Unsound behavior with -rte option in Magnesium

Question

I am facing an incoherent behavior with the -rte option in Magnesium version (installed directly from ubuntu). I am wondering if someone is aware of that problem or if I am doing something wrong.

I have a program with an incorrect acces outside an array. When lauching frama-c-gui with no options and value analysis, the out-of-bounds access is detected and the corresponding annotation is displayed with an orange circle. When using the -rte option, two annotations are displayed (for the lower and upper bound of the array), and a green circle is displayed for both (which is incorrect).

/*@ assert rte: index_bound: 0 ≤ cpt; */
/*@ assert rte: index_bound: cpt < 5; */

The console says :

tableau_erreur.c:11:[value] Assertion 'rte,index_bound' got status valid.

I suspect there is a mismatch between the two annotations because they both have the same "name" : index_bound.

Also, the part of code after the loop containing the faulty access is colored in red, suggesting that the analysis correctly inferred that it is not reachable because of an error before.

Here is my program :

int main(){
  int t[5] = {1,2,3,4,5};
  int cpt =0 ;
  int tmp ;
  while  (cpt<10){
    tmp = getchar() ;
    if ( t[cpt] > tmp )
      { return 1  ;  }
    cpt++ ;
  }
  return 10 ;
}

Here is a capture of my display (using frama-c-gui -rte tableau_erreur.c).

When I do not use the -rte option the result is correct (orange circle) :

I had a look at the bug tracker but did not find trace of that. I did not manage to compile a more recent version of Frama-C to test it.

Answer 1

Update: this behavior has been fixed in the Silicon release of Frama-C (the status associated to assertion rte: index_bound: cpt < 5 remains unknown).

---

I couldn't reproduce exactly what you said, but after launching the GUI as in your command, then clicking on the "Run" button in the Value analysis panel, I got the green bullets.

This is equivalent to running frama-c-gui -rte -then -val, which also displays the green (incorrect) bullets.

Indeed this seems to be an issue even in the current Frama-C version, so a bug report is in order. Note that manually inserting an equivalent annotation (//@ assert cpt < 5;) does result in an yellow bullet, as expected. Also, unrolling the loop (with -slevel 5, for instance) also results in an yellow bullet. The issue seems to be related specifically to the usage of the RTE plug-in, but in any case it will be investigated.

On a side note, the index_bound label next to the property is not an identifier, just a label, hence not unique, and unrelated to the issue here.

Technical details: Frama-C has notions of properties and statuses, which are summarized by the bullets next to the source code, but described in more detail either through the Properties panel (you may need to modify some filters and click on the Refresh button to see them) or the Report plug-in (e.g. frama-c -val -then -report). In your example, the first iteration of the loop has a value of cpt that is 0, therefore the property acquires a valid status (green bullet), and in the last iteration (when cpt is 5) it gets a unknown status (yellow bullet). For some reason it was (incorrectly) consolidated as valid, hence the green bullet. The Value log does however display file.c:8:[value] warning: assertion 'rte,index_bound' got status unknown, which shows up in the Messages panel in the GUI. This does not explain the error, but the combination of both Messages and Properties panels is a powerful tool to diagnose issues with properties.