Frama-C - Get function input value through command line - static-analysis

Analysing the code below on GUI, it is possible check the input values of the function div0.
int div0(int x, int y)
{
return (x/y);
}
int main()
{
int res;
int a = 4;
int b = 2;
res = div0(a,b);
return 0;
}
Is it possible get this value through command line?

The simplest approach in your case is to insert calls to Frama_C_show_each, which is a special Frama-C builtin function that prints the internal Eva state for the given expressions, each time the interpreter passes through the program point. For instance:
int div0(int x, int y)
{
Frama_C_show_each_div0(x, y);
return (x/y);
}
Running frama-c -eva on the modified program will print:
[eva] file.c:3: Frama_C_show_each_div0: {4}, {2}
You can choose the suffix after Frama_C_show_each for each line you want. For instance, if you prefer to print each variable separately:
int div0(int x, int y)
{
Frama_C_show_each_x(x);
Frama_C_show_each_y(y);
return (x/y);
}
Will print instead:
[eva] file.c:3: Frama_C_show_each_x: {4}
[eva] file.c:4: Frama_C_show_each_y: {2}
For a more complex situation, or to avoid modifying the source code, other alternatives are possible, but they may require writing some OCaml code, either to modify Eva directly, or to add e.g. a new abstract domain which will print the expressions. But it's overkill for simple cases.
By the way, if you want your code to still compile normally, simply protect the call to Frama_C_show_each with #ifdef __FRAMAC__ guards:
int div0(int x, int y)
{
#ifdef __FRAMAC__
Frama_C_show_each_div0(x, y);
#endif
return (x/y);
}

Related

Rascal: Can a Function return a Function

The Rascal documentation has an example of a function that takes a function as an argument:
int f(int x, int (int) multi){ return multi(x); }
Conversely, what is the syntax for a function that returns a function?
I couldn't find an example and tried things along the line:
(int (int)) f() {return (int y) {return y;}}
but got syntax errors in the repl.
Here is an example:
int two(int n) = 2 * n;
int(int) g() = two;
Function two multiplies by 2 and g returns the function two.
Observe that the return type of g is int(int), a type describing a function which returns an int and has one int argument.
A similar effect can be achieved by an inline definition:
int(int) g() = int(int n) { return 2 * n; };
You can also use this same notation inside other functions. For instance, you could create a function which multiplies two numbers:
int mult(int n, int m) = n * m;
If you use it, you would get what you would expect:
rascal>mult(3,4);
int: 12
You can instead return a function that essentially partially applies this function as follows:
int(int) multBy(int n) {
return int(int m) {
return mult(n,m);
};
}
int (int) (int)
So, this returns a function that takes an int and returns an int (int), i.e., a function that takes an int and returns an int. You can then use it as so:
rascal>multBy3 = multBy(3);
int (int)
rascal>multBy3(4);
int: 12
You can find more examples in some of our (many) files with tests:
lang::rascal::tests::basic::Functions
lang::rascal::tests::functionality::FunctionComposition
Thanks for your question, we have more documentation to do!
The short answer to my failed attempt is:
leave out the outermost parens in the return type of f
add the return type int of the anonymous function that is returned by f
don't forget the semi after f's return statement
That gives:
int (int) f() { return int (int y) { return y; } ; }

Function taking std::initializer_list

I came across a function a colleague had written that accepted an initializer list of std::vectors. I have simplified the code for demonstration:
int sum(const std::initializer_list<std::vector<int>> list)
{
int tot = 0;
for (auto &v : list)
{
tot += v.size();
}
return tot;
}
Such a function would allow you call the function like this with the curly braces for the initializer list:
std::vector<int> v1(50, 1);
std::vector<int> v2(75, 2);
int sum1 = sum({ v1, v2 });
That looks neat but doesn't this involve copying the vectors to create the initializer list? Wouldn't it be more efficient to have a function that takes a vector or vectors? That would involve less copying since you can move the vectors. Something like this:
int sum(const std::vector<std::vector<int>> &list)
{
int tot = 0;
for (auto &v : list)
{
tot += v.size();
}
return tot;
}
std::vector<std::vector<int>> vlist;
vlist.reserve(2);
vlist.push_back(std::move(v1));
vlist.push_back(std::move(v2));
int tot = sum2(vlist);
Passing by initializer list could be useful for scalar types like int and float, but I think it should be avoided for types like std::vector to avoid unnecessary copying. Best to use std::initializer_list for constructors as it intended?
That looks neat but doesn't this involve copying the vectors to create the initializer list?
Yes, that is correct.
Wouldn't it be more efficient to have a function that takes a vector or vectors?
If you are willing to move the contents of v1 and v2 to a std::vector<std::vector<int>>, you could do the samething when using std::initializer_list too.
std::vector<int> v1(50, 1);
std::vector<int> v2(75, 2);
int sum1 = sum({ std::move(v1), std::move(v2) });
In other words, you can use either approach to get the same effect.

Why there are two different answer in same compare template function

When I try to implement a template to compare two variables' value.
When I try passing string as parameters then the program couldn't compare the value right.
However when I add two same variables this code get me a right result.
Just as the picture shows.
You passed it a const char * pointer to compare and that will compare the pointer addresses, not the contents with '>'. As these are from different objects/strings, you have no way to know which will be first or last in memory, and it may vary from compile to compile, or even potentially run to run.
As you had the std::string local variable, I assume you intended to pass that, which does have comparison operators to compare the contents. If you want to pass a string literal as an std::string to such a template function, you must do it explicitly, such as:
Max<std::string>("a", "b"); // K is std::string, so both parameters will use the implicit constructor
Max(std::string("a"), std::string("b")); // Explicitly construct strings
If you do want Max to work with char pointers, you might overload or specialise it to use say strcmp, which does compare the contents.
template<class T> T Max(T x, T y)
{
return x > y ? x : y;
}
template<> const char* Max(const char *x, const char *y)
{
return strcmp(x, y) > 0 ? x : y;
}
template<> char* Max(char *x, char *y)
{
return strcmp(x, y) > 0 ? x : y;
}

Lambda syntax with algorithms

I read here and also here and examples on cpluplus.com
And I still don't understand how it works
what confuses me at most how lambdas work with _if algorithms like copy_if that they don't reference containers in the body
std::vector<int> foo = {25,15,5,-5,-15};
std::vector<int> bar (foo.size());
// copy only positive numbers:
auto it = std::copy_if (foo.begin(), foo.end(), bar.begin(), [](int i)
{return !(i<0);} )
doesn't reference vector object foo in the body. so how it performs the desired action?
Additionally, I don't understand what is the difference beetween capturing a variable and passing as parameter
I also tried my own example:
vector<unsigned long>v2(10);
for(unsigned long i=0;i<v2.size();i++)
v2[i]=10-i;
v2.erase(remove_if(v1.begin(), v1.end(),[](unsigned long n) {
return n%2==1; } ),v2.end());//remove odd numbers
It compiles (MVS 2010 with Intel Composer 14) but produces rubbish and assertion error.
If you look at std::copy_if source code, you should see how that works.
Essentially what copy_if does is this:
void copy_if(It1 f1, It1 l1, It2 f2, Pred pred) {
for (; f1 != l1; ++f1) {
if (pred(*f1)) {
*f2 = *f1;
++f2;
}
}
}
It does not know about containers, nor does it have to. The pair of iterators (f1, l1) specify a range where the items are copied from, the iterators contain all the knowledge about how to get to the element. The iterator f2 specifies the starting point of the destination range. If the destination range is not big enough woul will have a buffer overflow bug. The predicate is a function that indicates whether to copy an element or not. It does not have to know anything about the container, it just needs to be able to tell copy_if whether an element being visited should be copied or not.
Difference between capturing a variable and passing as argument should be explained by the following snippets. This lambda
int captured = 42;
auto functor = [captured](int x) { return x%2 == 0; };
essentially means this:
int captured = 42;
struct Blah
{
Blah(int c) : captured_(c) { }
bool operator()(int x) const { return x%2 == 0; }
int captured_;
} functor(captured);
You're erasing from vector v2 using iterators from container v1. This is expected to.give you crap results - it's undefined behaviour.

Which Frama-C version is best suited to develop a slicing plugin?

I want to explore Frama-C to apply Assertion-based Slicing (using ACSL notation).
I have found that there are several different versions of Frama-C with some different features.
My question is which version is best suited to develop a a slicing plugin to Frama-C and to manipulate the AST created by Frama-C.
There already is a slicing plug-in in Frama-C (in all versions).
This plug-in uses the results of the value analysis plug-in, which assumes the properties written inside ACSL assertions (after having attempted to verify them).
So, depending on what you call “assertion-based slicing” (and be aware that the article that comes up first in Google is behind a paywall), what you propose to do may already exists as a Frama-C plug-in (and one that works pretty well as of the last two or three Frama-C versions).
To answer your question anyway, the best version to use is the latest one, which is Fluorine 20130601 as of this writing.
Example of existing slicing features in Frama-C:
$ cat t.c
int f(unsigned int x)
{
int y;
/*# assert x == 0 ; */
if (x)
y = 9;
else
y = 10;
return y;
}
$ frama-c -sparecode t.c -main f
...
t.c:4:[value] Assertion got status unknown.
...
/* Generated by Frama-C */
int f(unsigned int x)
{
int y;
/*# assert x ≡ 0; */
;
y = 10;
return (y);
}
Is the above what you have in mind when you speak of “assertion-based slicing”?
Note: Frama-C's option -sparecode is a slicing option for the criterion “preserve all results of the program”. It still removes any statement that is without consequences, such as y=3; in y=3; y=4;, and being based on Frama-C's value analysis, it removes anything that is considered unreachable or without consequences because of the value analysis' results.
Another example to illustrate:
$ cat t.c
int f(unsigned int x)
{
int y;
int a, b;
int *p[2] = {&a, &b};
/*# assert x == 0 ; */
a = 100;
b = 200;
if (x)
y = 9;
else
y = 10;
return y + *(p[x]);
}
$ frama-c -sparecode t.c -main f
...
t.c:6:[value] Assertion got status unknown.
...
/* Generated by Frama-C */
int f(unsigned int x)
{
int __retres;
int y;
int a;
int *p[2];
p[0] = & a;
/*# assert x ≡ 0; */
;
a = 100;
y = 10;
__retres = y + *(p[x]);
return (__retres);
}

Resources