Reputation: 1270
Use possibly invalid pointer in ACSL dependencies
I need to write an ACSL specification for the dependencies of a function that takes a pointer as input, and uses its content when the pointer in not NULL. I think that this specification is correct:
/*@ behavior p_null:
assumes p == \null;
assigns \result from \nothing;
behavior p_not_null:
assumes p != \null;
assigns \result from *p;
*/
int f (int * p);
but I would rather avoid the behaviors, but I don't know if this is correct (and equivalent) :
//@ assigns \result from p, *p;
int f (int * p);
Can I use *p in the right part of the \from even if p might be NULL ?
Upvotes: 1
Views: 126
Answers (1)
Reputation: 10148
Yes you can. the right part of the from indicates which locations might contribute to the value of \result, but f does not need to read from *p to compute \result (and it should better avoid it if p is NULL of course).
As a side note, the question could have also been raised for the assigns clause of the p_not_null behavior, as p!=\null does
not imply \valid(p) in C.
Nevertheless, the contract without behavior is slightly less precise than the one with behaviors, which states that when p is NULL a constant value is returned, and when p is not null, only the content of *p is used (the assigns clause without behavior allows to return e.g. *p+(int)p, or even (int)p).
Upvotes: 2
Related Questions
- Frama-C/E-ACSL Error including header files with wrapper script
- Frama-C does not recognize valid memory access from bitwise-ANDed index
- Frama-C with Eva plugin - Unsupported ACSL construct
- Frama-c: Function calls and static variables
- ACSL list example in the documentation generate a bad sounding warning
- ACSL Logic Struct Declarations Not Working as in Reference Manual
- Frama-C warning: Missing assigns clause (assigns 'everything' instead)
- Error compiling E-ACSL FRAMA-C
- How to force a memory location to be valid in ACSL?
- ACSL set logic / frama-c syntax error