Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted on Inria's gforge until that service was shut down at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.



[Frama-c-discuss] Some information on invariant needs


  • Subject: [Frama-c-discuss] Some information on invariant needs
  • From: hollas at informatik.htw-dresden.de (Boris Hollas)
  • Date: Thu, 04 Oct 2012 11:19:01 +0200
  • In-reply-to: <CAC3Lx=YxVLEad-GW=FPszgZn7UUvu5_abe7koF_sk35+D_owKg@mail.gmail.com>
  • References: <CAC3Lx=YxVLEad-GW=FPszgZn7UUvu5_abe7koF_sk35+D_owKg@mail.gmail.com>

Hello,

I have a plugin that adds weak type invariants as pre- and 
postconditions of all functions that have a parameter of this type.

For example, you can write

typedef unsigned char admin_level;

//@ type invariant admin_level_ti(admin_level al) = 0 <= al <= 2;

Then, a function such as

int foo(admin_level al);

will have new pre- and postconditions.

Or you can write

typedef struct {
    unsigned char AES_key[32];
    unsigned char validity;
} key_t;

typedef struct {
   key_t keys[2];
} keys_t;

/*@ type invariant keys_ti(keys_t *k) =
      (k->keys[0].validity == GOOD ==> k->keys[1].validity == BAD) &&
      (k->keys[1].validity == GOOD ==> k->keys[0].validity == BAD);
 */

Note that type invariants work on types, not on individual variables. So 
you can't use them for the global variables in your examples.

However, arrays are not fully supported.
-- 
Best regards,
Boris
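
The following is an added example and is not code from the post above or from Boris Hollas's plugin. It writes out, in plain ACSL, the pre- and postconditions such a plugin would attach to functions whose parameter or result has the invariant's type (a weak invariant is checked only at function entry and exit, which is exactly what a requires/ensures pair expresses), and it pairs each invariant with a runtime check of the same meaning so the contracts can also be exercised under an ordinary C compiler. The GOOD/BAD encodings, the helper names (admin_level_ok, keys_ok, admin_demote, keys_activate) and the struct name aes_key_t are assumptions; the post's key_t was renamed because it clashes with the POSIX key_t from <sys/types.h>.

```c
/* Added example; not code from the original post or the plugin it describes.
 * Assumed: GOOD/BAD encodings, helper names, and the struct name aes_key_t
 * (the post's key_t collides with POSIX key_t in <sys/types.h>). */

#define GOOD 1   /* assumed encoding: the post does not define GOOD/BAD */
#define BAD  0

typedef unsigned char admin_level;

/*@ type invariant admin_level_ti(admin_level al) = 0 <= al <= 2; */

typedef struct {
    unsigned char AES_key[32];
    unsigned char validity;
} aes_key_t;

typedef struct {
    aes_key_t keys[2];
} keys_t;

/* At most one of the two key slots may be marked GOOD at any time. */
/*@ type invariant keys_ti(keys_t *k) =
      (k->keys[0].validity == GOOD ==> k->keys[1].validity == BAD) &&
      (k->keys[1].validity == GOOD ==> k->keys[0].validity == BAD);
 */

/* Runtime mirror of admin_level_ti (al is unsigned, so 0 <= al is implied). */
int admin_level_ok(admin_level al) {
    return al <= 2;
}

/* Runtime mirror of keys_ti: A ==> B is written as (!A || B). */
int keys_ok(const keys_t *k) {
    int k0 = k->keys[0].validity;
    int k1 = k->keys[1].validity;
    return (k0 != GOOD || k1 == BAD) && (k1 != GOOD || k0 == BAD);
}

/* With the plugin this function would need no hand-written contract: since
 * both its parameter and its result have type admin_level, the invariant is
 * added as a precondition on al and a postcondition on \result. The clauses
 * below are that generated contract, spelled out explicitly. */
/*@ requires 0 <= al <= 2;
    ensures  0 <= \result <= 2;
    assigns  \nothing;
 */
admin_level admin_demote(admin_level al) {
    return (admin_level)(al == 0 ? 0 : al - 1);
}

/* Same idea for the pointer type: keys_ti becomes a precondition on the object
 * passed in and a postcondition on the object at return. Marking slot idx GOOD
 * therefore has to mark the other slot BAD, or the postcondition fails. */
/*@ requires \valid(k) && (idx == 0 || idx == 1);
    requires (k->keys[0].validity == GOOD ==> k->keys[1].validity == BAD) &&
             (k->keys[1].validity == GOOD ==> k->keys[0].validity == BAD);
    ensures  (k->keys[0].validity == GOOD ==> k->keys[1].validity == BAD) &&
             (k->keys[1].validity == GOOD ==> k->keys[0].validity == BAD);
    ensures  k->keys[idx].validity == GOOD;
    assigns  k->keys[0].validity, k->keys[1].validity;
 */
void keys_activate(keys_t *k, int idx) {
    k->keys[idx].validity     = GOOD;
    k->keys[1 - idx].validity = BAD;
}
```

The annotations are ordinary ACSL, so the file can be handed to Frama-C as it is; the runtime helpers are only there to let a plain compiler exercise the same conditions that the contracts state.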