How many temporary variables Frama-C WP plugin can handle?

Question

I was trying to generate weakest precondition of a particular program where there are total 44 temporary variables are present. Values of 2 temporary variables are assumed. All other variables are derived from these two variables. Also, there are 2 input variables. Here is a segment of my code.

void main(int err1_10, int err2_10){
    int x_mkfirm1,x_mkfirm2;
    int dist_00=0, dist_10=5, a00=0, a01=0, a10=-1, a11=0, b00=1,b10=0, u=2;
    int K_00=-1, K_01=1, x0_00=0,x0_10=3;
    int x1_00,x2_00,x3_00,....,x20_00;
    int x1_10,x2_10,x3_10,....,x20_10;
    x0_00=x0_00+dist_00;
    x0_10=x0_10+dist_10;
    u=-K_00*x0_00-K_01*x0_10;
    x1_00=a00*x0_00+a01*x0_10+u*b00;
    x1_10=a10*x0_00+a11*x0_10+u*b10;
    u=-K_00*x1_00-K_01*x1_10;
    ...........................
    ........................... 
}

The generated weakest precondition comes in terms of x4_10 and so on. There is no mention of x1_00, x1_00 till x3's. Also the inputs are not present in the generated weakest precondition. The output message of frama-c wp shows Alt-Ergo:0 (interruped: 1). Is there any restriction on number of variables?

Answer 1

WP tends to rename variables, thus it's normal that you don't see exactly the same names in the proof obligations than in the original C source. Moreover, from what I see from your code, many of your intermediate variables are in fact constant. This will normally be simplified away by WP before sending the proof obligation to theorem provers. You should just see the resulting value.

Regarding the fact that your proof obligation cannot be discharged by Alt-Ergo, it is basically impossible to answer without having the exact file. There are just too many possibilities, from an error in the spec or the code to having non-linear computations that are generally out of reach for automated theorem provers. Having many intermediate variables is unlikely to play a very important role here, though.