Added registering variables to analysis and new tests

Ronald Judin · Ronald Judin · commit d663309dc3bc · 2026-01-16T13:53:41.000+02:00
diff --git a/src/analyses/base.ml b/src/analyses/base.ml
@@ -2759,6 +2759,34 @@ struct
           set_many ~man st ((eval_lv ~man st lv, (Cilfacade.typeOfLval lv), VD.Address addr) :: blob_set)
         | _ -> st
       end
+    (* TODO: Rethink OCamlParam's placement *)
+    | OCamlParam {param1; param2; param3; param4; param5}, _ ->
+      begin match param1 with
+        | Some p1 ->
+          let _ = eval_rv ~man st p1 in
+          begin match param2 with
+            | Some p2 ->
+              let _ = eval_rv ~man st p2 in
+              begin match param3 with
+                | Some p3 ->
+                  let _ = eval_rv ~man st p3 in
+                  begin match param4 with
+                    | Some p4 ->
+                      let _ = eval_rv ~man st p4 in
+                      begin match param5 with
+                        | Some p5 ->
+                          let _ = eval_rv ~man st p5 in
+                          st
+                        | _ -> st
+                      end
+                    | _ -> st
+                  end
+                | _ -> st
+              end
+            | _ -> st
+          end
+        | _ -> st
+      end
     | Calloc { count = n; size }, _ ->
       begin match lv with
         | Some lv -> (* array length is set to one, as num*size is done when turning into `Calloc *)
diff --git a/src/analyses/ocaml.ml b/src/analyses/ocaml.ml
@@ -170,10 +170,57 @@ struct
     (* caller_state *)
     let desc = LibraryFunctions.find f in
     match desc.special arglist with
-    (* TODO: Add a source function that registers variables and add the non-buggy Bagnall code to the test. *)
+    | OCamlParam params ->
+      (* Variables are registered with a Param macro. *)
+      (* TODO: Which pattern below do the params in fact match? Does it vary? *)
+      (* The function extract_varinfo is from AI - the code can be shortened when we know what the params are. *)
+      let rec extract_varinfo (e: Cil.exp): varinfo option = match e with
+        (* Direct variable lvalue *)
+        | Lval (Var v, _) -> Some v
+        (* Dereferenced pointer - try to extract from inner expression *)
+        | Lval (Mem inner, _) -> extract_varinfo inner
+        (* Address of variable *)
+        | AddrOf (Var v, _) -> Some v (* TODO: Maybe this is the only thing a param can be. *)
+        (* Address of dereferenced - try to extract from inner *)
+        | AddrOf (Mem inner, _) -> extract_varinfo inner
+        (* Array start of variable *)
+        | StartOf (Var v, _) -> Some v
+        (* Array start of dereferenced *)
+        | StartOf (Mem inner, _) -> extract_varinfo inner
+        (* Type cast - extract from inner expression *)
+        | CastE (_, inner) -> extract_varinfo inner
+        (* Unary operations - extract from operand *)
+        | UnOp (_, inner, _) -> extract_varinfo inner
+        (* Real/imaginary parts *)
+        | Real inner | Imag inner -> extract_varinfo inner
+        (* Binary operations - try both operands *)
+        | BinOp (_, e1, e2, _) ->
+          (match extract_varinfo e1 with
+           | Some v -> Some v
+           | None -> extract_varinfo e2)
+        (* Size and alignment - may contain var info in the type *)
+        | SizeOfE inner | AlignOfE inner -> extract_varinfo inner
+        (* Constants, SizeOf, AlignOf, SizeOfStr, AddrOfLabel - no varinfo *)
+        | Const _ | SizeOf _ | AlignOf _ | SizeOfStr _ | AddrOfLabel _ -> None
+        (* Question conditional *)
+        | Question (cond, e1, e2, _) ->
+          (match extract_varinfo cond with
+           | Some v -> Some v
+           | None ->
+             (match extract_varinfo e1 with
+              | Some v -> Some v
+              | None -> extract_varinfo e2))
+      in
+      List.fold_left (fun state param -> 
+          match param with
+          | Some e -> 
+            (match extract_varinfo e with
+             | Some v -> D.add_r v state
+             | None -> state)
+          | None -> state) caller_state [params.param1; params.param2; params.param3; params.param4; params.param5]
     | OCamlAlloc size_exp ->
       (* Garbage collection may trigger here and overwrite unregistered variables *)
-      let _ = M.info "Garbage collection triggers" in (match lval with
+      let _ = M.debug "Garbage collection triggers" in (match lval with
           | Some (Var v, _) -> D.add_a v (D.after_gc caller_state)
           | _ ->
             (* if not (List.for_all (exp_accounted_for caller_state) arglist) then let _ = M.warn "GC might delete value" in D.empty () else *) D.empty ()
@@ -185,7 +232,7 @@ struct
         | _ -> caller_state
       else
       if is_sink f then (* Warns if unaccounted variables reach the function. Empties the state of unregistered variables. *)
-        let _ = M.info "Garbage collection triggers" in match lval with
+        let _ = M.debug "Garbage collection triggers" in match lval with
         | Some (Var v, _) -> D.add_a v (D.after_gc caller_state)
         | _ ->
           (* if not (List.for_all (exp_accounted_for caller_state) arglist) then let _ = M.warn "GC might delete value" in D.empty () else *)
diff --git a/src/util/library/libraryDesc.ml b/src/util/library/libraryDesc.ml
@@ -48,6 +48,8 @@ type special =
   | Alloca of Cil.exp
   | Malloc of Cil.exp
   | OCamlAlloc of Cil.exp
+  (* TODO: Rethink OCamlParam's placement and make the params a list. *)
+  | OCamlParam of { param1: Cil.exp option; param2: Cil.exp option; param3: Cil.exp option; param4: Cil.exp option; param5: Cil.exp option; }
   | Calloc of { count: Cil.exp; size: Cil.exp; }
   | Realloc of { ptr: Cil.exp; size: Cil.exp; }
   | Free of Cil.exp
diff --git a/src/util/library/libraryFunctions.ml b/src/util/library/libraryFunctions.ml
@@ -1243,9 +1243,15 @@ let legacy_libs_misc_list: (string * LibraryDesc.t) list = LibraryDsl.[
 [@@coverage off]
 
 let ocaml_descs_list: (string * LibraryDesc.t) list = LibraryDsl.[
-    ("caml_copy_double", unknown [drop "nptr" []]);
+    ("caml_copy_double", special [drop "nptr" []] (OCamlAlloc (GoblintCil.integer 1)));
     (* Eeskuju: ("malloc", special [__ "size" []] @@ fun size -> Malloc size); *)
     ("caml_alloc_small", special [__ "wosize" []; __ "tag" []] @@ fun wosize tag -> OCamlAlloc wosize);
+    ("__goblint_caml_param0", special [] @@ OCamlParam {param1 = None; param2 = None; param3 = None; param4 = None; param5 = None});
+    ("__goblint_caml_param1", special [__ "param" []] @@ fun param -> OCamlParam {param1 = Some param; param2 = None; param3 = None; param4 = None; param5 = None});
+    ("__goblint_caml_param2", special [__ "param1" []; __ "param2" []] @@ fun param1 param2 -> OCamlParam {param1 = Some param1; param2 = Some param2; param3 = None; param4 = None; param5 = None});
+    ("__goblint_caml_param3", special [__ "param1" []; __ "param2" []; __ "param3" []] @@ fun param1 param2 param3 -> OCamlParam {param1 = Some param1; param2 = Some param2; param3 = Some param3; param4 = None; param5 = None});
+    ("__goblint_caml_param4", special [__ "param1" []; __ "param2" []; __ "param3" []; __ "param4" []] @@ fun param1 param2 param3 param4 -> OCamlParam {param1 = Some param1; param2 = Some param2; param3 = Some param3; param4 = Some param4; param5 = None});
+    ("__goblint_caml_param5", special [__ "param1" []; __ "param2" []; __ "param3" []; __ "param4" []; __ "param5" []] @@ fun param1 param2 param3 param4 param5 -> OCamlParam {param1 = Some param1; param2 = Some param2; param3 = Some param3; param4 = Some param4; param5 = Some param5});
   ]
 [@@coverage off]
 
diff --git a/tests/regression/90-ocaml/01-bagnall.c b/tests/regression/90-ocaml/01-bagnall.c
@@ -2,8 +2,6 @@
 
 // Buggy code from https://github.com/xavierleroy/pringo/issues/6 where value v is not registered.
 
-// putchar from the standard library is marked as a sink
-
 #include <stdint.h>
 #include <string.h>
 #include <caml/mlvalues.h>
@@ -25,22 +23,22 @@ struct LXM_state { uint64_t a; uint64_t x[2]; uint64_t s; };
 CAMLprim value pringo_LXM_copy(value v)
 {
   value res = caml_alloc_small(Wsizeof(struct LXM_state), Abstract_tag);
-  memcpy(LXM_val(res), LXM_val(v), sizeof(struct LXM_state));
+  memcpy(LXM_val(res), LXM_val(v), sizeof(struct LXM_state)); // WARN
   return res;
 }
 
 CAMLprim value pringo_LXM_copy_correct(value v)
 {
   CAMLparam1(v);
   value res = caml_alloc_small(Wsizeof(struct LXM_state), Abstract_tag);
-  memcpy(LXM_val(res), LXM_val(v), sizeof(struct LXM_state));
+  memcpy(LXM_val(res), LXM_val(v), sizeof(struct LXM_state)); // NOWARN
   CAMLreturn(res);
 }
 
 CAMLprim value pringo_LXM_init_unboxed(uint64_t i1, uint64_t i2,
                                        uint64_t i3, uint64_t i4)
 {
-  value v = caml_alloc_small(Wsizeof(struct LXM_state), Abstract_tag);
+  value v = caml_alloc_small(Wsizeof(struct LXM_state), Abstract_tag); // NOWARN
   struct LXM_state * st = LXM_val(v);
   st->a = i1 | 1;    /* must be odd */
   st->x[0] = i2 != 0 ? i2 : 1; /* must be nonzero */
diff --git a/tests/regression/90-ocaml/02-floatops.c b/tests/regression/90-ocaml/02-floatops.c
@@ -0,0 +1,162 @@
+// PARAM: --set "ana.activated[+]" ocaml --set "mainfun[+]" "UNARY_OP" --set "mainfun[+]" "BINARY_OP" --set "mainfun[+]" "atof_double" --set "mainfun[+]" "atof_float" --set "mainfun[+]" "max_float" --set "mainfun[+]" "smallest_float" --set "mainfun[+]" "pi_float" --disable warn.imprecise --set "exp.extraspecials[+]" printInt
+
+// Code from stubs.c in src/common/cdomains/floatOps that should be correct despite missing CAMLparam, as discussed in https://github.com/goblint/analyzer/issues/1371.
+
+/* A small definition of the LXM state so sizeof works - from AI */
+//struct LXM_state { uint64_t a; uint64_t x[2]; uint64_t s; };
+
+/* Minimal macros to mimic expected behaviour */
+#define Wsizeof(ty) ((sizeof(ty) + sizeof(value) - 1) / sizeof(value))
+#define LXM_val(v) ((struct LXM_state *) Data_abstract_val(v))
+
+#define CAMLparam1(x) __goblint_caml_param1(&x)
+#define CAMLreturn(x) return (x) // From AI - CAMLreturn needs some variable named caml__frame, which is not available in our mock CAMLparam1, so we mock the return as well.
+
+
+#define _GNU_SOURCE // necessary for M_PI to be defined
+#include <stdio.h>
+#include <math.h>
+#include <float.h>
+#include <fenv.h>
+#include <assert.h>
+#include <caml/mlvalues.h>
+#include <caml/alloc.h>
+
+// Order must match with round_mode in floatOps.ml
+enum round_mode
+{
+    Nearest,
+    ToZero,
+    Up,
+    Down
+};
+
+static void change_round_mode(int mode)
+{
+    switch (mode)
+    {
+    case Nearest:
+        fesetround(FE_TONEAREST);
+        break;
+    case ToZero:
+        fesetround(FE_TOWARDZERO);
+        break;
+    case Up:
+        fesetround(FE_UPWARD);
+        break;
+    case Down:
+        fesetround(FE_DOWNWARD);
+        break;
+    default:
+        // Assert ignored to focus on the OCaml stubs.
+        assert(0); // FAIL
+        break;
+    }
+}
+
+#define UNARY_OP(name, type, op)                                 \
+    CAMLprim value name##_##type(value mode, value x)            \
+    {                                                            \
+        /* No need to use CAMLparam to keep mode and x as GC roots,
+           because next GC poll point is at allocation in caml_copy_double.
+           We have already read their values by then. */         \
+        int old_roundingmode = fegetround();                     \
+        change_round_mode(Int_val(mode));                        \
+        volatile type r, x1 = Double_val(x);                     \
+        r = op(x1);                                              \
+        fesetround(old_roundingmode);                            \
+        return caml_copy_double(r); /* NOWARN */                              \
+        /* No need to use CAMLreturn because we don't use CAMLparam. */ \
+    }
+
+UNARY_OP(sqrt, double, sqrt);
+UNARY_OP(sqrt, float, sqrtf);
+UNARY_OP(acos, double, acos);
+UNARY_OP(acos, float, acosf);
+UNARY_OP(asin, double, asin);
+UNARY_OP(asin, float, asinf);
+UNARY_OP(atan, double, atan);
+UNARY_OP(atan, float, atanf);
+UNARY_OP(cos, double, cos);
+UNARY_OP(cos, float, cosf);
+UNARY_OP(sin, double, sin);
+UNARY_OP(sin, float, sinf);
+UNARY_OP(tan, double, tan);
+UNARY_OP(tan, float, tanf);
+
+#define BINARY_OP(name, type, op)                                \
+    CAMLprim value name##_##type(value mode, value x, value y)   \
+    {                                                            \
+        /* No need to use CAMLparam to keep mode, x and y as GC roots,
+           because next GC poll point is at allocation in caml_copy_double.
+           We have already read their values by then. */         \
+        int old_roundingmode = fegetround();                     \
+        change_round_mode(Int_val(mode));                        \
+        volatile type r, x1 = Double_val(x), y1 = Double_val(y); \
+        r = x1 op y1;                                            \
+        fesetround(old_roundingmode);                            \
+        return caml_copy_double(r); /* NOWARN */                              \
+        /* No need to use CAMLreturn because we don't use CAMLparam. */ \
+    }
+
+BINARY_OP(add, double, +);
+BINARY_OP(add, float, +);
+BINARY_OP(sub, double, -);
+BINARY_OP(sub, float, -);
+BINARY_OP(mul, double, *);
+BINARY_OP(mul, float, *);
+BINARY_OP(div, double, /);
+BINARY_OP(div, float, /);
+
+CAMLprim value atof_double(value mode, value str)
+{
+    // No need to use CAMLparam to keep mode and str as GC roots,
+    // because next GC poll point is at allocation in caml_copy_double.
+    // We have already read their values by then.
+    const char *s = String_val(str);
+    volatile double r;
+    int old_roundingmode = fegetround();
+    change_round_mode(Int_val(mode));
+    r = atof(s);
+    fesetround(old_roundingmode);
+    return caml_copy_double(r); // NOWARN
+    // No need to use CAMLreturn because we don't use CAMLparam.
+}
+
+CAMLprim value atof_float(value mode, value str)
+{
+    // No need to use CAMLparam to keep mode and str as GC roots,
+    // because next GC poll point is at allocation in caml_copy_double.
+    // We have already read their values by then.
+    const char *s = String_val(str); // Despite not being a value, this is a pointer into the OCaml heap and needs to be checked against GC. Doubles are also pointers.
+    volatile float r;
+    int old_roundingmode = fegetround(); // NOWARN
+    change_round_mode(Int_val(mode)); // This makes a copy of the mode and no problems will arise.
+    r = (float)atof(s);
+    fesetround(old_roundingmode);
+    return caml_copy_double(r); // NOWARN
+    // No need to use CAMLreturn because we don't use CAMLparam.
+}
+
+// These are only given for floats as these operations involve no rounding and their OCaml implementation (Float module) can be used
+
+CAMLprim value max_float(value unit)
+{
+    // No need to use CAMLparam to keep unit as GC root,
+    // because we don't use it.
+    return caml_copy_double(FLT_MAX); // NOWARN
+    // No need to use CAMLreturn because we don't use CAMLparam.
+}
+
+CAMLprim value smallest_float(value unit)
+{
+    // No need to use CAMLparam to keep unit as GC root,
+    // because we don't use it.
+    return caml_copy_double(FLT_MIN); // NOWARN
+    // No need to use CAMLreturn because we don't use CAMLparam.
+}
+
+CAMLprim value pi_float(value unit)
+{
+    return caml_copy_double(M_PI); // NOWARN
+}
diff --git a/tests/regression/90-ocaml/03-demimarie.c b/tests/regression/90-ocaml/03-demimarie.c
@@ -0,0 +1,51 @@
+// PARAM: --set "ana.activated[+]" ocaml --set "mainfun[+]" "caml_gc_counters" --set "mainfun[+]" "caml_gc_counters_correct" --disable warn.imprecise --set "exp.extraspecials[+]" printInt
+
+// OCaml code fixed by Demi Marie Obenour in https://github.com/ocaml/ocaml/pull/13370, before and after the fix.
+
+/* Minimal macros to mimic expected behaviour */
+#define Wsizeof(ty) ((sizeof(ty) + sizeof(value) - 1) / sizeof(value))
+#define LXM_val(v) ((struct LXM_state *) Data_abstract_val(v))
+
+#define CAMLparam0() __goblint_caml_param0()
+#define CAMLparam1(x) __goblint_caml_param1(&x)
+#define CAMLreturn(x) return (x) // From AI - CAMLreturn needs some variable named caml__frame, which is not available in our mock CAMLparam1, so we mock the return as well.
+
+
+CAMLprim value caml_gc_counters(value v)
+{
+  CAMLparam0 ();   /* v is ignored */
+  CAMLlocal1 (res);
+
+  /* get a copy of these before allocating anything... */
+  double minwords = caml_gc_minor_words_unboxed();
+  double prowords = (double)Caml_state->stat_promoted_words;
+  double majwords = Caml_state->stat_major_words +
+                    (double) Caml_state->allocated_words;
+
+  res = caml_alloc_3(0,
+    caml_copy_double (minwords),
+    caml_copy_double (prowords),
+    caml_copy_double (majwords)); // WARN
+  CAMLreturn (res);
+}
+
+CAMLprim value caml_gc_counters_correct(value v)
+{
+  CAMLparam0 (); /* v is ignored */
+  CAMLlocal3 (minwords_, prowords_, majwords_);
+
+  /* get a copy of these before allocating anything... */
+  double minwords = caml_gc_minor_words_unboxed();
+  double prowords = (double)Caml_state->stat_promoted_words;
+  double majwords = Caml_state->stat_major_words +
+                    (double) Caml_state->allocated_words;
+
+  minwords_ = caml_copy_double(minwords);
+  prowords_ = caml_copy_double(prowords);
+  majwords_ = caml_copy_double(majwords);
+  v = caml_alloc_small(3, 0);
+  Field(v, 0) = minwords_;
+  Field(v, 1) = prowords_;
+  Field(v, 2) = majwords_;
+  CAMLreturn(v);
+}
