0001461: assigns, loop assigns and loop invariant
In the following (admittedly contrived) example, the assigns of g is not proved by WP (in fact it is reduced to false by Qed), although it is correct from ACSL semantics: as long as the loop invariant states that x still has its old value, the fact that it is mentioned in the loop assigns should not impede its absence in the assigns. --- test.c int x; /*@ assigns \nothing; */ int g() { /*@ loop assigns i,x; loop invariant x == \at(x,Pre); */ for (int i = 0; i<2; i++); return x; }
This is known limitation of the WP. Assigns are verified with a stronger method than necessary: WP checks that all effects are included in the assigns specified, which is sufficient but not necessary. The workaround is to modify the contract with: /*@ assigns x; ensures x ==\old(x); */ int g() { /*@ loop assigns i,x; loop invariant x == \at(x,Pre); */ for (int i = 0; i<2; i++); return x; } An evolution of the WP may infer automatically this workaround.
Feature wish: infer workaround.
Feature wish