these macros are defined: > '_mac_STWLINE'. > 94: if (n = ioctl(0, STWLINE, 0)) >= 0) > > > _______________________________________________ > ast-developers mailing list > [email protected] <[email protected]> > https://mailman.research.att.com/mailman/listinfo/ast-developers >
