Frama-c WP and preconditions
I have two questions regarding preconditions and Frama-c wp :
- How does Frama-c prove preconditions ?
- When does Frama-c try to prove preconditions ?
I'm asking these questions because sometimes frama-c wp doesn't even attempt the proof, sometimes it succeeds in proving the precondition and sometimes it fails for example here in the first screenshot the proof wasn't tried
But in this second screenshot we attempted the proof and we failed
I'm assuming that the main function had its effect on that, but is it the full picture ? are preconditions subject of proof only when the function is main ?
As a preliminary, just let me precise that there will be no definite answer to the questions "How/When does Frama-C prove preconditions". More precisely, this is highly dependent on the plug-in(s) you're using. Since you mention WP, I will focus on it.
In the general case, pre-conditions of a function f are supposed to hold at each call site (that's where the notion of function contract comes from: f guarantees that the post-conditions hold when it returns only to callers that can guarantee that the pre-conditions hold before the call). Hence, if you don't have any call to f in the functions you choose to prove, no proof of the preconditions will be attempted.
Now, there's an exception for the main function (or more precisely the function designated by the -main option of Frama-C, which defaults to main), as it is supposed to be the entry point of the program, and usually not called anywhere else, an attempt is made to check that the initial program state (where all global variables are equal to their initial value, and formals can have any value) respect the precondition. Note that option -lib-entry indicates that the assumption about global variables having their initial value should not hold, and in that case WP will not attempt to prove the preconditions of the main function, since it cannot make any assumption about its calling context. As an example, the following code:
int X = 1;
/*@ requires X == 1;
ensures \result == 1;
*/
int f() { return X; }
will give 2 (valid) proof obligations with frama-c -wp -main f file.c, and only 1 with frama-c -wp -main f -libentry file.c
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?