I am having some trouble implementing preconditions and postconditions in ACSL in my code.
I'd like to complete an exercise: I have implemented a stack (following the informal specification in the comment) and now I need to write the precondition and postcondition as in the informal specification. The trouble is that I have tried to write the ACSL part and tried to compile my implementation with Frama-C, but it is not working: all the lines are marked with red dots.
I don't understand why it isn't working, but it's quite likely that I am not able to write ACSL code.
Is there someone who can help me? If someone could write some examples on my stack implementation, it would help me greatly.
Thanks a lot in advance.
Code I wrote: the file Stack.h is the implementation of the stack; I wrote a simple linear main.c to check the correctness of the code (as a test case). The informal specification of the exercise is in the comment before the code in stack.h.
File Stack.h :
/* create_stack
   Inputs: none
   Outputs: S (a stack)
   Preconditions: none
   Postconditions: S is defined and empty

   destroy_stack
   Inputs: S (a stack)
   Outputs: S' (i.e. S changed)
   Preconditions: none
   Postconditions: S' is undefined. All resources (e.g. memory) allocated to S have been released. No stack operation can be performed on S'.

   is_empty
   Inputs: S (a stack)
   Outputs: is_empty (boolean)
   Preconditions: none
   Postconditions: is_empty is true iff S is empty.

   top
   Inputs: S (a stack)
   Outputs: E (a stack element)
   Preconditions: S is not empty
   Postconditions: E is the top element on S (S is unchanged)

   pop
   Inputs: S (a stack)
   Outputs: S' (i.e. S is changed)
   Preconditions: S is not empty
   Postconditions: Because S is not empty, it consists of two parts: a top element T and a stack R of remaining elements. S' = R.

   push
   Inputs: S (a stack) and V (a value)
   Outputs: S' (i.e. S changed)
   Preconditions: V is of appropriate type for an element of S
   Postconditions: S' has V as its top element and S as its remaining */
#include <stdio.h>   /* fprintf */
#include <stdlib.h>  /* malloc, free */
#include <assert.h>  /* assert */

#define STACK_MAX 100

struct Stack {
    int data[STACK_MAX];
    int size;
};
typedef struct Stack Stack;

Stack *Stack_Init()
{
    Stack *S = malloc(sizeof(Stack)); // allocate memory for the pointer
    assert(S != NULL);                // check that it is not NULL
    S->size = 0;                      // initialise the stack as empty
    return S;                         // return the pointer
}

void Stack_Destroy(Stack *S)
{
    free(S);
}

int Stack_Is_Empty(Stack *S)
{
    if (S->size == 0)
        return 1;
    else
        return 0;
}

int Stack_Top(Stack *S)
{
    return S->data[S->size - 1]; // return the element on top
}

void Stack_Pop(Stack *S)
{
    S->size--;
}

void Stack_Push(Stack *S, int d)
{
    if (S->size < STACK_MAX)
        S->data[S->size++] = d;
    else
        fprintf(stderr, "Error: stack full\n");
}
File main.c :
#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include "stack.h"

int main()
{
    struct Stack *S = Stack_Init(); // call the function that returns a pointer to a Stack structure initialised to 0 with maximum size 100
    int p;
    printf("Which element do you want to insert?\n");
    scanf("%d", &p);
    Stack_Push(S, p);
    printf("Insert another one\n");
    scanf("%d", &p);
    Stack_Push(S, p);
    printf("The element now on top is %d\n", Stack_Top(S));
    printf("Let's remove one\n");
    Stack_Pop(S);
    printf("The element now on top is %d\n", Stack_Top(S));
    printf("Is the stack empty?\n%d\n", Stack_Is_Empty(S));
    printf("Let's remove another one\n");
    Stack_Pop(S);
    printf("Is the stack empty now?\n%d\n", Stack_Is_Empty(S));
    printf("Destroying the stack\n");
    Stack_Destroy(S);
    return 0;
}
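The following is an added example, not code from the question: the same stack with ACSL contracts written from the informal specification above. ACSL lives inside `/*@ ... @*/` comments, so the file still compiles as plain C. Two things differ from the posted code, and both are my choices: `Stack_Init` returns NULL on allocation failure instead of calling `assert`, so the contract can state that case, and `Stack_Push` returns 1/0 instead of writing to stderr, so the contract does not have to describe libc I/O. The predicate `valid_stack`, the function `Stack_Scenario`, and the sample values 7 and 42 are constructed for the example. Note also that the posted header uses `malloc`, `assert` and `fprintf` without including `<stdlib.h>`, `<assert.h>` or `<stdio.h>`, so it does not parse on its own; the example includes what it uses.

```c
#include <stdlib.h>
#define STACK_MAX 100

struct Stack {
    int data[STACK_MAX];
    int size;
};
typedef struct Stack Stack;

/* Invariant shared by every operation (constructed for this example):
   S points at a live struct and size stays inside the array. */
/*@ predicate valid_stack(Stack *S) =
  @   \valid(S) && 0 <= S->size <= STACK_MAX;
  @*/

/* create_stack: "S is defined and empty". NULL replaces the assert()
   of the posted code so the failure case is part of the contract. */
/*@ ensures \result != \null ==> (valid_stack(\result) && \result->size == 0);
  @*/
Stack *Stack_Init(void)
{
    Stack *S = malloc(sizeof(Stack));
    if (S == NULL)
        return NULL;
    S->size = 0;
    return S;
}

/* destroy_stack: S must be a malloc'd block; afterwards it is released. */
/*@ requires \freeable(S);
  @ frees S;
  @*/
void Stack_Destroy(Stack *S)
{
    free(S);
}

/* is_empty: the result is true iff S is empty, and S is not modified. */
/*@ requires valid_stack(S);
  @ assigns \nothing;
  @ ensures \result == 0 || \result == 1;
  @ ensures \result == 1 <==> S->size == 0;
  @*/
int Stack_Is_Empty(Stack *S)
{
    return S->size == 0 ? 1 : 0;
}

/* top: the precondition "S is not empty" is what keeps data[size-1] in bounds. */
/*@ requires valid_stack(S);
  @ requires S->size > 0;
  @ assigns \nothing;
  @ ensures \result == S->data[S->size - 1];
  @*/
int Stack_Top(Stack *S)
{
    return S->data[S->size - 1];
}

/* pop: only size changes, so "S' = R" follows from the assigns clause. */
/*@ requires valid_stack(S);
  @ requires S->size > 0;
  @ assigns S->size;
  @ ensures S->size == \old(S->size) - 1;
  @ ensures valid_stack(S);
  @*/
void Stack_Pop(Stack *S)
{
    S->size--;
}

/* push: returns 1 on success, 0 when the stack is full (my change from
   the stderr message). Two named behaviors cover the two cases. */
/*@ requires valid_stack(S);
  @ assigns S->size, S->data[0 .. STACK_MAX - 1];
  @ ensures valid_stack(S);
  @ behavior has_room:
  @   assumes S->size < STACK_MAX;
  @   assigns S->size, S->data[S->size];
  @   ensures \result == 1;
  @   ensures S->size == \old(S->size) + 1;
  @   ensures S->data[\old(S->size)] == d;
  @ behavior full:
  @   assumes S->size == STACK_MAX;
  @   assigns \nothing;
  @   ensures \result == 0;
  @   ensures S->size == \old(S->size);
  @ complete behaviors;
  @ disjoint behaviors;
  @*/
int Stack_Push(Stack *S, int d)
{
    if (S->size >= STACK_MAX)
        return 0;
    S->data[S->size++] = d;
    return 1;
}

/* The scenario of the question's main.c with constructed inputs 7 and 42;
   returns 1 if every step matches the informal specification, else 0. */
int Stack_Scenario(void)
{
    Stack *S = Stack_Init();
    if (S == NULL)
        return 0;
    int ok = Stack_Is_Empty(S) == 1;
    ok = ok && Stack_Push(S, 7) == 1 && Stack_Push(S, 42) == 1;
    ok = ok && Stack_Top(S) == 42;
    Stack_Pop(S);
    ok = ok && Stack_Top(S) == 7 && Stack_Is_Empty(S) == 0;
    Stack_Pop(S);
    ok = ok && Stack_Is_Empty(S) == 1;
    Stack_Destroy(S);
    return ok;
}
```

To check the contracts rather than just compile them, run the file through the WP plug-in, for example `frama-c -wp -wp-rte stack_acsl.c` (the file name is assumed; `-wp-rte` additionally generates the run-time-error goals, such as the array index in `Stack_Top`, which the `requires S->size > 0` clause is there to discharge). Whether the allocation clauses on `Stack_Init` and `Stack_Destroy` are proved automatically depends on the Frama-C version and memory model; the `assigns` and `ensures` clauses on the other four functions are the ones that correspond directly to the informal pre/postconditions.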