Frama-C should warn for this program: struct S { int x; int y; }; struct T { int z; struct S s; }; union U { struct S f ; struct T g; } u; main(){ u.f = u.g.s; return 0; } 3: If the value being stored in an object is read from another object that overlaps in any way the storage of the first object, then the overlap shall be exact and the two objects shall have qualified or unqualified versions of a compatible type; otherwise, the behavior is undefined.
Partially fixed in Nitrogen (alarm emitted when the lvalues are known precisely enough).
Compatibility of types is never tested, but then effectives types are mostly ignored by Value everywhere. The current detection is done only when the lvalue is "larger enough" (strictly larger than an int). The effect of relaxing this condition must be evaluated.
Two updates from a PhD student currently very busy writing slides (or not): - the case where both locations are imprecise (=intervals) is not handled at all - due to changes in EVA (option -val-warn-copy-indeterminate), this alarm is no longer emitted most of the time.