| View Issue Details [ Jump to Notes ] [ Related Changesets ] | [ Issue History ] [ Print ] |
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000612 | Frama-C | Documentation > ACSL | public | 2010-10-18 17:48 | 2014-02-12 16:55 |
|
| Reporter | Jochen | |
| Assigned To | virgile | |
| Priority | normal | Severity | text | Reproducibility | N/A |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | Frama-C Boron-20100401 | |
| Target Version | Frama-C Carbon-20101201-beta1 | Fixed in Version | Frama-C Carbon-20101201-beta1 | |
|
| Summary | 0000612: Mention that invariant does not hold after for-loop |
| Description | The ACSL-1.4 reference, available from http://frama-c.com/acsl.html, [^] explains on p.35-36 where the invariant of a for-loop shall hold as follows: ``The predicate I holds ... right after the initialization expression ...; for a for (init; c; step) s loop, I must be preserved by the side-effects of c followed by s followed by step''.
While this is possibly the most compact explanation, it is based on the transformation of "for (init;c;step) s" into "init; while (1) { int C=c; if(!C) break; s; step; }", which seems to be rather unusual. As a consequence, the for-loop invariant does not hold after normal termination, if c has side-effects (cf. attached demonstration program).
This unexpected fact should be mentioned in the ACSL reference. |
| Tags | No tags attached. |
|
| Attached Files |  ftest.c [^] (1,103 bytes) 2010-10-18 17:48 [Show Content] [Hide Content]
/*
* This program demonstrates that a loop invariant need not hold after
* normal termination of a for-loop, if its condition has side-effects.
*
* The global variable j is treated in the same way as
* the local (to main()) variable i:
* both are initialized to 0 (line 41, 46),
* and then incremented repeatedly in the loop (line 34/46, 46).
*
* In fact, the invariant j==i can be proven (line 44).
*
* However, right after the loop, an unsatisfiable obligation of the form
* "(...something satisfiable...) ==> i+1 == i"
* is generated for the assert in line 48.
*
* In fact, "i=5 j=6" is printed to stdout,
* when the #include and the printf is uncommented.
*/
//#include <stdio.h>
static int j;
/*@ requires j < 100;
assigns j;
ensures j == \old(j) + 1;
ensures \result == x;
*/
static int f(int x)
{
++j;
return x;
}
int main(void)
{
int i;
j = 0;
/*@ loop variant 5 - i;
loop invariant 0 <= i <= 5;
loop invariant j == i;
*/
for (i=0; f(i)<5; ++i)
;
/*@ assert j == i; */
//printf("i=%d j=%d\n",i,j);
return 0;
}
|
|
Relationships 
Relationships