Meaning of \old in ACSL post-conditions

Submitted by 匆匆过客 on 2019-12-06 02:41:54

You are verifying some tricky memory manipulations for a “newbie”.

The ACSL construct \old does not work exactly like you think it does.

First, \old(handle) in a post-condition is the same as handle, because handle is a parameter. A contract is intended to be used from the point of view of callers. Even if the function wait modified handle (which would be unusual but is possible), its contract would still be intended to relate values passed as argument by the caller and the state returned by the function to the caller.

In short, in an ACSL post-condition, parameter always means \old(parameter) (even if the function modifies parameter like a local variable).

Second, the rule above is only for parameters. For global variables and memory accesses, the post-condition is considered to apply to the post-state, as you would expect from its name. The construct \old(handle)->data that you wrote, and that is equivalent to handle->data, means “the field .data that the old value of handle points to in the new state”, so that the post-condition handle->data == \old(handle)->data is a tautology and probably not what you intended.

From the context, it appears that you intended handle->data == \old(handle->data) instead, which means “the field .data that the old value of handle points to in the new state is equal to the field .data that the old value of handle points to in the old state”. With that change, all the assertions in your program get proved for me (using Alt-Ergo 0.93).
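The three rules in the answer above, as an added example that is not part of the original question or answer: a function that overwrites its own parameter (rule 1), a function whose contract carries both the tautological `\old(h)->data` and the intended `\old(h->data)` (rule 2), and a function that really does modify `.data`, where the tautology is still provable and only the `\old(h->data)` form distinguishes the two behaviours. The type and function names (`struct handle`, `advance`, `wait_on_handle`, `bump`, `check_contracts`) are assumptions chosen for the illustration; nothing here is taken from the asker's program.

```c
#include <stddef.h>
#include <limits.h>

/* Added example, not code from the original question or answer.
   All names below are illustrative assumptions. */

struct handle {
    int data;
    int counter;
};

/* Rule 1: a parameter in a post-condition denotes its pre-state value.
   advance() overwrites its local copy of p, yet in 'ensures' the name p is
   the pointer the caller passed, so '\result == p + n' is the right claim
   (writing \old(p) there would mean exactly the same thing). */
/*@ requires n <= 1024;
    requires \valid(p + (0 .. n - 1));
    assigns \nothing;
    ensures \result == p + n;
*/
int *advance(int *p, size_t n)
{
    /*@ loop invariant n <= \at(n, Pre);
        loop invariant p == \at(p, Pre) + (\at(n, Pre) - n);
        loop assigns p, n;
        loop variant n;
    */
    while (n > 0) {
        p++;
        n--;
    }
    return p;
}

/* Rule 2: memory accesses in a post-condition are read in the post-state.
   \old(h) is just h, and '->data' is dereferenced after the call on both
   sides, so 'h->data == \old(h)->data' is a tautology. The property that
   .data survives the call is '\old(h->data)': the whole access is evaluated
   in the pre-state. Both forms are left in so a prover shows the difference. */
/*@ requires \valid(h);
    requires h->counter < INT_MAX;
    assigns h->counter;
    ensures h->data == \old(h)->data;
    ensures h->data == \old(h->data);
    ensures h->counter == \old(h->counter) + 1;
*/
int wait_on_handle(struct handle *h)
{
    h->counter++;
    return h->data;
}

/* bump() does modify .data. The tautological clause is still provable,
   which is precisely why it says nothing about the call; only the
   \old(h->data) clause captures what the function really does. */
/*@ requires \valid(h);
    requires h->data < INT_MAX;
    assigns h->data;
    ensures h->data == \old(h)->data;
    ensures h->data == \old(h->data) + 1;
*/
int bump(struct handle *h)
{
    h->data += 1;
    return h->data;
}

/* Offset reached by advance() on a constructed 8-element buffer. */
long advanced_offset(size_t n)
{
    static int buf[8];
    return (long)(advance(buf, n) - buf);
}

/* Runs the functions on constructed input and returns 1 when the observed
   behaviour matches the intended (non-tautological) post-conditions. */
int check_contracts(void)
{
    struct handle h = { 41, 0 };           /* constructed sample state */
    if (wait_on_handle(&h) != 41) return 0;
    if (h.data != 41 || h.counter != 1) return 0;   /* .data survived, .counter bumped */
    if (bump(&h) != 42 || h.data != 42) return 0;   /* .data really changed */
    return 1;
}
```

Running `frama-c -wp` on this file discharges every clause of `advance` and `wait_on_handle`, and in `bump` it also discharges `h->data == \old(h)->data` even though `.data` changed; that is the observation the answer makes about the asker's original post-condition.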
