Verification issue using the Jessie plug-in and Frama-C
I'm new to Frama-C and want to learn the ACSL syntax properly. I have a dummy example, and the Jessie plug-in cannot verify lines 9 and 12. Am I missing something? The function to be verified (equal) checks whether 2 arrays (a and b) have the same values at each index:

```c
/*@ requires \valid_range(a,0,n-1);
    requires \valid_range(b,0,n-1);
    requires n >= 0;
    requires i >= 0 && i <= n;
    assigns i;
    behavior all_equal:
      assumes i == n;
      ensures \result == 1;
    behavior some_not_equal:
      assumes i != n;
      ensures \result == 0;
*/
int equal(int a[], int n, int b[], int i)
{
    /*@ loop invariant 0 <= i <= n;
        loop assigns i;
        loop variant n-i;
    */
    for (i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}
```
There are a couple of incorrect things here:

```c
behavior all_equal:
  assumes i == n;
  ensures \result == 1;
behavior some_not_equal:
  assumes i != n;
  ensures \result == 0;
```

In the assumes clause, variables are evaluated in the pre-state of the function. That means that if you have 2 equal arrays of size n, and assuming i is 0 (which it might not be, see the next explanation), i == n will fail except when the array is of size 0.

Another thing: you seem to be using the i variable for loop control, setting it to 0 at the start of the loop, but in the annotations i, in the pre-state of the program, is between 0 and n. In conjunction with what I said, this is 1 of the reasons why Jessie isn't able to prove this.

Finally, the main reason it cannot prove it is because you are missing an essential loop invariant, 1 that guarantees that both arrays, for the array indexes previous to the current iteration, are equal:

```c
loop invariant \forall integer k; 0 <= k < i ==> a[k] == b[k];
```

With this invariant you can specify the behaviors better. A correct solution to your problem would be:

```c
/*@ requires \valid_range(a,0,n-1);
    requires \valid_range(b,0,n-1);
    requires n >= 0;
    behavior all_equal:
      assumes \forall integer k; 0 <= k < n ==> a[k] == b[k];
      ensures \result == 1;
    behavior some_not_equal:
      assumes \exists integer k; 0 <= k < n && a[k] != b[k];
      ensures \result == 0;
*/
int equal(int a[], int n, int b[])
{
    int i = 0;
    /*@ loop invariant 0 <= i <= n;
        loop invariant \forall integer k; 0 <= k < i ==> a[k] == b[k];
        loop assigns i;
        loop variant n-i;
    */
    for (i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}
```
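As an added illustration (not part of the question or the answer), here is the corrected function with its ACSL clauses turned into runtime assertions, the way a runtime checker would instrument them, run over constructed sample arrays; prefix_equal, equal_checked and the SAMPLE_* arrays are names chosen for this example.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed sample inputs (not from the post): two equal arrays and one
   that differs at index 2. */
static const int SAMPLE_A[] = {1, 2, 3, 4};
static const int SAMPLE_B[] = {1, 2, 3, 4};
static const int SAMPLE_C[] = {1, 2, 9, 4};
#define SAMPLE_N 4

/* Executable form of the answer's key loop invariant:
   \forall integer k; 0 <= k < i ==> a[k] == b[k] */
static int prefix_equal(const int *a, const int *b, int i)
{
    for (int k = 0; k < i; k++)
        if (a[k] != b[k])
            return 0;
    return 1;
}

/* The corrected equal() with its annotations turned into runtime asserts.
   i is a local, so the pre-state no longer constrains it (the answer's
   second point), and the invariant is checked at every loop head. */
int equal_checked(const int *a, int n, const int *b)
{
    assert(n >= 0);                      /* requires n >= 0 */
    int i;
    for (i = 0; i < n; i++) {
        assert(0 <= i && i <= n);        /* loop invariant 0 <= i <= n */
        assert(prefix_equal(a, b, i));   /* forall k < i: a[k] == b[k] */
        if (a[i] != b[i])
            return 0;                    /* some_not_equal: witness k = i */
    }
    /* Loop exit: the invariant (prefix equal up to i) and the negated guard
       (i == n) together give the all_equal assumption over the whole array. */
    assert(i == n && prefix_equal(a, b, n));
    return 1;
}

int main(void)
{
    printf("A vs B: %d\n", equal_checked(SAMPLE_A, SAMPLE_N, SAMPLE_B));
    printf("A vs C: %d\n", equal_checked(SAMPLE_A, SAMPLE_N, SAMPLE_C));
    return 0;
}
```

The assertions mirror the proof obligations: if one of them ever fires on a concrete input, the corresponding ACSL clause could not have been valid either.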