Questions tagged [frama-c]

Frama-C is an Open Source suite of tools dedicated to the analysis of C source code.

Frama-C offers ready-to-use analyses for C programs: call graph, value analysis, functional dependencies, Program Dependence Graph, runtime monitoring, etc. It also allows the verification of functional properties, temporal logic, and much more. Results can be expressed in plain text, in SARIF, or in Frama-C's graphical interface.

Each analysis is implemented as a plug-in, and plug-ins inside the platform can use the results of one another. Frama-C is Open Source and extensible: new analyses can be implemented in OCaml as additional plug-ins that take advantage of existing ones. They communicate using the ACSL specification language, which also enables describing what the program is supposed to do.

Most provided analyses in Frama-C are sound: used within a delimited perimeter, all the behaviors that can happen at run-time are included in the behaviors statically predicted by Frama-C. Notwithstanding the possibility of bugs, plug-ins must be used as documented for the property to hold. This makes it possible to use Frama-C for the formal verification of C programs.

447 questions
2 votes, 2 answers

Error while installing libgnomecanvas in MacOS Ventura (Frama-C pre-requisite) using brew on terminal

I am trying to install Frama-C in MacOS Ventura, which has as pre-requisite the installation of libgnomecanvas, but I get an error when installing by using brew. When I use brew install libgnomecanvas I obtain the following error: Error:…
DavidSanan
2 votes, 1 answer

How to specify variable bounds in a clean way?

/*@ requires 0 <= lb < N_LOG_BLOCKS && 0 <= lp < N_PAGE ; requires ( 1 <= h_clean_counter + l_clean_counter <= N_PHY_BLOCKS ); requires 0 <= h_act_block_index_p < N_PHY_BLOCKS && 0 <= h_act_page_p < N_PAGE; requires 0 <=…
2 votes, 2 answers

Why can small size of array be proved, but can't large one?

I tried to prove an example from frama-c-wp-tutorial. That example is at Sect. 6.2.4, but I modified some code. #include #include #include #define size 150 /*@ axiomatic Counter{ logic integer…
蔡登瑞
2 votes, 1 answer

Frama-C: Creating a ghost field in a non-ghost structure

My goal is to create a ghost field in a non-ghost structure. What I understand from the ACSL manual (v.1.17) is that this is possible in ACSL: If a structure has ghost fields, the sizeof of the structure is the same as the structure without ghost…
jobnz
2 votes, 1 answer

How do I declare a logic variable?

I have implemented the example code in chapter 4.17.7 in the Developer Manual. The example is a copy visitor that adds an assertion for each division in the program, stating that the divisor is not zero. The code is as follows: open Cil_types …
Hovig
2 votes, 1 answer

Why does WP care about main?

In the following minimal example (slightly altered from Allan Blanchard's excellent tutorial -- section 3.2.3.3 Side Effects): int h = 42; /*@ requires \valid(a) && \valid(b); requires \valid_read(a) && \valid_read(b); ensures *a == \old(*b)…
Stephen Gaito
2 votes, 1 answer

Frama-C Prove While Loop with "/*@ ensures"

I am a newbie at Frama-C and I am trying to validate a C code. The code is very basic but somehow I can not validate it. In summary, I am trying to prove if that function or loop has ever run. For that, I give a variable a value (4) in the…
Uğur B
2 votes, 1 answer

Frama-C: Array accesses with non-deterministic sizes

I have been trying to reason about a loop over a dynamically-allocated array with a non-deterministic size, but I haven't been able to convince Frama-C/Eva of the \validity of memory that is returned by malloc. After boiling it down to: #include…
hpacheco
2 votes, 1 answer

Does Frama-C catch the UB of reading uninitialised stack variables?

I'm exploring Frama-C and tried this example, which according to the manual (on page 83) should be Handled (CWE-457), and the RTE manual 2.7 (do ints have a trap representation? http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2091.htm) should be…
2 votes, 1 answer

Why are solvers timing out on a trivial bitmask function?

Getting started with frama-c and decided to prove a trivial bitmask function worked as intended. /*@ requires width > 0 && width <= 64 ; assigns \nothing ; ensures \result > 0 ; ensures \result == (1 << width) - 1 ; */ uint64_t…
montytyper
2 votes, 3 answers

Does the compiler generate implicitly converted code before creating an object code?

I installed frama-c in my system. What it does is, it converts all my code into a more expanded form with all the implicit conversions of C. (E.g.) //My Actual Code if(opTab ==NULL || symTab ==NULL || intermediateFile==NULL || sourceCode ==NULL) { …
2 votes, 0 answers

Dynamic linking error when using ppx_compare

In my own Frama-C plugin, I would like to use ppx_compare for generation of compare functions. After adding the following line to my plugin's Makefile: PLUGIN_REQUIRES = ppx_compare the plugin is successfully compiled and installed, but running…
Tom
2 votes, 1 answer

Function call in an "if" clause to ACSL

Consider the following code int f(int a, int b){ return 0; } /*@ ensures (f(2,3)== 0) ==> \result == 2; */ int g() { if (f(2,3) == 0) return 2; return 0; } The response of frama-c to the following code is the following…
GeePi
2 votes, 0 answers

Frama-c - Problem with proving "assigns" until strlen

I have a problem with proving assigns after calling other function that assigns until strlen. Below is a simple example with a call to a function from standard library. The function contract is basically a copy from strcpy requirements. #include…
2 votes, 1 answer

Frama-c fails to prove verify.c from Allan Blanchard's tutorial

I am trying to learn frama-c from Allan Blanchard's tutorial and I have had trouble verifying the installation as suggested in the tutorial. The author provides a C file with ACSL annotations, all of which frama-c is supposed to be able to prove.…