
Getting started with frama-c and decided to prove a trivial bitmask function worked as intended.

#include <stdint.h>

/*@ requires width > 0 && width <= 64 ;
    assigns \nothing ;
    ensures \result > 0 ;
    ensures \result == (1 << width) - 1 ;
*/
uint64_t gen_mask(uint64_t width) {
    /* a shift by 64 on a 64-bit type is undefined in C, so handle it explicitly */
    if (width >= 64)
        return 0xffffffffffffffff;
    else
        return ((uint64_t)1 << width) - 1;
}

Unfortunately even the obvious statement that result > 0 times out with both the Alt-Ergo and Z3 provers.

[wp] [Alt-Ergo 2.4.1] Goal typed_gen_mask_ensures : Timeout (Qed:2ms) (10s)
[wp] [Alt-Ergo 2.4.1] Goal typed_gen_mask_ensures_2 : Timeout (Qed:2ms) (10s)

What's wrong with my specification? The provers only have to check 64 cases even if they brute-force it, so they shouldn't be timing out.

montytyper
  • `uint64_t width` looks to me like 2^64 cases. You can narrow that down to 256 cases using `uint8_t width` instead, which is all you really need for this input argument. –  Jan 03 '22 at 09:07
  • I assumed the requires constraint would limit the search space to just 1-64 inclusive. Does it not? – montytyper Jan 03 '22 at 21:32
  • Yes, the precondition does limit the number of cases to 64, when running WP or other Frama-C plug-ins. In the general case, however, I think @bbbbbbbbb's remark is useful: if you don't need more than a `uint8_t`, it's often better to reduce the type to the minimum necessary (but then again, implicit C conversions can have surprising effects in some cases, so it's not _always_ better). – anol Jan 04 '22 at 07:02

1 Answer

By default, WP does not apply all strategies; this could lead to state space explosion in the general case, and it's not obvious which strategies to automatically enable in which cases.

In your example in particular, the Range strategy is the one which performs splitting of the 64 cases, and it can be enabled in the command line via option -wp-auto wp:range.

In the graphical interface, in the WP Goals tab, if you double-click the unproven goal, the rightmost panel will list some tactics to be applied via the "Play" buttons next to them. This can help find out about other tactics and strategies that you can enable in WP.

[Screenshot: Frama-C GUI, WP Goals tab, tactics panel]

anol
    To be more complete: WP always models integers via mathematical integers and not bitvectors, because it is, by far, the most common use of integers in programs verified with WP. Furthermore, SMT solvers are generally lost with formulae that contain both bitwise operations and classical arithmetic operations. Thus, in WP, support for bitwise operations is provided via additional lemmas and tactics, as @anol said. – Ksass'Peuk Jan 03 '22 at 12:20
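An added example, not part of the question or the answer above: the asker's gen_mask with its ACSL contract kept as written, plus a runtime exhaustive check over the 64 widths the precondition admits. It illustrates the point made in the comments that ACSL integers are mathematical, so (1 << 64) - 1 in the contract is exactly 2^64 - 1 with no overflow, while the C body still has to special-case width == 64 because shifting a 64-bit value by 64 is undefined behaviour in C. The Frama-C command line in the header comment is an assumed invocation built from the flags the answer gives; the file name gen_mask.c and the helper names are mine.

```c
/* Added example, not from the original post.  Assumed invocation for the
 * static proof, using the strategy the answer recommends:
 *     frama-c -wp -wp-auto wp:range gen_mask.c
 * The runtime check below is independent of Frama-C and compiles with any
 * C99 compiler.
 */
#include <stdint.h>
#include <stdio.h>

/*@ requires width > 0 && width <= 64 ;
    assigns \nothing ;
    ensures \result > 0 ;
    ensures \result == (1 << width) - 1 ;
*/
uint64_t gen_mask(uint64_t width)
{
    /* C11 6.5.7: a shift count >= the width of the promoted type is
     * undefined, so width == 64 must not reach the shift below.  The ACSL
     * contract does not need this guard: its integers are unbounded. */
    if (width >= 64)
        return UINT64_MAX;
    return ((uint64_t)1 << width) - 1;
}

/* Reference mask built one bit at a time, so it never shifts by `width`
 * and cannot share the undefined-behaviour edge with gen_mask. */
static uint64_t reference_mask(unsigned width)
{
    uint64_t m = 0;
    for (unsigned i = 0; i < width; i++)
        m = (m << 1) | 1u;
    return m;
}

/* Number of set bits (Kernighan's trick). */
static unsigned popcount64(uint64_t x)
{
    unsigned n = 0;
    while (x) {
        x &= x - 1;
        n++;
    }
    return n;
}

/* Exhaustively checks the 64 cases the question mentions.  Returns 1 when
 * every width in [1, 64] yields a non-zero mask equal to the reference,
 * with exactly `width` set bits, of the form 2^k - 1 (no holes); returns 0
 * and prints the first failing width otherwise. */
int check_all_widths(void)
{
    for (unsigned w = 1; w <= 64; w++) {
        uint64_t got = gen_mask(w);
        int ok = got != 0
              && got == reference_mask(w)
              && popcount64(got) == w
              && (got & (got + 1)) == 0;   /* 2^k - 1 iff this is zero */
        if (!ok) {
            printf("mismatch at width %u: 0x%016llx\n",
                   w, (unsigned long long)got);
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("gen_mask(1)  = 0x%016llx\n", (unsigned long long)gen_mask(1));
    printf("gen_mask(64) = 0x%016llx\n", (unsigned long long)gen_mask(64));
    return check_all_widths() ? 0 : 1;
}
```

The runtime check is not a substitute for the WP proof (it only covers the precondition's domain, which is why it can be exhaustive here), but it is a cheap cross-check that the contract and the body agree before spending prover time, and it catches the width == 64 shift bug immediately if someone removes the guard.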