
I'm trying to prove a simple matrix transpose in Frama-C. I currently have:

#define N 3
void transpose_matrix(int [N][N], int, int, int[N][N]);

int main()
{
    int r = N;
    int c = N;
    /* Matrix a[][] is initialised with constant test values. */
    int a[N][N] = {
        {1, 1, 1},
        {2, 2, 2},
        {3, 3, 3}
    };

    int trans[N][N];
    transpose_matrix(a, r, c, trans);
    return 0;
}

/*@
  requires 0 < r <= N;
  requires 0 < c <= N;
*/
void transpose_matrix(int a[N][N], int r, int c, int trans[N][N])
{
    int i, j;
    /* Finding transpose of matrix a[][] and storing it in array trans[][]. */
    /*@
      loop invariant 0 <= i <= r;   // i == r on exit, so the bound is inclusive
      loop assigns i, j, trans[0..c-1][0..r-1];
      loop variant r - i;
    */
    for (i = 0; i < r; ++i) {
        /*@
          loop invariant 0 <= j <= c;
          loop assigns j, trans[0..c-1][i];   // only column i of trans is written here
          loop variant c - j;
        */
        for (j = 0; j < c; ++j) {
            trans[j][i] = a[i][j];
        }
    }
    return;
}

But I don't know how to take this to the next level and actually prove something simple about my function (like transpose(transpose a) = a).

I asked a similar question a little while back and the answer seemed to be "you can't, that's not what Frama-C is for". Is that really the case? Or could I build up a proof which actually tested the correctness of my algorithm as I could in PlusCal or Coq?

    This is indeed more or less the same question as https://stackoverflow.com/questions/61070376/verifying-matrix-transpose-function-in-frama-c?rq=1 and the answer will be the same: it is currently not possible to express the specification `transpose(transpose(m)) == m`. Even though this looks simple, this is not something that can be expressed as a function contract. – Virgile Apr 28 '20 at 07:06
    Does this answer your question? [Verifying matrix transpose function in FRAMA-C](https://stackoverflow.com/questions/61070376/verifying-matrix-transpose-function-in-frama-c) – Virgile Apr 28 '20 at 07:06
  • Thanks again! I thought that maybe since I'd understood a little more, I'd be able to perhaps build up a solution from what Frama-C *can* do, but if I can't that's fine, I'll stick to other methods! I did look at the link you posted (it was one of the first things I found online about this topic), I just wondered if it was possible to go beyond that! – Christina Burge Apr 28 '20 at 15:57
    As mentioned in my answer to your previous question, your best bet for now would be to simulate what RPP would do: i.e. have a wrapper function with the two calls to transpose (and all necessary intermediate parameters), and make a contract on this wrapper function. – Virgile Apr 28 '20 at 16:41

0 Answers