Module Goblint_libSource
Framework
Sourcemodule Maingoblint : sig ... end Main external executable functionality: command-line, front-end and analysis execution.
Main internal functionality: analysis of the program by abstract interpretation via constraint solving.
Interactive server mode using JSON-RPC.
CFG
Control-flow graphs (CFGs) are used to represent each function.
module Node : sig ... endCFG node. Corresponds to a program point between program statements.
module Edge : sig ... endCFG edge. Corresponds to a (primitive) program statement between program points (and their states).
module MyCFG : sig ... endConstruction and output of CFGs.
Specification
Analyses are specified by domains and transfer functions. A dynamic composition of analyses is combined with CFGs to produce a constraint system.
Global flags for analysis state.
Master control program (MCP) is the analysis specification for the dynamic product of activated analyses.
MCP analysis specification.
Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.
MCP allows activated analyses to query each other during the analysis. Query results from different analyses for the same query are met for precision.
Queries and their result lattices.
MCP allows activated analyses to emit events to each other during the analysis.
Results
The following modules help query the constraint system solution using semantic information.
Perform queries on the constraint system solution.
Queries for constraint variables related to semantic elements.
Configuration
Runtime configuration is represented as JSON. Options are specified and documented by the JSON schema src/util/options.schema.json.
Hooks which run after the runtime configuration is fully loaded.
Autotuning of the configuration based on syntactic heuristics.
src/util/options.schema.json low-level access.
Analyses
Analyses activatable under MCP.
Value
Analyses related to values of program variables.
module Base : sig ... endNon-relational value analysis aka base analysis (base).
module VarEq : sig ... endSymbolic expression equalities analysis (var_eq).
Symbolic variable - logical expression equalities analysis (condvars).
Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial).
Heap
Analyses related to the heap.
Analysis of disjoint heap regions for dynamically allocated memory (region).
Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh).
Path-sensitive analysis of failed dynamic memory allocations (malloc_null).
An analysis for the detection of memory leaks (memLeak).
An analysis for the detection of use-after-free vulnerabilities (useAfterFree).
Concurrency
Analyses related to concurrency.
Locks
Analyses related to locking.
Mutex locking and unlocking analysis (mutexEvents).
module MutexTypeAnalysis : sig ... endAn analysis tracking the type of a mutex (pthreadMutexType).
Must lockset and protecting lockset analysis (mutex).
May lockset analysis and analysis of double locking (maylocks).
Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks).
Deadlock analysis (deadlock).
Threads
Analyses related to threads.
Multi-threadedness analysis (threadflag).
Current thread ID analysis (threadid).
Created threads and their uniqueness analysis (thread).
Joined threads analysis (threadJoins).
May-happen-in-parallel (MHP) analysis for memory accesses (mhp).
Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn).
Other
Data race analysis (race).
Non-relational thread-modular value analyses for Base.
Escape analysis for thread-local variables (escape).
Must received signals analysis for Pthread condition variables (pthreadSignals).
Promela extraction analysis for Pthread programs (extract-pthread).
Longjmp
Analyses related to longjmp and setjmp.
Analysis of active setjmp buffers (activeSetjmp).
Analysis of variables modified since setjmp (modifiedSinceLongjmp).
Analysis of active longjmp targets (activeLongjmp).
Taint analysis of variables that were modified between setjmp and longjmp and not yet overwritten. (poisonVariables).
Analysis of variable-length arrays (VLAs) in scope (vla).
Tutorial
Analyses for didactic purposes.
Simple intraprocedural integer constants analysis example (constants).
module Signs : sig ... endSimple intraprocedural integer signs analysis template (signs).
module Taint : sig ... endSimple interprocedural taint analysis template (taint).
Simplest possible analysis with unit domain (unit).
Other
Analysis of assert results (assert).
Analysis of correct file handle usage (file).
Analysis of initialized local variables (uninit).
Termination analysis of loops using counter variables (term).
Path-sensitive analysis according to values of arbitrary given expressions (expsplit).
Call stack analyses (stack_trace, stack_trace_set, stack_loc).
module Spec : sig ... endAnalysis using finite automaton specification file (spec).
Helper
Analyses which only support other analyses.
Analysis of memory accesses (access).
Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper, threadCreateWrapper).
module TaintPartialContexts : sig ... endTaint analysis of variables modified in a function (taintPartialContexts).
Unassume analysis (unassume).
Stateless symbolic comparison expression analysis (expRelation).
Analysis of assume_abort_if_not-style functions (abortUnless).
Domains
Domains used by analysis specifications and constraint systems are lattices.
Besides lattice operations, their elements can also be compared and output (in various formats). Those operations are specified by Printable.S.
Signature for comparable and outputtable elements. Functors for common printables.
Signature for lattices. Functors for common lattices.
General
Standard general-purpose domains and domain functors.
module DisjointDomain : sig ... endAbstract domains for collections of elements from disjoint unions of domains. Formally, the elements form a cofibered domain from a discrete category.
module HoareDomain : sig ... endAbstract domains with Hoare ordering.
Domain alternatives chosen by a runtime flag.
Analysis-specific
Domains for specific analyses.
Value
Non-relational
Domains for Base analysis.
Numeric
module IntDomain : sig ... endAbstract domains for C integers.
module FloatDomain : sig ... endAbstract domains for C floating-point numbers.
Addresses
Memory locations are identified by mvalues, which consist of a variable and an offset. Mvalues are used throughout Goblint, not just the Base analysis.
Addresses extend mvalues with NULL, unknown pointers and string literals.
module Mval : sig ... endDomains for mvalues: simplified lvalues, which start with a GoblintCil.varinfo. Mvalues are the result of resolving pointer dereferences in lvalues.
Domains for variable offsets, i.e. array indices and struct fields.
module AddressDomain : sig ... endDomains for addresses/pointers.
Complex
module StructDomain : sig ... endAbstract domains for C structs.
module UnionDomain : sig ... endAbstract domains for C unions.
module ArrayDomain : sig ... endAbstract domains for C arrays.
module JmpBufDomain : sig ... endDomains for setjmp and longjmp analyses, and setjmp buffers.
Combined
These combine the above domains together for Base analysis.
Relational
Domains for RelationAnalysis.
Concurrency
module ConcDomain : sig ... endDomains for thread sets and their uniqueness.
May-happen-in-parallel (MHP) domain.
module EscapeDomain : sig ... endDomain for escaped thread-local variables.
module PthreadDomain : sig ... endDomains for extraction of Pthread programs.
Other
Printables and domains for some common types.
module Lval : sig ... endDomains for GoblintCil.lval.
Memory accesses and their manipulation.
module AccessDomain : sig ... endDomain for memory accesses.
module MusteqDomain : sig ... endSymbolic lvalue equalities domain.
module RegionDomain : sig ... endDomains for disjoint heap regions.
module FileDomain : sig ... endDomains for file handles.
module SpecDomain : sig ... endDomains for finite automaton specification file analysis.
Testing
Modules related to (property-based) testing of domains.
QCheck properties for abstract operations.
Incremental
Incremental analysis is for analyzing multiple versions of the same program and reusing as many results as possible.
Combination of CIL files using comparison results.
Tracking of maximum CIL IDs in use.
Serialization/deserialization of incremental analysis data.
Special maps used for incremental comparison.
Solvers
Generic solvers are used to solve (side-effecting) constraint systems.
Top-down
The top-down solver family.
Incremental/interactive terminating top-down solver, which supports space-efficiency and caching (td3).
Warrowing top-down solver (topdown). Simpler version of Td3 without terminating, space-efficiency and incremental.
Terminating top-down solver (topdown_term). Simpler version of Td3 without space-efficiency and incremental.
Terminating top-down solver, which supports space-efficiency and caching (topdown_space_cache_term). Simpler version of Td3 without incremental.
Deprecated top-down solver (topdown_deprecated).
SLR
The SLR solver family.
Two-phased terminating SLR3 solver (slr3tp).
Terminating SLR3 solver (slr3t). Simpler version of SLRphased without phases.
Other
Various simple/old solvers and solver utilities.
Solver, which delegates at runtime to the configured solver.
module PostSolver : sig ... endExtra constraint system evaluation pass for warning generation, verification, pruning, etc.
Fixpoint iteration solvers local to a single transfer function (don't use a constraint system).
Box operator for warrowing solvers.
I/O
Various input/output interfaces and formats.
Messages (e.g. warnings) from the analysis.
Nested tracing system for debugging.
Front-end
The following modules handle program input.
Detection of suitable C preprocessor.
Input program from a real-world project using a compilation database.
Input program from a real-world project using a Makefile.
Witnesses
Witnesses are an exchangeable format for analysis results.
SV-COMP tasks and results.
SV-COMP specification strings and files.
Invariants for witnesses.
Invariant manipulation related to CIL transformations.
Utilities for witness generation and witness invariants.
GraphML
Automaton-based GraphML witnesses used in SV-COMP.
module MyARG : sig ... endAbstract reachability graph.
Analysis specification transformation for ARG construction.
Construction of ARGs from constraint system solutions.
Output of ARG as GraphML.
Streaming GraphML output.
YAML
Entry-based YAML witnesses to be used in SV-COMP.
YAML witness generation and validation.
YAML witness format types.
Widening tokens are a generic and dynamic mechanism for delaying widening.
Violation
Experimental generation of violation witness automata or refinement with observer automata.
Violation checking in an ARG.
ARG path feasibility checking using weakest precondition and Z3 (not installed!).
Finite automaton for matching an infeasible ARG path.
Experimental analysis refinement.
SARIF
module Sarif : sig ... endSARIF rule definitions for Goblint.
Transformations can be activated to transform the program using analysis results.
Signatures and registry for transformations.
Dead code elimination transformation (remove_dead_code).
Transformation for instrumenting the program with computed invariants as assertions (assert).
Transformation for evaluating expressions on the analysis results (expeval). Hack for Gobview.
Utilities
Time measurement of computations.
Intermediate data directory.
General
Unified interface for integer types.
Unified interface for floating-point types.
Lazy evaluation with a fixed function. Allows marshaling.
Lazy type which can be reset to a closure.
Process pool for running processes in parallel.
Terminal color utilities.
CIL
Printables for CIL types.
Custom GoblintCil.varinfo management.
Syntactic loop unrolling.
Library specification
For more precise analysis of C standard library, etc functions, whose definitions are not available, custom specifications can be added.
Kinds of memory accesses.
Library function descriptor (specification).
Library function descriptor DSL.
Hard-coded database of library function specifications.
Analysis-specific
Basic analysis utilities.
Integer and floating-point option and attribute handling.
module ContextUtil : sig ... endGoblint-specific C attribute handling.
Widening threshold utilities.
OCaml implementations of vectors and matrices.
Precision comparison
Signatures for precision comparison.
Build info
Goblint git version info.
Library extensions
OCaml library extensions which are completely independent of Goblint.
Standard library
OCaml standard library extensions which are not provided by Batteries.
module GobGc : sig ... endOther libraries
External library extensions.
module GobZ : sig ... end