Report from 2016-08-15 23:51:16

List of analyzer commands

0 /usr/bin/scan-build -o . -enable-checker alpha.core.FixedAddr -enable-checker alpha.core.IdenticalExpr -enable-checker alpha.core.PointerArithm -enable-checker alpha.core.PointerSub -enable-checker alpha.core.SizeofPtr -enable-checker alpha.cplusplus.NewDeleteLeaks -enable-checker alpha.deadcode.IdempotentOperations -enable-checker alpha.deadcode.UnreachableCode -enable-checker alpha.security.ArrayBoundV2 -enable-checker alpha.security.ReturnPtrRange -enable-checker alpha.security.MallocOverflow -enable-checker alpha.unix.MallocWithAnnotations -enable-checker alpha.unix.PthreadLock -enable-checker alpha.unix.Stream -enable-checker alpha.unix.cstring.BufferOverlap -enable-checker alpha.unix.cstring.NotNullTerminated -enable-checker alpha.unix.cstring.OutOfBounds -enable-checker security.insecureAPI.strcpy gcc -o buggy test.c
0 /usr/bin/cppcheck --std=c99 --template="{file}|{line}|{severity}|{id}|{message}" -D__x86_64__ --language=c --platform=unix64 --enable=warning,style,performance,unusedFunction --suppress=preprocessorErrorDirective --suppress=toomanyconfigs --suppress=variableScope --suppress=variableHidingTypedef --suppress=unusedFunction --inconclusive -DFOOMACROFORSERVICEPURPOCES -Dlinux /home/test/check/test.c
0 /usr/bin/frama-c -no-frama-c-stdlib -cpp-gnu-like -val -va -wp -sparecode -security-slicing -nonterm -cpp-extra-args=" -Dlinux -IcHeaderFileGeneratedByBzrPrg.h -I/usr/lib/gcc/x86_64-redhat-linux/4.8.5/include -I/usr/local/include -I/usr/include -I. -m64 -mtune=generic" test.c
0 /usr/bin/oclint -R=/usr/lib64/lib/oclint/rules/ -R=/usr/lib/lib/oclint/rules/ -enable-clang-static-analyzer -rc SHORT_VARIABLE_NAME=1 -rc LONG_LINE=1000 -rc LONG_METHOD=200 -rc LONG_VARIABLE_NAME=200 -rc MAXIMUM_IF_LENGTH=50 /home/test/check/test.c -extra-arg=-IcHeaderFileGeneratedByBzrPrg.h -extra-arg=-I/usr/lib/gcc/x86_64-redhat-linux/4.8.5/include -extra-arg=-I/usr/local/include -extra-arg=-I/usr/include -- gcc -obuggy test.c -c /home/test/check/test.c -c
0 /usr/bin/splint -unrecog -show-column -show-func +force-hints -strict +bounds -hints -D__x86_64__ +trytorecover +locindentspaces 1 -Dlinux -IcHeaderFileGeneratedByBzrPrg.h -I/usr/lib/gcc/x86_64-redhat-linux/4.8.5/include -I/usr/local/include -I/usr/include /home/test/check/test.c

List of files

2
#include <strings.h>
3
#include <stdlib.h>
4
#include <string.h>
5
 
6
int function1(char *a){

splint: Format argument 1 to printf (%d) expects int gets size_t: strlen(a)-->list does not include globals fileSystem

frama-c: Incorrect type for argument 2. The argument will be cast from size_t to int.

oclint: format specifies type 'int' but the argument has type 'unsigned long'

splint: Undocumented modification of file system state possible from call to-->printf: printf("Variable 1 = %d\n", strlen(a))

frama-c: Neither code nor specification for function strlen, generating default assigns from the prototype

splint: Called procedure printf may access file system state, but globals-->list does not include globals fileSystem

frama-c: non-terminating instruction in function function1:

frama-c: accessing uninitialized left-value. assert \initialized(&a);

7
    printf("Variable 1 = %d\n", strlen(a));

splint: Parameter to sizeof is type char: sizeof(char)-->instead: sprintf

oclint: parameter reassignment [convention|P3]

8
    a = malloc(10*sizeof(char));

oclint: format specifies type 'int' but the argument has type 'long'

cppcheck: %d in format string (no. 1) requires 'int' but the argument type is 'signed long'.

splint: Format argument 1 to sprintf (%d) expects int gets long int:-->10000000000L

splint: Possibly null storage a passed as non-null param: sprintf (a, ...)-->test.c:8: Storage a may become null

#include <string.h>
 
/*
 * function1 - analyzer test case: prints the length of the incoming string,
 * replaces the parameter with a fresh 10-byte heap buffer, formats a message
 * into that buffer and returns the resulting string length.
 *
 * a: C string on entry; only the first strlen() reads the caller's pointer.
 * Returns strlen() of the formatted buffer, narrowed from size_t to int.
 */
int function1(char *a){
    /* %d expects int, but strlen() yields size_t; %zu is the matching conversion. */
    printf("Variable 1 = %d\n", strlen(a));
    /* Parameter is reassigned; the malloc() result is used below without a NULL check. */
    a = malloc(10*sizeof(char));
    /* Unbounded write: the literal text alone exceeds the 10 bytes allocated, so
       sprintf() stores past the end of the heap buffer. %d is also given a long. */
    sprintf(a, "This is huge text, more then array size %d\n", 10000000000L);
    /* The buffer is never freed and no pointer to it leaves the function. */
    return strlen(a);
}
 
...

splint: Buffer overflow possible with sprintf. Recommend using snprintf-->instead: sprintf

frama-c: Incorrect type for argument 3. The argument will be cast from long long to int.

9
    sprintf(a, "This is huge text, more then array size %d\n", 10000000000L);

clang-analyzer: Potential leak of memory pointed to by 'a'

splint: Fresh storage a not released before return-->test.c:8: Fresh storage a created

#include <string.h>
 
/*
 * function1 - analyzer test case whose heap allocation is never released.
 *
 * a: C string on entry; its length is printed, then the parameter is pointed
 *    at a new 10-byte allocation that the function owns from then on.
 * Returns the length of the formatted text as int (strlen() returns size_t).
 */
int function1(char *a){
    /* Format/argument mismatch: %d is paired with a size_t value. */
    printf("Variable 1 = %d\n", strlen(a));
    /* Fresh storage: from here this function holds the only pointer to it. */
    a = malloc(10*sizeof(char));
    /* No size bound and no NULL check; the text is longer than 10 bytes. */
    sprintf(a, "This is huge text, more then array size %d\n", 10000000000L);
    /* Leak: returning here drops the only pointer to the allocation; there is
       no free(a) on any path. */
    return strlen(a);
}
 
...

splint: Return value type size_t does not match declared type int: strlen(a)-->test.c:8: Fresh storage a created

#include <string.h>
 
/*
 * function1 - analyzer test case; declared to return int but returns the
 * size_t result of strlen().
 *
 * a: C string on entry; replaced inside the function by a 10-byte heap buffer.
 * Returns the formatted buffer's length, implicitly converted from size_t to int.
 */
int function1(char *a){
    /* strlen() result (size_t) is printed with %d, which expects int. */
    printf("Variable 1 = %d\n", strlen(a));
    /* Overwrites the parameter; allocation failure is not handled. */
    a = malloc(10*sizeof(char));
    /* sprintf() has no length limit; the output does not fit in 10 bytes. */
    sprintf(a, "This is huge text, more then array size %d\n", 10000000000L);
    /* Implicit size_t -> int conversion on return; the buffer is not freed. */
    return strlen(a);
}
 
...

frama-c: unreachable return statement for function function1

oclint: Potential leak of memory pointed to by 'a'

cppcheck: Memory leak: a

frama-c: no final state. Probably unreachable...

frama-c: Neither code nor specification for function malloc, generating default assigns from the prototype

10
    return strlen(a);
11
}
12
 

splint: Function function2 declared without parameter list-->snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n") Unable to resolve constraint: requires maxSet(alloca(10 * sizeof(char)) @ test.c:14) >= 11 needed to satisfy precondition: requires maxSet(internal_buffer @ test.c:15) >= 11 derived from snprintf precondition: requires maxSet(<parameter 1>) >= <parameter 2> + -1

13
char *function2(){

frama-c: Calling undeclared function __builtin_alloca. Old style K&R code?

cppcheck: Obsolete function 'alloca' called. In C99 and later it is recommended to use a variable length array instead.

splint: Parameter to sizeof is type char: sizeof(char)-->snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n") Unable to resolve constraint: requires maxSet(alloca(10 * sizeof(char)) @ test.c:14) >= 11 needed to satisfy precondition: requires maxSet(internal_buffer @ test.c:15) >= 11 derived from snprintf precondition: requires maxSet(<parameter 1>) >= <parameter 2> + -1

14
    char *internal_buffer = alloca(10 * sizeof(char));

splint: Possible out-of-bounds store:-->snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n") Unable to resolve constraint: requires maxSet(alloca(10 * sizeof(char)) @ test.c:14) >= 11 needed to satisfy precondition: requires maxSet(internal_buffer @ test.c:15) >= 11 derived from snprintf precondition: requires maxSet(<parameter 1>) >= <parameter 2> + -1

splint: Return value (type int) ignored: snprintf(interna...-->snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n") Unable to resolve constraint: requires maxSet(alloca(10 * sizeof(char)) @ test.c:14) >= 11 needed to satisfy precondition: requires maxSet(internal_buffer @ test.c:15) >= 11 derived from snprintf precondition: requires maxSet(<parameter 1>) >= <parameter 2> + -1

cppcheck: Buffer is accessed out of bounds.

splint: Function snprintf expects arg 2 to be size_t gets int: 12-->snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n") Unable to resolve constraint: requires maxSet(alloca(10 * sizeof(char)) @ test.c:14) >= 11 needed to satisfy precondition: requires maxSet(internal_buffer @ test.c:15) >= 11 derived from snprintf precondition: requires maxSet(<parameter 1>) >= <parameter 2> + -1

15
    snprintf(internal_buffer, 12, "Another big string to copy to the buffer\n");

clang-analyzer: Address of stack memory allocated by call to alloca() on line 14 returned to caller

oclint: Address of stack memory allocated by call to alloca() on line 14 returned to caller

16
    return internal_buffer;
17
}
18
 
19
int function3(int a, int b){
20
    int c[20];
21
    int i;

oclint: parameter reassignment [convention|P3]

clang-analyzer: The right operand of '*' is a garbage value

splint: Variable i used before definition-->right operand): ++a + a++

oclint: The right operand of '*' is a garbage value

cppcheck: Uninitialized variable: i

22
    a = a * i;
23
    for (i=0;i<21;i++){

clang-analyzer: This statement is never executed

cppcheck: Array 'c[20]' accessed at index 20, which is out of bounds.

splint: Possible out-of-bounds store: c[i]-->Unable to resolve constraint: requires i @ test.c:24 <= 19 needed to satisfy precondition: requires maxSet(c @ test.c:24) >= i @ test.c:24

24
     c[i]=a*b;

oclint: parameter reassignment [convention|P3]

splint: Expression has undefined behavior (left operand modifies a, used by-->right operand): ++a + a++

splint: Expression has undefined behavior (value of left operand a is-->modified by right operand ++a + a++): a = ++a + a++

cppcheck: Expression '++a+a++' depends on order of evaluation of side effects

oclint: multiple unsequenced modifications to 'a'

splint: Expression has undefined behavior (left operand uses a, modified by-->right operand): ++a + a++

25
     a=++a+a++;
26
    }

splint: Possible out-of-bounds read: c[i - 22]-->Unable to resolve constraint: requires maxRead(c @ test.c:27) >= i @ test.c:27 + -22 needed to satisfy precondition: requires maxRead(c @ test.c:27) >= i @ test.c:27 - 22

cppcheck: Array index -1 is out of bounds.

27
    return c[i-22];
28
}
29
 
30
int main(int argc, char **argv){

oclint: initializer-string for char array is too long

clang-analyzer: initializer-string for array of chars is too long [enabled by default]

frama-c: Too many initializers for character array arr

splint: String literal with 12 characters (counting null terminator) is-->assigned to char [10] (insufficient storage available): "12345678901"

31
    char arr[10] = "12345678901";
32
    char *buf;
33
    if (argc>0){

clang-analyzer: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119

frama-c: Neither code nor specification for function strcpy, generating default assigns from the prototype

frama-c: out of bounds read. assert \valid_read(argv+1);

34
    strcpy(arr, argv[1]);
35
    }

clang-analyzer: Function call argument is an uninitialized value

cppcheck: Uninitialized variable: buf

oclint: Function call argument is an uninitialized value

splint: Parse Error. Attempting to continue.-->Code cannot be parsed. For help on parse errors, see splint -help parseerrors.

frama-c: non-terminating instruction in function main:

36
    int result = function1(buf);
37
    printf("Result %d, %s\n", result, arr);
38
    buf = function2();
39
    printf("Buf %s\n", buf);
40
    result = function3(10,20);
41
    printf("Result %d\n", result);

frama-c: Neither code nor specification for function __builtin_bswap64, generating default assigns from the prototype

frama-c: unreachable return statement for function main

frama-c: no final state. Probably unreachable...

frama-c: Neither code nor specification for function __builtin_alloca, generating default assigns from the prototype

frama-c: Neither code nor specification for function __builtin_bswap32, generating default assigns from the prototype

42
    return 0;
43
}