LCLint Version 2.4 MIT/LCS Distribution Site 13 April 1998 David Evans evs@larch.lcs.mit.edu LCLint is a tool for statically checking C programs. With minimal effort, LCLint can be used as a better lint. If additional effort is invested adding annotations to programs, LCLint can perform stronger checks than can be done by any standard lint. LCLint does many of the traditional lint checks including unused declarations, type inconsistencies, use-before-definition, unreachable code, ignored return values, execution paths with no return, likely infinite loops, and fall-through cases. Our main focus, however, is on more powerful checks that are made possible by additional information given in source code annotations. Annotations are stylized comments that document certain assumptions about functions, variables, parameters, and types. They may be used to indicate where the representation of a user-defined type is hidden, to limit where a global variable may be used or modified, to constrain what a function implementation may do to its parameters, and to express checked assumptions about variables, types, structure fields, function parameters, and function results. In addition to the checks specifically enabled by annotations, many of the traditional lint checks are improved by exploiting this additional information. Some problems detected by LCLint include: o Violations of information hiding. A user-defined type can be declared as abstract, and a message is reported where code inappropriately depends on the representation of the type. o Inconsistent modification of caller-visible state. Functions can be annotated with information on what caller-visible state may be modified by the function, and an error is reported if the modifications produces by the function contradict its declaration. o Inconsistent use of global variables. Information on what global and file scope variables a function may use can be added to function declarations, and a message is reported if the implementation of the function uses other global variables or does not uses every global variable listed in its declaration. o Memory management errors. Instances where storage that has been deallocated is used, or where storage is not deallocated (memory leaks). o Dangerous data sharing or unexpected aliasing. Parameters to a function share storage in a way that may lead to undefined or undesired behavior, or a reference to storage within the representation of an abstract type is created. o Using possibly undefined storage or returning storage that is not completely defined (except as documented). o Dereferencing a possibly null pointer. o Dangerous macro implementations or invocations. o Violations of customizable naming conventions. o Program behavior that is undefined because it depends on order of evaluation, likely infinite loops, fall-through cases, incomplete logic, statements with no effect, ignored return values, unused declarations, and exceeding certain standard limits. LCLint checking can be customized to select what classes of errors are reported using command line flags and stylized comments in the code. For more information, please visit the LCLint home page at http://www.sds.lcs.mit.edu/lclint/