Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- Subject: [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- From: tjoppen at acc.umu.se (Tomas Härdin)
- Date: Mon, 26 Nov 2018 12:47:10 +0100
- In-reply-to: <3DE0B5BB-6F83-4196-A86F-9F350F0D643F@cea.fr>
- References: <1542798108.10255.6.camel@acc.umu.se> <3DE0B5BB-6F83-4196-A86F-9F350F0D643F@cea.fr>
mån 2018-11-26 klockan 11:38 +0100 skrev Loïc Correnson:
> Hi Tomas,
> Thanks a lot for sharing your experience !
> I'm just wondering how you stressed WP with strings :-)
There's a number of things, but what caused me the most grief was
tokenizing a string like "foo bar doot" into char terms[128][128],
using strcspn().
I was actually able to get so far as strcspn() either giving me zero
length (if at end of string, or a space), or a proper string, and loop
variant strlen(remaning_string) always decreasing, assigns clauses
being fulfilled.. All that good stuff. But as soon as I assign
terms[][] it gets massively confused.
I've tried things like putting \separated loop invariants for all char*
involved, only ever assigning terms[0][0] = 0 (so I can at least say
valid_string((char*)terms)) and other stuff. WP is even able to reason
that \separated indeed holds, until I go assigning terms. And yes, I
have loop assigns ((char*)terms)[0..(sizeof(terms)-1)];
Just a simple thing like strcspn(str, " ") thinking " " can alias str
despite str being char * restrict.
> because, basically, modelling for string literals are supposed to be
> fairly implemented, eg:
>
> $ less str.i
> void foo() {
> Â char *a = "abc";
> Â char *b = "abc";
> Â char *c = "def";
> Â //@ assert \valid_read(a+(0..3));
> Â //@ assert !\valid(a+(0..3));
> Â //@ assert \separated({a,b},c);
> Â //@ assert \forall integer k; 0 <= k <= 3 ==> a[k] == b[k];
> }
> $ frama-c -wp str.i
> [kernel] Parsing str.i (no preprocessing)
> [wp] Warning: Missing RTE guards
> [wp] 4 goals scheduled
> [wp] Proved goals:Â Â Â Â 4 / 4
> Â Qed:Â Â Â Â Â Â Â Â Â Â Â Â Â 0Â Â (0.49ms-1ms-1ms)
> Â Alt-Ergo:Â Â Â Â Â Â Â Â 4Â Â (18ms-24ms) (51)
>
> (\separated(a,b) can not be proved, it is compiler dependent).
Indeed, but char a[4] = "abc", b[4] = "abc" should work.
> So, if you faced problems with strings, there might be some bug
> somewhere that we should investigate !
Perhaps I can come up with a minimal example..
/Tomas
- References:
- [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- From: tjoppen at acc.umu.se (Tomas Härdin)
- [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- From: loic.correnson at cea.fr (Loïc Correnson)
- [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- Prev by Date: [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- Next by Date: [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- Previous by thread: [Frama-c-discuss] I wrote a blog post about my experiences with Frama-C so far
- Next by thread: [Frama-c-discuss] JFLA 2019 : 1er appel à participation
- Index(es):