Changelog

Frama-C Changelog

Future Release [git]

Frama-C General

New Features

[Kernel] Introduce \plugin:: prefix for ACSL extensions, unknown extensions can be safely ignored when the plug-in that handles them is not available
[Kernel] Systematically abort when a function is redeclared with an incompatible type, instead of trying to finish type-checking, preventing misleading error msgs after the first report. IncompatibleDeclHook has thus been removed from the API.
[Kernel] Avoid ambiguous pretty-printing when C labels match the name of an ACSL built-in label (fix #1359)

Bug Fixes

[Kernel] When an array is declared with a fixed length l, raise an error if l * sizeof(elem) > SIZE_MAX
[Kernel] Accept conditional expr whose 2d and 3d operands have type void, as per C11 6.5.15§3

Developers Only

[Kernel] Db is now mostly empty, the only remaining value is Db.Main.extend which is deprecated and replaced by Boot.Main.extend. Features related to asynchronous interactions are now handled in module Async
[Kernel] Merged AST nodes TCastE and TLogic_coerce
[Kernel] More coherent naming of functions determining if a symbol is a Frama-C built-in.
[Kernel] Refactor current location handling mechanism
[Kernel] Annotations.{fold,iter}_behaviors now pass full behaviors to the iterated function. To iter on fragments split by behavior and emitter, use {fold,iter}_behaviors_by_emitter.

Plugin E-ACSL

[E-ACSL] remove option -e-acsl-version.

Plugin Variadic

Make sure that generated functions have fresh names

Plugin WP

[WP] wp_nullable_args is renamed \wp::nullable_args to follow kernel changes
[WP] Introduce counter examples via the new option -wp-counter-examples. Also introduce an ACSL extension to create probes on terms for counter examples.

Copper Release [29.0]

Plugin E-ACSL

[E-ACSL] fix TLS segment start address and size

Nickel Release [28.1]

Frama-C General

[Kernel] Fix Cil.isConstant on lvalues with offset.

Plugin Ivette

Fix Ivette shell wrapper on macOS.

Plugin WP

[WP] Fix interactive prover startup.

Nickel Release [28.0]

Frama-C General

New Features

[Kernel] Fix #846 (printing ACSL attribute in ghost code)
[Kernel] New options -generated-spec-mode and -generated-spec-custom for configuring how default specifications are generated
[Kernel] Remove options -no-type and -no-obj and related functions.

Developers Only

[Kernel] Expose Cil functions for type compatibility
[Kernel] Remove Dynamic.Unloadable exception, useless since the move from dynamic to static API for plug-ins.
[Kernel] New mechanism for generating default specifications

Plugin Alias

New alias plugin that implements a points-to analysis and an alias analysis based on Steensgaard's algorithm. For these purposes it presents a more efficient (albeit less precise) alternative to Eva. See src/plugins/alias/README.md.

Plugin E-ACSL

[E-ACSL] Generate more efficient code for arithmetic calculations. This is achieved by appraising more precisely the possible values an arithmetic variable can take. This allows in many cases for native computations instead of generating slower GMP code. Introduces new flags: -e-acsl-widening-*

Plugin Eva

New Features

Print less messages unless -eva-show-progress is set.
Adds warning key "garbled-mix" to all log messages related to garbled mix (degenerated imprecise values).
Support evaluation of simple \let bindings in ACSL terms and predicates.
Optimization of the multidim domain.

Bug Fixes

Fix convergence issue on dynamic memory allocation in some loops.
Fix unsound behavior on goto or switch statements skipping local variable declarations: initialization alarms about such variables are now properly emitted.

Developers Only

Remove deprecated API Db.Value.

Plugin WP

[GUI] Basic WP goals component for Ivette
[TIP] Activation of Strategies
[WP] ACSL extension 'proof' for proof resolution hints
[WP] ACSL extension 'strategy' for proof strategies
[WP] New option -wp-strategy s,... for default strategies
[WP] New option -wp-tactic to search for tactics
[WP] New option -wp-status to print unproved goals
[WP] New option -wp-script=mode (see also -wp-cache-env)
[WP] New option -wp-no-strategy-engine to deactivate strategies
[WP] Option -wp-prop extended to lemma and function names
[WP] Tactic Absurd now also applies to proof goal
[WP] Tactic Compute (new, generalize Definition and Split)
[WP] Fixed cache for interactive provers
[WP] New option -wp-memlimit for provers
[WP] Sequent simplification now applies to lemmas
[WP] Removed options -wp-frama-c-stdlib-terminate, -wp-declarations-terminate and -wp-definitions-terminate. Use -generated-spec-* to disable generation of terminates (or exits)
[WP] WP generates exits and terminates specification on all functions, using the mechanism provided by the Frama-C kernel
[WP] Ensure compatibility with Why3 1.7.0

Cobalt Release [27.1]

Frama-C General

[Kernel] New frama-c-script wrapper for make_machdep.py

Frama-C GUI

[Gui] Fixes freeze when a plugin aborts during splash screen
[Gui] Fixes crash related to tags and undefined types

Plugin Ivette

Fixes crash with multiple instances

Cobalt Release [27.0]

Frama-C General

[Kernel] New machdep mechanism, based on YAML files. A new make_machdep.py script allows automatic machdep creation from a C11-compatible (cross-)compiler.
[Kernel] Deprecate option -c11 (now enabled by default).
[Kernel] Add support for C11's _Generic. Modifies Cabs AST.

Frama-C GUI

[Gui] Remove GTK2 bindings. Only support GTK3 as of now.

Plugin Aorai

Allows comments in .ya automata files.
Supports specification about floating-point variables.

Plugin E-ACSL

[e-acsl-gcc] arguments to options -e/--cpp-flags now overload the default values set by e-acsl-gcc instead of being ignored.

Plugin Eva

New Features

Better partitioning splits on ACSL predicates.
Fixes performance issues on programs with too many function calls (more than 20000 callsites).
Better display of large integer sets for high values of the -eva-ilevel parameter.
When possible, Eva shows the name of enumeration tags instead of their integer values, in the log and the GUI.
The octagon domain can now infer relations between any lvalues of integer or pointer types.

Bug Fixes

Fixes unsoundness of the bitwise domain on shifts and casts on big-endian architectures.
Fixes a soundness bug of the equality domain when the same equality holds in two programs paths, but involving a pointer pointing to different variables in the two paths.
Fixes interpretation of Eva annotations at the end of a block, and of multiple split annotations after a function call.

Plugin Ivette

New Features

Shows information about C types in the Inspector.
Better display of dead and non-terminating statements.
Improves function filtering in the left sidebar.
The values table can show the logical status of ACSL predicates, and the values of C lvalues in these predicates.
The values table shows values of function parameters.
The values table shows the status of uninitialized and escaping variables.
New callgraph component.

Bug Fixes

Custom views are correctly saved and reloaded.
Ends properly frama-c process when Ivette is closed.

Plugin WP

[WP] new option -wp-why3-extra-config for providing additional Why3 configuration files
[WP] Upgrade to Why3 1.6.0
[WP] renamed option -wp-split-depth into -wp-split-cnf
[WP] new option -wp-split-conj to split conjunctive goals
[WP] new option -wp-split-switch to split switches
[WP] fix option -wp-split to only split conditions
[WP] Default timeout set to 2s
[WP] new warning against unions (see -wp-warn-key "union")

Iron Release [26.1]

Frama-C General

[Logic] Accept \ghost attribute in logic annotations (#2638)
[Logic] Fix issue in pretty-printing ranges (#2639)

Plugin WP

[WP] Fixes 'terminates' goals generation when some 'terminates' or 'decreases' clauses are missing.

Iron Release [26.0]

Frama-C General

New Features

[Kernel] Remove journalisation.
[Kernel] Improve error message for invalid options -D/-I/-U.
[Kernel] -version prints a newline, -print-version does not.
[Kernel] Support for ghost VLA and calls to builtins with ghost arguments.
[Kernel] 'calls' ACSL extension is now registered in the kernel and not WP

Developers Only

[Configure] Removed autoconf and configure
[Makefile] Removed Makefile, Frama-C is now built using Dune 3.x

Plugin Aorai

Remove support for LTL and Promela input formats

Plugin E-ACSL

New Features

[E-ACSL] Improve typing precision of variables appearing in comparisons.
[E-ACSL] Add support for functions returning a rational.

Bug Fixes

[E-ACSL] Fix wrong cast from pointer to integer (#1119).
[E-ACSL] Fix typing of recursive predicates (#198).
[E-ACSL] Fix assign clause and result as extra argument for functions returning a structure (#1139).
[E-ACSL] Fix clashing name when a function with contract and a logic function have the same name (#204).

Plugin Eva

New Features

Avoid false alarms of partially overlapping lvalue assignments when writing a struct array from itself.
Improved precision: arguments of calls interpreted by an Eva builtin or with an ACSL specification can now be reduced in the caller. This is especially useful on C asserts.
Numerors now needs MLMPFR 4.1.0+bugfix2
The octagon domain can infer relations on the integer conversion of floating-point variables.

Bug Fixes

Fixes a possible crash when -eva-subdivide-non-linear and relational domains are enabled.
Fixes a crash on recursive functions with an ACSL specification without assigns clause.

Developers Only

Deprecate Db.Value API: use the new Eva API instead.

Plugin From

Removed Db.From API: use the From API instead.

Plugin Ivette

In the AST component, the user can fold/unfold ACSL specifications, and preconditions are now shown at call sites.
New component 'Eva States' that prints the internal Eva domain states at a given statement for the selected marker.
Fixes some issues in the data dependency graphs generated by the Dive plugin in the 'Dive Dataflow' component.
The installation of Frama-C provides an installation script for Ivette: run 'ivette' once to finalize its installation.
After an Eva analysis with taint, the taint status of lvalues is shown in the Inspector component and in Dive graphs.

Plugin Pdg

Removed from Db. Use proper Pdg API instead.

Plugin WP

[Cmd] Improves the WP JSON report provided by -wp-report-json
[WP] 'calls' ACSL extension moved into the kernel; option -wp-dynamic marked as obsolete
[WP] Upgrade to Why3 1.5.1

Manganese Release [25.0]

Frama-C General

Bug Fixes

[Kernel] Reject array whose size is too big with a proper error message instead of a crash (fixes #2590)
[Kernel] Reject array whose size is too big with a proper error message instead of a crash (fixes #2590)
[Kernel] Reject programs using unsupported vector_size attribute (fixes #2573)
[Kernel] Fix list of potential types for decimal integer literal constants
[Logic] Fix type of expressions whose value are functions

Developers Only

[Kernel] Integer.pretty does not have the optional argument hexa anymore. Use Integer.pretty_hex or Integer.pp_hex if you want to print integers in hexadecimal format.
[Kernel] Remove unused AST node Dcustom_annot and field fpadding_in_bits. Do not cache size of types in the AST but in a dedicated table.
[Kernel] Removed obsolete AST nodes IndexPI and Info
[Kernel] Remove State_selection.Static (deprecated since 10 years, use directly State_selection instead)
[Kernel] New visitor functions visitFramacFileFunctions and visitCilFileFunctions to visit only function definitions, for better performance.
[Kernel] Known compiler builtins are no longer hardcoded in OCaml, but defined via JSON files (in share/compliance).
[Kernel] Prototype of AST comparison between two versions of the same program, via the new option -ast-diff.

Plugin E-ACSL

New Features

[E-ACSL] Add Linux's pthread concurrency support.
[E-ACSL] Improve translation of `\at()` terms and predicates (#108).
[runtime] Improve runtime debug logs: the %a modifier now outputs in hexadecimal, the debug logs now all end in new lines, the trace now outputs to stderr.

Bug Fixes

[E-ACSL] Now the same Frama-C options are used when parsing the user sources and the E-ACSL's RTL.
[E-ACSL] Add support for VDSO segment on Linux.
[E-ACSL] Fix crash when binding a lambda-abstraction to a local variable (#189).
[E-ACSL] Fix crash when creating an axiomatic with an existing name in E-ACSL's RTL (#161).
[E-ACSL] Fix normalization of global annotations that may lead to crashes (#195).
[E-ACSL] Fix wrong cast of pointer to integer (#1119).
[E-ACSL] Fix crash for quantifications over enum types (#199).
[e-acsl-gcc] Fix e-acsl-gcc.sh detection of failures in subcommands.
[e-acsl-gcc] Fix e-acsl-gcc.sh bash autocompletion script and install it at a standard location.
[runtime] Fix default stack size: E_ACSL_STACK_SIZE is now correctly used by the runtime, the default values have been adjusted to what was effectively used.

Plugin Eva

Fixes stack overflow errors on very large C functions.
Improve the multidim abstract domain: it is now more precise and more robust, it is able to infer simple array invariants on some loops without unrolling, and has a new option -eva-multidim-disjunctive-invariants to infer structures disjunctive invariants.
New API to run the analysis and access its results, intended to replace the old API in Db.Value. It is more precise as it uses all available domains to evaluate values and locations. See file Eva.mli for more details.

Plugin WP

New Features

[TIP] Extended Split tactic: can split in hypotheses, can split conjunctions into multiple hypotheses.
[TIP] New tactic Clear: remove hypothesis
[TIP] New tactic Mod-Mask: rewrite bitmask into/from modulo
[WP] Removed legacy WP engine and option -wp-legacy
[WP] Weakened loop invariant verification (in particular for check loop invariant)
[WP] Supported decreases clause
[WP] Supported general variant measure
[WP] Removed deprecated "native:alt-ergo" prover
[WP] Removed deprecated "native:coq" prover
[WP] New option -wp-smoke-dead-local-init, smoke tests on local variables initialization
[WP] New option -wp-fct-timeout, used to customize the provers timeout per function
[WP] Upgrade to Why3 1.5

Bug Fix

[WP] Fixed loop invariant order

Chromium Release [24.0]

Frama-C General

New Features

[ACSL] better type checks for volatile clauses
[Kernel] 0-sized flexible array members only available in gcc_* machdeps, that now also support FAM in nested struct.
[Kernel] Support for C11's _Static_assert
[Libc] Frama-C's libc #define _STDC_NO_COMPLEX as mandated by ISO C11 for libraries without support for complex numbers

Bug Fix

[Kernel] Fixes crashes on C integer constants overflowing ocaml integers.

Developers Only

[Kernel] New module Cil_builder, simplifies C and ACSL code generation.
[Ptests] Add new PLUGIN directive and new predefined macros.

Plugin E-ACSL

New Features

[E-ACSL] Support for \sum.
[E-ACSL] Correct monitoring of code depending on libc function calls that write memory locations (#157).
[E-ACSL] Support for \prod and \numof.
[E-ACSL] Add option -e-acsl-assert-print-data (--assert-print-data in e-acsl-gcc.sh) to print data contributing to a failed assertion along with the error message. Add option --external-print-value in e-acsl-gcc.sh to provide a custom implementation of __e_acsl_print_value().

Bug Fixes

[E-ACSL] Do not translate contracts of E-ACSL built-ins.
[E-ACSL] Fix pointer address on memory annotations with range indices (#148).
[E-ACSL] Fix literal string replacements in function arguments during a local initialization.
[E-ACSL] Fix a crash that occured when using certain combinations of nested blocks and annotations.
[E-ACSL] Fix crash when using some built-in labels (#173).
[E-ACSL] Fix crash when raising some user errors (#170).
[E-ACSL] Fix crash occurring when two or more successive logic coercions were done in a term (#172).
[E-ACSL] Fix incorrect evaluation of quantified predicates when a strict guard overlaps with the type of the bound variable (unlikely in practice) (#149).
[E-ACSL] Fix unsound reuse of previously typed recursive functions (#177)
[E-ACSL] Fix translation order of the default behavior's requires clauses. They are now translated before the evaluation of the assumes clauses of the other behaviors.
[E-ACSL] Fix code generation of properties proven invalid with a previous analysis (#166).

Plugin Eva

New Features

Support for ACSL predicate \is_infinite.
New taint analysis via an experimental taint domain. New annotations //@ taint … (for statements) and //@ taints … (in function contracts) to initiate taint on lvalues. Tainted properties can then be seen in the future GUI Ivette.
New annotation dynamic_split, similar to split, but separates the analysis w.r.t. the current value of an expression instead of the value it had at the annotation point: the partition can be changed at an assignment to ensure that the expression always evaluates to a singleton in each analysis state.
Annotations split and dynamic_split can be applied to logic predicates (in addition to terms).
New experimental multidim domain to improve analysis precision on arrays of structures and multidimensional arrays.
Reduction of "garbled mix" values by \valid and \valid_read ACSL predicates.
New \tainted predicate to evaluate if the value of an expression is tainted according to the taint domain.
Removes the maximum limit of option -eva-ilevel.
Improves the symbolic-locations domain precision.
Improves the precision of the octagon domain on unsigned variables.
On a SIGINT signal (Ctrl-C), the analysis is stopped but partial results are saved if option -save is set.
Supports the evaluation of ACSL set comprehension.
New options to allow states partitioning to survive function returns: -eva-interprocedural-split for disjunctions from split annotations, and -eva-interprocedural-history for disjunctions from the -eva-partition-history option.

Bug Fixes

Fixes a crash in the octagon domain.
Fixes a soundness bug of the bitwise domain with the memexec cache.
Fixes a soundness bug in the octagon domain on integer downcasts wrapping around.
Always checks the arguments of builtin calls for alarms about initialization, escaping pointers and special floating-point values, unless -eva-warn-copy-indeterminate is set.
Always emits alarms about initialization, escaping pointers and special floating-point values for the arguments of calls to functions without body (or whose body is not analyzed), even when -eva-warn-copy-indeterminate is unset.

Developers Only

Changes the Domain_builder.Complete functor to automatically build more abstract domain functions.

Plugin Variadic

translates printf/scanf calls even if formatting string is not constant, warning that it will assume arguments match the format.
Create a fallback specialisation if there is an error while translating a variadic call so that no variadic call are left in the AST after Variadic.

Plugin WP

[TIP] Generalized Overflow tactic
[WP] Removes -wp-overflows option (unsound)
[WP] Adds an experimental support of "terminates" clauses. Adds the options -wp-declaration-terminate and -wp-frama-c-stdlib to claim that external functions terminates. Adds -wp-definitions-terminate option to claim that defined function terminates. Adds -wp-variant-with-terminates to verify loop variants under the termination hypothesis.
[WP] -wp-smoke-tests detects incoherent assumes when no requires are specified, can be disabled with new option -wp-smoke-dead-assumes

Vanadium Release [23.1]

Plugin E-ACSL

[E-ACSL] Fix crash occurring when two or more successive logic coercions were done in a term (#172).
[E-ACSL] Fix crash when raising some user errors (#170).
[E-ACSL] Fix crash when using some built-in labels (#173).
[E-ACSL] Fix crash when encountering a GMP value in a loop variant (#169).

Plugin WP

[WP] Fix a crash related to opaque structures memory typing

Vanadium Release [23.0]

Frama-C General

New Features

[ACSL] New admit annotations to express hypotheses to be admitted but not verified by Frama-C.
[Kernel] Allow -add-symbolic-path to survive saves/loads and invert argument order (path:name).
[Kernel] Set default machdep to x86_64 (was x86_32); allow setting machdep via environment variable FRAMAC_MACHDEP.
[Libc] Remove obsolete attribute FRAMA_C_MODEL in the libc. Fixes #877.
[Libc] In math.h specifications, new behaviors for cases creating NaN or infinite values. These behaviors are allowed or forbidden according to the -warn-special-float option.

Bug Fixes

[Kernel] Raise an error if trying to merge a tentative definition with a proper definition during linking
[Kernel] Pretty prints array formals in their original form. Fixes pub/frama-c#392
[Kernel] Do not crash on _Alignof(void): accept or properly reject, depending on machdep. Fixes pub/frama-c#2551
[Logic] The assigns clause can't mention const locations anymore. Fixes #855.

Developers Only

[Kernel] Extract builtin-related functions from module Cil to module Cil_builtins. Code can be updated using `bin/migration_scripts/titanium2vanadium.sh`.
[Kernel] Make cfields list optional. None means undefined, empty struct allowed only in specific machdeps. removed cdefined field
[Kernel] Avoid triggering warning 16 (unerasable optional argument). Implies changing some labeled functions' signatures.
[Kernel] Change the type of the measure from string to logic_info in the variant AST node.
[Kernel] Filepath directories functions now return Filepath.Normalized.t, Frama-C configuration and plugin configuration getters updated accordingly
[Kernel] Removed deprecated function Filepath.pretty
[Ptests] Add new EXIT directive.
[Ptests] Modify MODULE directive.
[Ptests] FILTER directive reads the standard input and can be chained.

Plugin Aorai

New option for tracking last N states of the automaton. Easier analysis of instrumented code with Eva.

Plugin E-ACSL

New Features

[E-ACSL] Update e-acsl-gcc.sh so that the library dlmalloc can be compiled and used from sources.
[E-ACSL] Add RTL support for Windows.
[E-ACSL] Add support for `check` and `admit` annotations (#142).
[E-ACSL] Add support for multiple binders in guarded quantifications (#127).
[E-ACSL] Add support for loop variant.
[e-acsl-gcc] Do not load Frama-C plugins when retrieving share and plugins paths (#104).
[e-acsl-gcc] Deactivate Variadic translation when using incompatible option --validate-format-strings (#104).
[e-acsl-gcc] Remove obsolete options from documentation and bash completion script (#104).
[e-acsl-gcc] Try to find Frama-C binary in script or development directory if not present in PATH (#104).

Bug Fixes

[E-ACSL] Fix crash when comparing two structs, which is currently unsupported (#139).
[E-ACSL] Fix crash when running another analysis after E-ACSL caused by E-ACSL breaking some internal kernel invariant (#145).
[E-ACSL] Fix wrong computation of the base pointer when calling \valid predicate leading to undetected array overflows.
[E-ACSL] Restore behavior of option -e-acsl-no-valid broken since Titanium (included).
[Makefile] Fix dependencies in bytecode-only compilation.
[runtime] Fix integration of contracts from the runtime library into Frama-C (#999).
[runtime] Fix the end address of the memory segments in the RTL layouts.
[runtime] Fix incorrect check on program arguments when the main function takes no arguments (#151).
[runtime] Fix backtrace output on failed assertion (#151).

Plugin Eva

New Features

Allow using Eva directives Frama_C_show_each and Frama_C_dump_each in ghost code.
Better interpretation of logical operators && and || (useful when option -keep-logical-operators is enabled).
Improved automatic widening thresholds (widen hints): use constant modulo as threshold, and infer thresholds globally for global variables.
New "audit mode" to track file checksums, correctness options and enabled warnings, via options -audit-prepare and -audit-check.
Slightly more precise evaluation of ACSL quantifiers.
Improved automatic loop unroll (-eva-auto-loop-unroll option) of loops with goto or continue statements, or assigning constant values to loop variants.
Partial support for recursion: new option -eva-unroll-recursive-calls to precisely analyze the n first recursive calls, before using the function specification to interpret the remaining calls. The unsound option -eva-ignore-recursive-calls has been removed.

Bug Fix

Fixes a crash when subdividing the evaluation of pointer expressions (via option -eva-subdivide-non-linear).

Developers Only

New signature for builtins, that are now registered via Eva.mli instead of Db.Value.

Plugin Metrics

Add json output in addition to text and html.

Plugin RTE

-rte-initialized takes a set of functions as parameter (defaults to none)
No more initialization warnings for full structures and unions reads. Initialization warnings for other types *without* trap representation. Refer to the documentation for more details.
Remove spurious assert when comparing function pointer to NULL (fixes #940)

Plugin WP

New Features

[TIP] New tactic: Induction
[TIP] New tactic: Sequence unrolling
[WP] Removed option -wp-bits (now always enabled)
[WP] Improved -wp-unfold-assigns <depth> Now recursively applies to all compounds
[WP] New internal WP engine, fixing many issues related to control flow graph and local variable scoping. Support for stmt contracts has been removed. Support for looping gotos has been removed. Altough unsound, the legacy engine is still accessible via -wp-legacy option.
[WP] Section « Limitation & Roadmap » added to the WP manual.

Bug Fix

[WP] Fixes opaque structures handling

Titanium Release [22.0]

Frama-C General

[ACSL] Allows for axiomatic blocks-like extensions
[Dev] Support for OCamlGraph 2.0.0
[Kernel] Support for C11's _Noreturn function specifier
[Kernel] New option -explain, which provides help messages for options used on the command line.
[Kernel] Support for C11's _Thread_local storage specifier
[Kernel] OCaml version greater than or equal to 4.08.1 required.
[Kernel] Add option -print-cpp-commands, to print the preprocessing commands used by Frama-C.
[Kernel] Option -permissive now allows non-existent option names.
[Kernel] New option -autocomplete p1, ..., pn that list the options of plug-ins p1, ..., pn in a format suitable for autocompletion scripts.
[Kernel] Add option -print-config-json, to output Frama-C configuration data in JSON format.
[Logic] Introduce check-only annotations for requires, ensures, loop invariant and lemmas
[Logic] '\from' now accepts '&v' expressions

Plugin Aorai

Ya automata can set auxiliary variables during a transition, and use such variables in subsequent guards.

Plugin E-ACSL

New Features

[E-ACSL] Add support to create GMP rational from GMP integer (#120).
[E-ACSL] Add support of bitwise operators (#33).
[E-ACSL] Add support for logical array comparison (#99).
[E-ACSL] Remove option -e-acsl-check.
[E-ACSL] Remove option -e-acsl-prepare-ast.
[E-ACSL] Deprecate -e-acsl-full-mmodel in favor of -e-acsl-full-mtracking.
[E-ACSL] Support of complete and disjoint behavior (#92 and #27).
[E-ACSL] Add support for the `\separated` predicate. (#31)
[E-ACSL] Support for Variadic generated functions in the AST (#128).
[e-acsl-gcc] Deprecate --full-mmodel in favor of --full-mtracking.

Bug Fixes

[E-ACSL] Fix support of VLA memory tracking (#119).
[E-ACSL] Decrease the number of allocated blocks when one block is freed.
[E-ACSL] Fix translation of trange (incorrect length).
[E-ACSL] Fix unstable order of generated globals (#124).
[E-ACSL] Fix crash that may occur when translating properties that have been proved valid by another plug-in (#106).
[E-ACSL] Fix a soundness bug when translating a range with a logic variable.
[E-ACSL] Fix soundness bug when checking initialization of a chunk of heap memory block.
[runtime] Fix wrong value returned for the stack size in the segment memory model (#126).

Plugin Eva

New Features

Supports the ACSL mathematical operator \abs
New option -eva-alloc-builtin to configure uniformly the behavior of allocation builtins, instead of providing several builtins with different behaviors for malloc/calloc/realloc.
New annotation eva_allocate to configure the behavior of an allocation builtin for a call, overriding the global option.
New builtins for trigonometric functions acos, asin and atan (and their single-precision version acosf, asinf, atanf).
Improved automatic loop unroll (-eva-auto-loop-unroll option) on loops with several exit conditions, conditions using equality operators, temporary variables introduced by the Frama-C normalization or goto statements.
Deprecates legacy options aliases -val-* in favor of option names -eva-*.

Bug Fix

Improved string builtins on wide strings: crash fixed, better performance, misaligned pointers now considered invalid.

Plugin MdR

Update Sarif output to 2.1.0 + prettier URI

Plugin Metrics

Distinguish between undefined but specified functions and functions with neither definition nor specification.

Plugin Slicing

Better handling of invalid command line options.

Plugin Variadic

Don't print generated function name but print original name and a comment with the generated name so that the printed code is compilable.

Plugin WP

[WP] Supports the \initialized ACSL predicate
[WP] New option -wp-cache-print
[WP] Option -wp-cache-env now defaults to false
[WP] Removed debug keys "no-xxx-info" (subsumed by "shell")
[WP] Support for generalized @check ACSL annotations
[WP] Hypotheses: assigned memory locations
[WP] New experimental option: -wp-check-memory-model Insert function contracts for model hypotheses
[WP] New option -wp-interactive-timeout <seconds>
[WP] New option -wp-interactive <mode>
[WP] Added support for Why3 Coq interactive prover
[WP] Added support for Why3 interactive prover (Coq)
[WP] New tactic Bit-Test range
[WP] Hypotheses: out pointers (\result + written pointers)
[WP] New warning "pedantic-assigns". WP needs precise 'assigns ... \from ...' specification about out pointers (\result and assigned pointers) to generate precise proof hypotheses.

Scandium Release [21.1]

Plugin WP

[WP] Fixes Coq region function
[WP] Fixes MemTyped structure loader for wp-rte

Scandium Release [21.0]

Frama-C General

New Features

[ACSL] Make conversion from C ptr to logic array explicit
[Kernel] -constfold now takes into account value of const globals
[Kernel] checks that ghost code does not modify the normal control flow of the non-ghost program
[Kernel] support for ghost else blocks
[Kernel] Add option -cpp-extra-args-per-file
[Kernel] New option -warn-pointer-downcast (activated by default), to warn when a conversion between pointer and integer might provoke a loss of precision.
[Kernel] New option -warn-invalid-pointer (disabled by default) to warn on invalid pointer arithmetics resulting in a pointer that does not point to an object or one past an object.
[Kernel] Report user errors when keys are not bound to a value for command-line options that require pairs of key:value as arguments. Such keys were silently ignored.

Bug Fixes

[Doc] Fixes internal refs in generated pdfs (fixes #2505)
[Kernel] fixes issue that could prevent loading plug-ins on Windows installation
[Kernel] Fixes #818 (term generated for downcast alarms)
[Kernel] Fixes #823 (-load-module/-load-script now accept spaces in filename)
[Kernel] Reject labels at end of blocks.
[Kernel] Accept UCN-encoded unicode char in ACSL (fixes #849)

Developers Only

[ACSL] Add possibility for ACSL extensions to alter the sequence of untyped terms they receive from the parser. Make also possible to customize the short pretty printer of extensions.
[Kernel] Removed FCBuffer, FCMap and FCSet. Use directly OCaml stdlib modules Buffer, Map and Set instead.
[Kernel] Deprecated: - Logic_typing.register_*_extension - Cil_printer.register_*_extension - Cil.register_behavior_extension Use Acsl_extension.register_* instead
[Kernel] Plug-ins specific dirs now use Filepath instead of mere strings.

Frama-C GUI

[Gui] Fix order of globals in the source panel.

Plugin E-ACSL

New Features

[E-ACSL] Improve verdict messages emitted by e_acsl_assert.
[E-ACSL] Call `__e_acsl_memory_init` only if the memory model analysis is running.
[E-ACSL] Call E-ACSL's free functions for globals in a separate function at the end of main.

Bug Fixes

[E-ACSL] Fix bug with compiler built-ins.
[E-ACSL] Fix typing bug in presence of variable-length arrays that may lead to incorrect generated code.
[E-ACSL] Fix '1386' and #91 about the tracking of variables declared inside the body of switches.
[E-ACSL] Fix #105 about misplaced `__e_acsl_delete_block` in presence of gotos to return statements.
[E-ACSL] Fix automatic deactivation of plug-in Variadic when E-ACSL is directly called from Frama-C without using e-acsl-gcc.sh.
[E-ACSL] Fix a soundness bug (#14) when initializing rationals from integers.
[E-ACSL] Fix #13: bug when mixing integers and floats in annotations while -e-acsl-gmp-only is activated.

Plugin Eva

New Features

Subdivisions can now be enabled locally: - through the new option -eva-subdivide-non-linear-function that overrides the global option for the given functions; - via /*@ subdivide N; */ annotations on specific statements.
Adds consistency checks on return and parameters types between a builtin and the replaced C function.
Renamed option -eva-malloc-functions into -eva-alloc-functions. Also contains calloc and realloc by default.
Supports the logic evaluation of quantifiers introducing mathematical variables (integer or real).
New option "-eva-domains <d1>,<d2>,..." to enable several domains at once. The list of available domains is given in the help message of the option.
Slightly better heuristics for the subdivision of evaluations (option -eva-subdivide-non-linear).
Evaluates the logic predicate memchr_off, used in Frama-C libc specifications.
deprecate options -eva-*-domain in favor of -eva-domains
Supports the ACSL extended quantifiers \min and \max.
Emits alarm on pointer downcast when option is on
Emits alarm on invalid pointers when option is on
New experimental builtins for dynamic allocation Frama_C_*alloc_imprecise: faster convergence, but very imprecise.
New option -eva-domains-function to enable domains only on given functions. Argument <d:f> enables the domain [d] on function [f], while <d:f+> also enables it on all functions called from [f]. <d:f-> disables [d] from function [f].
Fixes the Memexec cache on functions with logical annotations about variables unused in the C body of the function.

Bug Fix

Fixes the evaluation of logic predicates involving empty sets.

Developers Only

Simplifies abstract domain signature by removing the Transfer functor.

Plugin Instantiate

New plug-in Instantiate, to create function specializations for specific plug-ins and functions (e.g. malloc, memcpy, memset), to overcome limitations due to their specifications.

Plugin RTE

Emits alarm on invalid pointers when option is on
Emits alarm on pointer downcast when option is on

Plugin WP

[TIP] Extends bitwise tactics to dis-equalities
[TIP] Refactor structure of session directory (remove models)
[TIP] Specification of JSON script format
[TIP] Create session directory only on demand
[WP] Additional lemmas about logical shift compositions
[WP] Additional lemma about remainder (mod)
[WP] Limit the number of splits (see -wp-max-split)
[WP] Emit a warning when no goal is generated
[WP] Checks for inconsistent requires (-wp-smoke-tests)
[WP] Added option -wp-run-all-provers
[WP] Fix drivers in different projects
[WP] Control splitting with -wp-max-split <n>
[WP] Extended frame conditions with global C-types
[WP] Extended frame conditions to pointers inside compound
[WP] Move frame conditions to Type section for better filtering
[WP] Update scripts with FRAMAC_WP_SCRIPT=update and -wp-prover script
[WP] Specify cache mode with FRAMAC_WP_CACHE=<mode> (-wp-cache-env)
[WP] Fixes handling of LoopCurrent in loop invariants
[WP] Why3 prover full-names use ':' instead of ','
[WP] Why3 prover version fallback
[WP] Fixed scope problem on block outgoing edge
[WP] Added support for invalid-pointer predicate
[WP] Added smoke tests for dead loop (-wp-smoke-dead-loop)
[WP] Added smoke tests for dead code (-wp-smoke-dead-code)
[WP] Added smoke tests for dead call (-wp-smoke-dead-call)
[WP] Removed option -wp-check
[WP] Full support for Why3 IEEE float library

Calcium Release [20.0]

Frama-C General

New Features

[ACSL] Support for ghost parameters
[Kernel] Improve placeholders handling in -cpp-command
[Kernel] OCaml version greater than or equal to 4.05.0 required.
[Kernel] Add -keep-unused-types normalization option
[Kernel] Supports macro INFINITY and NAN.
[Kernel] More stringent verifications on the use of ghost variable in non ghost-code. Fixes #2421
[Libc] Remove obsolete (and forcing cpp error) builtins.h

Bug Fixes

[Kernel] fixes dangling ref when removing unused static local
[Kernel] Fixed sequence of -removed-projects and -then options.
[Kernel] Fixes a rare but critical bug which occured when Frama-C internally switched the current project in presence of >2 projects and destroyed the old current project at about the same time: the Frama-C internal state became inconsistent and lead to unsound computations and crashes. It may be revealed to the end-user when using a long sequence of -then-replace (at least 3 of them).
[Kernel] Fixes Hptmap on keys with id greater than 2^28.
[Makefile] Fixes #2378 - bytecode only compilation (patch contributed by madroach) and use -thread where needed.

Developers Only

[Kernel] removes AST constructors TCoerce, TCoerceE, PLCoercion, PLCoercionE, Psubtype and PLsubtype
[Kernel] Types in Properties are now records and not tuples
[Kernel] Functions over visitor's behaviors have been moved from Cil into a new module Visitor_behavior. Apply the migration script potassium2calcium.sh to update your plug-ins automatically.
[Ptests] Add new MODULE directive for compiling and loading an auxiliary OCaml module for a test

Plugin Config

ocp-indent 1.7.0 is now used for indentation

Plugin E-ACSL

[E-ACSL] Support of rational numbers and operations.
[E-ACSL] Deactivate the unsound support of real numbers (that are not rationals). They were previously unsoundly converted to floating point numbers.

Plugin Eva

New Features

Supports ACSL floating-point comparison operators eq_float, le_float, eq_double, le_double, etc.
Evaluates ACSL predicates \is_plus_infinity and \is_minus_infinity.
New octagon domain inferring relations of the form l ≤ ±X±Y ≤ e between pairs of integer variables X and Y. Enabled with option -eva-octagon-domain. Only infers relations between pairs of scalar variables occuring in a same instruction. Intra-procedural by default; octagons can be propagated through function calls with option -eva-octagon-through-calls.
New option -eva-auto-loop-unroll N to unroll all loops whose number of iterations can be easily bounded by <N>.
In the summary, fixes the total number of functions (and thus the computed analysis coverage).
In the summary, fixes the number of alarms by category when the RTE plugin is used, and do not count logical properties in dead code as proven.

Bug Fix

Fixes the reduction by the negation of \initialized and \dangling predicates on imprecise lvalues.

Developers Only

Dynamic registration of abstract values and domains: developers of new domains no longer need to modify Eva's engine.

Plugin MdR

New plug-in Markdown-Report (MdR) for markdown and SARIF outputs

Plugin Sparecode

Removed from Db. Use proper Sparecode API instead.

Plugin WP

New Features

[GUI] Updated panel for provers, models, cache, etc.
[Qed] Transform (some) boolean quantifications into variable assignments
[TIP] Using all selected Why-3 provers for proof search
[WP] Improving Cint simplifier and quantifier introduction
[WP] Use native Why3 API (now requires why3 at compile time)
[WP] Default -wp-prover <p> changed to <why3:p> (including default alt-ergo)
[WP] Default -wp-init-const changed to true
[WP] Default -wp-extensional changed to true
[WP] Removed -wp-depth
[WP] Removed -wp-why-lib
[WP] Removed -wp-why3
[WP] Removed -wp-include
[WP] Renamed -wp-init-alias into -wp-alias-init
[WP] Renamed -wp-why-opt into -wp-why3-opt
[WP] Deprecated & Renamed -wp-hints into -wp-coq-hints
[WP] Deprecated & Renamed -wp-tryhints into -wp-coq-tryhints
[WP] Deprecated & Renamed -wp-tactic into -wp-coq-tactic
[WP] Deprecated & Renamed -wp-update-script into -wp-update-coq-script
[WP] Deprecated & Renamed -wp-script into -wp-coq-script
[WP] Deprecated native alt-ergo & coq output, see -wp-prover option
[WP] New cache mechanism for why3 provers, see -wp-cache option

Developers Only

[Qed] More secure API for quantifier management

Potassium Release [19.0]

Frama-C General

New Features

[ACSL] Clarifies which C variables are in scope under a \at(·,L) (#575)
[ACSL] Add check annotation, similar to assert except that it does not introduce additional hypotheses on the program state
[Kernel] Improved precision of integer abstract bitwise operators.
[Kernel] Add statement attributes (sattr) to the AST. They are not printed by default, use -kernel-msg-key printer:attrs
[Kernel] Add attributes for loop statements to allow distinguishing between for, while and dowhile loops.
[Libc] Ask clang not to warn about unknown FRAMA_C_MODEL attribute when pre-processing frama-c's libc
[Libc] Better specs and removal of half-implemented ifdef that tried to take various POSIX versions into account

Bug Fixes

[ACSL] Accept C identifiers that happen to be ACSL keywords in volatile and reads clauses
[Kernel] Fixes #553 - pretty-printing of basic asm template
[Kernel] Fixes AST integrity check wrt volatile accesses
[Kernel] Better detection of invalid goto in presence of VLA (fixes #499)
[Kernel] Avoid crashing on one-letter attributes. Fixes #2432
[Makefile] Do not attempt to install .cmx on bytecode-only architectures. Patch by M. Dogguy backported from Debian package

Developers Only

[Kernel] New functions for retrieving major and minor version
[Kernel] Integer API moving closer to Zarith
[Kernel] When registering extended ACSL annotations, one must now indicate whether they should have a status.

Frama-C GUI

[Gui] Compatibility with lablgtk3 and improved handling of some widgets

Plugin Aorai

Fixes #586: avoid removing the initial state of the automaton

Plugin E-ACSL

New Features

[E-ACSL] Predicates with empty quantifications directly generate \true or \false instead of nested loops.
[E-ACSL] New option -e-acsl-functions to monitor only annotations in a white list of functions.
[E-ACSL] New option -e-acsl-instrument to instrument only a specified set of functions. It may lead to incorrect verdicts.
[E-ACSL] Support for logic functions and predicates without labels.
[runtime] The behavior of __e_acsl_assert now depends on the runtime value of the global variable __e_acsl_sound_verdict: if 0, it means that its verdict is possibly incorrect.

Bug Fixes

[runtime] Fix overlap of TLS with other memory segments for large memory spaces.
[runtime] Fix initialization of the E-ACSL runtime in presence of multiple calls to its initializer (for instance, if the main is a recursive function).

Plugin Eva

New Features

Improved precision on nested loops (by postponing the widening on inner loops according to -eva-widening-period).
Ignore annotations with "no_eva" tag
New warning category for detecting loops without 'unroll' directive
New option -eva-precision to globally configure the analysis from 0 (fast but imprecise) to 11 (accurate but slow). A precision of 5 is often a reasonable trade-off. This meta-option automatically sets up other options that can also be overriden.
Prints an analysis summary at the end, outlining the analysis coverage and the number of errors, warnings and emitted alarms. It can be disabled with the option -eva-msg-key=-summary
Loop unroll annotations now accept non-constant but bounded expressions as the maximum number of unrollings to perform.
New option -eva-partition-history N to delay the join of abstract states for up to N merging points, thus keeping these states separate longer. Useful when a reasoning depends on the path taken to reach a control point, but can increase the analysis time exponentially in N.
The new annotation /*@ split exp; */ enumerates the possible values of an expression and continues the analysis for each of these value separately, until a /*@ merge exp; */ is encountered. It is also possible to maintain this partitioning at all times with the option -eva-partition-value exp.

Bug Fix

Fixes -eva-split-return on uninitialized or escaping function returns when -eva-warn-copy-indeterminate is disabled.

Plugin Inout

Fix performance issue when initializing large arrays.
Fixes operational input on const local initialization

Plugin Obfuscator

Also obfuscate formals in function pointer types. Fixes #2433.
Obfuscate logic types and logic constructors.

Plugin RTE

fixes a crash when visiting variable declarations
RTE has a static API

Plugin WP

[Qed] New simplifications for validity and ranges
[Qed] Extends simplifications for lsl,lsr and div
[TIP] New tacticals for validity and ranges
[TIP] New tactical Congruence (divisions and products)
[TIP] Fix bug that makes the TIP wrongly reuse previous results
[TIP] New Strategies for bitwise and congruence operations
[TIP] Auto-Search mode from the GUI
[TIP] Fix wrong reconciliation of sub-scripts during replay
[TIP] Extend bitwise-eq auto-strategy on hypotheses
[WP] Auto filter properties with name "no_wp:"
[WP] Filter out some variables from separation
[Wp] Fix soundness bug when assigning non-valid ranges
[Wp] Option -wp-unfold-assigns for proving assigns of aggregates field by field
[Wp] Option -wp-print-separation changed into -wp-warn-separation
[Wp] Auto-Search mode, see -wp-auto
[Wp] New floating-point model
[Wp] Now -wp-dynamic is set by default (annotation @calls)
[Wp] Better naming convention, consistent with report-classify
[Wp] Support for @check ACSL annotations
[Wp] Support for Why3 1.* and Coq 8.{7-9}
[Wp] Removed option -wp-bool-range
[Wp] Now requires -warn-invalid-bool
[Wp] Fixes -wp-simplify-is-cint simplifier

Argon Release [18.0]

Frama-C General

New Features

[ACSL] Introduce extensions to global annotations and better characterization of each extension kind. See development guide for more information
[Kernel] New option -remove-inlined to remove function(s) after -inline-calls, add category @inline to refer to all functions with inline attribute (for both options).
[Kernel] Fix compilation on OpenBSD patch contributed by madroach. Fixes #2379
[Kernel] Remove option -const-writable: const globals are unconditionally constants
[Kernel] Introduce Filepath dataype for more consistent normalization of filenames
[Kernel] New options -warn-left-shift-negative (enabled by default) and -warn-right-shift-negative (disabled by default), to control the emission of alarms on shifts on negative integers.
[Kernel] New warning (disabled by default) when multiple side effects are unsequenced (CERT-EXP10-C recommandation). Fixes #492
[Kernel] New option -warn-invalid-bool, to warn when reading trap representations of type _Bool.
[Kernel] More ergonomic command-line options for governing warning categories statuses.
[Kernel] Log.error and Log.failure will eventually make Frama-C exit with a non-zero status. Fixes #552

Bug Fixes

[ACSL] introduce ACSL operators \le_double, \ge_double, ... in addition to \le_float, \ge_float, ... Remove overloading of \le_float that made it accept double as arguments. Fixes #502
[ACSL] Avoid removing cast of void ptr used as argument of function expecting a ptr with known size. Fixes #432
[Kernel] Respect relative order of labels and ACSL annots. Fixes #524
[Kernel] Do not allow compound assignments to const variables Fixes #384
[Kernel] Add attribute to allow writing into const lvals in specific (aka C++ constructors and mutable fields) circumstances. Fixes #2395.
[Kernel] Rejects sizeof of an incomplete type. Fixes #560.
[Kernel] Consider that asm can change content of pointers used as inputs when generating assigns clauses. Fixes #458
[Kernel] Fixes parsing of compound initializers with anonymous fields. Fixes #2384

Developers Only

[Kernel] Remove completely outdated module Dataflow. Deprecated since 3+ years. Use Dataflow2 instead.
[Ptests] Do not keep oracles for empty stderr. Fixes #402

Plugin Constant Propagation

Removing Db API for Constant Propagation plug-in. Calls to !Db.Constant_Propagation should be replaced by calls to Constant_Propagation.Api.

Plugin E-ACSL

New Feature

[E-ACSL] Support for ranges in memory builtins (\valid, \initialized, etc).

Bug Fixes

[E-ACSL] Fix bug #2305 about taking the address of a bitfield.
[E-ACSL] Support for \at on purely logic variables. Fix bug #1762 about out-of-scope variables when using \old.
[E-ACSL] Fix bug #2386 about incorrect typing when performing pointer subtraction.
[E-ACSL] Fix bug #2406 about monitoring of variables with incomplete types.
[E-ACSL] Fix typing bug in quantifications when the guards of the quantifier variable cannot be represented into its type.
[runtime] Fix bug #2405 about memory initialization in presence of GCC constructors.

Plugin Eva

New Features

New propagation strategy that allows unrolling loops even when the slevel has been exceeded. Unroll the N first loop iterations via the global option -eva-min-loop-unrolling N or via specific code annotations /*@ loop unroll N; */. The new strategy may affect analyses even without loop unrolling.
Renamed option -wlevel into -eva-widening-delay. New option -eva-widening-period to control the number of iterations between two widenings.
Improved precision of string builtins for strlen, strchr and memchr.
The variables from the frama-c libc are no longer shown in the initial state print.
When a cvalue builtin is used, other domains use the frama-c libc specification to interpret the call without losing too much information.
Release all builtins, including memset and memcpy, as open-source.
New option -eva-report-red-statuses listing in a csv file the properties invalid for some states of the analysis (as in the "Red Alarms" panel of the GUI).
The debug category "garbled-mix" becomes a warning category. Better track of garbled mix created by specification.
Rename plug-in shortname from 'value' to 'eva'. Eva is now properly named Eva in all logs, in the GUI, and as the emitter of the alarms.
All options of Eva start with -eva. Aliases to previous option names preserve backward compatibility.
Fixes the alarms on subtractions and comparisons of pointers on weak bases (created by allocations in loops).
Supports the ACSL functions \min and \max.
Better reduction of floating-point values cast into integer types when an alarm is emitted.
Reduction of values leading to division by zero alarms, when possible.
Remove option -val-warn-left-shift-negative, and comply with kernel option -warn-[left|right]-shift-negative.
Some fixes and improvements of the equality domain.
Fix the gauges domain on weak bases.
Warn about currently unsupported specifications of some libc functions.
ACSL predicates with a "no_eva" tag are now ignored.
Remove option -obviously-terminates.
New experimental domain "numerors" inferring absolute and relative errors of floating-point computations. Enabled by the option -eva-numerors-domain. Does not handle loops for now.
The memexec cache is now fully compatible with all abstract domains provided by Eva. However, the binding to the Apron domains disable memexec.
Improved performances when the symbolic locations domain and the memexec cache are enabled.
Enable the memexec cache by default. It can be disabled by option -eva-no-memexec.

Bug Fix

Deprecate option -val-warn-builtin-override in favor of warning category builtins:override.

Plugin Metrics

Add option -metrics-used-files, to help identify unnecessary files given in the command line

Plugin RTE

Remove option -rte-precond.
Stop generating spurious \initialized alarms. Fixes #429

Plugin WP

[Qed] Added more simplifications for invertible functions
[Qed] Added builtin simplification on array operations
[TIP] Extends tactical 'Split' to distribution of qualitifiers
[Wp] Added more simplifications on list operations
[Wp] Use functional havoc instead of a predicate in Typed model
[Wp] Option -wp-warn-separation changed into -wp-warn-memory-model Adding memory model hypotheses related to pointer validity
[Wp] Added support for ACSL \offset construct

Chlorine-20180502 Release [17.1]

Frama-C General

[Libc] Fix C++ compatibility for Frama-Clang plug-in

Chlorine-20180501 Release [17.0]

Frama-C General

New Features

[Kernel] Make some typechecking warnings controllable with -kernel-msg-key keys.
[Kernel] Option -warn-not-finite-float renamed into -warn-special-float and extended (accepts non-finite/nan/none).
[Kernel] Alarms Logic_memory_access and Valid_string, that were only emitted by Eva builtins, are removed.
[Kernel] Added option -json-compilation-database to help with preprocessing. Requires yojson during Frama-C compilation.
[Kernel] Better renaming of variables in case of name collision.
[Kernel] introduce warning categories, with various possible behaviors. Refactor management of debug categories
[Kernel] deprecate option -continue-annot-error in favor of warning category annot-error
[Kernel] More possible statuses for warning categories. Fixes #486
[Kernel] Deprecate option -warn-decimal-float in favor of warning category parser:decimal-float
[Kernel] Added option -inline-calls for syntactic inlining
[Logic] Ghost code now supports /@ ... @/ annotations
[Typing] Support for CERT EXP46-C

Bug Fixes

[ACSL] Reinforce rejection of implicit casts from array types to pointer types in the arguments of ACSL built-in constructs related to memory blocks and pointer dereferencing.
[ACSL] Reinforce rejection of void* pointer types in the arguments of ACSL built-in constructs related to memory blocks and pointer dereferencing.
[Kernel] Clean up typechecking environment when dropping side-effects (in sizeof et al.). Fixes #430
[Kernel] Handle anonymous struct/union init. Fixes #376
[Kernel] Avoid crash when re-declaring a function with formals after it has been called without any. Fixes #454
[Typing] Stronger checks w.r.t. implicit conversions in function pointers (must have compatible types) and assignments (modifiable lvalues). Fixes #479

Developers Only

[Kernel] Old Cil.isCharType renamed as Cil.isAnyCharType. New Cil.isCharType is now only true for plain char, neither signed nor unsigned. Derived functions (isCharPtr et al.) also updated
[Kernel] Keep information about syntactic scope of local static variables. Accessed through Globals.Syntactic_search.find_in_scope.
[Kernel] Never or rarely used Log functions have been removed or deprecated
[Kernel] Change Cil.typeHasAttributeDeep into Cil.typeHasAttributeMemoryBlock. Fixes #489
[Lib] New Rich_text module to create message with tags
[Logic] properly reset logic environment in case of typing errors. Fixes #326

Frama-C GUI

[Gui] Added Preferences menu (shortcut: Ctrl+P) to set themes for property bullets and external source editor
[Gui] The preconditions of a function call can now be displayed before the call statement itself (click on status bullets with '+' or '-' to unfold/fold them)

Plugin E-ACSL

New Features

[E-ACSL] New option -e-acsl-validate-format-strings to detect format string errors in printf-like functions.
[E-ACSL] New option -e-acsl-replace-libc-functions to replace a few libc functions by built-ins that efficiently detects when they are incorrectly called.
[E-ACSL] Support for let binding.

Bug Fixes

[E-ACSL] Restore behavior of option -e-acsl-valid broken since Phosphorus (included).
[E-ACSL] Fix 'segmentation fault' of the generated monitor whenever the main has a precondition depending on the memory model.
[E-ACSL] Fix a crash when translating a postcondition that should generate a local variable (bts #2339).
[E-ACSL] Fix incorrect typing in presence of comparison operators (may only be visible when directly analyzing the E-ACSL's generated code with Frama-C without pretty-printing it).
[E-ACSL] Correct support of variable-length array (fix bug #1834).
[e-acsl-gcc] Several files may be given to e-acsl-gcc.sh (as specified).
[runtime] E-ACSL aborted when run on a machine with a low hard limit on the stack size.
[runtime] Function __e_acsl_offset now returns size_t.

Plugin Eva

New Features

New panel "Red alarms" in the GUI that shows all red statuses emitted for some states during the analysis. They are not completely invalid, but should often be investigated first.
Various improvements in the handling of floating-point variables: evaluation of \is_finite, computation of the bits of a floating-point range, etc
In the log, messages on preconditions are now reported with the location of the call site.
New builtins for the single-precision mathematical functions fmodf, cosf, sinf and atan2f.
New option -val-skip-stdlib-specs, set by default. When analyzing the body of a function from Frama-C's standard library, specifications will be skipped.
Eva complies with option -warn-special-float, and propagates or warns on NaN and infinite values accordingly.
Fix a crash when using -val-stop-at-nth-alarm.
Evaluate the preconditions of the functions for which a builtin is used; builtins do not emit alarms anymore.
The Simple_memory functor lets builtins interpret C functions from the value of arguments to the result value.
New function post_analysis in abstract domains, called at the end of the analysis.
Renamed option -val-malloc-returns-null to -val-alloc-returns-null, which also applies to realloc builtins.
The subdivision of evaluations (through the option -val-subdivide-non-linear) can subdivide the values of several lvalues simultaneously (on expressions such as x*x - 2*x*y + y*y).
Warn about unsupported allocates clauses.
By default, do not emit pointer_comparable alarms for non pointer operations. Always compute {0;1} for non pointer comparisons involving incomparable addresses.
Shifts of addresses now create garbled mixes (as any other arithmetic operation).
Removed *_alloced_return base created for functions without body that return pointers. Such bases were imprecise and could be unsound in corner cases.
When an lvalue lv is assigned or leaves the scope, the equality domain tries to replace lv by an equal term (if any) in the expressions depending on lv (instead of removing them).
Equalities can be propagated through function calls. New options -eva-equality-through-calls[-function] to decide (globally or by function) which ones are kept from the caller.
deprecate option -val-warn-on-alarms in favor of warning category alarm
Fix a soundness bug in the equality domain: do not infer incorrect equalities between incomparable pointers, or between -0. and +0.
Avoid enumeration on values with too many bases — fixes a performance issue.
In the logic, interpret the ACSL function \sign and the constructors \Positive and \Negative.
Fix the initialization of local volatile variables, which can always have any value.
Initialization of volatile pointers now keeps the base addresses of the pointer (with arbitrary offsets).
Interpret the logic constants \pi and \e.
Added scripts and templates to help automate case studies (in $FRAMAC_SHARE/analysis-scripts)

Bug Fixes

Fix bug in the handling of non-explicitly volatile fields inside volatile structs or unions
Fix bugs in builtins for cos and sin. The results may be less precise than previously

Developers Only

Option -all-rounding-modes has been removed
The Fval module now supports NaN and infinite values. Major API changes in Fval, Ival and Cvalue.V (regarding casts, mostly)

Plugin Impact

Removing Db API for Impact plug-in. Calls to !Db.Impact should be replaced by calls to Impact.Register.

Plugin Metrics

When the value coverage is computed, also shows the total number of statements by function in the filetree of the Gui.

Plugin Occurrence

Removing Db API for Occurrence plug-in. Calls to !Db.Occurrence should be replaced by calls to Occurrence.Register.

Plugin RTE

Do not emit spurious 'idx < 0' assert on gcc-style FAM. Fixes #393

Plugin Users

Removing Db API for Users plug-in. Calls to !Db.Users should be replaced by calls to Users.Users_register.

Plugin WP

[Qed] New simplifications for validirt and ranges
[Qed] Extends simplifications for lsl,lsr and div
[Qed] Transforms some quantifications into let constructs
[TIP] New tacticals for validity and ranges
[TIP] New tactical Congruence (divisions and products)
[TIP] Fix bug that makes the TIP wrongly reuse previous results
[TIP] New Strategies for bitwise and congruence operations
[TIP] Auto-Search mode from the GUI
[TIP] Fix wrong reconciliation of sub-scripts during replay
[TIP] Extend bitwise-eq auto-strategy on hypotheses
[WP] Fix soundness bug when assigning non-valid ranges
[WP] Option -wp-unfold-assigns for proving assigns of aggregates field by field
[WP] Option -wp-print-separation changed into -wp-warn-separation
[WP] Auto-Search mode, see -wp-auto
[WP] Upgrade to Why-3 0.88.3
[WP] Upgrade to Coq 8.7.1
[WP] Upgrade to Alt-Ergo 2.0.0
[WP] Filter out some variables from separation
[WP] Allow backtracking when using strategies (-wp-auto-backtrack)
[WP] Better handling of \null and (void *)0L
[WP] Experimental support for _Bool range (-wp-bool-range)
[WP] Add the missing ACSL math builtins (see manual)

Sulfur-20171101 Release [16.0]

Frama-C General

New Features

[ACSL] Explicitely disallow /* and */ in ACSL annotations. Allows to re-use logic parser for parsing annotations in external files that can use /* ... */ as comments. As a consequence, expressions like y/*p are thus rejected, but this was already the case when -pp-annot is activated (default for .c files) and can be fixed easily in y / *p (as it is pretty-printed)
[Kernel] qualifiers are dropped from the return type of functions, as they make no real sense
[Kernel] Added option -print-return to inline gotos to return
[Kernel] Composite types are now required to have equal tags as per the C standard; no more support for isomorphic structs.
[Kernel] Fix invalid eids on code generated through loop unrolling

Bug Fixes

[Kernel] stop removing const attribute on local variables. Fixes #301
[Kernel] Parser now handle mixed concatenation of string and wstring. Fixes #1467
[Kernel] Fix unmarshalling of save files that contain more than 4Gb of uncompressed data. Patch from TIS-interpreter.
[Kernel] Strip bitfield attribute when performing integral promotions on bitfields of size short or char. Fixes incorrect attributes on the resulting expression.
[Kernel] Fix various typos in source code and user messages. Patch by Debian. Fixes #2323
[Kernel] Fixes configure script on bytecode only architecture. Initial version of the patch by Debian. Fixes #2325
[Kernel] More thorough checks on l-values with function type. Non-sensical expressions are now rejected at parsing type.

Developers Only

[ACSL] Refactor handling of logic labels in AST
[Kernel] Completely separate types between Cil_types and Logic_ptree, removing needless polymorphism
[Kernel] Remove needless repetition of declared logic labels in Tapp and Papp nodes. Fixes #274
[Kernel] sizeof() and alignof() applied to a function can now be rejected when the compiler does not support this construct, depending on the fields sizeof_fun and alignof_fun of the machdep
[Makefile] add gui-byte target to only build bytecode GUI

Frama-C GUI

[Gui] In the filetree, the filter menu appears on a right click on the header, while a left click sorts the tree.

Plugin Callgraph

Option -cg-init-roots replaced by -cg-service-roots (almost equivalent); new options -cg-function-pointers (ignore function pointers; unsound) and -cg-roots (compute subgraphs).

Plugin E-ACSL

New Features

[E-ACSL] New detection of temporal errors in E-ACSL through -e-acsl-temporal-validity (disabled by default).
[e-acsl-gcc] Add --stack-size and --heap-size options to e-acsl-gcc.sh allowing to change the default sizes of the respective shadow spaces.
[e-acsl-gcc] Add --keep-going option to e-acsl.gcc.sh allowing a program to continue execution after an assertion failure.
[e-acsl-gcc] Add --rt-verbose option to e-acsl.gcc.sh.
[e-acsl-gcc] Add --weak-validity option to e-acsl.gcc.sh.
[e-acsl-gcc] Add --temporal option to e-acsl.gcc.sh.
[e-acsl-gcc] Add --fail-with-code option to e-acsl.gcc.sh.
[e-acsl-gcc] Add --free-valid-address option to e-acsl.gcc.sh.

Bug Fix

[E-ACSL] Fix bug #2303 about unnamed formals in annotated functions.

Plugin Eva

New Features

More precise evaluation of \initialized and \dangling predicates.
New directive Frama_C_domain_show_each prints the internal properties about the arguments inferred by each available domain whose log category is enabled.
Frama_C_dump_each prints the state of each available domain whose log category is enabled.
Removes all effects of the special functions Frama_C_[dump|show]_each on the analyses: no alarms are emitted and the states are never reduced on these calls.
The subdivision of the evaluation of non-linear expressions (through the -val-subdivide-non-linear option) also applies to the new evaluations requested by the equality domain.
New sign domain for demonstration purposes only.
Better handling of function alloca(), via builtin Frama_C_alloca.
In the GUI, the "Values" panel displays the values computed by using the properties inferred by all enabled domains.
Emits overflow alarms on unsigned left shift when -warn-unsigned-overflow is enabled.
Fixed memory leak with option -val-subdivide-non-linear
Fix soundness (resp. precision) bug on big-endian (resp. little-endian) architectures. This bug triggered on low-level code, typically when using bitfields
Various precision improvements in the interpretation of the behaviors of a specification.
The backward propagation tries to reduce integer values by considering separately the bounds of their intervals.
Uses assigns clauses to over-approximate the effects of assembly statements. Warns if no assigns clause is provided.

Bug Fixes

Fix soundness bug in string builtins where some invalid offsets did not generate alarms.
Fix missing alarms when downcasting pointer values.
Fix a crash when downcasting pointer values with the option -val-warn-signed-converted-downcast enabled.
The cvalue states saved after each statement are now properly deleted when an Eva parameter is changed in the GUI.
Fix performance issue with the equality domain.
Fixes a soundness bug where a loop invariant could be wrongly proved correct in some marginal cases.
Fixes an optimization issue where the reduction by a loop invariant just after widenings could impede the convergence.
Fixes a performance issue in offsetmaps, that occured when reading or copying values smaller than cells in large arrays.
Fix bug in the handling of non-explicitly volatile fields inside volatile structs or unions
Fix bugs when evaluating \ìnitialized, \dangling and \separated on addresses of bitfields

Developers Only

Abstract domains have to provide a log category and a function show_expr that prints the internal properties inferred about an expression.
The argument ~with_alarms for functions of Db.Value is now optional, and will be removed in a later version.
New functor in domains/simple_memory.ml to build a complete domain from a value abstraction. The abstract states link each scalar variable of a program to an abstract value.
In abstract domains, compute_using_specification is replaced by logic_assign, that interprets one \assigns clause. Complete specification are now interpreted through successive calls to evaluate_predicate, reduce_by_predicate and logic_assign.

Plugin Metrics

In the Gui, shows the percentage and the number of dead statements (when computed) for each function of the filetree.

Plugin Report

Removing Db API for Report plug-in. Calls to !Db.Report.print should be replaced by calls to Report.Register.print.

Plugin RTE

add option -rte-initialized to generate assertions over read accesses to potentially uninitialized locations.
Fix bounds of alarms emitted when downcasting to bitfields (issue '2314')
Emits overflow alarms on unsigned left shift when -warn-unsigned-overflow is enabled.
add -warn-not-finite-float for checking that infinite and NaN floats are not produced.

Plugin Scope

Removing Db API for Scope plug-in. Calls to !Db.Scope should be replaced by calls to Scope.

Plugin Slicing

Fix invalid eids on code generated through option -slicing-level >= 2
Removing Db API for Slicing plug-in. Calls to !Db.Slicing should be replaced by calls to Slicing.Api.
Removing deprecated '-slice-option' and related !Db.Slicing.Projet.print_exported_project. Minor changes into !Db.Slicing.Projet.extract.

Plugin Sparecode

Rename option -rm-unused-globals to -sparecode-rm-unused-globals.

Plugin WP

New Features

[TIP] New tactical Rewrite (two apply equalities)
[TIP] New tactical Bitwised, BitRange and Shift
[TIP] New tactical Ratio (divisions and products)
[TIP] New tactical Overflow (to cope with modulus)
[TIP] Options -wp-time-{extra|margin} for more stability
[WP] More simplifications wrt integer domains
[WP] Reduction of equalities with logic functions
[WP] Option -wp-overflows to add explicit assumptions
[WP] Option -wp-prenex to normalize nested binders
[WP] New simplification for ground terms (-wp-ground)
[WP] New simplification of unused variables (-wp-parasite)
[WP] New simplification logic functions (-wp-reduce)
[WP] Improved model and simplifications of logical shifts
[WP] Support for LoopCurrent and LoopEntry

Bug Fix

[GUI] Fixed bug when running prover from the TIP

Phosphorus-20170501 Release [15.0]

Frama-C General

New Features

[Kernel] Stricter verification for extern, static and inline specifiers (support for CERT DCL-36-C coding rule)
[Kernel] New option -no-autoload-plugins (equivalent to old -no-dynlink); mostly for internal use.
[Kernel] New option -print-machdep (help group).
[Kernel] Bash completion for Frama-C options. See #154.
[Kernel] New option -print-libc, to expand include directives for files in the Frama-C stdlib (no longer expanded by default).
[Kernel] Zarith library is now required
[Kernel] Better handling of VLA (use explicit function calls to mark deallocation of VLA at appropriate program points)
[Kernel] Explicit AST nodes to mark local variables initialization.
[Kernel] Dynlink is now mandatory, no degraded static mode.

Bug Fixes

[Cil] Pointer subtractions with arguments of incompatible types are now refused. The resulting expression is typed as ptrdiff_t instead of int.
[Kernel] Fixed some issues with #pragma pack() behavior, in both GCC and MSVC machdeps. Also fixed some related issues with __aligned__ and __packed__ attributes (including bts #2249).
[Kernel] Fixes oneret normalization in presence of statement contract and absence of return. See #255 and #2235.
[Kernel] Fix crash when loading a saved file without a plug-in which has previously emitted a status with a tuning parameter.

Developers Only

[Kernel] Utility API for checking volatile attribute in Cil.

Frama-C GUI

[Gui] Signature change for constructor Pretty_source.PVDecl

Plugin Callgraph

Fixes inverted callers/callee in indirect calls

Plugin E-ACSL

New Features

[e-acsl-gcc] Remove precond rte option from e-acsl-gss.sh.
[e-acsl-gcc] Add --check option to e-acsl-gcc.sh which allows to check the integrity of the generated AST before instrumentation.
[e-acsl-gcc] Remove --print|-p option from e-acsl-gcc.sh
[runtime] The (much more efficient) shadow memory model is now used by default.

Bug Fixes

[E-ACSL] Fix bug with typing of unary and binary operations in a few cases: the generated code might have overflowed.
[E-ACSL] Fix bug #2252 about pointer arithmetic with negative offsets.
[E-ACSL] Fix bug with goto which points to a labeled statement which must be instrumented.
[E-ACSL] Fix crash with casts from non-integral terms to integral types (bts #2284).
[E-ACSL] Correct support of stdin, stdout and stderr in annotations.
[E-ACSL] Fix bts #1740 about incorrect monitoring of memory properties when early exiting a block through goto, break or continue.
[runtime] Fix backtrace when the failed instrumented programs do not require memory model.

Plugin Eva

New Features

New (internal) mechanism to handle C functions' return values. Messages now mention \result<foo> for the value returned by 'foo'.
Option -val-show-progress is now unset by default
Activate option -remove-redundant-alarms by default.
New option -val-builtins-list
Renamed dynamic allocation builtins for improved consistency. In particular, Frama_C_alloc_size becomes Frama_C_malloc_fresh.

Bug Fixes

Unsound support for recursion, through option -val-ignore-recursive-calls. The support of recursion through the use of 'assigns' clauses, previously available in Value, was unsound and has been removed
Fix bug #2277. The initial state of the analysis now depends on all relevant options, including kernel options -warn-...
Fixes a crash with the -val-subdivide-non-linear option, on subdivisions of evaluations involving pointer values.
Fixes a crash when backward-propagating an imprecise value on a 32-bits floating point addition. A non-single precision value was erroneously returned.
Perform widening in the symbolic locations domain.
Fix widening in the gauges domain, in particular with nested loops and pointers that change base address through iterations

Developers Only

Functions Db.Value.fun_set_args and Db.Value.globals_set_initial_state are now compatible with Eva.
Incompatible API changes in module Cvalue.Model. Functions named 'unspecified' have been renamed into 'indeterminate', and some arguments have been removed.

Plugin Inout

Option -inout-callwise is now always active, and will be removed in a later version
Prevent formal variables of functions with only a specification from leaking into results

Plugin Metrics

Programmatic API for some functions via Metrics.mli.

Plugin Obfuscator

Fix typo in help message (bts #2269).

Plugin Rte

Remove option -rte-all.

Plugin Scope

Fix bug in the functions of Db.Scope in presence of alarms refering to volatile memory locations, or to variables that leave scope. Also impacts Eva option -remove-redundant-alarms

Plugin Value

Support for the legacy value analysis has been abandoned, Eva is now always active. Option -no-eva has been removed.
Widen hints directives @widen_hints now accept arbitrary l-values (evaluated at analysis time) in place of variables.

Plugin Variadic

Change of command line argument names for the plugin Variadic. The new names are more expressive and avoid confusions with the plugin Value. Use -variadic-translation or -variadic-no-translation instead of -va or -no-va.
The plugin is now enabled by default. Use the option -variadic-no-translation to keep the original behaviour. The specification generated for the fprintf function family is now more accurate.

Plugin WP

New Features

[GUI] Interactive Proof Engine
[GUI] Pretty-print of memory side effects
[Qed] Improved simplifiers
[Qed] Mutualized type inference in Term
[Qed] Negation of forall-exists qualitifers
[Qed] Add E_fun constructor for neutral and absorbent
[Qed] Transforms some quantifications into let constructs
[WP] Fix volatile access (see -wp-no-volatile)
[WP] Warn against access to volatile l-values
[WP] Simplification of ACSL sequences
[WP] Improved Sequent API (Conditions)
[WP] Fixed bug #2246 (unsound switch)
[WP] Improved sequent simplifier
[WP] Deprecated Dynamic API
[WP] Extensible Proof Engine
[WP] Generated HTML API (make wp-doc-api)
[WP] Improved filtering (prevents loss of init clauses)
[WP] Improved comparison of logic compounds
[WP] Fix bug on negative 0x float constants
[WP] Trivial simplification for truncate
[WP] Remove support for generalized invariants (-wp-invariants)
[WP] Extract inductive predicates as Inductive in Coq

Developers Only

[Ergo] Update qualif tests to Alt-Ergo 1.30

Silicon-20161101 Release [14.0]

Frama-C General

New Features

[Cil] Conversions between a bit-field lvalue and the (integral) type of the bitfield are now always made explicit through casts; the attribute FRAMA_C_BITFIELD_SIZE is present on the type of the cast if needed.
[Kernel] OCaml version greater than or equal to 4.02.3 required.
[Kernel] OCamlGraph is no longer packaged within Frama-C, and must be installed to build Frama-C from source
[Kernel] Deprecated Pretty_utils.sfprintf, use Format.asprintf instead.
[Kernel] Support for C11 redefinition of typedefs
[Kernel] Fix bug that may occur when modifying several times command line-options taking functions as argument (issue #109)
[Kernel] Fix major bug in the backward dataflow of module Dataflows
[Libc] Implementations of some functions of the standard library are now available in share/libc/*.c
[Libc] New file share/libc/string.c, with simple implementations for C99 functions defined in string.h. Duplicate implementations were removed from share/libc.c.
[Libc] Functions in share/libc.c have been inlined into the proper .c files under share/libc
[Logic] Refactoring of ACSL extensions + allow extensions in loop annotations

Bug Fixes

[Kernel] Side-effect free instructions such as 'e;' are now translated as 'tmp = e;' instead of 'if (e) {}' (which was incorrect when e did not have a scalar type)
[Kernel] Scripts that use Gtk can again be loaded using option -load-script (bug report: http://stackoverflow.com/questions/38677256/)
[Kernel] Fix bug #2239 about unsoundness of callgraph's services computation (bug introduced in Frama-C Magnesium).
[Kernel] Fix bug when pretty printing an ACSL term "divisor / *p" (bts #2250).
[Makefile] Fix compilation of plug-ins which depends on another plug-ins when compiled outside Frama-C.

Developers Only

[Kernel] Functions Integer.pgcd and Integer.ppcm are now guaranteed to return a positive result.
[Kernel] Fixes merging of contract when using Annotations.add_code_annot
[Kernel] Remove class Filecheck.check from API. Use Filecheck.check_ast that provides the correct encapsulation.
[Kernel] Suppress return_stmt field of kernel_function type. Use Kernel_function.find_return instead.
[Kernel] Rename some types of the logic AST for more coherence
[Makefile] Warnings and warn-error are activated only if a file .for_devel is present along side the Makefile (also for plugins)

Frama-C GUI

[Gui] Different filters for user assertions and RTEs are now available.

Plugin Eva

New Features

Support for options -warn-signed-downcast and -warn-unsigned-downcast.
Improvements to option -val-subdivide-non-linear on expressions such as x*x+y*y, or t[i*i].
Improvements to option -val-subdivide-non-linear for high number of subdivisions
Various improvements to experimental Apron domain
More systematic backward-propagation between actual parameters and formals
New experimental Gauges domain, that relates integer variable to loop counters.

Bug Fixes

Setting option -val-warn-copy-indeterminate now forces lvalue copies to perform a full evaluation. This includes converting the copied value to the proper type, and emitting alarms if it is indeterminate. This option should not be set for memcpy-like functions, or for functions that copy bits of pointers
fix performance bug in the equality domain, especially visible on programs with many local variables.
Fix bug in equality domain, after assignements lv = e where the modified locations intersect those involved in computing lv
Prevent incorrect reductions on memory locations with volatile qualifier
Fix bug in the bitwise domain, on some applications of the & and | operators
Fix soundness bug on statements with RTE or programmatically-added user assertions (bts #2258). This leads to minor changes in the way states are propagated when all slevel has been consumed. Also, consolidated states now return the abstraction before any reduction by assertions or alarms.

Plugin From

Removed options -experimental-path-deps and -experimental-mem-deps.

Plugin Nonterm

overall increase in precision, especially on compound statements (if, switch, loops...). Verbosity has been decreased
New options -nonterm-ignore f1,..,fn (to ignore calls to functions f1,..,fn) and -nonterm-dead-code (to warn about syntactically dead code)

Plugin Rte

New option -rte-pointer-call, to generate annotations for calls through function pointers

Plugin Scope

Fix bug that might lead to unsoundness and / or looping in 'Datascope' functionality (#235)

Plugin Value

New Features

Builtins are now available for malloc: Frama_C_alloc_size (one new base each time, may diverge) and Frama_C_alloc_by_stack (one base by stack, may end up performing weak updates).
New message key final-states, that can be used to deactivate the printing of the abstract states at the end of each function
New option -val-warn-on-alarms, which governs whether alarms are printed as warnings or text.
New message key 'garbled-mix', to track garbled mix generated during the analysis
Several warnings emitted by Value are now properly prefixed by [value] instead of [kernel]
API changes in modules Lmap and Cvalue.Model. All occurrences of `Map in returned value should be replaced by `Value
Pointers to functions with an incompatible type are now handled in a more stringent manner. Previously, arguments with incompatibles types but equal size were reported with an orange status. Now, any mismatch (e.g. int/float or signed/unsigned) causes a red alarm.
New option -val-flamegraph, to dump information about analysis times as a Flamegraph
Option -val-show-time has been removed. Options -val-show-perf or -val-flamegraph offer more information
Do not compute the sizeof of a function when evaluating a function call through a pointer. This avoids some warnings in MSVC mode.
valid_string and valid_read_string predicates are now evaluated by Value
New builtins for string-related functions: Frama_C_strlen, Frama_C_strchr, Frama_C_strnlen, Frama_C_memchr and Frama_C_rawmemchr
Extended support for syntactic widening hints (@widen_hints - see the Value user manual for more details)
Option -val-warn-copy-indeterminate is now set by default. See command-line help if you want to deactivate it.
New (experimental) option -val-builtins-auto, to automatically replace known C functions by builtins. Will be set by default in Phosphorus.

Bug Fixes

Fix crash when extracting bits of a long double value. (Issue 92 on TIS-interpreter, reported by ch3root.).
Option -val-show-initial-state has been removed. Instead, -value-msg-key=-initial-state can be used
Garbled mix created when analyzing assigns / from clauses are now tagged as having "Library function" origin
Option -val-show-perf now properly takes into account the time taken by the main function itself (without its callees)
Frama_C_cos and Frama_C_sin builtins are now precise by default. The former Frama_C_cos / Frama_Csin_precise have been removed

Plugin WP

[WP] Fix -wp-rte with respect to models and kernel options
[WP] Use cint and cfloat models by default
[WP] Use kernel options -warn-xxx in cint model
[WP] Simplification of arithmetics models
[WP] Unified variable usage for all models

Silicon-20161101 Release [0.8]

Plugin E-ACSL

New Features

[E-ACSL] Re-implementation of the type system which improves the efficiency of the generated code over integers.
[E-ACSL] New option -e-acsl-builtins which allows to declare pure C functions which can be used in logic function application.

Bug Fixes

[configure] Added --enable-optimized-rtl option to configure
[E-ACSL] Fix bug #1395 about recursive functions.
[E-ACSL] Fix bug #2191 about complicate structs and literate string.
[E-ACSL] Add monitoring support for aligned memory allocation via posix_memalign and aligned alloc functions.
[E-ACSL] Enable reporting of stack traces during assertion failures in instrumented programs.
[e-acsl-gcc] Add an e-acsl-gcc.sh option (--rte|-a) allowing to annotate the source program with memory-safety assertions prior to instrumentation.
[e-acsl-gcc] Add an e-acsl-gcc.sh option (--print--models) allowing to print the names of the supported memory models.
[e-acsl-gcc] Removed --production|-P, --no-stdlib|-N and --debug-log|-D options of e-acsl-gcc.sh.
[e-acsl-gcc] Added --rt-debug feature to e-acsl-gcc.sh. --enable-optimized-rtl configure option removed
[e-acsl-gcc] Added --rte-select feature to e-acsl-gcc.sh.
[Makefile] Fix 'make clean' in tests.
[Makefile] Fix 'make install' when executed within Frama-C.
[runtime] Fix several bugs related to incorrect partial initialization of tracked memory blocks in the E-ACSL memory model library.
[runtime] Improve performance of Patricia Trie memory model.
[runtime] Add custom implementation of malloc for use with E-ACSL runtime library (via jemalloc library).
[runtime] Add local version of GMP library customized for use with E-ACSL runtime library.

Aluminium-20160502 Release [13.0]

Frama-C General

New Features

[ACSL] Add notation '{ x, y, z }' for defining sets.
[ACSL] Add built-in operators for lists.
[ACSL] New predicate \valid_function, requiring the compatibility between the type of the pointer and the function being pointed.
[Cil] Typing within comparisons is now more strict, or made more explicit through casts.
[Cil] Double pointer casts on the NULL pointer are now simplified.
[Cil] Add support for parsing digraphs.
[Cil] Incorrect return statements (return void on non-void functions and vice-versa) now generate errors instead of warnings.
[Cil] Better handling of C99 flexible array members (FAMs). Static initialization of FAMs (a GCC extension) is no longer supported.
[Cil] Changes in the handling of incomplete structs and zero-length arrays. Initialization of incomplete (completely undefined) structs is now duly rejected. Several compiler extensions to the C99 standard (empty initializers, zero-length arrays, etc.) now require a GCC or MSVC machdep (e.g. -machdep gcc_x86_32).
[Cil] Operator ! applied to constant expression is no longer simplified when not required.
[Cil] Add proper support for empty aggregate initializers in GCC mode.
[Kernel] New option -set-project-as-default.
[Kernel] New option -remove-projects.
[Kernel] New options -then-last and -then-replace.
[Kernel] The untyped AST is no longer removed by basic program transformations such as loop unrolling.
[Kernel] Option -warn-undeclared-callee changed to -implicit-function-declaration, which receives an argument (ignore, warn or error) specifying what to do when an undeclared function is called.
[Kernel] Option -collect-messages is obsolete and will be removed in a future version; messages are now always collected.
[Kernel] Automatic generation of assigns from GCC's extended asm.
[Kernel] Registering twice the same machdep is now accepted.
[Kernel] New option -<plugin>-log to copy the output of plug-ins into one or several text files (described in the User Manual).
[Makefile] Target 'make rebuild' has been renamed into 'make clean-rebuild'.

Bug Fixes

[ACSL] Fixes example of logic label use. Fixes bug #2203.
[ACSL] Fixes implicit logic label generation on recursive definitions. Fixes bug #2158.
[ACSL] Fixes precedence uncompliance within ACSL Manual of some bitwise operators and more aggressive checks of consistent relation chains.
[Kernel] Comments are preserved even when loops are unrolled. Fixes issue #2176.
[Kernel] Avoid comment duplications on generated code.
[Kernel] do not crash when loading statuses depending from non existing parameter. Fixes issue #2181.
[Libc] Fix specifications of memchr and strncpy.
[Logic] Meaningless assigns clauses are now rejected more aggressively. Fixes bug #1790.

Developers Only

[Cil] Buggy record Cil.miscState has been removed. Customization must be done directly in Cil_printer.state.
[Kernel] API change for function Alarms.register. See .mli for details.
[Kernel] Removed function State_selection.list_state_union. Use State_selection.of_list or State_selection.list_union instead.
[Kernel] Several incompatible changes in module Property.
[Kernel] Do not raise Invalid_arg and Failure exn but use custom exceptions instead. Prevents warning 52 in OCaml 4.03.0 Functions raising new exceptions are: - Db.From.find_deps_term_no_transitivity_state - Db.Interp.*
[Makefile] Get rid of FRAMAC_MAKE variable. Use FRAMAC_INTERNAL instead for distinguishing internal and external mode.
[Makefile] New option PLUGIN_EXTRA_DIRS for multi-dir plugins.
[Ptests] New EXEC: directive.

Frama-C GUI

[Gui] Refactor GUI Helpers. (Toolbox and (partially) Gtk_helper moved to Wutil,Widget, Wform, Wtext and Wtable).
[Gui] Signature change for function Design.register_source_highlighter; the first argument of the callback has now type Design.reactive_buffer, which can be coerced back to a GSourceView2.source_buffer using method buffer.

Plugin Eva

New Features

More aggressive reductions in complex conditions such as if(a+3 < 10).
Improvements to backward propagation, on memory accsses and bitwise operations.
Experimental domain dedicated to storing and learning information from syntactic equalities (option -eva-equality-domain).
New experimental domain that improves precision on bitwise operations, for example on pointers. Activated by option -eva-bitwise-domain.

Bug Fix

Fixed some bugs related to 0. vs. -0. in conditions.

Plugin From

Option -from-verify-assigns takes into account direct and indirect dependencies.

Plugin LoopAnalysis

New plug-in 'LoopAnalysis' which estimates loop bounds and -slevel-function parameters. Invoked using option -loop.

Plugin Metrics

Fix list of undefined functions; functions that are never called were not reported.
Fix option -metrics-value-cover when option -metrics-libc is not set.
Global variables defined in Frama-C standard library are no longer counted when option -metrics-libc is not set.

Plugin Nonterm

New plug-in 'nonterm' for detection of definite non-termination based on Value.

Plugin RTE

Fix unsoundness for overflows on binary operations when one or two operands were constant.
Fix unsoundness on unary minus expressions when option -rte-trivial-annotations is active.

Plugin Sparecode

Fix crash when an entire function becomes spare. (issue #157).

Plugin Value

New Features

Better precision for calls through function pointers when multiple functions are possible. The abstract state now contains the information of which function was called.
During the evaluation of ACSL 'assert', intermediate statuses (e.g. True, then Unknown, then True) are now reported in the console.
New option -val-warn-undefined-pointer-comparison.
Better propagation strategy for nested loops. Results are usually much more predictable (and often more precise) when the loops are not fully unrolled by slevel.
Widening hints now includes signed and unsigned limits for the bitsize of the value being widened, but does not include arbitrary limits anymore. The convergence is generally faster but results may be more or less precises depending on the case.
Support for \valid_function predicate during evaluation.
Distinguish direct and indirect dependencies in 'from' clauses to compute the effecst of an 'assigns/from' clause. See section 7.2 of the manual.
Messages on ACSL predicates with Unknown/Invalid status are now emitted with a 'warning' severity, consistently with the emission of alarms. 'True' statuses are hidden if option -val-show-progress is unset.
Informative messages about inactive behaviors are now emitted only at verbosity level 2.
Support for evaluation of predicate \valid_read_string on constant strings.

Bug Fixes

The preconditions of functions overridden by builtins no longer receive an 'Unreachable status for calls within dead code: the specification is ignored everywhere. Fixes bug #1956.
Reimplementation of all the upper layers of the plugin. Compatibility with the legacy version is almost complete, save for some text messages and a few functions of the API. Use option -no-eva to switch back to the legacy version. Changelog entries labelled 'Eva' refer to this new version. Entries labelled 'Value' apply to both versions.
Take into account 'volatile' qualifiers on struct typedefs, which were previously ignored. Fixes issue #102.
Evaluation of ACSL ranges takes into account option -safe-arrays. In particular t[..] remains within the bounds of t. Fixes bug #1639.
Fix crashes when analysing a function (without a body) that returns an empty struct, or a pointer to an empty struct. Bugs reported by TrustInSoft.
Fix handling of functions without a body that return a pointer. The pointer was aligned on an incorrect frontier.

Developers Only

Functions filter_le_ge_lt_gt_* have been renamed into backward_comp_*. Evaluation and reduction functions for comparisons now use and return dedicated types, in Abstract_interp.Comp.
Base.base_max_offset has been removed. Part of its functionality is still available via Base.valid_range, whose return type is now more expressive.
API change in functor Lmap.Make.

Plugin Variadic

New plug-in 'Variadic' which translates variadic functions, calls and macros to allow analyses to handle them more easily. Invoked using the -va option.

Aluminium_20160502 Release [1.0]

Plugin WP

[Caveat] Separation Hypotheses with -wp-print-separation
[Coq] Support for Proof General 4.3
[Coq] Fixed bug #2214 (coq realbase)
[WP] New options to set prover commands
[WP] Added support for built-in ACSL lists
[WP] Exported OCaml API via Wp.mli
[WP] Strict parsing of -wp-model (stop on error)
[WP] Removed alias '-wp-log' (use '-wp-msg-key' instead)
[WP] Added support for ACSL let-predicate
[WP] Now follows '-safe-arrays' when refining 'p+(..)'
[WP] Fix behavior on ASM code
[WP] Support for Alt-Ergo 1.01
[WP] Support for Coq 8.5
[WP] Support for Why3 0.86
[WP] Support for why3 0.87 (and ide)

Magnesium-20151002 Release [12.0]

Frama-C General

New Features

[Cil] Function Printer.change_printer now allows composing printers, and is called Printer.update_printer.
[Cil] Fix incorrect simplifications of '!E' to 0 when E is either an enum with value 0 (bug #2090), or an expression whose value wraps.
[Cil] Parsing no longer accepts structures containing incomplete types. Fixes bug #2091.
[Doc] Fixed typo in the manual (Thx Mihaela Sighireanu).
[Kernel] Add new suffix '.ci' for pre-processed files containing ACSL annotations to be pre-processed.
[Kernel] Added -no-tty option to disable terminal capabilities
[Kernel] macro __FRAMAC__ is defined when pre-processing C files in Frama-C.
[Kernel] Removed option -no-dynlink.
[Kernel] New ACSL predicate \valid_read_string in share/libc/__fc_string_axiomatic.h.
[Kernel] Special functions CEA_ have been removed.
[Kernel] New API for backward dataflow propagation in file Dataflows.
[Kernel] Reformulated help messages. Option -help is more concise. Option -version only prints version number. Options -print-xxx uniformized. New options -plugins, -print-config.
[Kernel] Dynamic now rely on Findlib. Small changes in API. Option -load-module can now load any Findlib package and its dependencies as well.
[Kernel] New option -custom-char-annot for changing the character introducing ACSL annotations (instead of '@').
[Kernel] Removed support for OCaml 3.12.1
[Libc] Most .c and .h files under /share have been merged into /share/libc. Inclusions of builtin.h should be replaced by __fc_builtin.h.
[Makefile] Dynamic plug-ins are now declared as Findlib packages. Use variables PLUGIN_REQUIRES and PLUGIN_DEPENDENCIES. Loading a plug-in automatically loads all necessary dependencies. Plugin "MyPlugin" is register under "frama-c-myplugin" package.

Bug Fixes

[Cil] Fix iterators on C99 designated initializers.
[Cil] Disallow all incomplete types for struct fields Fixes bug #1672.
[Cil] Switch statements in which some cases are not constant expressions are now completely disallowed, as per the C standard.
[Cil] Fix parsing of packing directives of the form '#pragma pack(push, N)'.
[Cil] Better typing of '?' operator. Fixes bug #2117.
[Cil] Cil transformation can introduce assertion to ensure that size expressions in an array declarations evaluated at program execution time are positive and do not overflow.
[Cil] Fix bug #1553, related to nested initialisations of structures containing pointers.
[Kernel] Fix clearing of old statuses and hypotheses when a new status is emitted or an annotation is removed.
[Libc] Added ACSL specifications to some standard library functions, including read, write and realloc. Fixes bug #1939.
[Libc] Fix bug in the specifications of readir, opendir, closedir and fopen functions, that would cause incorrect analysis in -lib-entry-mode.
[Libc] Removed obsolete file machine.h (along with other similar files) from the Frama-C share folder. Fixes bug #2171
[Logic] Better overloading resolution. Fixes bug #2098.
[Logic] Correct handling of string and char constant in logic pre-processing. Fixes bug #2101.
[Logic] Fix typing bug when converting into a term an expression containing a pointer subtraction.

Developers Only

[Kernel] Fixed bug #2012 about combining Ast.is_last_decl and Kernel_function.get_global.
[Kernel] Function Integer.two_power now raises an exception for overly big arguments.
[Kernel] AST change: split GVarDecl into GVarDecl and GFunDecl
[Kernel] Remove long-obsoleted functions Cfg.computeCFGInfo Cfg.printCfgFilename, and Cfg.printCfgChannel.
[Kernel] Remove support of plug-ins without .mli. Fixes bug #1825.
[Kernel] Ival.Float_abstract renamed to Fval. Fval.inject_r now may raise Fval.Non_finite instead of the old Float_abstract.Bottom.
[Kernel] Modules Dataflow is deprecated, and will be removed in Aluminium. Module Dataflow2 offers a very similar but simpler API.
[Logic] Functions Db.Properties.Interp.lval and Db.Properties.Interp.expr have been renamed (into term_lval and term, respectively), and have a new signature.
[Ptests] New LOG: directive.

Frama-C GUI

New Features

[Gui] Variables are now left- and right- clickable in the 'information' panel.
[Gui] Internal ids (for statements, code annotations, etc.) are now hidden by default. Start the GUI in debug mode if you want to see them.
[Gui] When a call statement is selected, the statuses of the preconditions of the called functions are displayed in the 'information' panel.

Bug Fix

[Gui] Filenames in the GUI file tree (top-left panel) are now sorted correctly. Fixes bug #2173.

Developers Only

[Gui] Constructor Pretty_source.PTermLval now has an additional argument, the property in which the term appears.
[Gui] Minor API changes regarding Design.reactive_buffer. Some values that used to have an option type are now guaranteed to be present.

Plugin Callgraph

Remove Cil.Callgraph, Db.Syntactic_callgraph and Db.Semantic_callgraph which are all replaced by the single plug-in Callgraph. See Changelog_detailled.md for further detail about this change.
New plug-in callgraph which merges the old Syntactic_callgraph and Semantic_callgraph plug-ins (now removed). Either this plug-in uses Value if already computed, or computes the syntactic callgraph otherwise. This new plug-in unifies the behavior of its two ancestors. In particular, the edges of callgraph computed with the help of Value are now directed in the same way as the syntactic callgraph (was reversed before) and so the computed services are now equivalent. Also, the uncalled functions are now displayed by default. For plug-in developers, the callgraph is easily accessible via an API (bts #755).

Plugin Defs

L-values for which defs are queried are now evaluated only for the callstacks that are currently active, resulting in possibly less locations.

Plugin Impact

Removed function Db.Impact.slice, that was actually unrelated to Impact. You can use the functions contained in Db.Slicing.Select, in particular Db.Slicing.Select.select_stmt, to obtain the same result.

Plugin Inout

The inputs of an instruction whose evaluation always fail include the sub-expressions for which evaluation succeeds.

Plugin Metrics

Fix computation of global cyclomatic complexity. Fixes bug #2089.
New category 'Extern global variables', that can be used to check whether some files are missing.
Functions from Frama-C standard library are now hidden by default.

Plugin Parsing

Black-list gcc's builtin macros for logic pre-processing to avoid warnings for duplication. Fixes bug #2161.

Plugin Report

Reports in csv format now honor option -report-specialized (previously, preconditions at a callsite were always skipped).
New option -report-proven to control the display of proven properties.
New export format (.csv), through option -report-csv.

Plugin Scope

Assertions previously removed by -remove-redundant-alarms are now marked as proven, but remain in the AST.

Plugin Value

New Features

Support for \subset predicate.
Improvements to option -subdivide-float-var, when subdividing may avoid the emission of an alarm.
New option -val-initialization-padding-globals to specify how padding bits should be initialized. Option -initialized-padding-globals is deprecated.
Improved reduction by assertions of the form \initialized(&t[0..N]) when N is above -plevel.
Option -subdivide-float-var has been renamed into -val-subdivide-non-linear, and has now an effect on non-linear integer expressions.
Local variables that are in scope but not yet initialized are now present in the environment.
In synthetic results, for local variables that are not those of the current function, the approximated values encompass only the callstacks for which the variables were in scope in one of the callers.
Faster treatment of imprecise struct copying and left shifts in the logic.
Fix bug in -memexec-all option in presence of instructions where evaluation was guaranteed to fail.
Terms involving l-values that are bit-fields are now correctly handled.
In -lib-entry mode, functions pointers no longer force the generation of dummy functions. Instead, they are initialized to NULL. Fixes bug #2104.
New GUI panel 'Values', that displays nearly all the information previously available under the 'Information' panel.
Added built-ins for mathematical functions: atan2, fmod, pow, expf, logf, log10f, powf, sqrtf, floor, floorf, ceil, ceilf, round, roundf, trunc, truncf.
Improved reduction by predicate \initialized when the left argument is a range of locations.
Functions call using a function pointer are now treated more leniently when too many arguments are supplied. An alarm is emitted, but execution continues with the right number of arguments.
Option -val-split-return-auto now always split between NULL/non-NULL pointers.
The semantics of copying a lvalue has been changed when a type mismatch occurs between the destination and the copied value. A bitwise reinterpretation of the value to the destination type is now performed during the copy.
Do not emit pointer_comparable alarms on valid pointer comparisons involving objects of size 0.
Float operations that are guaranteed to lead to +/-infty (e.g. x = FLT_MAX*10.) now stop propagation. Previous behavior was to continue with an imprecise value for x.
Garbled mix origins now include at most one source location.
All plugins that depend on Value, plus Value itself are now dynamic. Custom plugins must specify in their Makefile the plugins they depend on (e.g. PLUGIN_DEPENDENCIES:=Inout Value).
WIDEN_HINTS directive are now cumulative with automatically inferred bounds. Fixes bug #876.
The alarms raised when evaluating a global initializer that leads to an undefined behavior are now marked with an "Invalid" status.
Assertions containing \at(P, L), where L is a C label, can now be evaluated. Evaluation is done once Value has run; thus, it ignores option -slevel.

Bug Fixes

Fix incorrect initialization of padding bits. Option -initialized-padding was ignored in some cases.
Fix initial state in which some volatile qualifiers for nested types were ignored.
In -lib-entry mode, allow the generation of initial states with 0-sized bitfields.
Pointer comparisons using relational operators (<, >=, etc) between a pointer and NULL is now flagged as undefined.
Check the validity of the operands of the ACSL operators /, %, << and >> when evaluating a predicate.
pointer_comparable alarms are now emitted with arguments properly cast to void* or void (*)().

Developers Only

Removed function Cvalue.V.min_and_max_float. Use Cvalue.V.project_ival and Ival.min_and_max_float.
Remove duplicate values Ival.singleton_zero and Ival.singleton_one. Use script sodium2magnesium.sh for automatic migration.

Magnesium_20151002 Release [0.9]

Plugin WP

New Features

[Caveat] New 'Caveat' memory model.
[Coq] Inductive if-then-else construct.
[Qed] Factorization of core equalities (-wp-core).
[Qed] Automatic introduction of existentials.
[Qed] Aggressive ite-lifting.
[Qed] More aggressive filtering and pruning (-wp-filter).
[Qed] More simplifications on strict inequalities.
[Qed] Fold constant expressions in goals.
[Report] Support for CVC4 reporting.
[Typed] Named shift operators (better triggers).
[WP] Now accept patterns in drivers.
[WP] Support for \subset.
[WP] Options -wp-*-vars to tune memory model detection.
[WP] More lemmas for bitwise operations.
[WP] New integer model '+rg'.
[WP] Simplifications of 'is_cint' with quantifiers.
[WP] Summarize initializers (-wp-init-summarize-array).
[WP] Improved -wp-check mode.
[WP] -wp-simplify-forall of quantifier guards (unsound).
[WP] -wp-simplify-type remove some most type constraints (sound, incomplete).
[WP] Refactoring of compound objects modeling.
[WP] Added solver mean time to console output.
[WP] Quiet output on TTY (see -tty kernel option).
[WP] Handle global constants (-wp-init-const).
[WP] Added support for float-classification. (\is_NaN, \is_finite, \is_infinite, \is_plus_infinity, \is_minus_infinity).

Bug Fixes

[Hoare] Fixed incorrect partial assignments in compound objects.
[WP] Fixed bug #1828 (separation of locals/formals/heap).
[WP] Fixed bug #1785 (fixed pre-condition with Clang).
[WP] Fix bugs with -wp-extern-arrays.
[WP] Fix sharing bug in proof obligation output.
[WP] Improved typing for alt-ergo let-bindings.
[WP] Fixed bug #1683 (duplicate Qed results).
[WP] Fixed bool-prop conversions.
[WP] Fixed bug #2079 (incorrect pointer arithmetics).
[WP] Fixed bug #1683 (multiply reported Qed proofs).
[WP] Fixed bug #2126 (0-shift rewriting).
[WP] Fixed bug #2127 (unsigned inequality).
[WP] Fixed bug #2078 (ill typed PO with void*).
[WP] Fixed bug #2144 (lost \result after explicit assignment).
[WP] Fixed bug #2141 (incorrect simplification of 'x%1').
[WP] Fixed bug #2110 (wrong premisses for structs assigns).
[WP] Fixed bug #2040 (wrong label Here in assumes).
[WP] Fixed bug #2082 (crash with \is_infinite).

Magnesium_20151002 Release [0.6]

Plugin E-ACSL

New Feature

[e-acsl-gcc] Add a convenience script e-acsl-gcc.sh for small runs of the E-ACSL plugin.

Bug Fixes

[E-ACSL] Fix bug #1817 about incorrect initialization of literal strings in global arrays with compound initializers.
[e-acsl-gcc] Add an e-acsl-gcc.sh option allowing to skip compilation of original sources.
[Makefile] Fix installation with custom --prefix.
[runtime] Fix a crash occuring when using a recent libc while GMP headers provided by E-ACSL are used.
[runtime] Fix bug in the memory model that caused the tracked size of heap memory be computed incorrectly.

Sodium-20150201 Release [11.0]

Frama-C General

New Features

[Cil] Values extracted from initializers of const variables are now accepted as arguments of directives pragma loop UNROLL.
[Cil] Frama-C's x86 default machdeps no longer assume that the compiler is GCC. Some typing extensions and builtin are thus deactivated. If you want a GCC-centric analysis, use the gcc-prefixed machdeps.
[Cil] Option -pp-annot should be much faster when parsing files with many ACSL annotations.
[Cil] Default preprocessing command now includes Frama-C's standard library, and when possible sets option '-nostdinc'. See options -frama-c-stdlib and -cpp-gnu-like.
[Kernel] add instructions for downloading the manuals
[Kernel] require ocamlgraph version 1.8.5
[Kernel] Nicer error message in case of code incompatibility when loading a plug-in.
[Kernel] New option -const-readonly (set by default), that asserts that 'const' variables must never be written.
[Kernel] New way to handle command line options which accepts sets of values. Values may be prefixed by '+' or '-' to add/remove them and categories of values prefixed by '@' are available as well (for instance @all).
[Kernel] New option '-then-last', which behaves like '-then-on' on the last project created by a program transformer.
[Kernel] Improve pretty-printing of some loops.
[Kernel] Tests are added to the distrib (make tests).
[Logic] New builtin functions \min and \max of type Set(Integer) -> Int
[Logic] New logic label "Init", that refers to the state just after the initialization of globals.
[Logic] The ACSL predicate '\specified', which has been renamed to '!\dangling_contents' is now supported.
[Logic] The ACSL parser now ignores /*@{ and /*@} comments, to avoid conflicting with Doxygen.

Bug Fixes

[Cil] Fix erroneous integral promotion of type 'char' on architectures where 'char' is unsigned.
[Cil] Variables __FC_MACHDEP_FOO_BAR are now automatically positioned when setting a non-standard machdep and using Frama-C's standard library.
[Configure] fix for autoconf < 2.67 when checking ability of default pre-processor to keep comments
[Configure] use the gcc from the configure for compiling c files
[Kernel] Fix bug #1765 (spelling errors).
[Kernel] allow dynamically loaded module to start with a lower-case letter. Fixes #1276.
[Kernel] -load-module M now works fine if M uses the API of another plug-in (bts #1824).
[Logic] The ACSL parser accepts qualifiers in logic C types.
[Makefile] Do not install ZArith with Frama-C anymore.

Developers Only

[Cil] The ikind for Cil.kinteger64 is now optional.
[Cil] Modifications in some fields of type Cil_types.mach. Function File.new_machdep has a simpler type.
[Cil] The field 'vlogic' of type Cil_types.varinfo has been replaced by the field 'vsource', to avoid confusion with logic variables. The value of the new field is the negation of the previous one.
[Cil] Variables are created with a field 'vgenerated' set to 'false' by default. Only Cil should position this field to 'true'.
[Cil] Field 'vgenerated' of type Cil_types.varinfo has been replaced by the field 'vtemp' to emphasize the fact that it should only be set to true for temp variables generated during elaboration.
[Kernel] A new bunch of functors are available to define command line collections.
[Logic] Annotations.{iter,fold}_all_code_annot are now by default sorted. Use ~sorted:false in case of efficiency issues.
[Makefile] Fixed compilation bug for plug-ins with both a GUI and a non-empty API (bug #1798).

Frama-C GUI

[Gui] Logic l-values inside function specifications can now be selected
[Gui] New option -gui-project to run the GUI in a given project.
[Gui] C expressions can now be selected through the source panel.

Plugin From

New option -from-verify-assigns to give assigns/from clauses of function with bodies a validity status.
Major performance improvements on big analyses.

Plugin Inout

Remove undocumented option -access-path

Plugin Report

New option -report-callsite-preconditions.
More consistent behavior when option -report-untried is not set.
Better reporting of reachability statuses; do not coalesce unproven reachability assertions with other alarms.

Plugin Rte

Very big floating-point constants that are converted to an integer are now reported as overflowing in only one direction

Plugin Semantic Constant

New Features

Folding Floating-point constants can now be propagated.
Folding Generate nicer constants for integers and pointers
Folding New option -scf-project-name.
Folding Reducing the number of introduced casts; feature issue #1697.
Folding Reducing the number of introduced casts; feature #1787.

Bug Fix

Folding Fix crashes and/or multiple declations when a global was referenced in the constant-folded project earlier than in the original one.

Plugin Slicing

Fix issues about slicing calls to the main function and journalization (bug #1684).
Fix crashes about multiple slicing pragma inside a function (bug #1768).

Plugin Value

New Features

Option -val-after-results is now always active by default, and can no longer be unset
Instructions whose execution is guaranteed to fail are now displayed in the GUI
Alarms when converting integers to floating-point are now reported only for the range that overflows
Preconditions of functions that are never called are now also marked as dead at each call-site.
Alarms are now re-evaluated at the end of the analysis. If their truth value is 'Valid' or 'Invalid', this more precise status is used, instead of the previous 'Unknown' one.
Improve precision of &.
File-scope and formal const variables are read-only. Any possibility of writing there is treated as alarm.
Complete rewrite of the modules Int_Intervals and Offsetmap_bitwise; both are now implemented with the same datastructure as Offsetmap. Many performance improvements. Many changes in the API of module Offsetmap_bitwise. Few changes in Int_Intervals, but the englobing module Lattice_Interval_Set has been removed.
When option -val-callstack-results is set, the GUI now displays a callstacks-wide consolidation of the possibles values for expressions and terms. Previously, the potentially less precise summary state was used.
The GUI now showns the value of logic l-values inside function specifications. They are evaluated in the pre-state of the function, before the evaluation of preconditions.
Improved widening on variables that are used to access an array
Improved pretty-printing of variables containing pointers.
Improve conversion of float values that have been written as integers (through low-level memory accesses)
Option -val-split-return can now be used to split between NULL / non-NULL pointers
More systematic emission of message 'operation [...] incurs a loss of precision', signaling an arithmetic operation on a pointer address. This message is now emitted by Value itself.
The arguments of an invalid shift operation are now reduced so that they belong to the proper range.
Message 'extracting bits of a pointer' is no longer emitted, as it was redundant with the warnings about garbled mix.
Better precision when a scalar value is written through a garbled mix.
Reduce arguments of a function according to the possible values of the formal at the end of the call.
Arguments of functions that give rise to an alarm are now reduced when possible.
Indeterminate bits copied when option -val-warn-copy-indeterminate is active now cause a reduction in the source location.
Logic ranges are now evaluated using a dedicated lattice. Results are almost always more precise, and the analysis faster.
Per-callstack results are now always computed. Option -val-callstack-results is deprecated.
Option -slevel-merge-after-loop renamed to -val-slevel-merge-after-loop. Now takes a set of kernel functions as an argument.
Removed message "assigning non-deterministic value from the first time".
Accesses to '*(foo *)p' may now reduce p according to the validity of the access, when useful.
Accesses to locations that contain garbled mix now cause the garbled mix to be reduced to the set of valid locations.
Special functions CEA_ are deprecated. Use Frama_C_show_each or Frama_C_dump_each instead.

Bug Fixes

Dividing an integer value by a memory address requires the address to be comparable to NULL.
Fix evaluation of '/' in the logic, that silently ignored the presence of the value 0 in the divisor.
Text-only alarms that used the '\defined' predicate (to warn about dereferencing pointers to out-of-scope variables) are now emitted with the '\dangling_contents predicate.
When for missing '\from' clause for '\result' when result is used in a postcondition. Fixes bug #1908.
Fix bug when writing precise values at too many locations in packed arrays.
Improved precision for variables that are reduced (but not written) during a call memorized by option -memexec-all

Developers Only

Major API change in directories src/ai and src/memory_state. Functions no longer take ~with_alarms arguments. Instead, they return booleans, that indicate an alarm occurred.
Function Cvalue.Model.find does *not* signal its result is indeterminate anymore. Use function Cvalue.Model.find_unspecified instead.
Multiple low-level functions have been removed from modules Cvalue.V and Cvalue.Model, and are no longer available.
Argument ~conflate_bottom to Cvalue.Model.find is now optional. The documentation has been updated to better explain its meaning.
Some functions of modules Offsetmap, Lmap, Cvalue.V_Offsetmap and Cvalue.Model now require a separate Locations.Location_Bits.t and (integer) size, instead of a Locations.location. This avoids errors when the case was Int_Base.Top.
Functions find_base and find_base_or_default in modules Lmap and Cvalue.Model now return an optional type, to account for invalid bases (that may not be present in the map).
Improve and clarify the return conventions of modules Offsetmap, Lmap, Cvalue.V_Offsetmap and Cvalue.Model, by returning three cases: `Bottom, `Top and `Map. The latter case indicates the operation succeeded precisely'.
API of module Cvalue.V_Or_Uninitialized is now type-safe. Replace all occurrences of 'get_flags v' by 'v'.
Most iterators of module Lmap and Cvalue.Model now accept only the non-bottom and non-top cases.
Value 'empty' is no longer exported in module Offsetmap. The API should prevent any accidental creation.
Garbled mix (constructor Top in modules Location_Bits/Bytes) now explicitly mention the NULL base.
Remove experimental support for periodic bases.

Sodium_20150201 Release [0.8]

Plugin WP

New Features

[Cmd] Added option -wp-filename-truncation to truncate proof obligation filenames.
[Typed] Simplification of assigns and separated.
[WP] Some improvements on bitwise operators.
[WP] Next to the new way the kernel handles command line options, -wp-include +dir has to be replaced by -wp-include ++dir. Forward and backward compatibilities are broken.
[WP] Drivers for min/max.

Bug Fix

[GUI] Fixed bug #1688 (recover results from cmdline).

Sodium_20150201 Release [0.5]

Plugin E-ACSL

New Features

[E-ACSL] Compatibility with new Frama-C Sodium option -frama-c-stdlib.
[E-ACSL] Search .h in the E-ACSL memory model by default (easier to use declarations like __memory_size).
[E-ACSL] Support of \freeable. Thus illegal calls to free (e.g. double free) are detected.

Bug Fixes

[E-ACSL] Add a missing cast when translating an integral type used in a floating point/real context in an annotation.
[E-ACSL] Fix bugs #1636 and #1837 about scoping of literal strings.
[E-ACSL] Fix bug when using fopen.
[E-ACSL] Fix types of \block_length and \offset.

Developers Only

[E-ACSL] Export a minimal API for other plug-ins.

Neon-20140301 Release [10.0]

Frama-C General

New Features

[Configure] New option --disable-local-ocamlgraph to disable the use of the OcamlGraph version provided by Frama-C.
[Journal] By default, the journal is now generated into the Frama-C session directory.
[Kernel] Support parsing and printing "asm goto" from gcc 4.6. Added a component to Cil_types.Asm constructor.
[Kernel] The annotation 'loop pragma UNROLL "done", n;' disables the unrolling of the annoted loop. Option -ulevel-force has to to used for enabling the transformation of such a loop. This pragma is introduced by the unrolling process in order to prevent unrolling on source code obtained by a previous frama-C run.
[Kernel] Better strategy when -save is set and Frama-C crashes (bts #1388).
[Kernel] Renamed argument ~cache of functions cached_fold into ~cache_name. The previous integer is no longer used.
[Kernel] An 'unknown' local status is set on assigns generated from the C prototype of leaf functions
[Kernel] Add -aggressive-merging option to merge two inline functions if they are equal modulo alpha conversion.
[Kernel] Support for static evaluation of the __builtin_compatible_p GCC specific function.
[Kernel] Generate more aggressive assigns clauses for unspecified library functions that arguments with type pointer to void or char
[Kernel] Support for binary literal constants in C and in logic denoted by '0[bB][01]+' (common ISO/C extension).
[Kernel] "-machdep help" now specifies the default machdep (bts #1558).
[Kernel] FRAMAC_PLUGIN may now specify a list of comma-separated directories instead of a single one.
[Kernel] Assigns clauses generated by the kernel for functions with neither a specification nor a body receive an 'Unknown' status.
[Logic] Improve localisation of error messages during logic typing.

Bug Fixes

[Cil] Do not pretty-print while(1) into while(c) when the 'break' branch is not reduced to a single break, or contains an annotation
[Cil] Fixes issue #1589 (do not drop access to volatile lvals in pure expressions).
[Kernel] Fix pretty-printing of comments in ghost code (bts #1378 and #1404).
[Kernel] Fix incorrect dot output of consolidation graph of property statuses.
[Kernel] Fix consolidation algorithm of property statuses which possibly occurs on cycles involving an unproved property (bts #1443).
[Kernel] implicit annotation status is not lost through code transformations anymore. Fixes bug #1442
[Kernel] more informative error message. Fixes bug #1352
[Kernel] Tmp vars created during typecheck all have a description. Fixes bug #1387
[Kernel] designated initializers are correctly pretty-printed. Fixes issue #1457
[Kernel] More clever merge of function contracts. Fixes issue #1455
[Kernel] Fixes binding of formals when linking static prototypes. Fixes issue #1475
[Kernel] Fixes issue #1451 about -unicode which was not taken into account by -load-script.
[Kernel] Reject identifiers in the same namespace and same scope, according to C standard's rules. fixes bug #1330.
[Kernel] Statements with a label attached to them are never erased during elaboration. Fixes #1502.
[Kernel] Correctly distinguish typenames and declared identifiers in declarations. Fixes #1500
[Kernel] Do not generate invalid assigns clauses when some formals are pointers to arrays
[Kernel] Do not consider array variable as read lval in unspecified sequence. It can't be written anyway. Fixes #1519
[Kernel] Do not fail on nested ternary operators whose value is dropped, as in #1503
[Kernel] Fixes loop unrolling having in their body 'switch' with 'continue' stmts.
[Kernel] The parsed value could be wrong and the warning for inexact decimal floating-point constants be wrongly omitted for constants smaller than the smallest subnormal.
[Kernel] Fix bug which may occur when pretty printing range of terms.
[Kernel] Fixed parsing bug with decimal single-precision floating-point literals representing numbers above MAX_FLOAT.
[Kernel] Fix typing of variadic arguments.
[Kernel] Fix -machdep help in presence of other actions (bts #1643).
[Logic] Conversion from C array to pointers do not lose cast on pointed types. Fixes issue #1469
[Logic] Disallow cyclic logic type definitions
[Logic] Accept struct with same name as typedef in specs. Fixes #1518
[Logic] Do not remove labels out of scope of annotations too quickly. Fixes #1536
[Logic] -check checks that C and associated logic variable agree on their type. transfer completion of type up to associated logic var and term when needed. Fixes #1538
[Logic] do not cast an enum value toward its associated integral type when comparing to an enum constant. Fixes #1546
[Logic] Support for _Bool in ACSL formulas
[Project] Fix messages about projects.

Developers Only

[Cil] Rename function sizeOf_int into bytesSizeOf.
[Cil] Statements containing calls to va_start can now be printed outside of a function
[Cil] Terms containing ACSL keywords are now properly parsed by function Logic_lexer.lexpr
[Doc] Fix ugly display of documentation of dynamic plug-ins API (bts #1394).
[Kernel] adding a category do not set debugging level to 1. Conversely debug ~dkey "..." (without ~level) will output "..." if dkey is requested by the user, even if debugging level is 0.
[Kernel] Add hook builders for hooks that can have dependencies. See src/lib/hook.mli
[Kernel] Add hooks to register transformation to be performed on a freshly computed AST. See src/kernel/file.mli
[Kernel] Added StringList.append_{before,after} for manipulating options (both static and dynamic API)
[Kernel] Added hooks when registering/removing a property
[Kernel] Cil.mkEmptyStmt gets a valid_sid argument in order to generate valid statements.
[Kernel] Fixed buggy function Property.location.
[Kernel] Alpha.{new,register}AlphaName: transform labelled argument 'undolist' with option type into optional argument.
[Kernel] Plug-ins may now have their own session directory in which they can generate project-dependent files during a Frama-C session.
[Kernel] Plug-ins may now have their own configuration directory in which they can generate configuration files during a Frama-C session.
[Kernel] parameters can be preserved across project creation through copy visitor (do_not_reset_on_copy function). fixes do_not_projectify and do_not_reset_on_copy status of Kernel's options.
[Kernel] Plug-ins may now have a non-empty .mli interface. It deprecates the old way to register them through module Db or Dynamic (this last one may remain useful for mutually recursive plug-ins).
[Kernel] For building a datatype, you now need to use smart constructors provided in Structural_descr.
[Kernel] Removed Db.Dominators. Use the Dominators kernel module instead.
[Kernel] Changes to the signatures in lattice_type: top and bottom are now optional, a join_and_is_included function is required, and Upper_Semi_Lattice was renamed to Join_Semi_Lattice.
[Kernel] The module Parameter_sig now contains the signatures of command line options (was in module Plugin).
[Kernel] Parameter is now called Typed_parameter.
[Kernel] The module Parameter_customize now contains the functions to customize command line options (was in module Plugin).
[Kernel] The module Parameter_state now contains the functions to select group of parameters (was in module Plugin).
[Lib] Filepath.normalize can replace paths by a symbolic name.
[Logic] Better specification and more checks on Annotations.{add,remove}_* functions (fixes bug #1635).
[Makefile] Split Makefile.common in two parts in order to include generic rules (new Makefile.generic file) at the end of main Makefile, so specialized patterns will be considered first in make < v3.82
[Ptests] add the possibility to define macros in configurations. See developer documentation.
[Ptests] Use ptests.opt whenever possible.

Frama-C GUI

[Gui] the configuration file .frama-c-gui.config is now put in the GUI config directory and named frama-c-gui.config.

Plugin From

New Features

Slowndowns in the analyses can be mitigated using higher values for option -memory-footprint
Better precision when querying information about a zone that has the same dependencies as its neighbors.
Separately compute data dependencies and indirect (address, control) dependencies with option -show-indirect-deps
Fix possibly invalid dependencies for functions that return partially-written structs.

Bug Fixes

Position the 'and SELF' flag when an assigns clause z1 and z2 overlap in an assigns clause z1 \from z2 .
Fix incorrect dependencies with code of the form 'f(); x = 1; f();' when f assigns a value with a right-hand side that depends on x.

Developers Only

Results of From cannot be intercepted by Log.add_listener anymore. Use Db.From.{pretty,display} to print them.

Plugin Impact

More generic dynamic function impact_statement_gui. The set of nodes impacted can now be filtered by a memory zone.

Plugin Inout

Inputs of an instruction whose evaluation fails now include the sub-expressions for which evaluation succeeds

Plugin Metrics

More precise information about coverage
ACSL statistics

Plugin Obfuscator

New Features

Print the category which each symbol belongs to (bts #1566).
Obfuscate labels (bts #1562).
Obfuscate (most of) logical constructs (bts #1563).
Handle literal strings in a separate dictionary (bts #1564).
Warn about unobfuscated symbols.
New option -obfuscator-dictionary to generate the dictionary into a file.
New option -obfuscator-string-dictionary to generate the dictionary of literal strings into a separated file.

Bug Fix

Now properly handle option -ocode.

Plugin PDG

Function Db.Pdg.find_stmt_and_blocks_nodes returns a correct result on partially dead composite statements

Plugin Pdg

Fix possible non-termination during the computation of the control dependencies (bug #1436)
Shorter output when outputting results
Results of Pdg cannot be intercepted by Log.add_listener anymore. Use Db.Pdg.get and Db.Pdg.pretty instead.

Plugin Report

New option -report-untried

Plugin RTE

Better normalization when using -rte-precond.
Remove limitation about alarms which do not fit into 64 bits (bts #1391).

Plugin Rte

No assertions are generated for unsigned left-shift that may overflow, regardless of whether -warn-unsigned-overflow is set. Fixes issue #1555.

Plugin Scope

Option -inout-callwise can be used to improve the precision of computations, including the effects of option -remove-redundant-alarms. Option -calldeps is no longer necessary
Functions registered in Db now return Stmt.Hptset values instead of Stmt.Set

Plugin Semantic Constant

Folding Fixes error when folding fct pointer resulting in two distinct kf for the same function.

Plugin Slicing

New Features

Better slicing of complex logical assertions (bug #690).
-slice-calls main only selects the calls to the main function, nothing more.

Bug Fixes

Fix crash in presence of assertions involving sizeof(t), where t is an array. Fixes similar bug with option -remove-redudant-alarms
Slicing on a composite statement containing dead code now works properly
Slicing is now compatible with option -val-use-spec

Plugin Syntactic_callgraph

Remove option -cg-services-only which was unused since a while.

Plugin Value

New Features

Frama_C_show_foo functions now display struct arguments in extenso.
Distinguish unreachable state and invalid location when printing the value of a l-value in the GUI
Basic support for \inter logical predicate (treated as an union).
Evaluation of \base_addr, \offset and \block_length logic predicates.
Preliminary support on \forall and \exists quantification when the introduced variables have a C type.
Assertions on dead code now get a "true because unreachable" status.
The name of an evaluated property is now displayed in the log message. Fixes wish #1415.
Option -memory-footprint now accepts much bigger arguments. The size allocated to each cache is multiplied by 2 between each increment.
Better documentation of module Hptmap. Some incompatible API changes.
Better widening bound for signed 32 bits integers
Fewer and better widening bounds for pointer addresses: try the frontier of the block
Warn for missing '\from' or 'assigns \result \from' clauses. Fixes wish #1448
More aggressive evaluation of \initialized(p) when p points to a memory zone containing both bottom and non-bottom values
Value analysis can now be aborted while keeping intermediate results, by sending SIGUSR1 to Frama-C
Degeneration points are now shown in the GUI
Syntactic loops (ie. 'for', 'while' and 'do ... while') are now always used to perform widening, regardless of whether they are reducible
Evaluation of left-values such as t[i][j] or p->arr[i] is now more precise when the total number of locations to read or write is less than the value of -plevel option
No alarms are emitted for overflowing unsigned left shift operations.
Pointer subtraction now requires that the pointers refer to the same allocated block, and returns the pointwise difference between the corresponding offsets. Use -no-val-warn-pointer-subtraction to obtain the previous behavior.
The option -val-left-shift-negative-alarms has been renamed into -val-warn-left-shift-negative
Passing a struct containing uninitialized fields or padding bits to a function without a body no longer raises an alarm.
Copies of non-struct left-values that contain indeterminate bits can now be reported using option -val-warn-copy-indeterminate.
Improve precision of bitwise conversion from floating-point value to integers
Experimental option -slevel-merge-after-loop
Volatile pointers are now modeled as the base addresses that are stored into the pointer, shifted by an unspecified offset.
Display information about temporaries when emitting an alarm
Ensure convergence in presence of some non-natural loops
Improve precision of treatment of: if ((int)floatvar == intexpr)
Improve precision of treatment of x = e1 & e2;
Replace mostly-inoperant option -memory-footprint by an environment variable FRAMA_C_MEMORY_FOOTPRINT
Fix spurious messages about integer overflow when an arithmetic operation is guaranteed to result in an undefined behavior.
For functions for which only the specification is available, non-invalid statuses are no longer reported when evaluating a postcondition. Invalid statuses are reported, and usually indicate a specification error.

Bug Fixes

Failure during a memory zone copy is now properly notified. Alarms were emitted, but a non-bottom result was simultaneously returned.
Fix crash when the creation of the initial state encounters a completely invalid compound initializer.
Fix crash when evaluating \valid(p->off) when p is NULL or a valid pointer, and p->off is itself only partially valid (bug #1486).
Fixed bug involving the conversion to float of a double expression e s.t. 0 < fabs(e) <= 0x1.0p-150.
Prevent GUI crashes when options -no-results or -obviously-terminates are set and some functions have ACSL preconditions
Ensures that sqrt(-0.) is -0., even with buggy MSVC runtime. Fixes bug #1396
Fix potentially invalid source line number in origin of Merge garbled mix values.
Fix rare crash during widening operation in C union intensive code
Fix possible unsoundness in presence of &. (unsoundness never observed in practice)
Fix crash on analyses involving very imprecise pointers and a partially valid absolute memory range
Fix missing read/written zones and dependencies when accessing a completely imprecise pointer (garbled mix) and using option -absolute-valid-range. Impacts the results of plugins Inout, From, Pdg, Impact and Slicing.
Fixed spurious warning about floating-point values containing addresses.
Remove support for ACSL \inter operator, which could lead to unsoundness with predicates involving the empty set (fixes bug #1624)
Fix potential unsoundness in the operation testing the inclusion of two memory states (never observed in practice)
Fix bug when writing imprecisely in a struct containing a 1-bit wide bitfield (bug #1671)

Developers Only

Remove functions Cvalue.Model.pretty_without_null and Db.Value.display_globals. Function Db.Value.display is now a reference to the real function. Removed last argument of Cvalue.Model.pretty_filter.
Results of Value cannot be intercepted by Log.add_listener anymore. Use Db.Value.display to print them
Do not crash when printing arrays or structs containing abstract structs (bug #1416).
API change in module Base. Use script bin/fluorine2neon.sh for automatic migration.
Function Cvalue.Model.find_unspecified now requires one additional argument ~conflate_bottom
Fix bug in which two distinct memory states could be erroneously made equal
Minor signature change for widening functions
Function Map_Lattice.Make requires a new argument
Type Base.string_id is now concrete. No more need for function Base.cstring_of_string_id
Functions previously required by some functors in directories src/ai and src/memory_state are no longer needed. Use script bin/fluorine2neon.sh for partially automatic migration.
Harmonisation and simplifications of functions related to memory states in Cvalue.Model. Different functions are now available for updating, refining and creating a state

Neon_20140301 Release [0.8]

Plugin WP

New Features

[Driver] Refactoring of prover external libraries. (consult driver section in manual).
[GUI] Consistent icons with status.
[GUI] Edition of current proof script (right-click).
[WP] More type constraints in typed memory model.
[WP] Clever assigns everything with formals and locals.
[WP] Better integration with Why-3 and Coq.
[WP] Many improvements on bitwise operators.
[WP] Many improvements on reals and floats.

Bug Fixes

[WP] Major speed-up for huge functions.
[WP] Important bug-fix in CFG (missing hyps in goals).

Neon_20140301 Release [0.4.1]

Plugin E-ACSL

New Features

[E-ACSL] Remove a spurious warning when an annotated function is first declared, then defined.
[E-ACSL] Remove spurious warnings when using type real numbers.

Bug Fixes

[E-ACSL] Fix bug #1700 about non-ISO empty struct.
[E-ACSL] Fix bug #1715 about -e-acsl-full-mmodel which generates incorrect code.
[E-ACSL] Fix bug #1716 with annotations in while(1).
[E-ACSL] Fix bug #1717 about instrumentation of labeled statements.
[E-ACSL] Fix bug #1692 about wrong localisation of some messages.
[E-ACSL] Fix bug #1782 about incorrect URL in the documentation.
[E-ACSL] Fix bug #1695 about using some part of the (Frama-C) libc which prevents linking of the generated C code.
[E-ACSL] Fix bug #1836 about one-off error when computing the block which a pointer points to.
[E-ACSL] Fix bug #1831 about argc and argv.
[E-ACSL] Fix bug #1696 by clarifying the manual.
[E-ACSL] Fix bug #1818 about initialization of globals.
[E-ACSL] Fix bug #1838 about memset.

Neon_20140301 Release [0.4]

Plugin E-ACSL

[E-ACSL] Fix bug #1634 occuring in presence of static addresses.
[E-ACSL] Fix incorrectness which may occur in presence of aliasing.
[E-ACSL] Some loop invariants were tagged as "assertions".

Fluorine-20130601 Release [9.2]

Plugin Value

Add missing C library files.

Fluorine_20130601 Release [0.3]

Plugin E-ACSL

New Features

[E-ACSL] Fewer unknown locations.
[E-ACSL] Support of loop invariants.
[E-ACSL] Use GMP still less often.
[E-ACSL] More precise message for unsupported contract clauses.
[runtime] Improve ACSL contracts of the E-ACSL C library.

Bug Fixes

[E-ACSL] Fix -e-acsl-debug n, with n >= 2.
[E-ACSL] Fix bug when generating RTEs on the E-ACSL generated project.
[E-ACSL] Fix crash with typedef on pointer types.
[E-ACSL] Fix bug when mixing -e-acsl-prepare and running E-ACSL in another project (bts #1473).
[E-ACSL] Fix bug when monitored global variables have initializers (bts #1478).
[E-ACSL] Fix bug which may occur with divisions and modulos.

Fluorine-20130501 Release [9.1]

Frama-C General

[Kernel] Fixed Type.pp_ml_name for polymorphic types with 3 and 4 type variables (bug #1127).
[Makefile] Fixed installation directory of the doc in plug-in's Makefile (bug #1278).

Plugin RTE

Fix off-by-one error in alarms on overflowing unsigned unary minuses.

Plugin Value

Better precision for ^ (bitwise xor) operator when applied on intervals of positive integers
Catch evaluation errors when selecting a logic l-value in the GUI.

Fluorine_20130501 Release [0.7]

Plugin WP

[Provers] Fixed various bugs with drivers and provers.
[Typed] Better trigger generation for arrays with Alt-Ergo.
[Typed] Fixed bug on address differences and offsets.
[WP] Fixed various bugs on floats.

Fluorine-20130401 Release [9.0]

Frama-C General

New Features

[Cil] The type of fields that are bit-fields now carry an informative attribute FRAMA_C_BITFIELD_SIZE.
[Cil] Handles interpretation of linemarker ending by // and cleanup file paths.
[Kernel] Assumptions and axioms now get consolidated status "Considered valid" instead of "Valid".
[Kernel] Option -enums for choosing representation of enums.
[Kernel] When printing the AST, display the emitter name of generated annotations and also the origin of annotations corresponding to an alarm.
[Kernel] Better frama-c.top (fixed issue #1287).
[Kernel] Syntactic constant folding is done once by AST (fixed bug #1306).
[Kernel] The level of verbose is at least the level of debug.
[Kernel] Print signed downcast alarms as 'signed_downcast'
[Kernel] Signed downcast alarms are no longer emitted by default. Use option -warn-signed-downcast to activate them.
[Kernel] Signed overflow alarms are now emitted by default.
[Logic] Extended syntax for naming terms and predicates ("string":pred and "string":term are now allowed).
[Logic] Improved merge strategy for assigns, and report the presence of different assigns clauses between two files.

Bug Fixes

[Kernel] Fixed bug with Type.pp_ml_name for pairs, triples and quadruples which can lead to incorrect journal generation (new occurrence of bts #1127).
[Kernel] Do not attempt to merge unrelated anonymous enum that have been given the same name by Cil (fixes #1283).
[Kernel] Do not print help of negative options when the positive one is invisible (fixed #1295).
[Kernel] Fixed discrepancy between compare_type and hash_type. Added new datatype TypNoUnroll.
[Kernel] Fixed bug #1347 about accessing to a consolidated status of a property which depends on removed hypotheses.
[Kernel] Add lv_kind field to trace origin of logic variables. Cil_const.make_logic_var is deprecated in favor of specialized.
[Kernel] Ghost status is appropriately propagated in statements (instead of only instructions) and pretty-printed accordingly. Fixes issue #1328.
[Logic] Fixes various type-checking issues in presence of polymorphism and implicit conversions (including #1146).
[Makefile] Compile OcamlGraph less often: fixes issue #1343.

Developers Only

[Cil] Remove unused 'alignof_char_array' machdep field.
[Cil] Renamed function Cil.alignOf_int into bytesAlignOf.
[Cil] Clean up registering of new machdeps. Some machdep options have been integrated into Cil_types.mach, or removed from Cil.theMachine (as they were already in Cil_types.mach).
[Cil] Remove Cil pretty-printer. Use module Printer instead. The script bin/oxygen2fluorine.sh may be used to automatically convert your code.
[Kernel] Fixed consistency check of descriptor when building polymorphic datatypes (fixed bts #1277).
[Kernel] Provide Datatype.triple and Datatype.quadruple (bts wish #1277).
[Kernel] Optional argument 'reorder' to File.* functions creating an AST in a new project from a visitor.
[Kernel] Fixes incorrect visitor behavior with JustCopy (issue #1282).
[Kernel] New API for module Alarms.
[Kernel] New function 'get' for projectified counters.
[Kernel] Renamed Kernel_function.self to Kernel_function.auxiliary_kf_stmt_state to avoid confusion.
[Kernel] Get rid of useless rooted_code_annotation datatype.
[Kernel] New function Annotations.model_fields.
[Kernel] Signature change for constructor LReal.
[Kernel] Remove unintuitive ?prj argument from Cil visitors, and first argument of Visitor.generic_frama_c_visitor. Information is now stored inside the type Cil.visitor_behavior.
[Kernel] Added TLogic_coerce constructor to mark explicitly a conversion from a C type to a logical one (in particular floating point -> real and integral -> integer). Fixes issue #1309.
[Kernel] Various types whose names started by t_ in PDG/slicing related modules are now unprefixed.
[Kernel] Remove Cilutil's pretty printing helpers. Use Pretty_utils' ones instead.
[Kernel] Reorganize AST's pretty-printers. You must now use module Printer. Use the script oxygen2fluorine.sh to upgrade your plug-in.
[Kernel] Module Cilutil has been removed. Previously used list functions can now be found in Extlib (use script oxygen2fluorine.sh for migration). Functions related to configuration files are now Cilconfig.
[Kernel] Added type modules Cil_datatype.Wide_string and Datatype.List_with_collections.
[Kernel] Added pp_field and pp_model_field in Printer_api.
[Kernel] New methods videntified_term and videntified_predicate for the visitor.
[Kernel] Remove method is_annot_before from visitors (it return only 'true').
[Kernel] Visitor no longer crashes when a non-function global is replaced by a list containing at least one function or prototype (fixes bug #1349).
[Kernel] redesign of message categories. See detailed changelog for more information.
[Kernel] Must register keywords introducing new clauses of ACSL contracts. Fixes issue #1358.
[Logic] Change Property_status.Consolidation_graph.dump now takes a formatter instead of a file name.
[Makefile] Fix installation directory of API documentation (fixed bts #1278).

Frama-C GUI

[Gui] In some cases, after a crash of an analyzer, the GUI was not fully restored, became inconsistent and could crash.

Plugin Aorai

Adds locations modified by Aorai to existing loop assigns (fixes issue #1290).

Plugin From

Fix rare bug in presence of involved control-flow graphs and non-terminating calls.
Fix absence of effect of option -calldeps after a save/load cycle.

Plugin Impact

Prevent crash when a caller or callee function has been imprecisely analyzed.
Prevent crash when considering a function with an unreachable first statement.
Function Db.Impact.compute_pragmas now returns a list of statements.

Plugin Inout

Fix absence of effect option -inout-callwise after a save/load cycle.
Indirect reads (for example 'p' for '*p') are now automatically added to inputs when evaluating assigns.

Plugin Metrics

Global variables both declared and defined were counted twice.
Option -value-metrics now report a correct location for function referenced by an initializer. Fixes #1361.

Plugin Obfuscator

Hide variables that do not appear in the output from the dictionary.

Plugin Pdg

Ignore inline asm statements (previous behavior was to generate Top Pdgs).
InCtrl nodes are no longer displayed in Dot graphs.
Fix display for control dependencies in PDG graphs.

Plugin Rte

New Features

Remove option -rte-print. Use -print instead.
Generate Value-compatible alarms and annotations.
Removed options -rte-signed, rte-unsigned-ov, -rte-downcast and -rte-unsigned-downcast. They are replaced by -warn-signed-overflow, -warn-unsigned-overflow, -warn-signed-downcast and -warn-unsigned-downcast respectively.

Bug Fix

Added missing alarm for casts from overly large floating-point numbers to integer. Fixes #1318.

Developers Only

Export function "exp_annotations" to get RTEs of a C expression as annotations.

Plugin Scope

Prevent crash in defs computation when a lvalue is a formal.

Plugin Slicing

Fix incorrectness in presence of assertions involving \initialized predicate. User predicates are no longer treated.
Fix options -slice-assert and -slice-threat (-threat did nothing, -assert selected all alarms).
Remove no longer used ~ai argument.
Alarms are now removed in the generated project (regardless of option -slicing-keep-annotations).

Plugin Sparecode

Alarms are now ignored during the analysis.
RTE or Value-generated alarms are now removed in the generated project.

Plugin Value

New Features

Reduce more aggressively on accesses *p where p is imprecise but contains only one valid value.
New option -val-callstack-results to record and display in GUI the results split by callstacks.
More precise line numbers for statuses of assertions and loop invariants.
Improve handling of conditionals when option -val-ilevel is used.
Evaluation of assigns now include indirect reads (ie 'assigns *p' depends on p) automatically.
More agressive analysis of statements with improperly sequenced accesses when option -unspecified-access is used.
More aggressive reduction in presence of write through partially invalid pointers. Warn if the pointer is completely invalid.
Alarms emitted by Value are no longer evaluated during analysis (unlike user assertions).
Value more aggressive evaluation of construct '//@ for b: assert p' when b is guaranteed to be active. Harmonize behaviors-related messages.
Improved support for abstract structs.
Improve reduction by conditions that involve '&' and '|' operators.
Suppress superfluous warning when passing as argument a struct that contains pointers.
Offsets in misaligned values that repeat themselves are now always printed relatively to the beginning of the binding.
Renamed options -initialized-padding-globals and -no-no-results into -uninitialized-padding-globals and -val-store-results respectively.
Improved support for va_arg variadic macro.
Option -val-ignore-recursive-calls now uses the assigns clauses of the recursive function to treat the call.
Emit proper alarms for completely imprecise floating-point values, and for casts from float to int.
Removed option -val-signed-overflow-alarms. Use -warn-signed-overflow instead.
Signed overflows now cause an alarm. Option -no-warn-signed-overflow can be used to get 2's complement.
Consolidated states are now stored before 'assert' clauses are evaluatued.
Optionally warn against unsigned overflows according to option -warn-unsigned-overflow.
The first element of a -lib-entry allocated array, or of an array passed as an argument to main, is now valid regardless of option -valid-context-pointers.
Better precision for postconditions in functions with multiple return analyzed without slevel.
The location in which the result of a call is stored is now evaluated before the call. A warning is emitted if this location has changed after the call.
Highlight non-terminating calls.

Bug Fixes

Fix "Semantic level unrolling superposing up to" messages. The number displayed was sometimes lower than the actual number of superposed states.
A bug causing the number of superposed states to be slightly underestimated has been fixed. As a result, it may be necessary to up the -slevel argument a little bit for existing proof scripts.
Correct potentially incorrect reduction on l-values of the form *(p+off) or *(p-off).
Fix soundness bugs for comparisons with logic constants that are not representable as 64 bits double.
Fix evaluation of logic constant characters above 127.
Option -absolute-valid-range can now be changed between two executions of Value.
Various changes in the way undefined functions returning pointers are handled.
Ignore 'const' qualifier on extern globals in lib-entry mode. Previously, those globals were initialized to 0.
Fix erroneous casting operating when interpreting logic casts.
Fix validities of degenerate variables, which were too big considering the size of the memory.
Improved again support for abstract structs.
In -lib-entry mode, void* fields or pointers now point to something potentially valid.
Initial state of Value does not depend on -main option, but depends on -context-<...>.
Fix incorrect reduction in integers containing pointers address when option -warn-signed-overflow is set.
Option -memexec is now correct in presence of RTE alarms.
Fixed misleading "after statement" state on statements followed by an assertion.
Fix incorrectness of option -remove-redundant-alarms in presence of '\initialized(...)' alarms.
Fix incorrect interpretation of \valid{L}(P) when L is not Here label.

Developers Only

Remove various instances of Top_Param, which were all equal to Base.SetLattice.
Builtins must now warn if their results should not be cached (signature change in Db.Value.builtin_result).
Removed Base.All validity. Use big validities with unknown flag instead. Improved signature of Base.Unknown.
Renamed Locations.valid_enumerate_bits into Locations.enumerate_valid_bits.
Generic types of Value are now in Value_types (previously Value_aux). Implies a signature change for Db.Value.register_builtin. Value_aux.accept_base is now in Db.Semantic_Callgraph.

Fluorine_20130401 Release [0.7]

Plugin WP

New Features

[Cmd] Using -wp-prover instead of -wp-proof (kept for compatibility).
[Cmd] Added option -wp-skip-fct to exclude functions.
[Cmd] Removed now useless options -wp-huge, -wp-dot, -wp-trace.
[GUI] New Why3 provers selection, added -wp-detect to force detection.
[Typed] Extensions of Typed model (unsafe-casts).
[Why] 3 Why3 output (-wp-proof why3:xxx).
[WP] Drivers for linking ACSL symbols to external libs (-wp-driver).
[WP] 'Typed' becomes the default model.
[WP] 'Store' and 'Runtime' models abandoned.
[WP] Experimental float and machine-integer models.
[WP] New interface to model selection (unique -wp-model option).
[WP] New simplification engine (specific options).
[WP] Added support for string literals (-wp-literals).

Bug Fix

[Makefile] Fixed bug #1385 about ocamllex.opt.

Fluorine_20130401 Release [0.2]

Plugin E-ACSL

New Features

[E-ACSL] Use GMP arithmetics only when required (i.e. mostly never in practice).
[E-ACSL] Support of bitwise complementation.
[E-ACSL] Nicer generated variable names.
[E-ACSL] Continue to convert the other pre/post-conditions even if one fails.
[E-ACSL] Support of \base_addr.
[E-ACSL] Support of \offset.
[E-ACSL] Support of \block_length.
[E-ACSL] Support of \initialized.
[E-ACSL] Support of \valid.
[E-ACSL] Support of floats in annotations. Approximate reals by floats.
[E-ACSL] Prevent runtime errors in annotations, except uninitialized variables.
[E-ACSL] Support of \valid_read.
[E-ACSL] Support of ghost variables and statements.
[E-ACSL] Support of undefined function with a contract.
[E-ACSL] New option -e-acsl-valid. By default, valid annotation are not translated anymore.
[runtime] Function e_acsl_assert now consistent with standard assert.
[runtime] Improve ACSL spec of E-ACSL' C library.

Bug Fixes

[E-ACSL] Fix bug with conditional and GMP integers.
[E-ACSL] Fix bug with negation and GMP integers.
[E-ACSL] Fix bug with boolean.
[E-ACSL] Fix bug with lazy operators in term position.
[E-ACSL] Fix bug with very long ACSL integer constants.
[E-ACSL] Fix bug with complex term left-values.
[E-ACSL] Fix bug when translating a postcondition of a function where the init state is the same than the final state (bts #1300).
[Makefile] Fix compilation bug when configuring with --enable-external.

Oxygen-20120901 Release [8.0]

Frama-C General

New Features

[Cil] In debug mode, pretty-print numerical constants instead of displaying the source file strings.
[Cil] Functions returning a value cannot let control flow falling through the closing '}' Fixes #685.
[Cil] New option -warn-undeclared-callee for calls to functions that have not been previously declared.
[Journal] Better journalisation of command line options setting a list of arguments (e.g. -slevel-function): avoid quadratic complexity in the generated code (fixed bts #1123).
[Kernel] Adding supports for clause allocates and frees and their version for loops.
[Kernel] Sets generated assigns clauses into the default behavior.
[Kernel] Adding some more supports for built-in related to memory blocks.
[Kernel] Support for model fields
[Kernel] Keep all prototypes with a spec, even if not referenced.
[Kernel] New option -<plugin>-share for plug-ins to customize their specific share directories.
[Kernel] Use Zarith whenever possible (bts #983).
[Kernel] when printing help, display the name of the opposite boolean option (bts #1085).
[Kernel] Consolidation from call-site preconditions to original precondition now handle calls through function pointers
[Kernel] improve 'reachable' properties.
[Kernel] New option -keep-unused-specified-functions.
[Kernel] A negative value given to -ulevel option hides all UNROLL_LOOP pragmas.
[Kernel] linker checks that the ghost status of two merged declaration is the same, and raises an error otherwise.
[Kernel] C constant expressions are now allowed as UNROLL level into loop pragmas.
[Kernel] The annotation 'loop pragma UNROLL "completly", n;' unroll 'n' times the annoted loop and then add it a clause 'loop invariant \false;'. The remaining loop should be death code.
[Kernel] All globals with attribute FC_BUILTIN are preserved even if unused.
[Kernel] Remove useless negative options -no-help, -no-version, -no-print-share-path, -no-print-lib-path and -no-print-plugin-path.
[Logic] Better label inference in axiomatics (see bts #1068).
[Logic] LoopEntry and LoopCurrent built-in labels.
[Logic] Cleaner generated assertions in presence of multiple pointer casts.
[Logic] Better error messages when parsing logic.
[Project] Accept to load inconsistent project by setting to default the inconsistent states and their dependencies.

Bug Fixes

[Cil] Fail when encountering a lvalue of type void (#1013).
[Cil] Go to new line more often when printing sequence of statements. Fixes issues #1021.
[Cil] Correct sharing bug on widening pragmas. Fixes #1090.
[Cil] Improve label positions in presence of loop unrolling (bug #1100).
[Cil] Preserve typedefs on global variables with an initializer
[Cil] Better propagatation of volatile, const and restrict type qualifiers through typedefs on arrays
[Journal] Fixed bug #1080: better generated journal in case of missing internal data preventing it of being runable.
[Journal] Fixed bts #932 about journalization of dynamic plug-ins in some corner cases.
[Kernel] Better linking behavior (fixes #672).
[Kernel] Link error aborts Frama-C (fixes #990).
[Kernel] empty list in complete/disjoint is expanded by logic type-checker to the list of behavior name of current contract. Fixes issue #1006. See bts comments for the differences that can appear in the treatment of specs.
[Kernel] keep track of local variables even in presence of annotation + do not silently lose statement contract. Fixes issue #1009.
[Kernel] Fixed bug about property statuses and setting parameters after -load (statuses were not cleared when required).
[Kernel] Initialization of locals is correct for all sizes; uses bzero to 0 + contract (directly validated by Kernel)
[Kernel] Fixed bug #1135 and bug #1139 about loop unrolling.
[Kernel] Fixes issue in loop unrolling and annotations.
[Kernel] Strict checking of type compatibility when merging an already called prototype without arg list and a full prototype (fixes issue #728, #109).
[Kernel] Introduce more temporaries for a call [lv = f()] if the return type of f and the type of lv do not match. Fix issue #1024.
[Kernel] Fixed bug with Type.pp_ml_name for generic sets which can lead to incorrect journal generation (bts #1127).
[Kernel] Fix graph of consolidation statuses when several properties get the same name.
[Kernel] Fixes bug #840 (inaccurate position in presence of -pp-annot).
[Kernel] Fixed bug with save/load: loading a file <f>, then quitting Frama-C can no longer modify <f> (bts #1269).
[Kernel] Fixed #1267 (adds explicit casts for default argument promotions).
[Kernel] Do not accept spurious '}'. Fixes bts #1273.
[Kernel] Fixed missing undefined behavior for multiple write accesses (fixes bts #1059).
[Kernel] Fine tuning AST dependencies. See developer guide.
[Kernel] Identical messages emitted in two different projects will now be visible in both projects. Fix bug #1104.
[Logic] Fixes issue #1005 (earlier detection of duplicated axiom name avoids Kernel.fatal).
[Logic] Fixes sizeof("string_literal") in logic.
[Logic] Fixed bts #1253: IndexPI and PlusPI are equivalent.

Developers Only

[Cil] Add method pFile in printers. Signature change for Cil.d_file (but you should use !Ast_printer.d_file).
[Cil] Fixed off-by-one error in foldLeftCompound ~implicit:true.
[Cil] Ast changed: Unrool_level renamed into Unroll_specs and its argument becomes a list for next evolutions.
[Cil] Fixed bts #1254: incorrect documentation of Cil.d_plaininit.
[Cil] Remove type Cil_type.typeSig. Use the functions in Cil_datatype.Typ and Cil_datatype.Logic_typ to compare types.
[Cil] Split constants of logic and C (fixes bts #745).
[Kernel] Logic_preprocess.file takes an additional parameter, as gcc pre-processor treats differently .c and .cxx files, and this must be reflected in annotation pre-processing.
[Kernel] Plugin.Register defines a new option -plugin-debug-category that allows to enable debugging for sub-categories of messages (See Log.set_debug_keys for more info).
[Kernel] New File.init_from_project function.
[Kernel] Added Property.location function.
[Kernel] Kernel.CppExtraArgs now gets type Plugin.String_list and not Plugin.String_set (fixed bts #1132).
[Kernel] Plugin.set_optional_help is now deprecated.
[Kernel] Fix implementation of Datatype.Triple and Datatype.Quadruple (bts #1133).
[Kernel] Kernel.Functions.get does not silently create a kernel function if it does not already exist. This behavior is kept for Cil builtins.
[Kernel] New API for Annotations which merges old Annotations, Globals.Annotations and operations of Kernel_function over function contracts.
[Kernel] Remove module Inthash. Use Datatype.Int.Hashtbl instead, or directly carbon2nitrogen.sh migration script.
[Kernel] Correct (albeit slow) hash function for terms and term lvalues.
[Kernel] Hook for handling for loop components in Cabs.
[Kernel] -check verifies if vdefined flag is coherent with status of variable in Globals tables and AST. Fixes one of the issues of #1241.
[Kernel] Add function [stmt_can_reach] to the arguments of Dataflow.Backwards, which is used to speed up the analysis. See dataflow.mli for good possible values.
[Kernel] Changes in interface of StringHashtbl options.
[Kernel] API of dynamic plug-ins is now documented as well as static plug-ins (fixed bts #171).
[Kernel] Operations that silently mutate AST should now call Ast.mark_as_changed to clear states depending on it (fixes #1244).
[Kernel] Fixed bts #1250: setting formals of visited function is not delayed until fill_global_tables anymore.
[Kernel] Remove obsolete constructors Cabs.TRANSFORMER and Cabs.EXPRTRANSFORMER and related parsing rules.
[Kernel] Datatype with structural comparison for exp and lval fixes bts #1263.
[Kernel] Correct hash function for Sets created by Datatype.Make_with_collections or Datatype.With_collections.
[Kernel] Improve signature of State_builder.Set_ref.
[Makefile] Fixed bug #1082 about wrong link in generated code documentation.
[Makefile] 'make doc' did not work when GUI disabled (bts #1014).
[Makefile] Fix bug #1145 about PLUGIN_LINK_GUI_OFLAGS.
[Makefile] Use ocamldoc.opt whenever possible.
[Makefile] plugin is distributed iff PLUGIN_DISTRIBUTED and PLUGIN_ENABLE are not 'no' (instead of PLUGIN_DISTRIBUTED == yes).
[Makefile] Added variables PTESTS_OPTS and PLUGIN_PTESTS_OPTS to pass options to ptests through make tests. See dev manual.

Frama-C GUI

[Gui] Display global annotations in the filetree.
[Gui] Add filters for properties' consolidated statuses.
[Gui] Removing 'add assert before' from contextual menu. Uses ACSL_Importer plugin for such a feature.
[Gui] Display all properties in 'Properties' panel, including generated ones without location.
[Gui] Fixed bugs when the consolidation graph cannot be displayed (fixed bts #1122).

Plugin Aorai

Aorai gets a real Dataflow analysis for contract generation + various logic simplifications.

Plugin From

Better precision for code of the form 'if (c) stop(); else y = x+1;', where stop does not terminate
More sharing between identical values when printing results.
Major precision improvements when evaluating library functions whose assigns contains ranges.
The interpretation of explicit assigns clauses for library function "assigns *p \from x;" was wrong: every possible location was assumed to have been overwritten.

Plugin Impact

Complete rewrite. Improved precision and computation time. Fixes wishes #5 and #6.

Plugin Inout

Major precision improvements when evaluating library functions whose assigns contains ranges.
Option -inout-callwise to compute callsite-wise operational inputs. Improves precision of -inout, of the "Modifies" clause in the gui, and of the slicing.
Operational inputs are now more precise for function with only an ACSL prototype.
Better precision for 'if' in which only a side is reachable.
Option -inout-callwise restarts Value when it is newly set

Plugin Metrics

Fixes count of pointer accesses.

Plugin Occurrence

Results can be filtered to display only occurrences in read or write positions.
Fix bug where some occurrences were silently ignored in big asts; improve performance.

Plugin Pdg

Improve precision in presence of provably dead code branches. Fixes issue #1194.
Rename option -dot-pdg into -pdg-dot
Improve performance, typically on arrays of structs.
Option -pdg did nothing if -pdg-print was not set.

Plugin Report

Display unreachable properties in a special way; identify unreachable statement more clearly.

Plugin Rte

New Features

Emit \valid_read alarms instead of \valid for read accesses.
Reuse behaviors names when -rte-precond is used on fonctions with multiple behaviors.
Generate simpler assertions for accesses to arrays, and discard trivial ones; improve ordering of assertions. Honor option -unsafe-arrays.
Rename option -rte-const into -rte-no-trivial-annotations (set by default).

Bug Fix

Prevent generation of incorrect alarms on statements whose order of execution is not completely specified.

Plugin Scope

Improved computation of defs. Statements are categorized between direct and indirect accesses.
Improve precision of Defs computation (wish #1079).

Plugin Slicing

No more blank between -slicing-project-name and -slicing-exported-project-postfix (from #1249 entry).
More precise slicing when -calldeps is used (fixes wish #107).

Plugin Syntactic_callgraph

Fix bug #989 about difference of display between GUI and dot output.
Fix tricky bug while computing services when a cycle depends on another cycle (most part of the fix is actually in OcamlGraph itself).

Plugin Value

New Features

Improve evaluation of logic when option -val-signed-overflow-alarms is active.
Improve interpretation of ACSL annotations in presence of typedefs.
Evaluate more precisely statements of the form if (*p == 1) {...} when *p is reused within the if block. This also improves the handling of switches.
New option -no-val-left-shift-negative-alarms to treat left shift of negative integers as defined.
Better evaluation of \initialized predicate when only some parts of the location are initialized.
New builtin Frama_C_assert. Take advantage of existing assertions with "#define assert Frama_C_assert".
Suppressed confusing message "all target addresses were invalid. This path is assumed to be dead.".
After emitted an alarm \initialized(lv), the value analysis tries to remember that lv is initialized. This suppresses redundant alarms that were emitted further on.
Minor improvements related to single-precision floating-point handling.
In index out-of-bounds alarms, do not generate 'assert 0 <= i' part when 'i' is always greater than 0.
During evaluation, reduce indexes that are detected as out-of_bounds.
Reduce more aggressively invalid pointers: { p->f1 = v1; p->f2 = v2 } will usually raise at most one alarm.
FRAMA_C_MALLOC_INDIVIDUAL modelization now properly treats allocated blocks as uninitialized.
Aesthetic fix: do not display {{ &NULL }} and {{ &"foo" + {2} }} but rather {{ NULL }} and {{ "foo" + {2} }}.
Improve precision for code with pointer casts (fixes bug #1074).
Assertions of the form \valid(p+i) and \valid(&p->f) are now used to reduce p whenever possible.
Evaluation of \separated predicate
New message for functions with only a specification. Changed old message for functions with neither code nor specification to "No code nor specification for function ...".
Improved handling of *(p+i) (or equivalently p[i]) when p is a known pointer and i is unknown.
Improved handling of conditions involving the conversion to int of a floating-point variable.
Support for \valid_read predicate; evaluation of \at(p,Pre) and \initialized{Pre}(...).
Errors during evaluation in the logic are now reported.
Old "Evaluate expression" menu in the GUI replaced by "Evaluate ACSL term"; value of term lval is now displayed. Evaluations that may fail are flagged.
Allow comparison of invalid pointers in the logic.
New option -val-ilevel, to change the frontier between sets of integers and intervals.
Add bzero builtin. A precise destination and size are required (wish #915).
Position call-site statuses for function preconditions, instead of the previous global status.
More thorough checks for calls through a function pointer: warn when the function type and the pointer are not compatible, and stop when they cannot be reconciled.
Statutes 'Invalid' are now positioned on 'for behav:' assertions even when 'behav' is not the only active behavior.
Assertions such as \valid(p) now evaluate to Invalid when p is not initialized or an escaping address.
Warn when 'assigns *p' points to a completely invalid location.
Clarified message about completely indeterminate memory.
Print misaligned values in a simpler way. Fixes wish #1271.

Bug Fixes

Fixed spurious alarm \valid(p) in *p = e; when e is completely invalid. Soundness was not affected (the alarm for whatever made e invalid was present).
Fixed crash when a library function is called in a state where the function's precondition cannot be true.
Improve warnings and evaluation in presence of possibly infinite floats (fixes #997).
Generate correct assertions when using memcpy builtin. Fix #1000.
Fixed #1001: do not warn for unsigned shifts, do not end propagation on signed left shift of an address.
Prevent potentially incorrect assertions from being emitted when the result a call must be cast. Fixes #997 and #1024.
Fixed soundness bugs involving lval = lval; assignments targeting literal strings and automatically created S_... memory zones.
Fix wrong hash function, which could cause memory overuse and worse.
Evaluate ACSL && and || when they appear as terms (fixes bug #1072).
Allocate a finite space for malloc builtins; fixes some bugs when a pointer refers to a non-yet allocated space.
Fix crashes and/or missing alarms when evaluating *p=(cast)f() with p invalid (bug #1097).
Fix bug in evaluation of pointers to start of array.
Fixed bug where user assertions accessing uninitialized variables got the wrong status.
Handle 'assigns *p' where p has a typedef type
Fix incorrect initialization of volatile fields or globals in presence of initializers (bts #1112).
Fix possible typing bugs when evaluating logic expressions with non-integral types (bts #1175).
Re-emit alarms when Value options are changed and an analysis is restarted.
Better time and space complexity for initialization of big arrays in -lib-entry mode (bts #1026).
In lib-entry mode, honor 'const' attributes that appear deep inside the type (bts #759).
Calls (*p)() where p resolves to both valid functions and invalid addresses are now properly handled.
Fix crash when an undeclared function returned a pointer to a function that was later called.
Fix crash when evaluating *((int*)0+x)=v when the NULL base is invalid.

Developers Only

shift_left and shift_right functions now take an optional signedness boolean in addition to the optional size.
Moved contents of memory_state/Abstract_value into ai/Lattice_Interval_Set. Use bin/nitrogen2oxygen for automatic migration.
Lmap.paste_offsetmap now handles imprecise destinations.
Fix option -absolute-valid-range being reset by project copies.
Made type Ival.tt private.
Rename Db.Value.assigns_to_zone_inputs_state to Db.Value.assigns_inputs_to_zone. Add new functions Db.Value.assigns_outputs_to_zone and Db.Value.assigns_inputs_to_locations.
Signature change for function Db.Value.register_builtin: builtins can now return multiple states.

Oxygen_20120901 Release [0.6]

Plugin WP

New Features

[Cmd] Extended support for external libraries: Options -wp-coq-lib, -wp-why-lib and now -wp-alt-ergo-lib.
[Cmd] Extended selection language: -wp-prop [+|-][@]id to add or remove property category or name.
[GUI] Graphical version of Alt-Ergo (altgr-ergo) can be launched from the 'Proof Obligation Panel'.
[WP] Limited support for triggers in axioms and lemmas.
[WP] Better elimination of let constructs for -wp-norm Eqs option.
[WP] Enhanced statistics for -wp-report (see manual).
[WP] Truncating too long log filenames.
[WP] Experimental simplifier with new 'Typed' model (see manual).

Bug Fixes

[Coq] Better translation in Coq for floats and reals (fixed bugs #1174 and #1176).
[WP] Fixed issue about -ulevel option (bug #1244).

Developers Only

[WP] Enhanced Ocaml API (see manual). Old bindings are preserved, but now emit a deprecated warning.

Nitrogen-20111001 Release [7.0]

Frama-C General

New Features

[Cil] Enumerated constants are kept in the AST.
[Cil] Implement precise dataflow on switch constructs. As side effect, improve precision of value analysis.
[Cil] Fixed #720 (incorrect simplification of switch).
[Cil] Support for &"constant_string" in parser.
[Cil] Normalization of lval: T+1 ==> &T[1] when T is in fact an array (implies *(T+1) ==> T[1])
[Cil] Pretty-printing lval and term_lval the same way
[Cil] Cache results of offsets computations.
[Cil] Add support for GCC specific cast from field of union to union
[Kernel] Exit status on unknown error is now 125. 127 and 126 are reserved for the shell by POSIX.
[Kernel] Better error message when plug-in crashes on loading (bts #737).
[Kernel] Big integers can now be displayed using hexadecimal notation.
[Kernel] \at(p,Old) is pretty-printed as \old(p).
[Kernel] Some messages may be printed several time for the same line if they refer to different columns.
[Kernel] Better handling of comments with -keep-comments and new API. See Cabshelper.Comments and Globals.get_comments_*
[Kernel] Better pretty printing of lists of any elements
[Kernel] Current pragmas no longer give rise to code annotations (as they do not contain anything that can be proven).
[Kernel] Improve space complexity of function stmt_can_reach.
[Kernel] New kind of command-line parameter, for commands that do heavy output. Used for Value, Pdg and Metrics.
[Logic] Added support for bitwise operators --> and <--> into ACSL formula.

Bug Fixes

[Cil] Fixed bug #725 (type-checking && operator).
[Cil] Fix bugs #780 and #791: use ids unique between projects for varinfos, statements and expressions.
[Cil] Fix bug #785: promotion between long long and an unsigned same-sized type.
[Cil] Fixes wrong precedence of not in predicate when pretty-printing.
[Cil] Fixes bug #771 (spurious warning for read/write accesses in undefined order).
[Cil] Fixes bug #832 (spurious warning for read/write accesses in undefined order)
[Cil] Fixes bug #857 (problem with some C enum value and Ocaml 32 bits 3.11.0).
[Cil] Correct obscure Cil bug linked to the removal of trivial unspecified sequences or blocks. Fixes bug #882.
[Cil] Fix conversion bug for f(i++) or f(++i) when i has size less than int, and f expects an int (bug #911).
[Cil] Fix merging bug (#948).
[Cil] Correctly handle casts in switch. Fixes #961.
[Configure] Fix bug #262: --disable-plugin works for external plugins compiled from within Frama-C kernel.
[Kernel] Bug fixed in pretty printer. (incorrect precedences leading to missing parenthesis).
[Kernel] Bug fixed in File.create_project_from_visitor potentially impacted programs transformation.
[Kernel] Fixed bug #775. Large octal and hexadecimal constants are now correctly typed.
[Kernel] Fixed bug #770 and #769, part 1. Fixed typo in anonFieldName (was annonFieldName).
[Kernel] Fix bug #769: merging issue for declared struct.
[Kernel] Fix 'make clean' of plug-ins.
[Kernel] Support for GCC packed and aligned attributes and for GCC pack pragmas. Fixes #719.
[Kernel] Fixed typing of bitfields whose size is equal to the size of int (bugs #823, #817).
[Kernel] Support GCC like typing of enums.
[Kernel] Fixed macros in limit.h.
[Kernel] Correct syntactic loop unrolling in presence of switch. Fixes bug #861.
[Kernel] Add parameter ~declarations to Globals.FileIndex.get_functions. Prevent duplication bug in properties navigator of the GUI.
[Kernel] Fixes visitor bug + properly refresh ids of properties in code transformation (in particular loop unrolling).
[Kernel] Fixes various performance issues when parsing very large functions. Fixes #965.
[Kernel] New exception for Ast.UntypedFiles.get when no untyped AST is available. Fixes #954.
[Kernel] Treat long bitfields the same way as gcc and clang. Fixes #959.
[Kernel] Do not normalize Pre in Old, especially where Old is not allowed.
[Kernel] Warn when the plug-in specified by -load-module or -load-script is not found (used to remain silent)
[Logic] Fixed bug #714 about lexing ACSL characters and strings.
[Logic] Fixed bug #744 (comparison between arithmetic types is done in the smallest possible type).
[Logic] \at(t,L) when t is a C array is now a logic array whose content is the one of t at L, not the address of the first element of t (which stays the same between L and Here anyway). partial fix of bug #761.
[Logic] Fix bug #501: volatile clauses are handled by the kernel.
[Logic] Fix bug #761: adding \old in ensures clause for parameters does not capture terms in associated offset.
[Logic] Fixed issue with -pp-annot (fix bug #691 and #812).
[Logic] Fixed overloading resolution (fixes bug #655).
[Logic] can have a local binding for a predicate (even a constant one) without spurious warnings from typechecker. (fixes #848)
[Logic] Normalization of assigns clause: \result and \exit_status only appear if a \from is specified. Fixes #557, #845
[Logic] Fixed issue #866 (merging specs included twice)
[Logic] Fixes bug #887 (merging logic constants).
[Logic] Fixes bug #885 (wrong insertion of cast).
[Logic] Fix bug #501: volatile clauses relative to partially volatile lvalues are handled by the kernel.
[Project] Fix sharing bug when copying project.

Developers Only

[Cil] /Logic New functions Clexer.is_c_keyword and Logic_lexer.is_acsl_keyword.
[Cil] AST changed: 'a before_after type is deleted. All annotations are now attached before.
[Cil] AST changed: removing Told and Pold constructs.
[Cil] Remove incorrect Cil_const.Build_Counter; use State_builder.SharedCounter instead.
[Cil] Various smart constructors and ast helper functions.
[Cil] Support for large constants in programs. My_bigint is now used instead of Int64.t in the AST. Fixes #858.
[Cil] Improve performances of Cil_datatype.Typ.{compare, equal, hash}.
[Cil] Removing types about validity status from the AST. Use module Property_status instead.
[Kernel] module Service_graph: function entry_point in input and output of functor Make now returns an option type.
[Kernel] Bts #729: calling function Plugin.is_visible (resp. Plugin.is_invisible) forces to display (resp. prevents from displaying) the corresponding parameters in an help message.
[Kernel] Extlib.temp_file_cleanup_at_exit and Extlib.temp_dir_cleanup_at_exit may now raise exception Temp_file_error. They may raise an unspecified exception before.
[Kernel] Change semantics of ChangeDoChildrenPost for vstmt_aux. See developer's manual for more precision.
[Kernel] Fixed bug #727 (visiting a GFun spec in frama-c visitor was not done in the appropriate context).
[Kernel] New function File.create_rebuilt_project_from_visitor
[Kernel] Remove several kernel functions: Ast_info.pretty_vname: use Cil_datatype.Varinfo.pretty_vname Cil.print_utf8: use module Parameters.UseUnicode- Clexer.keep_comment: use module Parameters.PrintComments Cabshelper.continue_annot_error_set: Cabshelper.continue_annot_error_set: use Parameters.ContinueOnAnnotError.off all Cil, Cilmsg and CilE functions for pretty printing: use Kernel ones instead.
[Kernel] Following items are now deprecated: function Kernel_function.pretty_name: use Kernel_function.pretty module UseUnicode: use module Unicode.
[Kernel] Makefile.plugin and .dynamic more robust wrt external plugins (can make doc clean depend more easily; fixes bug #754, improves bug #742).
[Kernel] get rid of bin/sed_inplace (use ISED from share/Makefile.common where needed, which was the recommended way from the beginning).
[Kernel] Alternative signature for dataflow initial state. A few IntHash replaced by Stmt.Hashtbl.
[Kernel] Removed type Log.source. From now on all locations have type Lexing.position.
[Kernel] Fix bug #790: AST integrity checker issue.
[Kernel] Remove Db_types module. All types are now in Cil_types. Moved type Alarms.t to Cil_types.alarm.
[Kernel] Kernel now accepts declarations as main entry point.
[Kernel] Kernel_function.find_return may now raise exception Kernel_function.No_Statement.
[Kernel] Module Parameters is dead. Each module corresponding to a parameters is moved to Kernel. Module Parameters.Dynamic is now Dynamic.Parameter while Parameters.get_selection_context is now Plugin.get_selection_context. You can use the script bin/carbon2nitrogen to perform the translation (almost) automatically.
[Kernel] New function File.new_machdep in order to register a new machdep dynamically.
[Kernel] Cil_datatype.LogicLabel implemented
[Kernel] Structural_descr.pack is now a private type. Use smart constructors instead.
[Kernel] New function Dynamic.is_plugin_present.
[Kernel] Most types of module Property are now private. Use smart constructors instead.
[Kernel] Remove Kernel_datatype (merge with Cil_datatatype).
[Kernel] new function Kernel_function.set_spec which must be called whenever the spec of a kf is modified.
[Kernel] Remove function CilE.update_gotos.
[Kernel] New way for handling abstract type in the type library.
[Kernel] Fix dynamic access to function [is_default] of parameters.
[Kernel] Dynamic.load_module searches in plugin path as advertised in its documentation
[Kernel] Exporting Property_status.self state
[Kernel] Ensures that a unique kf is generated per function in each project, avoid using kf for project A in project B.
[Kernel] Modification of Log.print_on_console. No more based on Format.kfprintf to avoid deadlock when error are raised by plugin pretty printers.
[Kernel] Adding option ~dkey to Log.debug functions. See Log.Messages for details.
[Kernel] Properties_status is now called Property_status. Fully new interface.
[Kernel] Add IPLemma, IPNotacsl and IPConjunction as new constructors of Property.t; remove IPBehavior.
[Kernel] Annotations.replace and Globals.Annotations.replace_all are removed.
[Kernel] Signature of Plugin renamed for consistency. Use carbon2nitrogen for automatic translation.
[Kernel] Add Kernel.Unicode.without_unicode, which applies a function without upsetting the Unicode option in the gui.
[Kernel] Getters of Dynamic.Parameter now get an extra argument of type unit. May improve efficiency a lot.
[Kernel] Export datatype Varinfo.Hptset. Signature change in functor Abstract_interp.Make_Hashconsed_Lattice_Set.
[Kernel] Add parameter ~with_locals to Db.accept_base (prior this, ~with_locals was implicitly false)
[Kernel] Quadruple datatype.
[Kernel] Map_common_interface to have a merge function for Ocaml < 3.12.
[Kernel] Copy visitor creates new kf before visiting a function, allowing to use it for creating Property.t items in the new project during visit (fixes #942).
[Logic] Implementation of statement contracts for function behaviors.
[Logic] Add possibility to cast integer to C integral type when type-checking (Changes parameter of Logic_typing.Make)
[Logic] Fixes bug #751 (Cil.lconstant now returns terms of type integer and not int).
[Makefile] Add target to launch the tests of a specific dynamic internal plugin from Frama-C's main Makefile.
[Ptests] Ptests adds filename of current test before the options given to frama-c (see #736).

Frama-C GUI

New Features

[Gui] Hide empty plugins columns in the filetree. Add support for hiding globals entirely.
[Gui] Automatically show the main function at launch.
[Gui] Menu to configure what is displayed in the filetree.
[Gui] Add history for navigating source code.
[Gui] Support to display the state of the absolute memory.
[Gui] Double-clicking on a warning now displays the pretty-printed source location
[Gui] Improve labels under the icons of the toolbar. Smart constructors in Menu_manager now require a label and a tooltip.

Developers Only

[Gui] Signature change for Filetree#append_pixbuf_column.
[Gui] Signature change for Filetree#add_select_function, Filetree#select_global and Menu_manager.entry. Deprecate Design.apply_on_selected.
[Gui] Menu_manager now support check menus and toggle buttons

Plugin Aorai

New Features

Deterministic automata.
Automaton is handled by contract of leaf functions.

Bug Fixes

State names used as enum constant are checked to be admissible fresh C identifiers.
Fix issue in translation of guards + better error messages.
Existing assigns are augmented with the locations corresponding to the instrumentation of the automaton.
Generation of loop invariant for intermediate counter + fixes various issues

Developers Only

Redefinition of internal structures before enabling Ya extensions for sequences

Plugin Dataflow

Improve precision of backwards dataflow algorithm and of postdominators on 'if' with a missing branch

Plugin Dominators

,Postdominators No feedback by default. Use -dominators-verbose 2 or -postdominators-verbose 2 if you need it.

Plugin From

Display results function by function, instead of as one big block (may lower memory consumption considerably).
Fix #781: handling of function calls with an implicit cast for the assignment of the result.
Display name of called function when displaying results of option -calldeps.
Minor interface changes in From. Replace some meaningless kinstr by stmt, and make the callbacks lazy.

Plugin Impact

Correct a journalisation bug in gui mode.
Bug fixed when plug-in `Security_slicing' cannot be loaded or is incompatible with Impact.
Bug fixed with '-impact-pragma f' on an unknown function f.

Plugin Inout

New Features

Improved precision of the computation of operational inputs in presence of function calls.
Improved messages in presence of recursive calls
Correctness in presence of recursive calls. See issue #733.
Operational inputs and outputs are now more precise for library functions: assigns clause are evaluated at each call.

Developers Only

Db.InOutContext becomes Db.Operational_inputs.
Interface change. Non_contextual renamed to Cumulative_analysis.

Plugin Metrics

New command-line options to compute the functions potentially called from a given function, and the percentage of functions analyzed by the value analysis.
Improves efficiency of metrics computation.

Plugin Occurrence

Better pretty-printing: do not display internal ids anymore.
Fixed bug when journalising.

Plugin Pdg

Pdg can now be saved on disk.
Improved time and space complexity on big functions.
Better precision in the dependencies. Fix bug #787, #789 and #802 : infinite loops creation in slicing.
Fix bug #787 but leads to less precise dependencies.

Plugin Postdominators

Add Db.PostdominatorsValue: postdominators taking into account value analysis results

Plugin Rte

No longer position 'Don't know' statuses
Correct plug-in name for dynamically registered RTE functions.
Option -rte-precond is not entailed by -rte-all anymore (precontion annotations must now be required explicitly).

Plugin Scope

"Show Defs" is now an interprocedural analysis.

Plugin Security_slicing

Fixed bug #768 about exception raised when analysing variadic functions. A warning is now emitted: the function is ignored by the analyzer, thus the result is potentially incorrect.

Plugin Semantic Constant

Folding All options are prefixed by "scf". Use -scf-help for the details. Fixed #946. Compatibility is preserved thanks to option aliases.

Plugin Slicing

New Feature

Option -slice-print is now deprecated: use instead <normal slicing command> -then-on 'Slicing export' -print

Bug Fixes

Fixed bug #709: missing statements in sliced program.
Fixed bug #774: journalisation works again.
Fix bug #786: missing label in sliced program.
Fix bug #799: missing label in sliced program.
Fix incorrect simplification of single-statement block in presence of label.
Use correct function during generation of sliced project. Fixes #950.

Plugin Syntactic Callgraph

Fixed issue #723: syntactic callgraph does not require an entry point anymore. If no entry point, services are less precise yet.

Plugin Users

Calls to this plug-in are now written in the journal.

Plugin Value

New Features

Uniformized message displayed when no information is available for a function.
Take Flush-To-Zero possibility into account for single-precision floats.
Improved informative messages about addresses of locals escaping their scope.
Improved option -subdivide-float-var when used without -all-rounding-modes. Improvement marginal for double computations and significant for float ones.
Each precondition can get a specific validity status.
Use hash-consed sets of statements, making many analyses faster and leaner for large functions or idioms that make functions large at normalization (e.g. large initialized local arrays).
Improved results for operation % by zero. Removed message about binary operators raising exceptions.
Option -val-after-results to control the recording of post-statement states. Active by default in the GUI.
Alarms may pretty print the abstract value culprit for the potential violation. This is particularly informative for certain alarms.
New option -no-val-show-progress
More aggressive state reduction when emitting pointer_comparable assertions. Use option -undefined-pointer-comparison-propagate-all if you liked the old behavior better.
Literal strings are now read-only.
Emit \pointer_comparable alarm for unspecified. equality test between literal strings such as "foo" == "foo".
New builtin Frama_C_dump_each_file, which dumps the entire memory state into successive files.
Option -val-builtin: experimental support for builtins that can fail (by calling a fallback C function).
More precise when an alarm is emitted in a loop.
Postconditions containing \old are now handled.
Uses "complete behaviors" information.
Loop invariants are now used to improve analysis.
Improve behavior in presence of errors during the computation of the initial state. Allow non ISO global initializers using the value of constant globals defined earlier.
Improve handling of assigns in library functions.
Remove non-relevant variables from the 'Modifies' clauses of the GUI.
Wide strings more supported.
Better message when interpretation stops for a function argument.
Improved precision when using -all-rounding-modes.
Improved precision of &.
New informative message when not using. -val-signed-overflow-alarms "2's complement assumed for overflow"
Raised cut-off limit between sets and intervals from 7 to 8 elements.
Improved precision of if (x!=c) when the value set of x is an interval of 9 elements.
New alarm, for programs that do not respect C99 6.5.16.1:3 (overlapping assignment from lvalue to lvalue). Partially supported (not emitted in some cases).
New option -remove-redundant-alarms for removing redundant alarms. This was previously done by default. Use this option if you are going to inspect alarms emitted by Value.
Do not continue evaluating successive 'requires' or 'ensures' clauses if one of them is false.
New alarm for left shift of negative values. Minor other changes related to shift operation alarms.

Bug Fixes

Changes related to 0., +0., -0., sort of thing. Unwarranted loss of precision fixed.
Fixed representation of unknown single-precision floats in initial context (it used to be the same as for an unknown double).
Fixed crash when passing invalid argument to function, found by John Regehr using random testing (jrrt).
Fixed correctness bug involving nested structs (jrrt).
Fixed forgotten warning when passing completely undefined lvalue as argument to function. (jrrt)
Fixed bug when passing bitfield as argument to function. (jrrt)
Fixed bug when passing struct as argument to function with a big-endian target architecture.
Fixed bug #732: Synthetic results were partial when -slevel was set not high enough to unroll loops completely.
Fixed correctness bug when bitfield initializer exceeds range (bug #721) (jrrt).
Fixed crash with ACSL assertions involving floating-point variables (bug #752).
Some floating-point alarms could be printed several times. Fixed.
Fixed bug #689. Each postcondition can get a specific validity status.
Correctly emit \pointer_comparable(...) alarms.
Fix bug #798: calls to functions that return a value with latent conversion.
Fixed crash for high values of -subdivide-float-var
Fixed bug when bitfield receives the result of a function call (bug #819).
Fixed undocumented builtin is_base_aligned.
Remove some uneeded warnings when comparing function pointers with NULL. Fixes bug #855.
Much more clever when interpreting logic terms, including those containing \old (eg. formals in postconditions)

Developers Only

Minor interface changes in Value. Replace some meaningless kinstr by stmt, and make the callbacks lazy.
Defunctorized Lattice_Interval_Set.
Changed representation of bases for literal strings in preparation of related checks.
Functions valid_* now take an argument ~for_writing Pass true when the lvalue being considered is used for writing in the program. Pass false when unsure.
Add argument "exact" to Lmap.paste_offsetmap (which was preciously supposed to be always true).
Module Cvalue_type renamed to Cvalue. Module Relations_type removed. Use Cvalue instead.
Add some missing ~with_alarms arguments, notably to offsetmaps copy and paste.
Signature change in CilE: plugins that want to emit Value analysis alarms must define their own emitters.
Changed the representation of Ival.t. If an external plug-in matches "Ival.Set s", a simple fix is to add "let s = Ival.set_of_array s in" as first line of that case.

Nitrogen_20111001 Release [0.5]

Plugin WP

[Cmd] Adding support for reporting with option: -wp-report.
[Cmd] Adding support for external proof libraries. See options -wp-include, -wp-tactic, -wp-coq-lib and -wp-why-lib.
[Cmd] Adding support for multi-provers in command line.
[GUI] Changes into Gui panel.

Nitrogen_20111001 Release [0.4]

Plugin WP

New Features

[Cmd] New engine to compute proof obligations for arbitrary invariants. See option -wp-invariants.
[Cmd] Added option -wp-proof-trace to obtain more informations from provers when available (option 'Trace' in GUI).
[Cmd] Optimization of arguments passing by reference with option: -wp-byreference.
[Ergo] Alt-Ergo 0.93 now required.
[Ergo] Alt-Ergo is always used with builtin arrays. Removed option -wp-arrays.
[GUI] Removed 'Refresh' button from WP panel.
[GUI] Enhancement of Proof-Obligation panel.
[GUI] Default output directory is set to <home>-.frama-c-wp in Gui.
[GUI] New menu options to prove preconditions at one or all call sites.
[GUI] Feedback for proof of preconditions at call sites.
[Hoare] New Hoare model (now implemented on top of logic variables).
[Vampire] Support for Vampire as back-end prover.
[WP] No more logic generic pointers. Pointer arithmetics moved to memory models.
[WP] Better representation of records and unions in logic.
[WP] Alt-Ergo is now selected (and run) by default.
[WP] Handling partial initializers in C global variables.
[WP] Translation of axioms with labels (removed option -wp-axioms).
[WP] Print of formula change.
[WP] Optimization of arguments passing by reference.
[WP] Improvements of conversion between C-integers and Z-integers.
[WP] A warning is now emitted for missing assigns clauses.
[WP] Further improvement for proof of assigns clauses.

Bug Fixes

[GUI] Fixed bug #711 (cyclic dependencies).
[GUI] Fixed bug on PO status (wrong PO identification).
[Store] Better representation of pointers (issue #796).
[WP] Fixed problems with -wp-out <dir>.
[WP] In some cases, a proof attempt could silently failed. It is now properly reported.

Nitrogen_20111001 Release [0.1]

Plugin E-ACSL

[E-ACSL] First public release.

Carbon-20110201 Release [6.2]

Frama-C General

New Features

[Configure] Frama-C does not require Apron anymore (Why does for Jessie). Thus fix bug #647.
[Kernel] Improve performance on platform with dynami.c loading. Mainly impact value analysis (for developers: improve efficiency of Dynamic.get).
[Kernel] Handle errors better when they occur when exiting Frama-C. Slight semantic changes for exit code: - old code 5 is now 127; - code 5 is now: error raised when exiting Frama-C normally; - code 6: error raised when exiting Frama-C abnormally.
[Logic] Fix priority bug in parser.
[Logic] Mentioning a formal on the left-hand side of an assigns clause is now an error when type-checking logic annotations.
[Makefile] Fixed bug #638. By default, warnings are no more errors when compiling a public Frama-C distribution and plug-ins. SVN versions of Frama-C are still compiled with "-warn-error A".

Bug Fixes

[Kernel] Fixed #313. Entry point with a specification is no longer wiped out.
[Kernel] Fixed bug if an empty string is given on the command line while an option name is expected. There is now a proper error message.
[Makefile] Fixed bug #637: "make install -n" did wrongly create directories.
[Makefile] Fixed bug #660 related to a default Frama-C-compatible ocamlgraph installation under Cygwin (i.e. in a Win32 path containing the ':' character).

Developers Only

[Cil] Fixed bug #645. Ast_info.constant_expr, Cil.[zero,one,new_exp,makeZeroInit,mone,kinteger64_repr, kinteger64,kinteger,integer,constFoldBinOp,mkAddrOf, mkAddrOrStartOf,mkString,parseInt,sizeOf] no longer use an optional argument ?loc. It is now a non optional labeled argument. Previous default value of loc was ~loc:Cil_datatype.Location.unknown which is most of the time not accurate.
[Kernel] Remove API function Messages.enable_collect: please let the kernel do the job.
[Kernel] Remove Messages.disable_echo (can be done using Log module) and Messages.depend (can be done using Messages.self).
[Kernel] New function in API: Kernel_function.find_syntactic_callsites.
[Kernel] Fix bug #677. As a side-effect, function Plugin.add_alias is now deprecated and replaced by Plugin.add_aliases.
[Kernel] New syntactic context for memory accesses with user-supplied validity range.
[Logic] Refactoring of assigns and from AST representation and of Property.identified_property.

Frama-C GUI

New Features

[Gui] Gui options start by -gui and not -GUI
[Gui] Implement feature #635: display messages in the messages panel while loading a batch session in the GUI. The batch session must have been previously executed with the new option -collect-messages.
[Gui] Display more precise state after statement (http://blog.frama-c.com/index.php?post/2011/01/11/Seven-errors-game).

Bug Fixes

[Gui] Fixed 100% cpu load while external command are launched.
[Gui] Fixed bug #666. Do not display misleading "After statement".

Developers Only

[Gui] Added support for icons in Gtk_helper.Icon.

Plugin Inout

Return statement dependencies were forgotten in operational input computations. Fixed.

Plugin Report

Option -report no longer survive after -then.

Plugin Slicing

Fixed bug #673.
New options added for fixing bug #668.

Plugin Sparecode

API modified for fixing #668.

Plugin Value

New Features

Improved precision of | operator.
New alarm for float -> int cast overflows.
Added check that denormals work correctly on host computer (correction would be affected otherwise).
Improved precision of & operator.
Interpretation of ==> in ACSL annotations.
Disabled incorrect interpretation of ACSL statement contracts.
Improve performance of callbacks.
Various minor speed improvements.
More aggressive handling of if(x>e) where x has type double.
Change in initial states generated by -lib-entry Much smaller. Perhaps more representative.
Generate independent assertions for signed overflow and signed underflow. In many cases only one is generated (win!).
Is is now possible to call Frama_C_show_each without ..._x.
Changes in Frama_C_memcpy built-in. Still not perfect.

Bug Fixes

Fixed obscure crash that could happen during very imprecise analyses.
Fixed correctness bug involving pointers to signed integer pointing to memory locations containing unsigned integers or vice versa.

Developers Only

New callback for recording the state after a statement.
Renamed copy to copy_offsmap in Offsetmaps. The name "copy" clashed with Datatypes.

Plugin WP

Plug-in WP removed from kernel-releases (now an independent plug-in).

Carbon_20110201 Release [0.3]

Plugin WP

New Features

[Cmd] Clarification of -save/-then effect on WP
[Cmd] Options -wp-status-xxx to refine goal selection
[Cmd] Option -wp-warnings to display additional informations for 'Stronger' and 'Degenerated' goals.
[Cmd] Adding version in -wp-help.
[Runtime] Optimization of effect-assigns.
[WP] When -rte-precond is not used, wp generates a separate proof obligation for each call site.
[WP] New spliting algorithm. See option -wp-split. Option -wp-split-dim <n> to limit spliting up to 2**n sub-goals.

Bug Fixes

[Coq] Fixed bug #702 on Coq output with large integers.
[Coq] Fixed bug #740 for Coq on Windows. WP now uses directly coqtop -compile instead of coqc.
[GUI] Fixed incorrect property status refresh in the GUI.
[Store] Fixed bug #766 about offsets in assigns.
[WP] Proof of requires of the main entry point (bug #675).

Carbon-20101202 Release [6.1]

Plugin WP

Fixed bug #639: no more Coq compilation to shared directory.
Accessibility of all provers from gui.

Carbon_20101202 Release [0.2]

Plugin WP

[Coq] Fixed bug #639: no more compilation to shared directory.
[GUI] Accessibility of all provers from gui.

Carbon-20101201 Release [6.0]

Frama-C General

New Features

[Cil] Be less aggressive during inline function merge. Alpha equivalent function are now kept separate.
[Cil] Clean up local variables handling and pretty-printing modified pBlock method interface (unified pBlock and pInnerBlock)
[Cil] Cil normalization takes care of abrupt clauses
[Configure] Better detection of native dynlink support.
[Kernel] Feature #484 about requires into named behaviors
[Kernel] Fixed bug #548: limit.h now syntactically correct. Architectures other than x86_32 still unsupported.

Bug Fixes

[Cil] Extended grammar of pragma lines.
[Cil] Fixed bugs #451 (break outside of loop/switch) and #452 (spurious 'body of f call falls through' warnings)
[Cil] Fixed bug #440 (remove spurious block generation at parsing time that clashed with label scoping rule in ACSL)
[Cil] Fixed #542 (now raises parse error when C function call dot not provide correct number of arguments)
[Configure] Fixed bug in configuration of external plug-ins
[Configure] get rid of known_plugins.ac (fix #462)
[Configure] Always configure OcamlGraph local version (if used) when configuring Frama-C.
[Kernel] Fixed bug in handling of -cpp-command
[Kernel] Tried to fix all permissions on *.{c,h} files
[Kernel] CL options for cabs2cil flags (fix #506)
[Kernel] Fixed #620 (default assigns generation).
[Logic] fix bug #454 (multiple labels in same statement)
[Logic] Fixed wrong precedence of <==>
[Logic] Checking for loop variant position
[Logic] Fix bug #498 (behaviors within same scope must now have unique names)
[Logic] ACSL identifiers starting with a \ are not replaced by pre-processing when a macro of the same name exists (fix #541)
[Logic] Better error messages for logic parser and other fix (fix #512, #538, #553, #560)
[Logic] Fixed #549 (Arrays in the logic)
[Logic] Fixed #570 (implicit conversion to void*) and fixes issue in overloading resolution
[Logic] Priority is used for pretty printing predicates.
[Makefile] Fixed potential generation of corrupted .o
[Makefile] Fix bug #460 when using a non-local ocamlgraph
[Makefile] Fix bug #461 when installing the GUI on a bytecode-only architecture
[Makefile] Fix bug #528 when building a dynamic plug-in in a sandbox.

Developers Only

[Cil] Remove deprecated annotation_status of AAssert in the AST
[Cil] Fix bug #489: constant literal present in original source are preserved in the AST. NB: this implies that they might be explicitly cast when an integer conversion occur.
[Cil] Support for custom extension in grammar of behaviors. See Logic_typing.register_behavior_extension.
[Cil] Preliminary support for function calls in UnspecifiedSequence
[Cil] Cil.makeLocalVar now inserts the variable into one of the function's local blocks.
[Cil] global_annotation has location information
[Cil] Removed function varinfo_from_vid. You can use maps or hashtables indexed by varinfos directly instead.
[Cil] Cil and Cabs expression have now a location.
[Cil] Changed ignored pure exp hook + hook for conditional evaluation of side-effects
[Cil] Extending logic label for plugin purpose.
[Cil] Changed type of doGuard in forward dataflow
[Kernel] Ptmap (resp. Ptset) is renamed into Hptmap (Hptset)
[Kernel] Fix bug #441 (keep track of original names in AST)
[Kernel] Deprecate Globals.Functions.find_englobing_kf. Use Kernel_function.find_englobing_kf which has a much better complexity instead.
[Kernel] Added field b_extended in behaviors to support grammar extensions
[Kernel] New implementation of module Properties_status
[Kernel] Major changes in the kernel. Mainly merge the old modules Datatype and Type into a single most powerful library called Type. The API of these libraries changes.

Consequently, some other API changes. By side effect, a lot of functions of module Cilutil has been removed and replaced by their counterpart in module Cil_datatype.

The script bin/boron2carbon.sh fixes most changes automatically. Feel free to use it to upgrade your plug-in.

In the process, some minor bugs found and fixed in the Frama-C kernel.
[Kernel] File.check_file takes a new argument, allowing to describe which AST fails integrity check in case of trouble.
[Kernel] New Task module: a monadic library for calling asynchronous commands from the toplevel and the gui.
[Kernel] Remove function Globals.has_entry_point. Use Globals.entry_point instead.
[Logic] Parameterize search of field in logic typing functor in a similar way to search of other C symbols
[Logic] Fix bug #505 (Associate default label for predicates with a single label parameter and no argument)
[Project] Reimplementation of the project library (the contents of directory src/project). New API.
[Ptests] Slightly changed semantics of CMD and STDOPT. See developer manual for more info

Frama-C GUI

New Features

[Gui] Better graph display. Require ocamlgraph > 1.4
[Gui] First support for persistent GUI configuration. GtkPaned ratios, main and launcher window dimensions are saved to file frama-c-gui.config in the user's home directory.
[Gui] In expressions 't[v]', allow to select 't' (when it is a variable). To select the entire expression 't[v]', click on the ']' on the right.
[Gui] One tooltip by parameter in the launcher
[Gui] New graph viewer, requires ocamlgraph > 1.5

Bug Fixes

[Gui] Fix bug with toolbar button 'duplicate project'
[Gui] Fixed parsing of floats in frama-c-gui.config

Plugin From

Improved interpretation of assigns clauses

Plugin Inout

New Features

Improved precision of -inout with possibly invalid pointers.
New option -inout-with-formals similar to -inout but without locals and with formals
Improve option -inout-with-formals: cleanup local variables that come from out of call tree functions.
Improved precision for option -inout-with-formals
Clean local variables passed by address to callees from results of -input, -out, -deps
Improve printing of -out -input -deps

Bug Fix

Fixed bug in -inout where operational inputs of called library function were improperly inferred from assigns

Plugin Obfuscator

Option -obfuscate is now part of a new dynamic plug-in `Obfuscator' (fixed issue #265). The behaviour of this option is now journalized and may be run by other plug-ins.

Plugin Occurrence

Fix bug #550: crash when selecting an occurrence if the entry point set by "-main" is incorrect.

Plugin Security_slicing

Only use the GUI; does not require it anymore

Plugin Slicing

Fixed bug #448 about -keep-annotations option

Plugin Syntactic callgraph

Fixed bug #587: proper error message when the entry point is invalid.

Plugin Value

New Features

Optimization in the handling of library functions
More optimization of library functions
Yet more small improvements in value analysis of large programs.
Variables now uninitialized by default. Improves -deps, -input, -output when addresses of local variables are passed as arguments of called functions.
Tweak in -slevel* options. A little slower for some programs, much faster for others.
More consistent naming scheme for generating shorter names when using -lib-entry. "star_" becomes "S_".
Improved Frama_C_memcpy built-in.
Improved precision of analysis for program short s[]= {0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1};main(){return((int*)s)[u()];}
Structures passed as function arguments now precisely handled.
Abort analysis when recursion is encountered.
Clean local variables passed by address to callees from results of -val.
Lowered memory consumption slightly.
"assert(TODO)", used when a property to check in the analyzed code cannot be expressed as ACSL and the user should read the English explanation (e.g. "accessing uninitialized left-value") instead, could look unprofessional to the superficial onlooker. "assert(Ook)" will now be used instead.
Do not emit alarm for uninitialized arguments to non-library functions. Necessary for structs. Relevant messages changed a little.
Improved speed of options -slevel* for arguments in the thousands. Synthetizing results remains slow, so consider options -no-results* if you take advantage of them.
Emit alarm for uninitialized arguments to library functions.
Preliminary support for interpreting C type float as IEEE 754 single-precision.
New option named -undefined-pointer-comparison-propagate-all
Removed undocumented option -float-digits
New option -float-normal (undocumented)

Bug Fixes

Fixed bug with extern variables of incomplete type
Fixed correctness bug involving the comparison of a variable of type float or double.
Do not emit an alarm for the comparison of function addresses to NULL.
Some "Misaligned" imprecision origins were wrongly classified as "Arithmetic". Fixed.
Fixed bug involving typedefs when using option -val-signed-overflow-alarms.
Fixed performance bug that could lead to "stack overflow" error during large analyses.
Fixed memory leak.
Disappearance of non termination messages from the log. The messages were inconsistent.
Emit alarm for overflowing floating-point constants instead of crashing.
Emit proper ACSL alarm for overflowing floating-point binary and unary operators. Fixed #259.
Do not evaluate annotations right after propagation is stopped.
Fixed bug that could happen in programs casting address of floating-point type to address of integer type

Developers Only

There was one too many function called "find_ival". One was renamed to "project_ival".
Function Cvalue_type.V.is_top rebaptized is_imprecise
Renamed Int.eq into Int.equal. Removed Int.neq

Carbon_20101201 Release [0.1]

Plugin WP

[WP] New WP plugin.

Boron-20100401 Release [5.0]

Frama-C General

New Features

[Cil] Extend logic pretty printer to handle all specific clauses
[Configure] Dynamic plug-ins are now statically linked by default whenever native dynlink is not usable (bts #301).
[Configure] Compiling the GUI now requires LablGnomeCanvas.
[Kernel] Add status for all clauses
[Kernel] Clarification of the multiple accesses warning. Becomes "undefined multiple accesses in expression".
[Kernel] Better error messages when a dynamic plug-in cannot be loaded.
[Kernel] Better -*-help.
[Kernel] New option -no-dynlink in order to prevent loading of dynamic plug-ins.
[Kernel] The journal is generated only if the GUI is crashing, or if the option -journal-enable is explicitly set (fixed issue #330).
[Kernel] Backtrace when Frama-C is crashing (only if Frama-C is compiled with caml >= 3.11.0)
[Kernel] New option "-plugin-h" as an alias for option "-plugin-help"
[Kernel] Preliminary standard C library in $FRAMAC_SHARE/libc
[Logic] Better error message when using = in annotations
[Logic] ordering of clauses in contracts
[Logic] If a C typedef integer, real or boolean exists, it takes precedence over corresponding logic type. The logic type remains accessible through its utf-8 denomination.
[Logic] Support for type abbreviation in logic
[Logic] Support for "reads \nothing"
[Logic] Adding "\pi" as built-in symbol

Bug Fixes

[Cil] Bug fixed with incompatible declarations of C functions
[Cil] Fix crash in parser when double definition of variable in two different files, in some order (fixed bug #213)
[Configure] Fixed bug with -help.
[Kernel] -kernel-debug and -kernel-verbose did not work as expected (bts #343).
[Kernel] -load-script did not clean up compiled files after exiting (fixed bug #371)
[Logic] Support for abrupt clauses; Modifies AST
[Logic] Fixed bug #272 (complete behaviors wo name)
[Logic] Fixed bug #228, #327 (syntax garbage at end of contracts)
[Logic] More utf-8 identifier accepted (fixes bug #366)
[Logic] Default label is "Old" inside \old(...)
[Logic] complete/disjoint behaviors do not accept undefined behaviors anymore (fixed bug #364)
[Logic] Full support for \let (fixed bug #344)
[Logic] Arrays and pointers are distinct in the logic, as per ACSL reference. Fixes bug #396
[Makefile] Fixed bug #305: make did not terminate when all plug-ins were disabled.
[Makefile] Fixed bug #310: improve robustness against new ocaml warnings.
[Makefile] Some GUI library files was not installed
[Makefile] Fixed 'make clean' in plug-in directory (bug #407)
[Makefile] Fix bug for generating .o files through recursive calls to Make in quiet mode (VERBOSEMAKE unset)

Developers Only

[Cil] pAssigns now prints directly a whole list of assigns
[Cil] New hook after Cabs elaboration (fix bug #446)
[Configure] Improved dependencies handling (fix #54)
[Kernel] Add unique id for elements in Db.Properties.Status tables.
[Kernel] Function Db.Properties.predicate_on_stmt and Db.Properties.get_user_assert does not exist anymore.
[Kernel] Module Db.Properties.Status replaced by module Properties_status.
[Kernel] Extlib now contains various functions to replace Sys.command but with portability and efficiency in mind.
[Kernel] Use of global logic constants is now a TLval (TVar _,TNoOffset) instead of TApp(_,[])
[Kernel] Support for dynamic uses of StringSet parameters
[Kernel] New implementation of save/load with small changes in the project API. Loading is now rid of its previous allocation peak and faster.
[Kernel] Type.register is more robust but gets a modified interface (fixed issue #276)
[Kernel] Major changes in API of module Annotations: add possible dependencies from/to a single annotation of a statement
[Kernel] Log.protect is replaced by Cmdline.protect
[Kernel] Kernel_function.Set now implemented with Patricia.
[Kernel] Type changes in Db.Properties.Interp. Use ~result:None to get your plug-in to compile again.
[Kernel] Dynamic.register and Dynamic.get are more robust, but take an extra parameter
[Kernel] Slight modification of Hook API
[Project] Project.register_todo_on_clear is deprecated and replaced by Project.register_todo_before_clear

Frama-C GUI

New Features

[Gui] Assigns clauses are now localizable in GUI
[Gui] Extend type Pretty_source.localizable
[Gui] Options *-verbose, *-debug and -quiet are now settable via the launcher dialog box (bts #317).
[Gui] New shortcut buttons.
[Gui] Now possible to delete the current project.
[Gui] Drop gtksourceview 1.x dependency and replace it with gtksourceview 2.x.
[Gui] View property status in GUI. Fixed a bug on reset with strange reactive zones in default buffer.
[Gui] Now possible to save/load a single project (fixed issue #9)
[Gui] Plug-in panels can be detached with drag and drop.
[Gui] New menu entries for loading ocaml scripts and ocaml object files (fixed issue #318)
[Gui] Add a menu entry for setting C source files of the current project

Bug Fixes

[Gui] Instantaneous actions are no longer cancelable but are as fast as possible now.
[Gui] Fixed bug while choosing 'New project' if -cpp-command is set (fixed bug #374)

Developers Only

[Gui] Methods protect and full_protect of main_window_extension_points now have an additional arguments.
[Gui] New implementation for the menubar and the toolbar. API fully changed for adding an item in these bars.

Plugin Impact

In the GUI filetree, for each function, a bullet shows if some statements are highlighted

Plugin Inout

-out and -out-external now obey -inout-verbose option Generated logs re-ordered a little.

Plugin Security

No more distributed.

Plugin Security_slicing

New experimental and quite undocumented plug-in. Sub-part of the old plug-in security. Only usable through the GUI.

Plugin Slicing

Assigns clauses was missing from the sliced program (fixed bug #393)

Plugin Syntactic_callgraph

Big speedup for showing the callgraph in the GUI. Require ocamlgraph >= 1.4.
Fixed bug in services computation.

Plugin Value

New Features

Improved treatment of "assigns p[..]" clauses in -input
Handling of behavior-specific assertions now correct (albeit imprecise).
New option -all-rounding-modes (floating-point) New dependency on C99 functions to control the FPU.
Improved precision of floating-point operations
Take into account all known flush-to-zero floating-point variants. No option seems necessary for now.
Preliminary support of post-conditions for library functions.
New display option -float-relative
Clarified progress messages
Improved precision when loop index has type char or short. Fixes bug #325
Interpreting post-conditions about \result in contracts for functions that have implementations.
New option -slevel-function f:n for fine-tuning semantic unrolling.
Suppressed undocumented option -klr
New options -no-results and -no-results-function, improved replacements for undocumented option -klr
Experimental new option -subdivide-float-var
Experimental new option -val-signed-overflow-alarms

Bug Fixes

Synthetic validity status for assertions.
Some "loss of precision" messages were duplicated and failed to be localized. Fixed.
Fixed bug #372
Fixed uncaught exception that could happen in analysis of programs with floating-point operations.

Developers Only

Changed type of functions Db.Value.*_to_kernel_function. These functions now return a Kernel_function.Set.t. Use Kernel_function.Set.elements to transform this set into a list.

Beryllium-20090902 Release [4.2]

Frama-C General

New Features

[Configure] Detection of dot if required.
[Journal] Better handling of exceptions.
[Kernel] Slightly less false alarms with -warn-unspecified-order
[Makefile] Why is no longer a compilation dependency. It is required only at runtime for the experimental WP plugin.
[Makefile] Now possible to build custom binaries for plug-ins. Roughly these binaries are frama-c[.byte] + the plug-in statically-linked. The goal is called "static" in the plug-in's makefile.

Bug Fixes

[Makefile] Fixed compilation error occurring on a platform which does not support native dynlink and with ocaml >= 3.11 (bts #224).
[Makefile] Frama-C compiles even if ocamlopt is not available.
[Makefile] Fixed bug #236. Require ocamlgraph version > 1.2.
[Project] Fixed bug involving loading and options previously set while saving.

Developers Only

[Cil] Deprecated Cil.get_status. Use Db.Properties.Status.* instead.
[Cil] New pIdentifiedPredicate method in pretty-printer
[Makefile] Fixed bugs with the use of PLUGIN_EXTRA_BYTE and PLUGIN_EXTRA_OPT by plug-ins.

Frama-C GUI

[Gui] Elimination of repeated messages (bts #237).
[Gui] Release the terminal when the splash window is deleted.

Plugin Jessie

Is no longer built within Frama-C. It becomes part of Why.

Plugin Obfuscator

obfuscator does not lose links between logic and C variables anymore (bts #250). Obfuscator now gives a specific name to formal parameters.

Plugin Syntactic callgraph

Improvement of the GUI of syntactic callgraph. Require ocamlgraph > 1.2.

Plugin Syntactic_callgraph

Better implementation for computing the service graph: faster + correctly handle cycles.
-cg-services-only is not relevant anymore.

Plugin Value

Computed values not displayed on -load. Use -val-load to force display of computed values. Use -val -quiet to compute without printing results.
Stopped displaying temporary variables introduced by normalization of source code, and block-local variables.
Fixed display bug when logging the call stack introduced in Beryllium.
Improved treatment of "assigns p[..]" clauses in value analysis. Other plug-ins (outputs,...) have not had the same improvement yet.

Beryllium-20090901 Release [4.1]

Frama-C General

New Features

[Kernel] New options -kernel-help, -kernel-verbose and -kernel-debug (bts #205).
[Logic] "reads" clauses on logic functions and predicates, which disappeared with the introduction of axiomatic blocks, have been ressurrected. Beware that the semantics is slightly different from before: see ACSL document for details. It is used to automatically generate footprint axioms.

Bug Fixes

[Configure] Fixed bug with --disable-gui in configure.in
[Journal] Fix generation of invalid variable name in journal
[Kernel] Restore compatibility with ocaml 3.10.2
[Makefile] Fixed bug with static linking of plug-ins using external libraries (bts #200)
[Project] Fixed bug with save/load in multi-project contexts (bts #161)
[Project] Fixed bug causing delays with -load (bts #180)

Developers Only

[Cil] Added 2 components to Cil_types.typ to optimize bitsSizeOf. The proper way to get a default value is Cil.empty_size_cache. The added value must not be shared by types. No one should need to read this value directly.
[Project] Preliminary support for direct unmarshalling. Datatypes must define value descr. Using Unmarshal.Direct is okay for now.

Frama-C GUI

[Gui] Graphical customization now uses Gtk rc files. A default file is loaded from FRAMAC_SHARE/frama-c.rc. The end user can provide its custom FRAMAC_SHARE/frama-c-user.rc to override defaults.
[Gui] Redesign the dialog box for running analysis
[Gui] New message panel
[Gui] Possible to stop the GUI while computing analysis
[Gui] Improved display of summary information when selecting a file.

Plugin Semantic Constant

Folding Fix bad journalisation

Plugin Syntactic_callgraph

New design of the callgraph in the GUI. Frama-C now requires ocamlgraph 1.2.
New option -cg-services-only to only computes the graph of services

Plugin Value

Improved treatment of conditions involving char or short variables.
Improved integer division. Now returns best effort results when 0 is among the possible values for the divisor.

Beryllium-20090601 Release [4.0]

Frama-C General

New Features

[Configure] For each dynamic plug-in P, a new option --with-P-static is added to configure.in for linking P statically with Frama-C.
[Configure] New option -with-all-static in order to statically link all plug-ins, except those explicitly specified as dynamic (bts '430').
[Configure] better message when a plug-in isn't enable by default.
[Configure] Auto-detection of lablgtk2's custom tree model.
[Journal] Journalisation of plug-ins slicing, sparecode, impact and security done.
[Journal] Journalisation of functions with labels is now possible (bts '427').
[Journal] Operations on projects (bts '436') and code outputs are journalised.
[Journal] Option -journal-loader-run does not exist anymore. Use -load-module instead.
[Journal] Journal disabled by default in batch mode
[Kernel] New implementation of command line parsing
[Kernel] Syntax "-option-name=value" is now valid on the command line. In such a case, [value] may begin by '-', which is forbidden for the usual syntax "-option-name value".
[Kernel] Better message for errors on the command line.
[Kernel] New alias "-h" and "--help" for "-help" (bug #61).
[Kernel] Each boolean option now has an opposite.
[Kernel] New option -load-script to dynamically compile and load an ocaml script.
[Kernel] When loading a module via -load-module, the dynamically registered options are now recognized on the command line.
[Kernel] New environment variable FRAMAC_LIB
[Kernel] New options -no-type and -no-obj
[Kernel] By default, Frama-C stops on annotation errors. Option -continue-annotation-error
[Kernel] FRAMAC_DYN_PATH is now called FRAMAC_PLUGIN
[Logic] Support for concrete type definition.
[Logic] Overloaded logic symbols.

Bug Fixes

[Cil] Fixed parsing of global initializers like "(3>0)?0:1" when Cil.lowerConstants is false.
[Cil] Fixed some localization problems with frontc visitor.
[Cil] Keep track of variables that have block scope (bts '218') uninitialize them at the exit of corresponding block.
[Configure] Fixed bug with --disable-* options (except when '*' was a plug-in name).
[Configure] Fixed issues in configure and makefile if lablgtk2 is not enabled.
[Journal] Fixed bug in journalisation of non-functional values.
[Journal] Fixed bug with -disable-journal and type with no pretty-printer.
[Kernel] Frama-C has now a very early initialisation step. That's fixed minor issues with -journal-disable (bts #14 and #16).
[Logic] Fixed bug in type-checking of polymorphic functions.
[Logic] Allow \ as first letter of identifier.
[Logic] Changed \result_finite_float into \is_finite_float. Alarm generation is still untyped.
[Logic] Fixed predicate typing of \pointer_comparable.
[Logic] Fixed bugs in type unification.
[Makefile] Fixed bug in compilation of dynamic plug-ins with a GUI.
[Makefile] Fixed bug whenever all plug-ins should be static.
[Project] Fixed bug #113: loading a session containing a project p referring to another project generated a new incorrect project p.

Developers Only

[Cil] C expressions now have a unique ID. See frama-c-commits for details.
[Configure] No longer require to modify the end of configure.in when you add a new plug-in.
[Configure] Explicitly require >= OCaml 3.10.0
[Kernel] Some changes in API of module Type (bts '410'). In particular: 1) module FunTbl no longer exist. Replaced by Type.Tbl 2) Merge of pretty printer registration with type registration. No more in module Journal. Only in module Type.
[Kernel] Dynamic plug-ins can now register their own types (abstract from the outside) and operations on such types (bts '413').
[Kernel] File.pretty does not take anymore a formatter as argument. The default output is the one specified by option -ocode.
[Kernel] Type of Db.register changed in order to be able to say that a function call must never be written in the journal.
[Kernel] Dynamic plug-ins have to take care about journalisation.
[Kernel] Cil_state is now called Ast and Cil_state.file is now called Ast.get.
[Kernel] Possibility to define alias for options.
[Kernel] Moved lightweight annotation support from Jessie to Kernel. They are now available for all plugins. Support for lightweight global invariants on globals has been dropped.
[Kernel] Db.Main.extend is now of type unit -> unit
[Logic] Merge terms and tsets in the AST.
[Logic] Tresult has a type attached to it
[Makefile] New implementation of (un)verbose mode (bts '442').
[Makefile] Fixed "dist" and "bdist" targets that had been broken on 02/27.
[Makefile] Independent Makefile for dynamic plug-ins.
[Project] Remove functions Project.save and Project.load: cannot ensure their correctness.

Frama-C GUI

New Features

[Gui] Add 2 separate pages for stdout and stderr redirections .
[Gui] Code annotation and all globals are now reactive to selections (bts '359' and '387').
[Gui] Environment variables FRAMAC_MONOSPACEFONT and FRAMAC_GENERALFONT.
[Gui] Change the warning to panel to preserve decent performance. This imposes lablgtk 2.12 at least.

Bug Fixes

[Gui] Fix a bug with broken UTF-8 output on stdout (bts '420').
[Gui] Reentrancy fix with left panels.
[Gui] Fixed bug with some utf8 strings.
[Gui] Changes having to do with dependencies between computations. Hopefully less problems exist now than before.

Developers Only

[Gui] Add function Design.main_window_extension_points#help_message.
[Gui] The plug-in GUI is now packed with the core plug-in

Plugin Aorai

Aorai is now a dynamic plug-in.

Plugin From

Improved dependencies + bug fixes

Plugin Impact

New Features

Slicing after impact is now possible (bts '301').
Do not select anymore the selected statements except if they are effectively impacted themselves (bts '411').
In the GUI, highlight the selected statement in cyan.

Bug Fixes

Bug fixed in the GUI (on project switching).
In the GUI, fixed bug while the analysis raised an exception. It is now properly caught and displayed on stderr.

Plugin InOut

Add -out-external option.

Plugin Inout

-input_with_formals is now called -input-with-formals

Plugin Jessie

New Features

Jessie is now a dynamic plug-in (bts '419').
GUI mode is now the default, options -jessie-gui and -jessie-goals do not exists anymore
Option for launching jessie is now -jessie, not -jessie-analysis

Bug Fixes

Support constant sizeof and alignof in logic terms (bts '396').
proper message when \lambda is encountered (bts '7528').
fixed bugs #63 and #71 (labels and \at)
Fix bug #8, compilation of jessie with Apron
Support for loop assigns, partially fixes bug #41 see tests/jessie/bts0041-bis.c for details
Full support for loop assigns, including those implicitly generated from function's assigns, fixes bug #41
Support for label Post in assigns clauses. Fixes bug #160
Fixed contract for strchr() and strrchr() in string.h

Plugin Pdg

The functions that return nodes from an annotations now also return a list of the variables declarations nodes.

Plugin Semantic_callgraph

small change in the computation of services: the roots are now the same as the syntactic callgraph (while there is no function pointer).
new options -scg-dump and -scg-init-func consistent with the options -cg-dump and -cg-init-func of the syntactic callgraph.

Plugin Slicing

New option "-slicing-keep-annotations"

Plugin Sparecode

Selected an annotation attached to a function call made a wrong propagation in the visibility of the call (bts #3).
The generated project lost some useful parameters like the entry point (bts #10).

Plugin Syntactic_callgraph

Fixed bug when the callgraph is computed twice
Separate services are now created for callees of the entry point.

Plugin Users

Users are now computed on need while calling !Db.Users.get

Plugin Value

New Features

Improved support for state reduction on a memory read.
Minor changes in floating-point handling.
Adjustments in the appearance of some alarms
Improved results for char ones[] = "11111111"; col_ones = 1 + * (int*) ones;
Trivially redundant alarms are now automatically discharged.
Improved reduction for (ptr-ptr) expressions.

Bug Fixes

Miscellaneous fixes and tuning.
Fixed correctness bug that had a tiny chance to manifest itself when analyzing code that dereferences casted pointers.
Fixed performance bug.
Fixed bug that could appear with assignments like t[5] = t[4]; where t[4] is not a singleton.
Fixed bug with the interpretation of "==>".

Developers Only

New constructor Signed_overflow_alarm for type Alarms.t

Lithium-20081201 Release [3.1]

Frama-C General

New Features

[Kernel] Changed the definition of non-determinist functions in builtin.c. These functions no longer rely on a volatile variable. Analysis logs may change slightly as a result.
[Logic] Added support for (wide) string constants in ACSL formula.

Developers Only

[Cil] New methods for visiting compinfo, enuminfo, fieldinfo and enumitem (prevents potential misuse of copy visitor for these types).
[Cil] enum items now have their own type and are shared between declaration and use.
[Cil] New methods current_function and current_kf methods (bts '406').
[Cil] Modified typeForInsertedCast hook to take as arguments the expression and its original type in addition to the destination type.
[Makefile] Support for native compilation in Makefile.template (require ocaml >= 3.11).
[Makefile] Fixed various bugs in Makefile.template.

Frama-C GUI

[Gui] Improved consistency of some information messages.

Plugin Impact

In the GUI, new panel to manage impact analysis actions.

Plugin Jessie

Fixed bug with multiple labels in axiomatic definitions.
Added example tests/jessie/minimum_sort.c in Jessie tutorial.
Fixed problem with array in logical annotations.
Fixed problem with memory model preventing the proof of some pointer programs. The solution is to require pointers that are compared to belong to the same allocated memory block, which can be expressed in logical annotations using equality of \base_addr constructs.

Plugin Slicing

Unused global variables and types are now removed in sparecode analysis and slicing results.

Plugin Sparecode

New option -rm-unused-globals to remove unused global variables and types.

Plugin Value

Abstract structs are now supported in conjunction with option -lib-entry, and invalid to access.
Removed outdated warning about uninitialized const variables.
Introduced preliminary support for state reductions on a memory read access. This should eliminate some redundant alarms.

Lithium-20081002 Release [3.0]

Frama-C General

New Features

[Journal] Journalization available (only Cmdline and Occurrence are done yet).
[Journal] New options available -load-journal, -journal-name, -journal-disable for user management of journals.
[Kernel] Dynamic linking of plugin available (experimental).
[Kernel] Added option -warn-unspecified-order to display a warning for each unspecified sequence containing writes.
[Logic] Support for \separated.
[Logic] Basic support for sets as first-class value.
[Logic] Support for address-of operator (&) in tsets.
[Project] Projectification of machdep (bts '101').

Bug Fixes

[Logic] Fixed bug "0 can be seen as pointer to any type" (bts '338').
[Logic] Fixed typing error of pointer lval hidden by typdefs.

Developers Only

[Cil] AST changes for unspecified sequences (experimental).
[Kernel] Refined UnspecifiedSequence information.
[Ptests] Added config option STDOPT (see developer's manual for details).

Frama-C GUI

[Gui] Lower the bound on maximum number of displayed globals to 20 (bts '342').

Plugin Deps

In the GUI, the "Dependencies" contextual menu provides the old "Scope" and "Show Def" features in addition to the new "Zones" feature. These three actions can be launch together with the "All" button.

Plugin Inout

New option -input_with_formals.

Plugin Jessie

Fixed path problems with binary distributions.

Plugin Pdg

Fixed bugs for CAT/AF evaluation.

Plugin Semantic_callgraph

New option -scg-dump to dump a semantic callgraph to stdout.

Plugin Slicing

New Features

In the GUI, request related to read/write accesses to lvalues is available from the contextual submenu.
In the GUI, implemented feature request related to highlighting when the source function is called, for CAT/AF evaluation.
In the GUI, new panel to manage slicing actions.
In the GUI, slicing request related to values returned by functions is available from the contextual submenu.

Bug Fix

In the GUI, fixed bugs related to enabling/disabling conditions of the slicing submenu.

Plugin Value

New Features

Added option -no-unspecified-access to disable alarm above.
Raise alarm for undefined behavior caused by side-effects in UnspecifiedSequence (except for function calls).
Changed behavior of option -context-valid-pointers to make it more like the documentation says it is.

Bug Fixes

Fixed huge bug in the computation of the dependencies of an expression. Differences are most visible in the results of options -input and -deps, and of course all she slicing options that make use of these.
Fixed a bug introduced with the "value concatenation" feature where an imprecise value obtained by reading misaligned data would have the origin "Arithmetic" instead of "Misaligned".

Developers Only

Removed argument ~skip_base_deps from all functions in Db.Value that had one. This argument did not make sense.

Helium-20080701 Release [2.0]

Frama-C General

New Features

[Configure] ./configure will not emit so many warning when gui is not available (bts '296').
[Kernel] Do not remove unused static functions.
[Kernel] Change -lib-entry option into a boolean. "-lib-entry foo" becomes "-lib-entry -main foo"
[Logic] Support for constant predicates and functions (breaks 0-argument old syntax).
[Logic] Better error messages for logic typing errors.
[Logic] Typing of terms: implement ACSL semantics for integral/real promotions.
[Logic] Pretty printing of pointer accesses in terms and tsets are now much nicer. For example *(T+(0+i..j)) becomes T[0+i..j].
[Logic] Quantification over arrays are interpreted as quantification over pointers to be consistent with predicates and C function calls.
[Logic] \valid* predicates rejects void pointers.
[Logic] Merge predicates and logic functions when linking multiple c files.
[Logic] Enforce correct return type of logic functions.
[Logic] Typing of recursive logic functions.
[Makefile] Prefix install directories by the value of DESTDIR (patch contributed by Igor Galic).
[Project] Loading works even if the configuration while saving is not exactly equal to the one while loading.

Bug Fixes

[Kernel] -machdep was ignored (bts '309').
[Kernel] Correct promotion rules from bitfields to integers.
[Logic] Correct typing for predicates: no more dangerous promotions.
[Makefile] Fixed bug in "make distclean" (bts '308').

Developers Only

[Logic] AST changes for invariants.

Frama-C GUI

[Gui] Enforce lablgtksourceview dependency and suppressed camlp4 need.
[Gui] First rehighlight support.
[Gui] Invalidate display cache on project switching.
[Gui] Improve speed of configuration menu.

Plugin Constfold

Semantic constant folding does not introduce casts by default.
New option -cast-from-constant has been added to allows cast introductions.

Plugin Impact

Fixed bug when a function is undefined (bts '322').

Plugin Metrics

Number of syntactic calls by functions and potential entry points.
New option -metrics-dump.

Plugin Occurrence

Occurrences of a variable can be computed from any occurrence of the program (not only from its declaration).

Plugin Pdg

Improvement of the precision of interprocedural analysis (bts '179').
Fixed bug in interprocedural analysis (bts '324').

Plugin Slicing

In the GUI, slicing contextual submenu available.
Some slicing requests are available from the GUI.

Plugin Sparecode

New option -sparecode-no-annot (bts '331' and '334').

Plugin Value

Separate warnings for uninitialized and addresses escaping their scopes (these used to be grouped together as "unspecified" alarms)
Remove remaining TOP in value analysis: WELL at amx-valid-depth and for leaf functions.
New implicit context generation with a fixed width of 6 (an option will be available later).
Some partial builtin_va_start support
Removed last top from merging leaf functions returns.
New option -context-width for auto-allocated context pointer width. Defaults to 2.
Do not emit imprecision tracing warning when a lval=lval is optimized.

Hydrogen-20080502 Release [1.2]

Frama-C General

[Makefile] Fixed bug in "make clean-doc" (and "make distclean").

Frama-C GUI

[Gui] All internal options are available in the GUI preferences pannel.

Hydrogen-20080501 Release [1.1]

Frama-C General

New Feature

[Kernel] Option -no-unicode : do not print Unicode chars.

Bug Fixes

[Kernel] Various Win32 path fixes.
[Project] Inconsistent data with multiple projects and while removing projects.
[Project] Fixed bug in save/load with duplicated computations.

Developers Only

[Project] Warnings are project compliant.

Frama-C GUI

New Features

[Gui] Large improvements in reactivity
[Gui] No file selection on startup.
[Gui] Persistent position.
[Gui] Buffer memoization for speedup.
[Gui] Progress added in existing plugins.
[Gui] Project names are pairwise different in the GUI.

Bug Fixes

[Gui] Prefs/Execute bugs fixed.
[Gui] Win32 default fonts fixed.

Developers Only

[Gui] Project management redesigned for older Gtk and for the best.

Plugin Impact

Available from toplevel through -impact-pragma and -impact-print.

Plugin Scope

First release of the plug-in (bts '191').

Plugin Value

Display a warning whenever an uninitialized value causes the death of a branch.
In the GUI, function level information displayed in Information panel.

Hydrogen-20080302 Release [1.0]

Frama-C General

[Makefile] Fixed bug with GUI compilation.
[Project] Fixed bug with checksum computation during save/load.

Frama-C GUI

[Gui] GUI no longer frozen during computations.
[Gui] 'New' menu entry.

Plugin Occurrence

New option -occurrence.
First release of the plug-in.

Plugin Slicing

Fixed bug in interprocedural slicing (bts '201').

Hydrogen-20080301 Release [1.0]

Frama-C General

[Kernel] First release.