Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Frama-c-discuss] trouble debugging assertions

Hello Tim,

Le 18/08/2015 09:48, Tim Newsham a écrit :
>    ok = auth(buf,sz,& pay,& paysz);
>    /*@ assert ok ≡ 0 ∨ \initialized(pay+(0 .. paysz-1)); */ ;
>    if (ok) {
>      /*@ assert \initialized(pay+(0 .. paysz-1)); */ ;
>      i = (unsigned int)0;
>      while (i < paysz) {
>        /*@ assert Value: initialisation: \initialized(pay+i); */
>        printf("%d\n",(int)*(pay + i));
>        i ++;
>      }
>    }
>
> here all the assertions are evaluated as valid except
> for the one before the printf.  This is odd because the
> assertion above it says that pay[0..paysz-1] is valid
> and the value analysis knows that i is less than paysz
> at the printf. So why can't it discover that
> \initialized(pay+i) from \initialized(pay+(0..paysz-1)) ?

Probably because slevel is too low. Try to increase it (-slevel option) 
to the value found in paysz.

In loops, by default Value analysis is only considering one possible 
path (you have as many paths as turns in the loop) and thus applies the 
Widening operator of Abstract Analysis theory which, most of the time, 
results in (correct but) not precise enough values.

I posted some explanation on slevel in June of last year:
 
http://lists.gforge.inria.fr/pipermail/frama-c-discuss/2014-June/004493.html

(apparently the mailing list archive mangled the UTF8 characters.)

Best regards,
david