Module Goblint_lib

Main external executable functionality: command-line, front-end and analysis execution.

Main internal functionality: analysis of the program by abstract interpretation via constraint solving.

Interactive server mode using JSON-RPC.

Analysis specification signatures.

Construction of a constraint system from an analysis specification and CFGs. Transformatons of analysis specifications as functors.

MCP analysis specification.

Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.

Memory access metadata module for MCP.

Queries and their result lattices.

Events.

Analysis results.

Perform queries on the constraint system solution.

Autotuning of the configuration based on syntactic heuristics.

Automatically turning on analyses required to ensure soundness based on a given specification (e.g., SV-COMP specification) or programming idioms (e.g., longjmp) in the analyzed code, but only when it is possible to do so automatically. This does not fully exempt from the need for manual configuration.

Non-relational value analysis aka base analysis (base).

Abstract relational integer value analysis.

Relational integer value analysis using Apron domains (apron).

Relational integer value analysis using an OCaml implementation of the affine equalities domain (affeq).

Relational integer value analysis using an OCaml implementation of the linear two-variable equalities domain (lin2vareq).

Symbolic expression equalities analysis (var_eq).

Symbolic variable - logical expression equalities analysis (condvars).

Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial).

C-2PO: A Weakly-Relational Pointer Analysis for C based on 2 Pointer Logic. The analysis can infer equalities and disequalities between terms which are built from pointer variables, with the addition of constants and dereferencing. (c2po)

Analysis of disjoint heap regions for dynamically allocated memory (region).

Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh).

Helper analysis to be path-sensitive in failed dynamic memory allocations (malloc_null). It is not soundness critical, it only causes certain paths to be kept separate.

An analysis for the detection of memory leaks (memLeak).

An analysis for the detection of use-after-free vulnerabilities (useAfterFree).

An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds).

Mutex locking and unlocking analysis (mutexEvents).

Basic lockset analyses.

An analysis tracking the type of a mutex (pthreadMutexType).

Must lockset and protecting lockset analysis (mutex).

May lockset analysis and analysis of double locking (maylocks).

Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks).

Deadlock analysis (deadlock).

Analysis for generating ghost variables corresponding to mutexes (mutexGhosts).

Multi-threadedness analysis (threadflag).

Current thread ID analysis (threadid).

Created threads and their uniqueness analysis (thread).

Joined threads analysis (threadJoins).

May-happen-in-parallel (MHP) analysis for memory accesses (mhp).

Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn).

Data race analysis (race).

Non-relational thread-modular value analyses for Base.

Relational thread-modular value analyses for RelationAnalysis, i.e. ApronAnalysis and AffineEqualityAnalysis.

Escape analysis for thread-local variables (escape).

Must received signals analysis for Pthread condition variables (pthreadSignals).

Must have waited barriers for Pthread barriers (pthreadBarriers).

Promela extraction analysis for Pthread programs (extract-pthread).

Must active and have passed pthreadOnce calls (pthreadOnce).

Analysis of active setjmp buffers (activeSetjmp).

Analysis of variables modified since setjmp (modifiedSinceSetjmp).

Analysis of active longjmp targets (activeLongjmp).

Taint analysis of variables that were modified between setjmp and longjmp and not yet overwritten. (poisonVariables).

Analysis of variable-length arrays (VLAs) in scope (vla).

Simple intraprocedural integer constants analysis example (constants).

Simple intraprocedural integer signs analysis template (signs).

Simple interprocedural taint analysis template (taint).

Simplest possible analysis with unit domain (unit).

Analysis of assert results (assert).

Termination analysis for loops and goto statements (termination).

Call String analysis call_string and/or Call Site analysis call_site. The call string limitation for both approaches can be adjusted with the "callString_length" option. By adding new implementations of the CallstringType, additional analyses can be added.

Analysis of initialized local variables (uninit).

Path-sensitive analysis according to values of arbitrary given expressions (expsplit).

Helper analysis to be path-sensitive in set of taken branches.

Call stack analyses (stack_trace, stack_trace_set, stack_loc).

Analysis of memory accesses (access).

Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper, threadCreateWrapper).

Taint analysis of variables modified in a function (taintPartialContexts).

Unassume analysis (unassume).

Stateless symbolic comparison expression analysis (expRelation).

Analysis of assume_abort_if_not-style functions (abortUnless).

CIL's GoblintCil.Ptranal for function pointer evaluation (ptranal).

Remembers the abstract address value of each parameter at the beginning of each function by adding a ghost variable for each parameter. Used by the c2po analysis.

This lifter takes an analysis that only works for single-threaded code and allows it to run on multi-threaded programs by returning top when the code might be multi-threaded.

Various simple and old analysis lifters.

Analysis lifter for longjmp and setjmp support.

Cycle detection in the context-sensitive dynamic function call graph of an analysis.

Lifts a Spec with the context gas variable. The gas variable limits the number of context-sensitively analyzed function calls in a call stack. For every function call the gas is reduced. If the gas is zero, the remaining function calls are analyzed without context-information

Standard widening delay with counters.

Widening token for WideningTokenLifter.

Widening tokens are a generic and dynamic mechanism for delaying widening.

Full domain of Base analysis.

Signatures for relational value domains.

Apron domains.

OCaml implementation of the affine equalities domain.

OCaml implementation of the affine equalities domain.

OCaml implementation of the linear two-variable equality domain.

Domain for weakly relational pointer analysis C-2PO.

Lockset domains.

Symbolic lockset domain.

Deadlock domain.

Multi-threadedness flag domains.

May-happen-in-parallel (MHP) domain.

Domain for escaped thread-local variables.

Domains for extraction of Pthread programs.

Memory accesses and their manipulation.

Domain for memory accesses.

Symbolic lvalue equalities domain.

Domains for disjoint heap regions.

Call stack domains.

QCheck properties for lattice properties.

QCheck properties for abstract operations.

QCheck properties for IntDomain.

Detection of suitable C preprocessor.

Input program from a real-world project using a compilation database.

Analysis result output.

XSLT analysis result output.

Output of ARG as GraphML.

SV-COMP tasks and results.

SV-COMP specification strings and files.

Utilities for witness generation and witness invariants.

YAML witness generation and validation.

YAML witness format types.

YAML witness format version.

Ghost variables for YAML witnesses.

SARIF output of Messages.

SARIF format types.

SARIF rule definitions for Goblint.

Abstract reachability graph.

Analysis specification transformation for ARG construction.

Construction of ARGs from constraint system solutions.

Violation checking in an ARG.

ARG path feasibility checking using weakest precondition and Z3 (not installed!).

Finite automaton for matching an infeasible ARG path.

Path-sensitive analysis using an ObserverAutomaton.

Experimental analysis refinement.

Signatures and registry for transformations.

Dead code elimination transformation (remove_dead_code).

Transformation for instrumenting the program with computed invariants as assertions (assert).

Transformation for evaluating expressions on the analysis results (expeval). Hack for Gobview.

Intermediate data directory.

Process pool for running processes in parallel.

Timeout utilities.

Date and time utilities.

C code highlighting.

Exception utilities.

Creation of CIL CFGs.

Syntactic loop unrolling.

Basic analysis utilities.

Special variable for return value.

Analyses.Spec.branch refinement for Base analysis.

Thread-modular value analysis utilities for BasePriv and RelationPriv.

CIL utilities for relational analyses.

Precision comparison.

Signatures for precision comparison.

BasePriv precision comparison.

RelationPriv precision comparison.

ApronDomain precision comparison.