0001117: addr_eq versus = and <> in generated axioms access_update, access_update_neq

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0001117

Frama-C

Plug-in > wp

public

2012-03-12 11:04

2012-11-06 21:23

Reporter

Jochen

Assigned To

pherrmann

Priority

normal

Severity

tweak

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Frama-C Nitrogen-20111001

Target Version

Fixed in Version

Frama-C Oxygen-20120901

Summary

0001117: addr_eq versus = and <> in generated axioms access_update, access_update_neq

Description

I ran "frama-c -wp -cpp-command 'gcc -C -E -I.' -pp-annot -wp-rte -wp-proof alt-ergo -no-unicode -wp-warnings -wp-out ./out ftest.c" on the attached program and inspected the generated file "out/store_ftest_post_1_po_ergo.why". In the proof obligation for c-source line 14, the update operator a[i<-v] is used with e.g. addr_shift(s_0,0) substituted for i. In the axioms access_update and access_update_neq, arguments at position i are compared by built-in equality (and disequality <>). However, terms starting with "addr_shift" are usually compared by "addr_eq", e.g. in the translation of lemma l. I suggest to check whether the mentioned axioms should be weakened to: axiom access_update : (forall a:'a1 farray.(forall i:int.(forall j:int.(forall v:'a1.(addr_eq(i,j) -> a[i<-v][j]=v))))) axiom access_update_neq : (forall a:'a1 farray.(forall i:int.(forall j:int.(forall v:'a1.((not addr_eq(i,j)) -> (a[i<-v][j]=a[j])))))) If not, I suggest to check whether addr_eq is in fact the same as =, and to drop the former for sake of simplicity.

Tags

No tags attached.

Attached Files

ftest.c [^] (243 bytes) 2012-03-12 11:04 [Show Content] [Hide Content]

/*@ lemma l:
    \forall int* b; \forall integer i,j;
	&b[i] == &b[j] ==> i == j;
*/

struct _str {
    int a;
    int b;
};

/*@ 
    requires \valid(s);
    ensures s->a == 0;
*/
void ftest(struct _str *s) {
    s->a = 0;
    s->b = 0;
}

Relationships

Notes
(0002766) correnson (manager) 2012-03-14 09:37	Actually, there is no reason for keeping addr_eq instead of (=). Weakening the access-update axioms is not permitted by the usage of build-in array theory in alt-ergo. Also, I must mention that we are refactoring the models of WP and such cleaning is in progress.

(0002768) pherrmann (reporter) 2012-03-14 17:24	addr_eq is replaced by (=) as of svn 17556.

Issue History
Date Modified	Username	Field	Change
2012-03-12 11:04	Jochen	New Issue
2012-03-12 11:04	Jochen	Status	new => assigned
2012-03-12 11:04	Jochen	Assigned To	=> correnson
2012-03-12 11:04	Jochen	File Added: ftest.c
2012-03-14 09:37	correnson	Note Added: 0002766
2012-03-14 09:37	correnson	Status	assigned => acknowledged
2012-03-14 10:09	correnson	Status	acknowledged => assigned
2012-03-14 10:09	correnson	Assigned To	correnson => pherrmann
2012-03-14 17:24	pherrmann	Note Added: 0002768
2012-03-14 17:24	pherrmann	Status	assigned => resolved
2012-09-19 17:15	signoles	Fixed in Version	=> Frama-C Oxygen-20120901
2012-09-19 17:16	signoles	Status	resolved => closed
2012-11-06 21:23	signoles	Resolution	open => fixed