-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarification on meaning of \valid #74
Comments
Something has to be modified into the ACSL manual about the definition of
|
I mostly agree with @pbaudin . I have two remarks:
With the caveat that ACSL has support for talking about (un)specified values (through |
@yakobowski I'm not sure I'm following you. if |
You're right, I got confused. I remembered that we determined that indeterminate values were partitioned between non-initialized + dangling + trap representations, but this is completely unrelated to unspecified values. This means that the fix is easier though. Just mention that reading a |
It seems to me there are at least 4 different classes of pointer values one would like to specify with predicates. These may not be the appropriate names, but here is the idea... Valid: can be used in pointer arithmetic, equality and inequality. Cannot necessarily be used as argument of dereference operator. Allocated: Valid + points to allocated memory. I.e., all sizeof(T) bytes are inside a live object. Readable: Allocated + the bytes represent a valid, non-trap, value of the type. Hence *p can be read. Writeable: Allocated + T is not const-qualified, so you can assign to *p. Example of not valid: Is there some way to express each of these in ACSL? |
[Note: I corrected a typo for "Readable", I initially wrote Let's start by the end.
That's
That's supposed to be ACSL has no way to talk about other trap representations because no modern architecture has them.
That's
That one is trickier, and is insufficiently axiomatized in ACSL right now. (Although things like "past-one" pointers can be described using To give you a datapoint, the Eva plugins emits warnings on pointers such as |
Thanks, Boris. |
And what is about alignment? |
@sfsiegel Unfortunately, the current
This is why I put [1] And so, in practice, To give an example:
@khoroshilov ACSL does not currently impose alignment requirement on pointers, which is a known defect indeed. |
Please see issue #83 |
I have a question about the meaning of \valid. The ACSL manual says "A pointer p is said to be valid if *p is guaranteed to produce a definite value according to the C standard", and "\valid{L}(s) holds if and only if dereferencing any p ∈ s is safe at label L, both for reading from *p and writing to it."
In the following code, is p valid?
int main() {
int x, *p = &x;
//@ assert \valid(p);
}
According to the C Standard, the value of x is "indeterminate" and an attempt to read *p results in undefined behavior, because x might hold a "trap representation" which does "not represent a value of the object type".
So it sounds like *p is not guaranteed to produce a definite value, and certainly dereferencing p is not safe for reading. But I'm pretty sure that the intention is that p should be valid and Frama-C+WP says the assertion holds.
Quotes from C Standard (2018)...
"If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate." (6.7.9 (10))
"Certain object representations need not represent a value of the object type. If the stored value of an object has such a representation and is read by an lvalue expression that does not have character type, the behavior is undefined. ... Such a representation is called a trap representation". (6.2.6.1(5))
"Thus, an automatic variable can be initialized to a trap representation without causing undefined behavior, but the value of the variable cannot be used until a proper value is stored in it." (footnote 50)
The text was updated successfully, but these errors were encountered: