See http://www.freelists.org/post/procps/Scan-results,5


	based on:
filtered-with-patches.err

	these are the categories i've assigned:
defect_was_fixed
	EVALUATION_ORDER
		pmap
	TAINTED_STRING
		tload

possibly_filter_out_?
	MISSING_BREAK
		slabtop
		ps/output

avoidable_false_positive
	DEADCODE
		proc/readproc
	FORWARD_NULL
		top
		vmstat
	RESOURCE_LEAK
		ps/parser (3)
	STRING_NULL
		pwdx
		proc/readproc
	TAINTED_SCALAR
		pgrep
		slabtop
		top (3)
	TAINTED_STRING
		watch (2)
	TOCTOU
		sysctl (2)
	UNINIT
		ps/output (2)

unavoidable_false_positive_?
	UNREACHABLE
		ps/sortformat

unavoidable_false_positive_but_patched_anyway
	OVERRUN_STATIC
		top (no defect, but i yield)



	pgrep ------------------------------------------------------------------------
Error: TAINTED_SCALAR:
	agree that argv might be tainted
	but the (int)argv[1][1] index is being passed to the isdigit() function (and glibc safely indexes into an array sized at 384 bytes)
	my_category: avoidable_false_positive (out of step with current glibc implementation)
pgrep.c:720: tainted_data: Passing tainted variable "argv" to a tainted sink.
pgrep.c:558: data_index: Using tainted variable "(int)argv[1][1]" as an index to pointer "*__ctype_b_loc()".


	pmap -------------------------------------------------------------------------
Error: EVALUATION_ORDER:
	agree that there is a problem.
	moreover, it deals with an undocumented command line argument (but Sami has a documentation addition pending)
	the logic was altered in line with intent, hopefully avoids this warning
	my_category: defect_was_fixed
pmap.c:314: write_write_order: In "arg2 = (arg2 ? arg2++ : arg1)", "arg2" is written in "arg2" (the assignment left-hand side) and written in "arg2 ? arg2++ : arg1" but the order in which the side effects take place is undefined because there is no intervening sequence point.



	pwdx -------------------------------------------------------------------------
Error: STRING_NULL:
	static buffer is initialized to 0
	it is +1 larger than size passed to readlink
	was fixed in previous analysis
	my_category: avoidable_false_positive
pwdx.c:86: string_null_argument: Function "readlink" does not terminate string "*buf".
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:92: string_null: Passing unterminated string "s" to "printf".



	slabtop ----------------------------------------------------------------------
Error: MISSING_BREAK:
	intentional fall through after setting return code
	no change made
	my_category: possibly_filter_out_?
slabtop.c:314: unterminated_case: This case (value 104) is not terminated by a 'break' statement.
slabtop.c:316: fallthrough: The above case falls through to this one.

Error: TAINTED_SCALAR:
	read limited to single byte signed 'char'
	ultimately passed to the toupper() function (and glibc safely indexes into an array sized at 384 bytes)
	my_category: avoidable_false_positive (out of step with current glibc implementation)
slabtop.c:387: tainted_data_argument: Calling function "read" taints argument "c".
slabtop.c:389: tainted_data: Passing tainted variable "c" to a tainted sink.
slabtop.c:233: data_index: Using tainted variable "(int)c" as an index to pointer "*__ctype_toupper_loc()".



	sysctl -----------------------------------------------------------------------
Error: TOCTOU:
	the path length between these two events cannot be reduced further
	instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
	my_category: avoidable_false_positive
sysctl.c:149: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:168: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.

Error: TOCTOU:
	the path length between these two events cannot be reduced further
	instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
	my_category: avoidable_false_positive
sysctl.c:327: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:345: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.



	tload ------------------------------------------------------------------------
Error: TAINTED_STRING:
	altered perror call to provide an untainted string
	my_category: defect_was_fixed
tload.c:89: tainted_string: Passing tainted string "argv[optind]" to a function that cannot accept tainted data.



	top --------------------------------------------------------------------------
Error: FORWARD_NULL:
	cpus cannot be NULL without fp also being NULL
	the very next 'if (!fp)' ensures cpus will be allocated
	my_category: avoidable_false_positive
top.c:1790: assign_zero: Assigning: "cpus" = 0.
top.c:1807: var_deref_op: Dereferencing null variable "cpus".

Error: OVERRUN_STATIC:
	This "error" is centered around the following code:
	      f = w->pflgsall[i + w->begpflg];
	      w->procflgs[i] = f;
	   #ifndef USE_X_COLHDR
	      if (P_MAXPFLGS < f) continue;
	   #endif
	      h = Fieldstab[f].head;

	The enum P_MAXPFLGS is strictly a fencepost and can *never* appear in the arrays pflgsall or procflgs.
	Thus it (39th element) cannot be used in referencing Fieldstab.
	However, two enums of higher value (X_XON=40 and X_XOF=41) *can* appear in those arrays.
	But the test against the fencepost ensures that those two enums are *never* used in referencing Fieldstab.

	When the analyzer sees the conditional using '<' and not '<=' it reports a false positive.

	i'm tired of explaining this so the program was changed to accommodate the tool's deficiency
	my_category: unavoidable_false_positive_but_patched_anyway
top.c:1417: overrun-local: Overrunning static array "Fieldstab", with 39 elements, at position 39 with index variable "f".

Error: TAINTED_SCALAR:
	the index is used subordinate to a case statement ensuring a value between '1' and '4'
	my_category: avoidable_false_positive
top.c:2442: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2452: tainted_data: Using tainted variable "ch - 49" as an index into an array "Winstk".

Error: TAINTED_SCALAR:
	the index is used subordinate to a case statement ensuring a value between '1' and '4'
	my_category: avoidable_false_positive
top.c:2719: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2720: tainted_data: Passing tainted variable "ch" to a tainted sink.
top.c:2452: data_index: Using tainted variable "ch - 49" as an index to array "Winstk".

Error: TAINTED_SCALAR:
	buf tainted by chin is zero terminated
	single char is ultimately passed to the isprint() function (and glibc safely indexes into an array sized at 384 bytes)
	my_category: avoidable_false_positive (out of step with current glibc implementation)
top.c:972: tainted_data_return: Function "keyin" returns tainted data.
top.c:912: tainted_data_argument: Function "chin" taints argument "buf".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:926: return_tainted_data: Returning tainted variable "buf[0]".
top.c:972: var_assign: Assigning: "key" = "keyin", which taints "key".
top.c:1001: tainted_data: Using tainted variable "(int)key" as an index to pointer "*__ctype_b_loc()".



	vmstat -----------------------------------------------------------------------
Error: FORWARD_NULL:
	partition made non-null with optarg for -p where statMode |= PARTITIONSTAT
	if no optarg then the program exits with usage
	thus call to diskpartition_format will be with non-null pointer
	my_category: avoidable_false_positive
vmstat.c:593: assign_zero: Assigning: "partition" = 0.
vmstat.c:669: var_deref_model: Passing null variable "partition" to function "diskpartition_format", which dereferences it.
vmstat.c:301: deref_parm_in_call: Function "strcmp" dereferences parameter "partition_name". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)



	watch ------------------------------------------------------------------------
Error: TAINTED_STRING:
	even though the environment variable COLUMNS might begin tainted, from my analysis, the tool is totally mistaken
	strtol actually untaints the data in the form of 't' and 'endptr'; then the environment variable COLUMNS is potentially purified with -1
	my_category: avoidable_false_positive
watch.c:95: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:95: var_assign: Assigning: "s" = "getenv("COLUMNS")", which taints "s".
watch.c:100: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:100: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:101: var_assign_var: Assigning: "incoming_cols" = "(int)t". Both are now tainted.
watch.c:102: var_assign_var: Assigning: "width" = "incoming_cols". Both are now tainted.
watch.c:103: vararg_transitive: Call to "snprintf" with tainted argument "width" taints "env_col_buf".
watch.c:104: tainted_string: Passing tainted string "env_col_buf" to a function that cannot accept tainted data.

Error: TAINTED_STRING:
	even though the environment variable LINES might begin tainted, from my analysis, the tool is totally mistaken
	strtol actually untaints the data in the form of 't' and 'endptr'; then the environment variable LINES is potentially purified with -1
	my_category: avoidable_false_positive
watch.c:108: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:108: var_assign: Assigning: "s" = "getenv("LINES")", which taints "s".
watch.c:113: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:113: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:114: var_assign_var: Assigning: "incoming_rows" = "(int)t". Both are now tainted.
watch.c:115: var_assign_var: Assigning: "height" = "incoming_rows". Both are now tainted.
watch.c:116: vararg_transitive: Call to "snprintf" with tainted argument "height" taints "env_row_buf".
watch.c:117: tainted_string: Passing tainted string "env_row_buf" to a function that cannot accept tainted data.



	proc/readproc ----------------------------------------------------------------
Error: DEADCODE:
	the tool does not understand gperf and the pseudo case labels preceded by goto
	the following code snippets illustrate the deficiency:
	   goto *(&&base + entry.offset);
	      ...
	   case_Threads:
	     Threads = strtol(S,&S,10);
	     continue;
	my_category: avoidable_false_positive
proc/readproc.c:387: dead_error_condition: On this path, the condition "Threads" cannot be true.
proc/readproc.c:115: const: After this line, the value of "Threads" is equal to 0.
proc/readproc.c:115: assignment: Assigning: "Threads" = "0L".
proc/readproc.c:388: dead_error_begin: Execution cannot reach this statement "P->nlwp = Threads;".

Error: STRING_NULL:
	read is asked to retrieve one byte less than the passed capacity:  num_read = read(fd, ret, cap - 1);
	file2str does indeed null terminate sbuf:                 ret[num_read] = '\0';
	my_category: avoidable_false_positive
proc/readproc.c:1193: string_null_argument: Function "file2str" does not terminate string "*sbuf".
proc/readproc.c:514: string_null_argument: Function "read" fills array "*ret" with a non-terminated string.
proc/readproc.c:1197: string_null: Passing unterminated string "sbuf" to a function expecting a null-terminated string.
proc/readproc.c:447: string_null_sink_parm_call: Passing parameter "S" to "strchr" which expects a null-terminated string.



	ps/output --------------------------------------------------------------------
Error: MISSING_BREAK:
	intentional fall through
	my_category: possibly_filter_out_?
ps/output.c:1983: unterminated_default: The default case is not terminated by a 'break' statement.
ps/output.c:1984: fallthrough: The above case falls through to this one.

Error: UNINIT:
	the first member is initialized in the very next statement, sufficient for bsearch callback
	   key.spec = findme;
	my_category: avoidable_false_positive
ps/output.c:1737: var_decl: Declaring variable "key" without initializer.
ps/output.c:1739: uninit_use_in_call: Using uninitialized value "key": field "key".flags is uninitialized when calling "bsearch".

Error: UNINIT:
	the first member is initialized in the very next statement, sufficient for bsearch callback
	   key.spec = findme;
	my_category: avoidable_false_positive
ps/output.c:1745: var_decl: Declaring variable "key" without initializer.
ps/output.c:1747: uninit_use_in_call: Using uninitialized value "key": field "key".head is uninitialized when calling "bsearch".



	ps/parser --------------------------------------------------------------------
Error: RESOURCE_LEAK:
	intentional omission
	abexit shortly
	my_category: avoidable_false_positive
ps/parser.c:1021: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1021: var_assign: Assigning: "pidnode" =  storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK:
	intentional omission
	abexit shortly
	my_category: avoidable_false_positive
ps/parser.c:1025: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1025: var_assign: Assigning: "grpnode" =  storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK:
	intentional omission
	abexit shortly
	my_category: avoidable_false_positive
ps/parser.c:1029: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1029: var_assign: Assigning: "sidnode" =  storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.



	ps/sortformat ----------------------------------------------------------------
Error: UNREACHABLE:
	the tool does not understand the following 'label' usage (nor do i - perhaps some obscure compiler/platform warning/quirk)
	   goto unknown;
	      ...
	   if(0) unknown:  err=errbuf;
	my_category: unavoidable_false_positive_?
ps/sortformat.c:312: unreachable: This code cannot be reached: "if (0){
  unknown:
  err = ...".