WP plug-in

The WP plug-in implements a weakest precondition calculus for ACSL annotations through C programs.

For each code annotation, this technique generates a bundle of proof obligations, ie. mathematical first-order logic formula that can be submit to automated theorem provers like Alt-Ergo or interactive proof assistants like Coq. Other provers are also supported via the Why platform.

Tutorial Example

Consider the following short C function:

// File swap.c:

/*@ requires \valid(a) && \valid(b);
  @ ensures A: *a == \old(*b) ;
  @ ensures B: *b == \old(*a) ;
  @ assigns *a,*b ;
  @*/
void swap(int *a,int *b)
{
  int tmp = *a ;
  *a = *b ;
  *b = tmp ;
  return ;
}
To run the WP on this simple example, you may use: 
# frama-c -wp -wp-rte -wp-proof alt-ergo swap.c
[kernel] preprocessing with "gcc -C -E -I.  swap.c"
[wp] Running WP plugin...
[wp] Collecting axiomatic usage
[rte] annotating function swap
[wp] 9 goals scheduled
[wp] [Qed] Goal typed_swap_post_B : Valid
[wp] [Qed] Goal typed_swap_assert_rte_mem_access_2 : Valid
[wp] [Qed] Goal typed_swap_assert_rte_mem_access_4 : Valid
[wp] [Qed] Goal typed_swap_assign_part1 : Valid
[wp] [Alt-Ergo] Goal typed_swap_assert_rte_mem_access : Valid (15)
[wp] [Alt-Ergo] Goal typed_swap_post_A : Valid (13)
[wp] [Alt-Ergo] Goal typed_swap_assert_rte_mem_access_3 : Valid (15)
[wp] [Alt-Ergo] Goal typed_swap_assign_part2 : Valid (20)
[wp] [Alt-Ergo] Goal typed_swap_assign_part3 : Valid (20)

Requirements

Supported provers (to be installed separately):

User Manual and Tutorial

For more details about the WP plug-in, including installation instructions, please consult the WP manual and use the Frama-C mailing lists
WP Plug-in Manual