Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] String results in logical specifications
- Subject: [Frama-c-discuss] String results in logical specifications
- From: amdunn at gmail.com (Alan Dunn)
- Date: Fri, 22 May 2009 08:22:51 -0400
- In-reply-to: <20090520175635.3837fc53@is005115>
- References: <f90695ee0905130433g7040256ey5870d68dad50b48e@mail.gmail.com> <20090520175635.3837fc53@is005115>
Thanks for getting back to me. I have some further questions/comments. (Thanks for humoring a newbie.) > In theory, any C type is accepted in annotations. However, pointers > that cannot be related to an object in the "C world" (such as the > return value of your logical function) are indeed a bit problematic. > Their status is not completely clear yet. Ah - I got confused when I read the documentation from production "type-expr" in Figure 2.11 (in acsl-implementation-Lithium), which since seems to have changed names to "logic-type-expr" (in acsl_1.4) - that makes sense (though I suppose later examples should've clued me in...) >> Calling Jessie tool in subdir pam_unix_auth.jessie > > Any error message past this line should be treated as a bug: the Jessie > plugin (or the Jessie tool) is giving Why a bogus program. I'll let > better experts than me comment on this specific Why error, though. Should I be mentioning issues like this on Why-discuss (as this is the origin of the Jessie tool)? Or filing bug reports? >> >> Is there currently a good way of handling this? I can see either: >> 1) Defining a "string" axiomatic type >> 2) Folding all of my char * returning logical functions into >> predicates on two (char *)'s eg: > > Both approaches should be fine. The first one might be a bit easier to > use (you'll still have string object that you can manipulate), but I > guess it's mostly a matter of taste at this point. It would be nice to be able to return strings from logical functions and to use more properties of strings than equality, so it seems like the former is a better idea. It certainly produces easier to read assertions. However, it seems like I would then have to duplicate a lot of the functionality that C string functions (which I'm having trouble using as strcmp, for example, seems to continue to give errors along the lines of what I mentioned before) should in theory take care of for me (eg: the evident one being that I have to axiomatize the length of such a string). Not that this is necessarily difficult, but it seems it can go slowly due to further tool bugs popping up eg: I binary searched through my string axiomatization to find where the following [adunn at localhost strings]$ frama-c -jessie-analysis -jessie-behavior default -jessie-gen-goals string_test.c Parsing [preprocessing] running gcc -C -E -I. -include /usr/share/frama-c/jessie/jessie_prolog.h -dD string_test.c Cleaning unused parts Symbolic link Starting semantical analysis Starting Jessie translation Producing Jessie files in subdir string_test.jessie File string_test.jessie/string_test.jc written. File string_test.jessie/string_test.cloc written. Calling Jessie tool in subdir string_test.jessie File "jc/jc_separation.ml", line 94, characters 28-28: Uncaught exception: File "jc/jc_separation.ml", line 94, characters 28-34: Assertion failed Jessie subprocess failed: jessie -why-opt -split-user-conj -v -behavior default -locs string_test.cloc string_test.jc occurs and found that in: /*@ axiomatic Strings { @ type string; @ logic string string_of{L}(char *p); @ logic int string_length(string s); @ @ predicate prestring_sensible{L}(char *p) = @ \exists int i; i >= 0 && \valid_range(p, 0, i) && *(p + i) == (char)0; @ @ predicate prestring_length_at_least{L}(char *p, int i) = @ \valid_range(p, 0, i - 1) && (\forall int j; j <= i - 1 ==> *(p + j) != (char)0); @ @ axiom string_length_defining{L}: @ \forall char *p, int i; prestring_length_at_least{L}(p, i) <==> string_length(string_of{L}(p)) >= i; @ } @*/ (where there are more definitions, but I stopped at the first error-causing one) the part of the equivalence involving string_length and string_of is the issue (it at least processes with no errors when replaces with something trivial like 1 == 1). Regardless of whether my logic is actually correct, it would be good to be able to get to the level where I can examine the generated VCs for functions involving this string axiomatization and examine them in Coq and/or see if they can be proven with ATPs. Again, I apologize if issues like the last need to be taken directly to the Jessie crowd. Is there some better way of doing this? - Alan
- Follow-Ups:
- [Frama-c-discuss] String results in logical specifications
- From: virgile.prevosto at cea.fr (Virgile Prevosto)
- [Frama-c-discuss] String results in logical specifications
- References:
- [Frama-c-discuss] String results in logical specifications
- From: amdunn at gmail.com (Alan Dunn)
- [Frama-c-discuss] String results in logical specifications
- From: virgile.prevosto at cea.fr (Virgile Prevosto)
- [Frama-c-discuss] String results in logical specifications
- Prev by Date: [Frama-c-discuss] RE : Loop invariants with imbricated loops.
- Next by Date: [Frama-c-discuss] RE : Loop invariants with imbricated loops.
- Previous by thread: [Frama-c-discuss] String results in logical specifications
- Next by thread: [Frama-c-discuss] String results in logical specifications
- Index(es):