Assertion on pointer to array

Question

I have defined the following function which is well proved by frama-c:

//ensures array <= \result < array+length && *\result == element;
/*@
  requires 0 < length;
  requires \valid_read(array + (0 .. length-1));

  assigns  \nothing;

  behavior in:
    assumes \exists int off ; 0 <= off < length && array[off] == element;
    ensures *\result == element;

  behavior notin:
    assumes \forall int off ; 0 <= off < length ==> array[off] != element;
    ensures \result == 0;

  disjoint behaviors;
  complete behaviors;
*/
int* search(int* array, int length, int element){
   int *tmp;
  /*@
    loop invariant 0 <= i <= length;
    loop invariant \forall int j; 0 <= j < i ==> array[j] != element;
    loop assigns i;
    loop variant length-i;
  */ 
  for(int i = 0; i < length; i++)
  {
    if(array[i] == element) 
    {
        tmp = &array[i];
        //@ assert *tmp==element;
    }
    else
    {
        tmp = 0;    
    }
  }
  return tmp;
}

and I use it in the following main entry:

int main(){
  int arr[5]={1,2,3,4,5};
  int *p_arr;

  p_arr = search(arr,5,4);
  //@ assert *p_arr==30;

  return 0
}

I am wondering why frama-c give the assertion "//@ assert *p_arr==30;" as true, I do not understand.

Thanks

Answer 1

Using the command line only, I saw some problems in your code:

• tmp is missing in the loop assigns;
• you need to:
  • either add a break in the then branch of the seach function (then you would return the pointer on the first element that match)
  • or initialize tmp = 0 at the beginning of the function and remove the else branch in the loop (then you would return a pointer on the last occurrence).

I didn't try the GUI, but it seems strange that you say that your example is:

well proved by frama-c

I suggest that you use the command line to begin with.

Answer 2

Ok now I correct my code as follow:

//ensures array <= \result < array+length && *\result == element;
/*@
  requires 0 < length;
  requires \valid_read(array + (0 .. length-1));

  assigns  \nothing;

  behavior in:
    assumes \exists int off ; 0 <= off < length && array[off] == element;
    ensures *\result == element;

  behavior notin:
    assumes \forall int off ; 0 <= off < length ==> array[off] != element;
    ensures \result == 0;

  disjoint behaviors;
  complete behaviors;
*/
int* search(int* array, int length, int element){

  /*@
    loop invariant 0 <= i <= length;
    loop invariant \forall int j; 0 <= j < i ==> array[j] != element;
    loop assigns i;
    loop variant length-i;
  */ 
  for(int i = 0; i < length ; i++)
  {
    if(array[i] == element) 
    {
        return &array[i];
    }
  }
  return 0;
}

and add the following assertion:

int main()
{
    int arr[5] = {1,2,3,4,5};
    int *ptr;

    ptr = search(arr,5,3);
    //@ assert *ptr==3;

}

then run: frama-c -wp -rte myfile.c and got the result:

[wp] Proved goals:   65 / 65
     Qed:            35  (1.00ms-6ms-24ms)
     Alt-Ergo:       30  (16ms-30ms-94ms) (132)

If I set another assertion :

int main()
    {
        int arr[5] = {1,2,3,4,5};
        int *ptr;

        ptr = search(arr,5,3);
        //@ assert *ptr==5;

    }

Then I get the output:

[wp] [Alt-Ergo] Goal typed_main_assert_2 : Timeout (Qed:4ms) (10s)
[wp] Proved goals:   64 / 65
     Qed:            35  (1.00ms-4ms-10ms)
     Alt-Ergo:       29  (16ms-28ms-109ms) (132) (interrupted: 1)

So the assertion is "unknown" as we expected and if we run frama-c-gui the bullet is orange.

So that's working fine , take care about wrong axiomatic stuff ! Thank you Anne for your help.