Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted on Inria's gforge until its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.


[Frama-c-discuss] [Jessie] Assert clause not proved

  • Subject: [Frama-c-discuss] [Jessie] Assert clause not proved
  • From: nnarai at (Nanci Naomi)
  • Date: Wed, 9 Oct 2013 14:35:36 -0300

Thank you for your replies. We used the ghost variables and the VCs were
proved in our reduced code version.

However, there are several similar assignments in our legacy code and we
included the ghost variables and the assert clauses to all of them. After
that, the frama-c analysis seems to run slowly, Gappa does not prove some
assert clauses (External prover call failed) and Alt-Ergo proves them, but
it was necessary to enlarge the time limit to avoid time out. We set the
time limit to 300s and there are some not proved assert clauses yet.

According to Claude, the ghost variables are a heavy solution. Is it not
possible to use ghost variables several times?

Are there other solutions?

We are only verifying legacy code and we do not intend to modify it.


Nanci, Luciana and Rovedy

Nanci Naomi

Treat the Earth well.  It was not given to you by your parents,
it was loaned to you by your children. (Kenyan proverb)

On Wed, Oct 9, 2013 at 2:32 PM, Rovedy Aparecida Busquim e Silva <
rovedy at> wrote:

> ---------- Forwarded message ----------
> From: Claude Marché <Claude.Marche at>
> Date: 2013/10/8
> Subject: Re: [Frama-c-discuss] [Jessie] Assert clause not proved
> To: frama-c-discuss at
> On 08/10/2013 07:40, Guillaume Melquiond wrote:
> > On 04/10/2013 15:50, Rovedy Aparecida Busquim e Silva wrote:
> >
> >> The attached source code is a simplified version of the program we are
> >> trying to prove.
> >> Basically, M and L are struct type variables.
> >>
> >> L.M1 is equal to 0.0 and we tried to state this in the requires clause
> >> with the BOUND define. Is it correct?
> >
> > I don't see anything wrong with the specification. In fact, if you
> > replace field M.x1 by some float variable Mx1, it will go through.
> >
> >> We want to prove that M.x1 and result variable are equal to 0.0 too,
> >> but the assert clauses are not proved. What is wrong?
> >
> > Gappa can prove the arithmetic properties, but it does not support field
> > accesses. SMT solvers support them, but they cannot cope with the
> > arithmetic. Thus you are stuck, since none of the tools is powerful
> enough.
> This analysis is unfortunately correct, but fortunately the conclusion
> is too pessimistic.
> This is indeed an issue that I realized before on float arrays, and I
> implemented a solution in Jessie so that Gappa can prove the goals.
> Unfortunately the same treatment should have been done to structs, but
> wasn't.
> Still, there is a workaround, but using temporary scalar variables to
> help the provers. A solution is attached. It is heavy but I have no
> simpler solution to propose. In an ideal world there should exist an SMT
> solver able to handle the theory of floats natively. (This may happen in
> the future!)
> - Claude
> --
> Claude Marché                          | tel: +33 1 72 92 59 69
> INRIA Saclay - Île-de-France           |
> Université Paris-sud, Bat. 650         |
> F-91405 ORSAY Cedex                    |
> _______________________________________________
> Frama-c-discuss mailing list
> Frama-c-discuss at
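The ghost-scalar workaround described in the quoted reply, written out as an added example: this is not Claude's attached solution nor code from the thread, and the struct `st`, its fields `x1`/`M1`, the function `scale` and the `\is_finite(k)` precondition are all assumptions. The point is that the float field is copied into a ghost scalar so that the arithmetic goal no longer mentions a field access, which the thread says Gappa cannot handle, while the SMT solvers can discharge the field-related goals.

```c
/* Added example (not the thread's attached solution): the workaround
 * described above, with hypothetical names.  A struct float field is copied
 * into a ghost scalar so that the arithmetic assertion is about a plain
 * float, not a field access. */
#include <assert.h>
#include <stdio.h>

struct st { float x1; float M1; };   /* hypothetical, modelled on L and M in the thread */

/*@ requires \valid(m) && \valid_read(l) && \separated(m, l);
  @ requires \is_finite(k);
  @ requires l->M1 == 0.0;
  @ assigns m->x1;
  @ ensures m->x1 == 0.0 && \result == 0.0;
  @*/
float scale(struct st *m, const struct st *l, float k)
{
    /* Ghost copy of the input field: the arithmetic prover sees a scalar. */
    //@ ghost float lm1 = l->M1;
    //@ assert lm1 == 0.0;
    m->x1 = l->M1 * k;
    /* Ghost copy of the result field, then the arithmetic goal on scalars only:
       0.0 * k rounds to +0.0 or -0.0, both equal to 0.0 in ACSL's real comparison. */
    //@ ghost float mx1 = m->x1;
    //@ assert mx1 == 0.0;
    return m->x1;
}

/* Runs scale() on constructed inputs and returns the result; the runtime
   check mirrors the ACSL postcondition (C also treats -0.0f == 0.0f as true). */
float demo(float k)
{
    struct st l = { .x1 = 1.5f, .M1 = 0.0f };   /* constructed: L.M1 is 0.0 as in the thread */
    struct st m = { .x1 = 7.0f, .M1 = 3.0f };   /* constructed: M.x1 starts non-zero */
    float r = scale(&m, &l, k);
    assert(m.x1 == r);
    return r;
}

int main(void)
{
    printf("%g %g\n", demo(2.5f), demo(-4.0f));
    return 0;
}
```

Running `frama-c -wp` (or the Jessie plug-in of the time) on the annotated file is what would show whether the split goals are proved; the C program itself only exercises the function.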