Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss mailing list, which was hosted on Inria's gforge until that service was shut down at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.


[Frama-c-discuss] specification question


  • Subject: [Frama-c-discuss] specification question
  • From: dmentre at linux-france.org (David MENTRE)
  • Date: Tue, 18 Aug 2015 10:12:01 +0200
  • In-reply-to: <CAGSRWbgPO0BCmhrUR1=K-LEfQ=g-FyKQknDMTv_N0cSzeD_U7w@mail.gmail.com>
  • References: <CAGSRWbgPO0BCmhrUR1=K-LEfQ=g-FyKQknDMTv_N0cSzeD_U7w@mail.gmail.com>

Hello,

On 18/08/2015 06:06, Tim Newsham wrote:
> It uses fscanf, which frama-c doesn't know too much about.

Just #include <stdio.h>, with Frama-C Sodium you'll have properly 
annotated headers by default.

   frama-c-gui -val -main readUInt tim-fprintf.c


> It definitely doesn't know that *retp will be assigned if fscanf
> returns 1.  Can I inform it of that fact by adding annotations to
> my function?

Always.

>  What sort of annotations would be appropriate
> to let it know that when readUInt returns 1 the value of *retp will
> be assigned to with an unspecified value?

Probably something like (not tested):

  ensures \result == 1 ==> \initialized(retp);

In Frama-C header __fc_builtin.h you also have "Frama_C_entropy_source" 
that you can use as source of randomness. See __fc_builtin.h for 
examples of use.

Best regards,
david

-------------- next part --------------
#include <stdio.h>

static int
readUInt(FILE *fp, unsigned int *retp)
{
    if(fscanf(fp, "%u", retp) == 1)
        return 1;
    return 0;
}
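Putting a contract of the kind suggested above on Tim's readUInt, next to a caller that reads *retp only after checking the result, as an added example (not code from the thread; the requires/assigns clauses, the read_or_default helper and the tmpfile-based input are my assumptions, and the contract has not been run through Frama-C):

```c
#include <stdio.h>
#include <string.h>

/* readUInt from Tim's attachment, with an ACSL contract added here as an
 * illustration. The requires/assigns clauses are assumptions; the last
 * ensures is the property the thread discusses: *retp is initialized
 * whenever readUInt returns 1. Not run through Frama-C. */
/*@ requires \valid(retp);
  @ assigns *retp, *fp;
  @ ensures \result == 0 || \result == 1;
  @ ensures \result == 1 ==> \initialized(retp);
  @*/
static int
readUInt(FILE *fp, unsigned int *retp)
{
    if (fscanf(fp, "%u", retp) == 1)
        return 1;
    return 0;
}

/* A caller that respects the contract: v is read only on the branch where
 * readUInt returned 1, so an analyzer that knows the contract can see that
 * no uninitialized value is ever used. Parses `text` through a temporary
 * stream (constructed input) and returns the value read, or `fallback`
 * when no unsigned int was read. */
unsigned int read_or_default(const char *text, unsigned int fallback)
{
    unsigned int v;              /* deliberately not initialized */
    unsigned int out = fallback;
    FILE *fp = tmpfile();        /* ISO C temporary file as the input stream */

    if (fp == NULL)
        return fallback;
    fputs(text, fp);
    rewind(fp);
    if (readUInt(fp, &v) == 1)   /* only here does the contract guarantee v */
        out = v;
    /* reading v here, without the check, would be the bug Frama-C flags */
    fclose(fp);
    return out;
}
```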