Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted on Inria's gforge until that service was shut down at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.



[Frama-c-discuss] Status of global invariant in Jessie, WP and Value Analysis?


  • Subject: [Frama-c-discuss] Status of global invariant in Jessie, WP and Value Analysis?
  • From: virgile.prevosto at cea.fr (Virgile Prevosto)
  • Date: Thu, 08 Dec 2011 09:50:17 +0100
  • In-reply-to: <CAC3Lx=Y-vLYLcqaWCBrTnTf10VtqqDORrV9eeXkhqYt-gy+-HA@mail.gmail.com>
  • References: <CAC3Lx=aPPQOx6_pVXvyvy2qwCmzTPK8iJpk8rqR05R=Dr7AVbA@mail.gmail.com> <4EDF715E.5010601@cea.fr> <CAC3Lx=Y-vLYLcqaWCBrTnTf10VtqqDORrV9eeXkhqYt-gy+-HA@mail.gmail.com>

On 07/12/2011 15:36, David MENTRE wrote:
> I still have questions on the practicality of strong invariants.
> Besides simple typing invariant (e.g. a variable is in a certain
> range), is there any practical use of a strong invariant if there is
> no way to group a set of statements as an "atomic" construct?
>

Agreed. This idea (which is not unlike the expose method described by 
Boris Hollas) would be to use a ghost boolean (Yes, I know, support of 
ghost code should be improved too) that would control where the 
invariant can be broken. Your example would then become

"""
int access_count = 0;
int locked = 0;

//@ ghost _Bool inv_holds = 1;

// not necessary, but will ensures that the strong invariant holds at
// the boundaries of functions (i.e. it can only be broken temporarily
// inside a given function).
//@ global invariant inv_holds;

//@ strong global invariant
      inv_holds ==>
        access_count>  3<==>  locked == 1;

     //@ ghost inv_holds = 0;
     account_count++;
     locked = 1;
     //@ ghost inv_holds = 1;

-- 
That's all for today, until next time
Virgile
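The ghost-flag pattern from the message above, written as an added example (not the mail's code) in plain ACSL that Frama-C parses today: since `strong global invariant` is only the proposal under discussion, the "holds at every point" part is emulated with an explicit assert where the flag is raised again, and the ordinary global invariant covers function boundaries. The names `record_access`, `invariant_holds` and `lock_inv`, and the conditional `locked = 1`, are my assumptions.

```c
#include <limits.h>

int access_count = 0;
int locked = 0;

/* Ghost flag: 1 while the relation below is claimed to hold, 0 while a
 * function is allowed to break it temporarily (same idea as the mail). */
//@ ghost _Bool inv_holds = 1;

/* The relation itself, as a named ACSL predicate over the two globals
 * (an assumption of this example; the mail inlines it). */
/*@ predicate lock_inv = (access_count > 3 <==> locked == 1); */

/* Ordinary (weak) global invariant: Frama-C checks it only at function
 * boundaries, so the ghost flag gates it exactly as the mail proposes. */
//@ global invariant lock_at_boundaries: inv_holds != 0 ==> lock_inv;

/*@ requires access_count >= 0 && access_count < INT_MAX;
    requires lock_inv;
    assigns access_count, locked, inv_holds;
    ensures access_count == \old(access_count) + 1;
    ensures lock_inv;
*/
int record_access(void) {
    /* Lower the flag: the relation may be false from here on. */
    //@ ghost inv_holds = 0;
    access_count++;
    /* Lock conditionally (the mail's sketch locks unconditionally, which
     * would falsify the relation on the very first call). */
    if (access_count > 3)
        locked = 1;
    /* Relation restored: raise the flag and check it right here, which is
     * the part a strong invariant would have checked automatically. */
    //@ ghost inv_holds = 1;
    //@ assert lock_inv;
    return locked;
}

/* Runtime oracle for the same relation, so a plain C build (no Frama-C)
 * can still check what the ACSL predicate states. */
int invariant_holds(void) {
    return (access_count > 3) == (locked == 1);
}
```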