diff --git a/Changelog b/Changelog
index caecef4485410d82e88530db1a693ce59cab75a7..fee19c92ad3331064da81ab7e51661f676f17fa1 100644
--- a/Changelog
+++ b/Changelog
@@ -17,6 +17,12 @@
Open Source Release <next-release>
##################################
+-! RTE [2021-04-16] -rte-initialized takes a set of functions as
+ parameter (defaults to none)
+- RTE [2021-04-16] No more initialization warnings for full structures
+ and unions reads. Initialization warnings for other
+ types *without* trap representation. Refer to the
+ documentation for more details.
-* Kernel [2021-04-16] Pretty prints array formals in their original form.
Fixes pub/frama-c#392
o! Kernel [2021-04-13] Removed deprecated function Filepath.pretty
diff --git a/doc/rte/rte.tex b/doc/rte/rte.tex
index 228c049928b7299a356944ebcf38e546b939b0ae..bcb27b675a6a94c0e78e7086a2330f7834c6ade2 100644
--- a/doc/rte/rte.tex
+++ b/doc/rte/rte.tex
@@ -7,6 +7,9 @@
\newcommand{\optnodowncast}{\mbox{\lstinline|-rte-no-downcast|}}
\newcommand{\rte}{\textsf{RTE}\xspace}
\newcommand{\framac}{\textsf{Frama-C}\xspace}
+\newcommand{\acsl}{\textsf{ACSL}\xspace}
+\newcommand{\gcc}{\textsf{Gcc}\xspace}
+\newcommand{\clang}{\textsf{Clang}\xspace}
\tableofcontents
@@ -48,7 +51,7 @@ implementation choice. Also note that annotations are dependent of the {\it
machine dependency} used on Frama-C command-line, especially the size of
integer types.
-The C language ISO standard \cite{standardc99} will be referred to as \cnn{}
+The C language ISO standard \cite{standardc99} will be referred to as \cnn{}
(of which specific paragraphs are cited, such as \mbox{6.2.5.9}).
%%\section{Generated Annotations}
@@ -96,14 +99,14 @@ and thus has domain \lstinline|[-2147483648,2147483647]|, and that \lstinline|x|
is an \lstinline|int|, the expression \lstinline|x+1| performs a signed integer
overflow, and therefore has an undefined behavior, if and only if \lstinline|x|
equals \lstinline|2147483647|. This is independent of the fact that for most
-(if not all) C compilers and 32-bits architectures, one will get
+(if not all) C compilers and 32-bits architectures, one will get
\lstinline|x+1 = -2147483648| and no runtime error will happen. But by strictly
-conforming to
+conforming to
the C standard, one cannot assert that the C compiler will not in fact generate
code provoking a runtime error in this case, since it is allowed to do so.
-%% In fact, for an expression such as \lstinline|x/y| (for \lstinline|int x,y|),
-%% the execution will most likely result in a floating point exception
-%% when \lstinline|x = -2147483648, y = -1| (the result is \lstinline|2147483648|, which overflows).
+%% In fact, for an expression such as \lstinline|x/y| (for \lstinline|int x,y|),
+%% the execution will most likely result in a floating point exception
+%% when \lstinline|x = -2147483648, y = -1| (the result is \lstinline|2147483648|, which overflows).
Also note that from a security analysis point of view, an undefined behavior
leading to a runtime error classifies as a denial of service (since the program
terminates), while a signed integer overflow may very well lead to buffer
@@ -122,7 +125,7 @@ by making such wide-ranging and easily checkable assumptions. {\bf Therefore
representation.}
%% value analysis makes the same assumption; also see value analyse manual 4.4.1
-%% Frama-C is not intended to work on non ISO conforming inputs (?),
+%% Frama-C is not intended to work on non ISO conforming inputs (?),
%% but conforming programs may still produce undefined behaviors. Well ...
\section{Other annotations generated}
@@ -277,7 +280,7 @@ int main(void) {
\end{listing-nonumber}
\smallskip
-is in fact equivalent to:
+is in fact equivalent to:
\smallskip
\begin{listing-nonumber}
@@ -312,7 +315,7 @@ whenever the result falls outside the range \lstinline|[-128,127]|. Thus, with
a single annotation, the \rte{} plug-in prevents both an undefined behavior
(signed overflow) and an implementation defined behavior (signed downcasting).
Note that the annotation for signed downcasting always entails the annotation
-for signed overflow.
+for signed overflow.
\subsection{Unary minus}
@@ -430,7 +433,7 @@ z = x >> y;
\section{Left-values access}
-Dereferencing a pointer is an undefined behavior if:
+Dereferencing a pointer is an undefined behavior if:
\begin{itemize}
\item the pointer has an invalid value: null pointer, misaligned address for the
@@ -443,7 +446,7 @@ Dereferencing a pointer is an undefined behavior if:
\end{itemize}
The \rte{} plug-in generates annotations to prevent this type of undefined
-behavior in a systematic way. It does so by deferring the check to the ACSL
+behavior in a systematic way. It does so by deferring the check to the \acsl{}
built-in predicate \lstinline|valid(p)|: \lstinline|valid(s)| (where
\lstinline|s| is a set of terms) holds if and only if dereferencing any
$\lstinline|p| \in \lstinline|s|$ is safe (i.e. points to a safely allocated
@@ -511,7 +514,7 @@ int main(void) {
}
\end{listing-nonumber}
-% Note that in the call \lstinline|f(tab)|, the implicit conversion from array \lstinline|tab| to a pointer to the beginning of the array
+% Note that in the call \lstinline|f(tab)|, the implicit conversion from array \lstinline|tab| to a pointer to the beginning of the array
% \lstinline|&tab[0]| introduces a pointer dereferencing and thus the annotation \lstinline|\valid((int*) tab)|, which is equivalent to
% \lstinline|\valid(&tab[0])|.
@@ -576,7 +579,7 @@ offers a way to generate assertions preventing unsigned arithmetic operations to
overflow ({\it i.e.} involving computation of a modulo).
Operations which are considered by \rte{} regarding unsigned overflows are
-addition, subtraction, multiplication. Negation (unary minus), left shift.
+addition, subtraction, multiplication. Negation (unary minus), left shift.
and right shift are not considered. The generated assertion requires the result
of the operation (in non-modular arithmetic) to be less than the maximal
representable value of its type, and nonnegative (for subtraction).
@@ -594,7 +597,7 @@ unsigned int f(unsigned int a, unsigned int b) {
}
\end{listing-nonumber}
-To generate assertions w.r.t. unsigned overflows, options
+To generate assertions w.r.t. unsigned overflows, options
\lstinline|-warn-unsigned-overflow| must be used. Here is the resulting
file on a 32 bits target architecture (\lstinline|-machdep x86_32|):
\begin{listing-nonumber}
@@ -681,7 +684,7 @@ int f(float v) {
\section{Expressions not considered by \rte{}}
An expression which is the operand of a \lstinline|sizeof| (or
-\lstinline|__alignof|, a GCC operator parsed by Cil) is ignored by \rte{}, as
+\lstinline|__alignof|, a \gcc{} operator parsed by Cil) is ignored by \rte{}, as
are all its sub-expressions. This is an approximation, since the operand of
\lstinline|sizeof| may sometimes be evaluated at runtime, for instance on
variable sized arrays: see the example in \cnn{} paragraph \mbox{6.5.3.4.7}.
@@ -710,7 +713,7 @@ preprocessing:
\begin{listing-nonumber}
typedef unsigned long size_t;
-/* compiler builtin:
+/* compiler builtin:
void *__builtin_alloca(unsigned int); */
size_t fsize3(int n)
{
@@ -738,6 +741,60 @@ int main(void)
\end{example}
+\section{Initialization}
+
+Reading an uninitialized value can be an undefined behavior in the two following
+cases:
+
+\begin{itemize}
+\item \mbox{ISO C11 6.3.2.1}\footnote{here we use C11 as it is clearer than C99}
+ a variable whose address is never taken is read before being initialized,
+\item a memory location that has never been initialized is read and it happens
+ that it was a trap representation for the type used for the access.
+\end{itemize}
+
+More generally, reading an uninitialized location always results in an
+indeterminate value (\mbox{6.7.9.10}). Such a value is either an unspecified
+value or a trap representation. Only reading a trap representation is an
+undefined behavior (\mbox{6.2.6.1.5}). It corresponds to the second case above.
+
+However for (most) types that do not have trap representation, reading an
+unspecified value is generally not a desirable behavior. Thus, \rte{} is
+stricter than the ISO C on many aspects and delegates one case of undefined
+behavior to the use of compiler warnings. We now detail the chosen tradeoff.
+
+If a value of a fundamental type (integers, floating point types, pointers, or
+a typedef of those) is read, it must be initialized except if it is a formal
+parameter or a global variable. We exclude formal parameters as its
+initialization status must be checked at the call point (\rte{} generates an
+annotation for this). We exclude global variables as they are initialized by
+default and any value stored in this variable must be initialized (\rte{}
+generates an annotation for this).
+
+As structures and unions never have trap representation, they can (and they are
+regularly) be manipulated while being partially initialized. Consequently,
+\rte{} does not require initialization for reads of a full union or structure
+(while reading fields with fundamental types is covered by the previous paragraph).
+As a consequence, the case of structures and unions \textit{whose address is
+ never taken, and being read before being initialized} is \textbf{not} covered
+by \rte{}. It is worth noting that
+this particular case is efficiently detected by a compiler warning (see
+\lstinline{-Wuninitialized} on \gcc{} and \clang{} for example) as it only
+requires local reasoning that is easy for compilers (but not that simple to
+express in \acsl{}).
+
+If you really need \rte{} to cover the previous case, please contact the
+Frama-C team.
+
+Finally, there are some cases when reading uninitialized values via a type that
+cannot have trap representation (for example \lstinline{unsigned char}) should
+be allowed, for example writing a \lstinline{memcpy} function. In this case, one
+can exclude this function from the range of function annotated with
+initialization properties by removing them from the set of functions to annotate
+(e.g. \lstinline{-rte-initialized="@all,-f"}). Note that the excluded functions
+must preserve the initialization of globals, as no assertions are generated for
+them.
+
\section{Undefined behaviors not covered by \rte{}}
One should be aware that \rte{} only covers a small subset of all possible
@@ -753,22 +810,16 @@ considered:
producing a value outside of the representable range (\cnn{} 6.3.1.5)
\item Conversion between two pointer types produces a result that is incorrectly
aligned (\cnn{} 6.3.2.3)
-\item Use of a variable with automatic storage duration before its
- initialization (\cnn{} 6.7.8.10): such a variable has an indeterminate value
-%% technically, not an undefined behavior (does not appear in the list of undefined behavior in
-%% the relevant ANSI C ISO annex), but can as well be considered as one ;
-%% not treated by plug-in because too many annotations would be generated
-%% unless some dataflow analysis is performed
\end{itemize}
%% \Section{Others}
%% ISO 6.3.1.3 / 6.3.1.4 / 6.3.1.5
%% convert an integer type to another signed integer type that cannot represent its value: implementation defined.
%% convert a real floating type to an integer: if the value of the integral part cannot be represented by the integer type, undefined.
-%% convert an integer to a real floating type :
-%% if the value being converted is outside the range of values that can be represented,
-%% undefined (does not happen with IEEE floating types, event if real floating = float and integer type = unsigned long long).
-%% If in range but not exact, round to nearest higher or nearest lower representable value (implementation defined).
+%% convert an integer to a real floating type :
+%% if the value being converted is outside the range of values that can be represented,
+%% undefined (does not happen with IEEE floating types, event if real floating = float and integer type = unsigned long long).
+%% If in range but not exact, round to nearest higher or nearest lower representable value (implementation defined).
%% Value analysis rounds to nearest lower silently (?).
%% demote a real floating type to another and procuce a value outside the range = undefined
@@ -800,7 +851,7 @@ unsigned overflows\\
unsigned integer downcast\\
\hline
\lstinline|-warn-signed-overflow| & boolean (true) & Generate annotations for
-signed overflows \\
+signed overflows \\
\hline
\lstinline|-warn-signed-downcast| & boolean (false) & Generate annotations for
signed integer downcast \\
@@ -836,24 +887,32 @@ invalid pointer arithmetic \\
\hline
\lstinline|-rte| & boolean (false) & Enable \rte{} plug-in \\
\hline
-\lstinline|-rte-div| & boolean (false) & Generate annotations for division by
+\lstinline|-rte-div| & boolean (true) & Generate annotations for division by
zero \\
\hline
-\lstinline|-rte-shift| & boolean (false) & Generate annotations for left and right shift value out of bounds \\
-\hline
-\lstinline |-rte-mem| & boolean (false) & Generate annotations for validity of
-left-values access \\
-\hline
\lstinline |-rte-float-to-int| & boolean (true) & Generate annotations for
casts from floating-point to integer \\
\hline
-\lstinline |-rte-trivial-annotations| & boolean (true) & Generate all annotations even when they trivially hold \\
+\lstinline |-rte-initialized| & set of function (none) & Generate annotations
+for initialization for the given set of functions \\
\hline
-\lstinline |-rte-warn| & boolean (true) & Emit warning on broken annotations \\
+\lstinline |-rte-mem| & boolean (true) & Generate annotations for validity of
+left-values access \\
+\hline
+\lstinline |-rte-pointer-call| & boolean (true) & Generate annotations for
+validity of calls via function pointers \\
+\hline
+\lstinline|-rte-shift| & boolean (true) & Generate annotations for left and
+right shift value out of bounds \\
\hline
\lstinline |-rte-select| & set of function (all) & Run plug-in on a subset of C
functions \\
\hline
+\lstinline |-rte-trivial-annotations| & boolean (false) & Generate all
+annotations even when they trivially hold \\
+\hline
+\lstinline |-rte-warn| & boolean (true) & Emit warning on broken annotations \\
+\hline
\end{tabular}
\caption{\rte{} options} \label{options}
\end{center}
diff --git a/src/plugins/rte/flags.ml b/src/plugins/rte/flags.ml
index 36198afe973c165629266594f7690e1093b2c23f..d452b81ad736a37d46dcded3d3a4e97cfbe09dd5 100644
--- a/src/plugins/rte/flags.ml
+++ b/src/plugins/rte/flags.ml
@@ -26,7 +26,7 @@
type t = {
remove_trivial: bool;
- initialized: bool;
+ initialized: Kernel_function.Set.t ;
mem_access: bool;
div_mod: bool;
shift: bool;
@@ -44,9 +44,10 @@ type t = {
bool_value: bool;
}
-let all = {
+let all () = {
remove_trivial = true;
- initialized = true;
+ initialized =
+ Globals.Functions.fold Kernel_function.Set.add Kernel_function.Set.empty;
mem_access = true;
div_mod = true;
shift = true;
@@ -66,7 +67,7 @@ let all = {
let none = {
remove_trivial = false;
- initialized = false;
+ initialized = Kernel_function.Set.empty;
mem_access = false;
div_mod = false;
shift = false;
@@ -87,7 +88,7 @@ let none = {
(* Which annotations should be added,
from local options, or deduced from the options of RTE and the kernel *)
-let option (get : unit -> bool) = function None -> get () | Some flag -> flag
+let option get = function None -> get () | Some flag -> flag
let default
?remove_trivial
diff --git a/src/plugins/rte/flags.mli b/src/plugins/rte/flags.mli
index f294c8f49d5b3a34650919af663909c3ec8d8cd8..b36711a37e01b07ee90e856f2847359654c8d673 100644
--- a/src/plugins/rte/flags.mli
+++ b/src/plugins/rte/flags.mli
@@ -28,7 +28,7 @@
a category of alarms will be visited or not. *)
type t = {
remove_trivial: bool;
- initialized: bool;
+ initialized: Kernel_function.Set.t ;
mem_access: bool;
div_mod: bool;
shift: bool;
@@ -49,7 +49,7 @@ type t = {
(** Defaults flags are taken from the Kernel and RTE plug-in options. *)
val default :
?remove_trivial:bool ->
- ?initialized:bool ->
+ ?initialized:Kernel_function.Set.t ->
?mem_access:bool ->
?div_mod:bool ->
?shift:bool ->
@@ -67,10 +67,10 @@ val default :
?bool_value:bool ->
unit -> t
-(** All flags set to [true]. *)
-val all : t
+(** All flags set to [true], [@all] for [initialized] *)
+val all : unit -> t
-(** All flags set to [false]. *)
+(** All flags set to [false], [empty] for [initialized] *)
val none : t
(* -------------------------------------------------------------------------- *)
diff --git a/src/plugins/rte/options.ml b/src/plugins/rte/options.ml
index 3b962761670da3de9b97e252709370605e9f1781..2e5b4d55f5bcf4ebc6b571d5a95459e2ac1ba08c 100644
--- a/src/plugins/rte/options.ml
+++ b/src/plugins/rte/options.ml
@@ -64,11 +64,13 @@ module DoFloatToInt =
(* annotates local variables and pointers read (aside from globals) initialization *)
module DoInitialized =
- False
+ Kernel_function_set
(struct
let option_name = "-rte-initialized"
- let help = "when on, annotates local variables and pointers \
- reads with initialization tests"
+ let arg_name = "fct"
+ let help = "for each function in 'fct', annotates reads of non struct or \
+ union values from local variables and pointers with \
+ initialization tests, see documentation for more details"
end)
(* annotates invalid memory access (undefined behavior) *)
diff --git a/src/plugins/rte/options.mli b/src/plugins/rte/options.mli
index 9dea4f6c0af9730d05bff45e197441555317dfa7..d2d78c6e139f56faf130d6bc25c0ebfb93421905 100644
--- a/src/plugins/rte/options.mli
+++ b/src/plugins/rte/options.mli
@@ -27,7 +27,7 @@ module Enabled: Parameter_sig.Bool
module DoShift : Parameter_sig.Bool
module DoDivMod : Parameter_sig.Bool
module DoFloatToInt : Parameter_sig.Bool
-module DoInitialized : Parameter_sig.Bool
+module DoInitialized : Parameter_sig.Kernel_function_set
module DoMemAccess : Parameter_sig.Bool
module DoPointerCall : Parameter_sig.Bool
diff --git a/src/plugins/rte/register.ml b/src/plugins/rte/register.ml
index 984734d10d4f48c9efec18dca89db440091b85c0..75b8dba172cb181233de116ec621dbbb86fb436c 100644
--- a/src/plugins/rte/register.ml
+++ b/src/plugins/rte/register.ml
@@ -28,7 +28,7 @@
function *)
let do_all_rte kf =
let flags =
- { Flags.all with
+ { (Flags.all ()) with
Flags.signed_downcast = false;
unsigned_downcast = false; }
in
@@ -38,7 +38,7 @@ let do_all_rte kf =
function *)
let do_rte kf =
let flags =
- { Flags.all with
+ { (Flags.all ()) with
Flags.unsigned_overflow = false;
signed_downcast = false;
unsigned_downcast = false; }
diff --git a/src/plugins/rte/rte.ml b/src/plugins/rte/rte.ml
index a18ad38795dd189971f39328df512a561bc61a45..b1d99f4d05903c1c5a1271ab1f66c6c8792fe92f 100644
--- a/src/plugins/rte/rte.ml
+++ b/src/plugins/rte/rte.ml
@@ -106,50 +106,22 @@ let lval_assertion ~read_only ~remove_trivial ~on_alarm lv =
(* assertion for lvalue initialization *)
let lval_initialized_assertion ~remove_trivial:_ ~on_alarm lv =
- let rec check_array_initialized default off typ in_struct l =
- match off with
- | NoOffset ->
- begin
- match typ with
- | TComp({cstruct = false; cfields; cname} ,_,_) ->
- (match cfields with
- | None ->
- Options.fatal
- "Access to an object of undefined union %a"
- Printer.pp_varname cname
- | Some [] -> () (* empty union, supported by gcc with size 0.
- Trivially initialized. *)
- | Some l ->
- let llv =
- List.map
- (fun fi -> Cil.addOffsetLval (Field (fi, NoOffset)) lv) l
- in
- if default then
- on_alarm ~invalid:false (Alarms.Uninitialized_union llv))
- | _ ->
- if default then
- on_alarm ~invalid:false (Alarms.Uninitialized lv)
- end
- | Field (fi, off) ->
- (* Mark that we went through a struct field, then recurse *)
- check_array_initialized default off fi.ftype true l
- | Index (_e, off) ->
- match Cil.unrollType typ with
- | TArray (bt, Some _size, _, _) ->
- check_array_initialized true off bt in_struct l
- | TArray (bt, None, _, _) -> check_array_initialized true off bt in_struct l
- | _ -> assert false
- in
-
+ let typ = Cil.typeOfLval lv in
match lv with
- | Var vi , off ->
- let loc = fst vi.vdecl in
- let ignored_cases = vi.vglob || vi.vformal || vi.vtemp in
- check_array_initialized (not ignored_cases) off vi.vtype false loc
- | (Mem e as lh), off ->
- let loc = fst e.eloc in
- if not (Cil.isFunctionType (Cil.typeOfLval lv)) then
- check_array_initialized true off (Cil.typeOfLhost lh) false loc
+ | Var vi, NoOffset ->
+ (** Note: here [lv] has structure/union type or fundamental type.
+ We exclude structures and unions. And for fundamental types:
+ - globals (initialized and then only written with initialized values)
+ - formals (checked at function call)
+ - temporary variables (initialized during AST normalization)
+ *)
+ if not (vi.vglob || vi.vformal || vi.vtemp)
+ && not (Cil.isStructOrUnionType typ)
+ then
+ on_alarm ~invalid:false (Alarms.Uninitialized lv)
+ | _ ->
+ if not (Cil.isFunctionType typ || Cil.isStructOrUnionType typ) then
+ on_alarm ~invalid:false (Alarms.Uninitialized lv)
(* assertion for unary minus signed overflow *)
let uminus_assertion ~remove_trivial ~on_alarm exp =
diff --git a/src/plugins/rte/visit.ml b/src/plugins/rte/visit.ml
index aaa5dc814d71be46decfdcb5cae92da1f7ed51f9..d7778383f58cd0e596b43f7e09d75669a43adb54 100644
--- a/src/plugins/rte/visit.ml
+++ b/src/plugins/rte/visit.ml
@@ -51,7 +51,8 @@ class annot_visitor kf flags on_alarm = object (self)
r
method private do_initialized () =
- flags.Flags.initialized && not (Generator.Initialized.is_computed kf)
+ Kernel_function.Set.mem kf flags.Flags.initialized
+ && not (Generator.Initialized.is_computed kf)
method private do_mem_access () =
flags.Flags.mem_access && not (Generator.Mem_access.is_computed kf)
@@ -149,7 +150,7 @@ class annot_visitor kf flags on_alarm = object (self)
(Rte.lval_assertion ~read_only:Alarms.For_writing) ret
- method private check_uchar_assign dest src =
+ method private check_assigned dest =
if self#do_mem_access () then begin
Options.debug "lval %a: validity of potential mem access checked\n"
Printer.pp_lval dest;
@@ -157,20 +158,11 @@ class annot_visitor kf flags on_alarm = object (self)
(Rte.lval_assertion ~read_only:Alarms.For_writing)
dest
end;
- begin match src.enode with
- | Lval src_lv ->
- let typ1 = Cil.typeOfLval src_lv in
- let typ2 = Cil.typeOfLval dest in
- let isUChar t = Cil.isUnsignedInteger t && Cil.isAnyCharType t in
- if isUChar typ1 && isUChar typ2 then
- self#mark_to_skip_initialized src_lv
- | _ -> ()
- end ;
Cil.DoChildren
(* assigned left values are checked for valid access *)
method! vinst = function
- | Set (lval,exp,_) -> self#check_uchar_assign lval exp
+ | Set (lval,_,_) -> self#check_assigned lval
| Call (ret_opt,funcexp,argl,_) ->
(* Do not emit alarms on Eva builtins such as Frama_C_show_each, that should
have no effect on analyses. *)
@@ -207,8 +199,8 @@ class annot_visitor kf flags on_alarm = object (self)
let do_call lv _e _args _loc = self#treat_call lv in
Cil.treat_constructor_as_func do_call v f args kind loc;
Cil.DoChildren
- | Local_init (v,AssignInit (SingleInit exp),_) ->
- self#check_uchar_assign (Cil.var v) exp
+ | Local_init (v,AssignInit (SingleInit _),_) ->
+ self#check_assigned (Cil.var v)
| Local_init (_,AssignInit _,_)
| Asm _ | Skip _ | Code_annot _ -> Cil.DoChildren
@@ -309,7 +301,8 @@ class annot_visitor kf flags on_alarm = object (self)
self#generate_assertion
(Rte.lval_assertion ~read_only:Alarms.For_reading) lval
end;
- if self#do_initialized () && not (self#must_skip_initialized lval) then begin
+ if self#do_initialized ()
+ && not (self#must_skip_initialized lval) then begin
Options.debug
"exp %a is an lval: initialization of potential mem access checked"
Printer.pp_exp exp;
@@ -460,7 +453,8 @@ let annotate ?flags kf =
let (|||) a b = a || b in
let open Generator in
let open Flags in
- if comp Initialized.accessor flags.initialized |||
+ if comp Initialized.accessor
+ (not @@ Kernel_function.Set.is_empty flags.initialized) |||
comp Mem_access.accessor flags.mem_access |||
comp Pointer_value.accessor flags.pointer_value |||
comp Pointer_call.accessor flags.pointer_call |||
diff --git a/tests/rte/initialized-ignore-fct.i b/tests/rte/initialized-ignore-fct.i
new file mode 100644
index 0000000000000000000000000000000000000000..af2e03209b9f14dba64a1a48c7c00dd2a8fa6f0a
--- /dev/null
+++ b/tests/rte/initialized-ignore-fct.i
@@ -0,0 +1,13 @@
+/* run.config
+ OPT: -rte -rte-initialized="@all" -print
+ OPT: -rte -rte-initialized="@all,-f1" -print
+*/
+
+int f1(void){
+ int i = 0 ;
+ return i ;
+}
+int f2(void){
+ int i = 0 ;
+ return i ;
+}
diff --git a/tests/rte/initialized.c b/tests/rte/initialized.c
index 87354bc7e8de9438179420a6d19255e5f179eaa1..ea9c6ed25e034a6a793d9bb3ddcc78d1bd87009e 100644
--- a/tests/rte/initialized.c
+++ b/tests/rte/initialized.c
@@ -1,5 +1,5 @@
/* run.config
- OPT: -rte -rte-initialized -warn-signed-overflow -print
+ OPT: -rte -rte-initialized="@all" -warn-signed-overflow -print
*/
struct R {
@@ -32,9 +32,9 @@ int g()
}
/* Formals */
-int f (struct P*** pppp, struct P** ppp, struct P* pp, struct P p, struct P p2,
+int f (struct P*** pppp, struct P** ppp, struct P* pp, struct P p, struct P p2,
int v, struct Q q, int *i, int *j, int i0, int i1, int i2, int i3, int i4, double f_0)
-{
+{
i0 = 0;
i1 = 1;
i2 = 2;
@@ -62,7 +62,7 @@ int f (struct P*** pppp, struct P** ppp, struct P* pp, struct P p, struct P p2,
v = p.id[3];
v = pp->id[3];
-
+
v = *i;
v = pp->val;
v = pp->id[3];
@@ -134,7 +134,7 @@ int main() {
v = p.id[3];
v = pp->id[3];
-
+
v = *i;
v = pp->val;
v = pp->id[3];
@@ -163,6 +163,9 @@ int main() {
v = p.val;
v = p.tq[i0][i1].v;
+ /** Note: Frama-C is stricter than ISO C : potential indeterminate values are
+ * considered as alarms even for types without trap representation.
+ */
c1 = c2;
unsigned char c3 = c2;
return v;
diff --git a/tests/rte/initialized_union.c b/tests/rte/initialized_union.c
index 9f7b960688c1a9ace5860925922cd5b8e7dc032c..666907264d3d2227cd1ab0c80ac51d140e3cae86 100644
--- a/tests/rte/initialized_union.c
+++ b/tests/rte/initialized_union.c
@@ -1,6 +1,6 @@
/* run.config
- OPT: -rte -rte-initialized -warn-signed-overflow -print
- OPT: -cpp-extra-args="-DEMPTY" -machdep gcc_x86_64 -rte -rte-initialized -warn-signed-overflow -print
+ OPT: -rte -rte-initialized="@all" -warn-signed-overflow -print
+ OPT: -cpp-extra-args="-DEMPTY" -machdep gcc_x86_64 -rte -rte-initialized="@all" -warn-signed-overflow -print
*/
union U {
diff --git a/tests/rte/oracle/initialized-ignore-fct.0.res.oracle b/tests/rte/oracle/initialized-ignore-fct.0.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..2e8fc2c9c5ed4fa0f973424cb95004144bee5499
--- /dev/null
+++ b/tests/rte/oracle/initialized-ignore-fct.0.res.oracle
@@ -0,0 +1,19 @@
+[kernel] Parsing tests/rte/initialized-ignore-fct.i (no preprocessing)
+[rte] annotating function f1
+[rte] annotating function f2
+/* Generated by Frama-C */
+int f1(void)
+{
+ int i = 0;
+ /*@ assert rte: initialization: \initialized(&i); */
+ return i;
+}
+
+int f2(void)
+{
+ int i = 0;
+ /*@ assert rte: initialization: \initialized(&i); */
+ return i;
+}
+
+
diff --git a/tests/rte/oracle/initialized-ignore-fct.1.res.oracle b/tests/rte/oracle/initialized-ignore-fct.1.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..4367d54cd9afdc56c95470bd8ad584c50deb5a66
--- /dev/null
+++ b/tests/rte/oracle/initialized-ignore-fct.1.res.oracle
@@ -0,0 +1,18 @@
+[kernel] Parsing tests/rte/initialized-ignore-fct.i (no preprocessing)
+[rte] annotating function f1
+[rte] annotating function f2
+/* Generated by Frama-C */
+int f1(void)
+{
+ int i = 0;
+ return i;
+}
+
+int f2(void)
+{
+ int i = 0;
+ /*@ assert rte: initialization: \initialized(&i); */
+ return i;
+}
+
+
diff --git a/tests/rte/oracle/initialized.res.oracle b/tests/rte/oracle/initialized.res.oracle
index 9293f495cd76f9f487024c6ea026e2786dd966a9..826e38c81816d703d4685746dcc89fc59638112d 100644
--- a/tests/rte/oracle/initialized.res.oracle
+++ b/tests/rte/oracle/initialized.res.oracle
@@ -85,9 +85,10 @@ int f(struct P ***pppp_0, struct P **ppp_0, struct P *pp_0, struct P p_0,
/*@ assert rte: index_bound: i3_0 < 5; */
/*@ assert rte: initialization: \initialized(&p_0.id[i3_0]); */
p_0.id[i1_0] = p_0.id[i3_0];
+ /*@ assert rte: initialization: \initialized(&p_0.next); */
/*@ assert rte: mem_access: \valid_read(p_0.next); */
- /*@ assert rte: initialization: \initialized(p_0.next); */
struct P np = *(p_0.next);
+ /*@ assert rte: initialization: \initialized(&p_0.next); */
struct P *npp = p_0.next;
/*@ assert rte: initialization: \initialized(&npp); */
p_0.next = npp;
@@ -189,6 +190,7 @@ int f(struct P ***pppp_0, struct P **ppp_0, struct P *pp_0, struct P p_0,
\initialized(&((p_0.nexts[i1_0][i2_0])->nexts[i3_0][*i_0])->id[i4_0]);
*/
v_0 = ((p_0.nexts[i1_0][i2_0])->nexts[i3_0][*i_0])->id[i4_0];
+ /*@ assert rte: initialization: \initialized(&p_0.q.v); */
v_0 = p_0.q.v;
/*@ assert rte: index_bound: 0 ≤ i4_0; */
/*@ assert rte: index_bound: i4_0 < 12; */
@@ -225,6 +227,7 @@ int f(struct P ***pppp_0, struct P **ppp_0, struct P *pp_0, struct P p_0,
/*@ assert rte: mem_access: \valid_read(&pp_0->tq[i3_0][i1_0].v); */
/*@ assert rte: initialization: \initialized(&pp_0->tq[i3_0][i1_0].v); */
v_0 = pp_0->tq[i3_0][i1_0].v;
+ /*@ assert rte: initialization: \initialized(&p_0.znexts); */
/*@ assert rte: mem_access: \valid_read(p_0.znexts + i0_0); */
/*@ assert rte: initialization: \initialized(p_0.znexts + i0_0); */
/*@ assert rte: mem_access: \valid_read(*(p_0.znexts + i0_0) + i1_0); */
@@ -243,7 +246,6 @@ int f(struct P ***pppp_0, struct P **ppp_0, struct P *pp_0, struct P p_0,
/*@ assert rte: index_bound: i0_0 < 10; */
/*@ assert rte: index_bound: 0 ≤ i1_0; */
/*@ assert rte: index_bound: i1_0 < 11; */
- /*@ assert rte: initialization: \initialized(&p_0.tq[i0_0][i1_0]); */
q_0 = p_0.tq[i0_0][i1_0];
/*@ assert rte: index_bound: 0 ≤ i0_0; */
/*@ assert rte: index_bound: i0_0 < 10; */
@@ -258,6 +260,7 @@ int f(struct P ***pppp_0, struct P **ppp_0, struct P *pp_0, struct P p_0,
/*@ assert rte: mem_access: \valid_read(&pp_0->val); */
/*@ assert rte: initialization: \initialized(&pp_0->val); */
v_0 = pp_0->val;
+ /*@ assert rte: initialization: \initialized(&p_0.val); */
v_0 = p_0.val;
/*@ assert rte: index_bound: 0 ≤ i0_0; */
/*@ assert rte: index_bound: i0_0 < 10; */
@@ -329,9 +332,10 @@ int main(void)
/*@ assert rte: index_bound: i3 < 5; */
/*@ assert rte: initialization: \initialized(&p.id[i3]); */
p.id[i1] = p.id[i3];
+ /*@ assert rte: initialization: \initialized(&p.next); */
/*@ assert rte: mem_access: \valid_read(p.next); */
- /*@ assert rte: initialization: \initialized(p.next); */
struct P np = *(p.next);
+ /*@ assert rte: initialization: \initialized(&p.next); */
struct P *npp = p.next;
/*@ assert rte: initialization: \initialized(&p.id[3]); */
v = p.id[3];
@@ -422,6 +426,7 @@ int main(void)
\initialized(&((p.nexts[i1][i2])->nexts[i3][*i])->id[i4]);
*/
v = ((p.nexts[i1][i2])->nexts[i3][*i])->id[i4];
+ /*@ assert rte: initialization: \initialized(&p.q.v); */
v = p.q.v;
/*@ assert rte: index_bound: 0 ≤ i4; */
/*@ assert rte: index_bound: i4 < 12; */
@@ -456,6 +461,7 @@ int main(void)
/*@ assert rte: mem_access: \valid_read(&pp->tq[i3][i1].v); */
/*@ assert rte: initialization: \initialized(&pp->tq[i3][i1].v); */
v = pp->tq[i3][i1].v;
+ /*@ assert rte: initialization: \initialized(&p.znexts); */
/*@ assert rte: mem_access: \valid_read(p.znexts + i0); */
/*@ assert rte: initialization: \initialized(p.znexts + i0); */
/*@ assert rte: mem_access: \valid_read(*(p.znexts + i0) + i1); */
@@ -472,7 +478,6 @@ int main(void)
/*@ assert rte: index_bound: i0 < 10; */
/*@ assert rte: index_bound: 0 ≤ i1; */
/*@ assert rte: index_bound: i1 < 11; */
- /*@ assert rte: initialization: \initialized(&p.tq[i0][i1]); */
q = p.tq[i0][i1];
/*@ assert rte: index_bound: 0 ≤ i0; */
/*@ assert rte: index_bound: i0 < 10; */
@@ -485,6 +490,7 @@ int main(void)
/*@ assert rte: mem_access: \valid_read(&pp->val); */
/*@ assert rte: initialization: \initialized(&pp->val); */
v = pp->val;
+ /*@ assert rte: initialization: \initialized(&p.val); */
v = p.val;
/*@ assert rte: index_bound: 0 ≤ i0; */
/*@ assert rte: index_bound: i0 < 10; */
@@ -492,7 +498,9 @@ int main(void)
/*@ assert rte: index_bound: i1 < 11; */
/*@ assert rte: initialization: \initialized(&p.tq[i0][i1].v); */
v = p.tq[i0][i1].v;
+ /*@ assert rte: initialization: \initialized(&c2); */
c1 = c2;
+ /*@ assert rte: initialization: \initialized(&c2); */
unsigned char c3 = c2;
return v;
}
diff --git a/tests/rte/oracle/initialized_union.0.res.oracle b/tests/rte/oracle/initialized_union.0.res.oracle
index 550af6851cec53470d701c3d2f199ed35c5a03e1..49509af6ee58a9fe8f75d941276db39f1cc397b2 100644
--- a/tests/rte/oracle/initialized_union.0.res.oracle
+++ b/tests/rte/oracle/initialized_union.0.res.oracle
@@ -30,37 +30,15 @@ int main(void)
struct S s1;
struct S s2;
u_local1.c = (char)1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u_local1.c) ∨ \initialized(&u_local1.i) ∨
- \initialized(&u_local1.f);
- */
u_local2 = u_local1;
/*@ assert rte: initialization: \initialized(&u_local1.i); */
u2_local1.i2 = u_local1.i;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u2_local1.i1) ∨ \initialized(&u2_local1.i2);
- */
u2_local2 = u2_local1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u_local1.c) ∨ \initialized(&u_local1.i) ∨
- \initialized(&u_local1.f);
- */
u3_local1.u = u_local1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u3_local1.u) ∨ \initialized(&u3_local1.u2);
- */
u3_local2 = u3_local1;
+ /*@ assert rte: initialization: \initialized(&u_global.f); */
double f = u_global.f;
s1.u.c = (char)'a';
- /*@ assert
- rte: initialization_of_union:
- \initialized(&s1.u.c) ∨ \initialized(&s1.u.i) ∨
- \initialized(&s1.u.f);
- */
s2.u = s1.u;
__retres = 0;
/*@ assert rte: initialization: \initialized(&__retres); */
diff --git a/tests/rte/oracle/initialized_union.1.res.oracle b/tests/rte/oracle/initialized_union.1.res.oracle
index ce2e6dd9cf59727c30be247f90aff0adf9574e0d..d738022aa908c028e71c4adee346f0bedab6ec46 100644
--- a/tests/rte/oracle/initialized_union.1.res.oracle
+++ b/tests/rte/oracle/initialized_union.1.res.oracle
@@ -34,37 +34,15 @@ int main(void)
struct S s1;
struct S s2;
u_local1.c = (char)1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u_local1.c) ∨ \initialized(&u_local1.i) ∨
- \initialized(&u_local1.f);
- */
u_local2 = u_local1;
/*@ assert rte: initialization: \initialized(&u_local1.i); */
u2_local1.i2 = u_local1.i;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u2_local1.i1) ∨ \initialized(&u2_local1.i2);
- */
u2_local2 = u2_local1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u_local1.c) ∨ \initialized(&u_local1.i) ∨
- \initialized(&u_local1.f);
- */
u3_local1.u = u_local1;
- /*@ assert
- rte: initialization_of_union:
- \initialized(&u3_local1.u) ∨ \initialized(&u3_local1.u2);
- */
u3_local2 = u3_local1;
+ /*@ assert rte: initialization: \initialized(&u_global.f); */
double f = u_global.f;
s1.u.c = (char)'a';
- /*@ assert
- rte: initialization_of_union:
- \initialized(&s1.u.c) ∨ \initialized(&s1.u.i) ∨
- \initialized(&s1.u.f);
- */
s2.u = s1.u;
union empty e1 = e;
__retres = 0;