Glossary¶
- ACSL
- The ANSI/ISO C Specification Language, described in the ACSL Documentation.
- Alarms
- Properties generated by TrustInSoft Analyzer and expressed in the ACSL logic language. For the program to be correct, the properties need to hold at a given point in the program. An alarm is a property that TrustInSoft Analyzer could not guarantee to be held.
- Assertion
- Local property to check at a program point.
- Assigns property
- Property that specifies an over-approximation of the data that are modified by a function. The data that are not part of the assigns properties have the same value in the pre-state and post-state.
- Contract
- See Function specification.
- Coverage analysis
The coverage reported by TrustInSoft Analyzer, expressed as:
- Function coverage: percentage of the functions.
- Statement coverage: percentage of the statements.
- Semantic statement coverage: percentage of the statements in the reachable functions.
- CWE
- The Common Weakness Enumeration is a dictionary of common software weaknesses maintained by the MITRE Corporation.
- CWE-subset
- The CWE subset covered by TrustInSoft Analyzer is described in the CWE Coverage document.
- Dependencies
- Can be specified in the right part of an
assignsproperty, after the\fromkeyword. The property states that if the function is executed with two different pre-states, but where the dependencies have the same values, then the modified data has the same value in the two post-states. - Function specification
- Function contract composed of preconditions, postconditions, and assigns properties expressed in ACSL.
- Loop invariant
Property of a loop that is verified in two steps:
- The establishment ensures that it is true before the loop.
- The preservation ensures that if it is true at the beginning of any iteration, then it is also true at the beginning of the next one.
- Precondition
- Property that must be satisfied in the pre-state. It is
defined in the function specification with the keyword
requires. - Pre-state
- The state when entering a function. The formal parameters hold the input values, but the local variables are not defined yet.
- Postcondition
- Property that must be satisfied in the post-state. It is
defined in the function specification with the keyword
ensures. - Post-state
- The state at the end of a function. The local variables don’t
exist anymore, the formal parameters have the same value than in
the pre-state (because the arguments are passed by value in
C), the
\returnpseudo-variable holds the returned value. - Slicing
- Computation of the set of program statements, the program slice, that may affect the values at some point of interest, referred to as a slicing criterion. The result is another program that is guaranteed to compile.
- State
- Refers to the memory state that holds the values of all the variables and allocated memory at that point in the program.
- TOCTOU
- The Time Of Check to Time Of Use is a class of issues caused by a race condition between the check of a condition and the use of the results of that check.
- Undefined Behavior
According to the ISO C11 standard, an undefined behavior is:
A behavior, upon use of a non-portable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements.The C FAQ defines an undefined behavior as:
Anything at all can happen; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously perform exactly what the programmer intended.In C and C++, undefined behaviors are mainly associated to illegal operations leading to crashes such as accessing a null pointer or dividing by zero. However, they also include the interactions with compilers and their aggressive optimizations assuming that the program is not in an illegal state leading to security vulnerabilities.
- Value analysis
- Static analysis that computes an over-approximation of the states at each reachable program point using Abstract Interpretation theory.
- WP
- The Weakest Precondition calculus is a method to verify a program property. It provides a mathematical formula that ensures that the property is true on the program as long as the formula is satisfied.