Closed gy741 closed 6 years ago
I had no idea that alloca was obsolete!
The viterbi code is dead. The other errors are probably legit.
Thanks for the report. @ampli want to take a stab at this? I was wondering if I was spending my time wisely, when I suspect you would be interested ...
@linas
Hello,
If you are interested in software security (bugs), I recommend using Coverity Scan.
Ref: https://scan.coverity.com/
Thanks.
[bindings/java-jni/jni-client.c:86]: (error) Memory leak: msg
@linas, this I leave for you...
[bindings/lisp/link-interface.cl:28]: (error) No pair for character ('). Can't process file. File is either invalid or unicode, which is currently not supported.
It is not clear why it is flagged - doesn't seem like an error.
[link-grammar/dict-common/dict-impl.c:148]: (warning) Obsolete function 'alloca' called. In C99 and later it is recommended to use a variable length array instead.
Will be converted to VLA when MSVC supports it. Meanwhile, if someone knows a platform that has a problem with alloca() as used in the LG library, please tell me (just for my knowledge). (Note that there are alloca() variants that can work when there is no conventional stack.)
[link-grammar/print/print-util.c:39]: (error) Null pointer dereference
39 mblen = mbsrtowcs(NULL, &s, 0, NULL);
This is a cppcheck problem, as mbsrtowcs() is documented to support using NULL in these positions.
[link-grammar/error.c:387]: (error) va_list 'given_features' was opened but not closed by va_end().
I suppose this is because of the possible "return" before the end. I will add va_end(given_features);
[link-grammar/print/print-util.c:183]: (error) va_list 'args' was opened but not closed by va_end().
I suppose this is because "goto err" that may skip the existing va_end(args). I will add another one in the "error:" block.
[link-grammar/sat-solver/variables.hpp:429]: (warning) Member variable 'LinkTopCWVar::label' is not initialized in the constructor.
This seems to be a FAT link leftover. I ifdefed it out (and also other link_top_cw related constructs). They should be eventually totally removed.
[link-grammar/sat-solver/word-tag.cpp:94] -> [link-grammar/sat-solver/word-tag.cpp:80]: (warning) Either the condition 'var!=NULL' is redundant or there is possible null pointer dereference: last_var.
Removed var!=NULL.
[link-grammar/tokenize/regex-tokenizer.c:802]: (error) Memory leak: callout_data.cgnum
Used for demo only. Not used at all just now. I will not fix it for now.
[link-grammar/tokenize/tokenize.c:456] -> [link-grammar/tokenize/tokenize.c:454]: (warning) Either the condition 'NULL==altp' is redundant or there is possible null pointer dereference: altp.
Initial statement order didn't support allowing a NULL argument. I changed the order.
[link-grammar/tokenize/tokenize.c:1030] -> [link-grammar/tokenize/tokenize.c:1028]: (warning) Either the condition 'NULL!=wq' is redundant or there is possible null pointer dereference: wq.
The assert() check was too late. I changed its order.
[link-grammar/tokenize/anysplit.c:289] -> [link-grammar/tokenize/anysplit.c:286]: (warning) Either the condition 'NULL!=re' is redundant or there is possible null pointer dereference: re.
A preceding lgdebug() didn't support using a NULL re. I fixed it.
[link-grammar/tokenize/tokenize.c:3259]: (warning) Assert statement modifies 'max_words'.
This is a rare case in which the incrementing side effect is desired. However, it is easy to separate it to another sentence with no harm. I moved the increment to a new sentence and added a comment that it is for the assert().
[link-grammar/tokenize/wordgraph.c:50] -> [link-grammar/tokenize/wordgraph.c:49]: (warning) Either the condition 'NULL!=gword' is redundant or there is possible null pointer dereference: gword.
This was a bug - the assert() checked the wrong variable. I fixed it.
[viterbi/disjoin.cc:123]: (error) Memory leak: junct
The files in this directory are not incorporated in the code any more.
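The two va_end() findings discussed in the comment above (an early "return", and a "goto" that jumps past the cleanup) both reduce to giving the function a single exit that every path shares. The following is an added illustration, not Link Grammar code; `feature_listed()` and `format_alloc()` are hypothetical names and the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: is `wanted` among a NULL-terminated list of strings?
 * Early-return case: leaving the loop with "return 1;" would skip va_end(),
 * so the loop breaks out and falls through to the one va_end() instead. */
int feature_listed(const char *wanted, ...)
{
    int found = 0;
    va_list given;

    va_start(given, wanted);
    for (const char *f = va_arg(given, const char *); f != NULL;
         f = va_arg(given, const char *)) {
        if (strcmp(f, wanted) == 0) {
            found = 1;
            break;              /* not "return 1;" */
        }
    }
    va_end(given);
    return found;
}

/* Hypothetical helper: printf-style formatting into a malloc'ed string.
 * goto case: every failure jumps to a label placed before the va_end()
 * calls, so no error path can bypass them. Returns NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    char *buf = NULL;
    va_list args, args2;
    int n;

    va_start(args, fmt);
    va_copy(args2, args);       /* the sizing pass consumes `args` */

    n = vsnprintf(NULL, 0, fmt, args);
    if (n < 0)
        goto done;              /* encoding error */

    buf = malloc((size_t)n + 1);
    if (buf == NULL)
        goto done;              /* allocation failure */

    if (vsnprintf(buf, (size_t)n + 1, fmt, args2) != n) {
        free(buf);
        buf = NULL;
    }

done:
    va_end(args2);              /* va_copy() needs its own va_end() */
    va_end(args);
    return buf;
}

int main(void)
{
    /* Constructed inputs. */
    char *msg = format_alloc("%s:%d", "example.c", 42);
    if (msg == NULL)
        return 1;
    printf("%s listed=%d\n", msg,
           feature_listed("sat", "viterbi", "sat", (const char *)NULL));
    free(msg);
    return 0;
}
```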
@linas @ampli
Hello,
I brought additional analytical information through PVS-Studio.
PR was merged and analyzed.
The documentation for all analyzer warnings is available here: www.viva64.com/en/w
Please review.
Thanks.
/home/karas/link-grammar/minisat/minisat/mtl/Vec.h 103 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'data' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/minisat/minisat/mtl/Alg.h 39 err V529 Odd semicolon ';' after 'for' operator.
/home/karas/link-grammar/minisat/minisat/mtl/Map.h 158 err V529 Odd semicolon ';' after 'for' operator.
/home/karas/link-grammar/minisat/minisat/core/Solver.cc 89 err V670 The uninitialized class member 'ca' is used to initialize the 'watches' member. Remember that members are initialized in the order of their declarations inside a class.
/home/karas/link-grammar/minisat/minisat/core/Solver.cc 56 err V730 Not all members of a class are initialized inside the constructor. Consider inspecting: max_learnts, learntsize_adjust_confl, learntsize_adjust_cnt.
/home/karas/link-grammar/sat-solver/util.cpp 63 warn V522 There might be dereferencing of a potential null pointer 'flist'. Check lines: 63, 62.
/home/karas/link-grammar/sat-solver/util.cpp 68 warn V522 There might be dereferencing of a potential null pointer 'elist'. Check lines: 68, 67.
/home/karas/link-grammar/sat-solver/variables.hpp 433 err V730 Not all members of a class are initialized inside the constructor. Consider inspecting: label.
/home/karas/link-grammar/sat-solver/word-tag.hpp 31 warn V547 Expression 'word_xnode' is always false.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 473 warn V522 There might be dereferencing of a potential null pointer 'new_node'. Check lines: 473, 472.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 485 warn V522 There might be dereferencing of a potential null pointer 'exp'. Check lines: 485, 484.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 510 warn V764 Possible incorrect order of arguments passed to 'link_cw' function: 'wj' and 'wi'.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1427 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1427, 1426.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1526 warn V774 The 'linkage' pointer was used after the memory was released.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1527 warn V586 The 'free' function is called twice for deallocation of the same memory space.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1754 warn V522 There might be dereferencing of a potential null pointer 'e'. Check lines: 1754, 1753.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1768 err V641 The size of the allocated memory buffer is not a multiple of the element size.
/home/karas/link-grammar/sat-solver/sat-encoder.cpp 1770 err V641 The size of the allocated memory buffer is not a multiple of the element size.
/home/karas/link-grammar/api.c 117 warn V522 There might be dereferencing of a potential null pointer 'po'. Check lines: 117, 110.
/home/karas/link-grammar/api.c 459 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 459, 458.
/home/karas/link-grammar/disjunct-utils.c 225 warn V522 There might be dereferencing of a potential null pointer 'new_e'. Check lines: 225, 224.
/home/karas/link-grammar/disjunct-utils.c 242 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 242, 224.
/home/karas/link-grammar/error.c 48 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'lge' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/error.c 49 warn V522 There might be dereferencing of a potential null pointer 'lge'. Check lines: 49, 48.
/home/karas/link-grammar/error.c 373 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/error.c 382 warn V547 Expression 'NULL == dir_sep' is always true.
/home/karas/link-grammar/post-process/pp_linkset.c 71 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 71, 70.
/home/karas/link-grammar/post-process/pp_linkset.c 39 warn V522 Dereferencing of the null pointer 'ls' might take place. The potential null pointer is passed into 'initialize' function. Inspect the first argument. Check lines: 39, 82, 81.
/home/karas/link-grammar/string-set.c 89 warn V522 There might be dereferencing of a potential null pointer 'ss'. Check lines: 89, 86.
/home/karas/link-grammar/string-set.c 91 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 91, 90.
/home/karas/link-grammar/string-set.c 124 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 124, 123.
/home/karas/link-grammar/string-set.c 160 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 160, 158.
/home/karas/link-grammar/utilities.c 438 warn V522 There might be dereferencing of a potential null pointer 'ds'. Check lines: 438, 437.
/home/karas/link-grammar/utilities.c 441 warn V522 There might be dereferencing of a potential null pointer 'ds->str'. Check lines: 441, 440.
/home/karas/link-grammar/utilities.c 464 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'ds->str' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/dict-common/dict-common.c 92 warn V547 Expression 'NULL == dictionary' is always true.
/home/karas/link-grammar/dict-common/dict-utils.c 71 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 71, 70.
/home/karas/link-grammar/dict-common/dict-utils.c 83 warn V522 There might be dereferencing of a potential null pointer 'nl'. Check lines: 83, 82.
/home/karas/link-grammar/dict-common/file-utils.c 63 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 63, 61.
/home/karas/link-grammar/dict-common/file-utils.c 340 warn V522 There might be dereferencing of a potential null pointer 'p'. Check lines: 340, 336.
/home/karas/link-grammar/dict-common/dict-impl.c 273 warn V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 273, 272.
/home/karas/link-grammar/dict-common/dict-impl.c 378 warn V522 There might be dereferencing of a potential null pointer 'dict->afdict_class'. Check lines: 378, 375.
/home/karas/link-grammar/dict-common/dict-impl.c 617 warn V522 There might be dereferencing of a potential null pointer 'sm_re'. Check lines: 617, 600.
/home/karas/link-grammar/dict-common/idiom.c 165 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 165, 164.
/home/karas/link-grammar/dict-common/idiom.c 177 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 177, 176.
/home/karas/link-grammar/dict-common/idiom.c 179 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 179, 176.
/home/karas/link-grammar/dict-common/idiom.c 279 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 279, 278.
/home/karas/link-grammar/dict-common/idiom.c 280 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 280, 279.
/home/karas/link-grammar/dict-common/print-dict.c 127 warn V560 A part of conditional expression is always true: el.
/home/karas/link-grammar/dict-common/regex-morph.c 45 warn V575 The potential null pointer is passed into 'regerror' function. Inspect the third argument. Check lines: 45, 39.
/home/karas/link-grammar/dict-common/regex-morph.c 74 warn V575 The potential null pointer is passed into 'regcomp' function. Inspect the first argument. Check lines: 74, 67.
/home/karas/link-grammar/dict-file/dictionary.c 67 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/dict-file/dictionary.c 120 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 120, 119.
/home/karas/link-grammar/dict-file/read-regex.c 162 warn V522 There might be dereferencing of a potential null pointer 'new_re'. Check lines: 162, 161.
/home/karas/link-grammar/dict-file/read-regex.c 99 warn V557 Array overrun is possible. The value of 'i' index could reach 50.
/home/karas/link-grammar/dict-file/read-dict.c 266 err V739 EOF should not be compared with a value of the 'char' type. The 'dict->already_got_it' should be of the 'int' type.
/home/karas/link-grammar/dict-file/read-dict.c 640 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 640, 558.
/home/karas/link-grammar/dict-file/read-dict.c 718 warn V522 There might be dereferencing of a potential null pointer 'stmp'. Check lines: 718, 713.
/home/karas/link-grammar/dict-file/read-dict.c 753 warn V522 There might be dereferencing of a potential null pointer 'e'. Check lines: 753, 752.
/home/karas/link-grammar/dict-file/read-dict.c 765 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 765, 752.
/home/karas/link-grammar/dict-file/read-dict.c 779 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 779, 752.
/home/karas/link-grammar/dict-file/read-dict.c 797 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 797, 752.
/home/karas/link-grammar/dict-file/read-dict.c 801 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 801, 800.
/home/karas/link-grammar/dict-file/read-dict.c 802 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 802, 801.
/home/karas/link-grammar/dict-file/read-dict.c 819 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 819, 752.
/home/karas/link-grammar/dict-file/read-dict.c 823 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 823, 822.
/home/karas/link-grammar/dict-file/read-dict.c 824 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 824, 823.
/home/karas/link-grammar/dict-file/read-dict.c 850 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 850, 752.
/home/karas/link-grammar/dict-file/read-dict.c 969 warn V522 There might be dereferencing of a potential null pointer 'zn'. Check lines: 969, 752.
/home/karas/link-grammar/dict-file/read-dict.c 978 warn V522 There might be dereferencing of a potential null pointer 'flist'. Check lines: 978, 977.
/home/karas/link-grammar/dict-file/read-dict.c 983 warn V522 There might be dereferencing of a potential null pointer 'elist'. Check lines: 983, 982.
/home/karas/link-grammar/dict-file/read-dict.c 988 warn V522 There might be dereferencing of a potential null pointer 'an'. Check lines: 988, 752.
/home/karas/link-grammar/dict-file/read-dict.c 1578 warn V769 The 'dict_name' pointer in the 'dict_name + skip_slash' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 1578, 1569.
/home/karas/link-grammar/dict-file/read-dict.c 1619 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 1619, 558.
/home/karas/link-grammar/dict-file/read-dict.c 1623 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 1623, 558.
/home/karas/link-grammar/dict-file/word-file.c 38 warn V560 A part of conditional expression is always false: 127 < dp.
/home/karas/link-grammar/dict-file/word-file.c 100 warn V522 There might be dereferencing of a potential null pointer 'wf'. Check lines: 100, 99.
/home/karas/link-grammar/dict-file/word-file.c 113 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 113, 112.
/home/karas/link-grammar/dict-file/word-file.c 115 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 115, 112.
/home/karas/link-grammar/linkage/freeli.c 75 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 75, 74.
/home/karas/link-grammar/linkage/lisjuncts.c 90 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 90, 89.
/home/karas/link-grammar/linkage/linkage.c 457 warn V522 There might be dereferencing of a potential null pointer 'join'. Check lines: 457, 455.
/home/karas/link-grammar/linkage/linkage.c 373 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/linkage/linkage.c 403 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/linkage/linkage.c 536 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/linkage/linkage.c 579 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/linkage/sane.c 383 warn V547 Expression 'NULL != wpp->word' is always false.
/home/karas/link-grammar/parse/fast-match.c 79 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'ctxt->match_list' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/parse/extract-links.c 198 warn V756 The 'i' counter is not used inside a nested loop. Consider inspecting usage of 't' counter.
/home/karas/link-grammar/parse/extract-links.c 641 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'lkg->link_array' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/parse/count.c 59 warn V756 The 'i' counter is not used inside a nested loop. Consider inspecting usage of 't' counter.
/home/karas/link-grammar/parse/count.c 430 err V595 The 'le' pointer was utilized before it was verified against nullptr. Check lines: 430, 438.
/home/karas/link-grammar/parse/preparation.c 132 warn V756 The 'w' counter is not used inside a nested loop. Consider inspecting usage of 'd' counter.
/home/karas/link-grammar/parse/parse.c 39 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 39, 38.
/home/karas/link-grammar/parse/prune.c 1089 warn V560 A part of conditional expression is always false: ((5) <= 4).
/home/karas/link-grammar/parse/prune.c 1089 warn V560 A part of conditional expression is always true: (verbosity > 4).
/home/karas/link-grammar/post-process/post-process.c 384 warn V560 A part of conditional expression is always true: count == 0.
/home/karas/link-grammar/post-process/post-process.c 505 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->word_links' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/post-process/post-process.c 518 warn V522 There might be dereferencing of a potential null pointer 'lol'. Check lines: 518, 517.
/home/karas/link-grammar/post-process/post-process.c 552 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->domain_array' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/post-process/post-process.c 554 warn V522 There might be dereferencing of a potential null pointer 'pp_data->domain_array'. Check lines: 554, 552.
/home/karas/link-grammar/post-process/post-process.c 572 warn V522 There might be dereferencing of a potential null pointer 'lol'. Check lines: 572, 570.
/home/karas/link-grammar/post-process/post-process.c 806 warn V522 There might be dereferencing of a potential null pointer 'dtl'. Check lines: 806, 805.
/home/karas/link-grammar/post-process/post-process.c 920 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 920, 919.
/home/karas/link-grammar/post-process/post-process.c 935 warn V522 There might be dereferencing of a potential null pointer 'pp'. Check lines: 935, 934.
/home/karas/link-grammar/post-process/post-process.c 945 warn V522 There might be dereferencing of a potential null pointer 'pp->relevant_contains_one_rules'. Check lines: 945, 940.
/home/karas/link-grammar/post-process/post-process.c 946 warn V522 There might be dereferencing of a potential null pointer 'pp->relevant_contains_none_rules'. Check lines: 946, 943.
/home/karas/link-grammar/post-process/post-process.c 956 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 956, 955.
/home/karas/link-grammar/post-process/post-process.c 963 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 963, 962.
/home/karas/link-grammar/post-process/post-process.c 1089 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->visited' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/post-process/post-process.c 1275 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1275, 1274.
/home/karas/link-grammar/post-process/post-process.c 1286 warn V522 There might be dereferencing of a potential null pointer 'dtl'. Check lines: 1286, 1285.
/home/karas/link-grammar/post-process/post-process.c 1314 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1314, 1313.
/home/karas/link-grammar/post-process/post-process.c 1320 warn V522 There might be dereferencing of a potential null pointer 'dta'. Check lines: 1320, 1274.
/home/karas/link-grammar/post-process/pp_knowledge.c 97 warn V522 There might be dereferencing of a potential null pointer 'k->starting_link_lookup_table'. Check lines: 97, 93.
/home/karas/link-grammar/post-process/pp_knowledge.c 213 warn V522 There might be dereferencing of a potential null pointer 'k->form_a_cycle_rules'. Check lines: 213, 200.
/home/karas/link-grammar/post-process/pp_knowledge.c 259 warn V522 There might be dereferencing of a potential null pointer 'k->bounded_rules'. Check lines: 259, 248.
/home/karas/link-grammar/post-process/pp_knowledge.c 400 warn V522 There might be dereferencing of a potential null pointer 'k'. Check lines: 400, 399.
/home/karas/link-grammar/post-process/constituents.c 1137 warn V522 There might be dereferencing of a potential null pointer 'cn'. Check lines: 1137, 1136.
/home/karas/link-grammar/post-process/constituents.c 1171 err V522 Dereferencing of the null pointer 'last_child' might take place.
/home/karas/link-grammar/prepare/expand.c 56 warn V547 Expression 'dx' is always false.
/home/karas/link-grammar/print/print-util.c 89 err V575 The null pointer is passed into 'mbrtowc' function. Inspect the fourth argument.
/home/karas/link-grammar/print/print-util.c 114 err V575 The null pointer is passed into 'mbrtowc' function. Inspect the fourth argument.
/home/karas/link-grammar/print/print-util.c 189 err V530 The return value of function 'abs' is required to be utilized.
/home/karas/link-grammar/print/print.c 438 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* start' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/print/print.c 439 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* pic' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/print/print.c 440 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* xpic' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/print/print.c 448 warn V769 The 'picmem' pointer in the 'picmem + max_bytes' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 448, 445.
/home/karas/link-grammar/print/print.c 683 warn V547 Expression 'display_short' is always true.
/home/karas/link-grammar/tokenize/anysplit.c 288 err V522 Dereferencing of the null pointer 're' might take place.
/home/karas/link-grammar/tokenize/anysplit.c 319 warn V522 There might be dereferencing of a potential null pointer 'new_re'. Check lines: 319, 318.
/home/karas/link-grammar/print/print-util.h 37 warn V522 Dereferencing of the null pointer 's' might take place. The potential null pointer is passed into 'patch_subscript_mark' function. Inspect the first argument. Check lines: 'print-util.h:37', 'anysplit.c:328', 'anysplit.c:324'.
/home/karas/link-grammar/tokenize/anysplit.c 383 warn V522 There might be dereferencing of a potential null pointer 'as'. Check lines: 383, 382.
/home/karas/link-grammar/tokenize/anysplit.c 512 warn V547 Expression 'sample_point < 0' is always false.
/home/karas/link-grammar/tokenize/wordgraph.c 31 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 31, 29.
/home/karas/link-grammar/tokenize/wordgraph.c 62 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'arr' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/tokenize/wordgraph.c 63 warn V522 There might be dereferencing of a potential null pointer 'arr'. Check lines: 63, 62.
/home/karas/link-grammar/tokenize/wordgraph.c 132 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'wp' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/tokenize/wordgraph.c 133 warn V522 There might be dereferencing of a potential null pointer 'wp'. Check lines: 133, 132.
/home/karas/link-grammar/tokenize/wordgraph.c 317 warn V522 There might be dereferencing of a potential null pointer 'hier_position'. Check lines: 317, 314.
/home/karas/link-grammar/tokenize/tokenize.c 163 warn V575 The 'strnlen' function processes '(len) = [-1..4]' elements. Inspect the second argument.
/home/karas/link-grammar/tokenize/tokenize.c 244 warn V522 There might be dereferencing of a potential null pointer 'wq_element'. Check lines: 244, 235.
/home/karas/link-grammar/tokenize/tokenize.c 961 warn V519 The 'subword->start' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 960, 961.
/home/karas/link-grammar/tokenize/tokenize.c 1069 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'arr' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/tokenize/tokenize.c 1070 warn V522 There might be dereferencing of a potential null pointer 'arr'. Check lines: 1070, 1069.
/home/karas/link-grammar/tokenize/tokenize.c 2025 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/tokenize/tokenize.c 2166 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
/home/karas/link-grammar/tokenize/tokenize.c 2555 warn V560 A part of conditional expression is always true: dict->affix_table.
/home/karas/link-grammar/tokenize/tokenize.c 2555 warn V560 A part of conditional expression is always true: dict->affix_table->anysplit.
/home/karas/link-grammar/tokenize/tokenize.c 2555 warn V571 Recurring check. The 'dict->affix_table' condition was already verified in line 2554.
/home/karas/link-grammar/tokenize/tokenize.c 2623 err V547 Expression ''\\0' == downcase[0]' is always true.
/home/karas/link-grammar/tokenize/tokenize.c 3014 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'sent->word' is lost. Consider assigning realloc() to a temporary pointer.
/home/karas/link-grammar/tokenize/tokenize.c 3015 warn V522 There might be dereferencing of a potential null pointer 'sent->word'. Check lines: 3015, 3014.
/home/karas/link-grammar/tokenize/tokenize.c 3285 err V522 Dereferencing of the null pointer 'wg_word' might take place.
/home/karas/link-parser/command-line.c 562 warn V522 There might be dereferencing of a potential null pointer 'co'. Check lines: 562, 561.
/home/karas/link-parser/link-parser.c 193 warn V768 The expression 'mode = copts->display_constituents' is of enum type. It is odd that it is used as an expression of a Boolean-type.
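The most frequent pairing in the list above is V701 on a `p = realloc(p, ...)` line followed by V522 on the next line. The following is an added illustration of the temporary-pointer form the V701 message recommends, not code from Link Grammar or minisat; `int_vec`, `vec_reserve()`, `vec_push()` and the always-failing `failing_realloc()` hook are hypothetical names used so the failure path can be exercised deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef void *(*realloc_fn)(void *, size_t);

/* Constructed test hook: an allocator that always reports failure. */
void *failing_realloc(void *p, size_t n)
{
    (void)p;
    (void)n;
    return NULL;
}

typedef struct {
    int *data;
    size_t len;
    size_t cap;
} int_vec;

/* Grow v so it can hold at least new_cap elements.
 * Returns 0 on success, -1 on failure. On failure v is left untouched:
 * it still owns its old buffer and its old contents. */
int vec_reserve(int_vec *v, size_t new_cap, realloc_fn re)
{
    if (new_cap <= v->cap)
        return 0;
    if (new_cap > SIZE_MAX / sizeof *v->data)
        return -1;              /* byte count would overflow size_t */

    /* Flagged form: v->data = re(v->data, ...);
     * On failure that stores NULL over the only pointer to the old block
     * (the leak, V701) and the next access dereferences NULL (V522). */
    int *tmp = re(v->data, new_cap * sizeof *v->data);
    if (tmp == NULL)
        return -1;

    v->data = tmp;
    v->cap = new_cap;
    return 0;
}

/* Append x, doubling the capacity when full. Returns 0 or -1. */
int vec_push(int_vec *v, int x, realloc_fn re)
{
    if (v->len == v->cap) {
        if (v->cap > SIZE_MAX / 2)
            return -1;
        if (vec_reserve(v, v->cap ? v->cap * 2 : 4, re) != 0)
            return -1;
    }
    v->data[v->len++] = x;
    return 0;
}

void vec_free(int_vec *v)
{
    free(v->data);
    v->data = NULL;
    v->len = v->cap = 0;
}

int main(void)
{
    int_vec v = {0};

    for (int i = 0; i < 4; i++)
        if (vec_push(&v, i, realloc) != 0)
            return 1;

    /* Simulated out-of-memory: the push fails, the vector survives. */
    int rc = vec_push(&v, 4, failing_realloc);
    printf("push under failure: %d, len=%zu, last=%d\n",
           rc, v.len, v.data[v.len - 1]);

    vec_free(&v);
    return 0;
}
```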
Hello @gy741, Many thanks for this list (and the previous one). Here are the results of my review. I will send the PR tomorrow. I marked the start of each line with the review resolution.
Legend | Meaning |
---|---|
EXTERNAL | External program - not fixed. For realloc() fix see MALLOC below. |
MALLOC | Ignored. Currently the allocation results are not checked, and the library is designed to fault on a NULL dereference read. A "global" fix is to be introduced using a malloc/realloc wrapper, in which the small allocations will not be able to fail, and the big ones will use longjmp on failure, so the library will never fault on NULL dereference or lose memory due to a failed allocation. |
FP | False positive (actually fine). |
FPF | False positive that maybe can be fixed in order to be removed from such lists. |
BUG | Bug (fixed). Not particularly harmful. |
BUG! or BUG!!! | Bad bug! (fixed). One of them (BUG!!!) created in the cppcheck fix... |
FALSE | The error analysis that found a problem seems to be incorrect. |
TRUE | Analysis is correct. Action taken. |
COMMENTED-OUT & MARKED FOR REVIEW | The analysis is true. A review is needed in case something else was intended (but it seems a leftover from an unpublished initial code change). |
? ??? | Not clear why it is flagged as a problem (if someone knows - please advise). |
MAYBE | Maybe there is a problem - it depends on the algo correctness. Maybe an assert() can be added. |
EXTERNAL minisat/mtl/Vec.h 103 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'data' is lost. Consider assigning realloc() to a temporary pointer.
EXTERNAL minisat/mtl/Alg.h 39 err V529 Odd semicolon ';' after 'for' operator.
EXTERNAL minisat/minisat/mtl/Map.h 158 err V529 Odd semicolon ';' after 'for' operator.
EXTERNAL minisat/core/Solver.cc 89 err V670 The uninitialized class member 'ca' is used to initialize the 'watches' member. Remember that members are initialized in the order of their declarations inside a class.
EXTERNAL minisat/minisat/core/Solver.cc 56 err V730 Not all members of a class are initialized inside the constructor. Consider inspecting: max_learnts, learntsize_adjust_confl, learntsize_adjust_cnt.
MALLOC util.cpp 63 warn V522 There might be dereferencing of a potential null pointer 'flist'. Check lines: 63, 62.
MALLOC util.cpp 68 warn V522 There might be dereferencing of a potential null pointer 'elist'. Check lines: 68, 67.
cleanup6 variables.hpp 433 err V730 Not all members of a class are initialized inside the constructor. Consider inspecting: label.
FPF word-tag.hpp 31 warn V547 Expression 'word_xnode' is always false.
MALLOC sat-encoder.cpp 473 warn V522 There might be dereferencing of a potential null pointer 'new_node'. Check lines: 473, 472.
MALLOC sat-encoder.cpp 485 warn V522 There might be dereferencing of a potential null pointer 'exp'. Check lines: 485, 484.
FP sat-encoder.cpp 510 warn V764 Possible incorrect order of arguments passed to 'link_cw' function: 'wj' and 'wi'.
MALLOC sat-encoder.cpp 1427 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1427, 1426.
FP sat-encoder.cpp 1526 warn V774 The 'linkage' pointer was used after the memory was released.
FP sat-encoder.cpp 1527 warn V586 The 'free' function is called twice for deallocation of the same memory space.
MALLOC sat-encoder.cpp 1754 warn V522 There might be dereferencing of a potential null pointer 'e'. Check lines: 1754, 1753.
BUG sat-encoder.cpp 1768 err V641 The size of the allocated memory buffer is not a multiple of the element size.
? sat-encoder.cpp 1770 err V641 The size of the allocated memory buffer is not a multiple of the element size.
MALLOC api.c 117 warn V522 There might be dereferencing of a potential null pointer 'po'. Check lines: 117, 110.
MALLOC api.c 459 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 459, 458.
MALLOC disjunct-utils.c 225 warn V522 There might be dereferencing of a potential null pointer 'new_e'. Check lines: 225, 224.
MALLOC disjunct-utils.c 242 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 242, 224.
MALLOC error.c 48 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'lge' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC error.c 49 warn V522 There might be dereferencing of a potential null pointer 'lge'. Check lines: 49, 48.
FP error.c 373 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
FP error.c 382 warn V547 Expression 'NULL == dir_sep' is always true.
MALLOC pp_linkset.c 71 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 71, 70.
MALLOC pp_linkset.c 39 warn V522 Dereferencing of the null pointer 'ls' might take place. The potential null pointer is passed into 'initialize' function. Inspect the first argument. Check lines: 39, 82, 81.
MALLOC string-set.c 89 warn V522 There might be dereferencing of a potential null pointer 'ss'. Check lines: 89, 86.
MALLOC string-set.c 91 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 91, 90.
MALLOC string-set.c 124 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 124, 123.
MALLOC string-set.c 160 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 160, 158.
MALLOC utilities.c 438 warn V522 There might be dereferencing of a potential null pointer 'ds'. Check lines: 438, 437.
MALLOC utilities.c 441 warn V522 There might be dereferencing of a potential null pointer 'ds->str'. Check lines: 441, 440.
MALLOC utilities.c 464 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'ds->str' is lost. Consider assigning realloc() to a temporary pointer.
FALSE dict-common.c 92 warn V547 Expression 'NULL == dictionary' is always true.
MALLOC dict-utils.c 71 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 71, 70.
MALLOC dict-utils.c 83 warn V522 There might be dereferencing of a potential null pointer 'nl'. Check lines: 83, 82.
MALLOC file-utils.c 63 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 63, 61.
MALLOC file-utils.c 340 warn V522 There might be dereferencing of a potential null pointer 'p'. Check lines: 340, 336.
MALLOC dict-impl.c 273 warn V575 The potential null pointer is passed into 'strchr' function. Inspect the first argument. Check lines: 273, 272.
MALLOC dict-impl.c 378 warn V522 There might be dereferencing of a potential null pointer 'dict->afdict_class'. Check lines: 378, 375.
MALLOC dict-impl.c 617 warn V522 There might be dereferencing of a potential null pointer 'sm_re'. Check lines: 617, 600.
MALLOC idiom.c 165 warn V575 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 165, 164.
MALLOC idiom.c 177 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 177, 176.
MALLOC idiom.c 179 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 179, 176.
MALLOC idiom.c 279 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 279, 278.
MALLOC idiom.c 280 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 280, 279.
FIXED print-dict.c 127 warn V560 A part of conditional expression is always true: el.
MALLOC regex-morph.c 45 warn V575 The potential null pointer is passed into 'regerror' function. Inspect the third argument. Check lines: 45, 39.
MALLOC regex-morph.c 74 warn V575 The potential null pointer is passed into 'regcomp' function. Inspect the first argument. Check lines: 74, 67.
FP dictionary.c 67 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
MALLOC dictionary.c 120 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 120, 119.
MALLOC read-regex.c 162 warn V522 There might be dereferencing of a potential null pointer 'new_re'. Check lines: 162, 161.
BUG! read-regex.c 99 warn V557 Array overrun is possible. The value of 'i' index could reach 50.
BUG read-dict.c 266 err V739 EOF should not be compared with a value of the 'char' type. The 'dict->already_got_it' should be of the 'int' type.
MALLOC read-dict.c 640 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 640, 558.
MALLOC read-dict.c 718 warn V522 There might be dereferencing of a potential null pointer 'stmp'. Check lines: 718, 713.
MALLOC read-dict.c 753 warn V522 There might be dereferencing of a potential null pointer 'e'. Check lines: 753, 752.
MALLOC read-dict.c 765 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 765, 752.
MALLOC read-dict.c 779 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 779, 752.
MALLOC read-dict.c 797 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 797, 752.
MALLOC read-dict.c 801 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 801, 800.
MALLOC read-dict.c 802 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 802, 801.
MALLOC read-dict.c 819 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 819, 752.
MALLOC read-dict.c 823 warn V522 There might be dereferencing of a potential null pointer 'ell'. Check lines: 823, 822.
MALLOC read-dict.c 824 warn V522 There might be dereferencing of a potential null pointer 'elr'. Check lines: 824, 823.
MALLOC read-dict.c 850 warn V522 There might be dereferencing of a potential null pointer 'n'. Check lines: 850, 752.
MALLOC read-dict.c 969 warn V522 There might be dereferencing of a potential null pointer 'zn'. Check lines: 969, 752.
MALLOC read-dict.c 978 warn V522 There might be dereferencing of a potential null pointer 'flist'. Check lines: 978, 977.
MALLOC read-dict.c 983 warn V522 There might be dereferencing of a potential null pointer 'elist'. Check lines: 983, 982.
MALLOC read-dict.c 988 warn V522 There might be dereferencing of a potential null pointer 'an'. Check lines: 988, 752.
MALLOC read-dict.c 1578 warn V769 The 'dict_name' pointer in the 'dict_name + skip_slash' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 1578, 1569.
MALLOC read-dict.c 1619 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 1619, 558.
MALLOC read-dict.c 1623 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 1623, 558.
OK word-file.c 38 warn V560 A part of conditional expression is always false: 127 < dp.
MALLOC word-file.c 100 warn V522 There might be dereferencing of a potential null pointer 'wf'. Check lines: 100, 99.
MALLOC word-file.c 113 warn V522 There might be dereferencing of a potential null pointer 'dn_new'. Check lines: 113, 112.
MALLOC word-file.c 115 warn V522 There might be dereferencing of a potential null pointer 'dn'. Check lines: 115, 112.
MALLOC freeli.c 75 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 75, 74.
MALLOC lisjuncts.c 90 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 90, 89.
MALLOC linkage.c 457 warn V522 There might be dereferencing of a potential null pointer 'join'. Check lines: 457, 455.
FP linkage.c 373 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
FP linkage.c 403 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
FP linkage.c 536 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
FP linkage.c 579 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
COMMENTED-OUT & MARKED FOR REVIEW sane.c 383 warn V547 Expression 'NULL != wpp->word' is always false.
MALLOC fast-match.c 79 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'ctxt->match_list' is lost. Consider assigning realloc() to a temporary pointer.
OK extract-links.c 198 warn V756 The 'i' counter is not used inside a nested loop. Consider inspecting usage of 't' counter.
MALLOC extract-links.c 641 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'lkg->link_array' is lost. Consider assigning realloc() to a temporary pointer.
OK count.c 59 warn V756 The 'i' counter is not used inside a nested loop. Consider inspecting usage of 't' counter.
FP count.c 430 err V595 The 'le' pointer was utilized before it was verified against nullptr. Check lines: 430, 438.
OK preparation.c 132 warn V756 The 'w' counter is not used inside a nested loop. Consider inspecting usage of 'd' counter.
MALLOC parse.c 39 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 39, 38.
FP (macro expansion) prune.c 1089 warn V560 A part of conditional expression is always false: ((5) <= 4).
FP (macro expansion) prune.c 1089 warn V560 A part of conditional expression is always true: (verbosity > 4).
FALSE post-process.c 384 warn V560 A part of conditional expression is always true: count == 0.
MALLOC post-process.c 505 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->word_links' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC post-process.c 518 warn V522 There might be dereferencing of a potential null pointer 'lol'. Check lines: 518, 517.
MALLOC post-process.c 552 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->domain_array' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC post-process.c 554 warn V522 There might be dereferencing of a potential null pointer 'pp_data->domain_array'. Check lines: 554, 552.
MALLOC post-process.c 572 warn V522 There might be dereferencing of a potential null pointer 'lol'. Check lines: 572, 570.
MALLOC /post-process.c 806 warn V522 There might be dereferencing of a potential null pointer 'dtl'. Check lines: 806, 805.
MALLOC /post-process.c 920 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 920, 919.
MALLOC /post-process.c 935 warn V522 There might be dereferencing of a potential null pointer 'pp'. Check lines: 935, 934.
MALLOC /post-process.c 945 warn V522 There might be dereferencing of a potential null pointer 'pp->relevant_contains_one_rules'. Check lines: 945, 940.
MALLOC /post-process.c 946 warn V522 There might be dereferencing of a potential null pointer 'pp->relevant_contains_none_rules'. Check lines: 946, 943.
MALLOC /post-process.c 956 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 956, 955.
MALLOC /post-process.c 963 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 963, 962.
MALLOC /post-process.c 1089 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'pp_data->visited' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /post-process.c 1275 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1275, 1274.
MALLOC /post-process.c 1286 warn V522 There might be dereferencing of a potential null pointer 'dtl'. Check lines: 1286, 1285.
MALLOC /post-process.c 1314 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 1314, 1313.
MALLOC /post-process.c 1320 warn V522 There might be dereferencing of a potential null pointer 'dta'. Check lines: 1320, 1274.
/home/karas/link-grammar/post-process/pp_knowledge.c 97 warn V522 There might be dereferencing of a potential null pointer 'k->starting_link_lookup_table'. Check lines: 97, 93.
/home/karas/link-grammar/post-process/pp_knowledge.c 213 warn V522 There might be dereferencing of a potential null pointer 'k->form_a_cycle_rules'. Check lines: 213, 200.
/home/karas/link-grammar/post-process/pp_knowledge.c 259 warn V522 There might be dereferencing of a potential null pointer 'k->bounded_rules'. Check lines: 259, 248.
/home/karas/link-grammar/post-process/pp_knowledge.c 400 warn V522 There might be dereferencing of a potential null pointer 'k'. Check lines: 400, 399.
/home/karas/link-grammar/post-process/constituents.c 1137 warn V522 There might be dereferencing of a potential null pointer 'cn'. Check lines: 1137, 1136.
MAYBE constituents.c 1171 err V522 Dereferencing of the null pointer 'last_child' might take place.
OK (USE_CORPUS not defined) /home/karas/link-grammar/prepare/expand.c 56 warn V547 Expression 'dx' is always false.
OK print-util.c 89 err V575 The null pointer is passed into 'mbrtowc' function. Inspect the fourth argument.
OK print-util.c 114 err V575 The null pointer is passed into 'mbrtowc' function. Inspect the fourth argument.
OK (tricky macro) print-util.c 189 err V530 The return value of function 'abs' is required to be utilized.
MALLOC /print.c 438 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* start' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /print.c 439 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* pic' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /print.c 440 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer '* xpic' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /print.c 448 warn V769 The 'picmem' pointer in the 'picmem + max_bytes' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 448, 445.
OK (as intended) /home/karas/link-grammar/print/print.c 683 warn V547 Expression 'display_short' is always true.
BUG!!! anysplit.c 288 err V522 Dereferencing of the null pointer 're' might take place.
MALLOC anysplit.c 319 warn V522 There might be dereferencing of a potential null pointer 'new_re'. Check lines: 319, 318.
MALLOC print-util.h 37 warn V522 Dereferencing of the null pointer 's' might take place. The potential null pointer is passed into 'patch_subscript_mark' function. Inspect the first argument. Check lines: 'print-util.h:37', 'anysplit.c:328', 'anysplit.c:324'.
MALLOC anysplit.c 383 warn V522 There might be dereferencing of a potential null pointer 'as'. Check lines: 383, 382.
OK (as designed) anysplit.c 512 warn V547 Expression 'sample_point < 0' is always false.
MALLOC /wordgraph.c 31 warn V575 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 31, 29.
MALLOC /wordgraph.c 62 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'arr' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /wordgraph.c 63 warn V522 There might be dereferencing of a potential null pointer 'arr'. Check lines: 63, 62.
MALLOC /wordgraph.c 132 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'wp' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC /wordgraph.c 133 warn V522 There might be dereferencing of a potential null pointer 'wp'. Check lines: 133, 132.
MALLOC /wordgraph.c 317 warn V522 There might be dereferencing of a potential null pointer 'hier_position'. Check lines: 317, 314.
??? (tricky macro?) tokenize.c 163 warn V575 The 'strnlen' function processes '(len) = [-1..4]' elements. Inspect the second argument.
MALLOC tokenize.c 244 warn V522 There might be dereferencing of a potential null pointer 'wq_element'. Check lines: 244, 235.
BUG! tokenize.c 961 warn V519 The 'subword->start' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 960, 961.
MALLOC tokenize.c 1069 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'arr' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC tokenize.c 1070 warn V522 There might be dereferencing of a potential null pointer 'arr'. Check lines: 1070, 1069.
FP tokenize.c 2025 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
FP tokenize.c 2166 warn V505 The 'alloca' function is used inside the loop. This can quickly overflow stack.
TRUE (removed) tokenize.c 2555 warn V560 A part of conditional expression is always true: dict->affix_table.
TRUE (removed) tokenize.c 2555 warn V560 A part of conditional expression is always true: dict->affix_table->anysplit.
TRUE (removed) tokenize.c 2555 warn V571 Recurring check. The 'dict->affix_table' condition was already verified in line 2554.
TRUE (but left intact, since the code here may change again) tokenize.c 2623 err V547 Expression ''\\0' == downcase[0]' is always true.
MALLOC tokenize.c 3014 warn V701 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'sent->word' is lost. Consider assigning realloc() to a temporary pointer.
MALLOC tokenize.c 3015 warn V522 There might be dereferencing of a potential null pointer 'sent->word'. Check lines: 3015, 3014.
FP tokenize.c 3285 err V522 Dereferencing of the null pointer 'wg_word' might take place.
MALLOC command-line.c 562 warn V522 There might be dereferencing of a potential null pointer 'co'. Check lines: 562, 561.
OK link-parser.c 193 warn V768 The expression 'mode = copts->display_constituents' is of enum type. It is odd that it is used as an expression of a Boolean-type.
I also ran scan-build, the static analyzer of clang.
Recently I also did it and fixed several problems it pointed out.
However, there are more that must be addressed (some look very bad).
Especially, I didn't fix problems of assigning to variables that are never read, unless these were bugs.
But I think such errors should be fixed too, for readability and also so they will not be found again so the static analyzer output will be shorter and more useful.
Some constructs may cause false positives. The clang analyzer defines __clang_analyzer__ to suppress messages in such cases, and I will use it where needed. (I can also use cppcheck suppressions where needed - I still need to find out how to do it globally for memory allocation NULL reports.)
So I will most probably send soon a PR to address some of these problems. EDIT: The shown analysis is of commit 10fda9b8.
Bug Group | Bug Type | File | Function/Method | Line | Path Length |
---|---|---|---|---|---|
API | Argument with 'nonnull' attribute passed null | usr/local/src/link-grammar-devel/clang-sa/link-grammar/linkage/sane.c | wordgraph_path_append | 114 | 8 |
Logic error | Assigned value is garbage or undefined | usr/local/src/link-grammar-devel/clang-sa/link-grammar/tokenize/tokenize.c | mprefix_split | 1592 | 44 |
Logic error | Dangerous construct in a vforked process | tmp/link-grammar/clang-sa/conftest.c | main | 63 | 1 |
Dead store | Dead assignment | usr/local/src/link-grammar-devel/clang-sa/link-parser/link-parser.c | main | 900 | 1 |
Dead store | Dead assignment | usr/local/src/link-grammar-devel/clang-sa/link-grammar/tokenize/tokenize.c | separate_word | 2455 | 1 |
Dead store | Dead assignment | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-dict.c | link_advance | 296 | 1 |
Dead store | Dead assignment | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-regex.c | read_regex_file | 135 | 1 |
Dead store | Dead assignment | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/dictionary.c | dictionary_six_str | 213 | 1 |
Dead store | Dead assignment | tmp/link-grammar/clang-sa/conftest.c | main | 48 | 1 |
Logic error | Dereference of null pointer | tmp/link-grammar/clang-sa/bindings/python3/lg_python_wrap.cc | delete_lg_errinfo | 3573 | 13 |
Logic error | Dereference of null pointer | tmp/link-grammar/clang-sa/bindings/python/lg_python_wrap.cc | delete_lg_errinfo | 3573 | 13 |
Logic error | Dereference of null pointer | usr/local/src/link-grammar-devel/clang-sa/link-grammar/tokenize/tokenize.c | flatten_wordgraph | 3350 | 16 |
Logic error | Dereference of null pointer | usr/local/src/link-grammar-devel/clang-sa/link-grammar/tokenize/wg-display.c | wordgraph2dot | 337 | 7 |
Logic error | Dereference of null pointer | tmp/link-grammar/clang-sa/link-grammar/post-process/pp_lexer.c | yy_load_buffer_state | 1360 | 54 |
Logic error | Dereference of null pointer | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-dict.c | insert_list | 1475 | 149 |
Logic error | Dereference of null pointer | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-dict.c | insert_list | 1471 | 149 |
Logic error | Garbage return value | usr/local/src/link-grammar-devel/clang-sa/link-grammar/parse/fast-match.c | do_match_with_cache | 481 | 16 |
Memory error | Memory leak | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-dict.c | read_entry | 1611 | 41 |
Security | Potential insecure implementation-specific behavior in call 'vfork' | tmp/link-grammar/clang-sa/conftest.c | main | 63 | 1 |
Logic error | Result of operation is garbage or undefined | usr/local/src/link-grammar-devel/clang-sa/link-grammar/print/print.c | linkage_print_diagram_ctxt | 746 | 42 |
Memory error | Use of zero allocated | tmp/link-grammar/clang-sa/link-grammar/post-process/pp_lexer.c | pp_lexer_get_next_group_of_tokens_of_label | 2135 | 6 |
Memory error | Use-after-free | usr/local/src/link-grammar-devel/clang-sa/link-grammar/dict-file/read-dict.c | insert_list | 1513 | 37 |
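The V701 pattern that recurs in the MALLOC rows of the PVS-Studio table above (realloc() assigned straight back to the only pointer), next to the temporary-pointer form the diagnostic recommends. This is an added example, not link-grammar code: `dyn_buf`, `append_flagged`, `append_checked` and the fault-injecting `demo_realloc` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault-injection wrapper (not a libc or link-grammar function):
 * makes the next reallocation fail so the error path runs deterministically. */
static int fail_next_realloc = 0;

static void *demo_realloc(void *p, size_t n)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Hypothetical growable string, used only for this example. */
typedef struct { char *str; size_t len; size_t cap; } dyn_buf;

/* Flagged pattern (V701): the result of realloc() overwrites the only
 * pointer to the block. On failure the old block is orphaned and the
 * bookkeeping (cap) already describes memory that does not exist. */
static int append_flagged(dyn_buf *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + n + 1 > b->cap) {
        b->cap = 2 * (b->len + n + 1);
        b->str = demo_realloc(b->str, b->cap);
        if (b->str == NULL) return -1;   /* without this check: V522 */
    }
    memcpy(b->str + b->len, s, n + 1);
    b->len += n;
    return 0;
}

/* Corrected pattern: realloc() into a temporary, commit only on success. */
static int append_checked(dyn_buf *b, const char *s)
{
    size_t n = strlen(s);
    if (n >= SIZE_MAX - b->len) return -1;           /* size overflow */
    size_t need = b->len + n + 1;
    if (need > b->cap) {
        size_t new_cap = (need > SIZE_MAX / 2) ? need : 2 * need;
        char *tmp = demo_realloc(b->str, new_cap);
        if (tmp == NULL) return -1;                  /* *b is untouched */
        b->str = tmp;
        b->cap = new_cap;
    }
    memcpy(b->str + b->len, s, n + 1);
    b->len += n;
    return 0;
}

/* Returns 1 if a failed growth left the buffer without its data pointer. */
static int flagged_loses_block(void)
{
    dyn_buf b = {0};
    if (append_flagged(&b, "abc") != 0) return 0;
    char *old = b.str;             /* kept only so the demo can free it */
    fail_next_realloc = 1;
    int rc = append_flagged(&b, "a much longer string that forces growth");
    int lost = (rc == -1 && b.str == NULL);
    free(old);
    return lost;
}

/* Returns 1 if a failed growth left the buffer intact and still usable. */
static int checked_keeps_block(void)
{
    dyn_buf b = {0};
    if (append_checked(&b, "abc") != 0) return 0;
    char *old = b.str;
    size_t old_cap = b.cap;
    fail_next_realloc = 1;
    int rc = append_checked(&b, "a much longer string that forces growth");
    int intact = (rc == -1 && b.str == old && b.cap == old_cap &&
                  b.len == 3 && strcmp(b.str, "abc") == 0);
    /* The same buffer can be retried once memory is available again. */
    int retried = (append_checked(&b, "defghijk") == 0 &&
                   strcmp(b.str, "abcdefghijk") == 0);
    free(b.str);
    return intact && retried;
}

int main(void)
{
    printf("flagged form loses the block on failure: %d\n", flagged_loses_block());
    printf("checked form keeps the block on failure: %d\n", checked_keeps_block());
    return 0;
}
```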
Hello,
A good idea and approach.
There are many projects in opencog.
We can inspect other projects with the same analysis method.
But because we can get overloaded, when we have free time, we can think again.
Thanks.
Note that the static analysis is of commit 10fda9b8. This was a time-consuming fix session. The explanations here were also added as commit messages (sometimes with different wording). I got down to small details in the messages as notes to self because most of this stuff is somehow subtle.
A PR will be sent soon.
Summary:
Legend | Meaning |
---|---|
FP | False positive. Where possible, I added a suppression and mentioned it. |
NR | Not relevant. |
TRUE | Fixed. |
BUG | A non-fatal bug. Fixed. |
FP+BUG | The exact reported diagnosis is FP, but it uncovers a bug (suppressed + fixed). |
API Argument with 'nonnull' attribute passed null sane.c wordgraph_path_append 114 8
Cannot happen because in this call, which passes a NULL path, the given words (last argument - p) are the first token in each wordgraph path, so if (MT_INFRASTRUCTURE == p->prev[0]->morpheme_type) is true and the false branch is not taken. However, I added an assert in the "false" branch to ensure that path cannot be null then (and this is also said to suppress this error).
Logic error Assigned value is garbage or undefined tokenize.c mprefix_split 1592 44
This has never caused a problem because this happens only when sz==0, and the loop exits then without using w any more.
So for now I commented it out until the algo here will get reviewed.
NR Logic error Dangerous construct in a vforked process conftest.c main 63 1
TRUE Dead store Dead assignment link-parser.c main 900 1
Remove the assignment. Add "(void)" to signify that the result got neglected on purpose.
Dead store Dead assignment tokenize.c separate_word 2455 1
A leftover after code change. Not needed now. Removed.
Dead store Dead assignment read-dict.c link_advance 296 1
No need to set quote_mode=false before return. Removed.
Dead store Dead assignment read-regex.c read_regex_file 135 1
It clearly always gets assigned in the loop before it is checked in the terminating "while". Removed.
Add assert() for consistency.
NR Dead store Dead assignment conftest.c main 48 1
TRUE Logic error Dereference of null pointer python3/lg_python_wrap.cc delete_lg_errinfo 3573 13
TRUE Logic error Dereference of null pointer python/lg_python_wrap.cc delete_lg_errinfo 3573 13
The problem may happen if the lg_error structure is set to None. One way to do that could be to manually invoke the default handler with first argument set to None. But the C function default_error_handler() crashes then, before delete_lg_errinfo(NULL) is called. A fix has been done to raise a ValueError in that case, to prevent a crash in the C code.
However, there may be other ways to set lg_errinfo to NULL. So a direct fix has been implemented too.
Logic error Dereference of null pointer tokenize.c flatten_wordgraph 3350
The assert() expression has a bug: wg_word->next[0]->next can be NULL (if this is the last word, usually RIGHT-WALL). Fixed.
FP Logic error Dereference of null pointer wg-display.c wordgraph2dot 337 7
Suppression code added.
NR? Logic error Dereference of null pointer tmp/link-grammar/clang-sa/link-grammar/post-process/pp_lexer.c yy_load_buffer_state 1360 54
This code reads a file whose content is not controlled by the program input. Hence there is no urge to fix this problem.
Logic error Dereference of null pointer read-dict.c insert_list 1474 149
FP Logic error Dereference of null pointer read-dict.c insert_list 1470 149
1467 dn = p;
146 ← Null pointer value stored to 'dn' →
The variable p is invariant over the recursive calls. If p is not NULL in the start, the indicated problem cannot happen. So there doesn't seem to be a problem here unless read_entry() may call with p==NULL, for which I also didn't find evidence.
This diagnostic can be suppressed by __builtin_unreachable() or by an assert() (not done yet).
FP Logic error Garbage return value fast-match.c do_match_with_cache 481 16
I just (yet) insist not to initialize match field of match_cache without a real need...
The "maybe uninitialized" warning of GCC/clang gets suppressed with a pragma "diagnostic ignored". But for some reason it is not obeyed by the clang static analyzer.
Fixed - diagnostic Suppressed using __builtin_unreachable().
Memory error Memory leak read-dict.c read_entry 1610 41
dn is inserted in the Dict_node list, which is freed at dict close, so it seems there is no actual problem.
I didn't check how to suppress such a diagnostic.
Logic error Result of operation is garbage or undefined print.c linkage_print_diagram_ctxt 746 42
```c
...
} while (i < N_words_to_print);
if (0 == uwidth)
{
    uwidth = x_screen_width - RIGHT_MARGIN - (c == 0)*word_offset[i] - 1;
    c += utf8_chars_in_width(linkage->word[i]+c, uwidth);
}
if (NULL != pctx) /* PS junk */
{
    pctx->row_starts[pctx->N_rows] = i - (!print_word_0);
    if (i < N_words_to_print) pctx->N_rows++;
}
```
Referring to the code snippet above: The static analysis finds out that word_offset[N_words_to_print] is uninitialized, and that i==N_words_to_print if the "while" loop ends on its condition. So apparently word_offset[i] may be then garbage. But this is not possible (and the static analysis didn't get it because utf8_strwidth() is in another file) since uwidth!=0 then. However, i==N_words_to_print may cause another problem that is uncovered due to this diagnostic: A non-existing PS row is then set to start with a non-existing word number. Fixed.
Memory error Use of zero allocated pp_lexer.c pp_lexer_get_next_group_of_tokens_of_label 2135 6
Seems false positive because when n==0 it cannot be greater than lt->extents.
Memory error Use-after-free read-dict.c insert_list 1512 37
Seems false positive: p may be freed when k==0, but then the call to insert_list(dict, p, k) returns because l==0 before p is used.
I don't have an idea how to (correctly) suppress this message.
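The two suppression styles named in the comment above (an assert() that states the invariant, and code guarded by __clang_analyzer__ that uses __builtin_unreachable()), as an added example that is not link-grammar code. `token`, `path_append`, `path_len` and `ANALYZER_ASSUME` are hypothetical names; the sample tokens are constructed.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compiled only when the clang static analyzer is running, since it
 * predefines __clang_analyzer__. Real builds get no code from this macro,
 * so it silences a report without adding any runtime protection. */
#ifdef __clang_analyzer__
#define ANALYZER_ASSUME(cond) do { if (!(cond)) __builtin_unreachable(); } while (0)
#else
#define ANALYZER_ASSUME(cond) ((void)0)
#endif

/* Hypothetical token type; is_first marks the first token of a path. */
typedef struct { const char *text; int is_first; } token;

/* Append tok to a NULL-terminated path and return a newly allocated path.
 * Contract: path may be NULL only when tok is the first token. */
static const token **path_append(const token **path, const token *tok)
{
    size_t n = 0;

    if (!tok->is_first) {
        /* The analyzer cannot see the caller-side contract, so it explores
         * path == NULL on this branch. assert() states the invariant: its
         * failure handler does not return, which ends that path for the
         * analyzer and also traps a real violation at run time. */
        assert(path != NULL);
        while (path[n] != NULL) n++;
    }

    const token **out = malloc((n + 2) * sizeof *out);
    if (out == NULL) return NULL;
    if (n > 0) memcpy(out, path, n * sizeof *out);
    out[n] = tok;
    out[n + 1] = NULL;
    return out;
}

/* Analyzer-only form: suitable when the invariant is established a few
 * lines away and a runtime check would be redundant. */
static size_t path_len(const token **path)
{
    ANALYZER_ASSUME(path != NULL);
    size_t n = 0;
    while (path[n] != NULL) n++;
    return n;
}

/* Builds a two-token path; returns 1 when both paths have the expected
 * shape, 0 when they do not, -1 on allocation failure. */
static int demo_paths(void)
{
    token first = { "LEFT-WALL", 1 };   /* constructed sample tokens */
    token second = { "word", 0 };

    const token **p1 = path_append(NULL, &first);
    if (p1 == NULL) return -1;
    const token **p2 = path_append(p1, &second);
    if (p2 == NULL) { free(p1); return -1; }

    int ok = path_len(p1) == 1 && path_len(p2) == 2 &&
             p2[0] == &first && p2[1] == &second;
    free(p1);
    free(p2);
    return ok;
}

int main(void)
{
    printf("paths built as expected: %d\n", demo_paths());
    return 0;
}
```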
Amir, yes, thanks very much; these are time-consuming and painful, but they're important. The good news seems to be that compilers are picking up the task more and more, and warning at the time that the code is being written.
As most of the problems indicated above by the 3 static analyzers have been (hopefully) handled I am closing this issue. Notes:
Since it is easy to use the clang static analyzer and it doesn't produce tons of messages, I will run it before I send PR's.
Here is a way to run it:
```
$ scan-build -o /tmp/lg-scan-build ./configure
$ make
scan-build: 11 bugs found.
scan-build: Run 'scan-view /tmp/lg-scan-build/2018-01-28-163000-27947-1' to examine bug reports.
```
The scan-view program shows the report in a web browser window. In the case of link-grammar there is no need to tell scan-build to enable assertions even when not configured in debug mode, because they are always enabled.
Hello,
I do not know if this information will help you.
I checked the source code using cppcheck.
I received the following report.
There may be a false here.
Thanks.