I have a problem with proving assigns after calling another function that assigns up to strlen. Below is a simple example with a call to a function from the standard library. The function contract is basically a copy of the strcpy requirements.
#include <string.h>

/*@
  requires valid_string_src: valid_read_string(src);
  requires room_string: \valid(dest+(0..strlen(src)));
  requires separation:
    \separated(dest+(0..strlen(src)), src+(0..strlen(src)));
  assigns dest[0..(strlen(src))];
*/
void mycpy(char *dest, const char *src) {
  /* Copies src, including its terminating NUL, into dest;
     the contract above mirrors the libc strcpy contract. */
  strcpy(dest, src);
}
Frama-C fails to prove the assigns clause for mycpy even though it matches the assigns clause of strcpy:
Goal Assigns ... (exit):
Let a_0 = « dest@L1 + 0 ».
Let x_0 = L_strlen(µ:Mchar@L1, src@L1).
Let x_1 = 1 + x_0.
Let x_2 = L_strlen(Mchar_0, src@L1).
Assume {
  Have: 0 <= x_2.
  Type: is_sint8_chunk(µ:Mchar@L1).
  (* Heap *)
  Type: (region(dest@L1.base) <= 0) /\ (region(src@L1.base) <= 0) /\
      linked(µ:Malloc@L1) /\ sconst(µ:Mchar@L1).
  (* Goal *)
  When: !invalid(µ:Malloc@L1, a_0, 1 + x_2).
  Stmt { L1: }
  (* Pre-condition *)
  Have: P_valid_read_string(µ:Malloc@L1, µ:Mchar@L1, src@L1) /\
      valid_rw(µ:Malloc@L1, a_0, x_1) /\
      separated(a_0, x_1, « src@L1 + 0 », x_1).
}
Prove: x_2 <= x_0.

--------------------------------------------------------------------------------
Prover Alt-Ergo 2.3.3: Timeout (Qed:6ms) (10s) (cached).
The full context of the goal shows that it tries to prove: L_strlen(Mchar_0, src@L1) <= L_strlen(µ:Mchar@L1, src@L1). However, there is no information about Mchar_0.

What are µ:Mchar@L1 and Mchar_0? How do I prove this assigns clause?
Frama-C version: 22.0 (Titanium).