README.md revision 1.10
1 [//]: # ($NetBSD: README.md,v 1.10 2023/01/21 21:14:38 rillig Exp $) 2 3 # Introduction 4 5 Lint1 analyzes a single translation unit of C code. 6 7 * It reads the output of the C preprocessor, retaining the comments. 8 * The lexer in `scan.l` and `lex.c` splits the input into tokens. 9 * The parser in `cgram.y` creates types and expressions from the tokens. 10 * It checks declarations in `decl.c`. 11 * It checks initializations in `init.c`. 12 * It checks types and expressions in `tree.c`. 13 14 To see how a specific lint message is triggered, read the corresponding unit 15 test in `tests/usr.bin/xlint/lint1/msg_???.c`. 16 17 # Features 18 19 ## Type checking 20 21 Lint has stricter type checking than most C compilers. 22 23 In _strict bool mode_, lint treats `bool` as a type that is incompatible with 24 other scalar types, like in C#, Go, Java. 25 See the test `d_c99_bool_strict.c` for details. 26 27 Lint warns about type conversions that may result in alignment problems. 28 See the test `msg_135.c` for examples. 29 30 ## Control flow analysis 31 32 Lint roughly tracks the control flow inside a single function. 33 It doesn't follow `goto` statements precisely though, 34 it rather assumes that each label is reachable. 35 See the test `msg_193.c` for examples. 36 37 ## Error handling 38 39 Lint tries to continue parsing and checking even after seeing errors. 40 This part of lint is not robust though, so expect some crashes here, 41 as variables may not be properly initialized or be null pointers. 42 The cleanup after handling a parse error is often incomplete. 43 44 ## Configurable diagnostic messages 45 46 Whether lint prints a message and whether each message is an error, a warning 47 or just informational depends on several things: 48 49 * The language level, with its possible values: 50 * traditional C (`-t`) 51 * migration from traditional C and C90 (default) 52 * C90 (`-s`) 53 * C99 (`-S`) 54 * C11 (`-Ac11`) 55 * In GCC mode (`-g`), lint allows several GNU extensions, 56 reducing the amount of printed messages. 57 * In strict bool mode (`-T`), lint issues errors when `bool` is mixed with 58 other scalar types, reusing the existing messages 107 and 211, while also 59 defining new messages that are specific to strict bool mode. 60 * The option `-a` performs the check for lossy conversions from large integer 61 types, the option `-aa` extends this check to small integer types as well, 62 reusing the same message ID. 63 * The option `-X` suppresses arbitrary messages by their message ID. 64 * The option `-q` enables additional queries that are not suitable as regular 65 warnings but may be interesting to look at on a case-by-case basis. 66 67 # Fundamental types 68 69 Lint mainly analyzes expressions (`tnode_t`), which are formed from operators 70 (`op_t`) and their operands (`tnode_t`). 71 Each node has a data type (`type_t`) and a few other properties that depend on 72 the operator. 73 74 ## type_t 75 76 The basic types are `int`, `_Bool`, `unsigned long`, `pointer` and so on, 77 as defined in `tspec_t`. 78 79 Concrete types like `int` or `const char *` are created by `gettyp(INT)`, 80 or by deriving new types from existing types, using `block_derive_pointer`, 81 `block_derive_array` and `block_derive_function`. 82 (See [below](#memory-management) for the meaning of the prefix `block_`.) 83 84 After a type has been created, it should not be modified anymore. 85 Ideally all references to types would be `const`, but that's still on the 86 to-do list and not trivial. 87 In the meantime, before modifying a type, 88 it needs to be copied using `block_dup_type` or `expr_dup_type`. 89 90 ## tnode_t 91 92 When lint parses an expression, 93 it builds a tree of nodes representing the AST. 94 Each node has an operator that defines which other members may be accessed. 95 The operators and their properties are defined in `ops.def`. 96 Some examples for operators: 97 98 | Operator | Meaning | 99 |----------|--------------------------------------------| 100 | CON | compile-time constant in `tn_val` | 101 | NAME | references the identifier in `tn_sym` | 102 | UPLUS | the unary operator `+tn_left` | 103 | PLUS | the binary operator `tn_left + tn_right` | 104 | CALL | a direct function call | 105 | ICALL | an indirect function call | 106 | CVT | an implicit conversion or an explicit cast | 107 108 As an example, the expression `strcmp(names[i], "name")` has this internal 109 structure: 110 111 ~~~text 112 1: 'call' type 'int' 113 2: '&' type 'pointer to function(pointer to const char, pointer to const char) returning int' 114 3: 'name' 'strcmp' with extern 'function(pointer to const char, pointer to const char) returning int' 115 4: 'push' type 'pointer to const char' 116 5: 'convert' type 'pointer to const char' 117 6: '&' type 'pointer to char' 118 7: 'string' type 'array[5] of char', lvalue, length 4, "name" 119 8: 'push' type 'pointer to const char' 120 9: 'load' type 'pointer to const char' 121 10: '*' type 'pointer to const char', lvalue 122 11: '+' type 'pointer to pointer to const char' 123 12: 'load' type 'pointer to pointer to const char' 124 13: 'name' 'names' with auto 'pointer to pointer to const char', lvalue 125 14: '*' type 'long' 126 15: 'convert' type 'long' 127 16: 'load' type 'int' 128 17: 'name' 'i' with auto 'int', lvalue 129 18: 'constant' type 'long', value 8 130 ~~~ 131 132 | Lines | Notes | 133 |--------|------------------------------------------------------------------| 134 | 4, 8 | Each argument of the function call corresponds to a `PUSH` node. | 135 | 5, 9 | The left operand of a `PUSH` node is the actual argument. | 136 | 8 | The right operand is the `PUSH` node of the previous argument. | 137 | 5, 9 | The arguments of a call are ordered from right to left. | 138 | 10, 11 | Array access is represented as `*(left + right)`. | 139 | 14, 18 | Array and struct offsets are in premultiplied form. | 140 | 18 | The size of a pointer on this platform is 8 bytes. | 141 142 See `debug_node` for how to interpret the members of `tnode_t`. 143 144 ## sym_t 145 146 There is a single symbol table (`symtab`) for the whole translation unit. 147 This means that the same identifier may appear multiple times. 148 To distinguish the identifiers, each symbol has a block level. 149 Symbols from inner scopes are added to the beginning of the table, 150 so they are found first when looking for the identifier. 151 152 # Memory management 153 154 ## Block scope 155 156 The memory that is allocated by the `block_*_alloc` functions is freed at the 157 end of analyzing the block, that is, after the closing `}`. 158 See `compound_statement_rbrace:` in `cgram.y`. 159 160 ## Expression scope 161 162 The memory that is allocated by the `expr_*_alloc` functions is freed at the 163 end of analyzing the expression. 164 See `expr_free_all`. 165 166 # Null pointers 167 168 * Expressions can be null. 169 * This typically happens in case of syntax errors or other errors. 170 * The subtype of a pointer, array or function is never null. 171 172 # Common variable names 173 174 | Name | Type | Meaning | 175 |------|-----------|------------------------------------------------------| 176 | t | `tspec_t` | a simple type such as `INT`, `FUNC`, `PTR` | 177 | tp | `type_t` | a complete type such as `pointer to array[3] of int` | 178 | stp | `type_t` | the subtype of a pointer, array or function | 179 | tn | `tnode_t` | a tree node, mostly used for expressions | 180 | op | `op_t` | an operator used in an expression | 181 | ln | `tnode_t` | the left-hand operand of a binary operator | 182 | rn | `tnode_t` | the right-hand operand of a binary operator | 183 | sym | `sym_t` | a symbol from the symbol table | 184 185 # Abbreviations in variable names 186 187 | Abbr | Expanded | 188 |------|---------------------------------------------| 189 | l | left | 190 | r | right | 191 | o | old (during type conversions) | 192 | n | new (during type conversions) | 193 | op | operator | 194 | arg | the number of the argument, for diagnostics | 195 196 # Debugging 197 198 Useful breakpoints are: 199 200 | Function/Code | File | Remarks | 201 |---------------------|---------|------------------------------------------------------| 202 | build_binary | tree.c | Creates an expression for a unary or binary operator | 203 | initialization_expr | init.c | Checks a single initializer | 204 | expr | tree.c | Checks a full expression | 205 | typeok | tree.c | Checks two types for compatibility | 206 | vwarning_at | err.c | Prints a warning | 207 | verror_at | err.c | Prints an error | 208 | assert_failed | err.c | Prints the location of a failed assertion | 209 | `switch (yyn)` | cgram.c | Reduction of a grammar rule | 210 211 # Tests 212 213 The tests are in `tests/usr.bin/xlint`. 214 By default, each test is run with the lint flags `-g` for GNU mode, 215 `-S` for C99 mode and `-w` to report warnings as errors. 216 217 Each test can override the lint flags using comments of the following forms: 218 219 * `/* lint1-flags: -tw */` replaces the default flags. 220 * `/* lint1-extra-flags: -p */` adds to the default flags. 221 222 Most tests check the diagnostics that lint generates. 223 They do this by placing `expect` comments near the location of the diagnostic. 224 The comment `/* expect+1: ... */` expects a diagnostic to be generated for the 225 code 1 line below, `/* expect-5: ... */` expects a diagnostic to be generated 226 for the code 5 lines above. 227 Each `expect` comment must be in a single line. 228 At the start and the end of the comment, the placeholder `...` stands for an 229 arbitrary sequence of characters. 230 There may be other code or comments in the same line of the `.c` file. 231 232 Each diagnostic has its own test `msg_???.c` that triggers the corresponding 233 diagnostic. 234 Most other tests focus on a single feature. 235 236 ## Adding a new test 237 238 1. Run `make add-test NAME=test_name`. 239 2. Run `cd ../../../tests/usr.bin/xlint/lint1`. 240 3. Sort the `FILES` lines in `Makefile`. 241 4. Make the test generate the desired diagnostics. 242 5. Run `./accept.sh test_name` until it no longer complains. 243 6. Run `cd ../../..`. 244 7. Run `cvs commit distrib/sets/lists/tests/mi tests/usr.bin/xlint`. 245
Indexes created Wed Oct 01 18:09:54 GMT 2025