Uninit structure member – Uninit checking and static code analysis

A recent software bug caused a serious data damage in our customer’s side, which is using an uninit sturcture member. This post gives a practical comparison between kinds of static code analysis tools for this specific bug among popular commerical tools and open source tools. This post does NOT try to tell which tool is better but only for information. On the other hand, this ‘stupid’ bug may be a good start to begin with real static code analysis…

/* daveti_uninit1.c - BUG */ 
typedef struct s
{
 int a;
 int b;
}S;

int test(S *y)
{
 y->b=0;
 return 0; /* member a has never been used or init'd */
}

int main()
{
 int w=0;
 S x;
 int ret;

 ret=test(&x); /* pass the address of structure x to function test */
 w=x.a; /* now use the uninit structure member a */
 return 0;
}

/* daveti_uninit2.c - BUG */
typedef struct s
{
 int a;
 int b;
}S;

int test(S *y, int k)
{
 if (k==0)
 {
 y->b=0;
 y->a=0; /* y.a is only init'd when k is 0 */
 return 0;
 }
 if (k==1)
 {
 y->b=0;
 return 0; /* y.a has never been used or init'd */
 }

 return 0;
}

int main()
{
 int w=0;
 S x;
 int ret;

 ret=test(&x, 1); /* pass the address of structure x to function test */
 w=x.a; /* use the uninit structure member a */
 return 0;
}

/* daveti_uninit3.c - GOOD */
typedef struct s
{
 int a;
 int b;
}S;

int test(S *y, int k)
{
 if (k==0)
 {
 y->b=0;
 y->a=0;
 return 0;
 }
 else
 {
 y->b=0;
 y->a=1;
 return 0;
 }
}

int main()
{
 int w=0;
 S x;
 int ret;

 ret=test(&x, 1); /* pass the address of structure x to function test */
 w=x.a;
 return 0;
}
Tools / daveti_uninitX.c daveti_uninit1.c (bug) daveti_uninit2.c (bug) daveti_uninit3.c (good)
gcc –Wall (4.1.2) No No No
Klocwork Insight 9.2 Yes No N/A
Coverity 5.5.1 Yes Yes No
CppCheck 1.47 No No No
Splint 3.1.1 Warning when passing x to func Warning when passing x to func Warning when passing x to func
Uno 2.13 No No No

For this speical case, well, Coverity explains the reason why it is the top 1 in static code analysis in commercial products. However, as the bug has been reported to Klocwork, it should have no problem in future release. Meanwhile, as gcc is a pure compiler which apparently does not focus on code analysis, it may not be a surprise to get such a result; CppCheck/Splint/Uno, on the other hand, show nothing to help because of internal limitation. Another 2 open source tools maybe worth a try are mygcc and saturn. If you have any thoughts, please leave me a commemt:)

About daveti

Interested in kernel hacking, compilers, machine learning and guitars.
This entry was posted in Static Code Analysis and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s