Main library.
Framework
module Maingoblint : sig ... end
Main external executable functionality: command-line, front-end and analysis execution.
Main internal functionality: analysis of the program by abstract interpretation via constraint solving.
Interactive server mode using JSON-RPC.
CFG
Control-flow graphs (CFGs) are used to represent each function.
Construction and output of CFGs.
Specification
Analyses are specified by domains and transfer functions. A dynamic composition of analyses is combined with CFGs to produce a constraint system.
Master control program (MCP) is the analysis specification for the dynamic product of activated analyses.
MCP analysis specification.
Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.
MCP allows activated analyses to query each other during the analysis. Query results from different analyses for the same query are met for precision.
Queries and their result lattices.
MCP allows activated analyses to emit events to each other during the analysis.
Results
The following modules help query the constraint system solution using semantic information.
Perform queries on the constraint system solution.
Queries for constraint variables related to semantic elements.
Configuration
Runtime configuration is represented as JSON. Options are specified and documented by the JSON schema src/common/util/options.schema.json
.
Autotuning of the configuration based on syntactic heuristics.
Analyses
Analyses activatable under MCP.
Value
Analyses related to values of program variables.
module Base : sig ... end
Non-relational value analysis aka base analysis (base
).
module VarEq : sig ... end
Symbolic expression equalities analysis (var_eq
).
Symbolic variable - logical expression equalities analysis (condvars
).
Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial
).
Heap
Analyses related to the heap.
Analysis of disjoint heap regions for dynamically allocated memory (region
).
Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh
).
Path-sensitive analysis of failed dynamic memory allocations (malloc_null
).
An analysis for the detection of memory leaks (memLeak
).
An analysis for the detection of use-after-free vulnerabilities (useAfterFree
).
An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds
).
Concurrency
Analyses related to concurrency.
Locks
Analyses related to locking.
Mutex locking and unlocking analysis (mutexEvents
).
module MutexTypeAnalysis : sig ... end
An analysis tracking the type of a mutex (pthreadMutexType
).
Must lockset and protecting lockset analysis (mutex
).
May lockset analysis and analysis of double locking (maylocks
).
Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks
).
Deadlock analysis (deadlock
).
Threads
Analyses related to threads.
Multi-threadedness analysis (threadflag
).
Current thread ID analysis (threadid
).
Created threads and their uniqueness analysis (thread
).
Joined threads analysis (threadJoins
).
May-happen-in-parallel (MHP) analysis for memory accesses (mhp
).
Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn
).
Other
Data race analysis (race
).
Non-relational thread-modular value analyses for Base
.
Escape analysis for thread-local variables (escape
).
Must received signals analysis for Pthread condition variables (pthreadSignals
).
Promela extraction analysis for Pthread programs (extract-pthread
).
Longjmp
Analyses related to longjmp
and setjmp
.
Analysis of active setjmp
buffers (activeSetjmp
).
Analysis of variables modified since setjmp
(modifiedSinceLongjmp
).
Analysis of active longjmp
targets (activeLongjmp
).
Taint analysis of variables that were modified between setjmp
and longjmp
and not yet overwritten. (poisonVariables
).
Analysis of variable-length arrays (VLAs) in scope (vla
).
Tutorial
Analyses for didactic purposes.
Simple intraprocedural integer constants analysis example (constants
).
module Signs : sig ... end
Simple intraprocedural integer signs analysis template (signs
).
module Taint : sig ... end
Simple interprocedural taint analysis template (taint
).
Simplest possible analysis with unit domain (unit
).
Other
Analysis of assert
results (assert
).
Analysis of correct file handle usage (file
).
Termination analysis for loops and goto
statements (termination
).
Analysis of initialized local variables (uninit
).
Path-sensitive analysis according to values of arbitrary given expressions (expsplit
).
Call stack analyses (stack_trace
, stack_trace_set
, stack_loc
).
module Spec : sig ... end
Analysis using finite automaton specification file (spec
).
Helper
Analyses which only support other analyses.
Analysis of memory accesses (access
).
Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper
, threadCreateWrapper
).
module TaintPartialContexts : sig ... end
Taint analysis of variables modified in a function (taintPartialContexts
).
Unassume analysis (unassume
).
Stateless symbolic comparison expression analysis (expRelation
).
Analysis of assume_abort_if_not
-style functions (abortUnless
).
Domains
Domains used by analysis specifications and constraint systems are lattices.
Besides lattice operations, their elements can also be compared and output (in various formats). Those operations are specified by Printable.S
.
General
Standard general-purpose domains and domain functors.
module DisjointDomain : sig ... end
Abstract domains for collections of elements from disjoint unions of domains. Formally, the elements form a cofibered domain from a discrete category.
module HoareDomain : sig ... end
Abstract domains with Hoare ordering.
Domain alternatives chosen by a runtime flag.
Analysis-specific
Domains for specific analyses.
Value
Non-relational
Domains for Base
analysis.
Numeric
module IntDomain : sig ... end
Abstract domains for C integers.
module FloatDomain : sig ... end
Abstract domains for C floating-point numbers.
Addresses
Memory locations are identified by mvalues, which consist of a variable and an offset. Mvalues are used throughout Goblint, not just the Base
analysis.
Addresses extend mvalues with NULL
, unknown pointers and string literals.
module Mval : sig ... end
Domains for variable offsets, i.e. array indices and struct fields.
module AddressDomain : sig ... end
Domains for addresses/pointers.
Complex
module StructDomain : sig ... end
Abstract domains for C structs.
module UnionDomain : sig ... end
Abstract domains for C unions.
module ArrayDomain : sig ... end
Abstract domains for C arrays.
module JmpBufDomain : sig ... end
Domains for setjmp
and longjmp
analyses, and setjmp
buffers.
Combined
These combine the above domains together for Base
analysis.
Relational
Domains for RelationAnalysis
.
Concurrency
module ConcDomain : sig ... end
Domains for thread sets and their uniqueness.
May-happen-in-parallel (MHP) domain.
module EscapeDomain : sig ... end
Domain for escaped thread-local variables.
module PthreadDomain : sig ... end
Domains for extraction of Pthread programs.
Other
module Lval : sig ... end
Memory accesses and their manipulation.
module AccessDomain : sig ... end
Domain for memory accesses.
module MusteqDomain : sig ... end
Symbolic lvalue equalities domain.
module RegionDomain : sig ... end
Domains for disjoint heap regions.
module FileDomain : sig ... end
Domains for file handles.
module SpecDomain : sig ... end
Domains for finite automaton specification file analysis.
Testing
Modules related to (property-based) testing of domains.
QCheck properties for abstract operations.
Incremental
Incremental analysis is for analyzing multiple versions of the same program and reusing as many results as possible.
Combination of CIL files using comparison results.
Tracking of maximum CIL IDs in use.
Serialization/deserialization of incremental analysis data.
Special maps used for incremental comparison.
Solvers
Generic solvers are used to solve (side-effecting) constraint systems.
Top-down
The top-down solver family.
Incremental/interactive terminating top-down solver, which supports space-efficiency and caching (td3
).
Warrowing top-down solver (topdown
). Simpler version of Td3
without terminating, space-efficiency and incremental.
Terminating top-down solver (topdown_term
). Simpler version of Td3
without space-efficiency and incremental.
Terminating top-down solver, which supports space-efficiency and caching (topdown_space_cache_term
). Simpler version of Td3
without incremental.
Deprecated top-down solver (topdown_deprecated
).
SLR
The SLR solver family.
Two-phased terminating SLR3 solver (slr3tp
).
Terminating SLR3 solver (slr3t
). Simpler version of SLRphased
without phases.
Other
Various simple/old solvers and solver utilities.
Solver, which delegates at runtime to the configured solver.
module PostSolver : sig ... end
Extra constraint system evaluation pass for warning generation, verification, pruning, etc.
Fixpoint iteration solvers local to a single transfer function (don't use a constraint system).
Box operator for warrowing solvers.
I/O
Various input/output interfaces and formats.
Front-end
The following modules handle program input.
Detection of suitable C preprocessor.
Input program from a real-world project using a compilation database.
Input program from a real-world project using a Makefile.
Witnesses
Witnesses are an exchangeable format for analysis results.
SV-COMP tasks and results.
SV-COMP specification strings and files.
Invariants for witnesses.
Invariant manipulation related to CIL transformations.
Utilities for witness generation and witness invariants.
GraphML
Automaton-based GraphML witnesses used in SV-COMP.
module MyARG : sig ... end
Abstract reachability graph.
Analysis specification transformation for ARG construction.
Construction of ARGs from constraint system solutions.
Output of ARG as GraphML.
Streaming GraphML output.
YAML
Entry-based YAML witnesses to be used in SV-COMP.
YAML witness generation and validation.
YAML witness format types.
Widening tokens are a generic and dynamic mechanism for delaying widening.
Violation
Experimental generation of violation witness automata or refinement with observer automata.
Violation checking in an ARG.
ARG path feasibility checking using weakest precondition and Z3
(not installed!).
Finite automaton for matching an infeasible ARG path.
Experimental analysis refinement.
SARIF
module Sarif : sig ... end
SARIF rule definitions for Goblint.
Transformations can be activated to transform the program using analysis results.
Signatures and registry for transformations.
Dead code elimination transformation (remove_dead_code
).
Transformation for instrumenting the program with computed invariants as assertions (assert
).
Transformation for evaluating expressions on the analysis results (expeval
). Hack for Gobview.
Utilities
Intermediate data directory.
General
Unified interface for integer types.
Unified interface for floating-point types.
Process pool for running processes in parallel.
CIL
Syntactic loop unrolling.
Library specification
For more precise analysis of C standard library, etc functions, whose definitions are not available, custom specifications can be added.
Kinds of memory accesses.
Library function descriptor (specification).
Library function descriptor DSL.
Hard-coded database of library function specifications.
Analysis-specific
Basic analysis utilities.
Integer and floating-point option and attribute handling.
module ContextUtil : sig ... end
Goblint-specific C attribute handling.
Widening threshold utilities.
OCaml implementations of vectors and matrices.
Precision comparison
Signatures for precision comparison.
Library extensions
OCaml library extensions which are completely independent of Goblint.
See Goblint_std
.
Standard library
OCaml standard library extensions which are not provided by Batteries
.
Other libraries
External library extensions.