Strange behaviour of programs with contract #22

jesper-amilon · 2024-09-05T12:15:27Z

This contract verifies as safe, but it seems it should not, since the assertion in main() does not follow from the post-condition for foo(). If you change the contract to "ensures x >= 0", it seems to verify.
int x;
/*@
ensures x > 0;
*/
void foo(){
x =2;
}

void main() {
foo();
assert(x == 2);
}

zafer-esen · 2024-09-11T08:50:45Z

TriCera shows that the post-condition holds when verifying foo, but uses the method body in main rather than the weaker postcondition, which allows the verification of the assertion. Essentially, the ensures clause is currently equivalent to an assert statement at the end of its method body.

The expected behaviour would be to use the provided contracts rather than the method body at call sites. This would also be a step in the direction of modular verification in TriCera.

jesper-amilon · 2024-09-11T14:44:14Z

Ideally maybe the user could specify with a comman-line flag if tricera should verify modularly or not when seeing a contract.

zafer-esen added the bug Something isn't working label Sep 11, 2024

zafer-esen added the enhancement New feature or request label Sep 11, 2024

zafer-esen mentioned this issue Sep 11, 2024

Verifying programs with ACSL contracts but without implementations. #23

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strange behaviour of programs with contract #22

Strange behaviour of programs with contract #22

jesper-amilon commented Sep 5, 2024

zafer-esen commented Sep 11, 2024

jesper-amilon commented Sep 11, 2024

Strange behaviour of programs with contract #22

Strange behaviour of programs with contract #22

Comments

jesper-amilon commented Sep 5, 2024

zafer-esen commented Sep 11, 2024

jesper-amilon commented Sep 11, 2024