Frama-C order function
up vote
1
down vote
favorite
I am trying to prove the correctness of my sorting function 'order' with Frama-C with the ACSL language. I have an additional 'swap' function to permute two values of my array 't'.
EDIT :
I updated my code.
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
requires i<l && j<l && i>=0 && j>=0;
assigns t[i], t[j];
ensures t[j] == old(t[i]);
ensures t[i] == old(t[j]);
*/
void swap(int *t, int l, int i,int j){
int tmp;
tmp = t[i];
t[i] = t[j];
t[j] = tmp;
return;
}
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
ensures forall integer k; (0 <= k < l-1) ==> t[k] <= t[k+1];
*/
void order(int *t, int l) {
int i;
int j;
/*@
loop assigns i, t[0 .. l-1];
loop invariant 0<=i<l && i>=0;
loop invariant forall integer k; (0 <= k<=i) ==> t[k] <= t[k+1];
loop variant l-i;
*/
for (i=0;i<l;i++) {
/*@
loop assigns j, t[0 .. l-1];
loop invariant i<=j<l && i>=0 && j>=0;
loop invariant forall integer k; (0 <= k <= j) ==> (t[k] <= t[k+1]);
loop variant l-j;
*/
for (j=i; j<l; j++) {
if (t[i] > t[j]){
/*@ assert t[i] > t[j] && i<l && j<l && i>=0 && j>=0 ; */
swap(t, l, i, j);
/*@ assert t[i] < t[j] && i<l && j<l && i>=0 && j>=0 ; */
}
}
}
}
Thanks for your help!
c frama-c
asked Nov 10 at 10:24
Ilan
408
add a comment |
up vote
1
down vote
favorite
I am trying to prove the correctness of my sorting function 'order' with Frama-C with the ACSL language. I have an additional 'swap' function to permute two values of my array 't'.
EDIT :
I updated my code.
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
requires i<l && j<l && i>=0 && j>=0;
assigns t[i], t[j];
ensures t[j] == old(t[i]);
ensures t[i] == old(t[j]);
*/
void swap(int *t, int l, int i,int j){
int tmp;
tmp = t[i];
t[i] = t[j];
t[j] = tmp;
return;
}
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
ensures forall integer k; (0 <= k < l-1) ==> t[k] <= t[k+1];
*/
void order(int *t, int l) {
int i;
int j;
/*@
loop assigns i, t[0 .. l-1];
loop invariant 0<=i<l && i>=0;
loop invariant forall integer k; (0 <= k<=i) ==> t[k] <= t[k+1];
loop variant l-i;
*/
for (i=0;i<l;i++) {
/*@
loop assigns j, t[0 .. l-1];
loop invariant i<=j<l && i>=0 && j>=0;
loop invariant forall integer k; (0 <= k <= j) ==> (t[k] <= t[k+1]);
loop variant l-j;
*/
for (j=i; j<l; j++) {
if (t[i] > t[j]){
/*@ assert t[i] > t[j] && i<l && j<l && i>=0 && j>=0 ; */
swap(t, l, i, j);
/*@ assert t[i] < t[j] && i<l && j<l && i>=0 && j>=0 ; */
}
}
}
}
Thanks for your help!
c frama-c
asked Nov 10 at 10:24
Ilan
408
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I am trying to prove the correctness of my sorting function 'order' with Frama-C with the ACSL language. I have an additional 'swap' function to permute two values of my array 't'.
EDIT :
I updated my code.
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
requires i<l && j<l && i>=0 && j>=0;
assigns t[i], t[j];
ensures t[j] == old(t[i]);
ensures t[i] == old(t[j]);
*/
void swap(int *t, int l, int i,int j){
int tmp;
tmp = t[i];
t[i] = t[j];
t[j] = tmp;
return;
}
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
ensures forall integer k; (0 <= k < l-1) ==> t[k] <= t[k+1];
*/
void order(int *t, int l) {
int i;
int j;
/*@
loop assigns i, t[0 .. l-1];
loop invariant 0<=i<l && i>=0;
loop invariant forall integer k; (0 <= k<=i) ==> t[k] <= t[k+1];
loop variant l-i;
*/
for (i=0;i<l;i++) {
/*@
loop assigns j, t[0 .. l-1];
loop invariant i<=j<l && i>=0 && j>=0;
loop invariant forall integer k; (0 <= k <= j) ==> (t[k] <= t[k+1]);
loop variant l-j;
*/
for (j=i; j<l; j++) {
if (t[i] > t[j]){
/*@ assert t[i] > t[j] && i<l && j<l && i>=0 && j>=0 ; */
swap(t, l, i, j);
/*@ assert t[i] < t[j] && i<l && j<l && i>=0 && j>=0 ; */
}
}
}
}
Thanks for your help!
c frama-c
asked Nov 10 at 10:24
Ilan
408
I am trying to prove the correctness of my sorting function 'order' with Frama-C with the ACSL language. I have an additional 'swap' function to permute two values of my array 't'.
EDIT :
I updated my code.
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
requires i<l && j<l && i>=0 && j>=0;
assigns t[i], t[j];
ensures t[j] == old(t[i]);
ensures t[i] == old(t[j]);
*/
void swap(int *t, int l, int i,int j){
int tmp;
tmp = t[i];
t[i] = t[j];
t[j] = tmp;
return;
}
/*@
requires valid (t+ (0..(l-1)));
requires l > 0;
ensures forall integer k; (0 <= k < l-1) ==> t[k] <= t[k+1];
*/
void order(int *t, int l) {
int i;
int j;
/*@
loop assigns i, t[0 .. l-1];
loop invariant 0<=i<l && i>=0;
loop invariant forall integer k; (0 <= k<=i) ==> t[k] <= t[k+1];
loop variant l-i;
*/
for (i=0;i<l;i++) {
/*@
loop assigns j, t[0 .. l-1];
loop invariant i<=j<l && i>=0 && j>=0;
loop invariant forall integer k; (0 <= k <= j) ==> (t[k] <= t[k+1]);
loop variant l-j;
*/
for (j=i; j<l; j++) {
if (t[i] > t[j]){
/*@ assert t[i] > t[j] && i<l && j<l && i>=0 && j>=0 ; */
swap(t, l, i, j);
/*@ assert t[i] < t[j] && i<l && j<l && i>=0 && j>=0 ; */
}
}
}
}
Thanks for your help!
c frama-c
c frama-c
asked Nov 10 at 10:24
Ilan
408
asked Nov 10 at 10:24
Ilan
408
edited Nov 12 at 14:03
asked Nov 10 at 10:24
Ilan
408
asked Nov 10 at 10:24
Ilan
408
asked Nov 10 at 10:24
Ilan
408
408
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
3
down vote
As always when using WP, it is crucial that all functions called by the function under proof are equipped with a contract with assigns clauses. Furthemore, all loops of said function under proof must have a loop assigns clause. If this is not the case, WP will conclude that any part of the memory state might be modified by the call (resp. the loop), so that it won't be able to say anything meaningful after the corresponding instruction.
Thus, at the very minimum, you should add/replace the existing clause by:
- in the contract of
swap, a clauseassigns t[i], t[j];
- in the loop annotation of the outer loop, a clause
loop assigns i, t[0 .. l-1];
- in the loop annotation of the inner loop, a clause
loop assigns j, t[i .. l-1];
As as side note regarding loop assigns:
- they must describe all the potential modifications from the first entry into the loop up to the current step (hence
t[i], t[j]is not sufficient, as there might have been other swaps occuring before the currentj). - the index of the loop (here
iandj) must be part of the loop assigns, although it is very easy to overlook it and wonder why WP is not happy.
Note that there might be others issues with your annotations, but these are the most obvious ones, and having appropriate assigns clauses is probably the single most important thing to have before attempting to prove deeper functional properties.
answered Nov 12 at 10:42
Virgile
6,719931
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Sincejis declared at the beginning of the function instead of directly in the innerfor, it must be in theloop assignsof the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of<and<=and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.
– Virgile
Nov 14 at 9:33
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53238004%2fframa-c-order-function%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
As always when using WP, it is crucial that all functions called by the function under proof are equipped with a contract with assigns clauses. Furthemore, all loops of said function under proof must have a loop assigns clause. If this is not the case, WP will conclude that any part of the memory state might be modified by the call (resp. the loop), so that it won't be able to say anything meaningful after the corresponding instruction.
Thus, at the very minimum, you should add/replace the existing clause by:
- in the contract of
swap, a clauseassigns t[i], t[j];
- in the loop annotation of the outer loop, a clause
loop assigns i, t[0 .. l-1];
- in the loop annotation of the inner loop, a clause
loop assigns j, t[i .. l-1];
As as side note regarding loop assigns:
- they must describe all the potential modifications from the first entry into the loop up to the current step (hence
t[i], t[j]is not sufficient, as there might have been other swaps occuring before the currentj). - the index of the loop (here
iandj) must be part of the loop assigns, although it is very easy to overlook it and wonder why WP is not happy.
Note that there might be others issues with your annotations, but these are the most obvious ones, and having appropriate assigns clauses is probably the single most important thing to have before attempting to prove deeper functional properties.
answered Nov 12 at 10:42
Virgile
6,719931
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Sincejis declared at the beginning of the function instead of directly in the innerfor, it must be in theloop assignsof the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of<and<=and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.
– Virgile
Nov 14 at 9:33
add a comment |
up vote
3
down vote
As always when using WP, it is crucial that all functions called by the function under proof are equipped with a contract with assigns clauses. Furthemore, all loops of said function under proof must have a loop assigns clause. If this is not the case, WP will conclude that any part of the memory state might be modified by the call (resp. the loop), so that it won't be able to say anything meaningful after the corresponding instruction.
Thus, at the very minimum, you should add/replace the existing clause by:
- in the contract of
swap, a clauseassigns t[i], t[j];
- in the loop annotation of the outer loop, a clause
loop assigns i, t[0 .. l-1];
- in the loop annotation of the inner loop, a clause
loop assigns j, t[i .. l-1];
As as side note regarding loop assigns:
- they must describe all the potential modifications from the first entry into the loop up to the current step (hence
t[i], t[j]is not sufficient, as there might have been other swaps occuring before the currentj). - the index of the loop (here
iandj) must be part of the loop assigns, although it is very easy to overlook it and wonder why WP is not happy.
Note that there might be others issues with your annotations, but these are the most obvious ones, and having appropriate assigns clauses is probably the single most important thing to have before attempting to prove deeper functional properties.
answered Nov 12 at 10:42
Virgile
6,719931
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Sincejis declared at the beginning of the function instead of directly in the innerfor, it must be in theloop assignsof the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of<and<=and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.
– Virgile
Nov 14 at 9:33
add a comment |
up vote
3
down vote
up vote
3
down vote
As always when using WP, it is crucial that all functions called by the function under proof are equipped with a contract with assigns clauses. Furthemore, all loops of said function under proof must have a loop assigns clause. If this is not the case, WP will conclude that any part of the memory state might be modified by the call (resp. the loop), so that it won't be able to say anything meaningful after the corresponding instruction.
Thus, at the very minimum, you should add/replace the existing clause by:
- in the contract of
swap, a clauseassigns t[i], t[j];
- in the loop annotation of the outer loop, a clause
loop assigns i, t[0 .. l-1];
- in the loop annotation of the inner loop, a clause
loop assigns j, t[i .. l-1];
As as side note regarding loop assigns:
- they must describe all the potential modifications from the first entry into the loop up to the current step (hence
t[i], t[j]is not sufficient, as there might have been other swaps occuring before the currentj). - the index of the loop (here
iandj) must be part of the loop assigns, although it is very easy to overlook it and wonder why WP is not happy.
Note that there might be others issues with your annotations, but these are the most obvious ones, and having appropriate assigns clauses is probably the single most important thing to have before attempting to prove deeper functional properties.
answered Nov 12 at 10:42
Virgile
6,719931
As always when using WP, it is crucial that all functions called by the function under proof are equipped with a contract with assigns clauses. Furthemore, all loops of said function under proof must have a loop assigns clause. If this is not the case, WP will conclude that any part of the memory state might be modified by the call (resp. the loop), so that it won't be able to say anything meaningful after the corresponding instruction.
Thus, at the very minimum, you should add/replace the existing clause by:
- in the contract of
swap, a clauseassigns t[i], t[j];
- in the loop annotation of the outer loop, a clause
loop assigns i, t[0 .. l-1];
- in the loop annotation of the inner loop, a clause
loop assigns j, t[i .. l-1];
As as side note regarding loop assigns:
- they must describe all the potential modifications from the first entry into the loop up to the current step (hence
t[i], t[j]is not sufficient, as there might have been other swaps occuring before the currentj). - the index of the loop (here
iandj) must be part of the loop assigns, although it is very easy to overlook it and wonder why WP is not happy.
Note that there might be others issues with your annotations, but these are the most obvious ones, and having appropriate assigns clauses is probably the single most important thing to have before attempting to prove deeper functional properties.
answered Nov 12 at 10:42
Virgile
6,719931
answered Nov 12 at 10:42
Virgile
6,719931
answered Nov 12 at 10:42
Virgile
6,719931
answered Nov 12 at 10:42
Virgile
6,719931
6,719931
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Sincejis declared at the beginning of the function instead of directly in the innerfor, it must be in theloop assignsof the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of<and<=and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.
– Virgile
Nov 14 at 9:33
add a comment |
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Sincejis declared at the beginning of the function instead of directly in the innerfor, it must be in theloop assignsof the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of<and<=and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.
– Virgile
Nov 14 at 9:33
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
thanks for your reply. It was very helpful for a beginner like me. I'm now stuck with my loop invariant.
– Ilan
Nov 12 at 14:07
1
1
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Since
j is declared at the beginning of the function instead of directly in the inner for, it must be in the loop assigns of the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of < and <= and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.– Virgile
Nov 14 at 9:33
It would have been better if you had asked a new question rather than heavily editing your code, making the answer inaccurate. Since
j is declared at the beginning of the function instead of directly in the inner for, it must be in the loop assigns of the outer loop, as it is in scope there. There are various problems with your invariants. First, you should be very careful about your uses of < and <= and your bounds. Second, your invariants are two weak: one of them must indicate that all elements after i are greater than all elements before i.– Virgile
Nov 14 at 9:33
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53238004%2fframa-c-order-function%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
