Main external executable functionality: command-line, front-end and analysis execution.

Main internal functionality: analysis of the program by abstract interpretation via constraint solving.

Interactive server mode using JSON-RPC.

Analysis specification signatures.

Construction of a constraint system from an analysis specification and CFGs. Transformatons of analysis specifications as functors.

MCP analysis specification.

Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.

Memory access metadata module for MCP.

Queries and their result lattices.

Events.

Analysis result output.

Perform queries on the constraint system solution.

Autotuning of the configuration based on syntactic heuristics.

Automatically turning on analyses required to ensure soundness based on a given specification (e.g., SV-COMP specification) or programming idioms (e.g., longjmp) in the analyzed code, but only when it is possible to do so automatically. This does not fully exempt from the need for manual configuration.

Non-relational value analysis aka base analysis (base).

Symbolic expression equalities analysis (var_eq).

Symbolic variable - logical expression equalities analysis (condvars).

Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial).

C-2PO: A Weakly-Relational Pointer Analysis for C based on 2 Pointer Logic. The analysis can infer equalities and disequalities between terms which are built from pointer variables, with the addition of constants and dereferencing. (c2po)

Analysis of disjoint heap regions for dynamically allocated memory (region).

Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh).

Helper analysis to be path-sensitive in failed dynamic memory allocations (malloc_null). It is not soundness critical, it only causes certain paths to be kept separate.

An analysis for the detection of memory leaks (memLeak).

An analysis for the detection of use-after-free vulnerabilities (useAfterFree).

An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds).

Mutex locking and unlocking analysis (mutexEvents).

Basic lockset analyses.

An analysis tracking the type of a mutex (pthreadMutexType).

Must lockset and protecting lockset analysis (mutex).

May lockset analysis and analysis of double locking (maylocks).

Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks).

Deadlock analysis (deadlock).

Analysis for generating ghost variables corresponding to mutexes (mutexGhosts).

Multi-threadedness analysis (threadflag).

Current thread ID analysis (threadid).

Created threads and their uniqueness analysis (thread).

Joined threads analysis (threadJoins).

May-happen-in-parallel (MHP) analysis for memory accesses (mhp).

Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn).

Data race analysis (race).

Non-relational thread-modular value analyses for Base.

Escape analysis for thread-local variables (escape).

Must received signals analysis for Pthread condition variables (pthreadSignals).

Must have waited barriers for Pthread barriers (pthreadBarriers).

Promela extraction analysis for Pthread programs (extract-pthread).

Must active and have passed pthreadOnce calls (pthreadOnce).

Analysis of active setjmp buffers (activeSetjmp).

Analysis of variables modified since setjmp (modifiedSinceSetjmp).

Analysis of active longjmp targets (activeLongjmp).

Taint analysis of variables that were modified between setjmp and longjmp and not yet overwritten. (poisonVariables).

Analysis of variable-length arrays (VLAs) in scope (vla).

Simple intraprocedural integer constants analysis example (constants).

Simple intraprocedural integer signs analysis template (signs).

Simple interprocedural taint analysis template (taint).

Simplest possible analysis with unit domain (unit).

Analysis of assert results (assert).

Termination analysis for loops and goto statements (termination).

Call String analysis call_string and/or Call Site analysis call_site. The call string limitation for both approaches can be adjusted with the "callString_length" option. By adding new implementations of the CallstringType, additional analyses can be added.

Analysis of initialized local variables (uninit).

Path-sensitive analysis according to values of arbitrary given expressions (expsplit).

Helper analysis to be path-sensitive in set of taken branches.

Call stack analyses (stack_trace, stack_trace_set, stack_loc).

Analysis of memory accesses (access).

Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper, threadCreateWrapper).

Taint analysis of variables modified in a function (taintPartialContexts).

Unassume analysis (unassume).

Stateless symbolic comparison expression analysis (expRelation).

Analysis of assume_abort_if_not-style functions (abortUnless).

CIL's GoblintCil.Ptranal for function pointer evaluation (ptranal).

Remembers the abstract address value of each parameter at the beginning of each function by adding a ghost variable for each parameter. Used by the c2po analysis.

This lifter takes an analysis that only works for single-threaded code and allows it to run on multi-threaded programs by returning top when the code might be multi-threaded.

Various simple and old analysis lifters.

Analysis lifter for longjmp and setjmp support.

Cycle detection in the context-sensitive dynamic function call graph of an analysis.

Lifts a Spec with the context gas variable. The gas variable limits the number of context-sensitively analyzed function calls in a call stack. For every function call the gas is reduced. If the gas is zero, the remaining function calls are analyzed without context-information

Standard widening delay with counters.

Widening token for WideningTokenLifter.

Widening tokens are a generic and dynamic mechanism for delaying widening.

Full domain of Base analysis.

Domain for weakly relational pointer analysis C-2PO.

Lockset domains.

Symbolic lockset domain.

Deadlock domain.

Multi-threadedness flag domains.

May-happen-in-parallel (MHP) domain.

Domain for escaped thread-local variables.

Domains for extraction of Pthread programs.

Memory accesses and their manipulation.

Domain for memory accesses.

Symbolic lvalue equalities domain.

Domains for disjoint heap regions.

Call stack domains.

QCheck properties for lattice properties.

QCheck properties for abstract operations.

QCheck properties for IntDomain.

Detection of suitable C preprocessor.

Input program from a real-world project using a compilation database.

Output of ARG as GraphML.

SV-COMP tasks and results.

SV-COMP specification strings and files.

Utilities for witness generation and witness invariants.

YAML witness generation and validation.

YAML witness format types.

Ghost variables for YAML witnesses.

SARIF output of Messages.

SARIF format types.

SARIF rule definitions for Goblint.

Abstract reachability graph.

Analysis specification transformation for ARG construction.

Construction of ARGs from constraint system solutions.

Violation checking in an ARG.

ARG path feasibility checking using weakest precondition and Z3 (not installed!).

Finite automaton for matching an infeasible ARG path.

Path-sensitive analysis using an ObserverAutomaton.

Experimental analysis refinement.

Signatures and registry for transformations.

Dead code elimination transformation (remove_dead_code).

Transformation for instrumenting the program with computed invariants as assertions (assert).

Transformation for evaluating expressions on the analysis results (expeval). Hack for Gobview.

Intermediate data directory.

Process pool for running processes in parallel.

Timeout utilities.

Date and time utilities.

Exception utilities.

Creation of CIL CFGs.

Syntactic loop unrolling.

Basic analysis utilities.

Special variable for return value.

Analyses.Spec.branch refinement for Base analysis.

Thread-modular value analysis utilities for BasePriv and RelationPriv.

Precision comparison.

Signatures for precision comparison.

BasePriv precision comparison.