2021-01-22 20:16 CET

View Issue Details
ID: 0001117
Project: Frama-C
Category: Plug-in > wp
View Status: public
Last Update: 2012-11-06 21:23
Reporter: Jochen
Assigned To: pherrmann
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: Frama-C Nitrogen-20111001
Target Version: (none)
Fixed in Version: Frama-C Oxygen-20120901
Summary: 0001117: addr_eq versus = and <> in generated axioms access_update, access_update_neq
Description:
I ran "frama-c -wp -cpp-command 'gcc -C -E -I.' -pp-annot -wp-rte -wp-proof alt-ergo -no-unicode -wp-warnings -wp-out ./out ftest.c" on the attached program and inspected the generated file "out/store_ftest_post_1_po_ergo.why".

In the proof obligation for C source line 14, the update operator a[i<-v] is used with e.g. addr_shift(s_0,0) substituted for i. In the axioms access_update and access_update_neq, arguments at position i are compared by built-in equality (and disequality <>).

However, terms starting with "addr_shift" are usually compared by "addr_eq", e.g. in the translation of lemma l.

I suggest checking whether the mentioned axioms should be weakened to:

axiom access_update : (forall a:'a1 farray.(forall i:int.(forall j:int.(forall v:'a1.(addr_eq(i,j) -> a[i<-v][j]=v)))))
axiom access_update_neq : (forall a:'a1 farray.(forall i:int.(forall j:int.(forall v:'a1.((not addr_eq(i,j)) -> (a[i<-v][j]=a[j]))))))

If not, I suggest checking whether addr_eq is in fact the same as =, and dropping the former for the sake of simplicity.
Tags: No tags attached.
Attached Files:
  ftest.c (243 bytes) 2012-03-12 11:04
    /*@ lemma l:
        \forall int* b; \forall integer i,j;
        &b[i] == &b[j] ==> i == j;
    */
    
    struct _str {
        int a;
        int b;
    };
    
    /*@ 
        requires \valid(s);
        ensures s->a == 0;
    */
    void ftest(struct _str *s) {
        s->a = 0;
        s->b = 0;
    }


Notes

~0002766

correnson (manager)

Actually, there is no reason for keeping addr_eq instead of (=).
Weakening the access-update axioms is not permitted by the usage of the built-in array theory in alt-ergo.
Also, I must mention that we are refactoring the models of WP and such cleaning is in progress.
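The point made in note 0002766, that the access-update axioms cannot be weakened to an equivalence relation coarser than (=) because the prover's built-in array theory already fixes the value of a[i<-v][j] from whether i = j, as an added illustration in Python. This is not code from Frama-C, WP or Alt-Ergo: the finite index and value domains, the (base, offset) model of addr_shift and the "coarse" addr_eq relation are constructed for the demonstration only (WP's addr_eq was in fact the same as (=), as the fix below confirms).

```python
# Added illustration (not Frama-C/WP/Alt-Ergo code): a finite model of WP's
# functional arrays under the built-in select/store theory, used to show why
# access_update cannot be stated with a relation coarser than (=).
from itertools import product

INDICES = range(4)   # constructed index domain 0..3
VALUES = range(2)    # constructed value domain {0, 1}


def store(a, i, v):
    """a[i<-v]: array a with position i overwritten by v (McCarthy store)."""
    b = dict(a)
    b[i] = v
    return b


def select(a, j):
    """a[j]: read position j (McCarthy select)."""
    return a[j]


def addr_eq_exact(i, j):
    """addr_eq taken as (=), which is what WP ended up using."""
    return i == j


def addr_eq_coarse(i, j):
    """Hypothetical relation strictly coarser than (=): identifies indices
    that differ by an even number.  Only used to show what goes wrong."""
    return (i - j) % 2 == 0


def check_access_update(addr_eq):
    """Evaluate the two axioms, written with `addr_eq` in place of (=),
    against the built-in theory (select over store on the dict model) for
    every array, i, j and v in the finite model.  Returns the list of
    (axiom, a, i, j, v) tuples where the axiom is violated; an empty list
    means the axioms are consistent with the built-in theory."""
    violations = []
    for vals in product(VALUES, repeat=len(INDICES)):
        a = dict(zip(INDICES, vals))
        for i, j, v in product(INDICES, INDICES, VALUES):
            got = select(store(a, i, v), j)
            # access_update: addr_eq(i,j) -> a[i<-v][j] = v
            if addr_eq(i, j) and got != v:
                violations.append(("access_update", a, i, j, v))
            # access_update_neq: not addr_eq(i,j) -> a[i<-v][j] = a[j]
            if not addr_eq(i, j) and got != select(a, j):
                violations.append(("access_update_neq", a, i, j, v))
    return violations


def addr_shift(base, k):
    """Constructed model of addr_shift: a pointer is a (base, offset) pair,
    so &b[i] is addr_shift(b, i)."""
    return (base, k)


def lemma_l_holds(base="b"):
    """Lemma l from ftest.c, &b[i] == &b[j] ==> i == j, checked over the
    model: shifting one base is injective in the offset, so comparing
    shifted addresses with (=) and with an exact addr_eq agree."""
    return all(i == j for i in INDICES for j in INDICES
               if addr_shift(base, i) == addr_shift(base, j))


if __name__ == "__main__":
    print("addr_eq = (=):", len(check_access_update(addr_eq_exact)), "violations")
    bad = check_access_update(addr_eq_coarse)
    print("coarse addr_eq:", len(bad), "violations, first:", bad[0])
    print("lemma l holds in the model:", lemma_l_holds())
```

With addr_eq read as (=) the weakened axioms are exactly the built-in theory and nothing is violated. With any coarser relation, the weakened access_update asserts a[i<-v][j] = v for some i that the built-in theory treats as distinct from j, where it already gives a[i<-v][j] = a[j]; the two together would force a[j] = v for arbitrary a and v, which is why the check reports violations only for access_update and never for access_update_neq.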

~0002768

pherrmann (reporter)

addr_eq is replaced by (=) as of svn 17556.

Issue History
Date Modified Username Field Change
2012-03-12 11:04 Jochen New Issue
2012-03-12 11:04 Jochen Status new => assigned
2012-03-12 11:04 Jochen Assigned To => correnson
2012-03-12 11:04 Jochen File Added: ftest.c
2012-03-14 09:37 correnson Note Added: 0002766
2012-03-14 09:37 correnson Status assigned => acknowledged
2012-03-14 10:09 correnson Status acknowledged => assigned
2012-03-14 10:09 correnson Assigned To correnson => pherrmann
2012-03-14 17:24 pherrmann Note Added: 0002768
2012-03-14 17:24 pherrmann Status assigned => resolved
2012-09-19 17:15 signoles Fixed in Version => Frama-C Oxygen-20120901
2012-09-19 17:16 signoles Status resolved => closed
2012-11-06 21:23 signoles Resolution open => fixed