Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] Documentation of \valid
- Subject: [Frama-c-discuss] Documentation of \valid
- From: Boris.Hollas at de.bosch.com (Hollas Boris (CR/AEY1))
- Date: Mon, 16 Nov 2009 10:53:53 +0100
- In-reply-to: <4AFD151D.7090600@inria.fr>
- References: <FC0686BB6178BC43B9DC035287A11A720DBD57FB8C@SI-MBX12.de.bosch.com> <A4D9A80C-4F63-4879-9B09-D22780EFCF8D@cea.fr> <FC0686BB6178BC43B9DC035287A11A720DBD57FBC9@SI-MBX12.de.bosch.com> <4AFD151D.7090600@inria.fr>
>>>>> The documentation states "\valid(s) holds if and only if
>>>>> dereferencing any p \in s is safe." However, it's not clear what
>>>>> dereferencing means wrt structs.
>>>>>
>>>> If p is a pointer to struct B,
>>>>
>>>> \valid(p) means that it is safe to do
>>>>
>>>> struct B s;
>>>> s = *p;
>>>>
>>>> in your program. It's not really different from validity for
>>>> a pointer to int or char.
>>>>
>>>
>>> It's not different if we assume that Frama-C treats a struct as a type, ie knows the internal representation of B - in the same way it knows about int and char.
>>>
>>Which is indeed a valid assumption. Frama-C treats a struct as a type.
>>(On the other hand, I agree that the Jessie plugin does not support well
>>passing a struct by value.)
>>> In this example, Jessie can't verify memory safety:
>>>
>>> typedef int arr3[3];
>>>
>>> /*@ requires \valid(a);
>>> */
>>> foo(arr3 a) {
>>> a[2] = 0;
>>> }
>>>
>>> In this case, arr3 is not treated as type of ist own, ie an array of type int[3].
>>As said by Virgile, in this context a is indeed of type int* and not
>>int[3]. You need to put
>>
>> requires \valid(a+(0..2));
>>> I feel that this is conceptually different to the struct example.
>>>
>>Yes: struct are passed by value, i.e copied on the stack, whereas array
>>are not, only their address is passed.
In the struct example I've give, the struct is also passed by reference:
struct A {
int x;
int y;
};
struct B {
struct A a;
int z;
};
/*@ requires \valid(p);
*/
void foo(struct B *p) {
p->a.x = 0;
p->z = 0;
}
My point is that I feel that Jessie treats the types arr3 (array of length 3) and B (struct) differently and that this is not obvious from the ACSL documentation. There are numerous examples how to annotate arrays, but no similar example for a struct. My proposal is to include the struct example in the documentation in 2.3.4 to explain this point.
Regards,
Boris
- Follow-Ups:
- [Frama-c-discuss] Documentation of \valid
- From: Claude.Marche at inria.fr (Claude Marche)
- [Frama-c-discuss] Documentation of \valid
- References:
- [Frama-c-discuss] Documentation of \valid
- From: Boris.Hollas at de.bosch.com (Hollas Boris (CR/AEY1))
- [Frama-c-discuss] Documentation of \valid
- From: Pascal.Cuoq at cea.fr (Pascal Cuoq)
- [Frama-c-discuss] Documentation of \valid
- From: Boris.Hollas at de.bosch.com (Hollas Boris (CR/AEY1))
- [Frama-c-discuss] Documentation of \valid
- From: Claude.Marche at inria.fr (Claude Marche)
- [Frama-c-discuss] Documentation of \valid
- Prev by Date: [Frama-c-discuss] using library function in frama-C
- Next by Date: [Frama-c-discuss] Documentation of \valid
- Previous by thread: [Frama-c-discuss] Documentation of \valid
- Next by thread: [Frama-c-discuss] Documentation of \valid
- Index(es):