Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] how does Frama-C infer missing invariants?
- Subject: [Frama-c-discuss] how does Frama-C infer missing invariants?
- From: siegel at udel.edu (Stephen Siegel)
- Date: Thu, 24 Oct 2013 10:03:57 -0400
The simple program below is verified by Frama-C+Jessie+AltErgo. What is a little surprising is that it still verifies if you leave out the "loop invariant i<=n;" for the inner loop. I think I remember reading somewhere that Frama-C can infer some invariants and frame conditions automatically. I assume something like that is going on here, but I don't remember where I read about it and would like to understand how it works. I spend a bit of time making my students do Hoare logic proofs like this by hand, and drill into them that anything you want to "know" after the loop terminates had better be in the loop invariant, but then they use Frama-C and see that isn't true!
-Steve
/*@ requires n>=0 && m>=0; */
void f(int n, int m) {
int i=0;
/*@ loop invariant i<=n;
@ loop variant n-i;
@*/
while (i<n) {
int j=0;
/*@ loop invariant j<=m;
@ loop invariant i<=n;
@ loop variant m-j;
@*/
while (j<m) { j++; }
//@ assert j==m;
i++;
}
//@ assert i==n;
}
- Follow-Ups:
- [Frama-c-discuss] how does Frama-C infer missing invariants?
- From: moy at adacore.com (Yannick Moy)
- [Frama-c-discuss] how does Frama-C infer missing invariants?
- Prev by Date: [Frama-c-discuss] Problems with Nitrogen/Fluorine
- Next by Date: [Frama-c-discuss] Verification conditions left unproven by automatic prover
- Previous by thread: [Frama-c-discuss] Array problem - Jessie plugin
- Next by thread: [Frama-c-discuss] how does Frama-C infer missing invariants?
- Index(es):