frama-c.1

.\" Automatically generated by Pandoc 2.14.0.2
.\"
.TH "FRAMA-C" "1" "" "2021-06-18" ""
.hy
.\"------------------------------------------------------------------------
.\"
.\"  This file is part of Frama-C documentation
.\"
.\"  Copyright (C) 2007-2021
.\"    CEA (Commissariat à l'énergie atomique et aux énergies
.\"         alternatives)
.\"
.\"  you can redistribute it and/or modify it under the terms of the
.\"  CC-BY-SA 4.0 license

.\" DO NOT EDIT THIS FILE!
.\" This man file has been generated from a Markdown file (frama-c.1.md)
.\" using pandoc 2.0 or newer. To modify this file, edit the Markdown file
.\" and run `make man/frama-c.1`.
.SH NAME
.PP
frama-c[.byte] - a static analyzer for C programs
.PP
frama-c-gui[.byte] - the graphical interface of frama-c
.SH SYNOPSIS
.PP
\f[B]frama-c\f[R] [ \f[I]options\f[R] ] \f[I]files\f[R]
.SH DESCRIPTION
.PP
\f[B]frama-c\f[R] is a suite of tools dedicated to the analysis of
source code written in C.
It gathers several analysis techniques in a single collaborative
framework.
This framework can be extended by additional plugins placed in the
\f[B]$FRAMAC_PLUGIN\f[R] directory.
The command
.RS
.PP
frama-c --plugins
.RE
.PP
will provide the full list of the plugins that are currently installed.
.PP
\f[B]frama-c-gui\f[R] is the graphical user interface of
\f[B]frama-c\f[R].
It features the same options as the command-line version.
.PP
\f[B]frama-c.byte\f[R] and \f[B]frama-c-gui.byte\f[R] are the OCaml
bytecode versions of the command-line and graphical user interface
respectively.
.PP
By default, Frama-C recognizes \f[I].c\f[R] files as C files needing
pre-processing and \f[I].i\f[R] files as C files having been already
pre-processed.
Some plugins may extend the list of recognized files.
Pre-processing can be customized through the \f[B]-cpp-command\f[R] and
\f[B]-cpp-extra-args\f[R] options.
.SH OPTIONS
.SS Syntax
.PP
Options taking an additional parameter can also be written under the
form
.RS
.PP
-\f[I]option\f[R]=\f[I]param\f[R]
.RE
.PP
This form is mandatory when \f[I]param\f[R] starts with a dash (`-').
.PP
Most options that take no parameter have a corresponding
.RS
.PP
-no-\f[I]option\f[R]
.RE
.PP
option which has the opposite effect.
.SS Help options
.TP
-help
gives a short usage notice.
.TP
-kernel-help
prints the list of options recognized by Frama-C\[cq]s kernel
.TP
-explain
prints a help message for each other option given on the command line
.TP
-verbose \f[I]n\f[R]
sets verbosity level.
Defaults to 1.
Setting it to 0 will output less progress messages.
This level can also be set on a per-\f[I]plugin\f[R] basis, with option
-\f[I]plugin\f[R]-\f[B]verbose\f[R] \f[I]n\f[R].
Verbosity level of the kernel can be controlled with option
\f[B]-kernel-verbose\f[R] \f[I]n\f[R].
.TP
-debug \f[I]n\f[R]
sets debugging level.
Defaults to 0, meaning no debugging messages.
This option has the same per-plugin (and kernel) specializations as
\f[B]-verbose\f[R].
.TP
-quiet
sets verbosity and debugging level to 0.
.SS Options controlling Frama-C\[cq]s kernel
.TP
-absolute-valid-range \f[I]min-max\f[R]
considers that all numerical addresses in the range \f[I]min-max\f[R]
are valid.
Bounds are parsed as OCaml integer constants.
By default, all numerical addresses are considered invalid.
.TP
-add-path \f[I]p1[,p2[\&...,pn]]\f[R]
adds directories \f[I]p1\f[R] through \f[I]pn\f[R] to the list of
directories in which plugins are searched.
.TP
-add-symbolic-path \f[I]p1:n1[,p2:n2[\&...,pn:nn]]\f[R]
replaces each path \f[I]pi\f[R] with the name \f[I]ni\f[R] when
displaying file locations in messages.
.TP
[-no]-aggressive-merging
merges function definitions modulo renaming.
Defaults to no.
.TP
[-no]-allow-duplication
allows duplication of small blocks during normalization of tests and
loops.
Otherwise, normalization uses labels and gotos.
Bigger blocks and blocks with non-trivial control flow are never
duplicated.
Defaults to yes.
.TP
[-no]-annot
reads ACSL annotations.
This is the default.
Annotations are pre-processed by default.
Use -no-pp-annot if you don\[cq]t want to expand macros in annotations.
.TP
-autocomplete \f[I]p1,\&...,pn\f[R]
lists the options of plugins \f[I]p1,\&...,pn\f[R] in a format suitable
for autocompletion scripts.
.TP
-big-ints-hex \f[I]max\f[R]
integers larger than \f[I]max\f[R] are displayed in hexadecimal (by
default, all integers are displayed in decimal).
.TP
-check
performs integrity checks on the internal AST (for developers only).
.TP
[-no]-asm-contracts
generates contracts for assembly code written according to gcc\[cq]s
extended syntax.
Defaults to yes.
.TP
[-no]-asm-contracts-auto-validate
automatically marks contracts generated from asm as valid.
Defaults to no.
.TP
-c11
enables (partial) C11 compatibility, e.g.\ typedef redefinitions.
Defaults to no.
.TP
[-no]-collapse-call-cast
allows implicit cast between the value returned by a function and the
lvalue it is assigned to.
Otherwise, a temporary variable is used and the cast is made explicit.
Defaults to yes.
.TP
[-no]-constfold
folds all syntactically constant expressions in the code before
analyses.
Defaults to no.
.TP
-const-readonly
variables with const qualifier must be actually constant.
Defaults to yes.
The opposite option is \f[B]-unsafe-writable\f[R].
.TP
[-no]-continue-annot-error
when analyzing an annotation, the default behavior (the \f[B]-no\f[R]
version of this option) when a typechecking error occurs is to reject
the source file as is the case for typechecking errors within the C
code.
With this option on, the typechecker will only output a warning and
discard the annotation but type\[hy]checking will continue (errors in C
code are still fatal, though).
.PD 0
.P
.PD
\f[B]Deprecated\f[R]: use \f[B]-kernel-warn-key annot-error\f[R]
instead.
.TP
-cpp-command \f[I]cmd\f[R]
uses \f[I]cmd\f[R] as the command to pre-process C files.
Defaults to the \f[B]CPP\f[R] environment variable or to
.RS
.PP
gcc -C -E -I.
.RE
.PP
if it is not set.
If unset, the command is built as follows:
.RS
.PP
CPP -o
.RE
.PP
\f[I]%1\f[R] and \f[I]%2\f[R] can be used into the \f[B]CPP\f[R] string
to mark the position of \f[I]\f[R] and \f[I]\f[R] respectively.
Note that this option is often better replaced by
\f[B]-cpp-extra-args\f[R].
.TP
-cpp-extra-args \f[I]args\f[R]
gives additional arguments to the pre-processor.
Pre-processing annotations is done in two separate pre-processing
stages.
The first one is a normal pass on the C code which retains macro
definitions.
These are then used in the second pass during which annotations are
pre-processed.
\f[I]args\f[R] are used only for the first pass, so that arguments that
should not be used twice (such as additional include directives or macro
definitions) must thus go there instead of \f[B]-cpp-command\f[R].
.TP
-cpp-extra-args-per-file \f[I]file1:args1,\&...,filen:argsn\f[R]
like \f[B]-cpp-extra-args\f[R], but the arguments only apply to the
specified files.
.TP
[-no]-cpp-frama-c-compliant
indicates that the chosen preprocessor complies to some Frama-C
requirements, such as accepting the same set of options as GNU cpp, and
accepting architecture-specific options such as -m32/-m64.
Default values depend on the installed preprocessor at configure time.
See also \f[B]-pp-annot\f[R].
.TP
[-no]-autoload-plugins
when on, load all the dynamic plugins found in the search path (see
\f[B]-print-plugin-path\f[R] for more information on the default search
path).
Otherwise, only plugins requested by \f[B]-load-module\f[R] will be
loaded.
Defaults to on.
.TP
-enums \f[I]repr\f[R]
choose the way the representation of enumerated types is determined.
\f[B]frama-c -enums help\f[R] gives the list of available options.
Default is \f[B]gcc-enums\f[R].
.TP
-float-digits \f[I]n\f[R]
when outputting floating-point numbers, display \f[I]n\f[R] digits.
Defaults to 12.
.TP
-float-flush-to-zero
floating point operations flush to zero.
.TP
-float-hex
display floats as hexadecimal.
.TP
-float-normal
display floats with the standard OCaml routine.
.TP
-float-relative
display float intervals as [ \f[I]lower_bound\f[R]++\f[I]width\f[R] ].
.TP
[-no]-frama-c-stdlib
adds \f[B]-I$FRAMAC_SHARE/libc\f[R] to the options given to the cpp
command.
If \f[B]-cpp-frama-c-compliant\f[R] is not false, also adds
\f[B]-nostdinc\f[R] to prevent an inconsistent mix of system and Frama-C
header files.
Defaults to yes.
.TP
-implicit-function-declaration \f[I]action\f[R]
warns or aborts when a function is called before it has been declared.
\f[I]action\f[R] can be one of \f[B]ignore\f[R], \f[B]warn\f[R], or
\f[B]error\f[R].
Defaults to \f[B]warn\f[R].
.PD 0
.P
.PD
\f[B]Deprecated\f[R]: use \f[B]-kernel-warn-key
typing:implicit-function-declaration\f[R] instead.
.TP
-initialized-padding-locals
implicit initialization of locals sets padding bits to 0.
If false, padding bits are left uninitialized.
Defaults to yes.
.TP
-inline-calls \f[I]f1,\&...,fn\f[R]
syntactically inlines calls to functions \f[I]f1,\&...,fn\f[R].
Use \f[B]\[at]inline\f[R] to select all functions with attribute
\f[I]inline\f[R].
Recursive functions are inlined only at the first level.
Calls via function pointers are not inlined.
.TP
-json-compilation-database \f[I]path\f[R]
use \f[I]path\f[R] as a JSON compilation database (see
<https://clang.llvm.org/docs/JSONCompilationDatabase.html> for more
information): each file preprocessed by Frama-C will include
corresponding \f[B]-I\f[R] and \f[B]-D\f[R] flags according to the
specifications in \f[I]path\f[R].
If \f[I]path\f[R] is a directory, use
\f[B]<path>/compile_commands.json\f[R].
Disabled by default.
.TP
[-no]-keep-comments
tries to preserve comments when pretty-printing the source code.
Defaults to no.
.TP
[-no]-keep-switch
when \f[B]-simplify-cfg\f[R] is set, keeps switch statements.
Defaults to no.
.TP
-keep-unused-specified-functions
see \f[B]-remove-unused-specified-functions\f[R].
.TP
-keep-unused-types
see \f[B]-remove-unused-types\f[R].
.TP
-kernel-log \f[I]kind:file\f[R]
copies log messages from the Frama-C\[cq]s kernel to file.
\f[I]kind\f[R] specifies which kinds of messages to be copied
(e.g.\ \f[B]w\f[R] for warnings, \f[B]e\f[R] for errors, etc.).
See \f[B]-kernel-help\f[R] for more details.
Can also be set on a per-plugin basis, with option
-\f[I]<plugin>\f[R]-\f[B]log\f[R].
.TP
-kernel-msg-key \f[I]k1,\&...,kn\f[R]
controls the emission of messages based on categories.
Use \f[B]-kernel-msg-key help\f[R] to get a list of available
categories, and \f[B]-kernel-msg-key=\[lq]*\[rq]\f[R] to control all
categories.
To disable a category, add a \f[B]-\f[R] before its name; to enable a
category, simply add its name, with an optional \f[B]+\f[R] before it.
For instance, \f[B]-kernel-msg-key=-k1,k2\f[R] will disable messages
from category \f[B]k1\f[R] and enable those from category \f[B]k2\f[R].
Can also be set on a per-plugin basis, with option
-\f[I]<plugin>\f[R]-\f[B]msg-key\f[R].
Note that each plugin has its own set of categories.
.TP
-kernel-warn-key \f[I]k1=a1,\&...,kn=an\f[R]
controls the emission of warnings based on categories: for each warning
category \f[I]k\f[R], associate action \f[I]a\f[R].
Use \f[B]-kernel-warn-key help\f[R] to get a list of available warning
categories and their currently associated actions.
The following actions can be set per category: \f[B]active\f[R] (warn),
\f[B]feedback\f[R], \f[B]error\f[R], \f[B]abort\f[R], \f[B]once\f[R],
\f[B]feedback-once\f[R], \f[B]err-once\f[R].
Omitting the action is equivalent to setting it to \f[B]active\f[R].
Warning categories can also be set on a per-plugin basis, with option
-\f[I]<plugin>\f[R]\f[B]-warn-key\f[R].
.TP
[-no]-lib-entry
indicates that the entry point is called during program execution.
This implies in particular that global variables cannot be assumed to
have their initial values.
The default is \f[B]-no-lib-entry\f[R]: the entry point is also the
starting point of the program and globals have their initial value.
.TP
-load \f[I]file\f[R]
loads the (previously saved) state contained in \f[I]file\f[R].
.TP
-load-module \f[I]SPEC\f[R]
dynamically load OCaml plug-ins, modules and scripts.
Each \f[I]SPEC\f[R] can be an OCaml source or object file, with or
without extension, or a Findlib package.
Loading order is preserved and additional dependencies can be listed in
*\f[B].depend\f[R] files.
.TP
-load-script \f[I]SPEC\f[R]
alias for option \f[B]-load-module\f[R].
.TP
-machdep \f[I]machine\f[R]
uses \f[I]machine\f[R] as the current machine-dependent configuration
(size of the various integer types, endiandness, \&...).
The list of currently supported machines is available through option
\f[I]-machdep help\f[R].
Default is \f[B]x86_64\f[R].
.TP
-main \f[I]f\f[R]
sets \f[I]f\f[R] as the entry point of the analysis.
Defaults to \f[B]main\f[R].
By default, it is considered as the starting point of the program under
analysis.
Use \f[B]-lib-entry\f[R] if \f[I]f\f[R] is supposed to be called in the
middle of an execution.
.TP
-obfuscate
prints an obfuscated version of the code (where original identifiers are
replaced by meaningless ones) and exits.
The correspondence table between original and new symbols is kept at the
beginning of the result.
.TP
-ocode \f[I]file\f[R]
redirects pretty-printed code to \f[I]file\f[R] instead of standard
output.
.TP
[-no]-orig-name
During the normalization phase, some variables may get renamed when
different variables with the same name can co-exist (e.g.\ a global
variable and a formal parameter).
When this option is on, a message is printed each time this occurs.
Defaults to no.
.TP
[-no]-pp-annot
pre-processes annotations.
This is currently only possible when using gcc (or GNU cpp)
pre-processor.
The default is to pre-process annotations when the default pre-processor
is identified as GNU or GNU-like.
See also \f[B]-cpp-frama-c-compliant\f[R].
.TP
[-no]-print
pretty-prints the source code as normalized by CIL.
Defaults to no.
.TP
-print-cpp-commands
outputs the preprocessing commands for all input files.
.TP
-print-config-json
outputs extensive Frama-C configuration data in JSON format.
.TP
[-no]-print-libc
expands \f[B]#include\f[R] directives in the pretty-printed CIL code for
files in the Frama-C standard library.
Defaults to no.
.TP
-print-libpath
outputs the directory where the Frama-C kernel library is installed.
.TP
-print-path
alias of \f[B]-print-share-path\f[R].
.TP
-print-plugin-path
outputs the directory where Frama-C searches its plugins (can be
overridden by the \f[B]FRAMAC_PLUGIN\f[R] variable and the
\f[B]-add-path\f[R] option).
.TP
-print-share-path
outputs the directory where Frama-C stores its data (can be overridden
by the \f[B]FRAMAC_SHARE\f[R] variable).
.TP
[-no]-remove-exn
transforms throw and try/catch statements into normal C functions.
Defaults to no, unless the input source language has an exception
mechanism.
.TP
-remove-inlined \f[I]f1,\&...,fn\f[R]
removes inlined functions \f[I]f1,\&...,fn\f[R] from the AST, which must
have been given to \f[B]-inline-calls\f[R].
Note: this option does not check if the given functions were fully
inlined.
.TP
-remove-projects \f[I]p1,\&...,pn\f[R]
removes the given projects \f[I]p1,\&...,pn\f[R].
\f[B]\[at]all_but_current\f[R] removes all projects but the current one.
.TP
-remove-unused-specified-functions
keeps function prototypes that have an ACSL specification but are not
used in the code.
This is the default.
Functions having the attribute \f[B]FRAMAC_BUILTIN\f[R] are always kept.
.TP
-remove-unused-types
remove types and struct/union/enum declarations that are not referenced
anywhere else in the code.
This is the default.
Use \f[B]-keep-unused-types\f[R] to keep these definitions.
.TP
-safe-arrays
for multidimensional arrays or arrays that are fields inside structs,
assumes that all accesses must be in bound (set by default).
The opposite option is \f[B]-unsafe-arrays\f[R].
.TP
-save \f[I]file\f[R]
saves Frama-C\[cq]s state into \f[I]file\f[R] after analyses have taken
place.
.TP
-session \f[I]s\f[R]
sets \f[I]s\f[R] as the directory in which session files are searched.
.TP
[-no]-set-project-as-default
the current project becomes the default one (and so future
\f[B]-then\f[R] sequences are applied on it).
Defaults to no.
.TP
[-no]-simplify-cfg
removes \f[B]break\f[R], \f[B]continue\f[R] and \f[B]switch\f[R]
statements before analyses.
Defaults to no.
.TP
[-no]-simplify-trivial-loops
simplifies trivial loops such as \f[B]do \&... while (0)\f[R] loops.
Defaults to yes.
.TP
-then
allows one to compose analyses: a first run of Frama-C will occur with
the options before \f[B]-then\f[R] and a second run will be done with
the options after \f[B]-then\f[R] on the current project from the first
run.
.TP
-then-last
like \f[B]-then\f[R], but the second group of actions is executed on the
last project created by a program transformer.
.TP
-then-on \f[I]prj\f[R]
similar to \f[B]-then\f[R] except that the second run is performed in
project \f[I]prj\f[R].
If no such project exists, Frama-C exits with an error.
.TP
-then-replace
like \f[B]-then-last\f[R], but also removes the previous current
project.
.TP
-time \f[I]file\f[R]
appends user time and date in the given file when Frama-C exits.
.TP
-typecheck
forces typechecking of the source files.
This option is only relevant if no further analysis is requested (as
typechecking will implicitly occur before the analysis is launched).
.TP
-ulevel \f[I]n\f[R]
syntactically unroll loops \f[I]n\f[R] times before the analysis.
This can be quite costly and some plugins (e.g.\ Eva) provide more
efficient ways to perform the same thing.
See their respective manuals for more information.
This can also be activated on a per-loop basis via the \f[B]loop pragma
unroll \f[R] directive.
A negative value for \f[I]n\f[R] will inhibit such pragmas.
.TP
[-no]-ulevel-force
ignores \f[B]UNROLL\f[R] loop pragmas disabling unrolling.
.PP
[-no]-unicode outputs ACSL formulas with UTF-8 characters.
This is the default.
When given the \f[B]-no-unicode\f[R] option, Frama-C will use the ASCII
version instead.
See the ACSL manual for the correspondence.
.TP
-unsafe-arrays
see \f[B]-safe-arrays\f[R].
.TP
[-no]-unspecified-access
checks that read/write accesses occurring in an unspecified order
(according to the C standard\[cq]s notion of sequence points) are
performed on separate locations.
With \f[B]-no-unspecified-access\f[R], assumes that it is always the
case (this is the default).
.TP
-version
outputs the version string of Frama-C.
.TP
-warn-decimal-float \f[I]freq\f[R]
warns when a floating-point constant cannot be exactly represented
(e.g.\ 0.1).
\f[I]freq\f[R] can be one of \f[B]none\f[R], \f[B]once\f[R], or
\f[B]all\f[R].
.PD 0
.P
.PD
\f[B]Deprecated\f[R]: use \f[B]-kernel-warn-key
parser:decimal-float=once\f[R] (and variants) instead.
.TP
[-no]-warn-invalid-pointer
generate alarms for invalid pointer arithmetic.
Defaults to no.
.TP
[-no]-warn-left-shift-negative
generate alarms for signed left shifts on negative values.
Defaults to yes.
.TP
[-no]-warn-right-shift-negative
generate alarms for signed right shifts on negative values.
Defaults to no.
.TP
[-no]-warn-pointer-downcast
generates alarms when the downcast of a pointer may exceed the
destination range.
Defaults to yes.
.TP
[-no]-warn-signed-downcast
generates alarms when signed downcasts may exceed the destination range.
Defaults to no.
.TP
[-no]-warn-signed-overflow
generates alarms for signed operations that overflow.
Defaults to yes.
.TP
[-no]-warn-unsigned-downcast
generates alarms when unsigned downcasts may exceed the destination
range.
Defaults to no.
.TP
[-no]-warn-unsigned-overflow
generates alarms for unsigned operations that overflow.
Defaults to no.
.TP
[-no]-warn-invalid-bool
generates alarms for reads of trap representations of _Bool lvalues.
Defaults to yes.
.SS Plugin-specific options
.PP
For each plugin, the command
.RS
.PP
frama-c -plugin-help
.RE
.PP
will give the list of options that are specific to the plugin.
.SH EXIT STATUS
.TP
0
Successful execution
.TP
1
Invalid user input
.TP
2
User interruption (kill or equivalent)
.TP
3
Unimplemented feature
.TP
4 5 6
Internal error
.TP
125
Unknown error
.PP
Exit statuses greater than 2 can be considered as a bug (or a feature
request for the case of exit status 3) and may be reported on
Frama-C\[cq]s BTS (see below).
.SH ENVIRONMENT VARIABLES
.PP
It is possible to control the places where Frama-C looks for its files
through the following variables.
.TP
FRAMAC_LIB
The directory where kernel\[cq]s compiled interfaces are installed.
.TP
FRAMAC_PLUGIN
The directory where Frama-C can find standard plugins.
If you wish to have plugins in several places, use \f[B]-add-path\f[R]
instead.
.TP
FRAMAC_SHARE
The directory where Frama-C data (e.g.\ its version of the standard
library) is installed.
.SH SEE ALSO
.PP
Frama-C user manual:
https://frama-c.com/download/frama-c-user-manual.pdf
.PP
Frama-C homepage: https://frama-c.com
.PP
Frama-C BTS: https://git.frama-c.com/pub/frama-c/issues