roo
Reputation: 159
Unable to prove assign clause - Frama-C
I'm new to Frama-c and I'd like to understand what is the problem with this simple example :
/*@ requires \valid(array+(0..length-1))
@ ensures \forall integer k; 0 <= k < length ==> array[k] == 0;
@ assigns array[0..length-1];
*/
void fill(int array[], int length){
/*@ loop invariant 0 <= i <= length;
@ loop invariant \forall integer k; 0 <= k < i ==> array[k] == 0;
@ loop assigns i, array[0..i-1];
@ loop variant length - i;
*/
for(int i = 0; i < length; i++){
array[i] = 0;
}
}
In this example, Frama-c (WP + Value) won't prove the assign clause in the function contract and I can't understand why. Any help will be appreciated =)
Upvotes: 5
Views: 1228
Answers (1)
byako
Reputation: 3422
This can be proven (with alt-ergo 0.95.1) if you weaken your loop assigns.
@ loop assigns i, array[0..length-1];
The precondition i >= 0 is also needed, because it is not implied by \valid(array+(0..length-1). array+(0..length-1) is a valid set of locations with length <= 0, although an empty one.
The fact that your original loop assigns does not imply your precondition is a limitation of the current version of the WP plugin.
Upvotes: 4
Related Questions
- Frama-C: unexpected error with _Bool values
- Frama-c fails to prove verify.c from Allan Blanchard's tutorial
- Syntax error when trying to use inductive predicate
- How to prove this assigns clause, part 2?
- Frama-c Assertion
- Unable to verify assign clause - Frama-C
- Frama-C is proving invalid assertions
- Assigns clause for local variables in Frama-C
- Why does frama-c yield a syntax error on this?
- Existential quantified assertion fails