1FRAMA-C(1) FRAMA-C(1)
2
6 frama-c - a static analyzer for C programs
7 frama-c-gui - the graphical interface of frama-c
9
11 frama-c [ options ] files
12
14 frama-c is a suite of tools dedicated to the analysis of source code
15 written in C. It gathers several analysis techniques in a single col‐
16 laborative framework. This framework can be extended by additional
17 plugins placed in the $FRAMAC_PLUGIN directory. The command
18 frama-c --plugins
20 will provide the full list of the plugins that are currently installed.
22 frama-c-gui is the graphical user interface of frama-c. It features
24 the same options as the command-line version.
25 ivette is a new, Electron-based graphical user interface for frama-c.
27 It also features the same options as the command-line version.
28 By default, Frama-C recognizes .c files as C files needing pre-process‐
30 ing and .i files as C files having been already pre-processed. Some
31 plugins may extend the list of recognized files. Pre-processing can be
32 customized through the -cpp-command and -cpp-extra-args options.
33
35 Syntax
36 Options taking an additional parameter can also be written under the
37 form
38 -option=param
40 This form is mandatory when param starts with a dash (`-').
42 Most options that take no parameter have a corresponding
44 -no-option
46 option which has the opposite effect.
48 Help options
50 -help gives a short usage notice.
51 -kernel-help
53 prints the list of options recognized by Frama-C’s kernel
54 -explain
56 prints a help message for each other option given on the command
57 line
58 -verbose n
60 sets verbosity level. Defaults to 1. Setting it to 0 will out‐
61 put less progress messages. This level can also be set on a
62 per-plugin basis, with option -plugin-verbose n. Verbosity lev‐
63 el of the kernel can be controlled with option -kernel-verbose
64 n.
65 -debug n
67 sets debugging level. Defaults to 0, meaning no debugging mes‐
68 sages. This option has the same per-plugin (and kernel) spe‐
69 cializations as -verbose.
70 -quiet sets verbosity and debugging level to 0.
72 Options controlling Frama-C’s kernel
74 -absolute-valid-range min-max
75 considers that all numerical addresses in the range min-max are
76 valid. Bounds are parsed as OCaml integer constants. By de‐
77 fault, all numerical addresses are considered invalid.
78 -add-symbolic-path p1:n1[,p2:n2[...,pn:nn]]
80 replaces each path pi with the name ni when displaying file lo‐
81 cations in messages.
82 [-no]-aggressive-merging
84 merges function definitions modulo renaming. Defaults to no.
85 [-no]-allow-duplication
87 allows duplication of small blocks during normalization of tests
88 and loops. Otherwise, normalization uses labels and gotos.
89 Bigger blocks and blocks with non-trivial control flow are never
90 duplicated. Defaults to yes.
91 [-no]-annot
93 reads ACSL annotations. This is the default. Annotations are
94 pre-processed by default. Use -no-pp-annot if you don’t want to
95 expand macros in annotations.
96 [-no]-ast-diff
98 computes AST differences between a loaded session (loaded with
99 -load) and the current sources. These can then be used by plug-
100 ins supporting incremental analyses.
101 -autocomplete p1,...,pn
103 lists the options of plugins p1,...,pn in a format suitable for
104 autocompletion scripts.
105 -big-ints-hex max
107 integers larger than max are displayed in hexadecimal (by de‐
108 fault, all integers are displayed in decimal).
109 -check performs integrity checks on the internal AST (for developers
111 only).
112 [-no]-asm-contracts
114 generates contracts for assembly code written according to gcc’s
115 extended syntax. Defaults to yes.
116 [-no]-asm-contracts-auto-validate
118 automatically marks contracts generated from asm as valid. De‐
119 faults to no.
120 [-no]-collapse-call-cast
122 allows implicit cast between the value returned by a function
123 and the lvalue it is assigned to. Otherwise, a temporary vari‐
124 able is used and the cast is made explicit. Defaults to yes.
125 [-no]-constfold
127 folds all syntactically constant expressions in the code before
128 analyses. Defaults to no.
129 -const-readonly
131 variables with const qualifier must be actually constant. De‐
132 faults to yes. The opposite option is -unsafe-writable.
133 [-no]-continue-annot-error
135 when analyzing an annotation, the default behavior (the -no ver‐
136 sion of this option) when a typechecking error occurs is to re‐
137 ject the source file as is the case for typechecking errors
138 within the C code. With this option on, the typechecker will
139 only output a warning and discard the annotation but type‐check‐
140 ing will continue (errors in C code are still fatal, though).
141 Deprecated: use -kernel-warn-key annot-error instead.
142 -cpp-command cmd
144 uses cmd as the command to pre-process C files. Defaults to the
145 CPP environment variable or to
146 gcc -C -E -I.
148 if it is not set. If unset, the command is built as follows:
150 CPP -o
152 %1 and %2 can be used into the CPP string to mark the position of and
154 respectively. Note that this option is often better replaced by -cpp-
155 extra-args.
156 -cpp-extra-args args
158 gives additional arguments to the pre-processor. Pre-processing
159 annotations is done in two separate pre-processing stages. The
160 first one is a normal pass on the C code which retains macro
161 definitions. These are then used in the second pass during
162 which annotations are pre-processed. args are used only for the
163 first pass, so that arguments that should not be used twice
164 (such as additional include directives or macro definitions)
165 must thus go there instead of -cpp-command.
166 -cpp-extra-args-per-file file1:args1,...,filen:argsn
168 like -cpp-extra-args, but the arguments only apply to the speci‐
169 fied files.
170 [-no]-cpp-frama-c-compliant
172 indicates that the chosen preprocessor complies to some Frama-C
173 requirements, such as accepting the same set of options as GNU
174 cpp, and accepting architecture-specific options such as
175 -m32/-m64. Default values depend on the installed preprocessor
176 at configure time. See also -pp-annot.
177 [-no]-autoload-plugins
179 when on, load all the dynamic plugins found in the search path
180 (see -print-plugin-path for more information on the default
181 search path). Otherwise, only plugins requested by -load-plugin
182 will be loaded. Defaults to on.
183 -enums repr
185 choose the way the representation of enumerated types is deter‐
186 mined. frama-c -enums help gives the list of available options.
187 Default is gcc-enums.
188 -float-digits n
190 when outputting floating-point numbers, display n digits. De‐
191 faults to 12.
192 -float-flush-to-zero
194 floating point operations flush to zero.
195 -float-hex
197 display floats as hexadecimal.
198 -float-normal
200 display floats with the standard OCaml routine.
201 -float-relative
203 display float intervals as [ lower_bound++width ].
204 [-no]-frama-c-stdlib
206 adds -I$FRAMAC_SHARE/libc to the options given to the cpp com‐
207 mand. If -cpp-frama-c-compliant is not false, also adds -nostd‐
208 inc to prevent an inconsistent mix of system and Frama-C header
209 files. Defaults to yes.
210 -implicit-function-declaration action
212 warns or aborts when a function is called before it has been de‐
213 clared. action can be one of ignore, warn, or error. Defaults
214 to warn.
215 Deprecated: use -kernel-warn-key typing:implicit-function-declaration
216 instead.
217 -initialized-padding-locals
219 implicit initialization of locals sets padding bits to 0. If
220 false, padding bits are left uninitialized. Defaults to yes.
221 -inline-calls f1,...,fn
223 syntactically inlines calls to functions f1,...,fn. Use @inline
224 to select all functions with attribute inline. Recursive func‐
225 tions are inlined only at the first level. Calls via function
226 pointers are not inlined.
227 -json-compilation-database path
229 use path as a JSON compilation database (see
230 <https://clang.llvm.org/docs/JSONCompilationDatabase.html> for
231 more information): each file preprocessed by Frama-C will in‐
232 clude corresponding -I and -D flags according to the specifica‐
233 tions in path. If path is a directory, use <path>/compile_com‐
234 mands.json. Disabled by default.
235 [-no]-keep-comments
237 tries to preserve comments when pretty-printing the source code.
238 Defaults to no.
239 [-no]-keep-switch
241 when -simplify-cfg is set, keeps switch statements. Defaults to
242 no.
243 -keep-unused-specified-functions
245 see -remove-unused-specified-functions.
246 -keep-unused-types
248 see -remove-unused-types.
249 -kernel-log kind:file
251 copies log messages from the Frama-C’s kernel to file. kind
252 specifies which kinds of messages to be copied (e.g. w for warn‐
253 ings, e for errors, etc.). See -kernel-help for more details.
254 Can also be set on a per-plugin basis, with option -<plug‐
255 in>-log.
256 -kernel-msg-key k1,...,kn
258 controls the emission of messages based on categories. Use
259 -kernel-msg-key help to get a list of available categories, and
260 -kernel-msg-key=“*” to control all categories. To disable a
261 category, add a - before its name; to enable a category, simply
262 add its name, with an optional + before it. For instance, -ker‐
263 nel-msg-key=-k1,k2 will disable messages from category k1 and
264 enable those from category k2. Can also be set on a per-plugin
265 basis, with option -<plugin>-msg-key. Note that each plugin has
266 its own set of categories.
267 -kernel-warn-key k1=a1,...,kn=an
269 controls the emission of warnings based on categories: for each
270 warning category k, associate action a. Use -kernel-warn-key
271 help to get a list of available warning categories and their
272 currently associated actions. The following actions can be set
273 per category: active (warn), feedback, error, abort, once, feed‐
274 back-once, err-once. Omitting the action is equivalent to set‐
275 ting it to active. Warning categories can also be set on a per-
276 plugin basis, with option -<plugin>-warn-key.
277 [-no]-lib-entry
279 indicates that the entry point is called during program execu‐
280 tion. This implies in particular that global variables cannot
281 be assumed to have their initial values. The default is -no-
282 lib-entry: the entry point is also the starting point of the
283 program and globals have their initial value.
284 -load file
286 loads the (previously saved) state contained in file.
287 -load-library library_1,...,library_n
289 dynamically load libraries. Loading order is preserved. Li‐
290 braries are loaded between plugins and modules.
291 -load-module SPEC_1,...,SPEC_n
293 dynamically load modules. Each can be an object file, with or
294 without extension, or a Findlib package. Loading order is pre‐
295 served, but after plugins and libraries.
296 -load-plugin plugin_1,...,plugin_n
298 dynamically load plugins. Loading order is preserved. Plugins
299 are loaded before libraries and modules.
300 -machdep machine
302 uses machine as the current machine-dependent configuration
303 (size of the various integer types, endiandness, ...). The list
304 of currently supported machines is available through option
305 -machdep help. Default is x86_64.
306 -main f
308 sets f as the entry point of the analysis. Defaults to main.
309 By default, it is considered as the starting point of the pro‐
310 gram under analysis. Use -lib-entry if f is supposed to be
311 called in the middle of an execution.
312 -obfuscate
314 prints an obfuscated version of the code (where original identi‐
315 fiers are replaced by meaningless ones) and exits. The corre‐
316 spondence table between original and new symbols is kept at the
317 beginning of the result.
318 -ocode file
320 redirects pretty-printed code to file instead of standard out‐
321 put.
322 [-no]-orig-name
324 During the normalization phase, some variables may get renamed
325 when different variables with the same name can co-exist (e.g. a
326 global variable and a formal parameter). When this option is
327 on, a message is printed each time this occurs. Defaults to no.
328 [-no]-pp-annot
330 pre-processes annotations. This is currently only possible when
331 using gcc (or GNU cpp) pre-processor. The default is to pre-
332 process annotations when the default pre-processor is identified
333 as GNU or GNU-like. See also -cpp-frama-c-compliant.
334 [-no]-print
336 pretty-prints the source code as normalized by CIL. Defaults to
337 no.
338 -print-cpp-commands
340 outputs the preprocessing commands for all input files.
341 -print-config-json
343 outputs extensive Frama-C configuration data in JSON format.
344 [-no]-print-libc
346 expands #include directives in the pretty-printed CIL code for
347 files in the Frama-C standard library. Defaults to no.
348 -print-libpath
350 outputs the directory where the Frama-C kernel library is in‐
351 stalled.
352 -print-path
354 alias of -print-share-path.
355 -print-plugin-path
357 outputs the directory where Frama-C searches its plugins.
358 -print-share-path
360 outputs the directory where Frama-C stores shareable files
361 (e.g. standard library, machdeps, shared Makefiles).
362 [-no]-remove-exn
364 transforms throw and try/catch statements into normal C func‐
365 tions. Defaults to no, unless the input source language has an
366 exception mechanism.
367 -remove-inlined f1,...,fn
369 removes inlined functions f1,...,fn from the AST, which must
370 have been given to -inline-calls. Note: this option does not
371 check if the given functions were fully inlined.
372 -remove-projects p1,...,pn
374 removes the given projects p1,...,pn. @all_but_current removes
375 all projects but the current one.
376 -remove-unused-specified-functions
378 keeps function prototypes that have an ACSL specification but
379 are not used in the code. This is the default. Functions hav‐
380 ing the attribute FRAMAC_BUILTIN are always kept.
381 -remove-unused-types
383 remove types and struct/union/enum declarations that are not
384 referenced anywhere else in the code. This is the default. Use
385 -keep-unused-types to keep these definitions.
386 -safe-arrays
388 for multidimensional arrays or arrays that are fields inside
389 structs, assumes that all accesses must be in bound (set by de‐
390 fault). The opposite option is -unsafe-arrays.
391 -save file
393 saves Frama-C’s state into file after analyses have taken place.
394 -session s
396 sets s as the directory in which session files are searched.
397 [-no]-set-project-as-default
399 the current project becomes the default one (and so future -then
400 sequences are applied on it). Defaults to no.
401 [-no]-simplify-cfg
403 removes break, continue and switch statements before analyses.
404 Defaults to no.
405 [-no]-simplify-trivial-loops
407 simplifies trivial loops such as do ... while (0) loops. De‐
408 faults to yes.
409 -then allows one to compose analyses: a first run of Frama-C will oc‐
411 cur with the options before -then and a second run will be done
412 with the options after -then on the current project from the
413 first run.
414 -then-last
416 like -then, but the second group of actions is executed on the
417 last project created by a program transformer.
418 -then-on prj
420 similar to -then except that the second run is performed in
421 project prj. If no such project exists, Frama-C exits with an
422 error.
423 -then-replace
425 like -then-last, but also removes the previous current project.
426 -time file
428 appends user time and date in the given file when Frama-C exits.
429 -typecheck
431 forces typechecking of the source files. This option is only
432 relevant if no further analysis is requested (as typechecking
433 will implicitly occur before the analysis is launched).
434 -ulevel n
436 syntactically unroll loops n times before the analysis. This
437 can be quite costly and some plugins (e.g. Eva) provide more ef‐
438 ficient ways to perform the same thing. See their respective
439 manuals for more information. This can also be activated on a
440 per-loop basis via the loop pragma unroll directive. A nega‐
441 tive value for n will inhibit such pragmas.
442 [-no]-ulevel-force
444 ignores UNROLL loop pragmas disabling unrolling.
445 [-no]-unicode outputs ACSL formulas with UTF-8 characters. This is the
447 default. When given the -no-unicode option, Frama-C will use the ASCII
448 version instead. See the ACSL manual for the correspondence.
449 -unsafe-arrays
451 see -safe-arrays.
452 [-no]-unspecified-access
454 checks that read/write accesses occurring in an unspecified or‐
455 der (according to the C standard’s notion of sequence points)
456 are performed on separate locations. With -no-unspecified-ac‐
457 cess, assumes that it is always the case (this is the default).
458 -version
460 outputs the version string of Frama-C.
461 -warn-decimal-float freq
463 warns when a floating-point constant cannot be exactly repre‐
464 sented (e.g. 0.1). freq can be one of none, once, or all.
465 Deprecated: use -kernel-warn-key parser:decimal-float=once (and vari‐
466 ants) instead.
467 [-no]-warn-invalid-pointer
469 generate alarms for invalid pointer arithmetic. Defaults to no.
470 [-no]-warn-left-shift-negative
472 generate alarms for signed left shifts on negative values. De‐
473 faults to yes.
474 [-no]-warn-right-shift-negative
476 generate alarms for signed right shifts on negative values. De‐
477 faults to no.
478 [-no]-warn-pointer-downcast
480 generates alarms when the downcast of a pointer may exceed the
481 destination range. Defaults to yes.
482 [-no]-warn-signed-downcast
484 generates alarms when signed downcasts may exceed the destina‐
485 tion range. Defaults to no.
486 [-no]-warn-signed-overflow
488 generates alarms for signed operations that overflow. Defaults
489 to yes.
490 [-no]-warn-unsigned-downcast
492 generates alarms when unsigned downcasts may exceed the destina‐
493 tion range. Defaults to no.
494 [-no]-warn-unsigned-overflow
496 generates alarms for unsigned operations that overflow. De‐
497 faults to no.
498 [-no]-warn-invalid-bool
500 generates alarms for reads of trap representations of _Bool
501 lvalues. Defaults to yes.
502 Plugin-specific options
504 For each plugin, the command
505 frama-c -plugin-help
507 will give the list of options that are specific to the plugin.
509
511 0 Successful execution
512 1 Invalid user input
514 2 User interruption (kill or equivalent)
516 3 Unimplemented feature
518 4 5 6 Internal error
520 125 Unknown error
522 Exit statuses greater than 2 can be considered as a bug (or a feature
524 request for the case of exit status 3) and may be reported on Frama-C’s
525 BTS (see below).
526
528 It is possible to control the places where Frama-C looks for its files
529 through the following variables.
530 FRAMAC_LIB
532 The directory where kernel’s compiled interfaces are installed.
533 FRAMAC_SHARE
535 The directory where Frama-C data (e.g. its version of the stan‐
536 dard library) is installed.
537
539 Frama-C user manual: https://frama-c.com/download/frama-c-user-manu‐
540 al.pdf
541 Frama-C homepage: https://frama-c.com
543 Frama-C BTS: https://git.frama-c.com/pub/frama-c/issues
5452023-05-12 FRAMA-C(1)