CODEWITHSUNDEEP
cframa-c
Mahdi Talebi
Mahdi Talebi

Reputation: 23

Frama-c Assertion

Recently I have been working with frama-c and I have faced a problem which is a bit confusing.

I have written a very simple program in frama-c which is this:

void main(void)
{
    int a = 3;
    int b = 4;
    /*@ assert a == b;*/
}

I expect frama-c to say the assertion is not valid which in GUI this is shown by red bullet, but instead frama-c says the assertion is not valid according to value (under hypothesis), which is shown by orange-red bullet.

My question is why would frama-c say the assertion is not valid under hypothesis?

What are the possible hypotheses?

I am asking this because my program is very simple and I can't find any hypothesis or dependency in my program which is related to the assertion and I guess frama-c should just say the assertion is not valid.

Upvotes: 2

Views: 507

Answers (2)

byako
byako

Reputation: 3422

An alternative way to see the dependencies of a property proven under hypotheses is to use the Report plugin, on the command-line:

$ frama-c -val c.c -then -report

[report] Computing properties status...

--------------------------------------------------------------------------------
--- Properties of Function 'main'
--------------------------------------------------------------------------------

[  Alarm  ] Assertion (file c.c, line 5)
            By Value, with pending:
             - Unreachable program point (file c.c, line 5)

--------------------------------------------------------------------------------
--- Status Report Summary
--------------------------------------------------------------------------------
     1 Alarm emitted
     1 Total
--------------------------------------------------------------------------------

The pending information lists all the properties required to finish the proof. For statutes emitted by the Value/Eva plugin, the only dependences emitted will always be reachability ones.

(This is actually misleading: the status of the n th property actually depends on the statuses for the properties k with k < n. This would generate a dependency graph too big, so those dependencies are not tracked.)

Upvotes: 0

anol
anol

Reputation: 8953

If you have graphviz configured with your Frama-C installation (i.e. it was available when Frama-C was configured, either manually or via opam), you can double-click the property in the Properties panel, and a window should open with the following dependency graph for the property:

Property dependency graph for <code>assert a == b;</code>

In it, we can see all the hypotheses used by a property, and so we see that the "under hypotheses" mentioned is that of the reachability of the assertion. Eva (value plug-in) computes an over-approximation of reachable states, so it cannot prove that a given state is reachable, only that it is unreachable.

Currently, the only plug-in which can definitely prove reachability statuses is PathCrawler. However, in practice this is rarely an issue.

Upvotes: 2

Related Questions