Master Parisien de Recherche en Informatique 2010–2011 Proof Assistants
TD/TP 8 – Verifying Imperative Programs 2011-02-15
The goal is to verify some C functions from a string-manipulation library by using Frama-C + Jessie + Why for computing weakest preconditions and Alt-Ergo for checking them. The tools can be run withframa-c -jessie file.c.
Complete the specification of these functions. Use Alt-Ergo on the generated verification conditions. Fix the implementation of the functions if needed. Add some other functions and their specification.
/* @
a x i o m a t i c s t r i n g {
l o g i c i n t e g e r s t r l e n _ { L }( c h a r * src );
a x i o m s t r l e n _ i n s i d e { L }:
\ f o r a l l c h a r * src ; \ f o r a l l i n t e g e r x ; 0 <= x < s t r l e n _ ( src ) == > src [ x ] != 0;
a x i o m s t r l e n _ e n d { L }:
\ f o r a l l c h a r * src ; src [ s t r l e n _ ( src )] == 0;
}
*/
/* @
r e q u i r e s \ v a l i d _ r a n g e ( src , 0 , s t r l e n _ ( src ));
e n s u r e s \ r e s u l t == s t r l e n _ ( src );
*/
int s t r l e n (c h a r * src ) {
int res = 0;
/* @ l o o p i n v a r i a n t 0 <= res && res <= s t r l e n _ ( src );
l o o p v a r i a n t s t r l e n _ ( src ) - res ; */
for (; src [ res ]; ++ res );
r e t u r n res ; }
v o i d s t r c a t (c h a r * dst , c o n s t c h a r * src ) {
dst += s t r l e n ( dst );
for (; * src ; ++ src , ++ dst ) * dst = * src ;
* dst = 0;
}
Remarks:
• C strings are usually represented by a pointer to their first character, and they extend till character0inclusive.
• The \valid_range(p, i, j) predicate states that pointer p is inside an allocated memory block big enough for all the pointersp+i . . . p+j to be valid.
• Typeintegeris the type of unbounded integers (Z) while typeintis the type of machine integers; they can overflow.
1
