Frama-C API - Dom

Greatest element.

Inclusion test.

Semi-lattice structure.

widen h t1 t2 is an over-approximation of join t1 t2. Assumes is_included t1 t2

Over-approximation of the intersection of two abstract states (called meet in the literature). Used only to gain some precision when interpreting the complete behaviors of a function specification. Can be very imprecise without impeding the analysis: meet x y = `Value x is always sound.

Domains can optionally provide a context to be used by value abstractions when evaluating expressions. This can be safely ignored for most domains. Defined as unit (no context) by Domain_builder.Complete.

Numerical values to which the expressions are evaluated.

Abstract memory locations associated to left values.

The origin is used by the domain combiners to track the origin of a value. An abstract domain can always use a dummy type unit for origin, or use it to encode some specific information about a value.

Query function for compound expressions: extract_expr ~oracle context t exp returns the known value of exp by the state t. See above for more details on queries.

Query function for lvalues: extract_lval ~oracle context t lval loc returns the known value stored at the location loc of the left value lval. See above for more details on queries.

backward_location state lval typ loc v reduces the location loc of the lvalue lval, so that only the locations that may have value v are kept. The returned location must be included in loc, but it is always sound to return loc itself. Also returns the value that may have the returned location, if not bottom. Defined by Domain_builder.Complete with no reduction.

Given a reduction expr = value, provides more reductions that may be performed. Defined by Domain_builder.Complete with no reduction.

Returns the current context to be used by value abstractions for the evaluation of expressions or lvalues. Defined by Domain_builder.Complete with no context.

update valuation t updates the state t with the values of expressions and the locations of lvalues available in the valuation record.

assign kinstr lv expr v valuation state is the transfer function for the assignment lv = expr for state. It must return the state where the assignment has been performed.

• kinstr is the statement of the assignment, or Kglobal for the initialization of a global variable.
• when the kinstr is a function call, expr is the special variable in !Eval.call.return.
• v carries the value being assigned to lv, i.e. the value of the expression expr. v also denotes the kind of assignment: Assign for the default assignment of the value, or Copy for the exact copy of a location if the right expression expr is a lvalue.
• valuation is a cache of all sub-expressions and locations computed for the evaluation of lval and expr; it can also be used to reduce the state.

Transfer function for an assumption. assume stmt expr bool valuation state returns a state in which the boolean expression expr evaluates to bool.

• stmt is the statement of the assumption.
• valuation is a cache of all sub-expressions and locations computed for the evaluation and the reduction of expr; it can also be used to reduce the state.

start_call stmt call recursion valuation state returns an initial state for the analysis of a called function. In particular, this function should introduce the formal parameters in the state, if necessary.

• stmt is the statement of the call site;
• call represents the call: the called function and the arguments;
• recursion is the information needed to interpret a recursive call. It is None if the call is not recursive.
• state is the abstract state at the call site, before the call;
• valuation is a cache for all values and locations computed during the evaluation of the function and its arguments.

On recursive calls, recursion contains some substitution of variables to be applied on the domain state to prevent mixing up local variables and formal parameters of different recursive calls. See Eval.recursion for more details. This substitution has been applied on values and expressions in call, but not in the valuation given as argument. If the domain uses some information from the valuation on a recursive call, it must apply the substitution on it.

finalize_call stmt call ~pre ~post computes the state after a function call, given the state pre before the call, and the state post at the end of the called function.

• stmt is the statement of the call site;
• call represents the function call and its arguments.
• recursion is the information needed to interpret a recursive call. It is None if the call is not recursive.
• pre and post are the states before and at the end of the call respectively.

Called on the Frama_C_domain_show_each directive. Prints the internal properties inferred by the domain in the state about the expression exp. Can use the valuation resulting from the cooperative evaluation of the expression. Defined by Domain_builder.Complete but prints nothing.

logic_assign None loc state removes from state all inferred properties that depend on the memory location loc. If the first argument is not None, it contains the logical clause being interpreted and the pre-state in which the terms of the clause are evaluated. The clause can be an assigns, allocates or frees clause. loc is then the memory location concerned by the clause.

Evaluates a predicate to a logical status in the current state. The logic_environment contains the states at some labels and the potential variable for \result. Defined by Domain_builder.Complete: all predicates are Unknown.

reduce_by_predicate env state pred b reduces the current state by assuming that the predicate pred evaluates to b. env contains the states at some labels and the potential variable for \result. Defined by Domain_builder.Complete with no reduction.

Interprets an ACSL extension. Defined by Domain_builder.Complete as the identity.

Introduces a list of variables in the state. At this point, the variables are uninitialized. Globals and formals of the 'main' will be initialized by initialize_variable and initialize_variable_using_type. Local variables remain uninitialized until an assignment through assign. The formal parameters of a call enter the scope through start_call.

Removes a list of local and formal variables from the state. The first argument is the englobing function.

The initial state with which the analysis start.

initialize_variable lval loc ~initialized init_value state initializes the value of the location loc of lvalue lval in state with: – bits 0 if init_value = Zero; – any bits if init_value = Top. The boolean initialized is true if the location is initialized, and false if the location may be not initialized.

Initializes a variable according to its type. The variable can be:

• a global variable on lib-entry mode.
• a formal parameter of the 'main' function.
• the return variable of a function specification.

relate bases state returns the set of bases in relation with bases in state — i.e. all bases (other than bases) whose value may affect the properties inferred on bases in state. For a non-relational domain, it is always sound to return empty. For a relational domain, it is always sound to return top, but this disables the MemExec cache.

filter bases state returns a state that must contain exactly the same properties about bases as state. All properties about other bases can be removed from the state. If S' = filter B S, S' must satisfy proj(γ(S'), B) = proj(γ(S), B). Defined by Domain_builder.Complete as the identity, which is sound but decreases the performance of the MemExec cache. If you implement filter, you must also provide a sound implementation of reuse.

reuse bases ~current_input ~previous_output returns a state equal to current_input, except that all properties about bases must be replaced by the ones in previous_output. It must be exact to ensure that the MemExec cache does not impact the analysis precision. reuse is only applied to re-interpret a code <C> already analyzed with an equivalent initial state. current_input is the new input state for the analysis of <C>, and previous_output was the final state of the former analysis of <C>. See below for details. Defined by Domain_builder.Complete with a naive implementation which is only sound when filter is implemented as the identity.

project bases state returns an over-approximation of the projection of state on bases. If S' = project B S, S' must satisfy proj(γ(S), B) ⊆ γ(S'). Defined by Domain_builder.Complete by always returning top.

overwrite bases ~on ~by returns a state equal to on, except that all properties about bases are replaced by the ones in by. Unlike reuse, overwrite can compute an over-approximation, but cannot use any assumption about state on. State by is the result of a projection on bases bases. A sound but imprecise implementation can remove all properties about bases from state on (and ignore state by). More formally, this function must compute an over-approximation of proj(γ(on), complement(bases)) ∩ proj(γ(by), bases), where complement(bases) are all memory bases other than bases.

Category for the messages about the domain. Created by Domain_builder.Complete using the domain name.

This function is called after the analysis. The argument is the state computed at the return statement of the main function. The function can also access all states stored in the Store module during the analysis. If the analysis aborted, this function is not called. Defined by Domain_builder.Complete as doing nothing.

Storage of the states computed by the analysis. Automatically built by Domain_builder.Complete.

Tests whether a key belongs to the module.

For a key of type k key:

• if the values of type t contain a subpart of type k from a module identified by the key, then get key returns an accessor for it.
• otherwise, get key returns None.

For a key of type k key:

• if the values of type t contain a subpart of type k from a module identified by the key, then set key v t returns the value t in which this subpart has been replaced by v.
• otherwise, set key _ is the identity function.