I haven't had much time to work with lclint (now splint) in a while, but I've been looking over the updated manual. Some of the new features look really spiffy.
I notice, though, that it still doesn't understand realloc:

    #include <stdlib.h>

    int main ()
    {
      char *p, *q;
      p = malloc (42);
      q = realloc (p, 14);   /* neither p nor q is ever freed */
      return 0;
    }

This function gets no diagnostics, but it's wrong; whether realloc succeeds or fails, one of the blocks will be leaked. If I drop 'q' and the realloc call, splint does properly complain about the memory leak.

Scanning the one-html-file version of the manual, I found no mention of realloc at all. I think it's a rather important limitation to point out -- and, perhaps, some ways to work around it.

The method I tried out last time was to create a function that would accept a pointer to allocated storage and a size, and would return (by return value and passed-in pointer) a pointer to allocated storage and an indication of whether the size change was effective. Within the function, I disabled the relevant warnings. It seemed to work okay.

Naturally, having splint actually understand realloc's behavior would be far better, including the size of available storage space in both success and failure cases, but I understand that's a difficult thing to accomplish.

Ken
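
The wrapper workaround described in the message above, as an added example that is not part of the original post. The name resize_block, its signature, the injectable allocator parameter, and the choice of splint annotations and /*@ignore@*/ suppression are all assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Allocator signature, so the failure path can be exercised with a stub. */
typedef void *(*realloc_fn)(void *, size_t);

/* Hypothetical wrapper (name, signature and annotations are assumptions).
 * Takes ownership of `old` and returns the pointer that owns the storage
 * afterwards: the resized block on success, `old` itself on failure.
 * *resized is set to 1 if the size change took effect, 0 otherwise. */
/*@only@*/ /*@null@*/ void *
resize_block(realloc_fn re, /*@only@*/ /*@null@*/ void *old,
             size_t new_size, /*@out@*/ int *resized)
{
    void *fresh;

    *resized = 0;
    if (new_size == 0)
        return old;   /* realloc(p, 0) is implementation-defined: refuse it */
    /*@ignore@*/      /* assumption: blanket suppression of splint messages */
    fresh = re(old, new_size);
    if (fresh == NULL)
        return old;   /* failure: the original block is untouched */
    *resized = 1;
    return fresh;     /* success: the old pointer value is now dead */
    /*@end@*/
}

/* Stub that simulates an out-of-memory realloc (constructed for the demo). */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Returns 0 when both paths leave the caller with exactly one live block. */
int demo(void)
{
    int ok = 0;
    char *p = malloc(42);

    if (p == NULL) return -1;
    memcpy(p, "constructed", 12);                 /* constructed sample data */
    p = resize_block(realloc, p, 14, &ok);        /* shrink succeeds */
    if (!ok || strcmp(p, "constructed") != 0) { free(p); return 1; }
    p = resize_block(failing_realloc, p, 1000, &ok);  /* simulated failure */
    if (ok || strcmp(p, "constructed") != 0) { free(p); return 2; }
    free(p);                                      /* single owner, single free */
    return 0;
}
```

Because the caller always assigns the result back to the same variable, there is one owning pointer on both outcomes, and the status flag alone says whether the new size can be relied on.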