| blob | e3691b1a9c18ecd23f9153b593a7f3ffdcb270b6 |
3 <html>
4 <head>
6 </head>
8 <body>
12 <p>The propose of this document is to provide an example of
13 how to use wrapper functions to create programs that are
14 more robust and that Splint can check more
15 effectively. The C standard library function realloc
16 has complex semantics and is easy to use incorrectly.
17 Still, it is a popular function, and we are frequently
18 asked how to use Splint to check code that uses
19 realloc. We hope to answer these questions in this
20 section. Additionally, we hope this example will
21 provide insight into other ways to work around some of the
22 limitations of Splint’s checking, and serve as a
23 template for users wishing to create their own wrapper
24 functions.</p>
26 <p>Splint cannot currently describe general functions where
27 some of the attributes are dependent on one or more of the
28 possible return values. Often, functions are defined
29 to modify their outputs, and perhaps allocate storage, but
30 can also return an error indication, in which case none of
31 the modifications or allocations will take place.</p>
33 <p>One very common example of this is the C standard
34 library function realloc( void *pointer, size_t
35 size). When realloc succeeds, the pointer passed to
36 it is no longer valid. The returned pointer points to
37 available storage with the specified size, and the values
38 are copied from the leading portion of the original storage
39 indicated by the pointer passed to the function. When
40 realloc returns a NULL pointer, and more than zero bytes
41 were supposed to be allocated, no new storage has been
42 allocated. The original pointer passed in is not
43 deallocated and its contents are still accessible.
44 (Under ANSI C '89 and later, malloc and realloc may return
45 NULL if asked for zero bytes. In this case, realloc
46 would release the old storage.)</p>
48 <p>If you use realloc, -usereleased can be used to suppress
49 warnings. However, this may result in legitimate
50 warnings for other errors being suppressed as well.
51 If you don't mind crafting your code to work around
52 Splint's quirks, you can isolate this difficult-to-describe
53 behavior to a single function that's easy to verify by
54 inspection, and use that function elsewhere. For
55 example:</p>
61 grow_or_free (/*@only@*/ void *ptr,
62 size_t newsize)<br>
64
65 /*@*/<br>
69 void
70 *newptr;<br>
72 newptr =
73 realloc (ptr, newsize);<br>
75 if (newptr ==
79
80 /* Splint would complain,<br>
83
87
88 free (ptr);<br>
91
92 return NULL;<br>
96 return
97 newptr;<br>
103 <p>It would also be possible to use a function that always
104 returns a valid pointer, and separately indicates whether
105 it managed to change the size to that desired by the
106 caller.</p>
107 </div>
108 </body>
109 </html>