Splint - Secure Programming Lint
Download - Documentation - Manual - Links Reporting Bugs - Mailing Lists      Sponsors - Credits

Splint Change Log

This page documents changes to Splint. See CVS repository (http://sourceforge.net/projects/lclint/) for details.

3.1.2 Release (12 July 2007)

Bug Fixes

Declarations of intptr_t and uintptr_t
The standard library declares the intptr_t and uintptr_t types incorrectly. They are declared as int * and unsigned int *, but should be integral types (large enough to hold a pointer) instead.

(Reported by David Sanderson, 25 Sep 2004. Fixed in development standard.h.)

Mode help
Splint crashes when run with -help weak or another mode flag.

(Reported by Clive Bach, 27 July 2004. Fixed in CVS 28 July 2004.)

Missing va_copy
The standard library is missing va_copy.

(Reported by Roland Illig, 21 May 2004. Fixed in CVS, 21 May 2004.)

Shifting in pre-processor expressions
Splint will report an internal error for a preprocessor expression that shifts a negative value. This should produce a warning message instead.

(Reported by Dirk Herrmann, 10 Nov 2003. Fixed in CVS, 18 May 2004, but no warning message added yet.)

gmtime and localtime
The return type is incorrectly specified as /*@null@*/ in the standard library. gmtime and localtime are guaranteed to return non-null values.

(Reported by Terry Colligan, 30 Oct 2003. Fixed in CVS, 2 Nov 2003.)

Redefining __func__
Splint will report an internal bug if built in special definitions like __func__ are redefined.

(Reported by Terry Colligan, 28 Oct 2003. Fixed in CVS, 28 Oct 2003.)

Pragma Line Numbers
Splint does not count
#pragma ...
lines in the line number.

(Reported by Scott Frazer, 27 Oct 2003. Fixed in CVS, 27 Oct 2003.)

Files Unclosed in Win32
Options that involve writing messages to files do not work in Win32. The check that all files are closed was somehow copied to a location it shouldn't be (llmain:830).

(Fixed in CVS 18 Sept 2003.)

Multi-dimensional Arrays
Splint does not interpret declarations of multidimensional arrays correctly. A declaration like int a[][10] is misinterpreted as int a[10][].

(Reported by Bill Leahy, 15 Sept 2003. Fixed in CVS 15 Sept 2003.)

&& and || guards
Splint does not correctly interpret guards for non-boolean expressions in && and || clauses (e.g., if (s && t)).

(Reported by Andrew Bishop. Fixed in CVS 13 August 2003.)

scanf %x
Splint interprets %x in a scanf format string as an int *, but it should be an unsigned int *.

(Reported by Andrew Bishop. Fixed in CVS 13 August 2003.)

+matchanyintegral and unsignedintegrals
When +matchanyintegral is set, splint should allow any int type to match an aribtrary unsigned integral.

(Reported by John Makecki. Fixed in CVS 18 July 2003.)

Shadow updates
When a variable declaration is shadowed, the sRef_updateSref function will find the inner reference when there is an alias to the outer reference.

(Reported by John Makecki. Fixed in CVS 18 July 2003.)

Internal assertion fails for unconventional bounds
An internal assertion will fail for strange array indexes like, i["]<i;++i){--i;}"].

(Reported by Xose Vazquez Perez. Fixed in CVS 12 July 2003.)

Assignments with global structs
Splint does not correctly update state when the rhs of an assignment is a struct with global scope.

(Reported by Steve Brooke. Fixed in CVS, 10 July 2003.)

Defining __STDC__
Splint should define __STDC__. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=171437&msg=7 for details.

(Reported by Vincent Lefevre. Fixed in CVS, 10 July 2003)

Missing signal.h definitions
The posix library is missing some definitions from signal.h.

(Reported by Jerry James. Fixed in CVS, 13 June 2003)

Pre-processing ISO8859-1 characters
Splint does not process ISO8859-1 characters correctly since it is building on a pre-ISO8859-1 version of gcc's pre-processor, and character \377 is indistinguishable from EOF.

(Reported by Kai Hofmann. Fixed in CVS, 6 June 2003)

Printing lltok
Splint prints -> tokens in specifications incorrectly as ".". Reported and fixed by Psanzani.

(Fixed in CVS, 6 June 2003)

3.1.0 Release (21 April 2003)


Added support for numabstract types. A type defined with /*@numabstract@*/ is treated like an abstract type, except the standard C numeric operators (++, --, +, -, <, >, etc.) can be used on it. If +numabstractlit is set, then number literals may be used as numabstract type values. If +numabstractcast is set, casting to a numabstract produces a warning. If +numabstractindex is set, numabstract types may be used to index arrays. If +numabstractprint is set, a warning is produced if a numabstract value is passed as a %d parameter in a printf format string. (Suggested by Simon Hosie)

Changed Boolean support to be more consistent with ISO C99. _Bool is the default boolean type (and bool is defined), and true and false are the default true and false values (instead of TRUE and FALSE).

Added messagestream, warningstream and errorstream control flags so each type of message can be directed to a different standard stream or output file:

     messagestreamstdout, messagestreamstderr, messagestream 
     warningstreamstdout, warningstreamstderr, warningstream 
     errorstreamstdout, errorstreamstderr, errorstream 

Added htmlfileformat flag for producing links around file locations. (Requested by Hien Phan)

Added csv flag to generate comma separated values formatted output file to enable storing and manipulating warings in a database (or Excel). (Suggested by Brian Parrott)

Added support for +longint and +shortint flags, and changed type checking accordingly.

Added flag nullinit to control warnings about initializations that may be missing null annotations.

Add the flags likelybounds, likelybounds-read, and likelybounds-write. These flags cause Splint to produce warnings for potential bounds errors that when there is a high probabity that there is a real problem.

Adding support for the -i <dir> command line include option.

Added the emptyreturn flag to control warnings about missing return values.

Added abstractcompare flag to distinguish warnings about object equality comparisons on abstract types, from uses of other operators.

Added anytype constant to support /*@alt anytype@*/ properly.

Bug Fixes

Fixed bugs causing Splint to report spurious bounds-errors for code involving certain loops.

Fixed bugs Splint to report spurious bounds-errors for certain if-else statements.

Fixed problem with multiple passes on type definitions with /*@alt@*/

Fixed build problem with Mac OS X.

Fixed problem causing crashes if multiple globals clauses are used.

Fixed bug causing Splint to incorrectly display the file name path in error messages when it was given the absolute path name of a file outside of the current directory and the subdirectories below the current directory.

Fixed bug causing Splint to report spurious bounds-errors for code in which sizeof was applied to a string literal.

Fixed bug causing an internal error if a directory was listed on the command line instead a sourcefile.

The getgrgid, getgrnam, and getpwnam functions the Posix and Unix libraries are now declared to return /*@observer@*/ references.

Added snprintf to the standard library. It was added to ISO C99, so should be in the standard library in addition to the Unix library.

Fixed bug causing Splint to misinterpret initializations of char arrays with string literals. In code like char s[] = "abc"; was incorrectly marked as observer. Requested by (Olivier L'Heureux.)

Fixed bug causing the pre-processor to lose necessary whitespace before an identifier that corresponds to the name of a parameterized macro inside a macro expansion. (Reported by Adam Clarke.)

Fixed bugs in which Splint couldnot parse offsetof expressions where the field designator is an array fetch: offsetof(some_struct_t,d[index]). (Reported by Asger Overby.

Updated the declarations of struct iovec and struct msghdr in the unix library to include the /*@dependent@*/ annotations on their pointer fields; the implicit only annotations were incorrect. (Reported by Enrico Scholz.)

Fixed bug causing Splint to report spurious redeclartion warnings for forward enum tags.

Fixed bug causing Splint to report the wrong line number after a multi-line macro instantiation (it only counts as one line). (Reported by Andreas Rasmusson.)

Changed flags.def to make the library setting flags idempotent (doesn't matter if you use - or +). This prevents spurious flag warnings.

Fixed problem with unnamed union definitions within structure definitions. (Reported by Charles Lecklider)

Fixed line and column printing in uses lists (+showalluses) to be consistent with parenfileformat. (Reported by Mat Butler)

Fixed initializations of string literals. An initialization like, char s[] = "test"; copies the literal into the array, so s may be modified. This is different from char *s = "test"; which makes s an observer. (Reported by Ralf Wildenhues)

Fixed problem with resetting null state after error for constants.

Fixed problem with loop guards in loop test effects. New test case looptesteffect. (Reported by Anders Pilegaard)

Added code to fileTable.c for relative paths on systemDir. (Suggested by Jim Zelenka.)

Fixed missing sRef_clearDerived in usymtab_exitScope. This causes dangling references to old sRef's.

Changed pre-processor so multi-line macro parameters do not mess up line numbers.

Added grammar support for compound literals. No checking is done for these yet. (Reported by Peter Anttu.)

Fixed warning message for shiftsigned flag. (Reported by Melson Beebe.)

Fixed skipisoheaders flag. skipansiheaders and skipisoheaders are both supported now. (Reported by Jeroen Ruigrok van der Werven.)

Changed declaration of BUFSIZ to be size_t. (Reported by Walter Briscoe.)


Fixed bug with internal error for unrecognized file names in #line pre-processor directives. (Reported by Stefan Allius.)

Extended grammar to support ISO C99 and gcc obsolete extension for initializing structure fields and array elements using explicit designators. The ISO C99 syntax is struct evil_struct s = { .bad_integer = 1 };. An obsolete gcc extension is supported also: struct evil_struct s = { bad_integer: 1 };. The syntax is supported to allow Splint to parse code that uses this, but no checking is done for the initialzer.

Fixed type parsing to interpret parenthesized pointers correctly (e.g., int (*p)[];). (Reported by Ralf Wildenhues)

Relaxed grammar to allow null statements as external declarations. (This appears to not be allowed according to the ISO C99 grammar, but gcc and some other compilers allow it.) (Reported by Mark Baushke.)

Fixed division by zero error in constant value analysis. (Reported by Sami Farin)

Internal bug report for unnamed enum declarations inside structure declarations. (Reported by Thomas Nordin)

Internal bug report for ((a[0][1]) != 0). (Reported by Thomas Nordin)

Both of these were instances of overly cautious internal bug reporting.



The flag +show-constraint-location is now set by default. This flags causes Splint to include the expression which caused the error in error messages for potential out of bounds errors.

The flag bounds-compact-error-messages has been added. If this flag is set, new lines are not included in the error messages for bounds errors. This flag is intended for situations in which the difference in format between bounds error messages and other type of splint error messages made parsing difficult. It may also be useful in cases where screen space is limited.

Bug Fixes

Fixed bug in which Splint would crash if there is a typedef involving a fixed size array. This problem occured if the flags bounds, boundsread, or boundswrite were set. (Reported by Jim Francis ) Fixed in CVS, 25 Jan 2002.

Fixed bug in which Splint would erroneously warn that a "string literal is assigned to a char array too small to hold it" if an array is initialized with a string containing escape sequences. (Reported by Jeff Johnson) Fixed in CVS, 22 Jan 2002.


Fixed explicit array bounds parsing (reported by Randi J. Relander). C syntax puts array sizes backwards, need to reverse in ctype_makeInnerFixedArray.

Release 3.0.1

Changed name to Splint

.lclintrc changed to .splintrc

Splint will look for .splintrc and .lclintrc files. If both exist, a warning is produced (FLG_WARNRC)

Call showHerald() in llgenerrorreal so herald is displayed before command line warnings.

Fixed sRef's so definitely null references always have alias kind unknown (cannot produce an aliasing error)

Added checking for union initializers (bug reported by Jim Zelenka).

Fixed handling of unrecognized pre-processor directives (bug reported by Pierluigi Sanzani).

Fixed problems with wide character literals (L"string") (bug reported by Nelson Beebe).

Changed grammar to allow multiple /*@fallthrough@*/, /*FALLTHRU*/ and /*FALLTHROUGH*/ comments for one case. (suggested by Nelson Beebe)

Fixed bug in uentry_makeVarFunction for type defined function pointers (bug reported by Alexander Mai)

loopexec is now divided into forloopexec, whileloopexec and iterloopexec flags (all off by default).

Added obviousloopexec (on by default) flag and implemented exprNode_loopMustExec to handle for loops that "obviously" must execute. (This sould be intergrated with the buffer overflow analysis that probably does this more precisely.)

Make /*@special@*/ annotation no longer imply allocated storage. (This was pretty silly. special annotation shouldn't be necessary at all, except for documentation maybe.)

Fixed pre-functions for sets and allocates state clauses to set the state to undefined on entry.

Fixed checking for shift expressions. Replaced shiftsigned with shiftnegative (warns if the right operand of a shift may be negative) and shiftimplementation (warns if left operation of a shift may be negative).

Splint mustfree into mustfreeonly and mustfreefresh to allow more precise control over memory leak checking. mustfree is now a special flag that sets both.

Added call from grammar to check if predicate to report error in before checking body.

Replaced ansilimits with ansi89limits and iso99limits to reflect changes in translation limits between ANSI C89 and ISO C99.

Replaced +control flag with duplicatecases, alwaysexits, emptyreturn and macroreturn (all plain, default +)


Build now uses autoconf. The test suite is now run automaticly each time a top level make is done. (We thank Tim Van Holder for producing the automake and autoconf distribution.)

Improved defaults for LARCH_PATH and LCLIMPORTDIR

Various fixes and improvements in the buffer overflow detection code.

Added the flag slashslashcomment which detects c++ sytle // comments which are not supported by some older compilers additional functions added to the unix library.


Changed typechecking for NULL values to report warnings for mistyped comparisions involving cast NULL pointers (e.g., char *s = (int *) NULL). (Reported by Nelson Beebe.)

Fixed scanner to allow octal constants with L and UL specifiers. (Reported by Nelson Beebe.)

Fixed problem with path flow in do ... while loops. (Reported by Jim Zelenka.)

Fixed but in aliasing for += assignments. (Reported by Nelson Beebe.)

Fixed %c handling in format strings - its an int converted to unsigned char. (Reported by Nelson Beebe.)

Fixed spelling of "preceeding" ("preceding"). (Suggested by Nelson Beebe.)

Changed char_fromInt assertions to allow non-ASCII character sets. (Suggested by Anthony Giorgio)


Expanded the unix library.

The unix library now includes the stdio.h and stdlib.h interfaces as defined by the Single Unix Specification, Version 2. Additionally a number of missing functions were added to the unix library.


Added table of open files to deal with unclosed files on fatal exits. This is important since some platforms cannot unlink open files, and hence, temporary files will not be removed.

Fixed parsing of undeclared macros with parameter lists.

Fixed exprNode_arrayFetch so e1 and e2 are not swapped when type of e1 is ctype_unknown. (Avoid errors for a[0] where a is unknown.)

Made sRef_enterFunctionScope cleanup state if in a macro definition


Fixed fileloc internal assertions for syntactic comments spanning multiple lines comtaining regular comment opens. Added warnings for likely unclosed syntactic comments (/* inside syntactic comment). (Reported by gcarter)

Incorporated Herbert Dietze's fixed to cstring_getCannonicalPrefix (and moved to osd_getCannonicalPrefix). Added test for empty directory strings in context.c. (Suggested by Herbert Dietze)

Changed include path behavior - added C_INCLUDE_PATH files to sysdirs. Some thought and investigation still needed on the right way to handle include paths and sysdirs. (Suggested by Herbert Dietze)

Remove replace_unixdir_with_windir from cpplib.c, replaced with cstring_replaceAll (Suggested by Herbert Dietze)


# ifdef WIN32
extern int yywrap (void) /*@*/ ;
# endif
from globals.h (Suggested by Herbert Dietze)

Allowed .pp files on command line when -nopp is used (warning otherwise)

Added warning in README about bison versions

Fixed spelling of "envirnoment" (Suggested by Alexander Mai)

Added sys/types.h from Standard UNIX Spec to unix.h changed ino_t from integraltype to unsignedintegraltype

Added random functions from stdlib.h Standard UNIX Spec to unix.h Added netinet/in.h from Standard UNIX Spec to unix.h


Added src/DATE to distribution


sRef.c:  removed assertion
      /* evans 2001-08-27 no: can change this - llassert
      (s->info->arrayfetch->arr == arr); */
      this fails for code like:
          addr = &((unsigned char *)chp) [x];
	  addr[0] = 3;
      because setArrayFetchState tries to simplify &a[0] => a[].
      (This may be a bad idea in general!)
fixed OS -> OS2
# if defined(UNIX) || defined(OS2) || defined(MSDOS) || defined(WIN32)
Added support for -I- to turn on ignore source directory include path searching. Code provided by Robin Watts.

Fixed reflection of post clauses on inner fields derived through aliases. (Didn't use sRef_aliasSetCompleteParam!) (Bug reported by Mikhail Bessonov.)

Added warnuse flags: portability, unixstandard

Fixed unix.h to include isascii, toascii, _toupper and to_lower from ctype.h (Bugs reported by Alexander Mai.)

Fixed unix.h to follow Standard UNIX Specification for sys/stat.h (Bugs reported by Alexander Mai.)

Added check to report warnings for < and <= comparisons of unsigned with 0. Controled by +unsignedcompare (on in standard and higher modes). Test: unsignedcompare (Suggested by Martin Smoot.)


Started change log.
Splint - Secure Programming Lint info@splint.org
Download - Documentation - Manual - Links
Source - Linux - Publications - Talks
Reporting Bugs - Mailing Lists       Sponsors - Credits