Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Frama-c-discuss] Internal state represented by ghost variable not provable

Subject: [Frama-c-discuss] Internal state represented by ghost variable not provable
From: anne.pacalet at free.fr (Anne Pacalet)
Date: Wed, 16 Apr 2014 08:46:36 +0200
In-reply-to: <alpine.LNX.2.03.1404152138470.718@dordowsky.de>
References: <alpine.LNX.2.03.1404152138470.718@dordowsky.de>

Hi,

The problem is that you want for instance to prove:
  ensures no_btn_press == \old(no_btn_press) + 1;

\old(no_btn_press) refers to no_btn_press when calling the function.

Then, you immediately do : //@ ghost no_btn_press = presscnt;
So now, there is no relation between \old(no_btn_press)
and the current value of no_btn_press.

I think that what you want is rather :
  //@ assert no_btn_press == presscnt;
at that point.

With this assertion, you will be able to prove everything,
but this assertion since it depend on the calling context
(nothing tells that no_btn_press is not modified elsewhere...).

Hope this helps,

Anne.

Follow-Ups:
- [Frama-c-discuss] Internal state represented by ghost variable not provable
  - From: frank at dordowsky.de (Frank Dordowsky)

References:
- [Frama-c-discuss] Internal state represented by ghost variable not provable
  - From: frank at dordowsky.de (Frank Dordowsky)

Prev by Date: [Frama-c-discuss] Internal state represented by ghost variable not provable
Next by Date: [Frama-c-discuss] Internal state represented by ghost variable not provable
Previous by thread: [Frama-c-discuss] Internal state represented by ghost variable not provable
Next by thread: [Frama-c-discuss] Internal state represented by ghost variable not provable
Index(es):
- Date
- Thread