Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Frama-c-discuss] jessie: Unbound variable failure if unsigned char* arguments used


2010/12/3 Alexey Khoroshilov <khoroshilov at>:

>> frama-c -jessie -jessie-atp pvs memcpy.c
> [kernel] preprocessing with "gcc -C -E -I. ?-dD memcpy.c"
> [jessie] Starting Jessie translation
> [jessie] Producing Jessie files in subdir memcpy.jessie
> [jessie] File memcpy.jessie/memcpy.jc written.
> [jessie] File memcpy.jessie/memcpy.cloc written.
> [jessie] Calling Jessie tool in subdir memcpy.jessie
> Generating Why function memcpy
> [jessie] Calling VCs generator.
> WHYLIB=/usr/local/lib/why why -pvs -dir pvs -pvs-preamble "IMPORTING
> why at jessie" ?-split-user-conj -explain -locs memcpy.loc
> /usr/local/lib/why/why/jessie_bitvectors.why why/memcpy.why
> File "why/memcpy.why", line 678, characters 33-71:
> Unbound variable unsigned_char_P_dst_1_alloc_table
> make: *** [pvs/memcpy_why.pvs] Error 1
> [jessie] user error: Jessie subprocess failed: make -f memcpy.makefile pvs
> If someone replaces 'unsigned char*' with 'char*', jessie works well.

Your file contains:

void* memcpy(unsigned char *dst, const unsigned char* src, size_t len)

The type void* does not really make sense to Jessie, so it is
interpreted as a char* instead. To see this, type:

frama-c -jessie memcpy.c -jessie-debug 1

struct char_P *memcpy(struct unsigned_char_P *dst ,
                      struct unsigned_char_P *src , size_t len )

This means that there is a heterogeneous pointer cast in your example,
and these are precisely unsupported by Jessie.

If you don't mind this slight change, use the prototype below instead:

unsigned char* memcpy(unsigned char *dst, const unsigned char* src, size_t len)


PS: Also, please note that your example shows the separation
hypotheses made by default by Jessie. Simplify proves all the
generated proof obligations for your contract after the change.
If Jessie was not making these hypotheses (for instance with #pragma
SeparationPolicy(none)), then the contract should not be verifiable,
because it does not hold when the pointers are aliased. Simplify fails
to prove an invariant, which is reassuring.