Splint Code Analyzers for C [closed] - c

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
We are planning to use Splint as a code analyzer for our C code base. But we have never tried the Splint tool before, so we want your input on its benefits, pros and cons.

Lint tools are useful for finding common problems and errors that code reviews tend to miss. My opinion is that you have nothing to lose when doing static code analysis. The only downside is that you might get a lot of false positives or warnings that might be unimportant (e.g. coding style recommendations). You just have to develop good filtering skills. Static analyzers might also not catch everything, but hey, it is better than nothing.
Here is a white paper from the SANS institute that might interest you:
http://www.sans.org/reading_room/whitepapers/securecode/secure-software-development-code-analysis-tools_389

Read this blog post and these slides for a quick overview of what it can do for you.

Splint excels at making your code more idiomatic (and therefore easier to read, for various compilers to parse, more portable, and easier to refactor). Splint can find subtle bugs such as implicit casts between ints and floats. Splint tracks down memory leaks and other security vulnerabilities.
Try it: splint hello.c.
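As an added example of the kind of annotation-driven checking the answer above refers to (this is not code from the original answer or from the Splint project): Splint reads annotations such as the "null" and "only" markers in special comments, so the file below still compiles as plain C. The exact wording of the Splint messages quoted in the comments is given from memory and is an assumption; the function names are invented for the example.

```c
#include <stdlib.h>
#include <string.h>

// Returns a heap copy of s, or NULL on allocation failure.
// The "null" annotation tells Splint the result may be NULL; the "only"
// annotation says the caller takes ownership and must free it.
static /*@null@*/ /*@only@*/ char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    memcpy(p, s, n);
    return p;
}

// Unchecked use: because dup_string is declared as possibly returning NULL,
// Splint reports passing a possibly-null pointer to strlen here
// (roughly: "possibly null storage copy passed as non-null param").
size_t length_unchecked(const char *s)
{
    char *copy = dup_string(s);
    size_t n = strlen(copy);
    free(copy);
    return n;
}

// Checked use: the NULL test satisfies the null check, and the "only"
// annotation lets Splint verify that every path frees copy, so it
// reports neither a null dereference nor a leak.
long length_checked(const char *s)
{
    char *copy = dup_string(s);
    if (copy == NULL)
        return -1;              // allocation failure reported, not dereferenced
    long n = (long)strlen(copy);
    free(copy);
    return n;
}
```

Running `splint` on this file is the quickest way to see the difference between a warning that points at a real defect (the unchecked path) and a clean function: fixing the checked version is the same edit you would make for a code reviewer, it is just that the tool does not get tired.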

As waffleman suggested, static analysers do produce a lot of false alarms. I have found Prevent to give better alarms than Sparrow. Those are the two we use for static analysis.
An example of a typical false alarm and good alarm is:
#include <stdlib.h>

void bar(char **output)
{
    *output = malloc(100);
}

void foo(void)
{
    char *output = NULL;
    bar(&output);
}
In function bar it would report a memory leak for the pointer output. In the function foo it reports a NULL dereference when the function bar is called. But nevertheless it's a choice between finding a true alarm among hundreds of false alarms.
So we can find memory leaks which can be missed during code reviews. The Prevent license is expensive, and once an alarm is marked false it doesn't appear in the subsequent analysis. Hence you have to find out if Splint does the same.

The tool looks for patterns that could possibly be errors. The advantage is that the tool may find latent bugs, and the disadvantage is that it may find a whole bunch of false positives as well.

Related

Not including stdlib.h? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
Been reading through a lot of the bigger, more popular threads here on SO and found the thread about casting malloc() returns particularly interesting. I'm guilty of casting my returns simply because this is how I was taught.
The thing I'm wondering is, if casting a return from malloc() can hide bugs from not including stdlib.h then why is the answer not to cast rather than to always make sure stdlib.h is included?
Isn't not including stdlib.h lazy or bad practice or am I missing something? I realise there are other reasons for not casting but this one stands out for me in particular since it seems like bad practice is in some small way being promoted or accepted here.
So are there any particular instances where one would willingly not include stdlib.h if it's actually required? I see a lot of people being put down for doing these things... casting, yet it seems that nobody really has a problem with this negligence... can someone explain why casting the return is frowned on yet neglecting to include necessary headers is not?
I know it's a contentious issue here and has been the subject of various threads in the past. I'm trying to get back up to speed with things here and break old habits.
Lastly, any good sources of info that are more up to date with current standards? I'm still finding various examples online where the casting is being done, and some of them are quite recent.
A lot of conflicting info out there. Why would you not want to include stdlib.h or be so cavalier with regards to that, yet be so pedantic about the casting?
The "strong-typing" idea says that the compiler should be able to catch most of the programmer's errors before the program is run. Not doing the proper #include is an error, which the compiler can catch (unless you inadvertently suppress it by casting).
"Don't do this error" is not a solution - bugs always happen.
This sort of error is plausible, because it's annoying to check whether your code already has the proper #include whenever you add dynamic memory allocations to it. People tend to forget (or "forget") to do annoying things.
Especially in situations like this:
void addSomeData(someType **data) {
    ...
    ... many lines ...
    data = (someType *) malloc(sizeof(someType)*n);
where it should have been:
    *data = (someType *) malloc(sizeof(someType)*n);
Here the cast enables the compiler to check whether you really did what you intended to do. Furthermore, adding redundant information to code can enhance or worsen readability; it is a matter of the situation and of the code writers' and code readers' personal style.
On the other hand, in code lines like this:
struct foo *bar = malloc(sizeof(struct foo));
a cast probably indeed would be of no benefit.
However, I think it is too simple and undifferentiated a rule to say that a cast of malloc() is always an error (!), as a much-cited answer here on SO claims.
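As an added example of the cast-free allocation idiom the discussion above revolves around (not code from the original question or answers): with `<stdlib.h>` included, `malloc` is declared as returning `void *`, which converts implicitly to any object pointer type, so no cast is needed, and writing `sizeof *p` keeps the size tied to the pointee type. The helper also adds the multiplication overflow check a practitioner would want in front of `malloc(n * size)`; the names `alloc_array`, `make_foos` and `struct foo` are invented for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

// Allocates n elements of elem_size bytes each. Returns NULL if the byte
// count would wrap around size_t or if malloc fails. No cast on malloc:
// the void * result converts implicitly because <stdlib.h> declares it.
void *alloc_array(size_t n, size_t elem_size)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return NULL;            // n * elem_size would overflow
    return malloc(n * elem_size);
}

struct foo {
    int id;
    double weight;
};

// Idiomatic allocation: sizeof *p follows the pointee type, so this line
// stays correct if struct foo is renamed or p's type changes, and there is
// no (struct foo *) cast to hide a missing declaration of malloc.
struct foo *make_foos(size_t n)
{
    struct foo *p = alloc_array(n, sizeof *p);
    if (p != NULL)
        memset(p, 0, n * sizeof *p);   // zero-initialised array
    return p;
}
```

If the `#include <stdlib.h>` line is dropped from this file, a C99 or later compiler rejects the implicit declaration of `malloc` outright, and a C89 compiler warns about assigning `int` to a pointer; a cast on the `malloc` call would silence only the second diagnostic, which is the point the answers make.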

Is it a good practice to write multiple concise statements in one line? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I am prone to writing code like this:
if (*t) while (*++t);
It reads: if string t does not start with '\0', then move to the end.
Note the while loop has no body, so the semicolon terminates it.
I'd like to know if it is good practice to do this? Why and why not?
C is one of the oldest popular languages in use today. I believe there's a good chance of finding one or more established style guide(s).
I know that Google has one for their C++ open source projects - http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml
Can anyone point me to resources on why or why not write code in certain manner?
Usually it is a good practice to write separate lines of code. Like in case of large pieces of code, debugging is clearer if we write code in separate lines.
It depends! Who is going to have to read and maintain this code? Coding standards exist for two major reasons:
To make code more readable and maintainable. When there are multiple developers, it makes code more consistent (which is more readable).
To discourage common errors. For example, a standard might require putting literals first in conditionals to discourage the assignment-as-comparison bug.
How do these goals apply to your specific code? Are you prone to making mistakes? If this is Linux kernel code, it's a lot more tolerable to have code like this than if it's a web app maintained by entry level programmers.
It reads: if string t does not start with '\0', then move to the end.
Then consider putting a comment on it that says that.
Surprisingly - it is usually more expensive to maintain code over time than to write it in the first place. Maintenance costs are minimized if code is more readable.
There are three audiences for your code. You should think of how valuable their time is while you are formatting:
Fellow coders, including your co-workers and code-reviewers. You want these people to have a high opinion of you. You should write code that is easily understandable for them.
Your future self. Convoluted code may be obvious while you are writing it, but pick it up again in two weeks, and you will not remember what it means. The 'concise' statement that you wrote in 10 minutes will someday take you 20 minutes to decipher.
The optimizing compiler, which will produce efficient code no matter whether your line is concise or not. The compiler does not care; try to save time for the other two. (Cue angry remarks about this item. I am in favor of writing efficient code, but concise styles like the one we are describing here will not affect compiler efficiency.)
Bad practice, because not easy to parse. I'd do
while (*t) ++t;
and let the compiler do the tiny bit of optimization.
The textual translation of it reads even shorter than yours
advance t until it points to a 0
Although you can write some pretty clever code in one line in C, it's usually not good practice in terms of readability and ease of maintenance. What's straightforward for you to understand may look completely foreign to someone maintaining your code in future.
You need to strike a balance between conciseness and readability. To this end, it's usually better to separate the code out so each line does one thing.

Are function pointers evil? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I have been told by more senior, experienced and better-educated programmers than myself that the use of function-pointers in c should be avoided. I have seen the fact that some code contains function pointers as a rationale not to re-use that code, even when the only alternative is complete re-implementation. Upon further discussion I haven't been able to determine why this would be. I am happy to use function pointers where appropriate, and like the interesting and powerful things they allow you to do, but am I throwing caution to the wind by using them?
I see the pros and cons of function pointers as follows:
Pros:
Great opportunity for code modularity
OO-like features in non-OO c (i.e. code and data in the same object)
How else could you reasonably implement a callback?
Cons:
Negative impact to code readability - not always obvious what function is actually called when a function pointer is invoked
Minor performance hit compared to a direct function call
I think Con # 1. can usually reasonably be mitigated by well chosen symbol names and good comments. And Con # 2. will in general not be a big deal. Am I missing something - are there other reasons to avoid function pointers like the plague?
This question looks a little discussion-ey, but I'm looking for good reasons why I shouldn't use function pointers, not opinions
Function pointers are not evil. The main times you "shouldn't" use them are when either:
The use is gratuitous, i.e. not actually needed for what you're doing, or
In situations where you're writing hardened code and the function pointer might be stored at a location you're concerned may be a likely candidate for buffer overflow attacks.
As for when function pointers are needed, Adam's answer provided some good examples. The common theme in all those examples is that the caller needs to be able to provide part of the code that runs from the called function. Without function pointers, the only way you could do this would be to copy-and-paste the implementation of the function and change part of it to call a different function, for every individual usage case. For qsort and bsearch, which can be implemented portably, this would just be a nuisance and hideously ugly. For thread creation, on the other hand, without function pointers you would have to copy and paste part of the system implementation for the particular OS you're running on, and adapt it to call the function you want called. This is obviously unacceptable; your program would then be completely non-portable.
As such, function pointers are absolutely necessary for some tasks, and for other tasks, they are a major convenience which allows general code to be reused. I see no reason why they should not be used in such cases.
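As an added example of the hardening concern raised in the answer above, a function pointer sitting in writable memory next to an attacker-influenced buffer (this is not code from the original answers): the pattern below keeps the function pointers in a `static const` dispatch table and stores only a bounds-checked index in the struct that holds untrusted data, so an overflow of `name` cannot redirect control flow through a corrupted pointer. The type and function names (`op_fn`, `struct request`, `request_init`, `request_dispatch`) are invented for the example.

```c
#include <stddef.h>
#include <string.h>

typedef int (*op_fn)(int, int);

static int op_add(int a, int b) { return a + b; }
static int op_sub(int a, int b) { return a - b; }

// Dispatch table in read-only storage: the function pointers themselves never
// live in writable memory that untrusted input is copied into.
static const op_fn ops[] = { op_add, op_sub };
#define NUM_OPS (sizeof ops / sizeof ops[0])

// Untrusted fields travel with an index into the table rather than with a raw
// function pointer. Contrast with a layout such as
//     struct { char name[16]; op_fn handler; }
// where an unchecked copy into name overwrites handler with attacker bytes.
struct request {
    char name[16];
    size_t op;          // index into ops, validated before every use
};

// Returns 0 on success, -1 if name does not fit or op is out of range.
int request_init(struct request *r, const char *name, size_t op)
{
    size_t len = strlen(name);
    if (op >= NUM_OPS || len >= sizeof r->name)
        return -1;                          // reject instead of truncating silently
    memset(r, 0, sizeof *r);
    memcpy(r->name, name, len + 1);         // bounded copy, NUL included
    r->op = op;
    return 0;
}

// Performs the requested operation; the range check is repeated because the
// struct may have been modified between init and dispatch.
int request_dispatch(const struct request *r, int a, int b, int *out)
{
    if (r->op >= NUM_OPS)
        return -1;
    *out = ops[r->op](a, b);
    return 0;
}
```

The callback mechanism is unchanged: the caller still chooses which code runs by picking an entry. What changes is that the only thing an attacker can influence is a small integer that is checked against the table size at the point of the indirect call.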
No, they're not evil. They're absolutely necessary in order to implement various features such as callback functions in C.
Without function pointers, you could not implement:
qsort(3)
bsearch(3)
Window procedures
Threads
Signal handlers
And many more.

Why does my anti-virus call this piece of code a virus? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
My anti-virus identifies the compiled ".exe" of this source as a virus
"Gen: Variant:Graftor" . Can anybody explain why?
int main(void)
{
    float x = 3.0 / 7.0;    /* the double result is rounded to float precision */
    double y = 3.0 / 7.0;
    int a = (x == y);       /* x is promoted back to double for the comparison, so a is 0 */
    return a;
}
Well, unmanaged / native programs can pose security risks, and probably your antivirus marked this as such. Antiviruses use heuristics, so the algorithms are approximate; they tend to work on a "best effort" idea, and in the case of antiviruses "false positives" like your sample are preferable to missing actual viruses.
Another possibility is the way you compiled your program. There are a lot of compiler optimizations, and some are related to security, so your program randomizes certain parts of memory etc. Maybe the antivirus looks at how a C program is compiled and yours has no security flags turned on? Hmm...
About Generic Detections
Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.
This is a false positive. These sometimes occur in every antivirus product because of the complexity of present-day malware and file compression/protection utilities that are used on both malware and legitimate software.

"continue" and "break" for static analysis [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I know there have been a number of discussions of whether break and continue should be considered harmful generally (with the bottom line being - more or less - that it depends; in some cases they enhance clarity and readability, but in other cases they do not).
Suppose a new project is starting development, with plans for nightly builds including a run through a static analyzer. Should it be part of the coding guidelines for the project to avoid (or strongly discourage) the use of continue and break, even if it can sacrifice a little readability and require excessive indentation? I'm most interested in how this applies to C code.
Essentially, can the use of these control operators significantly complicate the static analysis of the code possibly resulting in additional false negatives, that would otherwise register a potential fault if break or continue were not used?
(Of course a complete static analysis proving the correctness of an arbitrary program is an undecidable proposition, so please keep responses to any hands-on experience you have with this, and not to theoretical impossibilities.)
Thanks in advance!
My immediate reaction is that the hoops you'd have to jump through to avoid break and continue would probably hurt the code overall, and make static analysis (or much of anything else) considerably more difficult.
It'll depend a bit on the exact sort of code you're dealing with though. Just for example, if you have something that would really be best implemented as a switch statement, a prohibition against break would essentially force you to use nested if/elses which would make the code much more difficult to analyze correctly, and depending on the circumstances, would be very likely to negatively impact the output code as well.