Frama-C-discuss mailing list archives
This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Frama-c-discuss] Enforcing assigns contract with EVA/from plugin?
- Subject: [Frama-c-discuss] Enforcing assigns contract with EVA/from plugin?
- From: boris at yakobowski.org (Boris Yakobowski)
- Date: Sat, 13 Jul 2019 14:12:07 +0200
- In-reply-to: <e951286b-b7c6-047d-4675-bc5483d92a04@proteancode.com>
- References: <65a29dda-c18d-1fe9-d05b-091522071ab8@proteancode.com> <7BFC1068-5474-441C-A6D8-1891BD7B86ED@bentobako.org> <e951286b-b7c6-047d-4675-bc5483d92a04@proteancode.com>
Hi Rod,
Well, as you discovered, Eva/From does a (partial) verification. However,
precision is limited by quite a few things, notably:
- the over-approximations inherent to abstract interpretation
- the fact that From is currently not an analysis domain of Eva, but a
plugin that runs a posteriori (in particular, this will induce a loss of
precision on 'if' statements)
Furthermore, we made no effort to say that a 'from' clause was guaranteed
to be wrong. We could probably derive this information, but not easily: the
current From plugin does not distinguish between 'may depend on' and
'always depend on'.
Also, WP used to have the ability to verify 'from' clauses, but the
implementation contained bugs and was removed. It has not been reincarnated
yet.
Finally, let me add that, for Eva, from clauses are NOT documentation. For
functions that do not have a body at all, they are the only way to get a
sound analysis in presence of pointers. I advise you to try the analysis of
the two following functions to see the difference.
//@ assigns \result \from q[..];
int * f(int *p, int **q);
void main1() {
int x = 1;
int y = 2;
int z = 3;
int *T[2] = {&x, &y};
int *p = &z;
int *r = f(p, T);
// r may point to x or y
Frama_C_show_each(r, *r);
}
//@ assigns \result \from q[1], p;
int * g(int *p, int **q);
void main2() {
int x = 1;
int y = 2;
int z = 3;
int *T[2] = {&x, &y};
int *p = &z;
int *r = g(p, T);
// r may point to x or z
Frama_C_show_each(r, *r);
}
void main() {
main1();
main2();
}
(I omitted the indirect: subclauses, that are not used by Eva, only by
Eva/From).
Hope this helps.
On Tue, Jun 11, 2019 at 2:36 PM Roderick Chapman <rod at proteancode.com>
wrote:
> On 11/06/2019 12:08, David MENTRE wrote:
>
> I would say the [eva:alarm] is precisely your error, \from part which is
> not validated.
>
> So other than serving as documentation for a human reader, do any of the
> plugins to any verification of the "from" part at all?
>
> - Rod
>
>
> _______________________________________________
> Frama-c-discuss mailing list
> Frama-c-discuss at lists.gforge.inria.fr
> https://lists.gforge.inria.fr/mailman/listinfo/frama-c-discuss
--
Boris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.gforge.inria.fr/pipermail/frama-c-discuss/attachments/20190713/8c76c331/attachment.html>
- Next by Date: [Frama-c-discuss] RTE plugin with Frama-c: “-rte-unsigned-ov” is not recognized
- Next by thread: [Frama-c-discuss] RTE plugin with Frama-c: “-rte-unsigned-ov” is not recognized
- Index(es):