
I'm trying to test WP plugin with Alt-Ergo on a fairly complex function. Unfortunately, I am not able to figure out what's wrong with the "basic" behavior given below.

This behavior should be true because there is no other place where tenumRMode is updated except the else branch of the first conditional statement.

The weird thing is that if I comment out some lines arbitrarily I always get "valid" from Alt-Ergo.

Any comments?

/*@ behavior basic:
      @  assumes fRrValue == 0;
      @  ensures tenumRMode == SS_A_MODE;
      @
    */


[formal_verification]$ frama-c -wp -wp-rte -wp-bhv=basic foo.c -wp-out t  -lib-entry -main foo -wp-model ref -wp-timeout=50 -wp-fct=foo -wp-out t
[kernel] preprocessing with "gcc -C -E -I.  foo.c"
[wp] Running WP plugin...
[rte] annotating function foo
[wp] Collecting axiomatic usage
[wp] Collecting variable usage
[wp] 1 goal scheduled
[wp] [Alt-Ergo] Goal typed_ref_foo_basic_post : Unknown (Qed:20ms)

typedef unsigned char BOOL;
#define TRUE 1
#define FALSE 0

typedef unsigned char uint8;
typedef unsigned short int uint16;
typedef unsigned long  uint32;

uint16 F_MIN_R = 15;

const uint8 RESP_STATE = 30;


typedef enum
{
        RESP_MODE,
        SS_A_MODE
}tenumMode;

tenumMode tenumRMode;


BOOL gbCaMStatus;
BOOL gbCaaStatus;
uint8 mnPb;
BOOL mbApLYRange;
BOOL mbApLRange;
float gfApYLineSlope;
float gfApYLineConst;
float gfApRLineSlope;
float gfApRLineConst;
float mfAp;
uint16 almC;
uint16  nApLYL = 0;
uint16  nApLRL = 0;
uint16  Ap_Y_L_Ui = 0;
uint16  Ap_R_L_Ui = 0;
float   fCaValue=0.0;
float   fRrValue = 0.0;
uint16  nCaLYL=0;
uint16  nCaLRL=0;


/*@ behavior basic:
  @  assumes fRrValue == 0;
  @  ensures tenumRMode == SS_A_MODE;
  @
*/

void foo()
{

        float   mfNewAp = 0;
        BOOL    bYAp = FALSE;
        BOOL    bRAp = FALSE;
        BOOL    bApAlmC = FALSE;

        if (fRrValue != 0)
        {
            /* Some code here */
        }
        else
        {
                if (mnPb == 1)
                {
                        mfAp = RESP_STATE;
                        mnPb = 2;
                }

                tenumRMode = SS_A_MODE;
        }

        if ( (mfAp >= F_MIN_R) &&
                 ((gbCaMStatus == TRUE) && (gbCaaStatus == FALSE)) )
        {
                bApAlmC = TRUE;
                almC = 1;
        }
        else
        {
              almC = 0;
        }


        if ( (bApAlmC == TRUE)
                 && (mfAp < nApLYL)
                 && (fCaValue >= nCaLYL) )
        {
                float fmultval = 0;

                fmultval = gfApYLineSlope*fCaValue;

                mfNewAp = fmultval + gfApYLineConst;

                if (mfAp >= mfNewAp)
                        bYAp = TRUE;
                else
                        bYAp = FALSE;

                Ap_Y_L_Ui = (uint16)mfNewAp;
        }


        if ((bApAlmC == TRUE) && (fCaValue > (float)nCaLYL))
        {
                        mfNewAp = ((gfApYLineSlope*fCaValue) + gfApYLineConst);
                        if (mfNewAp < (float)nApLYL)   /* stray ';' after the condition removed */
                                Ap_Y_L_Ui = (uint16)mfNewAp;
        }

        else if ((bApAlmC == TRUE) && (fCaValue <= (float)nCaLYL))
                Ap_Y_L_Ui = F_MIN_R;

        if ( (bApAlmC == TRUE) && (fCaValue >= nCaLRL) )
        {
                float fmultval = 0;

                fmultval = gfApRLineSlope*fCaValue;

                mfNewAp = fmultval + gfApRLineConst;


                if (mfAp >= mfNewAp)
                        bRAp = TRUE;
                else
                        bRAp = FALSE;

                Ap_R_L_Ui = (uint16)mfNewAp;
        }
        else if ( (bApAlmC == TRUE) && (fCaValue < nCaLRL) )
                Ap_R_L_Ui = F_MIN_R;

        if ( (mfAp >= nApLYL)
                 || ((bApAlmC == TRUE) && (fCaValue < nCaLYL))
                 || ((bYAp == TRUE)
                         && (gbCaMStatus == TRUE)  && (gbCaaStatus == FALSE)  ) )
        {
                mbApLYRange = TRUE;
        }
        else
                mbApLYRange = FALSE;

        if ( (mfAp >= nApLRL)
                 || ((bApAlmC == TRUE) && (fCaValue < nCaLRL))
                 || ((bRAp == TRUE)
                        && (gbCaMStatus == TRUE) && (gbCaaStatus == FALSE) )  )
        {
            /* Some code here */
        }
}
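The contract in the question only has one behavior and no assigns clause. The following is an added example (not the question's code) that reduces the function to the part that touches tenumRMode, gives WP an explicit assigns clause plus complete/disjoint behaviors, and adds a constructed runtime driver that checks the same property the ensures states. The names foo_mode, check_basic, check_other and the behavior "other" are assumptions introduced here.

```c
#include <assert.h>

typedef unsigned char BOOL;
typedef unsigned char uint8;

typedef enum { RESP_MODE, SS_A_MODE } tenumMode;

tenumMode tenumRMode;
uint8     mnPb;
float     mfAp;
float     fRrValue = 0.0f;
const uint8 RESP_STATE = 30;

/*@ assigns tenumRMode, mnPb, mfAp;
  @ behavior basic:
  @   assumes fRrValue == 0;
  @   ensures tenumRMode == SS_A_MODE;
  @   ensures \old(mnPb) == 1 ==> mnPb == 2 && mfAp == RESP_STATE;
  @ behavior other:
  @   assumes fRrValue != 0;
  @   ensures tenumRMode == \old(tenumRMode);
  @ complete behaviors;
  @ disjoint behaviors;
  @*/
void foo_mode(void)
{
    if (fRrValue != 0) {
        /* branch elided in the question; it does not write tenumRMode */
    } else {
        if (mnPb == 1) { mfAp = RESP_STATE; mnPb = 2; }
        tenumRMode = SS_A_MODE;
    }
}

/* Constructed driver: runs foo_mode with fRrValue == 0 and checks the
 * "basic" behavior at runtime. Returns 1 when the postcondition holds. */
int check_basic(uint8 pb, tenumMode start)
{
    fRrValue = 0.0f; mnPb = pb; tenumRMode = start; mfAp = 0.0f;
    foo_mode();
    return tenumRMode == SS_A_MODE
        && (pb != 1 || (mnPb == 2 && mfAp == RESP_STATE));
}

/* Constructed driver for the "other" behavior: tenumRMode must be untouched. */
int check_other(tenumMode start)
{
    fRrValue = 1.0f; mnPb = 0; tenumRMode = start;
    foo_mode();
    return tenumRMode == start;
}
```

Run the same file through frama-c -wp to see whether the proof obligation for the reduced contract is discharged; if it is, the failure in the full function comes from the statements after the first if-else block.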

1 Answer

Which versions of Alt-Ergo and Frama-C are you using? I tried your example using Frama-C Oxygen-20120901 and Alt-Ergo version 0.95.2 (installed via OPAM) and I got:

$ frama-c -wp -wp-rte -lib-entry -main foo foo.c -wp-bhv=basic
[kernel] preprocessing with "gcc -C -E -I. foo.c"
[wp] Running WP plugin...
[wp] Collecting axiomatic usage
foo.c:51:[wp] warning: [get_strategies] no behaviors found
foo.c:51:[wp] warning: [get_strategies] no behaviors found
[rte] annotating function foo
[wp] 1 goal scheduled
[wp] [Alt-Ergo] Goal store_foo_basic_post : Unknown

When I tried Alt-Ergo (v. 0.95.2) directly, I got:

$ alt-ergo store_foo_basic_post_po_ergo.why
File "store_foo_basic_post_po_ergo.why", line 1220, characters 22-24:syntax error

The VC is proved after fixing the syntax errors by hand. I think Alt-Ergo v. >= 0.95 is not compatible with Frama-C Oxygen. BTW, I don't know why OPAM hadn't installed the latest version of Frama-C on my computer (i.e. Fluorine-20130601).

-- Regards

iguerNL
  • Alt-Ergo -version shows 0.95.2; Frama-c -version shows Fluorine-20130601. – user3150318 Jan 11 '14 at 13:28
  • I don't know why Frama-C Oxygen + A-E 0.95.2 proves the VC (by hand, after fixing the syntax errors) but Frama-C Fluorine + A-E 0.95.2 says "I don't know". I'll try to compare the two VCs. – iguerNL Jan 11 '14 at 13:52
  • I tried to reduce the size of the program. The sad story is that if I comment out any statement after the first if-else block, the result is valid. Unfortunately, this program cannot be reduced further, I think, to demonstrate the problem. – user3150318 Jan 13 '14 at 14:08