---- Boogie options --------------------------------------------------------
Multiple .bpl files supplied on the command line are concatenated into one
Boogie program.
/proc: : limits which procedures to check
/noResolve : parse only
/noTypecheck : parse and resolve only
/print: : print Boogie program after parsing it
(use - as to print to console)
/printWithUniqueIds : print augmented information that uniquely
identifies variables
/printUnstructured : with /print option, desugars all structured statements
/printDesugared : with /print option, desugars calls
/overlookTypeErrors : skip any implementation with resolution or type
checking errors
/loopUnroll:
unroll loops, following up to n back edges (and then some)
/soundLoopUnrolling
sound loop unrolling
/printModel:
0 (default) - do not print Z3's error model
1 - print Z3's error model
2 - print Z3's error model plus reverse mappings
4 - print Z3's error model in a more human readable way
/printModelToFile:
print model to instead of console
/mv: Specify file where to save the model in BVD format
/enhancedErrorMessages:
0 (default) - no enhanced error messages
1 - Z3 error model enhanced error messages
/printCFG: : print control flow graph of each implementation in
Graphviz format to files named:
..dot
---- Inference options -----------------------------------------------------
/infer:
use abstract interpretation to infer invariants
The default is /infer:i"
// This is not 100% true, as the /infer ALWAYS creates
// a multilattice, whereas if nothing is specified then
// intervals are isntantiated WITHOUT being embedded in
// a multilattice
+ @"
are as follows (missing means all)
i = intervals
c = constant propagation
d = dynamic type
n = nullness
p = polyhedra for linear inequalities
t = trivial bottom/top lattice (cannot be combined with
other domains)
j = stronger intervals (cannot be combined with other
domains)
or the following (which denote options, not domains):
s = debug statistics
0..9 = number of iterations before applying a widen (default=0)
/noinfer turn off the default inference, and overrides the /infer
switch on its left
/checkInfer instrument inferred invariants as asserts to be checked by
theorem prover
/interprocInfer
perform interprocedural inference (deprecated, not supported)
/contractInfer
perform procedure contract inference
/instrumentInfer
h - instrument inferred invariants only at beginning of
loop headers (default)
e - instrument inferred invariants at beginning and end
of every block (this mode is intended for use in
debugging of abstract domains)
/printInstrumented
print Boogie program after it has been instrumented with
invariants
---- Debugging and general tracing options ---------------------------------
/trace blurt out various debug trace information
/traceTimes output timing information at certain points in the pipeline
/tracePOs output information about the number of proof obligations
(also included in the /trace output)
/log[:method] Print debug output during translation
/break launch and break into debugger
---- Verification-condition generation options -----------------------------
/liveVariableAnalysis:
0 = do not perform live variable analysis
1 = perform live variable analysis (default)
2 = perform interprocedural live variable analysis
/noVerify skip VC generation and invocation of the theorem prover
/verifySnapshots
verify several program snapshots (named .v0.bpl
to .vN.bpl) using verification result caching
/verifySeparately
verify each input program separately
/removeEmptyBlocks:
0 - do not remove empty blocks during VC generation
1 - remove empty blocks (default)
/coalesceBlocks:
0 = do not coalesce blocks
1 = coalesce blocks (default)
/vc: n = nested block (default for /prover:Simplify),
m = nested block reach,
b = flat block, r = flat block reach,
s = structured, l = local,
d = dag (default, except with /prover:Simplify)
doomed = doomed
/traceverify print debug output during verification condition generation
/subsumption:
apply subsumption to asserted conditions:
0 - never, 1 - not for quantifiers, 2 (default) - always
/alwaysAssumeFreeLoopInvariants
usually, a free loop invariant (or assume
statement in that position) is ignored in checking contexts
(like other free things); this option includes these free
loop invariants as assumes in both contexts
/inline: use inlining strategy for procedures with the :inline
attribute, see /attrHelp for details:
none
assume (default)
assert
spec
/printInlined
print the implementation after inlining calls to
procedures with the :inline attribute (works with /inline)
/lazyInline:1
Use the lazy inlining algorithm
/stratifiedInline:1
Use the stratified inlining algorithm
/fixedPointEngine:
Use the specified fixed point engine for inference
/recursionBound:
Set the recursion bound for stratified inlining to
be n (default 500)
/inferLeastForUnsat:
Infer the least number of constants (whose names
are prefixed by ) that need to be set to
true for the program to be correct. This turns
on stratified inlining.
/smoke Soundness Smoke Test: try to stick assert false; in some
places in the BPL and see if we can still prove it
/smokeTimeout:
Timeout, in seconds, for a single theorem prover
invocation during smoke test, defaults to 10.
/causalImplies
Translate Boogie's A ==> B into prover's A ==> A && B.
/typeEncoding:
how to encode types when sending VC to theorem prover
n = none (unsound)
p = predicates (default)
a = arguments
m = monomorphic
/monomorphize
Do not abstract map types in the encoding (this is an
experimental feature that will not do the right thing if
the program uses polymorphism)
/reflectAdd In the VC, generate an auxiliary symbol, elsewhere defined
to be +, instead of +.
---- Verification-condition splitting --------------------------------------
/vcsMaxCost:
VC will not be split unless the cost of a VC exceeds this
number, defaults to 2000.0. This does NOT apply in the
keep-going mode after first round of splitting.
/vcsMaxSplits:
Maximal number of VC generated per method. In keep
going mode only applies to the first round.
Defaults to 1.
/vcsMaxKeepGoingSplits:
If set to more than 1, activates the keep
going mode, where after the first round of splitting,
VCs that timed out are split into pieces and retried
until we succeed proving them, or there is only one
assertion on a single path and it timeouts (in which
case error is reported for that assertion).
Defaults to 1.
/vcsKeepGoingTimeout:
Timeout in seconds for a single theorem prover
invocation in keep going mode, except for the final
single-assertion case. Defaults to 1s.
/vcsFinalAssertTimeout:
Timeout in seconds for the single last
assertion in the keep going mode. Defaults to 30s.
/vcsPathJoinMult:
If more than one path join at a block, by how much
multiply the number of paths in that block, to accomodate
for the fact that the prover will learn something on one
paths, before proceeding to another. Defaults to 0.8.
/vcsPathCostMult:
/vcsAssumeMult:
The cost of a block is
( + *) *
(1.0 + *)
defaults to 1.0, defaults to 0.01.
The cost of a single assertion or assumption is
currently always 1.0.
/vcsPathSplitMult:
If the best path split of a VC of cost A is into
VCs of cost B and C, then the split is applied if
A >= *(B+C), otherwise assertion splitting will be
applied. Defaults to 0.5 (always do path splitting if
possible), set to more to do less path splitting
and more assertion splitting.
/vcsDumpSplits
For split #n dump split.n.dot and split.n.bpl.
Warning: Affects error reporting.
/vcsCores:
Try to verify VCs at once. Defaults to 1.
/vcsLoad: Sets vcsCores to the machine's ProcessorCount * f,
rounded to the nearest integer (where 0.0 <= f <= 3.0),
but never to less than 1.
---- Prover options --------------------------------------------------------
/errorLimit:
Limit the number of errors produced for each procedure
(default is 5, some provers may support only 1)
/timeLimit:
Limit the number of seconds spent trying to verify
each procedure
/errorTrace:
0 - no Trace labels in the error output,
1 (default) - include useful Trace labels in error output,
2 - include all Trace labels in the error output
/vcBrackets:
bracket odd-charactered identifier names with |'s. is:
0 - no (default with non-/prover:Simplify),
1 - yes (default with /prover:Simplify)
/prover: use theorem prover , where is either the name of
a DLL containing the prover interface located in the
Boogie directory, or a full path to a DLL containing such
an interface. The standard interfaces shipped include:
SMTLib (default, uses the SMTLib2 format and calls Z3)
Z3 (uses Z3 with the Simplify format)
Simplify
ContractInference (uses Z3)
Z3api (Z3 using Managed .NET API)
/proverOpt:KEY[=VALUE]
Provide a prover-specific option (short form /p).
/proverLog:
Log input for the theorem prover. Like filenames
supplied as arguments to other options, can use the
following macros:
@TIME@ expands to the current time
@PREFIX@ expands to the concatenation of strings given
by /logPrefix options
@FILE@ expands to the last filename specified on the
command line
In addition, /proverLog can also use the macro '@PROC@',
which causes there to be one prover log file per
verification condition, and the macro then expands to the
name of the procedure that the verification condition is for.
/logPrefix:
Defines the expansion of the macro '@PREFIX@', which can
be used in various filenames specified by other options.
/proverLogAppend
Append (not overwrite) the specified prover log file
/proverWarnings
0 (default) - don't print, 1 - print to stdout,
2 - print to stderr
/proverMemoryLimit:
Limit on the virtual memory for prover before
restart in MB (default:100MB)
/restartProver
Restart the prover after each query
/proverShutdownLimit
Time between closing the stream to the prover and
killing the prover process (default: 0s)
/platform:,
ptype = v11,v2,cli1
location = platform libraries directory
Simplify specific options:
/simplifyMatchDepth:
Set Simplify prover's matching depth limit
Z3 specific options:
/z3opt: specify additional Z3 options
/z3multipleErrors
report multiple counterexamples for each error
/useArrayTheory
use Z3's native theory (as opposed to axioms). Currently
implies /monomorphize.
/useSmtOutputFormat
Z3 outputs a model in the SMTLIB2 format.
/z3types generate multi-sorted VC that make use of Z3 types
/z3lets: 0 - no LETs, 1 - only LET TERM, 2 - only LET FORMULA,
3 - (default) any
/z3exe:
path to Z3 executable
CVC4 specific options:
/cvc4exe:
path to CVC4 executable
");
}
}
}