package frama-c

  1. Overview
  2. Docs
Platform dedicated to the analysis of source code written in C

Install

Dune Dependency

frama-c.com Readme Edit opam file Versions (23)

Authors

  1. M
    Michele Alberti
  2. T
    Thibaud Antignac
  3. G
    Gergö Barany
  4. P
    Patrick Baudin
  5. N
    Nicolas Bellec
  6. T
    Thibaut Benjamin
  7. A
    Allan Blanchard
  8. L
    Lionel Blatter
  9. F
    François Bobot
  10. R
    Richard Bonichon
  11. V
    Vincent Botbol
  12. Q
    Quentin Bouillaguet
  13. D
    David Bühler
  14. Z
    Zakaria Chihani
  15. L
    Loïc Correnson
  16. J
    Julien Crétin
  17. P
    Pascal Cuoq
  18. Z
    Zaynah Dargaye
  19. B
    Basile Desloges
  20. J
    Jean-Christophe Filliâtre
  21. P
    Philippe Herrmann
  22. M
    Maxime Jacquemin
  23. F
    Florent Kirchner
  24. A
    Alexander Kogtenkov
  25. R
    Remi Lazarini
  26. T
    Tristan Le Gall
  27. J
    Jean-Christophe Léchenet
  28. M
    Matthieu Lemerre
  29. D
    Dara Ly
  30. D
    David Maison
  31. C
    Claude Marché
  32. A
    André Maroneze
  33. T
    Thibault Martin
  34. F
    Fonenantsoa Maurica
  35. M
    Melody Méaulle
  36. B
    Benjamin Monate
  37. Y
    Yannick Moy
  38. P
    Pierre Nigron
  39. A
    Anne Pacalet
  40. V
    Valentin Perrelle
  41. G
    Guillaume Petiot
  42. D
    Dario Pinto
  43. V
    Virgile Prevosto
  44. A
    Armand Puccetti
  45. F
    Félix Ridoux
  46. V
    Virgile Robles
  47. J
    Jan Rochel
  48. M
    Muriel Roger
  49. J
    Julien Signoles
  50. N
    Nicolas Stouls
  51. K
    Kostyantyn Vorobyov
  52. B
    Boris Yakobowski

Maintainers

  1. F
    frama-ci-bot@frama-c.com

Sources

frama-c-29.0-Copper.tar.gz
sha256=d2fbb3b8d0ff83945872e9e6fa258e934a706360e698dae3b4d5f971addf7493

doc/frama-c-wp.core/Wp/MemVal/Make/index.html

Module MemVal.MakeSource

Parameters

module _ : Value

Signature

Model Definition

Sourceval configure : unit -> WpContext.rollback

Initializers to be run before using the model. Typically push Context values and returns a function to rollback.

Given an automaton, return a vertex's binder. Currently used by the automata compiler to bind current vertex. See StmtSemantics.

Sourceval datatype : string

For projectification. Must be unique among models.

Computes the memory model partitionning of the memory locations. This function typically adds new elements to the partition received in input (that can be empty).

Memory model chunks.

Sourcemodule Heap : Qed.Collection.S with type t = Chunk.t

Chunks Sets and Maps.

Sourcemodule Sigma : Sigs.Sigma with type chunk = Chunk.t and module Chunk = Heap

Model Environments.

Sourcetype loc

Representation of the memory location in the model.

Sourcetype chunk = Chunk.t
Sourcetype sigma = Sigma.t
Sourcetype domain = Sigma.domain
Sourcetype segment = loc Sigs.rloc

Reversing the Model

Sourcetype state

Internal (private) memory state description for later reversing the model.

Sourceval state : sigma -> state

Returns a memory state description from a memory environement.

Sourceval lookup : state -> Lang.F.term -> Sigs.mval

Try to interpret a term as an in-memory operation located at this program point. Only best-effort shall be performed, otherwise return Mvalue.

Recognized Cil patterns:

  • Mvar x,[Mindex 0] is rendered as *x when x has a pointer type
  • Mmem p,[Mfield f;...] is rendered as p->f... like in Cil
  • Mmem p,[Mindex k;...] is rendered as p[k]... to catch Cil Mem(AddPI(p,k)),...

Try to interpret a sequence of states into updates.

The result shall be exhaustive with respect to values that are printed as Sigs.mval values at post label via the lookup function. Otherwise, those values would not be pretty-printed to the user.

Sourceval apply : (Lang.F.term -> Lang.F.term) -> state -> state

Propagate a sequent substitution inside the memory state.

Sourceval iter : (Sigs.mval -> Lang.F.term -> unit) -> state -> unit

Debug

Sourceval pretty : Format.formatter -> loc -> unit

pretty printing of memory location

Memory Model API

Sourceval vars : loc -> Lang.F.Vars.t

Return the logic variables from which the given location depend on.

Sourceval occurs : Lang.F.var -> loc -> bool

Test if a location depend on a given logic variable

Sourceval null : loc

Return the location of the null pointer

Sourceval literal : eid:int -> Cstring.cst -> loc

Return the memory location of a constant string, the id is a unique identifier.

Return the location of a C variable.

Sourceval pointer_loc : Lang.F.term -> loc

Interpret an address value (a pointer) as an abstract location. Might fail on memory models not supporting pointers.

Sourceval pointer_val : loc -> Lang.F.term

Return the adress value (a pointer) of an abstract location. Might fail on memory models not capable of representing pointers.

Return the memory location obtained by field access from a given memory location.

Return the memory location obtained by array access at an index represented by the given term. The element of the array are of the given c_object type.

Sourceval base_addr : loc -> loc

Return the memory location of the base address of a given memory location.

Sourceval base_offset : loc -> Lang.F.term

Return the offset of the location, in bytes, from its base_addr.

Sourceval block_length : sigma -> Ctypes.c_object -> loc -> Lang.F.term

Returns the length (in bytes) of the allocated block containing the given location.

Cast a memory location into another memory location. For cast ty loc the cast is done from ty.pre to ty.post. Might fail on memory models not supporting pointer casts.

Sourceval loc_of_int : Ctypes.c_object -> Lang.F.term -> loc

Cast a term representing an absolute memory address (to some c_object) given as an integer, into an abstract memory location.

Sourceval int_of_loc : Ctypes.c_int -> loc -> Lang.F.term

Cast a memory location into its absolute memory address, given as an integer with the given C-type.

Sourceval domain : Ctypes.c_object -> loc -> domain

Compute the set of chunks that hold the value of an object with the given C-type. It is safe to retun an over-approximation of the chunks involved.

Sourceval is_well_formed : sigma -> Lang.F.pred

Provides the constraint corresponding to the kind of data stored by all chunks in sigma.

Return the value of the object of the given type at the given location in the given memory state.

Sourceval load_init : sigma -> Ctypes.c_object -> loc -> Lang.F.term

Return the initialization status at the given location in the given memory state.

Return a set of equations that express a copy between two memory state.

copied sigma ty loc1 loc2 returns a set of formula expressing that the content for an object ty is the same in sigma.pre at loc1 and in sigma.post at loc2.

Sourceval copied_init : sigma Sigs.sequence -> Ctypes.c_object -> loc -> loc -> Sigs.equation list

Return a set of equations that express a copy of an initialized state between two memory state.

copied sigma ty loc1 loc2 returns a set of formula expressing that the initialization status for an object ty is the same in sigma.pre at loc1 and in sigma.post at loc2.

Return a set of formula that express a modification between two memory state.

stored sigma ty loc t returns a set of formula expressing that sigma.pre and sigma.post are identical except for an object ty at location loc which is represented by t in sigma.post.

Return a set of formula that express a modification of the initialization status between two memory state.

stored_init sigma ty loc t returns a set of formula expressing that sigma.pre and sigma.post are identical except for an object ty at location loc which has a new init represented by t in sigma.post.

Return a set of formula that express that two memory state are the same except at the given set of memory location.

This function can over-approximate the set of given memory location (e.g it can return true as if the all set of memory location was given).

Sourceval is_null : loc -> Lang.F.pred

Return the formula that check if a given location is null

Sourceval loc_eq : loc -> loc -> Lang.F.pred
Sourceval loc_lt : loc -> loc -> Lang.F.pred
Sourceval loc_neq : loc -> loc -> Lang.F.pred
Sourceval loc_leq : loc -> loc -> Lang.F.pred

Memory location comparisons

Sourceval loc_diff : Ctypes.c_object -> loc -> loc -> Lang.F.term

Compute the length in bytes between two memory locations

Return the formula that tests if a memory state is valid (according to acs) in the given memory state at the given segment.

Sourceval frame : sigma -> Lang.F.pred list

Assert the memory is a proper heap state preceeding the function entry point.

Allocates new chunk for the validity of variables.

Sourceval initialized : sigma -> segment -> Lang.F.pred

Return the formula that tests if a memory state is initialized (according to acs) in the given memory state at the given segment.

Sourceval invalid : sigma -> segment -> Lang.F.pred

Returns the formula that tests if the entire memory is invalid for write access.

Manage the scope of variables. Returns the updated memory model and hypotheses modeling the new validity-scope of the variables.

Given a pointer value p, assumes this pointer p (when valid) is allocated outside the function frame under analysis. This means separated from the formals and locals of the function.

Sourceval included : segment -> segment -> Lang.F.pred

Return the formula that tests if two segment are included

Sourceval separated : segment -> segment -> Lang.F.pred

Return the formula that tests if two segment are separated

OCaml

Innovation. Community. Security.

GitHub Discord Twitter Peertube RSS
About
Changelog Releases Industrial Users Academic Users Why OCaml
Ecosystem
Packages Community Events OCaml Planet Jobs
Resources
Install OCaml Get Started Platform Tools Language Manual Standard Library API Books Exercises Papers OCaml Playground Logo
Policies
Carbon Footprint Governance Privacy Code of Conduct