Module Goblint_lib

Main external executable functionality: command-line, front-end and analysis execution.

Main internal functionality: analysis of the program by abstract interpretation via constraint solving.

Interactive server mode using JSON-RPC.

Analysis specification and constraint system signatures.

Construction of a constraint system from an analysis specification and CFGs. Transformatons of analysis specifications as functors.

MCP analysis specification.

Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.

Memory access metadata module for MCP.

Queries and their result lattices.

Events.

Analysis result output.

Perform queries on the constraint system solution.

Autotuning of the configuration based on syntactic heuristics.

Automatically turning on analyses required to ensure soundness based on a given specification (e.g., SV-COMP specification) or programming idioms (e.g., longjmp) in the analyzed code, but only when it is possible to do so automatically. This does not fully exempt from the need for manual configuration.

Non-relational value analysis aka base analysis (base).

Abstract relational integer value analysis.

Relational integer value analysis using Apron domains (apron).

Relational integer value analysis using an OCaml implementation of the affine equalities domain (affeq).

Relational integer value analysis using an OCaml implementation of the linear two-variable equalities domain (lin2vareq).

Symbolic expression equalities analysis (var_eq).

Symbolic variable - logical expression equalities analysis (condvars).

Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial).

Analysis of disjoint heap regions for dynamically allocated memory (region).

Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh).

Path-sensitive analysis of failed dynamic memory allocations (malloc_null).

An analysis for the detection of memory leaks (memLeak).

An analysis for the detection of use-after-free vulnerabilities (useAfterFree).

An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds).

Mutex locking and unlocking analysis (mutexEvents).

Basic lockset analyses.

An analysis tracking the type of a mutex (pthreadMutexType).

Must lockset and protecting lockset analysis (mutex).

May lockset analysis and analysis of double locking (maylocks).

Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks).

Deadlock analysis (deadlock).

Multi-threadedness analysis (threadflag).

Current thread ID analysis (threadid).

Created threads and their uniqueness analysis (thread).

Joined threads analysis (threadJoins).

May-happen-in-parallel (MHP) analysis for memory accesses (mhp).

Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn).

Data race analysis (race).

Non-relational thread-modular value analyses for Base.

Relational thread-modular value analyses for RelationAnalysis, i.e. ApronAnalysis and AffineEqualityAnalysis.

Escape analysis for thread-local variables (escape).

Must received signals analysis for Pthread condition variables (pthreadSignals).

Promela extraction analysis for Pthread programs (extract-pthread).

Analysis of active setjmp buffers (activeSetjmp).

Analysis of variables modified since setjmp (modifiedSinceSetjmp).

Analysis of active longjmp targets (activeLongjmp).

Taint analysis of variables that were modified between setjmp and longjmp and not yet overwritten. (poisonVariables).

Analysis of variable-length arrays (VLAs) in scope (vla).

Simple intraprocedural integer constants analysis example (constants).

Simple intraprocedural integer signs analysis template (signs).

Simple interprocedural taint analysis template (taint).

Simplest possible analysis with unit domain (unit).

Analysis of assert results (assert).

Termination analysis for loops and goto statements (termination).

Call String analysis call_string and/or Call Site analysis call_site. The call string limitation for both approaches can be adjusted with the "callString_length" option. By adding new implementations of the CallstringType, additional analyses can be added.

Analysis of initialized local variables (uninit).

Path-sensitive analysis according to values of arbitrary given expressions (expsplit).

Call stack analyses (stack_trace, stack_trace_set, stack_loc).

Analysis of memory accesses (access).

Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper, threadCreateWrapper).

Taint analysis of variables modified in a function (taintPartialContexts).

Unassume analysis (unassume).

Stateless symbolic comparison expression analysis (expRelation).

Analysis of assume_abort_if_not-style functions (abortUnless).

CIL's GoblintCil.Ptranal for function pointer evaluation (ptranal).

Various simple and old analysis lifters.

Analysis lifter for longjmp and setjmp support.

Cycle detection in the context-sensitive dynamic function call graph of an analysis.

Lifts a Spec with the context gas variable. The gas variable limits the number of context-sensitively analyzed function calls in a call stack. For every function call the gas is reduced. If the gas is zero, the remaining function calls are analyzed without context-information

Widening tokens are a generic and dynamic mechanism for delaying widening.

Analysis specification transformation for ARG construction.

Full domain of Base analysis.

Signatures for relational value domains.

Apron domains.

OCaml implementation of the affine equalities domain.

OCaml implementation of the linear two-variable equality domain.

Lockset domains.

Symbolic lockset domain.

Deadlock domain.

Multi-threadedness flag domains.

May-happen-in-parallel (MHP) domain.

Domain for escaped thread-local variables.

Domains for extraction of Pthread programs.

Memory accesses and their manipulation.

Domain for memory accesses.

Symbolic lvalue equalities domain.

Domains for disjoint heap regions.

Call stack domains.

QCheck properties for lattice properties.

QCheck properties for abstract operations.

QCheck properties for IntDomain.

Detection of suitable C preprocessor.

Input program from a real-world project using a compilation database.

SV-COMP tasks and results.

SV-COMP specification strings and files.

Utilities for witness generation and witness invariants.

Abstract reachability graph.

Construction of ARGs from constraint system solutions.

Output of ARG as GraphML.

Streaming GraphML output.

YAML witness generation and validation.

YAML witness format types.

Violation checking in an ARG.

ARG path feasibility checking using weakest precondition and Z3 (not installed!).

Finite automaton for matching an infeasible ARG path.

Path-sensitive analysis using an ObserverAutomaton.

Experimental analysis refinement.

SARIF output of Messages.

SARIF format types.

SARIF rule definitions for Goblint.

Signatures and registry for transformations.

Dead code elimination transformation (remove_dead_code).

Transformation for instrumenting the program with computed invariants as assertions (assert).

Transformation for evaluating expressions on the analysis results (expeval). Hack for Gobview.

Intermediate data directory.

Process pool for running processes in parallel.

Timeout utilities.

Date and time utilities.

Exception utilities.

Creation of CIL CFGs.

Syntactic loop unrolling.

Basic analysis utilities.

Special variable for return value.

Analyses.Spec.branch refinement for Base analysis.

Thread-modular value analysis utilities for BasePriv and RelationPriv.

OCaml implementations of vectors and matrices.

Precision comparison.

Signatures for precision comparison.

BasePriv precision comparison.

RelationPriv precision comparison.

ApronDomain precision comparison.