This is a really early frama-c question so sorry about that but I've been at it for a few hours and I can't get a really simple function to verify. I know it's complaining about the function process and it was written purposefully poorly but I had hoped specifying that the memory had to be valid over the processing range would be enough to satisfy Alt-Ergo. Where have I gone wrong?
The code:
#include <string.h>
extern int getStr(char *pStr, size_t len);
#define MAX_STR_LEN 25
/*@ requires \valid(a) && \valid(b);
@ ensures A: *a == \old(*b) ;
@ ensures B: *b == \old(*a) ;
@ assigns *a,*b ;
@*/
void swap(char *a, char *b)
{
int tmp;
tmp = *a;
*a = *b;
*b = tmp;
return;
}
/* @ requires \valid(pStr+(0..1))
@ assigns pStr[1];
*/
void process(char *pStr)
{
pStr[1] = pStr[0];
}
void main()
{
char string[MAX_STR_LEN];
size_t size = getStr(string, MAX_STR_LEN);
swap(&string[0], &string[1]);
process(string);
}
Frama-c's response:
adam@blackbox:~/Programming/framatest$ frama-c -wp -wp-rte main.c
[kernel] Parsing main.c (with preprocessing)
main.c:31:[kernel] warning: Neither code nor specification for function getStr, generating default assigns from the prototype
[rte] annotating function main
[rte] annotating function process
[rte] annotating function swap
[wp] 12 goals scheduled
[wp] [Alt-Ergo] Goal typed_process_assert_rte_mem_access_2 : Unknown (Qed:0.62ms) (63ms)
[wp] [Alt-Ergo] Goal typed_process_assert_rte_mem_access : Unknown (Qed:0.78ms) (62ms)
[wp] Proved goals: 10 / 12
Qed: 7 (0.13ms-2ms-9ms)
Alt-Ergo: 3 (4ms-6ms) (21) (unknown: 2)
