
Consider this small C file:

#include <stdio.h>

void f(void) {
    puts(NULL);   /* deliberate NULL argument: should violate a precondition of puts */
}

I'm running the WP and RTE plugins of Frama-C like this:

frama-c-gui puts.c -wp -rte -wp-rte

I would expect this code to generate a proof obligation of valid_read_string(NULL) or similar, which would be obviously unprovable. However, to my surprise, no such thing happens. Is this a deficiency in the ACSL specification of the standard library?

Maya

1 Answer


Basically yes. You can see in the version of stdio.h that is bundled with Frama-C that the specification for puts is

/*@ assigns *stream \from s[..]; */
extern int fputs(const char * restrict s,
     FILE * restrict stream);

i.e. the bare minimum: an assigns clause (plus a from clause for Eva). No preconditions on s and stream. Adding a precondition on s would be easy; things are more complex for stream since you need a model for the various objects of type FILE.

byako
  • But wouldn't this be a soundness hole? – Maya Apr 25 '19 at 11:00
  • It is. However, to guarantee the soundness of your analysis, you are supposed to review all the contracts of the functions for which you have no body. You should catch insufficient preconditions at this stage. Adding specifications to all the functions of the standard library is a daunting task, and the Frama-C team does so as time permits. Functions with preconditions are usually soundly modeled (although bugs may remain); but functions with only assigns are not. – byako Apr 25 '19 at 13:14
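Added example (not code from the question or the answer above, and not the Frama-C project's own libc contract): one way to get the missing obligation today is to route calls through a wrapper whose ACSL contract carries the requires clause the bundled puts lacks. The example assumes Frama-C's bundled stdio.h, which defines the predicate valid_read_string and declares stdout; the wrapper name safe_puts and the file name puts_spec.c are my own choices. ACSL annotations are comments, so the file also builds with an ordinary C compiler.

```c
#include <stdio.h>

/* Added example, not from the original page and not Frama-C's own libc code.
 * Assumes Frama-C's bundled stdio.h (provides the ACSL predicate
 * valid_read_string and the stdout declaration used in the assigns clause).
 *
 * The bundled puts has only an assigns clause, so WP has nothing to prove at
 * a call site.  Giving the wrapper the missing requires clause means every
 * caller of safe_puts must now discharge valid_read_string(s).
 *
 * Analyse with:  frama-c-gui puts_spec.c -wp -rte -wp-rte
 */

/*@ requires valid_read_string(s);
    assigns *stdout \from s[..];
*/
int safe_puts(const char *s) {
    return puts(s);
}

/* The call from the question.  WP now generates the obligation
 * valid_read_string(NULL) for this call site, which cannot be proved. */
void f(void) {
    safe_puts(NULL);
}

/* A well-formed caller: the obligation is stated over a real, NUL-terminated
 * string literal instead of NULL. */
int g(void) {
    return safe_puts("hello");
}

int main(void) {
    /* Only the well-formed call is executed; f() would dereference NULL. */
    return g() >= 0 ? 0 : 1;
}
```

The wrapper changes nothing about the soundness of the bundled contract itself: puts called directly still has no precondition, so the review of body-less functions that the comment above describes is still needed. The same pattern (a local declaration or wrapper with a stronger contract) works for any libc function whose bundled specification is assigns-only.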