Posts Tagged programming
Bullet-Proofing C and C++ Without Draconian Verbosity
Posted by A R Baboon in Computer Science on August 7, 2007
Many, many bugs can be found through static analysis, however, the present state of analysis tools is pretty poor. Often we have two options. Either we shut off many of the warnings or we add so much verbosity to the code that readability suffers. The verbosity is ok when you are working small projects but as soon as you pass the 15 k SLOC mark you need to consider a different strategy. Blanket safety netting is common but again it tends to obscure the semantics of the code. Also things like over zealous casting can be very very dangerous. I have developed over a long period of time a set of techniques that allow static checking while still minimizing the added verbosity. I will list a few here.
The most well known and perhaps oldest (by heritage) static checker is probably SPLint. SPLint really does find quite a few issues and I recommend using it. The problem is that it is also a fire hose of false positives. I have found a number of options to make the false positives more manageable:
splint +unixlib -D__USE_POSIX -exportlocal -nullassign \ -fcn-macros -onlytrans -boolops +ptrnegate -paramuse -retvalint \ +boolint +floatdouble -macroredef -nullret -elseif-complete \ -aliasunique -allimponly -predboolptr -retvalother -globstate \ +matchanyintegral -nullpass
The other method to appease SPLint is to insert tags in your code attributing symbols in statements. For example /*@fallthrough@*/ tells splint you did indeed intend to let a case statement fall through. This kind of annotation is great for communicating to your teammates as well. However an abundance of these annotations will quickly pollute your code and there is no way to customize (i.e. #define) these annotations. Check out the following example of the prototype of free from the SPLint manual:
void free( /*@only@*/ /*@out@*/ /*@null@*/ void *ptr );
So SPLint is asking that you attribute everything at the expense of readability. Fortunately, there is another way that has many additional benefits. I have found that GCC can work effectively hand and hand with SPLint.
The good folks at GCC have provided the ability to add functional attributions to declarations. The syntax is __attribute__(( attribute_info )) where “attribute_info” is replaced by the attribute name and potentially an argument list. These attributes are used by GCC for its own static analysis but also to optimize your code. Much like const and volitile these attributes tell GCC that your code will be constrained such that the optimizer can be more or less aggressive. SPLint seems to respect these attributes even though I have found no such language in the documentation. The following are some convenience macros I frequently use:
#ifdef __GNUC__ #define UNUSED __attribute__ ((unused)) #define DEPRECATED __attribute__ ((deprecated)) #ifndef PURE // means - produces no side effects (by modifying shared globals) #define PURE __attribute__ ((pure)) #endif #ifndef NORETURN // means - exit is always called from this function #define NORETURN __attribute__ ((noreturn)) #endif // 'archetype' is one of printf, scanf, strftime or strfmon #define FMT_FUNC( archetype, fmt_str_idx, first_varg_idx ) \ __attribute__ ((format( archetype, fmt_str_idx, first_varg_idx ))) #define NONNULL_ARGS(arg_indexes...) __attribute__((nonnull( ##arg_indexes ))); #else #define UNUSED #define DEPRECATED #define PURE #define NORETURN #define FMT_FUNC( archetype, fmt_str_idx, first_varg_idx ) #define NONNULL_ARGS(arg_indexes...) #endif
GCC actually is capable of a great deal of static analysis if you enable the right options. The warnings are a lot more reasonable, so I have gotten into the practice of disabling a check in SPLint if it is enabled in GCC (see listing above). The following is a list of GCC arguments that enable full analysis and checking.
-g -Wall -Wdeclaration-after-statement -Wnested-externs -Wextra -O2
The O2 (optimization level 2) is not a mistake. Level 2 needs to be on in order to enable flow analysis within GCC. The “declaration-after-statement” restriction is because SPLint chokes hard on any declarations after the beginning of a block body code (even though it is in C99).
Ok I think this post is long enough. There are more techniques but they will have to come in subsequent posts.
Emacs Tweaks – TAGS
Posted by A R Baboon in Computer Science, Linux and Systems on March 21, 2007
Tags are an index of the definition of symbols in your source files. They allow you to quickly navigate your source files and to find what symbols exist. Originally they were designed for Vi probably because navigation is so poor there that you need navigational aids. Emacs has a number of integrated tag functions that many people just don’t know about. Many other IDEs have implemented this feature since through a series of context menu’s and hovers but fail to capture the basics that are covered so well in Emacs. However Emacs needs a little tweaking in order to take full advantage of capabilities. They are listed below.
More Productive Key Bindings
The following lisp gibberish allows you to search for the definition of the symbol under the mouse pointer and a way to search for all the uses of that symbol in your code. In Emacs you can return to the jumping point by pressing Alt-* (default key binding). I use XEmacs (which is superior) but you can put this in your .emacs file as well.
^^^^ .xemacs/init.el ^^^^
;;;;;;;;;;;;;;;;; ;; Tags setup ;;;;;;;;;;;;;;;;; (defun tags-search-tag-at-point (tagname &optional file-list-form) "*Find tag whose name contains TAGNAME. Identical to `find-tag' but does not prompt for tag when called interactively; instead, uses tag around or before point." (interactive (if current-prefix-arg '(nil nil) (list (find-tag-tag "Search tag: ") nil))) (tags-search tagname file-list-form)) ;; Find definition of the tag under the pointer ;; This nicely parallels M-*, which pops the tag stack. (global-set-key '(control *) 'find-tag-at-point) ;; Find uses/calls of the tag under the pointer ;; This nicely parallels M-, , which cycles through the search results. (global-set-key '(control ,) 'tags-search-tag-at-point) ;; Search and replace all uses of a tag ;; This nicely parallels M-%, which is the normal search and replace. (global-set-key '(control %) 'tags-query-replace) ;; Complete the name of a symbol using the tag table (global-set-key '(meta return) 'tag-complete-symbol)
Fancy Ways to Building Tag Files
The following is a shell script template that you can use to find which files have changed and only reindex as needed. Replace project_dir and src_dir as needed.
^^^^ make_tags.sh ^^^^
#!/bin/sh
function build_tags () {
tag_file="$1"
target_dir="$2"
file_pattern="{*.[ch],Makefile}"
if [ -e "$tag_file" ]; then
files=`find "$target_dir" -maxdepth 1 -name '*.[ch]' -cnewer "$tag_file" -print`
echo $files
if [ "$files" ]; then
etags -f "$tag_file" "$target_dir"/*.[ch]
fi
else
etags -f "$tag_file" "$target_dir"/*.[ch]
fi
}
TAGS_DIR="$HOME/project_dir/tags"
if [ ! -e "$TAGS_DIR" ]; then
mkdir -p "$TAGS_DIR"
fi
build_tags "${TAGS_DIR}/src_dir1.tags" "$HOME/project_dir/src_dir1"
build_tags "${TAGS_DIR}/src_dir2.tags" "$HOME/project_dir/src_dir2"
build_tags "${TAGS_DIR}/usr_include.tags" "/usr/include"
build_tags "${TAGS_DIR}/usr_include_sys.tags" "/usr/include/sys"
build_tags "${TAGS_DIR}/usr_include_GL.tags" "/usr/include/GL"
# make tags for src_dir1 which depends on src_dir2
cat "${TAGS_DIR}/src_dir1.tags" "${TAGS_DIR}/src_dir2.tags" \
"${TAGS_DIR}/usr_include.tags" "${TAGS_DIR}/usr_include_sys.tags" \
"${TAGS_DIR}/usr_include_GL.tags" > "$HOME/project_dir/src_dir1/TAGS"
#make tags for src_dir2
cat "${TAGS_DIR}/src_dir2.tags" \
"${TAGS_DIR}/usr_include.tags" "${TAGS_DIR}/usr_include_sys.tags" \
"${TAGS_DIR}/usr_include_GL.tags" > "$HOME/project_dir/src_dir1/TAGS"
^^^^^^^^^^^^