Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
$ vim valgrind_test.c
#include <stdio.h>
#include <stdlib.h>
int main() {
char *ptr = (char *) malloc(1024);
char ch;
/* Uninitialized read */
ch = ptr[1024];
/* Write beyond the block */
ptr[1024] = 0;
/* Orphan the block */
ptr = 0;
exit(0);
}
$ gcc -Wall -pedantic valgrind_test.c
This prints compiler warnings, such as unused variables.
$ sudo apt-get install splint
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
splint-data
Suggested packages:
splint-doc-html
The following NEW packages will be installed:
splint splint-data
0 upgraded, 2 newly installed, 0 to remove and 261 not upgraded.
Need to get 928 kB of archives.
After this operation, 2,998 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty/universe splint-data all 3.1.2.dfsg1-2 [182 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty/universe splint i386 3.1.2.dfsg1-2 [746 kB]
Fetched 928 kB in 11s (82.7 kB/s)
Selecting previously unselected package splint-data.
(Reading database … 210095 files and directories currently installed.)
Preparing to unpack …/splint-data_3.1.2.dfsg1-2_all.deb …
Unpacking splint-data (3.1.2.dfsg1-2) …
Selecting previously unselected package splint.
Preparing to unpack …/splint_3.1.2.dfsg1-2_i386.deb …
Unpacking splint (3.1.2.dfsg1-2) …
Processing triggers for man-db (2.6.7.1-1ubuntu1) …
Setting up splint-data (3.1.2.dfsg1-2) …
Setting up splint (3.1.2.dfsg1-2) …
$ splint -strict valgrind_test.c
Splint 3.1.2 --- 03 May 2009
valgrind_test.c:4:5: Function main declared without parameter list
A function declaration does not have a parameter list. (Use -noparams to
inhibit warning)
valgrind_test.c: (in function main)
valgrind_test.c:6:29: Function malloc expects arg 1 to be size_t gets int: 1024
To allow arbitrary integral types to match any integral type, use
+matchanyintegral.
valgrind_test.c:9:6: Index of possibly null pointer ptr: ptr
A possibly null pointer is dereferenced. Value is either the result of a
function which may return null (in which case, code should check it is not
null), or a global, parameter or structure field declared with the null
qualifier. (Use -nullderef to inhibit warning)
valgrind_test.c:6:13: Storage ptr may become null
valgrind_test.c:9:6: Array element ptr[1024] used before definition
An rvalue is used that may not be initialized to a value on some execution
path. (Use -usedef to inhibit warning)
valgrind_test.c:11:1: Assignment of int to char: ptr[1024] = 0
Types are incompatible. (Use -type to inhibit warning)
valgrind_test.c:13:1: Fresh storage ptr (type char *) not released before
assignment: ptr = 0
A memory leak has been detected. Storage allocated locally is not released
before the last reference to it is lost. (Use -mustfreefresh to inhibit
warning)
valgrind_test.c:6:35: Fresh storage ptr created
valgrind_test.c:9:6: Possible out-of-bounds read: ptr[1024]
Unable to resolve constraint:
requires maxRead(malloc(1024) @ valgrind_test.c:6:22) >= 1024
needed to satisfy precondition:
requires maxRead(ptr @ valgrind_test.c:9:6) >= 1024
A memory read references memory beyond the allocated storage. (Use
-boundsread to inhibit warning)
valgrind_test.c:11:1: Likely out-of-bounds store: ptr[1024]
Unable to resolve constraint:
requires 1023 >= 1024
needed to satisfy precondition:
requires maxSet(ptr @ valgrind_test.c:11:1) >= 1024
A memory write may write to an address beyond the allocated buffer. (Use
-likelyboundswrite to inhibit warning)
Finished checking --- 8 code warnings
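For comparison, here is a version of the test program rewritten to address the defects Splint reported above: the unchecked malloc result, the read before definition, the out-of-bounds read and store at index 1024, and the leaked block. This is an added example, not code from the original page; the helper names block_new, block_get, block_set and run_checked are hypothetical, and /*@null@*/ and /*@only@*/ are Splint annotations of the kind mentioned in the introduction.

```c
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE ((size_t) 1024)   /* size_t, as malloc expects */
/* Hypothetical helper. Splint annotations: the result may be NULL, and the
 * caller owns it and must free it before the last reference is lost. */
static /*@null@*/ /*@only@*/ char *block_new(size_t size)
{
    char *ptr = (char *) malloc(size);
    if (ptr != NULL)
        memset(ptr, 0, size);     /* define every byte before any read */
    return ptr;
}

/* Bounds-checked read: 0 on success, -1 on NULL or idx >= size. */
static int block_get(const char *ptr, size_t size, size_t idx, char *out)
{
    if (ptr == NULL || out == NULL || idx >= size)
        return -1;
    *out = ptr[idx];
    return 0;
}

/* Bounds-checked write: 0 on success, -1 on NULL or idx >= size. */
static int block_set(char *ptr, size_t size, size_t idx, char value)
{
    if (ptr == NULL || idx >= size)
        return -1;
    ptr[idx] = value;
    return 0;
}

/* Replays the page's accesses; returns how many were refused, -1 on OOM. */
int run_checked(void)
{
    char *ptr = block_new(BLOCK_SIZE);
    char ch = '\0';
    int refused = 0;

    if (ptr == NULL)
        return -1;
    refused += (block_get(ptr, BLOCK_SIZE, 1024, &ch) != 0);   /* read past end */
    refused += (block_set(ptr, BLOCK_SIZE, 1024, '\0') != 0);  /* write past end */
    refused += (block_set(ptr, BLOCK_SIZE, 1023, 'x') != 0);   /* last valid index */
    free(ptr);                    /* release before dropping the reference */
    return refused;
}

int main(void) { return run_checked() == 2 ? EXIT_SUCCESS : EXIT_FAILURE; }
```

Index 1024 is one past the end of a 1024-byte block, so both accesses at that index are refused, while the write at 1023 succeeds.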