Main library.
Framework
module Maingoblint : sig ... end
Main external executable functionality: command-line, front-end and analysis execution.
Main internal functionality: analysis of the program by abstract interpretation via constraint solving.
Interactive server mode using JSON-RPC.
CFG
Control-flow graphs (CFGs) are used to represent each function.
Specification
Analyses are specified by domains and transfer functions. A dynamic composition of analyses is combined with CFGs to produce a constraint system.
Construction of a constraint system from an analysis specification and CFGs. Transformatons of analysis specifications as functors.
Master control program (MCP) is the analysis specification for the dynamic product of activated analyses.
MCP analysis specification.
Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.
MCP allows activated analyses to query each other during the analysis. Query results from different analyses for the same query are met for precision.
Queries and their result lattices.
MCP allows activated analyses to emit events to each other during the analysis.
Results
The following modules help query the constraint system solution using semantic information.
Perform queries on the constraint system solution.
Configuration
Runtime configuration is represented as JSON. Options are specified and documented by the JSON schema src/config/options.schema.json
.
Autotuning of the configuration based on syntactic heuristics.
Automatically turning on analyses required to ensure soundness based on a given specification (e.g., SV-COMP specification) or programming idioms (e.g., longjmp) in the analyzed code, but only when it is possible to do so automatically. This does not fully exempt from the need for manual configuration.
Analyses
Analyses activatable under MCP.
Value
Analyses related to values of program variables.
module Base : sig ... end
Non-relational value analysis aka base analysis (base
).
module VarEq : sig ... end
Symbolic expression equalities analysis (var_eq
).
Symbolic variable - logical expression equalities analysis (condvars
).
Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial
).
Heap
Analyses related to the heap.
Analysis of disjoint heap regions for dynamically allocated memory (region
).
Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh
).
Path-sensitive analysis of failed dynamic memory allocations (malloc_null
).
An analysis for the detection of memory leaks (memLeak
).
An analysis for the detection of use-after-free vulnerabilities (useAfterFree
).
An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds
).
Concurrency
Analyses related to concurrency.
Locks
Analyses related to locking.
Mutex locking and unlocking analysis (mutexEvents
).
module MutexTypeAnalysis : sig ... end
An analysis tracking the type of a mutex (pthreadMutexType
).
Must lockset and protecting lockset analysis (mutex
).
May lockset analysis and analysis of double locking (maylocks
).
Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks
).
Deadlock analysis (deadlock
).
Threads
Analyses related to threads.
Multi-threadedness analysis (threadflag
).
Current thread ID analysis (threadid
).
Created threads and their uniqueness analysis (thread
).
Joined threads analysis (threadJoins
).
May-happen-in-parallel (MHP) analysis for memory accesses (mhp
).
Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn
).
Other
Data race analysis (race
).
Non-relational thread-modular value analyses for Base
.
Escape analysis for thread-local variables (escape
).
Must received signals analysis for Pthread condition variables (pthreadSignals
).
Promela extraction analysis for Pthread programs (extract-pthread
).
Longjmp
Analyses related to longjmp
and setjmp
.
Analysis of active setjmp
buffers (activeSetjmp
).
Analysis of variables modified since setjmp
(modifiedSinceSetjmp
).
Analysis of active longjmp
targets (activeLongjmp
).
Taint analysis of variables that were modified between setjmp
and longjmp
and not yet overwritten. (poisonVariables
).
Analysis of variable-length arrays (VLAs) in scope (vla
).
Tutorial
Analyses for didactic purposes.
Simple intraprocedural integer constants analysis example (constants
).
module Signs : sig ... end
Simple intraprocedural integer signs analysis template (signs
).
module Taint : sig ... end
Simple interprocedural taint analysis template (taint
).
Simplest possible analysis with unit domain (unit
).
Other
Analysis of assert
results (assert
).
Termination analysis for loops and goto
statements (termination
).
Call String analysis call_string
and/or Call Site analysis call_site
. The call string limitation for both approaches can be adjusted with the "callString_length" option. By adding new implementations of the CallstringType, additional analyses can be added.
Analysis of initialized local variables (uninit
).
Path-sensitive analysis according to values of arbitrary given expressions (expsplit
).
Call stack analyses (stack_trace
, stack_trace_set
, stack_loc
).
Helper
Analyses which only support other analyses.
Analysis of memory accesses (access
).
Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper
, threadCreateWrapper
).
module TaintPartialContexts : sig ... end
Taint analysis of variables modified in a function (taintPartialContexts
).
Unassume analysis (unassume
).
Stateless symbolic comparison expression analysis (expRelation
).
Analysis of assume_abort_if_not
-style functions (abortUnless
).
CIL's GoblintCil.Ptranal
for function pointer evaluation (ptranal
).
Analysis lifters
Transformations of analyses into extended analyses.
Various simple and old analysis lifters.
Analysis lifter for longjmp
and setjmp
support.
Cycle detection in the context-sensitive dynamic function call graph of an analysis.
module ContextGasLifter : sig ... end
Lifts a Spec
with the context gas variable. The gas variable limits the number of context-sensitively analyzed function calls in a call stack. For every function call the gas is reduced. If the gas is zero, the remaining function calls are analyzed without context-information
Widening tokens are a generic and dynamic mechanism for delaying widening.
Analysis specification transformation for ARG construction.
Domains
Domains used by analysis specifications and constraint systems are lattices.
Besides lattice operations, their elements can also be compared and output (in various formats). Those operations are specified by Printable.S
.
General
Standard general-purpose domains and domain functors.
Analysis-specific
Domains for specific analyses.
Value
Non-relational
Domains for Base
analysis.
Numeric
Addresses
Memory locations are identified by mvalues, which consist of a variable and an offset. Mvalues are used throughout Goblint, not just the Base
analysis.
Addresses extend mvalues with NULL
, unknown pointers and string literals.
Complex
Combined
These combine the above domains together for Base
analysis.
Relational
Domains for RelationAnalysis
.
Concurrency
May-happen-in-parallel (MHP) domain.
module EscapeDomain : sig ... end
Domain for escaped thread-local variables.
module PthreadDomain : sig ... end
Domains for extraction of Pthread programs.
Other
Memory accesses and their manipulation.
module AccessDomain : sig ... end
Domain for memory accesses.
module MusteqDomain : sig ... end
Symbolic lvalue equalities domain.
module RegionDomain : sig ... end
Domains for disjoint heap regions.
Testing
Modules related to (property-based) testing of domains.
QCheck properties for abstract operations.
Incremental
Incremental analysis is for analyzing multiple versions of the same program and reusing as many results as possible.
I/O
Various input/output interfaces and formats.
Front-end
The following modules handle program input.
Detection of suitable C preprocessor.
Input program from a real-world project using a compilation database.
Witnesses
Witnesses are an exchangeable format for analysis results.
SV-COMP tasks and results.
SV-COMP specification strings and files.
Utilities for witness generation and witness invariants.
GraphML
Automaton-based GraphML witnesses used in SV-COMP.
module MyARG : sig ... end
Abstract reachability graph.
Construction of ARGs from constraint system solutions.
Output of ARG as GraphML.
Streaming GraphML output.
YAML
Entry-based YAML witnesses to be used in SV-COMP.
YAML witness generation and validation.
YAML witness format types.
Violation
Experimental generation of violation witness automata or refinement with observer automata.
Violation checking in an ARG.
ARG path feasibility checking using weakest precondition and Z3
(not installed!).
Finite automaton for matching an infeasible ARG path.
Experimental analysis refinement.
SARIF
module Sarif : sig ... end
SARIF rule definitions for Goblint.
Transformations can be activated to transform the program using analysis results.
Signatures and registry for transformations.
Dead code elimination transformation (remove_dead_code
).
Transformation for instrumenting the program with computed invariants as assertions (assert
).
Transformation for evaluating expressions on the analysis results (expeval
). Hack for Gobview.
Utilities
Intermediate data directory.
General
Process pool for running processes in parallel.
CIL
Syntactic loop unrolling.
Library specification
For more precise analysis of C standard library, etc functions, whose definitions are not available, custom specifications can be added.
Analysis-specific
Basic analysis utilities.
Special variable for return value.
OCaml implementations of vectors and matrices.
Precision comparison
Signatures for precision comparison.
Library extensions
OCaml library extensions which are completely independent of Goblint.
See Goblint_std
.
Standard library
OCaml standard library extensions which are not provided by Batteries
.