Abstract
Frama-C is a source code analysis platform that aims at verifying industrial-size C programs. It provides its users with a collection of plug-ins that perform static analysis, deductive verification, and testing, for safety- and security-critical software. Collaborative verification across cooperating plug-ins is enabled by their integration on top of a shared kernel and data structures, and by their compliance with a common specification language. This foundational article presents a consolidated view of the platform, its main and composite analyses, and some of its industrial achievements.
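To make the "common specification language" concrete, here is an added example (not code from the article) of a C function carrying an ACSL contract: the preconditions constrain what memory may be read, the postconditions and loop annotations let the contract be proved by deductive verification (e.g. `frama-c -wp`) or checked at execution with runtime assertion checking, while an ordinary C compiler sees only comments. The function name, contract and sample array are constructed for this illustration.

```c
/* Added example: an ACSL-annotated bounded search, as used by Frama-C plug-ins.
 * ACSL annotations live in special comments, so the file also compiles as plain C. */
#include <stddef.h>

/*@ requires 0 < n <= 1000;
  @ requires \valid_read(buf + (0 .. n-1));   // no out-of-bounds read is possible
  @ assigns \nothing;                         // pure function: no side effects
  @ ensures \result == -1 ==>
  @         (\forall integer i; 0 <= i < n ==> buf[i] != key);
  @ ensures \result != -1 ==> 0 <= \result < n && buf[\result] == key;
  @*/
int find_first(const int *buf, size_t n, int key)
{
    /*@ loop invariant 0 <= i <= n;
      @ loop invariant \forall integer j; 0 <= j < i ==> buf[j] != key;
      @ loop assigns i;
      @ loop variant n - i;                   // proves termination
      @*/
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == key)
            return (int)i;                    // safe: n <= 1000 fits in int
    }
    return -1;
}

/* Constructed sample input so the example runs stand-alone. */
static const int sample[] = {4, 8, 15, 16, 23, 42};
static const size_t sample_len = sizeof sample / sizeof sample[0];

int demo_found(void)   { return find_first(sample, sample_len, 23); }
int demo_missing(void) { return find_first(sample, sample_len, 7); }
```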
George Eleftherakis, Mike Hinchey, and Michael Butler
This work was partly supported by ANR projects U3CAT and Veridyc, FUI9 project Hi-Lite, and FP7 project STANCE. An earlier version of this work was presented at the conference SEFM 2012.
With Patrick Baudin, François Bobot, Richard Bonichon, Bernard Botella, Omar Chebaro, Loïc Correnson, Pascal Cuoq, Zaynah Dargaye, Philippe Herrmann, Matthieu Lemerre, Claude Marché, Benjamin Monate, Yannick Moy, Anne Pacalet, Armand Puccetti, Muriel Roger, Nicolas Stouls and Nicky Williams.
Kirchner, F., Kosmatov, N., Prevosto, V. et al. Frama-C: A software analysis perspective. Form Asp Comp 27, 573–609 (2015). https://doi.org/10.1007/s00165-014-0326-7