Frama-C-discuss mailing list archives

This page gathers the archives of the old Frama-C-discuss archives, that was hosted by Inria's gforge before its demise at the end of 2020. To search for mails newer than September 2020, please visit the page of the new mailing list on Renater.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Frama-c-discuss] Warnings for call to memcpy()... why?

Subject: [Frama-c-discuss] Warnings for call to memcpy()... why?
From: virgile.prevosto at m4x.org (Virgile Prevosto)
Date: Fri, 19 Jul 2019 17:53:11 +0200
In-reply-to: <91d4bd3b-f440-215d-5dfd-1b94d790e71c@proteancode.com>
References: <2e187c1a-d6d6-3738-df66-1ed684eaea4d@proteancode.com> <8c6794c5-fbbb-0597-1ddc-eec34e682c70@proteancode.com> <CA+yPOVhRq4+e6rZCGFTUdHTzDQ5r4kLdUvSLMUgfntnsKyKogw@mail.gmail.com> <91d4bd3b-f440-215d-5dfd-1b94d790e71c@proteancode.com>

Hello again,

Le ven. 19 juil. 2019 Ã  17:14, Roderick Chapman <rod at proteancode.com> a
Ã©crit :

> On 19/07/2019 13:13, Virgile Prevosto wrote:
>
> Generally speaking, WP is quite bad at handling memcpy and other functions
> of its ilk
>
> OK. In that case, what is the preferred and correct method for performing
> assignment of a whole array in Frama-C?
>

I'd say that encapsulating memcpy into a dedicated well-typed function with
an appropriate contract should let you contain the problem: you will not be
able to prove the contract (as a matter of fact, only the prototype of the
wrapper matters, its definition can be put on another .c file which can be
ignored by Frama-C WP[1]) but you will be able to use it in the main proof.
For instance, with unsigned char, you'd end up with the following
(untested):

/*@ requires \valid(d+(0 .. n-1));
       requires \valid_read(s+(0 .. n-1));
        requires \separated(d+(0 .. n-1), s+(0 .. n-1)
        assigns d[0 .. n-1];
        ensures \forall integer i; 0<= i < n ==> d[i] == s[i];
*/
void uc_memcpy(unsigned char d, unsigned char s, size_t n);

int f (...) {
...
uc_memcpy(new_array, old_array, size);
...
}

Obviously, if you use memcpy over arrays of several distinct types, you'll
need one specialized version for each type, which will quickly become quite
tedious. As said before, this would probably be much more easily handled by
a code transformation performed by a script/plugin, but unfortunately this
script does not exist yet.

Best regards,
-- 
E tutto per oggi, a la prossima volta
Virgile
[1] Eva or E-ACSL would probably need to have the definition as well,
though.
-------------- section suivante --------------
Une piÃ¨ce jointe HTML a Ã©tÃ© nettoyÃ©e...
URL: <http://lists.gforge.inria.fr/pipermail/frama-c-discuss/attachments/20190719/03131f33/attachment-0001.html>

Follow-Ups:
- [Frama-c-discuss] Warnings for call to memcpy()... why?
  - From: rod at proteancode.com (Roderick Chapman)

References:
- [Frama-c-discuss] Warnings for call to memcpy()... why?
  - From: rod at proteancode.com (Roderick Chapman)
- [Frama-c-discuss] Warnings for call to memcpy()... why?
  - From: virgile.prevosto at m4x.org (Virgile Prevosto)
- [Frama-c-discuss] Warnings for call to memcpy()... why?
  - From: rod at proteancode.com (Roderick Chapman)

Prev by Date: [Frama-c-discuss] Warnings for call to memcpy()... why?
Next by Date: [Frama-c-discuss] Warnings for call to memcpy()... why?
Previous by thread: [Frama-c-discuss] Warnings for call to memcpy()... why?
Next by thread: [Frama-c-discuss] Warnings for call to memcpy()... why?
Index(es):
- Date
- Thread