- <files/>
- Files that do not require preprocessing must now be specified in preprocessor configurations with the additional tag <use-internal-preprocessor>no</use-internal-preprocessor>.
- <use-internal-preprocessor/> is no longer allowed directly inside of the <preprocess/> tag. It can now only be specified inside of individual preprocessor configurations, i.e. within <config/> tags.
- <comment-mode>AAL|patterns</comment-mode>
- use-relative-paths=yes|no for items in the top-level tag <files/> is now deprecated.
- & in conditions.
- __ASTREE_modify on arrays when the array index is an enumerator.
- control_flow_anomaly alarms about non-returning functions.
- no-partition-functions specifies a list of functions that are excluded from automatic partitioning.
- warn-on-unsigned-integer-lshift-range for controlling warnings about overflows in unsigned left shifts.
- precise-multiple-return-function applies automatic state-machine partitioning to functions with multiple returns. The option is only available in astree-cxx mode, to enable a more precise analysis of such functions when using the clang-based C/C++ frontend.
- analysis-timeout specifies a timeout after which the analyzer starts a soft shutdown, collecting partial, unsound results.
- shutdown-timeout allows specifying an additional timeout for the soft shutdown initiated by the option analysis-timeout.
- warn-on-integer-lshift-range. Existing analysis projects that enabled this option must now enable the two options warn-on-unsigned-integer-lshift-range and warn-on-signed-integer-lshift-range.
- __ASTREE_partition_ranges directive to generate more appropriate partitions for small integer intervals.
- __ASTREE_octagon_pack can now also be used in global scope, i.e. outside of function bodies.
- __ASTREE_octagon_pack now also accepts variables of pointer type, used as arrays, and simple C expressions appearing as array indices in directive access paths. For example:

```c
void f(int x, int *arr, int n) { __ASTREE_octagon_pack((x, arr[0:n - 1])); .. }
```

- __ASTREE_modify and __ASTREE_initialize directives no longer accept arguments of the form ptr[] where ptr is a pointer. Such arguments should be replaced by ptr[lb..ub] where lb and ub are appropriate bounds for accessing ptr.
- __ASTREE_known_range directive now supports slice syntax when used with arrays and pointers, e.g. arr[0:2] or ptr[3:5].
- __ASTREE_octagon_pack and __ASTREE_boolean_pack can now choose a variable from an out-of-scope function when addressing it using the var@function_name syntax.
- invalid_pointer_arithmetics in array and field accesses now cut NULL and INVALID pointer values to prevent them from causing subsequent alarms.
- shift_argument when the ABI value bits_of_byte is set to 16 bits.
- field_overflow_upon_dereference for bit-fields.
- /VERYSILENT to the installer.
- (astree, astree-cxx, rulechecker) now triggers an error message.
- __ASTREE_partition_expr directive.
- arithmetic_overflow_unpredictable.
- Floating-point overflows are now distinguished between those with result ±∞ (when keep-float-specials=yes) and those with unpredictable result (floating-point exception raised when keep-float-specials=no). To this end, the latter are now reported as class A alarms using the new alarm key arithmetic_overflow_unpredictable.
- [<lb>:<ub>] for specifying array slices in Astrée directives. In contrast to the [<lb>..<ub>] syntax for array slices, the new syntax works not only with plain constants for lb and ub, but also with arbitrary constant expressions or even variables, if supported by the directive.
- For the <model>_pcf.c file required for the analysis, the toolbox now takes into account the output folder configuration.
- The toolbox no longer generates deprecated <coverage-ignore> DAX elements.
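The DAX changes at the start of these notes (the <use-internal-preprocessor> tag moving into individual <config> elements, and use-relative-paths on the top-level <files> tag being deprecated) are worth checking in a project before the analyzer rejects the file. The following Python script is an added example, not AbsInt's code: it lints a DAX file for the two retired forms and moves a stray global <use-internal-preprocessor> into every <config> that lacks one. It assumes DAX is plain XML with <config> children under <preprocess> and <file> children under <files> (only the element and attribute names these notes mention are relied on), and it assumes the old global setting applied to all configurations; the sample DAX is constructed for illustration.

```python
"""Pre-upgrade check for a DAX project file.

Example added to these release notes, not part of AbsInt's tools.
Assumptions (not stated in the notes): a DAX file is plain XML, <preprocess>
holds one <config> per preprocessor configuration, and the top-level <files>
element lists <file> children. Only the element and attribute names that the
notes mention are relied on. SAMPLE_DAX is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample that still uses both retired forms.
SAMPLE_DAX = """<dax>
  <files use-relative-paths="yes">
    <file>src/main.c</file>
    <file>src/generated.i</file>
  </files>
  <preprocess>
    <use-internal-preprocessor>no</use-internal-preprocessor>
    <config>
      <file>src/main.c</file>
    </config>
    <config>
      <file>src/generated.i</file>
      <use-internal-preprocessor>no</use-internal-preprocessor>
    </config>
  </preprocess>
</dax>"""


def find_problems(dax_xml):
    """Return human-readable findings for the settings the release notes retire."""
    root = ET.fromstring(dax_xml)
    problems = []
    for pre in root.iter("preprocess"):
        # Directly below <preprocess> the tag is no longer allowed.
        for child in pre.findall("use-internal-preprocessor"):
            problems.append(
                "<use-internal-preprocessor>%s</use-internal-preprocessor> directly "
                "inside <preprocess>: move it into each <config>" % (child.text or "")
            )
    files = root.find("files")
    if files is not None:
        # The notes deprecate use-relative-paths for items in <files/>; the
        # attribute is checked on <files> itself and on its items (assumption).
        for el in [files] + list(files):
            if "use-relative-paths" in el.attrib:
                problems.append(
                    "use-relative-paths=%s on <%s> in the top-level <files> is deprecated"
                    % (el.attrib["use-relative-paths"], el.tag)
                )
    return problems


def migrate(dax_xml):
    """Move a global <use-internal-preprocessor> into every <config> lacking one.

    Assumption: the old global setting applied to all configurations, so copying
    its value into each <config> preserves the previous behaviour."""
    root = ET.fromstring(dax_xml)
    for pre in root.iter("preprocess"):
        for stray in pre.findall("use-internal-preprocessor"):
            pre.remove(stray)
            for cfg in pre.findall("config"):
                if cfg.find("use-internal-preprocessor") is None:
                    ET.SubElement(cfg, "use-internal-preprocessor").text = stray.text
    return ET.tostring(root, encoding="unicode")


def configs_missing_setting(dax_xml):
    """Count <config> elements without a <use-internal-preprocessor> child."""
    root = ET.fromstring(dax_xml)
    return sum(
        1 for cfg in root.iter("config") if cfg.find("use-internal-preprocessor") is None
    )


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_DAX):
        print("WARNING:", problem)
    print(migrate(SAMPLE_DAX))
```

The deprecated use-relative-paths attribute is only reported, not rewritten, since the notes give no replacement for it; the migration only touches the tag whose new placement they do prescribe.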
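As an added illustration of the slice syntax described above (this is not Astrée's own parser and not part of these release notes), the following Python module parses the argument shapes the notes mention: a plain variable, var@function_name, an index expression such as arr[i], the legacy [lb..ub] slice whose bounds must be integer constants, and the new [lb:ub] slice whose bounds may be constant expressions or variables, which it resolves to concrete bounds once variable values are known. It rejects ptr[] with the replacement the notes prescribe. Placing the @function part directly after the variable name, and the set of operators accepted as a "simple C expression", are assumptions.

```python
"""Parser for the array-slice forms used in Astrée directive access paths.

Example added to these release notes; it is not Astrée's own parser and only
covers the argument shapes the notes describe. Placing the @function part
directly after the variable name, before any index, is an assumption, as is
the operator set admitted in bound expressions."""
import ast
import operator
import re

_PATH_RE = re.compile(
    r"^\s*(?P<base>[A-Za-z_]\w*)"          # variable name
    r"(?:@(?P<func>[A-Za-z_]\w*))?"        # optional var@function_name (assumed position)
    r"(?:\[(?P<inner>[^\]]*)\])?\s*$"      # optional [...] part
)
_INT_RE = re.compile(r"^\s*-?\d+\s*$")


def _c_div(a, b):
    """Integer division truncating toward zero, as C does."""
    if b == 0:
        raise ValueError("division by zero in bound expression")
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


# Operators admitted inside a bound expression (assumed "simple C expression").
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: _c_div}


def parse_access_path(text):
    """Describe an access path as a dict, or raise ValueError for rejected forms."""
    m = _PATH_RE.match(text)
    if not m:
        raise ValueError("not a directive access path: %r" % text)
    base, func, inner = m.group("base"), m.group("func"), m.group("inner")
    result = {"base": base, "function": func, "kind": "scalar",
              "syntax": None, "lb": None, "ub": None, "index": None}
    if inner is None:
        return result
    if inner.strip() == "":
        # ptr[] is no longer accepted by __ASTREE_modify / __ASTREE_initialize.
        raise ValueError("%s[] is not accepted; use %s[lb..ub] with explicit bounds"
                         % (base, base))
    if ".." in inner:
        lb, ub = inner.split("..", 1)
        # Legacy syntax: only plain integer constants are allowed as bounds.
        if not (_INT_RE.match(lb) and _INT_RE.match(ub)):
            raise ValueError("[lb..ub] bounds must be integer constants: %r" % inner)
        result.update(kind="slice", syntax="legacy", lb=lb.strip(), ub=ub.strip())
    elif ":" in inner:
        # New syntax: bounds may be constant expressions or variables.
        lb, ub = inner.split(":", 1)
        result.update(kind="slice", syntax="new", lb=lb.strip(), ub=ub.strip())
    else:
        result.update(kind="index", index=inner.strip())
    return result


def _eval_bound(expr, env):
    """Evaluate a bound using only +, -, *, / and the names bound in env."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in env:
                raise ValueError("unbound variable in bound expression: %s" % node.id)
            return env[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported construct in bound expression: %r" % expr)
    return ev(ast.parse(expr, mode="eval"))


def resolve_slice(text, env=None):
    """Parse a slice path and return its concrete (lb, ub) under env."""
    path = parse_access_path(text)
    if path["kind"] != "slice":
        raise ValueError("%r is not a slice" % text)
    env = env or {}
    lb, ub = _eval_bound(path["lb"], env), _eval_bound(path["ub"], env)
    if lb > ub:
        raise ValueError("empty slice: lb %d > ub %d" % (lb, ub))
    return lb, ub
```

With a binding for the variables in the bounds, resolve_slice("arr[0:n - 1]", {"n": 8}) yields (0, 7); the same path without a binding raises, which is the situation a directive that does not support variable bounds has to reject.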
- (legacy-alarm-annotation) informs about suppress or comment directives that, for reasons of backwards compatibility, are applied to alarms with new alarm keys introduced in later releases.
- scope option for rule check configurations that controls whether a configuration applies to all the contents of the selected files or only to code that appears inside or outside of designated code blocks, respectively. The new RuleChecker option designated-block-comment specifies the comment pattern that identifies designated code blocks.
- object-definition-without-extern, replaced by the new check global-object-declaration in rule X.F.30.
- dynamic_cast_in_constructor (M2008.12.1.1, AUTOSAR.12.1.1M)
- typeid_in_constructor (M2008.12.1.1, AUTOSAR.12.1.1M)
- cast-pointer-to-intptr and cast-pointer-void-to-intptr, split off from the checks cast-pointer-to-integer and cast-pointer-void-to-integer and associated with the same rules (M2008.5.2.9, AUTOSAR.5.2.9M)
- include-guard-pragma-once (CERT.PRE.6, M2008.16.2.3, AUTOSAR.16.2.3M, M202x-DRAFT.000207), split from the check include-guard-missing to warn about usage of #pragma once as include guard. To allow the usage of #pragma once for certain rules, you can now deselect the new check.
- macro-function-like (AUTOSAR.16.0.1A, CERT.PRE.0, M.19.7, M2008.16.0.4, M2008.16.2.1, M2012.D.4.9) has been split into the two checks macro-function-like and macro-function-like-strict. This makes it configurable whether function-like macros using __LINE__, __FILE__, __func__, or the operators # or ## are regarded as rule violations.
- unknown-component (A.5.7) warns about unknown component names used in the option component-pairs-under-observation.
- If an __ASTREE_absolute_address directive does not fit into the addressable memory, the directive is now ignored and a violation of the check invalid-directive is reported.
- function_name_usage (M2008.8.4.4, AUTOSAR.8.4.4M) when function identifiers are not subject to pointer decay.
- parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149). The check no longer reports unnamed parameters as a conflict.
- parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149).
- precedence-pp warns about missing parentheses in expressions evaluated by the preprocessor. This removes false negatives for the rules AUTOSAR.5.0.2M, M.12.1, M2008.5.0.2, and M2012.12.1.
- parameter-name-match (AUTOSAR.8.4.2M, M.16.4, M2008.8.4.2, M2012.8.3, M202x-DRAFT.000149) to remove false negatives regarding different parameter names in different translation units when at least one translation unit is C++.
- parameter-missing-const (CERT.DCL.0, CERT.DCL.13, M.16.7, M2012.8.13). It no longer warns about parameters passed to __astree_bzero, __astree_memcpy, or __ASTREE_trash.
- uninitialized-local-read (CERT.EXP.33, CWE.456, CWE.457, CWE.665, CWE.824, CWE.908, ISO17961.uninitref, M.9.1, M2012.9.1) when taking the address of an array that is part of a struct.
- incompatible-object-pointer-conversion (A.1.11, CERT.MSC.40, M.1.1, M2012.D.2.1, M2012.1.1)
- pointer-qualifier-cast-const (CERT.EXP.5, CERT.EXP.40, M.11.5, M2012.11.8)
- pointer-qualifier-cast-volatile (M.11.5, M2012.11.8)
- return-reference-local (CERT.DCL.30, CERT.ARR.30, ISO17961.addrescape, M.17.6, M2012.18.6), which erroneously warned about values taken from objects of struct types if a preceding assignment to another field of that struct stored a pointer to a local variable.
- evaluation-order (A.4.1, CERT.EXP.10, CERT.EXP.30, M.12.2, M2012.1.3, M2012.13.2) that could occur when implicitly taking the address of an array.
- pointer-cast-alignment no longer warns about null pointer constants.
- return-implicit (CERT.MSC.37, M.16.8, M2012.17.4, X.F.41). It no longer warns about asm functions.
- return-value-type (X.F.39) to ignore conversions that only affect type qualifiers.
- multiple-instructions-per-line (X.F.1). It now ignores statements stemming from macro invocations.
- Violations of parameter-name-match (M.16.4, M2012.8.3) are now reported at the parameter declaration and not at the function name.
- function-pointer-cast (M2012.11.1), which did not warn about casts changing qualifiers in parameter types.
- type-compatibility-link and type-compatibility (A.1.1, CERT.DCL.40, CERT.MSC.40, ISO17961.funcdecl, M.1.1, M.8.4, M2012.D.2.1, M2012.1.1), which in some cases did not report declarations with different use of volatile qualifiers in typedefs.
- include-characters, include-characters-backslash, and include-characters-sline (M.19.2, M2012.20.2) are no longer reported for code that is excluded by preprocessor directives (e.g. using #if 0 ... #endif).
- octal_escape_sequence (M2008.2.13.2, AUTOSAR.2.13.2M), float_suffix (M2008.2.13.4, AUTOSAR.2.13.4M), long_suffix (M2008.2.13.4, AUTOSAR.2.13.4M), digit_separator_placement (AUTOSAR.13.6.1A), and hexadecimal_lower_case_digit (AUTOSAR.2.13.5A) for literals used within macro expansions.
- conditional_as_sub_expression (AUTOSAR.5.16.1A) and unary_assign_separation (AUTOSAR.5.2.10M, M2008.5.2.10)
- constructor_call_statement (AUTOSAR.6.2.2A), function_return_unused (AUTOSAR.0.1.2A, M2008.0.1.7), and error_information_unused (AUTOSAR.0.3.2M, CERT-CPP.ERR.33C, M2008.0.3.2).
- forward-parameter (AUTOSAR.8.4.6A), move-forwarding-reference (AUTOSAR.18.9.2A), forward-rvalue-reference (AUTOSAR.18.9.2A), and consume-parameter (AUTOSAR.8.4.5A).
- expensive-to-copy (AUTOSAR.8.4.7A) no longer warns about parameters of non-copy-constructible types.
- array-argument-to-pointer-decay (AUTOSAR.5.2.12M, M2008.5.2.12) now also warns about non-identifier expressions of array type that are subject to pointer decay.
- precedence (M2008.5.0.2, AUTOSAR.5.0.2M) now follows the more precise descriptions used in M202x-DRAFT and M2012. In particular, expressions with different operators of the same precedence no longer require explicit parentheses, e.g. a + b - c no longer violates this check.
- member-function-missing-const and member-function-missing-static (M2008.9.3.3, AUTOSAR.9.3.3M) no longer report violations for templated methods when the body uses dependent calls that cannot be resolved without instantiation. This removes false positives for these checks. For instantiations of templated methods, all violations are reported as before.
- functional-cast (M2008.5.2.4, M202x-DRAFT.000089) when the type is a deduced template specialization and the expression thus constitutes an object construction and not a functional cast.
- unused-local-variable (M2008.0.1.3, AUTOSAR.0.1.3M, M202x-DRAFT.000003) when C++17 structured bindings are used.
- unused-local-variable (M2008.0.1.3, AUTOSAR.0.1.3M, M202x-DRAFT.000003) within the scope of not instantiated templates.
- enum-usage-overloaded-operator no longer reports enum usage in operator() and operator,. This removes false positives with respect to a revised interpretation of AUTOSAR.4.5.1A.
- enum-usage no longer reports enum usage in the operators ?: and ,. This removes false positives with respect to a revised interpretation of M2008.4.5.2 and AUTOSAR.4.5.1A.
- member-function-missing-static (M2008.9.3.3, AUTOSAR.9.3.3M) with virtual functions.
- undefined-extern (AUTOSAR.3.2.2M, AUTOSAR.3.2.4M, CERT-CPP.DCL.60, M2008.3.2.2, M2008.3.2.4) with constexpr static data members.
- c-style-cast (AUTOSAR.5.2.2A, M2008.5.2.4). It no longer reports the use of non-type template arguments as a cast.
- check_precedence (AUTOSAR.5.0.2M, M2008.5.0.2).
- logop-postfix-operand (M2008.5.2.1).
- --id <analysis-id>
- <function> of the XML report file has been extended by the new optional attribute tu="pX" to indicate that a function has internal linkage and is the instance in the translation unit represented by preprocessed file pX.
- stderr.
- <variable/> in XML report files has been extended by the new attributes has_read_write_datarace and has_write_write_datarace that indicate whether a variable is involved in a read-write or write-write data race.
- --preprocess-only allows running only the preprocessing without running the subsequent analysis. The option is useful in conjunction with --export for creating AAF files in batch mode. These AAF files then contain the analysis setup plus all preprocessed and original source files. The actual analysis can be performed later, possibly on different machines, by importing the AAFs and triggering the analysis.
- __builtin_va_list and the following GCC builtin functions:
- #define directive in which the filter matched.
- asm specifier (asm macros).
- -include <file> and maps it to an auto-include in the generated preprocessor configuration.
- _Atomic and _Thread_local in the C frontend.
- __ASTREE_comment directive in the C++ analysis mode to remove parse errors such as "frontend_clang: arguments to ASTREE directive cannot be parsed".
- NvM and Dem. Stubbing these modules is no longer necessary.
- std::deque::const_iterator from std::deque::iterator in the more abstract STL stubs to remove false alarms about definite runtime errors.
- tgmath.h header of the C stub library.
- Calls to the error() function in the OSEK/AUTOSAR stubs are now reported as definite run-time errors, stopping the analysis for the corresponding contexts. This generally results in more efficient and precise analyses. The old behavior, i.e. continuing with the analysis without reporting an error, can be restored by defining the preprocessor macro KEEP_OSEKSTUB_ERRORS in the preprocessor settings for the OSEK/AUTOSAR stubs.
- qualify.
- The test cases qk_filter_expressions_directives, qk_filter_pragma_asm, qk_option_warn_on_integer_lshift_ranges, and qk_option_remove_analysis_files have been removed from the Astrée QSK.
- Two test cases have been renamed:
- The test cases qk_aal_comment_pattern_basic and qk_option_remove_analysis_files have been removed from the RuleChecker QSK.
- The test case include-guard-missing has been extended to C.
ID | Short summary for 23.04 | Status in 23.10 | Status in 24.10 |
---|---|---|---|
2304-00298 | If a process may run in several phases, the analysis may fail to consider some possible values. | persists | fixed |
2304-01422 | __ASTREE_partition_ranges may fail to cover all possible floating point values when used with several intervals whose integer bounds relate in a specific way. | persists | fixed |
2304-05631 | Intermediate values written by non-realtime processes may not be considered by realtime processes with the same priority. | fixed | fixed |
2304-11071 | C++ analysis may silently stop contexts in which the evaluation of __ASTREE_partition_expr fails. | fixed | fixed |
2304-11615 | Upon activating the Interpolation domain, conversion-overflow alarms may be missing. | persists | fixed |
2304-17206 | Under specific circumstances, a comparison between pointers converted to integers may be unsound. | persists | fixed |
2304-21244 | With a specific combination of option settings, the Equality domain may miss some of the possible values. | persists | fixed |
2304-21667 | In two specific scenarios, the Interpolation domain may remove actually possible values and justified alarms about overflows. | persists | fixed |
2304-27280 | Analysis of C++ code may fail to alarm about invalid pointer subtraction under specific circumstances. | persists | fixed |
2304-31291 | With the option cut-write-to-const=yes , the effect of __ASTREE_modify on constant bytes is not propagated in certain scenarios. | fixed | fixed |
2304-32124 | The option exclude-signed-in-unsigned-overflows may hide conversion-overflow alarms for expressions that contain casts from signed to unsigned and then to enum. | persists | fixed |
2304-37864 | The Gauge domain may miss some of the incoming values for a variable assigned in a loop. | persists | fixed |
2304-41330 | With anonymous structs or unions, alignment and size of types may be wrong for C code (C++ not affected). | fixed | fixed |
2304-42241 | Effects of other processes may not be fully considered when a separately-analyzed function enters a critical section but does not leave it. | fixed | fixed |
2304-47889 | When using the Octagon domain, the analysis may fail to take some possible rounding errors into account. | fixed | fixed |
2304-51344 | When the alignment of the underlying type of a bitfield is different from the size of that type, the analysis may compute a wrong layout under specific circumstances. | persists | fixed |
2304-54870 | For variables with absolute addresses, misaligned dereferences may not be reported under certain circumstances. | persists | fixed |
2304-58263 | The Octagon domain computes wrong bounds for divisions in which the dividend is an integer > 9007199254740992 (2^53). | persists | fixed |
2304-61346 | Analysis uses C99 scoping of iteration- and selection-statements when language version is set to C90. | persists | fixed |
2304-65218 | Tainting is not propagated through certain expressions and statements. | persists | fixed |
2304-69013 | Under specific circumstances, the C frontend may assume wrong types in parameter type lists. | persists | fixed |
2304-71355 | With the non-default ABI setting enum_preferred_sign=unsigned , enumerators get wrong type. | fixed | fixed |
2304-75228 | Writing to an array element using a tainted index does not taint the written array elements. | persists | fixed |
2304-79444 | Global assertion failures on smashed integer arrays may lead to missing values. | fixed | fixed |
2304-81360 | Initializers for volatile array elements or volatile struct and union members may be ignored in certain cases. | persists | fixed |
2304-85245 | Five additional scenarios for known issue 2304-55218 when the option track-taint-hues is combined with certain directives. | persists | fixed |
2304-91367 | Invalid pointer comparison alarms may be missing when comparing two null pointers in arithmetic expressions. | persists | fixed |
2304-95261 | Taints may not be propagated between asynchronous processes when using memcpy or copy assignment. | persists | fixed |
If you cannot upgrade to a more recent release for any reason, please write to support@absint.com with any issue IDs of interest to receive further details, code examples, tell-tale symptoms, and known workarounds.