Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] Problems with value analysis
- Subject: [Frama-c-discuss] Problems with value analysis
- From: Julien.Signoles at cea.fr (Julien Signoles)
- Date: Tue, 15 Dec 2009 09:53:46 +0100
- In-reply-to: <20091214180352.5f2263e2@is010235>
- References: <FC0686BB6178BC43B9DC035287A11A720DBE850BF3@SI-MBX12.de.bosch.com> <20091214180352.5f2263e2@is010235>
Hello, Virgile Prevosto a ?crit : > Le lun. 14 d?c. 2009 15:55:09 CET, > "Hollas Boris (CR/AEY1)" <Boris.Hollas at de.bosch.com> a ?crit : > >> - function set is invoked by set( &Ctx, -1, 0 ) in main(), which causes an out of bound access in set(). This is reported for the location in set(), where the out of bound accesss actually happens, but where it is not caused. How can the user discover the origin of the bug? > > I have to admit that there is currently no easy to do it (note however > that the value analysis itself can not decide by itself where the bug > really is. It might have been better at spotting that the pre-condition > of set was not fulfilled, though). However, value analysis gives an > overview of the call stack each time it enters a function, such as > > [value] computing for function set <-main. > Called from file.c:26. > > (if you're using the gui, it is available in the console tab at the > bottom of the window). This is quite helpful for following the flow of > the program. > In your case, since we're dealing with a true alarm which is > always happening and causes an abrupt termination of the whole > analysis, there's an additional possibility, and it goes with the > answers to your second question: Just my 2 cents in addition to the Virgile's answer... Discovering the origin of the bug is mostly an human process, but some Frama-C plug-ins like Datascope and Slicing can help you a little bit via the Frama-C GUI. The first one shows you the statement that may contribute to the erroneous value (here the occurrence of 'idx' at line 16). The second one can display the line of code which may contribute to the error. I illustrate the use of the slicing on your small example. - run "frama-c-gui -val foo.c" on your example - right click on the buggy statement and select "Slicing" - right click again on the same statement, select "Slicing", then "Slice lval" - enter "idx" in the dialog box (why idx? because the assertion generated by the value analysis tells you that idx should belong to [0;100], while you can see that its value is -1 by clicking on 'idx' at the buggy statement: a wrong value for idx is the origin of the out of bound access) - the green code is the only one which may contribute to the out of bound access Hope this helps, Julien
- References:
- [Frama-c-discuss] Problems with value analysis
- From: Boris.Hollas at de.bosch.com (Hollas Boris (CR/AEY1))
- [Frama-c-discuss] Problems with value analysis
- From: virgile.prevosto at cea.fr (Virgile Prevosto)
- [Frama-c-discuss] Problems with value analysis
- Prev by Date: [Frama-c-discuss] problem with verify a list
- Next by Date: [Frama-c-discuss] problem with verify a list
- Previous by thread: [Frama-c-discuss] Problems with value analysis
- Next by thread: [Frama-c-discuss] arithmetic overflow unsigned int
- Index(es):