假设我们有以下带注释的C代码:
int a[3] = {0};
/*@ requires \valid(a+(0..2));
assigns a[0..2];
ensures \forall int j; 0 <= j < 3 ==> (a[j] == j); */
int main() {
int i = 0;
/*@ loop assigns i, a[0..(i-1)];
loop invariant inv1: 0 <= i <= 3;
loop invariant inv2:
\forall int k; 0 < k <= i ==> a[k-1] == k-1; */
while (i < L) {
a[i] = i;
i++;
}
//@ assert final_i: i == 3;
//@ assert final_a: a[1] == 1;
}
Z3和Alt-ergo都无法证明断言final_a和post条件; Z3也不能证明循环不变;
Alt-Ergo的输出:
# ~/queue $ frama-c -wp -wp-prover alt-ergo test2.c
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing test2.c (with preprocessing)
[wp] Running WP plugin...
[wp] Collecting axiomatic usage
[wp] warning: Missing RTE guards
[wp] 14 goals scheduled
[wp] [Qed] Goal typed_main_pre : Valid
[wp] [Qed] Goal typed_main_loop_inv_inv1_established : Valid
[wp] [Qed] Goal typed_main_loop_inv_inv2_established : Valid
[wp] [Qed] Goal typed_main_assert_final_i : Valid
[wp] [Alt-Ergo] Goal typed_main_loop_inv_inv1_preserved : Valid (Qed:1ms) (14ms) (15)
[wp] [Qed] Goal typed_main_loop_assign_part1 : Valid
[wp] [Alt-Ergo] Goal typed_main_loop_inv_inv2_preserved : Valid (45ms) (51)
[wp] [Qed] Goal typed_main_loop_assign_part2 : Valid
[wp] [Qed] Goal typed_main_loop_assign_part3 : Valid
[wp] [Qed] Goal typed_main_assign_part1 : Valid
[wp] [Qed] Goal typed_main_assign_part3 : Valid
[wp] [Alt-Ergo] Goal typed_main_assign_part2 : Valid (20ms) (12)
[wp] [Alt-Ergo] Goal typed_main_assert_final_a : Unknown (3.5s)
[wp] [Alt-Ergo] Goal typed_main_post : Timeout (Qed:1ms)
[wp] Proved goals: 12 / 14
Qed: 9 (0ms-1ms)
Alt-Ergo: 3 (14ms-45ms) (51) (interrupted: 1) (unknown: 1)
Z3的输出:
$ frama-c -wp -wp-prover z3 test2.c
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing test2.c (with preprocessing)
[wp] Running WP plugin...
[wp] Collecting axiomatic usage
[wp] warning: Missing RTE guards
[wp] 14 goals scheduled
[wp] [Qed] Goal typed_main_pre : Valid
[wp] [Qed] Goal typed_main_loop_inv_inv1_established : Valid
[wp] [Qed] Goal typed_main_loop_inv_inv2_established : Valid
[wp] [Qed] Goal typed_main_assert_final_i : Valid
[wp] [z3] Goal typed_main_loop_inv_inv1_preserved : Valid (20ms)
[wp] [Qed] Goal typed_main_loop_assign_part1 : Valid
[wp] [Qed] Goal typed_main_loop_assign_part2 : Valid
[wp] [Qed] Goal typed_main_loop_assign_part3 : Valid
[wp] [Qed] Goal typed_main_assign_part1 : Valid
[wp] [z3] Goal typed_main_assert_final_a : Unknown (356ms)
[wp] [Qed] Goal typed_main_assign_part3 : Valid
[wp] [z3] Goal typed_main_post : Unknown (911ms)
[wp] [z3] Goal typed_main_assign_part2 : Valid (10ms)
[wp] [z3] Goal typed_main_loop_inv_inv2_preserved : Unknown (1.3s)
[wp] Proved goals: 11 / 14
Qed: 9
z3: 2 (10ms-20ms) (unknown: 3)
缺少什么?
答案 0 :(得分:0)
如果您将inv2
循环不变量更改为:
loop invariant inv2:
\forall int k; 0 <= k < i ==> a[k] == k;
..然后Alt-Ergo能够证明final_a断言和main()后置条件。