[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Static code-checking observations
From: |
Gavin Smith |
Subject: |
Re: Static code-checking observations |
Date: |
Sun, 5 Feb 2017 13:02:25 +0000 |
On 4 February 2017 at 17:42, Hans-Bernhard Bröker <address@hidden> wrote:
>> Index: tilde.c
>> ===================================================================
>> --- tilde.c (Revision 7649)
>> +++ tilde.c (Arbeitskopie)
>> @@ -114,16 +114,13 @@
>> char *
>> tilde_expand (char *string)
>> {
>> - char *result;
>> - int result_size, result_index;
>> + char *result = NULL;
>> + unsigned int result_size = 0, result_index = 0;
>>
>> - result_size = result_index = 0;
>> - result = NULL;
>> -
>> /* Scan through STRING expanding tildes as we come to them. */
>> while (1)
>> {
>> - register int start, end;
>> + unsigned int start, end;
>> char *tilde_word, *expansion;
>> int len;
>>
>> @@ -132,7 +129,10 @@
>>
>> /* Copy the skipped text into the result. */
>> if ((result_index + start + 1) > result_size)
>> - result = xrealloc (result, 1 + (result_size += (start + 20)));
>> + {
>> + result_size += start + 20;
>> + result = xrealloc (result, 1 + result_size);
>> + }
>>
>> strncpy (result + result_index, string, start);
>> result_index += start;
>>
>> I don't know what this is supposed to fix. The line in the log
>>
>> Logic error Unix API
>> info/tilde.c tilde_expand
>> 137 3
>>
>> refers to the line with "strncpy" on it.
>
>
> Exactly, and the trouble is that the checker sees a possiblity that
> strncpy's argument might be NULL.
>
> The trouble here is that `result' is NULL until the branch doing that
> xrealloc has taken place. The changes to unsigned are (failed) attempts to
> allow the checker to see through those calculations more easily and realize
> that the condition will always be true on the first pass, and therefore the
> xrealloc would always make result non-NULL.
>
> The ultimate obstacle may be xrealloc() here, though. Its purpose is to
> never return unless it managed to make its output non-NULL. But it's hard
> for the checker to figure that out cross-module.
tilde_expand isn't actually called anywhere, so I've removed it. :-)