frama-cprogram-slicing

What does the message "unreachable entry point" mean?


I have a file containing several ACSL assertions (file.c):

#include <stdio.h>
#include <stdlib.h>

void foo()    {
  int a=0;
  //@ assert(a==0);
}

void print(const char* text)   {
    int a=0;
    //@ assert(a==0);
    printf("%s\n",text);
}

int main (int argc, const char* argv[])    {
    const char* a1 = argv[2];

    print(a1);
    foo();

    if (!a1)
      //@ assert(!a1);
        return 0;
    else
        return 1;
}

I want to slice for all assertions with the command:

frama-c -slice-assert @all file.c -then-on 'Slicing export' -print -ocode slice.c

However, the slice does not look as expected (in fact it does not contain any of the functions contained in the files):

/* Generated by Frama-C */
typedef unsigned int size_t;
/*@ ghost extern int __fc_heap_status __attribute__((__FRAMA_C_MODEL__)); */

/*@
axiomatic dynamic_allocation {
  predicate is_allocable{L}(size_t n) 
    reads __fc_heap_status;

  }
 */
void main(void)
{
  char const *a1;
  return;
}

Instead I get output like this:

file.c:16:[kernel] warning: out of bounds read. assert \valid_read(argv+2);
[value] Recording results for main
[value] done for function main
file.c:16:[value] Assertion 'Value,mem_access' got final status invalid.
[slicing] making slicing project 'Slicing'...
[slicing] interpreting slicing requests from the command line...
[pdg] computing for function foo
[pdg] warning: unreachable entry point (sid:1, function foo)
[pdg] Bottom for function foo
[slicing] bottom PDG for function 'foo': ignore selection
[pdg] computing for function main
file.c:21:[pdg] warning: no final state. Probably unreachable...
[pdg] done for function main
[pdg] computing for function print
[pdg] warning: unreachable entry point (sid:5, function print)
[pdg] Bottom for function print
[slicing] bottom PDG for function 'print': ignore selection

What it going wrong here, in particular, what does unreachable entry point? Observation: If I change argv[2] to argv[1] I don't have these problems (but still get the warning in the first line).


Solution

  • The slicing needs to compute the PDG (Program Dependent Graph) which use the Value analysis results. The warning unreachable entry point means that, in the context you give, the function foo is not reachable (ie. it is called from unreachable statements).

    Difficult to tell you more without an example...


    EDIT:

    In the ouput that you provided, notice the lines:

    file.c:16:[kernel] warning: out of bounds read. assert \valid_read(argv+2);
    

    and

    file.c:16:[value] Assertion 'Value,mem_access' got final status invalid.
    

    When the Value analysis meet an invalid property, it cannot go further. Because here the alarm comes from the first statement, everything else become unreachable. The invalid property is \valid_read(argv+2); since the default for the input context is to have a width of 2 for argv. This can be fixed either by using the option -context-width 3, or by using another entry point for the analysis (and specify it with -main my_main) that take no argument, define argc and argv explicitly, and call the real main with them.

    An advice would be to use the slicing only after having checked if the Value analysis results are ok. You can run it alone with the -val option, and adjust other options if needed.