0

I am new to frama-c. I did some tutorials and would like to build a tiny real world application. I didn't get far, because I ran into a warning that bugs me.

This is the program I would like to verify:

#include <unistd.h>

/*@
  assigns __fc_fds[0];
  ensures \result == 0;
*/
int main()
{
  char s[] = "hello\n";
  (void)write(1, (const void*)s, 6);
  return 0;
}

I run the following command to verify it:

frama-c -wp -wp-rte -wp-timeout 1 main.c

Then I get the warning, that does not make sense to me.

[kernel] Parsing main2.c (with preprocessing)
[rte:annot] annotating function main
[wp] 6 goals scheduled
[wp] Proved goals:    6 / 6
  Qed:             6  (0.51ms-1ms-2ms)
[wp] FRAMAC_SHARE/libc/unistd.h:1158: Warning:
  Memory model hypotheses for function 'write':
  /*@
     behavior wp_typed:
       requires \separated(buf + (..), (int volatile *)__fc_fds + (..));
     */
  extern ssize_t write(int fd, void const *buf, size_t count);
Cosinus
  • 534
  • 4
  • 10

1 Answers1

1

Formal analysis tools make hypotheses about the programs they analyze. It can be because of the language, or because some reasonable assumptions can make verification far easier.

In the case of WP, the latter is particularly important as it can change the situation from "impossible to verify anything" to "everything is proved automatically". In particular, WP has a best effort alias analysis that allows assuming that some memory locations are separated in order to produce efficient formulas. This analysis is optimistic in the sense that it tries to keep global variables and memory pointed by the different pointers separated unless it finds some clues that it might not be the case (for example: the address of a global variable is taken, or it is compared to the value of a pointer, etc). However, one must be aware of this kind of assumptions, in order to verify that they indeed hold (or that they do not and in this case, one should add the potential aliases in the specification). These assumptions are currently generated in a "best effort" fashion since it is definitely not reasonable to list everything, so it tries to list what is "important".

For example, here, WP has assumed that the pointer to buf and the array __fc_fds used by Frama-C to model the file descriptors are separated memory locations. Which is true in the call of your function main since your buffer (s) is indeed not __fc_fds.

Ksass'Peuk
  • 538
  • 2
  • 12
  • Thanks for your answer. So what is the correct way forward, so that this warning does not show up? – Cosinus Oct 03 '22 at 09:47
  • This warning is necessary so that you can check that your code verifies the hypotheses (in particular, in a certification process, justifying that they are verified is important). If you do not want to, you can add `-wp-no-warn-memory-model`. A useful option is `-wp-check-memory-model`, it allows to automatically add these hypotheses as `requires` to the function so that WP can check that they are verified. Again, there are added in a best effort fashion, thus they might not be exactly expressed in a way that leads to efficient proof. – Ksass'Peuk Oct 03 '22 at 11:15
  • Ah, is that sort of a manual thing, that needs to be done afterwards? – Cosinus Oct 03 '22 at 12:29
  • Currently, this is indeed how users generally proceed. Ideally, the option `-wp-check-memory-model` should generate all necessary hypotheses to automatically verify everything (although entry points would still need manual review at some point, or at least a way to specify what's expected), but this is currently not available. – Ksass'Peuk Oct 03 '22 at 12:44