Main external executable functionality: command-line, front-end and analysis execution.

Main internal functionality: analysis of the program by abstract interpretation via constraint solving.

Interactive server mode using JSON-RPC.

Construction and output of CFGs.

Analysis specification and constraint system signatures.

Construction of a constraint system from an analysis specification and CFGs. Transformatons of analysis specifications as functors.

MCP analysis specification.

Registry of dynamically activatable analyses. Analysis specification modules for the dynamic product.

Memory access metadata module for MCP.

Queries and their result lattices.

Events.

Perform queries on the constraint system solution.

Queries for constraint variables related to semantic elements.

Autotuning of the configuration based on syntactic heuristics.

Non-relational value analysis aka base analysis (base).

Symbolic expression equalities analysis (var_eq).

Symbolic variable - logical expression equalities analysis (condvars).

Analysis that tracks which variables hold the results of calls to math library functions (tmpSpecial).

Analysis of disjoint heap regions for dynamically allocated memory (region).

Analysis of unescaped (i.e. thread-local) heap locations (mallocFresh).

Path-sensitive analysis of failed dynamic memory allocations (malloc_null).

An analysis for the detection of memory leaks (memLeak).

An analysis for the detection of use-after-free vulnerabilities (useAfterFree).

An analysis for the detection of out-of-bounds memory accesses (memOutOfBounds).

Mutex locking and unlocking analysis (mutexEvents).

Basic lockset analyses.

An analysis tracking the type of a mutex (pthreadMutexType).

Must lockset and protecting lockset analysis (mutex).

May lockset analysis and analysis of double locking (maylocks).

Symbolic lockset analysis for per-element (field or index) locking patterns (symb_locks).

Deadlock analysis (deadlock).

Multi-threadedness analysis (threadflag).

Current thread ID analysis (threadid).

Created threads and their uniqueness analysis (thread).

Joined threads analysis (threadJoins).

May-happen-in-parallel (MHP) analysis for memory accesses (mhp).

Thread returning analysis which abstracts a thread's call stack by a boolean, indicating whether it is at the topmost call stack frame or not (threadreturn).

Data race analysis (race).

Non-relational thread-modular value analyses for Base.

Escape analysis for thread-local variables (escape).

Must received signals analysis for Pthread condition variables (pthreadSignals).

Promela extraction analysis for Pthread programs (extract-pthread).

Analysis of active setjmp buffers (activeSetjmp).

Analysis of variables modified since setjmp (modifiedSinceLongjmp).

Analysis of active longjmp targets (activeLongjmp).

Taint analysis of variables that were modified between setjmp and longjmp and not yet overwritten. (poisonVariables).

Analysis of variable-length arrays (VLAs) in scope (vla).

Simple intraprocedural integer constants analysis example (constants).

Simple intraprocedural integer signs analysis template (signs).

Simple interprocedural taint analysis template (taint).

Simplest possible analysis with unit domain (unit).

Analysis of assert results (assert).

Analysis of correct file handle usage (file).

Termination analysis for loops and goto statements (termination).

Analysis of initialized local variables (uninit).

Path-sensitive analysis according to values of arbitrary given expressions (expsplit).

Call stack analyses (stack_trace, stack_trace_set, stack_loc).

Analysis using finite automaton specification file (spec).

Analysis of memory accesses (access).

Family of analyses which provide symbolic locations for special library functions. Provides symbolic heap locations for dynamic memory allocations and symbolic thread identifiers for thread creation (mallocWrapper, threadCreateWrapper).

Taint analysis of variables modified in a function (taintPartialContexts).

Unassume analysis (unassume).

Stateless symbolic comparison expression analysis (expRelation).

Analysis of assume_abort_if_not-style functions (abortUnless).

Boolean domains.

Set domains.

Map domains.

Trie domains.

Abstract domains for collections of elements from disjoint unions of domains. Formally, the elements form a cofibered domain from a discrete category.

Abstract domains with Hoare ordering.

Partitioning domains.

Domain alternatives chosen by a runtime flag.

Abstract domains for C integers.

Abstract domains for C floating-point numbers.

Domains for mvalues: simplified lvalues, which start with a GoblintCil.varinfo. Mvalues are the result of resolving pointer dereferences in lvalues.

Domains for variable offsets, i.e. array indices and struct fields.

Domains for addresses/pointers.

Abstract domains for C structs.

Abstract domains for C unions.

Abstract domains for C arrays.

Domains for setjmp and longjmp analyses, and setjmp buffers.

Full domain of Base analysis.

Domain for a single Base analysis value.

Queries within ValueDomain.

Mutex attribute type domain.

Lockset domains.

Symbolic lockset domain.

Deadlock domain.

Multi-threadedness flag domains.

Thread ID domains.

Domains for thread sets and their uniqueness.

May-happen-in-parallel (MHP) domain.

Domain for escaped thread-local variables.

Domains for extraction of Pthread programs.

Domains for GoblintCil.lval.

Memory accesses and their manipulation.

Domain for memory accesses.

Symbolic lvalue equalities domain.

Domains for disjoint heap regions.

Domains for file handles.

Call stack domains.

Domains for mvalue maps.

Domains for finite automaton specification file analysis.

QCheck properties for lattice properties.

QCheck properties for abstract operations.

QCheck properties for IntDomain.

Comparison of CIL files.

Comparison of CIL ASTs.

Comparison of CFGs.

Combination of CIL files using comparison results.

Tracking of maximum CIL IDs in use.

Serialization/deserialization of incremental analysis data.

Special maps used for incremental comparison.

Incremental/interactive terminating top-down solver, which supports space-efficiency and caching (td3).

Warrowing top-down solver (topdown). Simpler version of Td3 without terminating, space-efficiency and incremental.

Terminating top-down solver (topdown_term). Simpler version of Td3 without space-efficiency and incremental.

Terminating top-down solver, which supports space-efficiency and caching (topdown_space_cache_term). Simpler version of Td3 without incremental.

Deprecated top-down solver (topdown_deprecated).

Two-phased terminating SLR3 solver (slr3tp).

Terminating SLR3 solver (slr3t). Simpler version of SLRphased without phases.

Various SLR solvers.

(effectWConEq).

Worklist solver (WL).

Various simple/old solvers and solver utilities.

Solver, which delegates at runtime to the configured solver.

Extra constraint system evaluation pass for warning generation, verification, pruning, etc.

Fixpoint iteration solvers local to a single transfer function (don't use a constraint system).

Statistics for solvers.

Box operator for warrowing solvers.

Detection of suitable C preprocessor.

Input program from a real-world project using a compilation database.

Input program from a real-world project using a Makefile.

SV-COMP tasks and results.

SV-COMP specification strings and files.

Invariants for witnesses.

Invariant manipulation related to CIL transformations.

Utilities for witness generation and witness invariants.

Abstract reachability graph.

Analysis specification transformation for ARG construction.

Construction of ARGs from constraint system solutions.

Output of ARG as GraphML.

Streaming GraphML output.

YAML witness generation and validation.

YAML witness format types.

Widening tokens are a generic and dynamic mechanism for delaying widening.

Violation checking in an ARG.

ARG path feasibility checking using weakest precondition and Z3 (not installed!).

Finite automaton for matching an infeasible ARG path.

Path-sensitive analysis using an ObserverAutomaton.

Experimental analysis refinement.

SARIF output of Messages.

SARIF format types.

SARIF rule definitions for Goblint.

Signatures and registry for transformations.

Dead code elimination transformation (remove_dead_code).

Transformation for instrumenting the program with computed invariants as assertions (assert).

Transformation for evaluating expressions on the analysis results (expeval). Hack for Gobview.

Intermediate data directory.

Unified interface for integer types.

Unified interface for floating-point types.

Process pool for running processes in parallel.

Timeout utilities.

Date and time utilities.

Creation of CIL CFGs.

Syntactic loop unrolling.

Kinds of memory accesses.

Library function descriptor (specification).

Library function descriptor DSL.

Hard-coded database of library function specifications.

Basic analysis utilities.

Integer and floating-point option and attribute handling.

Goblint-specific C attribute handling.

Analyses.Spec.branch refinement for Base analysis.

Thread-modular value analysis utilities for BasePriv and RelationPriv.

Widening threshold utilities.

OCaml implementations of vectors and matrices.

Precison comparison.

Signatures for precision comparison.

BasePriv precison comparison.