Bryan - Where I work, we have a coding standard that a pointer to malloced memory that is freed be set to NULL afterwards. That way, if somebody attempts to dereference said pointer, they will at least get a segmentation violation. I tried it on your example, and it seems to make splint happy as well. Just insert the line "*newdev = NULL;" after the free(*newdev);
-Pete-

On 05/18/2012 09:36 AM, Bryan Evenson wrote:
> I have a function that I'm getting a warning and I'm not sure how to deal with
> the issue. Here's a rundown of the function:
>
> static int create_device(const char_t* readLine, sDevices **newDev, int *state)
> {
>     int retVal = RET_SUCCESS;
>     *newDev = malloc(sizeof(sDevices));
>     if(*newDev != NULL)
>     {
>         (*newDev)->data = malloc(sizeof(sPrivateData));
>         if((*newDev)->data == NULL)
>         {
>             free(*newDev);
>             retVal = RET_MEM_ERR;
>         }
>     }
>     else
>     {
>         retVal = RET_MEM_ERR;
>     }
>     return retVal;
> }
>
> In summary I have a struct sDevices which in turn has a member sPrivateData*
> data. This function allocates memory for newDev and also for newDev->data.
> If the second memory allocation fails, the whole thing is not useful to me so
> I deallocate all memory related to newDev.
>
> Here's the contents of my .splintrc file (I started with -weak and I'm slowly
> adding checks in so I only have a few to worry about at a time):
> +unix-lib
> +enumindex
> +trytorecover
> -onlytrans
> -dependenttrans
> -branchstate
> -mustfreeonly
> -unreachable
> -nullstate
> -unrecog
> -nullpass
> -temptrans
> -mustfreefresh
> -fullinitblock
> -compmempass
> -compdef
> -type
> -globstate
> -D__signed__=signed
>
> With this, I get the following warning from Splint:
> Released storage *newDev reachable from parameter at return point
>   Memory is used after it has been released (either by passing as an only
>   param or assigning to an only global). (Use -usereleased to inhibit warning)
>
> From my understanding, Splint is warning me that *newDev may or may not
> point to valid memory upon exit of the function. I know that, and I know
> that it's the duty of the caller of create_device to verify that the
> function was successful before attempting to access newDev. I've tried
> annotating the newDev parameter in the function declaration as various
> combinations of /*@out@*/, /*@null@*/ and anything else that seems relevant
> and nothing has removed the warning (without creating a new one). If I'm
> understanding correctly, Splint needs to be told that I know *newDev and
> *newDev->data may or may not be defined upon exit of the function. Any
> pointers on how to do that?
>
> Thanks,
> Bryan
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss@mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
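The pattern Pete describes (clearing the caller's pointer right after the free so a later dereference faults instead of reading released storage) written out as a complete, added example that is not code from the thread. The type and constant names sDevices, sPrivateData, RET_SUCCESS and RET_MEM_ERR follow Bryan's message but their definitions are assumed here; the unused readLine and state parameters are dropped, and dev_malloc with its fail_after_allocs counter is a hypothetical hook added only so the second-allocation failure path can be exercised without exhausting memory. Whether Splint is satisfied by the extra assignment is Pete's observation, not something this example checks:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed definitions; the thread only names these types and constants. */
#define RET_SUCCESS 0
#define RET_MEM_ERR 1

typedef struct { int value; } sPrivateData;
typedef struct { sPrivateData *data; } sDevices;

/* Hypothetical allocator hook for testing: -1 never fails, otherwise the
 * counter is decremented per call and the call that finds it at 0 returns NULL. */
static int fail_after_allocs = -1;

static void *dev_malloc(size_t n)
{
    if (fail_after_allocs == 0)
        return NULL;
    if (fail_after_allocs > 0)
        fail_after_allocs--;
    return malloc(n);
}

/* On any failure the caller's pointer is left NULL, never dangling. */
static int create_device(sDevices **newDev)
{
    int retVal = RET_SUCCESS;

    *newDev = dev_malloc(sizeof(sDevices));
    if (*newDev != NULL) {
        (*newDev)->data = dev_malloc(sizeof(sPrivateData));
        if ((*newDev)->data == NULL) {
            free(*newDev);
            *newDev = NULL;   /* the line Pete suggests inserting after the free */
            retVal = RET_MEM_ERR;
        }
    } else {
        retVal = RET_MEM_ERR;
    }
    return retVal;
}

/* Matching release; the same null-after-free rule applies here. */
static void destroy_device(sDevices **dev)
{
    if (dev == NULL || *dev == NULL)
        return;
    free((*dev)->data);
    free(*dev);
    *dev = NULL;
}

/* Runs both allocation outcomes; returns 1 when the pointer is valid on
 * success and NULL (not stale) on failure, 0 otherwise. */
static int run_scenarios(void)
{
    sDevices *dev = (sDevices *)1;   /* deliberately garbage: proves the error path clears it */
    int ok = 1;

    fail_after_allocs = -1;          /* both allocations succeed */
    ok = ok && create_device(&dev) == RET_SUCCESS && dev != NULL && dev->data != NULL;
    destroy_device(&dev);
    ok = ok && dev == NULL;

    dev = (sDevices *)1;
    fail_after_allocs = 1;           /* first malloc succeeds, second returns NULL */
    ok = ok && create_device(&dev) == RET_MEM_ERR && dev == NULL;

    fail_after_allocs = -1;
    return ok;
}

int main(void)
{
    printf("null-after-free scenarios %s\n", run_scenarios() ? "passed" : "FAILED");
    return 0;
}
```

The caller still has to test the return code before touching newDev, as Bryan says; what the assignment buys is that a caller which forgets to do so dereferences NULL rather than freed heap, which turns a silent use-after-free into an immediate, reproducible crash.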