Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Frama-c-discuss] Documentation of \valid
- Subject: [Frama-c-discuss] Documentation of \valid
- From: Claude.Marche at inria.fr (Claude Marche)
- Date: Fri, 13 Nov 2009 09:13:17 +0100
- In-reply-to: <FC0686BB6178BC43B9DC035287A11A720DBD57FBC9@SI-MBX12.de.bosch.com>
- References: <FC0686BB6178BC43B9DC035287A11A720DBD57FB8C@SI-MBX12.de.bosch.com> <A4D9A80C-4F63-4879-9B09-D22780EFCF8D@cea.fr> <FC0686BB6178BC43B9DC035287A11A720DBD57FBC9@SI-MBX12.de.bosch.com>
Hollas Boris (CR/AEY1) wrote:
> Hello,
>
>>> The documentation states "\valid(s) holds if and only if
>>> dereferencing any p \in s is safe." However, it's not clear what
>>> dereferencing means wrt structs.
>>>
>> If p is a pointer to struct B,
>>
>> \valid(p) means that it is safe to do
>>
>>   struct B s;
>>   s = *p;
>>
>> in your program. It's not really different from validity for
>> a pointer to int or char.
>>
>
> It's not different if we assume that Frama-C treats a struct as a type,
> i.e. knows the internal representation of B, in the same way it knows
> about int and char.
>

Which is indeed a valid assumption. Frama-C treats a struct as a type.
(On the other hand, I agree that the Jessie plugin does not support
passing a struct by value well.)

> In this example, Jessie can't verify memory safety:
>
>   typedef int arr3[3];
>
>   /*@ requires \valid(a);
>    */
>   void foo(arr3 a) {
>     a[2] = 0;
>   }
>
> In this case, arr3 is not treated as a type of its own, i.e. an array of
> type int[3].

As said by Virgile, in this context a is indeed of type int* and not
int[3]. You need to put

  requires \valid(a+(0..2));

> I feel that this is conceptually different to the struct example.
>

Yes: structs are passed by value, i.e. copied on the stack, whereas
arrays are not; only their address is passed.

> Regards,
> Boris

-- 
Claude Marché                          | tel: +33 1 72 92 59 69
INRIA Saclay - Île-de-France           | mobile: +33 6 33 14 57 93
Parc Orsay Université                  | fax: +33 1 74 85 42 29
4, rue Jacques Monod - Bâtiment N      | http://www.lri.fr/~marche/
F-91893 ORSAY Cedex                    |
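The following file is an added illustration of the two cases discussed in this reply (a struct reached through a pointer, and an array parameter that is really a pointer); it is not code from the thread or from the Frama-C distribution. It keeps the "struct B s; s = *p;" reading of dereferencing from the quoted answer and uses the corrected precondition \valid(a + (0..2)) from Claude's reply. The struct fields, the function name sum_b and the assigns/ensures clauses are assumptions added here. ACSL annotations are ordinary C comments, so the file compiles and runs as plain C; the contracts are what a Frama-C plugin would be asked to check.

```c
#include <stdio.h>

/* Struct reached through a pointer. \valid(p) covers the whole object
 * *p, because dereferencing p reads every field of struct B, which is
 * exactly the "struct B s; s = *p;" reading given in the thread.
 * (struct B itself is a constructed example type.) */
struct B {
    int x;
    int y;
};

/*@ requires \valid(p);
    assigns \nothing;
    ensures \result == p->x + p->y;
*/
int sum_b(const struct B *p) {
    struct B s = *p;      /* the copy is what "dereferencing p" means */
    return s.x + s.y;
}

/* Array parameter. The typedef names int[3], but a function parameter
 * of array type is adjusted to a pointer, so inside foo the name a has
 * type int*. \valid(a) on its own would only promise that a[0] can be
 * dereferenced; the write to a[2] needs the range a+(0..2), as the
 * reply points out. */
typedef int arr3[3];

/*@ requires \valid(a + (0..2));
    assigns a[2];
    ensures a[2] == 0;
*/
void foo(arr3 a) {
    a[2] = 0;
}

/* Stand-alone demo on constructed inputs. */
int main(void) {
    struct B b = { 3, 4 };
    int data[3] = { 1, 2, 3 };

    printf("sum_b = %d\n", sum_b(&b));
    foo(data);
    printf("data[2] = %d\n", data[2]);
    return 0;
}
```

Compiling with a C compiler only exercises the runtime behaviour; running the file through Frama-C with a deductive plugin is what checks that the callers of foo actually establish \valid(a + (0..2)) rather than just \valid(a).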