frama-c

Dynamic array with Frama-C and Eva

情到浓时终转凉″ submitted on 2019-12-11 06:59:07
Question: In https://stackoverflow.com/a/57116260/946226 I learned how to verify that a function foo that operates on a buffer (given by a begin and end pointer) really only reads from it, by creating a representative main function that calls it: #include <stddef.h> #define N 100 char test[N]; extern char *foo(char *, char *); int main() { char* beg, *end; beg = &test[0]; end = &test[0] + N; foo(beg, end); } but this does not catch bugs that only appear when the buffer is very short. I tried the

How do I prove code with a real axiomatic in Frama-C

血红的双手。 submitted on 2019-12-11 06:10:58
Question: I have changed the int type to float in the "Inner Product" code from the ACSL-by-Example book (the code with the int type worked for me) and now I am not able to prove the loop invariant inner. I have added some checks for inf and NaN without any success. #include "limits.h" /*@ predicate Unchanged{K,L}(float* a, integer first, integer last) = \forall integer i; first <= i < last ==> \at(a[i],K) == \at(a[i],L); predicate Unchanged{K,L}(float* a, integer n) = Unchanged{K,L}(a, 0, n); lemma

Install and run frama-C in Windows 7

删除回忆录丶 submitted on 2019-12-11 03:57:02
Question: I have tried to run Frama-C on Windows 7, but it didn't work. I have read all the tips and comments you wrote here, but it is still not working. Can someone explain the installation process in a clear and simple way? I will be grateful. Answer 1: The easiest install for Windows 7 is to use the Windows binary installer for the Boron release (http://frama-c.com/download/frama-c-Boron-20100401.exe). If you do install this version, you will still need to install the gcc-preprocessor in order for frama

Frama-C anagram function behavior verification

六月ゝ 毕业季﹏ submitted on 2019-12-11 03:32:08
Question: I wrote a C function that checks whether two given strings (C-style) are anagrams or not. I try to verify it with Frama-C but it cannot validate the final behaviors of the function (the other specifications are valid). The first one goes to timeout (even with very high timeout values in WP) and the second is unknown. Here is the code: #include <string.h> //@ ghost char alphabet[26] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x'

SMT prover yields 'unknown' despite strong proven assertions

天大地大妈咪最大 submitted on 2019-12-11 03:26:17
Question: Suppose we have the following annotated C code: #define L 3 int a[L] = {0}; /*@ requires \valid(a+(0..(L - 1))); ensures \forall int j; 0 <= j < L ==> (a[j] == j); */ int main() { int i = 0; /*@ loop assigns i, a[0..(i-1)]; loop invariant inv1: 0 <= i <= L; loop invariant inv2: \forall int k; 0 <= k < i ==> a[k] == k; */ while (i < L) { a[i] = i; i++; } /*@ assert final_progress: \forall int k; 0 < k < L ==> a[k] == a[k-1] + 1; assert final_c: a[2] == a[1] - 1; */ return 0; } Why Alt-Ergo/Z3

Checking C code for invalid memory access with Frama-C

戏子无情 submitted on 2019-12-11 01:38:06
Question: I am given this C code (the details of the code, including possible bugs, are not very relevant): int read_leb128(char **ptr, char *end) { int r = 0; int s = 0; char b; do { if ((intptr_t)*ptr >= (intptr_t)end) (exit(1)); b = *(*ptr)++; r += (b & (char)0x7f) << s; s += 7; } while (b & (char)0x80); return r; } and I want to throw some formal methods at it to rule out dangerous bugs. In particular, I would like an assurance that this function does not modify any value besides *ptr and only reads

How customize machine dependency in Frama-C?

天大地大妈咪最大 submitted on 2019-12-10 16:36:48
Question: I have got a 16-bit MPU which differs from x86_16 in the size of size_t, ptrdiff_t, etc. Can anybody give me details and clear instructions about how to customise the machine dependency in Frama-C for my MPU? Answer 1: There is currently no way to do that directly from the command line: you have to write a small OCaml script that will essentially define a new Cil_types.mach (a record containing the necessary information about your architecture) and register it through File.new_machdep. Assuming you

what's the meaning of the circle node in pdgs which is generated by frama-c

佐手、 submitted on 2019-12-06 11:51:51
I use the frama-c tool to analyse the code below. int main (int argc, char *argv[]) { int i,a; for (i = 0; i < 100; i += 1) { a=0; if (a==0) { continue; } else { break; } } return 0; } The command is frama-c -pdg -dot-pdg graph main.c My question is about the control dependence. What does the circle node mean? I try to explain the "while" node: maybe it stands for a one-time loop, because a loop starts from "i<100", so there is a control dependence ("i<100" ------o "while"). Is my guess right? But what does the "break" node mean? I guess that the node "goto __Cont;" is related to the "break;" statement in the

Meaning of \old in ACSL post-conditions

匆匆过客 submitted on 2019-12-06 02:41:54
I am a newbie user of Frama-C and have a few questions regarding assertions over pointers. Consider the C fragment below involving: two related data structures Data and Handle, s.t. Handle has a pointer to Data; a 'state' field in Data indicating whether some hypothetical operation has completed; three functions: init(), start_operation() and wait(); a main() function using the above, and containing 6 assertions (A1-A6). Now, why is it that A5 and A6 cannot be asserted with the WP verifier ("frama-c -wp file.c")? Shouldn't they hold due to the last "ensures" clause on start_operation()? What am I

Understanding Frama-C slicer results

时光总嘲笑我的痴心妄想 submitted on 2019-11-29 11:12:53
I'd like to know if it's possible to do some kind of forward conditioned slicing with Frama-C, and I'm playing with some examples to understand how one could achieve this. I've got this simple example which seems to result in an imprecise slice and I can't understand why. Here is the function I'd like to slice: int f(int a){ int x; if(a == 0) x = 0; else if(a != 0) x = 1; return x; } If I use this specification: /*@ requires a == 0; @ ensures \old(a) == a; @ ensures \result == 0; */ then Frama-C returns the following slice (which is precise), using the "f -slice-return" criterion and f as entry