4

I'm new to Frama-c and I'd like to understand what is the problem with this simple example :

/*@ requires \valid(array+(0..length-1))
@ ensures \forall integer k; 0 <= k < length ==> array[k] == 0;
@ assigns array[0..length-1];
*/
void fill(int array[], int length){
    /*@ loop invariant 0 <= i <= length;
    @ loop invariant \forall integer k; 0 <= k < i ==> array[k] == 0;
    @ loop assigns i, array[0..i-1];
    @ loop variant length - i;
    */
    for(int i = 0; i < length; i++){
        array[i] = 0;
    }
}

In this example, Frama-c (WP + Value) won't prove the assign clause in the function contract and I can't understand why. Any help will be appreciated =)

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
roo
  • 149
  • 9
  • why? Isn't it ok? I just want to fill an array of int (declared statically) with zeros... Isn't int * array[] an array of int pointers?? Anyway it doesn't do the trick :/ – roo May 23 '13 at 10:32
  • I don't see what you mean. Even with this signature fill(int * array, int length), the problem is still here... – roo May 23 '13 at 11:25
  • @EliasVanOotegem In C, arrays are passed by reference. The function is fine, and the specifications are fine. The Value plug-in does not prove the “assigns” because it does not aim to do this (it only uses “assigns” clauses as a source of information, and only for library functions without source code). I thought WP would prove it. Roo, what automatic provers do you have installed? – Pascal Cuoq May 23 '13 at 12:54
  • Since `length` is passed as `int` I would add the precondition that `length` is `≥0` or `>0` though (whichever you prefer). – Pascal Cuoq May 23 '13 at 12:55
  • @PascalCuoq: My bad, I've googled Frama-C, and _now_ I know what this question is about. That's why I commented, and not set about writing a lengthy answer. I got the impression there was more to this than I initially thought... – Elias Van Ootegem May 23 '13 at 13:02
  • @PascalCuoq : adding the preconditions length >= 0 or length > 0 doesn't solve the problem (isn't it implied by the precondition \valid(array+(0..length-1))??). I have Alt-Ergo. – roo May 23 '13 at 14:16

1 Answers1

3

This can be proven (with alt-ergo 0.95.1) if you weaken your loop assigns.

@ loop assigns i, array[0..length-1];

The precondition i >= 0 is also needed, because it is not implied by \valid(array+(0..length-1). array+(0..length-1) is a valid set of locations with length <= 0, although an empty one.

The fact that your original loop assigns does not imply your precondition is a limitation of the current version of the WP plugin.

byako
  • 3,372
  • 2
  • 21
  • 36
  • Hi Boris, thanks for your answer. I knew that I could prove it by weakening the loop assigns but I wanted to know why it doesn't work with a stronger but correct clause. Thanks for the explanations! – roo May 24 '13 at 09:40
  • If you like Boris's answer, you should mark it as accepted (the checkmark under the voting buttons). – Daniel H Jun 25 '14 at 05:42