
#7 splint crashes with SIGSEGV after an internal error

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-05-08
Created: 2008-05-08
Private: No

Report thanks to acab <acab@clamav.net>

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479619

$ svn co -r3839 http://svn.clamav.net/svn/clamav-devel/trunk/libclamav
[snip...]
$ cd libclamav
$ splint explode.c
[snip...]

explode.c:250:58: Function lookup_tree expects arg 4 to be uint8_t gets
unsigned int: X->got
context.c:2439: at source point
explode.c:251:5: *** Internal Bug at context.c:2439: llassert failed:
gc.inclause == FORCLAUSE [errno: 25]
*** Please report bug to submit@bugs.debian.org (via reportbug) ***
(attempting to continue, results may be incorrect)
usymtab.c:3043: at source point
explode.c:251:5: *** Internal Bug at usymtab.c:3043: llassert failed:
ttab->kind == US_TBRANCH [errno: 25]
*** Please report bug to submit@bugs.debian.org (via reportbug) ***
(attempting to continue, results may be incorrect)
*** Segmentation Violation
*** Location (not trusted): explode.c:251:5
*** Last code point: exprNode.c:10317
*** Previous code point: exprNode.c:10317

Discussion

  • Bill Pringlemeir

    It really helps to have a more limited test case for these.

     
  • Bill Pringlemeir

    The given URL doesn't retrieve an SVN version. I downloaded the source for revision 0.95.2 of this and ran against explode.c. It gives completely different output complaining about __attribute__ tokens (a gcc extension). The SEGV will always happen as splint asserts are usually against a 'non-NULL' value. If the value is NULL, it uses it anyways. The assert could be made to exit. I cannot trace what type of input caused this condition.

     
  • John Carter

    John Carter - 2011-06-27

    Small enough test case? Yes, it is weird... but it's the basic trick that underlies protothreads and Duff's device, and it is valid, useful, standards compliant C

    /* Minimal trigger: a switch wrapped around a for loop, with a case label
     * inside the loop body (the protothreads / Duff's device pattern). */
    void bah(int state)
    {
        int i;

        switch (state) {
        case 0:
            for (i = 0; i < 10; i++) {
                state = 10;
                /*@fallthrough@*/
        case 10:
                ;   /* a label must precede a statement, so an empty one */
            }
        }
    }

     
  • John Carter

    John Carter - 2011-06-27

    Sorry, I should have added the output...
    /opt/splint-3.1.2/bin/splint bug.c
    Splint 3.1.2 --- 08 Jan 2010

    context.c:2439: at source point
    bug.c:7:11: *** Internal Bug at context.c:2439: llassert failed:
    gc.inclause == FORCLAUSE [errno: 0]
    *** Please report bug to splint-bug@splint.org ***
    (attempting to continue, results may be incorrect)
    usymtab.c:3039: at source point
    bug.c:7:11: *** Internal Bug at usymtab.c:3039: llassert failed:
    ttab->kind == US_TBRANCH [errno: 0]
    *** Please report bug to splint-bug@splint.org ***
    (attempting to continue, results may be incorrect)
    *** Segmentation Violation
    *** Location (not trusted): bug.c:7:11
    *** Last code point: exprNode.c:10317
    *** Previous code point: exprNode.c:10317
    *** Please report bug to splint-bug@splint.org
    *** A useful bug report should include everything we need to reproduce the bug.

     
  • John Carter

    John Carter - 2011-06-27

    Here is a simple workaround. Convert the for(;;) into a while() loop.

    /* Same construct, but the loop is a while() instead of a for(;;);
     * splint no longer hits the FORCLAUSE assertion on this form. */
    void bah(int state)
    {
        int i;

        switch (state) {
        case 0:
            i = 0;
            while (i < 10) {
                state = 10;
                /*@fallthrough@*/
        case 10:
                if (i == 5) {
                    return;
                }
                i++;
            }
        }
    }

     
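The two test cases above show the shape that trips splint but say nothing about why anyone writes it. The following is an added example, not code from this bug report or from splint: the same "switch wrapped around a loop" construct used as a resumable generator in the style of protothreads, once with the for(;;) form from the crashing test case and once with the while() rewrite from the workaround, plus a check that both forms yield the same sequence. `struct gen`, `next_for`, `next_while`, `sum_yields` and `same_sequence` are this example's own names; the loop counter is kept in the struct only because a local would not survive the `return` that acts as the yield.

```c
#include <stdio.h>

/* Added example (not from the bug report): a resumable generator built on
 * the switch-around-a-loop trick. Each call yields the next value of
 * 0..n-1 by returning from inside the loop and records where to resume;
 * the next call jumps straight to the case label inside the loop body.
 * All names here are this example's own. */

struct gen {
    int state;  /* 0 = not started, 10 = suspended inside the loop, -1 = done */
    int i;      /* loop counter; lives in the struct so it survives a return */
    int n;      /* number of values to yield */
};

/* for(;;) form: the case label sits inside the loop body, after the yield. */
static int next_for(struct gen *g)
{
    switch (g->state) {
    case 0:
        for (g->i = 0; g->i < g->n; g->i++) {
            g->state = 10;
            return g->i;      /* yield; the next call jumps to case 10 */
    case 10:
            ;                 /* resume here, then the for increment runs */
        }
        g->state = -1;        /* loop exhausted */
    }
    return -1;
}

/* while() form (the workaround): the for increment becomes an explicit
 * g->i++ placed after the resume label. */
static int next_while(struct gen *g)
{
    switch (g->state) {
    case 0:
        g->i = 0;
        while (g->i < g->n) {
            g->state = 10;
            return g->i;      /* yield */
    case 10:
            g->i++;           /* resume here: the increment the for loop did */
        }
        g->state = -1;
    }
    return -1;
}

/* Drives a generator to exhaustion; returns the sum of everything yielded. */
static int sum_yields(int (*next)(struct gen *), int n)
{
    struct gen g = { 0, 0, n };
    int sum = 0, v;
    while ((v = next(&g)) != -1)
        sum += v;
    return sum;
}

/* Returns 1 if both forms yield identical sequences for n values, else 0. */
static int same_sequence(int n)
{
    struct gen a = { 0, 0, n }, b = { 0, 0, n };
    int va, vb;
    do {
        va = next_for(&a);
        vb = next_while(&b);
        if (va != vb)
            return 0;
    } while (va != -1);
    return 1;
}

int main(void)
{
    struct gen g = { 0, 0, 5 };
    int v;
    while ((v = next_for(&g)) != -1)
        printf("%d ", v);          /* prints: 0 1 2 3 4 */
    printf("\nsame_sequence(5) = %d\n", same_sequence(5));
    return 0;
}
```

Both functions compile cleanly with gcc or clang in C99 mode; the empty statement after `case 10:` in `next_for` is required because a label must precede a statement, which is also why the first test case above fails to compile on pre-C23 compilers without it. Jumping into the body of a loop through a case label is legal C, which is the point of the thread: the analyzer, not the program, is what breaks here.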
