cbmc - Man Page
Bounded Model Checker for C/C++ and Java programs
Synopsis
cbmc [--property property-id] file.c ...
cbmc [--show-properties] file.c ...
cbmc [--all-properties] file.c ...
cbmc [--no-standard-checks] file.c ...
cbmc [--no-standard-checks] [--pointer-check] file.c ...
cbmc [--no-bounds-check] file.c ...
goto-cc [-I include-path] [-c] file.c [-o outfile.o]
goto-instrument infile outfile
Only the most useful options are listed here; see below for the remainder.
Description
cbmc generates traces that demonstrate how an assertion can be violated, or proves that the assertion cannot be violated within a given number of loop iterations. CBMC can read C/C++ source-code directly, or a GOTO binary generated by goto-cc. Java programs are given as class or JAR files. Without any further options, cbmc checks all properties (automatically generated or user-specified) found in the program. If any of the properties can be violated, a counterexample is printed and the analysis is aborted. The analysis can be restricted to a particular property with the --property option. The verification result for all properties can be obtained by means of the --all-properties option.
goto-cc(1) reads source code, and generates a GOTO binary. Its command-line interface is designed to mimic that of gcc(1). Note in particular that goto-cc(1) distinguishes between compiling and linking phases, just as gcc does. cbmc expects a GOTO binary for which linking has been completed.
goto-instrument(1) reads a GOTO binary, performs a given program transformation, and then writes the resulting program as GOTO binary on disc.
The usual flow is to (1) translate source into a GOTO binary using goto-cc, then (2) perform instrumentation with goto-instrument, and finally (3) perform the analysis with cbmc.
Options
Standard Checks
From version 6.0 onwards, cbmc, goto-analyzer and some other tools apply some checks to the program by default (called the "standard checks"), with the aim to provide a better user experience for a non-expert user of the tool. These checks are:
- --pointer-check
enable pointer checks
- --bounds-check
enable array bounds checks
- --undefined-shift-check
check shift greater than bit-width
- --div-by-zero-check
enable division by zero checks for integer division
- --float-div-by-zero-check
enable division by zero checks for floating-point division
- --pointer-primitive-check
checks that all pointers in pointer primitives are valid or null
- --signed-overflow-check
enable signed arithmetic over- and underflow checks
- --malloc-may-fail
allow malloc calls to return a null pointer
- --malloc-fail-null
set malloc failure mode to return null
- --unwinding-assertions
generate unwinding assertions (cannot be used with --cover)
These checks can all be deactivated at once by using the --no-standard-checks flag like in the header example, or individually, by prepending a no- before the flag, like so:
- --no-pointer-check
disable pointer checks
- --no-bounds-check
disable array bounds checks
- --no-undefined-shift-check
do not perform check for shift greater than bit-width
- --no-div-by-zero-check
disable division by zero checks
- --no-pointer-primitive-check
do not check that all pointers in pointer primitives are valid or null
- --no-signed-overflow-check
disable signed arithmetic over- and underflow checks
- --no-malloc-may-fail
do not allow malloc calls to fail by default
- --no-unwinding-assertions
do not generate unwinding assertions
If an already set flag is re-set, like calling --pointer-check when default checks are already on, the flag is simply ignored.
Analysis options
- --no-standard-checks
disable the standard (default) checks applied to a C/GOTO program (see above for more information)
- --show-properties
show the properties, but don't run analysis
- --symex-coverage-report f
generate a Cobertura XML coverage report in f
- --property id
only check one specific property
- --trace
give a counterexample trace for failed properties
- --stop-on-fail
stop analysis once a failed property is detected (implies --trace)
- --localize-faults
localize faults (experimental)
C/C++ frontend options
- --preprocess
stop after preprocessing
- --test-preprocessor
stop after preprocessing, discard output
- -I path
set include path (C/C++)
- --include file
set include file (C/C++)
- -D macro
define preprocessor macro (C/C++)
- --c89, --c99, --c11
set C language standard (default: c11)
- --cpp98, --cpp03, --cpp11
set C++ language standard (default: cpp98)
- --unsigned-char
make "char" unsigned by default
- --round-to-nearest, --round-to-even
rounding towards nearest even (default)
- --round-to-plus-inf
rounding towards plus infinity
- --round-to-minus-inf
rounding towards minus infinity
- --round-to-zero
rounding towards zero
- --no-library
disable built-in abstract C library
- --max-nondet-tree-depth N
limit size of nondet (e.g. input) object tree; at level N pointers are set to null
- --min-null-tree-depth N
minimum level at which a pointer can first be NULL in a recursively nondet initialized struct
- --function name
set main function name
Platform options
- --arch arch
Set analysis architecture, which defaults to the host architecture. Use one of: alpha, arm, arm64, armel, armhf, hppa, i386, ia64, mips, mips64, mips64el, mipsel, mipsn32, mipsn32el, powerpc, ppc64, ppc64le, riscv64, s390, s390x, sh4, sparc, sparc64, v850, x32, x86_64, or none.
- --os os
Set analysis operating system, which defaults to the host operating system. Use one of: freebsd, linux, macos, netbsd, openbsd, solaris, hurd, or windows.
- --i386-linux, --i386-win32, --i386-macos, --ppc-macos, --win32, --winx64
Set analysis architecture and operating system.
- --LP64, --ILP64, --LLP64, --ILP32, --LP32
Set width of int, long and pointers, but don't override default architecture and operating system.
- --16, --32, --64
Equivalent to --LP32, --ILP32, --LP64 (on Windows: --LLP64).
- --little-endian
allow little-endian word-byte conversions
- --big-endian
allow big-endian word-byte conversions
- --gcc
use GCC as preprocessor
Program representations
- --show-parse-tree
show parse tree
- --show-symbol-table
show loaded symbol table
- --show-goto-functions
show loaded goto program
- --list-goto-functions
list loaded goto functions
- --validate-goto-model
enable additional well-formedness checks on the goto program
- --validate-ssa-equation
enable additional well-formedness checks on the SSA representation
Program instrumentation options
- --bounds-check
enable array bounds checks
- --pointer-check
enable pointer checks
- --memory-leak-check
enable memory leak checks
- --memory-cleanup-check
Enable memory cleanup checks: assert that all dynamically allocated memory is explicitly freed before terminating the program.
- --div-by-zero-check
enable division by zero checks
- --signed-overflow-check
enable signed arithmetic over- and underflow checks
- --unsigned-overflow-check
enable arithmetic over- and underflow checks
- --pointer-overflow-check
enable pointer arithmetic over- and underflow checks
- --conversion-check
check whether values can be represented after type cast
- --undefined-shift-check
check shift greater than bit-width
- --float-overflow-check
check floating-point for +/-Inf
- --nan-check
check floating-point for NaN
- --enum-range-check
checks that all enum type expressions have values in the enum range
- --pointer-primitive-check
checks that all pointers in pointer primitives are valid or null
- --retain-trivial-checks
include checks that are trivially true
- --error-label label
check that label is unreachable
- --no-built-in-assertions
ignore assertions in built-in library
- --no-assertions
ignore user assertions
- --no-assumptions
ignore user assumptions
- --assert-to-assume
convert user assertions to assumptions
- --cover CC
create test-suite with coverage criterion CC, where CC is one of assertion[s], assume[s], branch[es], condition[s], cover, decision[s], location[s], or mcdc
- --cover-failed-assertions
do not stop coverage checking at failed assertions (this is the default for --cover assertions)
- --show-test-suite
print test suite for coverage criterion (requires --cover)
- --mm MM
memory consistency model for concurrent programs (default: sc)
- --malloc-may-fail
allow malloc calls to return a null pointer
- --malloc-fail-assert
set malloc failure mode to assert-then-assume
- --malloc-fail-null
set malloc failure mode to return null
- --string-abstraction
track C string lengths and zero-termination
- --reachability-slice
remove instructions that cannot appear on a trace from entry point to a property
- --reachability-slice-fb
remove instructions that cannot appear on a trace from entry point through a property
- --full-slice
run full slicer (experimental)
- --drop-unused-functions
drop functions trivially unreachable from main function
Semantic transformations
- --nondet-static
add nondeterministic initialization of variables with static lifetime
BMC options
- --paths [strategy]
explore paths one at a time
- --show-symex-strategies
list strategies for use with --paths
- --show-goto-symex-steps
show which steps symex travels, includes diagnostic information
- --show-points-to-sets
show points-to sets for pointer dereference. Requires --json-ui.
- --program-only
only show program expression
- --show-byte-ops
show all byte extracts and updates
- --depth nr
limit search depth
- --max-field-sensitivity-array-size M
maximum size M of arrays for which field sensitivity will be applied to array, the default is 64
- --no-array-field-sensitivity
deactivate field sensitivity for arrays, this is equivalent to setting the maximum field sensitivity size for arrays to 0
- --show-loops
show the loops in the program
- --unwind nr
unwind all loops at most nr times
- --unwindset [T:]L:B,...
unwind loop L with a bound of B, optionally restricted to thread T, and overriding what may be set as default unwinding via --unwind (use --show-loops to get the loop IDs)
- --incremental-loop L
check properties after each unwinding of loop L (use --show-loops to get the loop IDs)
- --unwind-min nr
start incremental-loop after nr unwindings but before solving that iteration. If for example it is 1, then the loop will be unwound once, and immediately checked. Note: this means for min-unwind 1 or 0 all properties are checked.
- --unwind-max nr
stop incremental-loop after nr unwindings
- --ignore-properties-before-unwind-min
do not check properties before unwind-min when using incremental-loop
- --show-vcc
show the verification conditions
- --slice-formula
remove assignments unrelated to property
- --unwinding-assertions
generate unwinding assertions (which are enabled by default; overrides --no-unwinding-assertions when both of these are given); cannot be used with --cover
- --partial-loops
permit paths that execute loops only partially (up to the given unwinding bound) and then continue beyond the loop even when the loop condition would still hold (such paths may be spurious, resulting in false alarms)
- --no-self-loops-to-assumptions
do not simplify while(1){} to assume(0)
- --symex-complexity-limit N
how complex (N) a path can become before symex abandons it. Currently uses guard size to calculate complexity.
- --symex-complexity-failed-child-loops-limit N
how many child branches (N) in an iteration are allowed to fail due to complexity violations before the loop gets blacklisted
- --graphml-witness filename
write the witness in GraphML format to filename
- --symex-cache-dereferences
enable caching of repeated dereferences
Backend options
- --object-bits n
number of bits used for object addresses
- --sat-solver solver
use specified SAT solver
- --external-sat-solver cmd
command to invoke SAT solver process
- --no-sat-preprocessor
disable the SAT solver's simplifier
- --dimacs
generate CNF in DIMACS format
- --beautify
beautify the counterexample (greedy heuristic)
- --smt1
use default SMT1 solver (obsolete)
- --smt2
use default SMT2 solver (Z3)
- --bitwuzla
use Bitwuzla
- --boolector
use Boolector
- --cprover-smt2
use CPROVER SMT2 solver
- --cvc3
use CVC3
- --cvc4
use CVC4
- --cvc5
use CVC5
- --mathsat
use MathSAT
- --yices
use Yices
- --z3
use Z3
- --fpa
use theory of floating-point arithmetic
- --refine
use refinement procedure (experimental)
- --refine-arrays
use refinement for arrays only
- --refine-arithmetic
refinement of arithmetic expressions only
- --max-node-refinement
maximum refinement iterations for arithmetic expressions
- --incremental-smt2-solver cmd
Use the incremental SMT backend where cmd is the command to invoke the SMT solver of choice.
Example invocations:
--incremental-smt2-solver 'z3 -smt2 -in' (use the Z3 solver).
--incremental-smt2-solver 'cvc5 --lang=smtlib2.6 --incremental' (use the CVC5 solver).Note that:
The solver name must be in the "PATH" or be an executable with full path.
The SMT solver should accept incremental SMTlib v2.6 formatted input from the stdin.
The SMT solver should support the QF_AUFBV logic.- --outfile filename
output formula to given file
- --dump-smt-formula filename
output smt incremental formula to the given file
- --write-solver-stats-to json-file
collect the solver query complexity
- --refine-strings
use string refinement (experimental)
- --string-printable
restrict to printable strings (experimental)
- --arrays-uf-never
never turn arrays into uninterpreted functions
- --arrays-uf-always
always turn arrays into uninterpreted functions
- --show-array-constraints
show array theory constraints added during post processing. Requires --json-ui.
User-interface options
- --xml-ui
use XML-formatted output
- --xml-interface
bi-directional XML interface
- --json-ui
use JSON-formatted output
- --json-interface
bi-directional JSON interface
- --trace-json-extended
add rawLhs property to trace
- --trace-show-function-calls
show function calls in plain trace
- --trace-show-code
show original code in plain trace
- --trace-hex
represent plain trace values in hex
- --compact-trace
give a compact trace
- --stack-trace
give a stack trace only
- --flush
flush every line of output
- --export-symex-ready-goto filename
export the symex ready version of the goto-model into the given filename
- --verbosity #
verbosity level
- --timestamp [monotonic|wall]
Print microsecond-precision timestamps. monotonic: stamps increase monotonically. wall: ISO-8601 wall clock timestamps.
Environment
All tools honor the TMPDIR environment variable when generating temporary files and directories. Furthermore note that the preprocessor used by cbmc will use environment variables to locate header files.
Bugs
If you encounter a problem please create an issue at https://github.com/diffblue/cbmc/issues
See Also
Copyright
2001-2016, Daniel Kroening, Edmund Clarke
Referenced By
goto-analyzer(1), goto-cc(1), goto-diff(1), goto-harness(1), goto-instrument(1), goto-synthesizer(1), memory-analyzer(1), symtab2gb(1).