Feedback about value analysis degeneration
ID0001221: This issue was created automatically from Mantis Issue 1221. Further discussion may take place here.
| Id | Project | Category | View | Due Date | Updated |
|---|---|---|---|---|---|
| ID0001221 | Frama-C | Plug-in > Eva | public | 2012-06-26 | 2012-07-03 |
| Reporter | Anne | Assigned To | pascal | Resolution | no change required |
| Priority | normal | Severity | feature | Reproducibility | have not tried |
| Platform | - | OS | - | OS Version | - |
| Product Version | Frama-C Nitrogen-20111001 | Target Version | - | Fixed in Version | - |
Description :
It would be great to have more information about the reasons why the value analysis degenerates in some cases. For instance : $ frama-c -val toto.c with : int main (int argc, char * argv []) { char * s1 = argv[1]; char * s2 = argv[2]; return 0; } gives : toto.c:2:[kernel] warning: out of bounds read. assert \valid(argv+1); toto.c:3:[kernel] warning: out of bounds read. assert \valid(argv+2); [value] Recording results for main [value] done for function main [value] ====== VALUES COMPUTED ====== [value] Values for function main: NON TERMINATING FUNCTION
I know now that I have to use -context-width, but it is not easy to guess from the value analysis output, especially if we don't know if the function doesn't terminate for other reasons... Would it be possible to give the first statement where the state is BOTTOM for instance : this would be a hint.