zoukankan      html  css  js  c++  java
  • C++代码静态分析工具splint


      最近在项目中使用了静态程序分析工具PC-Lint, 体会到它在项目实施中带给开发人员的方便。PC-Lint是一款针对C/C++语言、windows平台的静态分析工具,FlexeLint是针对其他平 台的PC-Lint版本。由于PC-Lint/FlexeLint是商业的程序分析工具,不便于大家对其进行学习和使用,因而下面我将介绍一个针对C语言 的开源程序静态分析工具——splint


    先来说说什么是“静态程序分析(Static program analysis)”,静态程序分析是指使用自动化工具软件对程序源代码进行检查,以分析程序行为的技术,应用于程序的正确性检查、安全缺陷检测、程序优 化等。它的特点就是不执行程序,相反,通过在真实或模拟环境中执行程序进行分析的方法称为“动态程序分析(Dynamic program analysis)”。

    那在什么情况下需要进行静态程序分析呢?静态程序分析往往作为一个多人参与的项目中代码审查过程的一个阶段,因编写完一部分代码之后就可以进行静态 分析,分析过程不需要执行整个程序,这有助于在项目早期发现以下问题:变量声明了但未使用、变量类型不匹配、变量在使用前未定义、不可达代码、死循环、数 组越界、内存泄漏等。

    静态分析工具在代码通过编译之后再对代码进行分析。我们会问:静态分析工具与编译器相比,所做的工作有什么不同?静态分析工具相比 编译器,对代码进行了更加严格的检查,像数组越界访问、内存泄漏、使用不当的类型转换等问题,都可以通过静态分析工具检查出来,我们甚至可以在分析工具的 分析标准里定义代码的编写规范,在检测到不符合编写规范的代码时抛出告警,这些功能都是编译器没有的。

    既然静态分析工具发挥了不小的作用,何不在编译器里兼备静态分析的功能?对于这个问题,S. C. Johnson(他是最古老的静态分析工具Lint的作者)在其1978年发表的论文《Lint, a C Program Checker》中 给出了他的答案:“Lint与C编译器在功能上的分离既有历史原因,也有现实的意义。编译器负责把C源程序快速、高效地转变为可执行文件,不对代码做类型 检查(特别是对分别编译的程序),有益于做到快速与高效。而Lint没有“高效”的要求,可以花更多时间对代码进行更深入、仔细的检查。”


    splint effort-benefit curve




    splint *.c



     1 //splint_msg.c
    2 int func_splint_msg1(void)
    3 {
    4 int a;
    5 return 0;
    6 }
    7 int func_splint_msg2(void)
    8 {
    9 int* a = (int*)malloc(sizeof(int));
    10 a = NULL;
    11 return 0;
    12 }

    运行splint splint_msg.c之后,我们来看输出的告警信息:

    splint_msg.c: (in function func_splint_msg1)
    splint_msg.c:4:6: Variable a declared but not used
    A variable is declared but never used. Use /*@unused@*/ in front of
    declaration to suppress message. (Use -varuse to inhibit warning)

    splint_msg.c: (in function func_splint_msg2)
    splint_msg.c:10:2: Fresh storage a (type int *) not released before assignment:
    a = NULL
    A memory leak has been detected. Storage allocated locally is not released
    before the last reference to it is lost. (Use -mustfreefresh to inhibit
    splint_msg.c:9:37: Fresh storage a created

    Finished checking --- 2 code warnings








    splint -showcol a.c   //在检测a.c时,告警消息中列数不被打印
    splint -varuse a.c //在检测a.c时,告警消息中未使用变量告警不被打印




    1.解引用空指针(Null Dereferences)

    在Unix操作系统中,解引用空指针将导致我们在程序运行时产生段错误(Segmentation fault),一个简单的解引用空指针例子如下:

    1 //null_dereferences.c
    2 int func_null_dereferences(void)
    3 {
    4 int* a = NULL;
    5 return *a;
    6 }

    执行splint null_dereference.c命令,将产生以下告警消息:

    null_dereference.c: (in function func_null_dereferences)
    null_dereference.c:5:10: Dereference of null pointer a: *a
    A possibly null pointer is dereferenced. Value is either the result of a
    function which may return null (in which case, code should check it is not
    null), or a global, parameter or structure field declared with the null
    qualifier. (Use -nullderef to inhibit warning)
    null_dereference.c:4:11: Storage a becomes null

    Finished checking --- 1 code warnin



    1 //types.c
    2 void splint_types(void)
    3 {
    4 short a = 0;
    5 long b = 32768;
    6 a = b;
    7 return;
    8 }

    执行splint types.c命令,将产生以下告警消息:

    types.c: (in function splint_types)
    types.c:6:2: Assignment of long int to short int: a = b
    To ignore type qualifiers in type comparisons use +ignorequals.

    Finished checking --- 1 code warning

    3.内存管理(Memory Management)


    • 当尚有其他指针引用的时候,释放一块空间
    1 //memory_management1.c
    2 void memory_management1(void)
    3 {
    4 int* a = (int*)malloc(sizeof(int));
    5 int* b = a;
    6 free(a);
    7 *b = 0;
    8 return;
    9 }


    memory_management1.c: (in function memory_management1)
    memory_management1.c:7:3: Variable b used after being released
    Memory is used after it has been released (either by passing as an only param
    or assigning to an only global). (Use -usereleased to inhibit warning)
    memory_management1.c:6:7: Storage b released
    memory_management1.c:7:3: Dereference of possibly null pointer b: *b
    A possibly null pointer is dereferenced. Value is either the result of a
    function which may return null (in which case, code should check it is not
    null), or a global, parameter or structure field declared with the null
    qualifier. (Use -nullderef to inhibit warning)
    memory_management1.c:5:11: Storage b may become null

    Finished checking --- 2 code warnings


    • 当最后一个指针引用丢失的时候,其指向的空间尚未释放
    1 //memory_management2.c
    2 void memory_management2(void)
    3 {
    4 int* a = (int*)malloc(sizeof(int));
    5 a = NULL;
    6 return;
    7 }

    这个例子中内存尚未释放,就将指向它的唯一指针赋值为NULL,我们来看splint memory_management2.c的检测结果:

    memory_management2.c: (in function memory_management2)
    memory_management2.c:5:2: Fresh storage a (type int *) not released before assignment:
    a = NULL
    A memory leak has been detected. Storage allocated locally is not released
    before the last reference to it is lost. (Use -mustfreefresh to inhibit
    memory_management2.c:4:37: Fresh storage a created

    Finished checking --- 1 code warning

    splint抛出一个告警:类型为int*的a在进行a = NULL赋值前没有释放新分配的空间。

    4.缓存边界(Buffer Sizes)


    1 //bounds1.c
    2 void bounds1(void)
    3 {
    4 int a[10];
    5 a[10] = 0;
    6 return;
    7 }

    使用splint +bounds bounds1.c命令对其进行检测,结果如下:

    bounds1.c: (in function bounds1)
    bounds1.c:5:2: Likely out-of-bounds store: a[10]
    Unable to resolve constraint:
    requires 9 >= 10
    needed to satisfy precondition:
    requires maxSet(a @ bounds1.c:5:2) >= 10
    A memory write may write to an address beyond the allocated buffer. (Use
    -likelyboundswrite to inhibit warning)

    Finished checking --- 1 code warning


     1 //bounds2.c
    2 void bounds2(char* str)
    3 {
    4 char* tmp = getenv("HOME");
    5 if(tmp != NULL)
    6 {
    7 strcpy(str, tmp);
    8 }
    9 return;
    10 }

    不对这个例子进行详细检查,可能我们不能发现其中隐含的问题,执行splint +bounds bounds2.c之后,会抛出如下告警:

    bounds2.c: (in function bounds2)
    bounds2.c:7:3: Possible out-of-bounds store: strcpy(str, tmp)
    Unable to resolve constraint:
    requires maxSet(str @ bounds2.c:7:10) >= maxRead(getenv("HOME") @
    needed to satisfy precondition:
    requires maxSet(str @ bounds2.c:7:10) >= maxRead(tmp @ bounds2.c:7:15)
    derived from strcpy precondition: requires maxSet(<parameter 1>) >=
    maxRead(<parameter 2>)
    A memory write may write to an address beyond the allocated buffer. (Use
    -boundswrite to inhibit warning)

    Finished checking --- 1 code warning

    告警消息提示我们:在使用strcpy(str, tmp)进行字符串复制时,可能出现越界错误,因为str的大小可能不足以容纳环境变量“HOME”对应的字符串。绿色字体的内容指示了如何消除告警消息。



    这里仅给出了splint检查的4种检测:解引用空指针、类型、内存管理、缓存边界,除此之外,splint还对宏(Macros)、函数接口 (Function Interfaces)、控制流(Control Flow)等内容作检测,很多检测标志和格式化注释都未在本文中提到,更详细的内容请查看splint使用手册


  • 相关阅读:
    Shelve Instance 操作详解
    Rebuild Instance 操作详解
    Snapshot Instance 操作详解
    Nova Suspend/Rescue 操作详解
    Pause/Resume Instance 操作详解
    Terminate Instance 操作详解
    Nova reboot 和 lock 操作
    Start Instance 操作详解
    tar --help
    VIM标记 mark 详解
  • 原文地址:https://www.cnblogs.com/blueoverflow/p/4888747.html
Copyright © 2011-2022 走看看