2021-03-03 02:33 CET

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002497Frama-CPlug-in > wppublic2020-02-03 11:39
Assigned Tocorrenson 
Product VersionFrama-C 20-Calcium 
Target VersionFixed in Version 
Summary0002497: quantifiers over logic types do not restrict to valid instances

When I quantify over an unsigned char, the resulting formula uses the is_uint8 predicate to ensure that it only considers valid uint8s. However, if I define a logic type that contains an unsigned char, there is no corresponding is_ predicate for the logic type:

> //@ type logic_type_with_u8 = value(unsigned char);

This type is represented in the generated formula as an unbounded int rather than an unsigned char. This means that quantifying over the logic type includes more values than are allowed - for example, `\forall logic_type_with_u8 l` has to prove that the predicate is true even for values that won't fit in a u8.

As a concrete example, I expect the following to hold, but it does not:

> lemma u8_is_valid: \forall logic_type_with_u8 n; \exists unsigned char u; n == value(u);

Steps To ReproduceDownload file logic_type_is_valid.c and run with WP:

> frama-c -wp logic_type_is_valid.c

The lemma in this file should hold, but does not.
Additional InformationPS. I could not test on the latest version from git - how do I get (read-only) access to the git repository?
TagsNo tags attached.
Attached Files
  • c file icon logic_type_is_valid.c (167 bytes) 2020-01-30 19:40 -
      type logic_type_with_u8
        = value(unsigned char);
      lemma u8_is_valid:
        \forall logic_type_with_u8 n;
        \exists unsigned char u;
          n == value(u);
    c file icon logic_type_is_valid.c (167 bytes) 2020-01-30 19:40 +




amosr (reporter)

From what I can tell, this is only incomplete rather than unsound – I can't figure out a way to prove "there exists some logic_type_with_u8 such that its u8 is 256".


correnson (manager)

Yes indeed, you are right, there _is_ something missing here. And I'm afraid this can lead to soundness issues,
at least regarding ACSL expected semantics.

-Issue History
Date Modified Username Field Change
2020-01-30 19:40 amosr New Issue
2020-01-30 19:40 amosr Status new => assigned
2020-01-30 19:40 amosr Assigned To => correnson
2020-01-30 19:40 amosr File Added: logic_type_is_valid.c
2020-01-30 19:48 amosr Note Added: 0006934
2020-02-03 11:39 correnson Note Added: 0006935
+Issue History