Formal Aspects of Computing

, Volume 27, Issue 3, pp 573–609 | Cite as

Frama-C: A software analysis perspective

  • Florent Kirchner
  • Nikolai Kosmatov
  • Virgile Prevosto
  • Julien Signoles
  • Boris YakobowskiEmail author
Original Article


Frama-C is a source code analysis platform that aims at conducting verification of industrial-size C programs. It provides its users with a collection of plug-ins that perform static analysis, deductive verification, and testing, for safety- and security-critical software. Collaborative verification across cooperating plug-ins is enabled by their integration on top of a shared kernel and datastructures, and their compliance to a common specification language. This foundational article presents a consolidated view of the platform, its main and composite analyses, and some of its industrial achievements.


Formal verification Static analysis Dynamic analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. AARG12.
    Ayache N, Amadio R, Régis-Gianas Y (2012) Certifying and reasoning on cost annotations in C programs. In: 17th International workshop on formal methods for industrial critical systems (FMICS 2012)Google Scholar
  2. Ade.
    Adelard LLP Simple concurrency analysis plugin for Frama-C.
  3. ASTT13.
    Assaf M, Signoles J, Totel E, Tronel F (2013) Program transformation for non-interference verification on programs with pointers. In: (eds) The 28th IFIP TC-11 international information security and privacy conference (SEC 2013). Springer, Berlin, pp 231–244Google Scholar
  4. BBC13.
    Bishop P, Bloomfield R, Cyra L (2013) Combining testing and proof to gain high assurance in software: a case study. In: Proceedings of IEEE international symposium on software reliability engineering (ISSRE)Google Scholar
  5. BC11.
    Bonichon R, Cuoq P (2011) A mergeable interval map. Studia Informatica Universalis 9(1): 5–37Google Scholar
  6. BCC+05.
    Burdy L, Cheon Y, Cok DR, Ernst MD, Kiniry JR, Leavens GT, Leino KRM, Poll E (2005) An overview of JML tools and applications. Softw Tools Technol Transf 7(3): 212–232CrossRefGoogle Scholar
  7. BCD+06.
    Barnett M, Evan Chang B-Y, DeLine R, Jacobs B, Rustan K, Leino M (2006) Boogie: A modular reusable verifier for object-oriented programs. In: Proceedings of 4th international symposium on formal methods components and objects (FMCO 2005), volume 4111 of LNCS. Springer, BerlinGoogle Scholar
  8. BDES11.
    Bouajjani A, Dragoi C, Enea C, Sighireanu M (2011) On inter-procedural analysis of programs with lists and data. In: The 32nd ACM SIGPLAN conference on programming language design and implementation (PLDI, 2011), ACM, pp 578–589Google Scholar
  9. BDH+09.
    Botella B, Delahaye M, Hong-Tuan-Ha S, Kosmatov N, Mouy P, Roger M, Williams N (2009) Automating structural testing of C programs: experience with PathCrawler. In: The 4th international workshop on automation of software test (AST 2009), IEEE Computer Society, pp 70–78Google Scholar
  10. BFH+13.
    Baudin P, Filliâtre J-C, Hubert T, Marché C, Monate B, Moy Y, Prevosto V (2013) ACSL: ANSI/ISO C specification language, v1.6, April 2013.
  11. BH11.
    Bardin S, Herrmann P (2011) OSMOSE: automatic structural testing of executables. Softw Test Verif Reliab 21(1): 29–54CrossRefGoogle Scholar
  12. BHJM07.
    Beyer D, Henzinger TA, Jhala R, Majumdar R (2007) The software model checker Blast: applications to software engineering. Int J Softw Tools Technol Transf 9(5–6): 505–525CrossRefGoogle Scholar
  13. BHKL10.
    Berthomé P, Heydemann K, Kauffmann-Tourkestansky X, Lalande J-F (2010) Attack model for verification of interval security properties for smart card C codes. In: The 5th ACM SIGPLAN workshop on programming languages and analysis for security (PLAS 2010), ACM, pp 1–12Google Scholar
  14. BHV11.
    Bardin S, Herrmann P, Védrine F (2011) Refinement-based CFG reconstruction from unstructured programs. In: The 12th international conference on verification, model checking, and abstract interpretation (VMCAI, 2011), volume 6538 of LNCS. Springer, pp 54–69Google Scholar
  15. Bla14.
    Black Paul E (2014) SATE V Ockham sound analysis criteria.
  16. BNR+10.
    Beckman NE, Nori AV, Rajamani SK, Simmons RJ, Tetali S, Thakur AV (2010) Proofs from tests. IEEE Trans Softw Eng 36(4): 495–508CrossRefGoogle Scholar
  17. Bor00.
    Bornat R (2000) Proving pointer programs in Hoare logic. In: The 5th international conference on mathematics of program construction (MPC, 2000), volume 1837 of LNCS. SpringerGoogle Scholar
  18. Bur72.
    Burstall RM (1972) Some techniques for proving correctness of programs which alter data structures. Mach Intell 7: 23–50zbMATHGoogle Scholar
  19. C+.
    Conchon S et al The Alt-Ergo automated theorem prover http://alt-ergo.lri.f..
  20. CC77.
    Cousot P, Cousot R (1977) Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: The 4th symposium on principles of programming languages (POPL, 1977), pp 238–252Google Scholar
  21. CCF+05.
    Cousot P, Cousot R, Feret J, Mauborgne L, Miné A, Monniaux D, Rival X (2005) The ASTRÉE analyzer. In: The 14th European symposium on programming (ESOP 2005), part of the joint European conferences on theory and practice of software (ETAPS, 2005), volume 3444 of LNCS. Springer, Berlin pp 21–30Google Scholar
  22. CCK+13.
    Chebaro O, Cuoq P, Kosmatov N, Marre B, Pacalet A, Williams N, Yakobowski B (2013) Behind the scenes in SANTE: a combination of static and dynamic analyses. Autom Softw Eng. Published onlineGoogle Scholar
  23. CD08.
    Cuoq P, Doligez D (2008) Hashconsing in an incrementally garbage-collected system: a story of weak pointers and hashconsing in OCaml 3.10.2.. In: Proceedings of the ACM SigPlan ML workshop, pp 13–22Google Scholar
  24. CDDM12.
    Cuoq P, Delmas D, Duprat S, Moya Lamiel V (2012) Fan-C, a Frama-C plug-in for data flow verification. In: The embedded real-time software and systems congress (ERTS2 2012)Google Scholar
  25. CDS11.
    Cuoq P, Doligez D, Signoles J (2011) Lightweight typed customizable unmarshaling. In: ACM SIGPLAN Workshop on ML. ACMGoogle Scholar
  26. CHK+12.
    Cuoq P, Hilsenkopf P, Kirchner F, Labbé S, Thuy N, Yakobowski B (2012) Formal verification of software important to safety using the Frama-C tool suite. In: The 8th international conference on nuclear plant instrumentation and control (NPIC, 2012)Google Scholar
  27. CHOS13.
    Cruanes S, Hamon G, Owre S, Shankar N (2013) Tool integration with the evidential tool bus. In: Proceedings of verification, model-checking and abstract interpretation (VMCAI), volume 7737 of LNCS, pp 275–294Google Scholar
  28. CK04.
    Cok David R, Kiniry Joseph R (2004) ESC/Java2: uniting ESC/Java and JML. In: The international workshop on construction and analysis of safe, secure and interoperable smart devices (CASSIS, 2004), volume 3362 of LNCS. Springer, pp 108–128Google Scholar
  29. CK11.
    Chatzieleftheriou G, Katsaros P (2011) Test-driving static analysis tools in search of C code vulnerabilities. In: COMPSAC workshops. IEEE Computer Society, pp 96–103Google Scholar
  30. CKGJ12.
    Chebaro O, Kosmatov N, Giorgetti A, Julliand J (2012) Program slicing enhances a verification technique combining static and dynamic analysis. In: The ACM symposium on applied computing (SAC, 2012), ACM, pp 1284–1291Google Scholar
  31. CKM12.
    Comar C, Kanig J, Moy Y (2012) Integrating formal program verification with testing. In: Proceedings of ERTS, 2012Google Scholar
  32. Cla.
    Clang Static Analyzer.
  33. CMP10.
    Ceara D, Mounier L, Potet M-L (2010) Taint dependency sequences: a characterization of insecure execution paths based on input-sensitive cause sequences. In: The 3rd international conference on software testing, verification and validation workshops (ICSTW, 2010), pp 371–380Google Scholar
  34. Coq11.
    Coq Development Team (2011) The Coq proof assistant reference manual, v8.3 edition.
  35. CR06.
    Clarke LA, Rosenblum DS (2006) A historical perspective on runtime assertion checking in software development. ACM SIGSOFT Softw Eng Notes 31(3): 25–37CrossRefGoogle Scholar
  36. CS04.
    Csallner C, Smaragdakis Y (2004) JCrasher: An automatic robustness tester for Java. Softw—Pract Exp 34(11): 1025–1050Google Scholar
  37. CS06.
    Csallner C, Smaragdakis Y (2006) Dynamically discovering likely interface invariants. In: The 28th ACM/IEEE international conference on software engineering (ICSE, 2006), Emerging Results Track, ACM, pp 861–864Google Scholar
  38. CS12.
    Correnson L, Signoles J (2012) Combining analyses for C programverification. In: The 17th internationalworkshop on formal methods for industrial critical systems (FMICS, 2012)Google Scholar
  39. CSB+09.
    Cuoq P, Signoles J, Baudin P, Bonichon R, Canet G, Correnson L, Monate B, Prevosto V, Puccetti A (2009) Experience report: OCaml for an industrial-strength static analysis framework. In: The 14th ACM SIGPLAN international conference on functional programming (ICFP, 2009), ACM, pp 281–286Google Scholar
  40. CYP13.
    Cuoq P, Yakobowski B, Prevosto V (2013) Frama-C’s value analysis plug-in, fluorine-20130601 edition. June,
  41. DDLS10.
    Delmas D, Duprat S, Moya Lamiel V, Signoles J (2010) Taster, a Frama-C plug-in to encode coding standards. In: The embedded real-time software and systems congress (ERTS2)Google Scholar
  42. DEL+14.
    Dross C, Efstathopoulos P, Lesens D, Mentré D, Moy Y (2014) Rail, space, security: three case studies for spark 2014. In: Proceedings of ERTS, 2014Google Scholar
  43. Dij68.
    Dijkstra EW (1968) A constructive approach to program correctness. BIT Numerical Mathematics Springer, BerlinGoogle Scholar
  44. DJP10.
    Demange D, Jensen T, Pichardie D (2010) A provably correct stackless intermediate representation for java bytecode. In: The 8th Asian symposium on programming languages and systems (APLAS, 2010), volume 6461 of LNCS. Springer, pp 97–113Google Scholar
  45. DKS13.
    Delahaye M, Kosmatov N, Signoles J (2013) Common specification language for static and dynamic analysis of C programs. In: The 28th annual ACM symposium on applied computing (SAC), ACM, pp 1230–1235Google Scholar
  46. DMS+09.
    Dahlweid M, Moskal M, Santen T, Tobies S, Schulte W (2009) VCC: Contract-based modular verification of concurrent C. In: ICSE Companion, IEEE Computer Society, pp 429–430Google Scholar
  47. DTT09.
    Demay J-C, Totel E, Tronel F (2009) SIDAN: a tool dedicated to software instrumentation for detecting attacks on non-control-data. In: CRiSISGoogle Scholar
  48. EMN12.
    Elberzhager F, Münch J, Tran Ngoc Nha V (2012) A systematic mapping study on the combination of static and dynamic quality assurance techniques. Inform Softw Technol 54(1): 1–15CrossRefGoogle Scholar
  49. EPG+07.
    Ernst Michael D, Perkins Jeff H, Guo Philip J (2007) Stephen McCamant, Carlos Pacheco, Matthew S. Tschantz, and Chen Xiao. The Daikon system for dynamic detection of likely invariants. Sci Comput Program 69(1–3): 35–45CrossRefzbMATHGoogle Scholar
  50. Fil00.
    Filliâtre Jean-Christophe (2000) Hash consing in an ML framework. Research Report 1368, LRI, Université Paris SudGoogle Scholar
  51. Fil03.
    Filliâtre J-C (2003) Why: a multi-language multi-prover verification tool. Research Report 1366, LRI, Université Paris SudGoogle Scholar
  52. Flo67.
    Floyd RW (1967) Assigning meanings to programs. In: Proceedings of the American Mathematical Society Symposia on Applied Mathematics, vol 19Google Scholar
  53. FM07.
    Filliâtre J-C, Marché C (2007) The why/krakatoa/caduceus platform for deductive program verification. In: CAV, volume 4590 of LNCS. Springer, pp 173–177Google Scholar
  54. FOW87.
    Ferrante J, Ottenstein K.J, Warren J.D (1987) The program dependence graph and its use in optimization. ACM Trans Program Lang Syst 9(3): 319–349CrossRefzbMATHGoogle Scholar
  55. FP13.
    Filliâtre J-C, Paskevich A (2013) Why3—where programs meet provers. In: The 22nd European symposium on programming (ESOP, 2013), volume 7792 of LNCS. SpringerGoogle Scholar
  56. GdHN+08.
    Godefroid P, de Halleux J, Nori Aditya V, Rajamani Sriram K, Schulte W, Tillmann N, Levin Michael Y (2008) Automating software testing using program analysis. IEEE Softw 25(5): 30–37CrossRefGoogle Scholar
  57. GGJK08.
    Giorgetti A, Groslambert J, Julliand J, Kouchnarenko O (2008) Verification of class liveness properties with Java Modeling Language. IET Softw 2(6)Google Scholar
  58. GHK+06.
    Gulavani Bhargav S, Henzinger Thomas A, Kannan Y, Nori Aditya V, Rajamani Sriram K (2006) SYNERGY: a new algorithm for property checking. In: The 14th ACM SIGSOFT international symposium on foundations of software engineering (FSE 2006), ACM, pp 117–127Google Scholar
  59. GMP.
    Gmp: Gnu multiple precision arithmetic library.
  60. GO01.
    Gastin P, Oddoux D (2001) Fast LTL to Büchi automata translation. In: The 13th international conference on computer aided verification (CAV, 2001), volume 2102 of LNCS. Springer, pp 53–65Google Scholar
  61. Gra91.
    Granger P (1991) Static analysis of linear congruence equalities among variables of a program. In: TAPSOF, volume 493 of LNCS. Springer, pp 169–192Google Scholar
  62. GS09.
    Groslambert J, Stouls N (2009) Vérification de propriétés LTL sur des programmes C par génération d’annotations. In: Approches Formelles dans l’Assistance au Développement de Logiciels (AFADL 2009), in FrenchGoogle Scholar
  63. HJV00.
    Heintze N, Jaffar J, Voicu R (2000) A framework for combining analysis and verification. In: The 27th symposium on principles of programming languages (POPL 2000)Google Scholar
  64. HMM12.
    Herms P, Marché C, Monate B (2012) A certified multi-prover verification condition generator. In: The 4th international conference on verified software: theories, tools, experiments (VSTTE 2012), volume 7152 of LNCS. Springer, pp 2–17Google Scholar
  65. Hoa69.
    Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10)Google Scholar
  66. HRB88.
    Horwitz S, Reps T, Binkley D (1988) Interprocedural slicing using dependence graphs. In: The ACM SIGPLAN conference on programming language design and implementation (PLDI 1988), volume 23–7, pp 35–46Google Scholar
  67. HS13.
    Herrmann P, Signoles J (2013) Annotation generation: Frama-C’s RTE plug-in, April.
  68. IEE08.
    IEEE Std 754-2008 (2008) IEEE standard for floating-point arithmetic. Technical report.
  69. ISO07.
    ISO/IEC JTC1/SC22/WG14 (2007) 9899:TC3: programming languages—C.
  70. JWF11.
    Jobredeaux R, Wang Timothy E, Feron Eric M (2011) Autocoding Control Software with Proofs I: annotation translation. In: Proceedings of the IEEE/AIAA digital avionics systems conference (DASC)Google Scholar
  71. KCC+14.
    Johannes K, Rod C, Cyrille C, Jerome G, Yannick M, Emyr R (2014) Explicit assumptions—a prenup for marrying static and dynamic program verification. In: Proceedings of TAP, 2014, To appearGoogle Scholar
  72. Kos.
    Kosmatov N. Online version of PathCrawler.
  73. Kos10.
    Kosmatov N (2010) Artificial intelligence applications for improved software engineering development: new prospects, chapter XI: Constraint-Based Techniques for Software Testing. IGI GlobalGoogle Scholar
  74. KPS13.
    Kosmatov N, Petiot G, Signoles J (2013) An optimized memory monitoring for runtime assertion checking of C programs. In: The 4th international conference on runtime verification (RV 2013), volume 8174 of LNCS. Springer, pp 167–182Google Scholar
  75. KS13.
    Kosmatov N, Signoles J (2013) A lesson on runtime assertion checking with Frama-C. In: The 4th international conference on runtime verification (RV, 2013), volume 8174 of LNCS. Springer, pp 386–399Google Scholar
  76. LB08.
    Leroy X, Blazy S (2008) Formal verification of a C-like memory model and its uses for verifying program transformations. J Automa Reason 41(1): 1–31CrossRefzbMATHMathSciNetGoogle Scholar
  77. LDF+13.
    Leroy X, Doligez D, Frisch A, Garrigue J Rémy Didier, Vouillon Jéróme (2013) The OCaml system release 4.01. INRIA, 2013.
  78. Lei08.
    Leino KRM (2008) This is Boogie 2. Micros ResGoogle Scholar
  79. MA00.
    Marre B, Arnould A (2000) Test sequences generation from Lustre descriptions: GATeL. In: The 15th IEEE international conference on automated software engineering (ASE 2000). IEEE Computer Society, pp 229–237Google Scholar
  80. Mat.
  81. Mey97.
    Meyer B (1997) Object-oriented software construction. Prentice Hall, New JerseyzbMATHGoogle Scholar
  82. Min12.
    Miné Antoine (2012) Static analysis of run-time errors in embedded real-time parallel c programs. Log Methods Comput Sci 8(1): –Google Scholar
  83. MM12.
    Marché C, Moy Y (2012) The Jessie plug-in for deduction verification: In: Frama-C, version 2.30. INRIA, 2012.
  84. MR05.
    Mauborgne L, Rival X (2005) Trace partitioning in abstract interpretation based static analyzers. In: Sagiv M (ed) European symposium on programming (ESOP’05), volume 3444 of lecture notes in computer science. Springer, pp 5–20Google Scholar
  85. NMRW02.
    Necula GC, Mcpeak S, Rahul SP, Weimer W (2002) CIL: intermediate language and tools for analysis and transformation of C programs. In: The international conference on compiler construction (CC 2002), volume 2304 of LNCS. Springer, pp 213–228Google Scholar
  86. PFH11.
    Pratikakis P, Foster Jeffrey S, Hicks M (2011) Locksmith: practical static race detection for c. ACM Trans Program Lang Syst 33(1): 3Google Scholar
  87. PL10.
    Pariente D, Ledinot E. Formal verification of industrial C code using Frama-C: a case study. In: FoVeOOSGoogle Scholar
  88. Pnu77.
    Pnueli A (1977) The temporal logic of programs. In: The 18th annual symposium on foundations of computer science (FOCS 1977). IEEE Computer Society, pp 46–57Google Scholar
  89. RSB+99.
    Randimbivololona F, Souyris J, Baudin P, Pacalet A, Raguideau J, Schoen D (1999) Applying formal proof techniques to avionics software: a pragmatic approach. In: The wold congress on formal methods in the development of computing systems (FM 1999), volume 1709 of LNCS. Springer, pp 1798–1815Google Scholar
  90. Rus05.
    Rushby J (2005) An evidential tool bus. In: Formal methods and software engineering, ICFEM, volume 3785 of LNCSGoogle Scholar
  91. SC07.
    Smaragdakis Y, Csallner C (2007) Combining static and dynamic reasoning for bug detection. In: The first international conference on tests and proofs (TAP 2007), volume 4454 of LNCS. Springer, pp 1–16Google Scholar
  92. SC07.
    Signoles J, Correnson L, Prevosto V (2013) Frama-C plug-in development guide, April.
  93. Sig09.
    Signoles J (2009) Foncteurs impératifs et composés: la notion de projet dans Frama-C. In: JFLA, volume 7.2 of Studia Informatica Universalis (in French)Google Scholar
  94. Sig13.
    Signoles J (2013) E-ACSL: executable ANSI/ISO C specification language. Version 1.7
  95. Sig14.
    Signoles J (2014) Comment un chameau peut-il écrire un journal? In JFLA (in French)Google Scholar
  96. SP11.
    Stouls N, Prevosto V (2011) Aoraï plug-in tutorial, version Nitrogen-20111001, October 2011.
  97. SS11.
    Schimpf J, Shen K (2011) ECLiPSe - from LP to CLP. Theory Pract Log Program 12(1–2): 127–156MathSciNetGoogle Scholar
  98. TFNM11.
    Tschannen J, Furia CA Nordio M, Meyer B (2011) Usable verification of object-oriented programs by combining static and dynamic techniques. In: The 9th international conference on software engineering and formal methods (SEFM 2011)Google Scholar
  99. Wik.
    Wikipedia. Dining philosophers problem.
  100. WMMR05.
    Williams N, Marre B, Mouy P, Roger M (2005) PathCrawler: automatic generation of path tests by combining static and dynamic analysis. In: The 5th European dependable computing conference on dependable computing (EDCC 2005), volume 3463 of LNCS, Springer, pp 281–292Google Scholar

Copyright information

© British Computer Society 2015

Authors and Affiliations

  • Florent Kirchner
    • 1
  • Nikolai Kosmatov
    • 1
  • Virgile Prevosto
    • 1
  • Julien Signoles
    • 1
  • Boris Yakobowski
    • 1
    Email author
  1. 1.CEA, LISTSoftware Reliability LaboratoryGif-sur-YvetteFrance

Personalised recommendations