I'm yet again perplexed by a simple verification exercise, this time in Frama-C (Sodium) using the WP plugin, since I couldn't get Jessie to work on the uni workstations (in process of being installed by admin staff/team.) I have been reading 'ACSL by example' and the manual. Though I would think this example to be simple enough to get right very quickly. After using Dafny and Whiley to verify the same algorithm perhaps my has become a bit tainted.
#include <stdio.h>
// A linear search over a sorted array looking for a given element.
/*@ requires len > 0;
@ requires \valid( ls+ ( 0..(len - 1) ) );
@ requires \forall size_t k; 0 <= k < (len - 1) ==> ls[k] <= ls[k + 1];
@ assigns \nothing;
@ behavior found:
@ assumes \exists size_t k; 0 <= k < len && ls[k] == item;
@ ensures \result >= 0;
@ behavior nfound:
@ assumes \forall size_t k; 0 <= k < len ==> ls[k] != item;
@ ensures \result == -1;
@ complete behaviors found, nfound;
@ disjoint behaviors found, nfound;
*/
int search( int ls[], const size_t len, int item )
{
size_t i = 0;
/*@ loop invariant 0 <= i <= len;
@ loop invariant \forall size_t k; 0 <= k < i ==> ls[k] != item;
@ loop assigns i;
@ loop variant len - i;
*/
while ( i < len )
{
if ( ls[i] == item )
return i;
++i;
}
return -1;
}
int main()
{
int src[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
if ( search( src, 10, 5 ) >= 0 ) printf( "found item" );
else printf( "no item found" );
}
and the output I get when trying to verify this is:
$ frama-c -pp-annot -wp -wp-rte -wp-timeout 100 search.c
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing search.c (with preprocessing)
/tmp/ppannot97a491.c:1:0: warning: "__STDC_VERSION__" redefined
#define __STDC_VERSION__ 201112L
^
<built-in>: note: this is the location of the previous definition
/tmp/ppannot97a491.c:2:0: warning: "__STDC_UTF_16__" redefined
#define __STDC_UTF_16__ 1
^
<built-in>: note: this is the location of the previous definition
/tmp/ppannot97a491.c:3:0: warning: "__STDC_UTF_32__" redefined
#define __STDC_UTF_32__ 1
^
<built-in>: note: this is the location of the previous definition
[wp] Running WP plugin...
[wp] Collecting axiomatic usage
[rte] annotating function main
[rte] annotating function search
[wp] 20 goals scheduled
[wp] [Qed] Goal typed_main_call_search_pre : Valid
[wp] [Qed] Goal typed_main_call_search_pre_2 : Valid
[wp] [Alt-Ergo] Goal typed_search_complete_found_nfound : Valid (10ms) (19)
[wp] [Alt-Ergo] Goal typed_search_loop_inv_preserved : Valid (17ms) (21)
[wp] [Alt-Ergo] Goal typed_search_disjoint_found_nfound : Valid (13ms) (19)
[wp] [Qed] Goal typed_search_loop_inv_established : Valid
[wp] [Qed] Goal typed_search_loop_inv_2_established : Valid
[wp] [Alt-Ergo] Goal typed_main_call_search_pre_3 : Valid (383ms) (93)
[wp] [Alt-Ergo] Goal typed_search_loop_inv_2_preserved : Valid (17ms) (33)
[wp] [Qed] Goal typed_search_loop_assign : Valid
[wp] [Alt-Ergo] Goal typed_search_assert_rte_mem_access : Valid (50ms) (89)
[wp] [Alt-Ergo] Goal typed_search_assert_rte_unsigned_overflow : Valid (13ms) (30)
[wp] [Qed] Goal typed_search_assign_part1 : Valid
[wp] [Qed] Goal typed_search_assign_part2 : Valid
[wp] [Qed] Goal typed_search_assign_part3 : Valid
[wp] [Qed] Goal typed_search_assign_part4 : Valid
[wp] [Qed] Goal typed_search_loop_term_decrease : Valid (3ms)
[wp] [Qed] Goal typed_search_loop_term_positive : Valid
[wp] [Alt-Ergo] Goal typed_search_nfound_post : Valid (17ms) (33)
[wp] [Alt-Ergo] Goal typed_search_found_post : Unknown (54.3s)
[wp] Proved goals: 19 / 20
Qed: 11 (3ms-3ms)
Alt-Ergo: 8 (10ms-383ms) (93) (unknown: 1)
This puzzled me for a while, but after an attempt at a Coq proof, I figured out that the reason why you can't prove the found behavior is simply that ... it is not correct. Namely, for len > INT_MAX and an item which is not found in the INT_MAX first cells of the array but appears somewhere later, the result, as seen as an int will be negative.
Well, technically, this is implementation defined, as stated in C99, 6.3.1.3§3:
Otherwise, the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised.
If you add the option -warn-signed-downcast to your command line, you will see a new RTE-generated assertion which is not proved:
/*@ assert rte: signed_downcast: i ≤ 2147483647; */
Then the post-condition of the found behavior gets proved, under the hypothesis that said assertion holds.