splint - A tool for statically checking C programs
Splint is a tool for statically checking C programs for security vulnerabilities and com-
mon programming mistakes. With minimal effort, Splint can be used as a better lint(1).If
additional effort is invested adding annotations to programs, Splint can perform stronger
checks than can be done by any standard lint. For full documentation, please see
http://www.splint.org. This man page only covers a few of the available options.
-help Shows help
These flags control directories and files used by Splint. They may be used from the com-
mand line or in an options file, but may not be used as control comments in the source
code. Except where noted. they have the same meaning preceded by - or +.
Set directory for writing temp files. Default is /tmp/.
Add directory to path searched for C include files. Note there is no space after the
I, to be consistent with C preprocessor flags.
Add directory to path search for .lcl specification files.
Load options file <file>. If this flag is used from the command line, the default
~/.splintrc file is not loaded. This flag may be used in an options file to load in
another options file.
-nof Prevents the default options files (./.splintrc and ~/.splintrc) from being loaded.
(Setting -nof overrides +nof, causing the options files to be loaded normally.)
Set directories for system files (default is "/usr/include"). Separate directories
with colons (e.g., "/usr/include:/usr/local/lib"). Flag settings propagate to files
in a system directory. If -systemdirerrors is set, no errors are reported for files
in system directories.
These flags are used to define or undefine pre-processor constants. The -I<directory>
flag is also passed to the C pre-processor.
Passed to the C pre-processor.
Passed to the C pre-processor
Libraries These flags control the creation and use of libraries.
Save state in <file> for loading. The default extension .lcd is added if <file> has
Load state from <file> (created by -dump). The default extension .lcd is added if
<file> has no extension. Only one library file may be loaded.
By default, the standard library is loaded if the -load flag is not used to load a
user library. If no user library is loaded, one of the following flags may be used
to select a different standard library. Precede the flag by + to load the described
library (or prevent a library from being loaded using nolib). See Apppendix F for
information on the provided libraries.
Do not load any library. This prevents the standard library from being loaded.
Use the ANSI standard library (selected by default).
Use strict version of the ANSI standard library.
Use the POSIX standard library.
Use the strict version of the POSIX standard library.
Use UNIX version of standard library.
Use the strict version of the UNIX standard library.
These flags control what additional information is printed by Splint. Setting +<flag>
causes the described information to be printed; setting -<flag> prevents it. By default,
all these flags are off.
Send error messages to standard error (instead of standard out).
Show a summary of all errors reported and suppressed. Counts of suppressed errors
are not necessarily correct since turning a flag off may prevent some checking from
being done to save computation, and errors that are not reported may propagate dif-
ferently from when they are reported.
Show file names are they are processed.
Show list of uses of all external identifiers sorted by number of uses.
Display number of lines processed and checking time.
Display distribution of where checking time is spent.
Suppress herald and error count. (If quiet is not set, Splint prints out a herald
with version information before checking begins, and a line summarizing the total
number of errors reported.)
Print out the standard library filename and creation information.
At most <number> similar errors are reported consecutively. Further errors are sup-
pressed, and a message showing the number of suppressed messages is printed.
Normally, Splint will expect to report no errors. The exit status will be success (0) if
no errors are reported, and failure if any errors are reported. Flags can be used to set
the expected number of reported errors. Because of the provided error suppression mecha-
nisms, these options should probably not be used for final checking real programs but may
be useful in developing programs using make.
Exactly <number> code errors are expected. Splint will exit with failure exit status
unless <number> code errors are detected.
These flags control how messages are printed. They may be set at the command line,
in options files, or locally in syntactic comments. The linelen and limit flags may
be preceded by + or - with the same meaning; for the other flags, + turns on the
describe printing and - turns it off. The box to the left of each flag gives its
Show column number where error is found. Default: +
Show name of function (or macro) definition containing error. The function name is
printed once before the first message detected in that function. Default: +
Show all possible alternate types (see Section 8.2.2). Default: -
Use file(line) format in messages.
Provide hints describing an error and how a message may be suppressed for the first
error reported in each error class. Default: +
Provide hints for all errors reported, even if the hint has already been displayed
for the same error class. Default: -
Set length of maximum message line to <number> characters. Splint will split mes-
sages longer than <number> characters long into multiple lines. Default: 80
Mode Selector Flags
Mode selects flags set the mode checking flags to predefined values. They provide a quick
coarse-grain way of controlling what classes of errors are reported. Specific checking
flags may be set after a mode flag to override the mode settings. Mode flags may be used
locally, however the mode settings will override specific command line flag settings. A
warning is produced if a mode flag is used after a mode checking flag has been set.
These are brief descriptions to give a general idea of what each mode does. To see the
complete flag settings in each mode, use splint -help modes. A mode flag has the same
effect when used with either + or -.
-weak Weak checking, intended for typical unannotated C code. No modifies checking, macro
checking, rep exposure, or clean interface checking is done. Return values of type
int may be ignored. The types bool, int, char and user-defined enum types are all
equivalent. Old style declarations are unreported.
The default mode. All checking done by weak, plus modifies checking, global alias
checking, use all parameters, using released storage, ignored return values or any
type, macro checking, unreachable code, infinite loops, and fall-through cases. The
types bool, int and char are distinct. Old style declarations are reported.
Moderately strict checking. All checking done by standard, plus must modification
checking, rep exposure, return alias, memory management and complete interfaces.
Absurdly strict checking. All checking done by checks, plus modifications and global
variables used in unspecified functions, strict standard library, and strict typing
of C operators. A special reward will be presented to the first person to produce a
real program that produces no errors with strict checking.
If you need to get in contact with the authors send email to mailto:firstname.lastname@example.org
or visit http://www.splint.org
A tool for statically checking C programs splint(1)