Unsound handling of access type arguments #20
Comments
Hi @tobycmurray, thanks for the detailed report. I confirm this is a bug and it is still present in the current development version of GNATprove. We will look into it.
No worries. I'd be curious to know: does the SPARK RM forbid this case? Is this just a missing check in the tools, or a deeper issue?
This is just a missing check in the tool, not a deeper issue. The wrongly implemented rule is SPARK RM 6.4.2(2):
http://docs.adacore.com/spark2014-docs/html/lrm/subprograms.html#anti-aliasing
OK here is another issue, demonstrated by the attached (which I admit is not quite as minimal as I'd hoped to get it but I've run out of time... sorry). The problem here appears to be the inconsistency in
What I get on this code is:
Then, when I remove the problematic Post contracts with 'Old, I get:
Finally, after adding SPARK_Mode to the person.adb body, I get:
This I guess is what you expected, right? A small procedural tip: I suggest you report issues by email to report@adacore.com, where they will be immediately seen by all SPARK & GNAT engineers. Also, this will allow us to better track progress on fixing the problem, if necessary.
Ah, my apologies. I see the issue was that I didn't have I did not get the warning about violating SPARK RM 3.10(13)). But possibly this is because I am running the 2019 release? Anyway, sorry for the noise and thanks for looking at it. I'll remember the tip about reporting by email for the future.
No worries, you are welcome :) If you are specifically interested in playing with access types, then I strongly recommend you focus on Community Edition 2020, as we have fixed a lot of bugs and holes in this area since Community Edition 2019. PS If you are experimenting with SPARK for anything more than toy examples, and if this is related to your academic activities, then I encourage you to have a look at https://www.adacore.com/academia
This issue has been fixed in the development version of GNATprove, which now emits a message (in the extended output format, which was recently implemented):
I am closing the issue. Thanks again for reporting it!
In GNAT Community Edition 2019, the SPARK Prover appears to be missing certain alias checks needed to prevent unsoundness when handling certain uses of access types. The following is a minimal example that demonstrates the issue.
The following program main.adb, when run, violates the assert, which is proved by the SPARK Prover.
The project file default.gpr is trivial:
To reproduce, on the command line (noting that I have anonymised some of the output):
The version of gnatprove I am running is simply the Mac OS 64-bit binary package:
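The issue's own attachments (main.adb, default.gpr and the gnatprove output) are not reproduced on this page. The following is an added, constructed illustration of the kind of call the SPARK RM 6.4.2 anti-aliasing rules are meant to reject, not the reporter's program: two access parameters that designate the same object. The names Alias_Demo, Set_Both, Int_Ptr and X are assumptions for this example.

```ada
-- Constructed example (not the issue's attachment): a subprogram whose
-- contract is proved under the assumption that its two access parameters
-- are disjoint, then called with both parameters aliased.
procedure Alias_Demo with SPARK_Mode => On is

   type Int_Ptr is access Integer;

   -- Proved from the body alone: with A and B assumed to designate
   -- different objects, both conjuncts hold after the two assignments.
   procedure Set_Both (A, B : Int_Ptr) with
     Pre  => A /= null and then B /= null,
     Post => A.all = 1 and then B.all = 2
   is
   begin
      A.all := 1;
      B.all := 2;
   end Set_Both;

   X : Int_Ptr := new Integer'(0);

begin
   -- Aliased call: A and B both designate X.all. This is what the
   -- anti-aliasing check must flag. If it does not, the call-site
   -- postcondition (X.all = 1 and X.all = 2) is contradictory, so any
   -- assertion that follows is "proved" from a false hypothesis while
   -- failing at run time (X.all is actually 2 after the call).
   Set_Both (X, X);
   pragma Assert (X.all = 1);
end Alias_Demo;
```

Compiling with GNAT's -gnata switch enables run-time assertion checking, so executing the program raises an assertion failure at the pragma Assert; a version of GNATprove that implements the rule reports the aliased actuals at the call instead of accepting the proof.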