
The ACSL implementation (Version 1.11 Implementation in Aluminium-20160501) lists \NearestEven as a rounding mode (page 23). However, it doesn't appear to be still available at runtime. When I ran the following code:

```c
#include <math.h>   /* fabs() for doubles; abs() takes an int and would truncate x */

/*@   requires 0x1p-967 <= C <= 0x1p970;
  @   ensures \result == \round_double(\NearestEven, (x+y)/2) ;
  @ */
double average(double C, double x, double y) {
  if (C <= fabs(x))
    return x/2+y/2;   /* halve first so the sum cannot overflow */
  else
    return (x+y)/2;   /* |x| < C, so x+y stays representable */
}
```

using the following command: `frama-c -wp -wp-rte -wp-prover coq avg.c`, I get: `[wp] user error: Builtin \NearestEven not defined`. None of the other rounding modes was available either.

Any suggestions?

1 Answer

The manual you refer to indicates what is supported by Frama-C's kernel. This does not imply that all plugins (or even any plugin) know how to deal with such a construction. In your particular case, WP indeed does not support \NearestEven.

With `-wp-model +float`, you might be able to work on a goal such as `\result == (double)((x+y)/2)`, which will very probably use nearest even for the rounding involved by the cast to double (but I have to admit that the paragraph on Float arithmetic model in WP's manual is a bit succinct). This will of course not work if you want to use another rounding mode, for which I think only the Jessie plugin, if there is a version compatible with Aluminium somewhere, will be able to do something.

Note that for handling such proofs, you'll need to resort to Gappa and/or Coq. The prover used in WP by default (Alt-Ergo) is unlikely to discharge many proof obligations related to floating-point computations.

Virgile
  • Thanks! Is Jessie plugin still supported? The Aluminium version of frama-c doesn't appear to come with Jessie and I tried all the way back to Nitrogen and didn't see it either. The Jessie [webpage](http://krakatoa.lri.fr/) doesn't make it clear where to get it either. –  Jul 12 '16 at 13:57
  • I'm pretty unsure of the exact status. Sources of [why3](http://why3.lri.fr/) show a `jessie3` directory with a minimalistic support of C. I guess that you have to restrict to what Why3 supports directly, i.e. plain references and arrays, without any alias, no gotos, etc. If you're mainly interested in floating-point accuracy, this fragment might be sufficient, though. However, jessie3 is apparently not installed by the corresponding opam package. I haven't checked whether you can easily install it by compiling why3 directly. – Virgile Jul 12 '16 at 14:10
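The cast-based postcondition the answer suggests, written out as an added example (not code from the question, the answer, or Frama-C). It assumes the `frama-c -wp -wp-rte -wp-model +float` invocation described in the answer and that the cast to `double` rounds to nearest even, as the answer expects; `naive_average` and `check_average` are added helpers that show at runtime the overflow the branch in `average` avoids.

```c
#include <float.h>
#include <math.h>

/* Contract rewritten as the answer suggests: under -wp-model +float the
 * logic expression (x+y)/2 is a real, and the cast to double rounds it
 * (nearest even, per the answer).  Intended to be checked with
 *   frama-c -wp -wp-rte -wp-model +float avg.c      (command assumed)
 */
/*@ requires 0x1p-967 <= C <= 0x1p970;
  @ ensures \result == (double)((x + y) / 2);
  @*/
double average(double C, double x, double y) {
  if (C <= fabs(x))         /* fabs(): abs() would silently truncate to int */
    return x / 2 + y / 2;   /* halves first: finite inputs cannot overflow */
  else
    return (x + y) / 2;     /* |x| < C <= 0x1p970, so x + y stays finite */
}

/* Unguarded version, kept only to show the failure the branch avoids. */
double naive_average(double x, double y) {
  return (x + y) / 2;       /* overflows to +inf for x = y = DBL_MAX */
}

/* Runtime sanity check on constructed inputs (not a proof): returns 1 when
 * average() matches the plain formula where that is safe and stays finite
 * on large inputs, while naive_average() overflows. */
int check_average(void) {
  int ok = 1;
  ok &= (average(0x1p970, 1.0, 2.0) == 1.5);                  /* (x+y)/2 branch */
  ok &= (average(0x1p-967, 3.0, 5.0) == 4.0);                 /* x/2+y/2 branch */
  ok &= (isfinite(average(0x1p-967, DBL_MAX, DBL_MAX)) != 0); /* no overflow */
  ok &= (isinf(naive_average(DBL_MAX, DBL_MAX)) != 0);        /* overflow */
  return ok;
}
```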