3

I want to use the result from the analysis of Value plugin in Frama-C (batch mode) for further evaluation of variables in functions. However, the output seems to be large with lots of [value] tags, what I need is only the part from [value] ====== VALUES COMPUTED ====== with computed values at the end of each function. Does Frama-C support the options that allow me to do that?

Pascal Cuoq
  • 79,187
  • 7
  • 161
  • 281
Trúc Nguyễn Lâm
  • 371
  • 2
  • 9

1 Answers1

3

You may find that the command-line options frama-c -no-val-show-initial-state -no-val-show-progress … make the output more to your taste.

When using the latter option, you may appreciate -val-print-callstacks, which prints each time a message is emitted the call-stack the message corresponds to, since that context is no longer available from the previous lines in the log.

For illustration, the development version of Frama-C at the time of answering shows the messages below by default:

int x;

/*@ assigns x; */
void f(void);

void g(int y) {
  f();
  x += y;
}

int main(void) {
  g(1);
}

Analyzing with frama-c -val t.c:

[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed
[value] Values of globals at initialization
  x ∈ {0}
[value] computing for function g <- main.
        Called from t.c:12.
[value] computing for function f <- g <- main.
        Called from t.c:7.
[value] using specification for function f
t.c:3:[value] warning: no \from part for clause 'assigns x;' of function f
[value] Done for function f
t.c:8:[kernel] warning: signed overflow. assert x+y ≤ 2147483647;
[value] Recording results for g
[value] Done for function g
[value] Recording results for main
[value] done for function main
[value] ====== VALUES COMPUTED ======
[value] Values at end of function g:
  x ∈ [-2147483647..2147483647]
[value] Values at end of function main:
  x ∈ [-2147483647..2147483647]
  __retres ∈ {0}

Analyzing with frama-c -val t.c -no-val-show-initial-state -no-val-show-progress:

[value] Analyzing a complete application starting at main
[value] Computing initial state
[value] Initial state computed
[value] using specification for function f
t.c:3:[value] warning: no \from part for clause 'assigns x;' of function f
t.c:8:[kernel] warning: signed overflow. assert x+y ≤ 2147483647;
[value] done for function main
[value] ====== VALUES COMPUTED ======
[value] Values at end of function g:
  x ∈ [-2147483647..2147483647]
[value] Values at end of function main:
  x ∈ [-2147483647..2147483647]
  __retres ∈ {0}

And adding the option -val-show-callstack means that for the alarm at line 8, the context is shown as below:

t.c:8:[kernel] warning: signed overflow. assert x+y ≤ 2147483647;
                  stack: g :: t.c:12 <- main
Pascal Cuoq
  • 79,187
  • 7
  • 161
  • 281
  • Could you please tell me is there any option to set FramaC value analysis **not** to check for the validity of buffer overflow, division by 0 or other implicit assertions? Since I just only want to known the value of variables in the end. – Trúc Nguyễn Lâm Feb 24 '15 at 23:15
  • 1
    @TrúcNguyễnLâm This is not possible. The analysis **has** to assume that these things do not happen. What is the value of `x` after `y = 0; x = 100 / y;`? What is the value of `z` after `int *p = 0; z = *p;`? These errors must be separated from real results. But you can ignore the messages and look only at the values if you want. In fact, many “derived analysis” do this and provide results that apply only to defined executions of the program. A Perl script should be enough to separate them. – Pascal Cuoq Feb 24 '15 at 23:25