
I am trying to use Frama-C to check some properties of a C function that I have. The function is quite large and there are some intermediate variables that I need to check. (I am following this and this manual)

My program has the following structure:

  1. There are 15 return statements spread throughout the program.
  2. The variables I need to check are assigned values at several places in the program, depending on the path of the program.

    my_function(){
    intermediate var 1=xx;
    //@assert var 1>some_value;
    intermediate var 2=yy;
    
    return var 4;
    
    intermediate var 1=xx;
    //@assert var 1>some_value;
    return var 4;
    
    intermediate var 2=xx;            
    intermediate var 1=yy;
    //@assert var 1>some_value;
    
    return var 4;
    }
    

Explanation: I need to check certain properties related to var 1, var 2 and var 4. I tried 2 approaches.

  1. use assert whenever var 1 is set as above.

Problem with this was that Frama-C checks only the first assert.

  2. use annotations at the beginning.

    /*@ requires \valid(var 1);
       ensures var 1 > some_value;
     */
    

In this case, Frama-C returns an error.

Question: How can I check the properties for intermediate problems? Is there a sample program?

*I haven't included my original function as it is very long.

  • Your question is not clear. First of all, it would help if you told us which kind of analysis you intend to do. Given that you provide a link to the WP plug-in manual, I can imagine that it's the one that you want to use, but stating that explicitly in the question would be better. Second, the code that you have provided is not valid C (e.g. `intermediate var 1` is not a variable declaration; `int var_1` is). You should give a [mcve](https://stackoverflow.com/help/mcve); this would help us in providing an accurate answer (similarly for "Frama-C returns an error": you should be more specific). – Virgile Sep 24 '18 at 17:37
  • "Problem with this was that Frama-C checks only the first assert". The description does not match Frama-C's intended behavior, so I'm afraid there is something unclear here. Trying to produce a small executable example, as mentioned by @Virgile, should help clarify it. In most cases, simply trying to reproduce the issue in a small case will result in better understanding the issue, if not solving it altogether. If you want examples of usage of Frama-C/WP, the excellent [ACSL by example](https://github.com/fraunhoferfokus/acsl-by-example) should provide plenty. – anol Sep 25 '18 at 12:24

1 Answer

As Virgile has mentioned, your question is not very clear, but I assume you are trying to validate some properties of var1 and var2. This book provides some nice examples and I think the following should help you.

    int abs(int val){
        int res;
        if(val < 0){
            //@ assert val < 0 ;
            res = - val;
            // parentheses are needed: in ACSL, && binds tighter than ==>
            //@ assert (\at(val, Pre) >= 0 ==> res == val) && (\at(val, Pre) < 0 ==> res == -val);
        } else {
            //@ assert !(val < 0) ;
            res = val;
            //@ assert (\at(val, Pre) >= 0 ==> res == val) && (\at(val, Pre) < 0 ==> res == -val);
        }
        return res;
    }

The author has used the concept of Hoare triples in this scenario: you check (assert) a property by asserting its requirements (the pre-condition) and then checking whether the property holds after the corresponding statements have been executed.

Hope this helps.

Nht_e0
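A constructed example in the spirit of the answer, not code from the question or the answer: one function with three return statements and intermediate variables assigned on different paths (the names `var1`/`var4` mirror the question's pseudocode; the clamping logic itself is invented). Each assignment is followed by a local `//@ assert`, and the contract describes the result of every path through `\result`; WP generates a separate proof goal for every assert and every `ensures` clause on each path, so a second assert on a later path is checked just like the first one.

```c
#include <limits.h>

/* Constructed example: clamp |x| into [0, 100] with several early returns.
   The contract covers all three return sites; each path also carries local
   asserts on the intermediate variables at the point they are assigned. */

/*@ requires INT_MIN < x;                   // rules out overflow of -x
    ensures \result >= 0;
    ensures x < 0 ==> \result == -x;
    ensures 0 <= x <= 100 ==> \result == x;
    ensures x > 100 ==> \result == 100;
 */
int clamp_abs(int x)
{
    int var1;   /* intermediate value, assigned on every path */
    int var4;   /* value actually returned */

    if (x < 0) {
        var1 = -x;                  /* safe: requires excludes INT_MIN */
        //@ assert var1 > 0;
        var4 = var1;
        //@ assert var4 == -x;
        return var4;                /* return site 1 */
    }

    if (x > 100) {
        var1 = 100;
        //@ assert var1 == 100;
        var4 = var1;
        return var4;                /* return site 2 */
    }

    var1 = x;
    //@ assert 0 <= var1 <= 100;
    var4 = var1;
    return var4;                    /* return site 3 */
}
```

Run `frama-c -wp -wp-rte clamp_abs.c` (the file name is an assumption); `-wp-rte` additionally generates goals for arithmetic overflow, which the `requires` clause discharges for `-x`.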