Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.


[Frama-c-discuss] Some information on invariant needs


  • Subject: [Frama-c-discuss] Some information on invariant needs
  • From: hollas at informatik.htw-dresden.de (Boris Hollas)
  • Date: Fri, 05 Oct 2012 19:59:37 +0200
  • In-reply-to: <CAC3Lx=ZsgBZJsHEMuCYt7jmJb+y16EYWQBMOmF-FPaD6Ucg+vQ@mail.gmail.com>
  • References: <CAC3Lx=YxVLEad-GW=FPszgZn7UUvu5_abe7koF_sk35+D_owKg@mail.gmail.com> <506D5485.5020501@informatik.htw-dresden.de> <CAC3Lx=ZsgBZJsHEMuCYt7jmJb+y16EYWQBMOmF-FPaD6Ucg+vQ@mail.gmail.com>

On 05.10.2012 16:56, David MENTRE wrote:
>> Note that type invariants work on types, not on individual variables. So you
>> can't use them for the global variables in your examples.
>
> But the same approach could be used to annotate each function's pre
> and post-condition with the logic formula corresponding to the global
> invariant. An added condition would be to verify that the initial

That's indeed what happens; however, only for the function's formal 
parameters. This avoids unnecessary contracts. Global variables used by 
a function would have to be considered as auxiliary parameters, which 
requires more work.

I think that invariants are very useful and that weak invariants are 
easier to use than strong invariants. For the latter, see how this is 
handled in Spec# and Vcc.

-- 
Best regards,
Boris
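As an added illustration of the distinction made in this thread (not code from the thread or from the Frama-C project): a type invariant written in ACSL syntax constrains every value of a type, a function whose formal parameter has that type benefits from it, and a function acting on a global of the same type restates the formula explicitly in its contract, as the reply describes. The type `bounded`, the invariant `bounded_range`, the functions and the global are constructed names; the ACSL annotations are comments, so the C compiles and runs as ordinary code.

```c
#include <limits.h>

/* Constructed example: a counter type whose values are meant to stay in
   [0, 100]. The ACSL type invariant below talks about the type `bounded`,
   not about any particular variable of that type. */
typedef int bounded;

/*@ type invariant bounded_range(bounded b) = 0 <= b <= 100; */

/* The formal parameter `b` has the invariant-bearing type. Following the
   reply above, the invariant is instantiated for formals, so the contract
   does not need to repeat `requires 0 <= b <= 100` to rule out overflow of
   `b + 1` or to justify the wrap-around at 100. */
/*@ ensures \result == (b == 100 ? 0 : b + 1);
    ensures 0 <= \result <= 100; */
bounded bounded_step(bounded b) {
  return b == 100 ? 0 : b + 1;
}

/* A global of the same type. Per the reply, the type invariant is not
   applied to globals automatically, so a function that reads and writes
   the global carries the formula itself, treating the global like an
   auxiliary parameter: it is assumed on entry and re-established on exit. */
bounded g_count = 0;

/*@ requires 0 <= g_count <= 100;
    assigns g_count;
    ensures 0 <= g_count <= 100;
    ensures g_count == (\old(g_count) == 100 ? 0 : \old(g_count) + 1);
    ensures \result == g_count; */
bounded global_step(void) {
  g_count = bounded_step(g_count);
  return g_count;
}
```

Without the explicit `requires` on `global_step`, nothing in the annotations would prevent `g_count` from being, say, `INT_MAX` on entry, which is exactly the extra bookkeeping the reply calls "more work".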