Expand description
Function specification system for external/library function modeling.
This module provides a pluggable system for describing the behavior of external functions (libc, POSIX, user libraries) that cannot be analyzed directly. Specs are used by various analyses:
- PTA: Memory allocation, aliasing, pointer returns
- Nullness: Pre/post-conditions on pointer validity
- Taint: Sources, sinks, sanitizers, propagation rules
- Interval: Numeric return bounds
§Spec Format
Specs are defined in YAML files with version “1.0”:
version: "1.0"
specs:
- name: malloc
role: allocator
returns:
pointer: fresh_heap
nullness: maybe_null
params:
- index: 0
semantic: allocation_size§Name Matching
- Exact:
name: malloc - Glob:
name: "glob:str*" - Regex:
name: "regex:^mem(cpy|set|move)$"
§Discovery Order
Specs are loaded from multiple paths (later overrides earlier per-function):
<binary>/../share/saf/specs/*.yaml— shipped defaults~/.saf/specs/*.yaml— user global./saf-specs/*.yaml— project local$SAF_SPECS_PATH/*.yaml— explicit override
§Example
use saf_core::spec::{SpecRegistry, FunctionSpec, Role};
// Load from default paths
let registry = SpecRegistry::new(); // Empty for now
// Programmatic construction
let mut registry = SpecRegistry::new();
let mut spec = FunctionSpec::new("my_alloc");
spec.role = Some(Role::Allocator);
registry.add(spec).unwrap();
if let Some(spec) = registry.lookup("my_alloc") {
assert_eq!(spec.role, Some(Role::Allocator));
}Modules§
- analyzed 🔒
- Layered spec registry combining YAML-authored specs with analysis-derived facts.
- derived 🔒
- Analysis-derived function specifications.
- pattern 🔒
- Name pattern matching for function specifications.
- registry 🔒
- Spec registry for loading and querying function specifications.
- schema 🔒
- YAML schema parsing and validation for function specifications.
- types 🔒
- Type definitions for function specifications.
Structs§
- Analyzed
Spec Registry - A layered spec registry that combines immutable YAML-authored specs with mutable analysis-derived overlays.
- Computed
Bound - A computed return bound: return interval depends on an argument property.
- Derived
Spec - Analysis-derived specification for a function.
- Function
Spec - A function specification describing external/library function behavior.
- Param
Spec - Per-parameter specification.
- Return
Spec - Return value specification.
- Spec
File - A spec file containing multiple function specifications.
- Spec
Registry - A registry of function specifications.
- Taint
Propagation - A single taint propagation rule.
- Taint
Spec - Taint propagation specification.
Enums§
- Bound
Mode - How a return value is bounded by an argument property.
- Lookup
Result - Result of looking up a function in the analyzed registry.
- Name
Pattern - A name pattern for matching function names.
- Nullness
- Nullness requirements and guarantees for pointers.
- Pattern
Error - Errors that can occur when parsing patterns.
- Pointer
- Describes what a returned pointer points to.
- Registry
Error - Errors that can occur when loading the registry.
- Role
- High-level role of a function for analysis purposes.
- Schema
Error - Errors that can occur when parsing spec files.
- Taint
Location - A location in taint propagation rules.
Constants§
- CURRENT_
VERSION - The current spec file format version.