---------- Forwarded message ----------
Date: Wed, 27 Feb 2002 15:51:36 +0000
From: Jon Wilson <[EMAIL PROTECTED]>
To: David Evans <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Overzealous sign checking?

David Evans writes:
 >
 > On Wed, 27 Feb 2002, Jon Wilson wrote:
 >
 > >
 > > Hi David et al,
 > >
 > > There's been a lot of discussion between myself and my colleagues
 > > about the warnings generated by Splint over such things as this:*
 > >
 > >   unsigned short a = 1 ;
 > >   long b = 2 ;
 > >
 > >   if ( a < b ) {
 > >     return FALSE ;
 > >   }
 > >
 > > blah.c(10): Operands of < have incompatible types (unsigned short int, long int): a < b
 > >   To ignore signs in type comparisons use +ignoresigns
 > >
 > > Now while this is clearly true, we would argue it's also harmless IFF
 > > we can assume an ANSI compiler.
 > >
 >
 > The question is what should "harmless" mean?  Splint considers lots of
 > things that are perfectly well defined C code to be worthy of warnings
 > since they may reveal program bugs.  In this case, you are correct that the
 > integer conversion rules mean the code almost certainly means what the
 > programmer intended.
 >
 > I think in this case, what is needed is more precise flags, so you can
 > turn off "harmless" sign incompatibility warnings.  We should have a flag
 > list "relaxquals" to control warnings about sign issues that are less
 > likely to reveal program bugs and ones where the behavior is
 > misleading.

Great, I'm not going mad. That's exactly what I thought (in fact I
tried relaxquals). The new switch would be great, since what we've
seen is developers (half) blindly adding casts just to shut lint
up. That just hides the problems along with the innocuous cases, since
a cast says to the compiler and lint "I know what I'm doing" :->

Actually, a question arises out of this: does Splint check for the
specific platform on which it was built, or an abstract C? As I
understand it, ANSI C just defines that sizeof( char ) <= sizeof(
short ) <= sizeof( long ), so for the (admittedly very odd) platform
where shorts are the same size as longs, the above code would indeed
be dangerous...

Cheers,

Jon
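The following is an added example (editor's code, not from Jon, David, or the Splint project) that demonstrates the integer conversion rules the thread relies on. The (unsigned short, long) comparison from the thread is safe on any platform where int can represent every unsigned short, because the unsigned short is promoted to a signed int before the comparison. The same comparison written one type wider, (unsigned int, long), is the case where a cast added "to shut lint up" would hide a real bug: whether long can represent every unsigned int is platform dependent, and where it cannot (typical ILP32), a negative long operand is converted to unsigned long and the comparison silently inverts. The helper functions query the platform through limits.h, and the portable variant shows how to write the comparison so it means the same thing everywhere.

```c
#include <limits.h>
#include <stdio.h>

/* Does unsigned short promote to int?  C promotes it to int when int can
   hold USHRT_MAX, otherwise to unsigned int.  In the latter case the
   comparison below inherits the unsigned-int behaviour instead. */
int ushort_promotes_to_int(void)
{
    return USHRT_MAX <= INT_MAX;
}

/* Can long represent every unsigned int?  If yes, an (unsigned int, long)
   comparison is carried out in long and a negative operand keeps its sign.
   If no (typical ILP32), the long operand is converted to unsigned long. */
int long_holds_all_unsigned_int(void)
{
    return (unsigned long)LONG_MAX >= (unsigned long)UINT_MAX;
}

/* The case from the thread: harmless wherever unsigned short promotes to
   int, because both operands then end up compared as long. */
int short_vs_long_is_less(unsigned short a, long b)
{
    return a < b;
}

/* The same comparison one type wider: the result for a negative b now
   depends on the platform (see long_holds_all_unsigned_int). */
int uint_vs_long_is_less(unsigned int a, long b)
{
    return a < b;
}

/* Portable form: settle the sign question first, then compare in a type that
   represents both operands exactly.  No cast here discards information. */
int uint_vs_long_is_less_portable(unsigned int a, long b)
{
    if (b < 0)
        return 0;                                 /* a is never below a negative value */
    return (unsigned long)a < (unsigned long)b;   /* b >= 0, so the conversion is exact */
}

int main(void)
{
    printf("unsigned short promotes to int:        %d\n", ushort_promotes_to_int());
    printf("long holds every unsigned int:         %d\n", long_holds_all_unsigned_int());
    printf("(unsigned short)1 < (long)-2:          %d\n", short_vs_long_is_less(1, -2));
    printf("(unsigned int)1 < (long)-2:            %d\n", uint_vs_long_is_less(1, -2));
    printf("portable (unsigned int)1 < (long)-2:   %d\n", uint_vs_long_is_less_portable(1, -2));
    return 0;
}
```

Running the program on an LP64 system prints 0 for both `1 < -2` comparisons, while on an ILP32 system the `(unsigned int)1 < (long)-2` line prints 1, which is exactly the platform dependence Jon asks about; the portable variant prints 0 in both cases.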

