0002501: error in generated proof obligation - Frama-C Bug Tracking System

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0002501

Frama-C

Plug-in > wp

public

2020-03-10 11:44

2020-03-16 12:32

Reporter

jens

Assigned To

AllanBlanchard

Priority

normal

Severity

major

Reproducibility

always

Status

assigned

Resolution

open

Platform

Linux, macOS

OS Version

Product Version

Frama-C 20-Calcium

Target Version

Fixed in Version

Summary

0002501: error in generated proof obligation

Description

The attached file 'issue.c' contains a simplified (but still not very small) example of an issue I have within ACSL by Example. There is lemma R_2 for the logic function R. The definition of R uses the logic function F contained in the axiomatic block A. When trying to verify R_2 with the command line below I obtain the message [Why3 Error] anomaly: Failure("Can't find 'L_F' in why3 namespace") frama-c -wp -wp-prover alt-ergo -wp-prover native:coq issue.c [kernel] Parsing issue.c (with preprocessing) [wp] Warning: native support for coq is deprecated, use tip instead [wp] 2 goals scheduled [wp] [Failed] Goal typed_lemma_R_2 Alt-Ergo 2.3.1: Failed [Why3 Error] anomaly: Failure("Can't find 'L_F' in why3 namespace") Coq: Unknown [wp] [Cache] found:1 [wp] Proved goals: 1 / 2 Qed: 0 Coq: 0 (unknown: 1) Alt-Ergo 2.3.1: 1 (10ms) (23) (cached: 1) (failed: 1) When looking at the generated verification condition with Coq I found the following: The generated hypothesis 'FixL_R' uses of course the function 'L_F'. However, the necessary import clause 'Require Import A_A.' comes only AFTER the definition of 'FixL_R'.

Additional Information

There is a work-around by calling the helper function 'Fix' in the definition of R (see the comment in the code). The problem also "disappears' if lemma 'R_1' is removed (but I don't have this option). While looking at this problem, I noticed that in general coq definitions and import clauses are interspersed in the verification conditions...

Tags

No tags attached.

Attached Files

issue.c [^] (857 bytes) 2020-03-10 11:44 [Show Content] [Hide Content]

/*@
  axiomatic A
  {
    logic integer
    F(int* a, integer m, integer n, int v) =
      (n <= m) ? 
       0 : ((0 <= F(a, m, n-1, v) < n-m-1) ?
         F(a, m, n-1, v) : ((a[n-1] != v) ? n-m-1 : n-m));
  }

  logic integer
  Fix(int* a, integer x, integer n, int v) = x + F(a, x, n, v);

  logic integer
  R(int* a, integer n, int v, integer p) =
    \let c = n;
    \let x = R(a, n, v, p-1) + 1;
      p < 0 ? -1 : // 0 <= p
        (n <= 0 ? 0 : // 0 < n
          p < c ? x + F(a, x, n, v) : n
          //p < c ? Fix(a, x, n, v) : n
        );

  lemma R_1:
    \forall int *a, v, integer n, p;
      \let x = R(a, n, v, p-1) + 1;
      0 <= n      ==>
      0 <= p < n  ==> 
      R(a, n, v, p) == x + F(a, x, n, v);

  lemma R_2:
    \forall int *a, v, integer i, n, p;
      0 < n       ==>
      0 <= p < n  ==>
      0 <= R(a, n, v, p);
*/

Relationships

Notes
There are no notes attached to this issue.

Issue History
Date Modified	Username	Field	Change
2020-03-10 11:44	jens	New Issue
2020-03-10 11:44	jens	Status	new => assigned
2020-03-10 11:44	jens	Assigned To	=> correnson
2020-03-10 11:44	jens	File Added: issue.c
2020-03-16 12:32	correnson	Assigned To	correnson => AllanBlanchard