lint

a C program checker

lint [-#] [-###] [-a] [-b] [-Cfilename] [-c] [-dirout=dir]
[-err=warn] [-errchk=l] [-errfmt=f] [-errhdr=h] [-erroff=t] [-errsecurity=v] [-errtags=a] [-errwarn=t]
[-F] [-fd] [-flagsrc=file] [-h] [-Idir] [-k] [-Ldir] [-lx] [-m] [-m32|-m64]
[-Ncheck=c] [-Nlevel=n] [-n] [-ox] [-p] [-Rfile] [-s] [-u] [-V] [-v] [-Wfile]
[-Xarch=amd64] [-Xarch=v9] [-Xalias_level[=l]] [-XCC=a] [-Xc99[=o]] [-Xexplicitpar=a] [-Xkeeptmp=a] [-Xtemp=dir] [-Xtime=a]
[-Xtransition=a] [-Xustr={ascii_utf16_ushort|no}] [-x] [-y] files

Detects features of C program files which are likely to be bugs, non-portable, or wasteful.

Checks type usage more strictly than the compiler.

Two modes: basic, which is the default for the lint program, and enhanced.
In enhanced mode, the analysis includes:

The enhanced mode is enabled by -Nlevel or -Ncheck

File suffixes

.c are taken to be C source files;
.i are taken to be preprocessor output files (produced with -P option to the compiler).
.ln are taken to be the result of an earlier invocation of lint with either -C, -c, or -o .

Enhanced mode produces .ln files which store additional information which cannot be processed in basic mode.

.c, .i, .ln, and llib-lx.ln files are processed in command-line order.

Default: append the standard C lint library (lliblc.ln) to the end of the list of files.
With -C or -c the .ln and the llib-lx.ln files are ignored. When -C or -c is not used, the second pass of lint checks the .ln and the llib-lx.ln list of files for mutual compatibility.

-# Show each component as invoked (verbose mode).
-### Show each component as invoked, do not execute!
-Cfilename Create first pass .ln file
-c create first pass .ln file for each .c file.
They are not checked for interfunction compatibility.
-dirout=dir directory for output files for -c
simple Display line number and place number of the error,
macro Display source code, line number, and place of the error, with macro unfolding. for one-line (simple) diagnostic messages. Similar to -s , but includes error-position information.
src Display the source code, the line number, and the place of the error (no macro unfolding).
tab Display in tabular format. Default
Last format specified is used.
-m32|-m64 memory model for the program being analyzed. Also searches for lint libraries that correspond

The ILP32 memory model (32-bit int, long, pointer data types) is the default on Solaris and on Linux not 64-bit enabled.
The LP64 memory model (64-bit long, pointer data types) is the default on 64-bit enabled Linux.

-errhdr=h header files when used with -Ncheck.
h is a comma-separated list that consists of one or more of :
[no%]dir Does [not] report the -Ncheck messages for header files included from dir.
%all  
%none Default.
%user Check all used user header files, that is, except those in /usr/include and its subdirectories, as well as those supplied by the compiler.
Default -errhdr=%none. ommitting h is equivalent %user.
-erroff=t Suppress or enable error messages. t is a comma-separated list of one or more of:
[no%]tag Suppress the message specified by this tag.
%all Suppress all messages.
%none Enable all messages. This is the default. Default -erroff=%none. Specifying -erroff is equivalent to specifying -erroff=%all.

-a assignments of long values to variables that are not long are IGNORED.
-b break statements that cannot be reached are IGNORED.
-h heuristic tests that attempt to intuit bugs, improve style, and reduce waste are NOT applied.
-n Do not check compatibility against the standard C lint library.
-v unused arguments in functions are IGNORED.
-m external symbols that could be declared static are IGNORE.
-u functions and external variables used and not defined, or defined and not used are IGNORED.

For running on a subset of files of a larger program.

-errchk=l Check structural arguments passed by value;
Check portability to environment for which the size of long integers and pointers is 64 bits.
l is a comma-separated list of one or more of:
[no%]locfmtchk check printf-like format strings during its first pass. Always checks in second pass!
[no%]parentheses enhance the maintainability(clarity).
If this returns a warning, use additional parentheses to spefificy the precedence of operations.
[no%]signext the normal ANSI/ISO C value-preserving rules allow the extension of the sign of a signed-integral value in an expression of unsigned-integral type. Only effective with -errchk=longptr64
[no%]sizematch larger integer is assigned to a smaller integer. also for assignments which differ in signedness for example, unsigned int = signed int.
[no%]structarg Check structural arguments passed by value and report the cases when formal parameter type is not known.
[no%]longptr64 Check portability to environment for which the size of long integers and pointers is 64 bits and the size of plain integers is 32 bits. Check assignments of pointer expressions and long integer expressions to plain integers, even when explicit cast is used.
%all  
%none  
Default -errchk=%none, ommitting l implies %all. Example: -errchk=longptr64,structarg.
-errsecurity=v check for security loopholes. v must be one of
core check for constructs that are almost either unsafe or difficult to verify.
  • Use of variable format strings with printf() and scanf() family of functions
  • Use of unbounded string (%s) formats in scanf()
  • Use of functions with no safe usage: gets(), cftime(), ascftime(), creat()
  • Incorrect use of open() with O_CREAT
Consider source code that produces warnings at this level to be a bug. The source code in question should be changed. In all cases, straightforward safer alternatives are available.
standard includes all checks from the core level plus checks for constructs that may be safe, but have better alternatives available. This level is well suited for newly-written code. Additional checks at this level include:
  • Use of string copy functions other than strlcpy()
  • Use of weak random number functions
  • Use of unsafe functions to generate temporary files
  • Use of fopen() to create files
  • Use of functions that invoke the shell
Replace source code that produces warnings at this level with new or significantly modified code. Balance addressing these warnings in legacy code against the risks of destabilizing the application.
extended addition, about constructs that may be unsafe in some situations. The checks at this level are useful as an aid in reviewing code, but need not be used as a standard with which acceptable source code must comply. Additional checks
  • Calls to getc() or fgetc() inside a loop
  • Use of functions prone to pathname race conditions
  • Use of the exec() family of functions
  • Race conditions between stat() and other functions
Default: none.
Ommiting v implies standard
-errfmt=f format of lint output. f can be:
-errtags=yes|no Displays the message tag for each error message.
Default -errtags=no
ommitting yes|no implies yes
Works with -errfmt
-errwarn=t If t warning message is issued, exit with a failure status. t is a comma-separated list of one or more of :
tag exit with a fatal status if the message specified by tag is issued as a warning message.
no%tag Prevent from exiting with a fatal status if the message specified by tag is issued only as a warning message. Use to revert a warning message that was previously specified by with tag or %all from causing lint to exit with a fatal status when issued as a warning message.
%all exit with a fatal status if any warning messages are issued. can be followed by no%tag to exempt specific warning messages from this behavior.
%none Prevents any warning messages from causing exit with a fatal status should any warning tag be issued.
Default.
-err=warn aka -errwarn=%all
-F include full path names of files.
-fd Report about old-style function definitions and declarations.
-flagsrc=file options in file one per line.
-Idir Search for included header files in the directory dir before searching the current directory and/or the standard place.
-k Alter the behavior of /*LINTED [message]*/ directives or NOTE(LINTED(message)) annotations.
Print an additional message containing the comment inside the directive or annotation. Normally, warning messages for the code following these directives. is supressed.
-Ldir Search for lint libraries in dir before searching the standard place.
-lx Include the lint library llib-lx.ln. For example, you can include a lint version of the math library lliblm.ln by inserting -lm on the command line.
This argument does not suppress the default use of llib-lc.ln. These lint libraries must be in the assumed directory.
Can be used to reference local lint libraries and is useful of multifile projects.
-Ncheck=c Check header files for corresponding declarations; check macros. c is a comma-separated list of one or more of :
macro consistency of macro definitions across files.
extern one-to-one correspondence of declarations between source and header files (for example, for file1.c and file1.h). Ensure that there are neither extraneous nor missing extern declarations in a header file.
%all  
%none  
no%macro  
no%extern 
Default %none. ommitting c implies %all.
invoke enhanced mode by specifying the level of analysis.
Default. basic analysis mode. Omitting level implies 4
-Nlevel=1 Analyze single procedures. Report unconditional errors that occur on some program execution paths. Does not do global data and control flow analysis.
-Nlevel=2 The default. Analyze the whole program, including global data and control flow. Report unconditional errors that occur on some program execution paths.
-Nlevel=3 Analyze the whole program, including constant propagation, cases when constants are used as actual arguments, as well as the analysis performed under -Nlevel=2.

assumes partial interpretation of the program by creating sets of possible values for program variables. These sets of variables are created on the basis of constants and conditional statements that contain constant operands available in the program. The sets form the basis for creating other sets (a form of constant propagation). Sets received as the result of the analysis are evaluated for correctness according to the following algorithm:

If a correct value exists among all possible values of an object, then that correct value is used as the basis for further propagation; otherwise an error is diagnosed.

-Nlevel=4 Analyze the whole program, and report conditional errors that could occur when certain program execution paths are used, as well as the analysis performed under -Nlevel=3.

At this level, there are additional diagnostic messages.
The analysis algorithm generally corresponds to the analysis algorithm of -Nlevel=3 with the exception that any invalid values now generate an error message. The amount of time required for analysis at this level can increase as much as two orders (about 20 to 100 times more slowly). In this case, the extra time required is directly proportional to the program complexity as characterised by recursion, conditional statements etc. As a result of this, it may be difficult to use this level of analysis for a program that exceeds 100,000 lines.

-p portability check to other dialects of C.
Along with stricter checking, this option causes all non-external names to be truncated to eight characters and all external names to be truncated to six characters and single case.
-s simple diagnostics are produced with "warning:" or "error:" prefixes. Default buffers some messages to produce compound output.
-V Version, i.e. product name and release are written to std err.
-ox create a lint library llib-lx.ln. from all the .ln files used in second pass. Not with -c .
Exclude extraneous messages, use -x.
-v useful if the source file(s) for the lint library are just external interfaces. The library produced can be used later with -lx.

By default, create libraries in basic format.

-Rfile cxref .ln file is output Disables enhanced mode,
-Wfile cflow .ln file is output Disables enhanced mode,
-Xalias_level[=l] eXclude type-based alias-analysis.
any, basic, weak, layout, strict, std, or strong.

Default any.
Run at a level of disambiguation that is no more strict than the level at which you ran the compiler.
See the C User's Guide for more information.
-XCC=yes|no Accept C++-style comments. // starts a comment.
Default is -XCC=no; ommiting the boolean -XCC=yes

Use with -xc99=%none. Under -xc99=%all (the default), lint accepts comments which are indicated by //.

-Xc99=all|none controls recognition from the C99 standard (ISO/IEC 9899:1999, ).
none turns off recognition of C99 features.
all turns on recognition of supported C99 features. -Xc99 without an arguments implies all. compiler support-level defaults to the language features of the C99 standard, the
-Xexplicitpar=yes|no (SPARC) Directs lint to recognize #pragma MP directives. default no ommitting the boolean implies yes.
-Xkeeptmp=yes|no Keep temporary files Default no; omitting the boolean implies yes.
-Xtemp=dir Directory for temporary files. Default /tmp.
-Xtime=yes|no Report the execution time for each pass. Default no; omitting the boolean implies yes.
-Xtransition=yes|no Issue warnings for the differences between K&R C and Sun ANSI C. default no; omitting the boolean implies yes.
-Xustr=[ascii_utf16_ushort|no] enables/disables recognition of string literals of the form U"ASCII_string" as an array of unsigned short int.
Not part of any standard.
default no disables.
specify -Xustr=ascii_ustf16_ushort without also specifying a U"ASCII_string" string literal.
See -xustr in the cc man page .
-x externally declared variables that are referred to but not used are not reported
-y Imply /*LINTLIBRARY*/ or NOTE(LINTLIBRARY) .

lint recognizes many cc command-line options, including -A, -D, -E, -g, -H, -O, -P, -U, -Xa, -Xc, -Xs, -Xt , and -Y , -g and -O are ignored. Unrecognized options are warned about and ignored.

The lint macro allows certain questionable code to be altered or removed for lint. The symbol lint should be considered a reserved word for code that is planned to be checked by lint.

provides the following predefinition predicate by default (not valid in -Xc mode): #assert lint (on)

Predefinitions, not valid in -Xc mode: sun, lint, unix, sparc (SPARC only), i386 (x86 only)

Predefinitions are valid in all modes: __BUILTIN_VA_ARG_INCR, __SUNPRO_C=0x590, __SVR4(SPARC), __SunOS(Solaris), __SunOS_OSN.N(Solaris), __amd64(x86 with-m64), __gnu__linux(linux), __i386(x86), __linux(linux), __linux__(linux), __sparc(SPARC), __sparcv9(with-m64), __sun(Solaris), __unix, __`uname -s`_`uname -r`, __x86_64(x86), linux(x86,linux),

Comments in source:

/*ARGSUSEDn*/ check only the first n arguments for usage; a missing , is taken to be 0 (this directive acts like the -v option for the next function).
/*CONSTCOND*/ or /*CONSTANTCONDITION*/ suppresses complaints about constant operands for the conditional expression.
/*EMPTY*/ suppresses complaints about a null statement consequent on an if statement.
placed after the test expression, and before the semicolon.
To support empty if statements when a valid else statement follows. It suppresses messages on an empty else consequent.
/*FALLTHRU*/ or /*FALLTHROUGH*/ suppresses complaints about fall through to a case or default labelled statement.
Placed immediately preceding the label.
/*LINTED [message]*/ suppresses any intra-file warning except those dealing with unused variables or functions.
placed on the line immediately preceding where the lint warning occurred.
-k alters the way in which lint handles this directive. Instead of suppressing messages, lint prints an additional message, if any, contained in the comment.
useful in conjunction with t-s for post-lint filtering.
/*LINTLIBRARY*/ when -o is invoked, writes to a library .ln file only definitions in the .c file it heads.
suppresses complaints about unused functions and function arguments in this file.
/*NOTREACHED*/ at appropriate points stops comments about unreachable code.
placed just after calls to functions like exit(2)].
/*PRINTFLIKEn*/ check the first (n-1) arguments as usual. The nth argument is interpreted as a printf format string that is used to check the remaining arguments.
/*PROTOLIBn*/ treat function declaration prototypes as function definitions if n is non-zero.
only be used in conjunction with the /* LINTLIBRARY */ directive.
If n<.code> is zero, function prototypes are treated normally.
/*SCANFLIKEn*/ check the first (n-1) arguments as usual. The nth argument is interpreted as a scanf format string that is used to check the remaining arguments.
/*VARARGSn*/ suppresses the usual checking for variable numbers of arguments in the following function declaration. The data types of the first n arguments are checked; a missing n is taken to be 0. The use of the ellipsis terminator (...) in the definition is suggested in new or updated code.

Directives can also be specified in the form of source code annotations, by including the file note.h, for example:

          #include 

          NOTE(ARGSUSED(n))
          NOTE(CONSTANTCONDITION)
          NOTE(EMPTY)
          NOTE(FALLTHROUGH)
          NOTE(LINTLIBRARY)
          NOTE(LINTED(message))
          NOTE(NOTREACHED)
          NOTE(PRINTFLIKE(n))
          NOTE(PRINTFLIKE(func_name,n))
          NOTE(PROTOLIB(n))
          NOTE(SCANFLIKE(n))
          NOTE(SCANFLIKE(func_name,n))
          NOTE(VARARGS(n))
          NOTE(VARARGS(func_name,n))

These directives can be used only as annotations:

NOTE(ALIGNMENT(func_name,n)) where n=1,2,4,8,16,32,64,128; set following function result alignment in n bytes.
For example, malloc() is defined as returning a char* or void*
when in fact it really returns pointers that are word (or even doubleword) aligned.

NOTE(ARGUNUSED(par_name[,par_name…])) do not check the mentioned arguments for usage (this option acts only for the next function).

Show precise source file lines with pointers to the line position where the error occurred.
The option enabling this feature is -errfmt=[macro|simple|src|tab].
Under this option, lint provides the following information:

produces its first output on a per-source-file basis.

Complaints regarding included files are collected and printed after all source files have been processed,
if -s is not specified.
Finally, if the -C or -c option is not used, information gathered from all input files is collected and checked for consistency. At this point, if it is not clear whether a complaint stems from a given source file or from one of its included files, the source filename is printed followed by a question mark.

The behavior of the -C, -c, and the -o options allows for incremental use of lint on a set of C source files.
Generally, one invokes lint once for each source file with the -C or -c option.
Each of these invocations produces a .ln file that corresponds to the .c file, and prints all messages that are about just that source file.
After all the source files have been separately run , it is invoked once more (without the -C or -c option), listing all the .ln files with the needed -lx options. This prints all the inter-file inconsistencies. This scheme works well with make; it allows make to be used to lint only the source files that have been modified since the last time the set of source files were linted.

ENVIRONMENT

$TMPDIR usually /tmp but can be redefined by setting the $TMPDIR [see tempnam in tmpnam(3S)]. $NOTEPATH Colon separated paths of directories containing note definition files

FILES

lint[12] first and second passes
lint2n enhanced second pass
llib-lc.ln declarations for C Library functions (binary format)
TMPDIR/*lint* temporaries
SEE ALSO cc(1), make(1s), cflow(1), cxref(1). See the lint chapter in the C User's Guide. Last change: 2007/04/25 1