Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Frama-c-discuss] verifying overflow in x++

  • Subject: [Frama-c-discuss] verifying overflow in x++
  • From: dak at (Damien Karkinsky)
  • Date: Fri, 26 Apr 2013 16:20:57 +0100


I had a simple function with the following contract:


uint16_t x;

  assigns x;

  behavior A:
  assumes x < 65535;
  ensures x == \old(x) + 1;

  behavior B:
  assumes x == 65535;
  ensures x == 0;
void f();

void f(){

void main(){

I cannot verify the post condition for behaviour B. WP states
Goal store_f_B_post_2:
  forall x_0:int.
  is_uint16(x_0) ->
  (x_0 = 65535) ->
  (let x_1 = as_uint16(65536) in
   (x_1 = 0))

I suppose  as_uint16(65536) = 0  is not derived to be the case.

Would any one care to comment? Is that a bug?

Thank you and all the best


Dr. Damien Karkinsky

Safety-Critical Systems Consultant

Adelard LLP. (

Exmouth House, 3-11 Pine Street, London, EC1R 0JH

tel: +44(0)20-7832-5854   mob: +44(0)779-568-1233