
Frama-C community. My name is Maurizio Martignano (www.spazioit.com).

I perform independent SW validation and verification for ESA missions and am currently involved with a European Space Agency project that tries to collect a set of Static Analysis tools and offer them in a pre-packaged ready-to-use form, for use in "blind" analysis - that is, looking at the code as-is (with no analyser-specific annotations of any kind).

I am unsure if Frama-C fits this model - and my preliminary results with open-source codebases seem to confirm that the tool can't be used with "as-is" codebases.

Here's what I did...

I took as test bench the Crazyflie system: https://github.com/bitcraze/crazyflie-firmware.

Its build toolset is available here: https://launchpad.net/gcc-arm-embedded/+download.

From the Makefile, I constructed the following script (frama-c-analyze.sh), which is supposed to be called from within the "src" folder.

    #!/bin/sh
    # Wrapper around Frama-C for the Crazyflie "src" folder. Pass the Frama-C
    # options and the .c files to analyse as arguments ("$@" forwards them unsplit).
    # Variant 1 (commented out): Frama-C's own libc headers and preprocessor.
    #frama-c -c11 -kernel-msg-key pp -kernel-warn-error=-annot-error  -cpp-extra-args="-DUSE_RADIOLINK_CRTP -DENABLE_UART -DARM_MATH_CM4 -D__FPU_PRESENT=1 -D__TARGET_FPU_VFP -DBOARD_REV_D -DESTIMATOR_NAME=anyEstimator -DCONTROLLER_NAME=ControllerTypeAny -DPOWER_DISTRIBUTION_TYPE_stock -Ilib/FreeRTOS/include -Ilib/FreeRTOS/portable/GCC/ARM_CM4F -Isrc -Iconfig -Ihal/interface -Imodules/interface -Iutils/interface -Idrivers/interface -Iplatform -I../vendor/CMSIS/CMSIS/Include -Idrivers/bosch/interface -Ilib/STM32F4xx_StdPeriph_Driver/inc -Ilib/CMSIS/STM32F4xx/Include -Ilib/STM32_USB_Device_Library/Core/inc -Ilib/STM32_USB_OTG_Driver/inc -Ideck/interface -Ideck/drivers/interface -Iutils/interface/clockCorrection -Iutils/interface/tdoa -Iutils/interface/lighthouse -I../vendor/libdw1000/inc -Ilib/FatFS -Ilib/vl53l1 -Ilib/vl53l1/core/inc -DSTM32F4XX -DSTM32F40_41xxx -DHSE_VALUE=8000000 -DUSE_STDPERIPH_DRIVER" "$@"
    # Variant 2: the firmware's cross-compiler (arm-none-eabi-gcc -E) as preprocessor,
    # with the same defines, CPU flags and include paths as the Makefile;
    # %1 and %2 are Frama-C's placeholders for the input and preprocessed output file.
    frama-c -c11 -kernel-msg-key pp -kernel-warn-error=-annot-error  -no-cpp-frama-c-compliant -no-frama-c-stdlib -cpp-command="arm-none-eabi-gcc -E -DUSE_RADIOLINK_CRTP -DENABLE_UART -DARM_MATH_CM4 -D__FPU_PRESENT=1 -D__TARGET_FPU_VFP -DBOARD_REV_D -DESTIMATOR_NAME=anyEstimator -DCONTROLLER_NAME=ControllerTypeAny -DPOWER_DISTRIBUTION_TYPE_stock -mcpu=cortex-m4 -mthumb -mfloat-abi=hard -mfpu=fpv4-sp-d16 -Ilib/FreeRTOS/include -Ilib/FreeRTOS/portable/GCC/ARM_CM4F -Isrc -Iconfig -Ihal/interface -Imodules/interface -Iutils/interface -Idrivers/interface -Iplatform -I../vendor/CMSIS/CMSIS/Include -Idrivers/bosch/interface -Ilib/STM32F4xx_StdPeriph_Driver/inc -Ilib/CMSIS/STM32F4xx/Include -Ilib/STM32_USB_Device_Library/Core/inc -Ilib/STM32_USB_OTG_Driver/inc -Ideck/interface -Ideck/drivers/interface -Iutils/interface/clockCorrection -Iutils/interface/tdoa -Iutils/interface/lighthouse -I../vendor/libdw1000/inc -Ilib/FatFS -Ilib/vl53l1 -Ilib/vl53l1/core/inc -DSTM32F4XX -DSTM32F40_41xxx -DHSE_VALUE=8000000 -DUSE_STDPERIPH_DRIVER %1 > %2" "$@"

The first line calls Frama-C with its own include files and preprocessor. The second line calls Frama-C with the build system's include files and preprocessor.

Using the second line and applying it to all the *.c files in the "src" folder which also appear in the Makefile I got many Frama-C "compilation errors", e.g. "syntax error", "invalid user input", "User Error".

On top of that, I tried to call the "val" plugin on a file that did not show any "compilation" error, e.g. "./modules/src/log.c". I used commands like:

    ./frama-c-analyze.sh -rte -val -main logTask modules/src/log.c
    ./frama-c-analyze.sh -rte -val -main logTOCProcess modules/src/log.c
    ./frama-c-analyze.sh -rte -val -main logControlProcess modules/src/log.c

applying this type of command to all the functions in the file.

The output I managed to get had inside lines like the following:

    [value:alarm] modules/src/log.c:771: Warning: 
      assertion 'rte,mem_access' got status unknown.
    [value:alarm] modules/src/log.c:771: Warning: 
      out of bounds read. assert \valid_read(&ops->variable);
    [value:alarm] modules/src/log.c:772: Warning: 

I found this type of output not very informative, and sort of a false positive.

Did I do something wrong? Am I missing something? Did I need to use the Frama-C includes and "enrich" the code with ACSL annotations?

Thank you very much in advance, Maurizio
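When the "val" plugin is run function by function as above, the alarms arrive as two-line `[value:alarm] file:line: Warning:` / message pairs, one per property, and the same line shows up several times. This added example (not part of the question, and not a Frama-C tool) parses that format and groups alarms by location and by kind so they can be triaged; the sample output is constructed, only the two line-771 alarms are taken from the question.

```python
import re
from collections import defaultdict

# Constructed sample of Frama-C "value" plugin output, modelled on the two-line
# "[value:alarm] file:line: Warning:" / "  <message>" format in the question.
# The line-772 and line-801 alarms and their messages are made up for illustration.
SAMPLE_OUTPUT = """\
[value:alarm] modules/src/log.c:771: Warning: 
  assertion 'rte,mem_access' got status unknown.
[value:alarm] modules/src/log.c:771: Warning: 
  out of bounds read. assert \\valid_read(&ops->variable);
[value:alarm] modules/src/log.c:772: Warning: 
  out of bounds read. assert \\valid_read(&ops->next);
[kernel] Parsing modules/src/log.c (with preprocessing)
[value:alarm] modules/src/log.c:801: Warning: 
  signed overflow. assert -2147483648 <= i + 1;
"""

ALARM_HEADER = re.compile(r"^\[value:alarm\] (?P<file>[^:]+):(?P<line>\d+): Warning:\s*$")


def parse_alarms(text):
    """Return (file, line, message) tuples; the message is the indented line
    that follows each header, and other kernel/plugin lines are skipped."""
    alarms = []
    lines = text.splitlines()
    for idx, raw in enumerate(lines):
        m = ALARM_HEADER.match(raw)
        if m and idx + 1 < len(lines):
            alarms.append((m.group("file"), int(m.group("line")), lines[idx + 1].strip()))
    return alarms


def summarize(alarms):
    """Group alarms by (file, line) and count them by kind (text before the first '.')."""
    by_location = defaultdict(list)
    by_kind = defaultdict(int)
    for path, line, message in alarms:
        by_location[(path, line)].append(message)
        by_kind[message.split(".", 1)[0]] += 1
    return dict(by_location), dict(by_kind)


if __name__ == "__main__":
    loc, kinds = summarize(parse_alarms(SAMPLE_OUTPUT))
    for (path, line), msgs in sorted(loc.items()):
        print(f"{path}:{line}: {len(msgs)} alarm(s)")
        for msg in msgs:
            print("    " + msg)
    print("by kind:", kinds)
```

Feeding the real `frama-c` output into `parse_alarms` (e.g. via `sys.stdin.read()`) gives a per-line count that makes it easier to see which locations recur across the `-main` runs.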

  • Welcome to Stackoverflow! I'm afraid that your question is a bit too broad for the site (see [the FAQ](https://stackoverflow.com/help/mcve)). You might want to post it on the [mailing list](mailto:frama-c-discuss@lists.gforge.inria.fr). As a rule of thumb, setting up an appropriate context for analyzing a whole application can indeed be challenging. The following posts from the Frama-C blog can help: https://frama.link/uSEFqz2B, https://frama.link/msy_yu0Y and https://frama.link/5z6CQuUV – Virgile Oct 29 '18 at 14:08
  • You started by addressing the Frama-C community - but this community is broader than that. Presumably there is a project-specific site for that community? Better to remove that intro so that you are addressing the SO community - where no introduction is required - just ask the question. – Clifford Oct 29 '18 at 15:22
