1FRAMA-C(1) General Commands Manual FRAMA-C(1)
4
8 frama-c[.byte] - a static analyzer for C programs
9 frama-c-gui[.byte] - the graphical interface of frama-c
11
13 frama-c [ options ] files
14
16 frama-c is a suite of tools dedicated to the analysis of source code
17 written in C. It gathers several analysis techniques in a single col‐
18 laborative framework. This framework can be extended by additional
19 plugins placed in the $FRAMAC_PLUGIN directory. The command
20 frama-c --plugins
22 will provide the full list of the plugins that are currently installed.
24 frama-c-gui is the graphical user interface of frama-c. It features
26 the same options as the command-line version.
27 frama-c.byte and frama-c-gui.byte are the OCaml bytecode versions of
29 the command-line and graphical user interface respectively.
30 By default, Frama-C recognizes .c files as C files needing pre-process‐
32 ing and .i files as C files having been already pre-processed. Some
33 plugins may extend the list of recognized files. Pre-processing can be
34 customized through the -cpp-command and -cpp-extra-args options.
35
37 Syntax
38 Options taking an additional parameter can also be written under the
39 form
40 -option=param
42 This form is mandatory when param starts with a dash (`-').
44 Most options that take no parameter have a corresponding
46 -no-option
48 option which has the opposite effect.
50 Help options
52 -help gives a short usage notice.
53 -kernel-help
55 prints the list of options recognized by Frama-C's kernel
56 -verbose n
58 sets verbosity level. Defaults to 1. Setting it to 0 will out‐
59 put less progress messages. This level can also be set on a
60 per-plugin basis, with option -plugin-verbose n. Verbosity
61 level of the kernel can be controlled with option -kernel-ver‐
62 bose n.
63 -debug n
65 sets debugging level. Defaults to 0, meaning no debugging mes‐
66 sages. This option has the same per-plugin (and kernel) spe‐
67 cializations as -verbose.
68 -quiet sets verbosity and debugging level to 0.
70 Options controlling Frama-C's kernel
72 -absolute-valid-range min-max
73 considers that all numerical addresses in the range min-max are
74 valid. Bounds are parsed as OCaml integer constants. By
75 default, all numerical addresses are considered invalid.
76 -add-path p1[,p2[...,pn]]
78 adds directories p1 through pn to the list of directories in
79 which plugins are searched.
80 [-no]-aggressive-merging
82 merges function definitions modulo renaming. Defaults to no.
83 [-no]-allow-duplication
85 allows duplication of small blocks during normalization of tests
86 and loops. Otherwise, normalization uses labels and gotos.
87 Bigger blocks and blocks with non-trivial control flow are never
88 duplicated. Defaults to yes.
89 [-no]-annot
91 reads ACSL annotations. This is the default. Annotations are
92 pre-processed by default. Use -no-pp-annot if you don't want to
93 expand macros in annotations.
94 -big-ints-hex max
96 integers larger than max are displayed in hexadecimal (by
97 default, all integers are displayed in decimal).
98 -check performs integrity checks on the internal AST (for developers
100 only).
101 [-no]-asm-contracts
103 generates contracts for assembly code written according to gcc's
104 extended syntax. Defaults to yes.
105 [-no]-asm-contracts-auto-validate
107 automatically marks contracts generated from asm as valid.
108 Defaults to no.
109 -c11 enables (partial) C11 compatibility, e.g. typedef redefinitions.
111 Defaults to no.
112 [-no]-collapse-call-cast
114 allows implicit cast between the value returned by a function
115 and the lvalue it is assigned to. Otherwise, a temporary vari‐
116 able is used and the cast is made explicit. Defaults to yes.
117 [-no]-constfold
119 folds all syntactically constant expressions in the code before
120 analyses. Defaults to no.
121 -const-readonly
123 variables with const qualifier must be actually constant.
124 Defaults to yes. The opposite option is -unsafe-writable.
125 [-no]-continue-annot-error
127 when analyzing an annotation, the default behavior (the -no ver‐
128 sion of this option) when a typechecking error occurs is to
129 reject the source file as is the case for typechecking errors
130 within the C code. With this option on, the typechecker will
131 only output a warning and discard the annotation but type‐check‐
132 ing will continue (errors in C code are still fatal, though).
133 Deprecated: use -kernel-warn-key annot-error instead.
134 -cpp-command cmd
136 uses cmd as the command to pre-process C files. Defaults to the
137 CPP environment variable or to
138 gcc -C -E -I.
140 if it is not set. If unset, the command is built as follows:
142 CPP -o
144 %1 and %2 can be used into the CPP string to mark the position of and
146 respectively. Note that this option is often better replaced by
147 -cpp-extra-args.
148 -cpp-extra-args args
150 gives additional arguments to the pre-processor. Pre-processing
151 annotations is done in two separate pre-processing stages. The
152 first one is a normal pass on the C code which retains macro
153 definitions. These are then used in the second pass during
154 which annotations are pre-processed. args are used only for the
155 first pass, so that arguments that should not be used twice
156 (such as additional include directives or macro definitions)
157 must thus go there instead of -cpp-command.
158 [-no]-cpp-frama-c-compliant
160 indicates that the chosen preprocessor complies to some Frama-C
161 requirements, such as accepting the same set of options as GNU
162 cpp, and accepting architecture-specific options such as
163 -m32/-m64. Default values depend on the installed preprocessor
164 at configure time. See also -pp-annot.
165 [-no]-autoload-plugins
167 when on, load all the dynamic plugins found in the search path
168 (see -print-plugin-path for more information on the default
169 search path). Otherwise, only plugins requested by -load-module
170 will be loaded. Defaults to on.
171 -enums repr
173 choose the way the representation of enumerated types is deter‐
174 mined. frama-c -enums help gives the list of available options.
175 Default is gcc-enums.
176 -float-digits n
178 when outputting floating-point numbers, display n digits.
179 Defaults to 12.
180 -float-flush-to-zero
182 floating point operations flush to zero.
183 -float-hex
185 display floats as hexadecimal.
186 -float-normal
188 display floats with the standard OCaml routine.
189 -float-relative
191 display float intervals as [ lower_bound++width ].
192 [-no]-frama-c-stdlib
194 adds -I$FRAMAC_SHARE/libc to the options given to the cpp com‐
195 mand. If -cpp-frama-c-compliant is not false, also adds -nostd‐
196 inc to prevent an inconsistent mix of system and Frama-C header
197 files. Defaults to yes.
198 -implicit-function-declaration action
200 warns or aborts when a function is called before it has been
201 declared. action can be one of ignore, warn, or error.
202 Defaults to warn.
203 Deprecated: use -kernel-warn-key typing:implicit-function-declaration
204 instead.
205 -initialized-padding-locals
207 implicit initialization of locals sets padding bits to 0. If
208 false, padding bits are left uninitialized. Defaults to yes.
209 -inline-calls f1,...,fn
211 syntactically inlines calls to functions f1,...,fn. Use @inline
212 to select all functions with attribute inline. Recursive func‐
213 tions are inlined only at the first level. Calls via function
214 pointers are not inlined.
215 -journal-disable
217 do not output a journal of the current session. See -jour‐
218 nal-enable.
219 -journal-enable
221 on by default, dumps a journal of all the actions performed dur‐
222 ing the current Frama-C session in the form of an OCaml script
223 that can be replayed with -load-script. The name of the script
224 can be set with the -journal-name option.
225 -journal-name name
227 sets the name of the journal file (without the .ml extension).
228 Defaults to frama_c_journal.
229 -json-compilation-database path
231 use path as a JSON compilation database (see
232 <https://clang.llvm.org/docs/JSONCompilationDatabase.html> for
233 more information): each file preprocessed by Frama-C will
234 include corresponding -I and -D flags according to the specifi‐
235 cations in path. If path is a directory, use <path>/com‐
236 pile_commands.json. Disabled by default.
237 [-no]-keep-comments
239 tries to preserve comments when pretty-printing the source code.
240 Defaults to no.
241 [-no]-keep-switch
243 when -simplify-cfg is set, keeps switch statements. Defaults to
244 no.
245 -keep-unused-specified-functions
247 see -remove-unused-specified-functions.
248 -keep-unused-types
250 see -remove-unused-types.
251 -kernel-log kind:file
253 copies log messages from the Frama-C's kernel to file. kind
254 specifies which kinds of messages to be copied (e.g. w for
255 warnings, e for errors, etc.). See -kernel-help for more
256 details. Can also be set on a per-plugin basis, with option
257 -<plugin>-log.
258 -kernel-msg-key k1,...,kn
260 controls the emission of messages based on categories. Use
261 -kernel-msg-key help to get a list of available categories, and
262 -kernel-msg-key=“*” to control all categories. To disable a
263 category, add a - before its name; to enable a category, simply
264 add its name, with an optional + before it. For instance, -ker‐
265 nel-msg-key=-k1,k2 will disable messages from category k1 and
266 enable those from category k2. Can also be set on a per-plugin
267 basis, with option -<plugin>-msg-key. Note that each plugin has
268 its own set of categories.
269 -kernel-warn-key k1=a1,...,kn=an
271 controls the emission of warnings based on categories: for each
272 warning category k, associate action a. Use -kernel-warn-key
273 help to get a list of available warning categories and their
274 currently associated actions. The following actions can be set
275 per category: active (warn), feedback, error, abort, once, feed‐
276 back-once, err-once. Omitting the action is equivalent to set‐
277 ting it to active. Warning categories can also be set on a
278 per-plugin basis, with option -<plugin>-warn-key.
279 [-no]-lib-entry
281 indicates that the entry point is called during program execu‐
282 tion. This implies in particular that global variables cannot
283 be assumed to have their initial values. The default is
284 -no-lib-entry: the entry point is also the starting point of the
285 program and globals have their initial value.
286 -load file
288 loads the (previously saved) state contained in file.
289 -load-module SPEC
291 dynamically load OCaml plug-ins, modules and scripts. Each SPEC
292 can be an OCaml source or object file, with or without exten‐
293 sion, or a Findlib package. Loading order is preserved and
294 additional dependencies can be listed in *.depend files.
295 -load-script SPEC
297 alias for option -load-module.
298 -machdep machine
300 uses machine as the current machine-dependent configuration
301 (size of the various integer types, endiandness, ...). The list
302 of currently supported machines is available through option
303 -machdep help. Default is x86_32.
304 -main f
306 sets f as the entry point of the analysis. Defaults to main.
307 By default, it is considered as the starting point of the pro‐
308 gram under analysis. Use -lib-entry if f is supposed to be
309 called in the middle of an execution.
310 -obfuscate
312 prints an obfuscated version of the code (where original identi‐
313 fiers are replaced by meaningless ones) and exits. The corre‐
314 spondence table between original and new symbols is kept at the
315 beginning of the result.
316 -ocode file
318 redirects pretty-printed code to file instead of standard out‐
319 put.
320 [-no]-orig-name
322 During the normalization phase, some variables may get renamed
323 when different variables with the same name can co-exist (e.g. a
324 global variable and a formal parameter). When this option is
325 on, a message is printed each time this occurs. Defaults to no.
326 [-no]-pp-annot
328 pre-processes annotations. This is currently only possible when
329 using gcc (or GNU cpp) pre-processor. The default is to
330 pre-process annotations when the default pre-processor is iden‐
331 tified as GNU or GNU-like. See also -cpp-frama-c-compliant.
332 [-no]-print
334 pretty-prints the source code as normalized by CIL. Defaults to
335 no.
336 [-no]-print-libc
338 expands #include directives in the pretty-printed CIL code for
339 files in the Frama-C standard library. Defaults to no.
340 -print-libpath
342 outputs the directory where the Frama-C kernel library is
343 installed.
344 -print-path
346 alias of -print-share-path.
347 -print-plugin-path
349 outputs the directory where Frama-C searches its plugins (can be
350 overridden by the FRAMAC_PLUGIN variable and the -add-path
351 option).
352 -print-share-path
354 outputs the directory where Frama-C stores its data (can be
355 overridden by the FRAMAC_SHARE variable).
356 [-no]-remove-exn
358 transforms throw and try/catch statements into normal C func‐
359 tions. Defaults to no, unless the input source language has an
360 exception mechanism.
361 -remove-inlined f1,...,fn
363 removes inlined functions f1,...,fn from the AST, which must
364 have been given to -inline-calls. Note: this option does not
365 check if the given functions were fully inlined.
366 -remove-projects p1,...,pn
368 removes the given projects p1,...,pn. @all_but_current removes
369 all projects but the current one.
370 -remove-unused-specified-functions
372 keeps function prototypes that have an ACSL specification but
373 are not used in the code. This is the default. Functions hav‐
374 ing the attribute FRAMAC_BUILTIN are always kept.
375 -remove-unused-types
377 remove types and struct/union/enum declarations that are not
378 referenced anywhere else in the code. This is the default. Use
379 -keep-unused-types to keep these definitions.
380 -safe-arrays
382 for multidimensional arrays or arrays that are fields inside
383 structs, assumes that all accesses must be in bound (set by
384 default). The opposite option is -unsafe-arrays.
385 -save file
387 saves Frama-C's state into file after analyses have taken place.
388 -session s
390 sets s as the directory in which session files are searched.
391 [-no]-set-project-as-default
393 the current project becomes the default one (and so future -then
394 sequences are applied on it). Defaults to no.
395 [-no]-simplify-cfg
397 removes break, continue and switch statements before analyses.
398 Defaults to no.
399 [-no]-simplify-trivial-loops
401 simplifies trivial loops such as do ... while (0) loops.
402 Defaults to yes.
403 -then allows one to compose analyses: a first run of Frama-C will
405 occur with the options before -then and a second run will be
406 done with the options after -then on the current project from
407 the first run.
408 -then-last
410 like -then, but the second group of actions is executed on the
411 last project created by a program transformer.
412 -then-on prj
414 similar to -then except that the second run is performed in
415 project prj. If no such project exists, Frama-C exits with an
416 error.
417 -then-replace
419 like -then-last, but also removes the previous current project.
420 -time file
422 appends user time and date in the given file when Frama-C exits.
423 -typecheck
425 forces typechecking of the source files. This option is only
426 relevant if no further analysis is requested (as typechecking
427 will implicitly occur before the analysis is launched).
428 -ulevel n
430 syntactically unroll loops n times before the analysis. This
431 can be quite costly and some plugins (e.g. Eva) provide more
432 efficient ways to perform the same thing. See their respective
433 manuals for more information. This can also be activated on a
434 per-loop basis via the loop pragma unroll directive. A nega‐
435 tive value for n will inhibit such pragmas.
436 [-no]-ulevel-force
438 ignores UNROLL loop pragmas disabling unrolling.
439 [-no]-unicode outputs ACSL formulas with UTF-8 characters. This is the
441 default. When given the -no-unicode option, Frama-C will use the ASCII
442 version instead. See the ACSL manual for the correspondence.
443 -unsafe-arrays
445 see -safe-arrays.
446 [-no]-unspecified-access
448 checks that read/write accesses occurring in an unspecified
449 order (according to the C standard's notion of sequence points)
450 are performed on separate locations. With -no-unspeci‐
451 fied-access, assumes that it is always the case (this is the
452 default).
453 -version
455 outputs the version string of Frama-C.
456 -warn-decimal-float freq
458 warns when a floating-point constant cannot be exactly repre‐
459 sented (e.g. 0.1). freq can be one of none, once, or all.
460 Deprecated: use -kernel-warn-key parser:decimal-float=once (and vari‐
461 ants) instead.
462 [-no]-warn-left-shift-negative
464 generate alarms for signed left shifts on negative values.
465 Defaults to yes.
466 [-no]-warn-right-shift-negative
468 generate alarms for signed right shifts on negative values.
469 Defaults to no.
470 [-no]-warn-signed-downcast
472 generates alarms when signed downcasts may exceed the destina‐
473 tion range. Defaults to no.
474 [-no]-warn-signed-overflow
476 generates alarms for signed operations that overflow. Defaults
477 to yes.
478 [-no]-warn-unsigned-downcast
480 generates alarms when unsigned downcasts may exceed the destina‐
481 tion range. Defaults to no.
482 [-no]-warn-unsigned-overflow
484 generates alarms for unsigned operations that overflow.
485 Defaults to no.
486 [-no]-warn-invalid-bool
488 generates alarms for reads of trap representations of _Bool
489 lvalues. Defaults to yes.
490 Plugin-specific options
492 For each plugin, the command
493 frama-c -plugin-help
495 will give the list of options that are specific to the plugin.
497
499 0 Successful execution
500 1 Invalid user input
502 2 User interruption (kill or equivalent)
504 3 Unimplemented feature
506 4 5 6 Internal error
508 125 Unknown error
510 Exit statuses greater than 2 can be considered as a bug (or a feature
512 request for the case of exit status 3) and may be reported on Frama-C's
513 BTS (see below).
514
516 It is possible to control the places where Frama-C looks for its files
517 through the following variables.
518 FRAMAC_LIB
520 The directory where kernel's compiled interfaces are installed.
521 FRAMAC_PLUGIN
523 The directory where Frama-C can find standard plugins. If you
524 wish to have plugins in several places, use -add-path instead.
525 FRAMAC_SHARE
527 The directory where Frama-C data (e.g. its version of the stan‐
528 dard library) is installed.
529
531 Frama-C user manual: http://frama-c.com/download/frama-c-user-man‐
532 ual.pdf
533 Frama-C homepage: http://frama-c.com
535 Frama-C BTS: http://bts.frama-c.com
537 2019-07-29 FRAMA-C(1)