Hi,
it's composed of the output of two analyzers. Most of the findings came from Coverity. I don't
know the name of the second analyzer; I only received its output from one user.
Michal
On 12/21/2011 11:41 AM, Yves Crespin wrote:
Hi Michal,
Which static code analyzer did you use?
On my side I'm using splint, but I need to add annotations to get a better
check.
Thanks and regards,
Yves
2011/12/20 Michal Hlavinka <[email protected]
<mailto:[email protected]>>
Hi,
we ran a static code analyzer over the ksh sources and it found the
following problems (after an obvious false-positive clean-up). We
tested the latest version available (20110630); since that is quite
old now, some of these problems may no longer be valid or may have moved
to a different position. Do you plan to release a new (beta) version soon?
Michal
---------------------------------------------------------------
ksh93/bltins/enum.c:
* dereferencing free()d pointer: fp (ep is fp cast to struct Enum*, so free(ep) releases fp, which is then handed to nv_putv on the next line — a use-after-free)
133: struct Enum *ep = (struct Enum*)fp;
140: free((void*)ep);
141: nv_putv(np, val, flags,fp);
ksh93/bltins/test.c:
* uninitialized value used: statb
646: struct stat statb;
649: return(statb.st_mode);
ksh93/bltins/typeset.c:
* possible wrong malloc size multiplication
913: libattr = (unsigned short*)realloc((void*)liblist,
(maxlib+1)*sizeof(unsigned short*));
sizeof(unsigned short*) is used where sizeof(unsigned short) was probably intended (the array holds unsigned shorts; since a pointer is at least as wide as an unsigned short on common platforms this over-allocates rather than under-allocates, so wasteful rather than unsafe — please confirm)
* possible wrong malloc size multiplication
918: libattr = (unsigned short*)malloc((maxlib+1)*sizeof(unsigned
short*));
sizeof(unsigned short*) is used where sizeof(unsigned short) was probably intended (same remark as for line 913: over-allocation, not a buffer shortfall)
ksh93/edit/emacs.c:
* calling strncpy with a maximum size argument of SEARCHSIZE (80) bytes on
destination array "ep->ed->e_search" of size 80 bytes may leave the
destination string unterminated: if the source is 80 bytes or longer no NUL
is written. Copy at most SEARCHSIZE-1 bytes and NUL-terminate explicitly (or use snprintf).
1297: strncpy(lstring,((char*)string)+2,SEARCHSIZE);
ksh93/edit/history.c:
* memory leak: tmpname
474: tmpname = (char*)malloc(strlen(name)+14);
484: (if) tmpname = name; — the only pointer to the allocated memory is overwritten, so it is lost
499: return hist_ptr = hist_old; but 'tmpname' not free()d
* dereferencing free()d pointer: hp
779: hist_close(hp); // frees hp
780: if(!sh_histinit(hp->histshell)) — reads hp->histshell after hp has been freed
ksh93/edit/vi.c:
* calling strncpy with a maximum size argument of SEARCHSIZE (80) bytes on
destination array "vp->ed->e_search" of size 80 bytes may leave the
destination string unterminated (same issue as emacs.c line 1297: no NUL is
written when the source is 80 bytes or longer; copy SEARCHSIZE-1 and terminate explicitly).
2276:strncpy(lsearch, ((char*)virtual)+1, SEARCHSIZE);
ksh93/sh/env.c:
* memory leak: ep
190: if(!(ep = newof((Env_t*)0,Env_t,1,0)))
195: return(0);
ksh93/sh/init.c:
* dereferencing free()d pointer: fp (fp is passed to nv_putv on the line right after it is free()d — use-after-free)
595: free((void*)fp);
596: nv_putv(np, val, flags, fp);
* uninitialized value used: last
1224: char *last;
1234: if(*last)
* uninitialized value used: shp
1256: Shell_t *shp;
1302: umask(shp->mask=umask(0));
* possible wrong sizeof usage
1772: shgd->stats = (int*)calloc(sizeof(int*),nstat);
the result is cast to (int*), so sizeof(int) rather than sizeof(int*) was
probably intended; note also that calloc takes (count, element size), so the
arguments look transposed. Either way the total is nstat*sizeof(int*) bytes,
i.e. an over-allocation on common platforms rather than a shortfall — please confirm.
* dereferencing free()d pointer: fp (fp is passed to nv_putv after it has been free()d — use-after-free)
2180: free((void*)fp);
2183: nv_putv(np,val,flags,fp);
ksh93/sh/io.c:
* free() of memory that was not heap-allocated: on at least one path s still points at the string literal "localhost" when free(s) is reached, which is undefined behaviour. Either strdup() the literal or skip the free() in that case.
265: s = "localhost";
270: free(s);
ksh93/sh/jobs.c:
* dereferencing null variable 'csp'
267: for(csp=job.colist; csp; csp = csp->next)
Comparing "csp" to null implies that "csp" might be null.
272: sfprintf(shp->strbuf,"%s.%d%c",csp->name,pid&0xff,0);
ksh93/sh/macro.c:
* memory leak: pattern
1764: pattern = strdup(argp);
1978: return(1); but 'pattern' not free()d
* memory leak: id
1494: id = prefix(mp->shp,id); /* id = strdup( ) */
1978: return(1); but 'id' not free()d
ksh93/sh/name.c:
* realloc result assigned straight back to buf: on failure realloc returns NULL, buf is overwritten with it and the original buffer is leaked. Assign to a temporary and only update buf on success.
137: buf = (char*)realloc(buf,len);
ksh93/sh/nvtree.c:
* result always false regardless of the values of its operands
466: if((attr&NV_NOPRINT|NV_INTEGER)==NV_NOPRINT)
& binds tighter than |, so this parses as ((attr & NV_NOPRINT) | NV_INTEGER) == NV_NOPRINT,
i.e. ((attr & (4|8)) | 2) == (4|8), which can never hold because the
NV_INTEGER bit is always set on the left-hand side. (attr & (NV_NOPRINT|NV_INTEGER)) == NV_NOPRINT is presumably what was meant.
ksh93/sh/nvtype.c:
* null pointer dereference: np — the "no such variable" message appears to be printed in the
branch taken when np is null, yet it dereferences np->nvname; either the check at 629 is redundant or line 631 crashes.
629: if(!np)
631:sfprintf(sfstderr,"%s: no such variable\n",np->nvname);
* memory leak: val
1359: val = strdup(nv_getval(np));
1364: return(0); but 'val' not free()d
ksh93/sh/path.c:
* memory leak: saveargs
190: saveargs = (char**)malloc(n);
205: return(-1); but 'saveargs' not free()d
ksh93/sh/suid_exec.c:
* memory leak: groups
325: groups = (gid_t*)malloc((maxgroups+1)*sizeof(gid_t));
'groups' not free()d
ksh93/sh/xec.c:
* array 'arglist[2]' index 2 out of bounds: arglist has two elements (indices 0 and 1), so the store at 3579 writes one pointer past its end; if a terminating NULL at index 2 is intended, the array needs three elements
3570: char *arglist[2]
3579: arglist[2] = 0;
lib/libast/comp/catopen.c:
* memory leak: cc
108: if (!(cc = newof(0, Cc_t, 1, 0)))
119: return (_ast_nl_catd)(-1); but 'cc' not free()d
lib/libast/comp/getoptl.c:
* memory leak: t
54: t = strdup(optstring);
100: return -1; but 't' not free()d
138: return c; but 't' not free()d
lib/libast/comp/regcmp.c:
* va_end not called for: ap
77: va_start(ap, pattern);
79: return 0;
* va_end not called for: ap
193: va_start(ap, pattern);
195: return 0;
lib/libast/disc/sfdcmore.c:
* memory leak: more
324: if (!(more = (More_t*)malloc(sizeof(More_t) + n)))
368: return 0; but 'more' not free()d
lib/libast/disc/sfkeyprintf.c:
* possible null pointer dereference: a (initialized to 0 at line 147; if it is still 0 when line 190 is reached, strlen(a) is undefined behaviour)
147: char* a = 0;
190: if (i == ':' && fp->fmt.fmt == 's' && strlen(a) > 4 &&
!isalnum(*(a + 4)))
lib/libast/hash/hashscan.c:
* possible null pointer dereference: pos
91: if (!pos) return(pos->tab->root->last.bucket = 0);  — dereferences pos in exactly the branch where pos is null
lib/libast/misc/magic.c:
* possible null pointer dereference: ep
2444: register Entry_t* rp = 0;
2490: ep = rp;
2491: ep->value.lab->mask = 1;
lib/libast/misc/optjoin.c:
* va_end not called for: ap
68: va_start(ap, argv);
82: return 0;
89: return 1;
115: return 1;
lib/libast/misc/stk.c:
* memory leak: 'tp'
460: if(!(tp = malloc(off)))
475: return(0); but 'tp' not free()d
lib/libast/port/astconf.c:
* unbalanced parentheses (the counts of '(' and ')' differ) when these macros are
defined: 'ATT_UNIV;UNIV_MAX'
747: while (n < univ_max && !streq(value, univ_name[n])
lib/libast/port/astquery.c:
* va_end not called for: ap
54: va_start(ap, format);
56: return 0;
63: return -1;
67: return -1;
98: return -1;
103: return 0;
105: return 1;
lib/libast/port/lcgen.c:
* resource leak 'hf'
300: if (!(hf = fopen(hdr, "w")))
308: return 1; but 'hf' not closed
lib/libast/sfio/sfvscanf.c:
* va_end not called for: oargs
371: va_copy(oargs,args);
lib/libast/sfio/sfvprintf.c:
* va_end not called for: oargs
202: va_copy(oargs,args);
lib/libast/stdio/vfwprintf.c:
* memory leak
40: if (m = malloc(n + 1))
64: return v; but 'm' not free()d
lib/libast/string/tokscan.c:
* va_end not called for: prv_ap
235: va_copy(prv_ap, ap);
lib/libcmd/join.c:
* possible null pointer dereference: cp
260: if (!(cp= *argv) || cp[1]!='.' || (*cp!='1' && *cp!='2'))
262: if (*cp=='0' && cp[1]==0)
lib/libcmd/rev.c:
* memory leak: wp
77: if (!(wp = newof(wp, wchar_t, w, 0)))
91: return -1; but 'wp' not free()d
lib/libcmd/wclib.c:
* result always true regardless of the value of its operand
453: while(mbc(c) && ((c|WC_ERR) || (c&7)==0))  — (c|WC_ERR), i.e. (c|0x40L), is always
non-zero, so the || is always true, (c&7)==0 is never evaluated and the condition reduces to mbc(c); perhaps (c&WC_ERR) was intended
lib/libcmd/tty.c:
* unbalanced parentheses (the counts of '(' and ')' differ) when these macros are
defined: '_mac_STWLINE' — there is one ')' too many.
94: if (n = ioctl(0, STWLINE, 0)) >= 0)