**Authors**
Benjamin Monate
Claude Marché
Jean-Christophe Filliâtre
Pascal Cuoq
Patrick Baudin
Virgile Prevosto
Yannick Moy

**License**
CC-BY-4.0

ANSI/ISO C Specification Language Version 1.18 Implementation in Frama-C 27.0 beta Patrick Baudin, Pascal Cuoq, Jean-Christophe Filliâtre, Claude Marché, Benjamin Monate, Yannick Moy, Virgile Prevosto Work licensed under Creative Commons BY licence https://creativecommons.org/licenses/by/4.0/ © 2009-2023 CEA LIST, Inria Contents 1 Introduction 7 1.1 Organization of this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2 Generalities about Annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.1 Kinds of annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.2 Parsing annotations in practice . . . . . . . . . . . . . . . . . . . . . . 8 1.2.3 About preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.2.4 About keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3 Notations for grammars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2 Specification language 10 2.1 Lexical rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.2 Logic expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2.1 Operators precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.3 Typing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.2.4 Integer arithmetic and machine integers . . . . . . . . . . . . . . . . . 17 2.2.5 Real numbers and floating point numbers . . . . . . . . . . . . . . . . 19 2.2.6 C arrays and pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.2.7 Structures, Unions and Arrays in logic . . . . . . . . . . . . . . . . . . 22 2.3 Function contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.3.1 Built-in constructs \old and \result . . . . . . . . . . . . . . . . . . 25 2.3.2 Simple function contracts . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3.3 Contracts with named behaviors . . . . . . . . . . . . . . . . . . . . . . 27 2.3.4 Memory locations and sets of values . . . . . . . . . . . . . . . . . . . . 30 2.3.5 Default contracts, multiple contracts . . . . . . . . . . . . . . . . . . . 32 2.4 Statement annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 2.4.1 Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 2.4.2 Loop annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.4.3 Built-in construct \at . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.4.4 Statement contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2 CONTENTS 2.5 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.5.1 Measure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.5.2 Integer measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.5.3 General measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 2.5.4 Recursive function calls . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 2.5.5 Non-terminating functions . . . . . . . . . . . . . . . . . . . . . . . . . 44 2.5.6 Measures and non-terminating functions . . . . . . . . . . . . . . . . . 46 2.6 Logic specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.6.1 Predicate and function definitions . . . . . . . . . . . . . . . . . . . . . 46 2.6.2 Lemmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.6.3 Inductive predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.6.4 Axiomatic definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.6.5 Polymorphic logic types . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.6.6 Recursive logic definitions . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.6.7 Higher-order logic constructions . . . . . . . . . . . . . . . . . . . . . . 50 2.6.8 Concrete logic types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 2.6.9 Hybrid functions and predicates . . . . . . . . . . . . . . . . . . . . . . 52 2.6.10 Memory footprint specification: reads clause . . . . . . . . . . . . . . 55 2.6.11 Specification Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 2.7 Pointers and physical addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 2.7.1 Memory blocks and pointer dereferencing . . . . . . . . . . . . . . . . . 56 2.7.2 Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 2.7.3 Dynamic allocation and deallocation . . . . . . . . . . . . . . . . . . . 58 2.8 Sets and lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 2.8.1 Finite sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 2.8.2 Finite lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 2.9 Abrupt termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 2.10 Dependencies information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 2.11 Data invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 2.11.1 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 2.11.2 Model variables and model fields . . . . . . . . . . . . . . . . . . . . . 70 2.12 Ghost variables and statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 2.12.1 Volatile variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 2.13 Initialization and undefined values . . . . . . . . . . . . . . . . . . . . . . . . . . 77 2.14 Dangling pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 2.15 Well-typed pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 2.16 Logic attribute annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 2.17 Preprocessing for ACSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 3 CONTENTS 3 Libraries 80 3.1 Libraries of logic specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 3.1.1 Real numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 3.1.2 Finite lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 3.1.3 Sets and Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 3.2 Jessie library: logical addressing of memory blocks . . . . . . . . . . . . . . . . . 80 3.2.1 Abstract level of pointer validity . . . . . . . . . . . . . . . . . . . . . . 80 3.2.2 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 3.3 Memory leaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 4 Conclusion 82 A Appendices 83 A.1 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 A.2 Builtin functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 A.3 Comparison with JML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 A.3.1 Low-level language vs. inheritance-based one . . . . . . . . . . . . . . . 86 A.3.2 Deductive verification vs. RAC . . . . . . . . . . . . . . . . . . . . . . 89 A.3.3 Syntactic differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 A.4 C grammar elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.4.1 Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.4.2 Literals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.4.3 C Type Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 A.5 Typing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 A.5.1 Rules for terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 A.5.2 Typing rules for sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 A.6 Specification Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 A.6.1 Accessing a C variable that is masked . . . . . . . . . . . . . . . . . . . 95 A.7 Illustrative example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 A.8 Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.1 Version dev . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.2 Version 1.18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.3 Version 1.17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.4 Version 1.16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.5 Version 1.15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.6 Version 1.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.7 Version 1.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.8 Version 1.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.9 Version 1.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.10 Version 1.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 A.8.11 Version 1.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 4 CONTENTS A.8.12 Version 1.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 A.8.13 Version 1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 A.8.14 Version 1.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 A.8.15 Version 1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 A.8.16 Version 1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 A.8.17 Version 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 A.8.18 Version 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Bibliography 106 List of Figures 108 Index 109 5 Foreword This document describes version 1.18 of the ANSI/ISO C Specification Language (ACSL). The language features may still evolve in the future. In particular, some features in this document are considered experimental, meaning that their syntax and semantics is not yet fixed. These features are marked with Experimental. They must also be considered advanced features, which are not needed for basic use of this specification language. Acknowledgements We gratefully thank all the people who contributed to this document: Sylvie Boldo, David Cok, Jean- Louis Colaço, Pierre Crégut, David Delmas, Catherine Dubois, Stéphane Duprat, Arnaud Gotlieb, Philippe Herrmann, Thierry Hubert, André Maroneze, Dillon Pariente, Pierre Rousseau, Julien Signoles, Jean Souyris, Asma Tafat. Funding This work has been supported by the ANR project CAT (ANR-05-RNTL-0030x), by the ANR CIFRE contract 2005/973, by the ANR project U3CAT (08-SEGI-021-xx), and ANR PICF project DEVICE-Soft (2009-CARN-006-01). 6 Introduction 1 This document is a reference manual for the ACSL implementation provided by the Frama-C frame- work [13]. ACSL is an acronym for “ANSI/ISO C Specification Language”. This is a Behavioral Interface Specification Language (BISL) [15] for specifying behavioral properties of C source code. Not all of the features mentioned in this document are currently implemented in the Frama-C kernel. Unimplemented features are signaled as in the following line: This feature is not currently supported by Frama-C1 As a summary, the features that are not currently implemented in Frama-C include in particular: – some built-in predicates and logical functions; – definition of logical types (section 2.6); – specification modules (section 2.6.11); – model variables (section 2.64); – only basic support for ghost code is provided (section 2.12); – verification of non interference of ghost code (p. 72); – specification of volatile variables (section 2.12.1); The main inspiration for this language comes from the specification language of the Caduceus tool [11, 12] for deductive verification of behavioral properties of C programs. The specification language of Caduceus is itself inspired by the Java Modeling Language (JML [21]), which aims at similar goals for Java source code: indeed it aims both at runtime assertion checking and static verification using the OpenJML tool [6, 7], where we aim at static verification and deductive verification (see Appendix A.3 for a detailed comparison between ACSL and JML). Going back further in history, the JML design was guided by the general design-by-contract principle proposed by Bertrand Meyer, originally implemented in the Eiffel language; he took his inspiration from the concepts of preconditions and postconditions on a routine, going back at least to Dijkstra, Floyd and Hoare in the late 60’s and early 70’s. In this document, we assume that the reader has a good knowledge of the ISO C programming language [17, 16] . 1.1 Organization of this document In this preliminary chapter we introduce some definitions and vocabulary, and discuss generalities about this specification language. Chapter 2 presents the specification language itself. Chapter 3 presents additional information about libraries of specifications. The appendices provide specific formal type-checking rules for ACSL annotations, the relation between ACSL and JML, and specification templates. A detailed table of contents is given on page 2. A glossary is given in Appendix A.1. 1 Additional remarks on the feature may appear in a footnote. 7 1.2. GENERALITIES ABOUT ANNOTATIONS 1.2 Generalities about Annotations In this document, we consider that specifications are given as annotations in comments written directly in C source files, so that source files remain compilable. Those comments must start with /*@ or //@ and end as usual in C. In some contexts, it is not possible to modify the source code. It is strongly recommended that a tool that implements ACSL specifications provide technical means to store annotations separately from the source. It is not the purpose of this document to describe such means. Nevertheless, some of the specifications, namely those at a global level, can be given in separate files: logical specifications can be imported (see Section 2.6.11) and a function contract can be attached to a copy of the function profile (see Section 2.3.5). 1.2.1 Kinds of annotations – Global annotations: – function contract : such an annotation is inserted just before the declaration or the definition of a function. See section 2.3. – global invariant : this is allowed at the level of global declarations. See section 2.11. – type invariant : this allows declaring structure invariants, union invariants, and invariants on type names introduced by typedef. See section 2.11. – logic specifications : definitions of logic functions or predicates, lemmas, axiomatizations by declaration of new logic types, logic functions, predicates with axioms they satisfy. Such an annotation is placed at the level of global declarations. See section 2.6 – Statement annotations: – assertion : these are allowed everywhere a C label is allowed, or just before a block closing brace. See section 2.4.1. – loop annotation (invariant, variant, assign clauses): is allowed immediately before a loop statement: for , while , do . . . while . See Section 2.4.2. – statement contract : very similar to a function contract, and placed before a statement or a block. Semantic conditions must be checked (e.g., no goto going inside, no goto going outside). See Section 2.4.4. – ghost code : regular C code, only visible from the specifications and only allowed to modify ghost variables. See section 2.12. This includes ghost braces for enclosing blocks. 1.2.2 Parsing annotations in practice In the original (University of Iowa) JML tools, parsing was done by simply ignoring //@, /*@ and */ at the lexical analysis level. This technique could modify the semantics of the code, for example: return x /*@ +1 */ ; In our language (as in the definition of JML and current JML tools, such as OpenJML), this is forbidden. Technically, the current implementation of Frama-C isolates the comments in a first step of syntax analysis, and then parses a second time. Nevertheless, the grammar and the corresponding parser must be carefully designed to avoid interaction of annotations with the code. For example, in code such as if (c) //@ assert P; c=1; the statement c=1 must be understood as the branch of the if. This is ensured by the ACSL grammar, which states that assert annotations are not statements themselves, but attached to the statement that follows, like C labels. 8 1.3. NOTATIONS FOR GRAMMARS 1.2.3 About preprocessing This document considers C source after preprocessing, except that, whereas normal preprocessing replaces all comments by white space, for the purpose of ACSL, comments specific to ACSL (cf. 2.1) are retained. Tools must decide how they handle preprocessing (what to do with annotations, whether macro substitution should be performed, etc.) Preprocessing includes interpreting C digraphs and trigraphs. As these are generally deprecated and en route to removal from the C standard, ACSL does not define uses of digraphs and trigraphs. Any tool that wishes to support such alternate syntax can preprocess the tokens into conventional tokens before passing the text to ACSL tools. 1.2.4 About keywords Additional keywords of the specification language start with a backslash, if they are used in the position of a term or a predicate (which are defined later in the document). Otherwise they do not start with a backslash (like ensures) and they remain valid identifiers. 1.3 Notations for grammars In this document, grammar rules are given in BNF form. In the grammar rules, we use the extra notations e∗ to denote repetition of zero, one or more occurrences of e, e+ for repetition of one or more occurrences of e, and e? for zero or one occurrence of e. For the sake of simplicity, we only describe annotations in the usual /*@ ... */ style of comments. One-line annotations in //@ comments are similar. Note however that two consecutive comments, regardless of their style, are considered as two independent annotations. In particular, it is not possible in general to split a multi-line annotation into several //@ comments. 9 Specification language 2 2.1 Lexical rules Specification language text is placed inside special C comments; its lexical structure mostly follows that of ANSI/ISO C. A few differences should be noted. – The at sign (@) is equivalent to a space character, except where it indicates the beginning of an ACSL annotation. – Identifiers may start with the backslash character (\). – Some UTF8 characters may be used in place of some constructs, as shown in the following table: >= ≥ 0x2265 <= ≤ 0x2264 > > 0x003E < < 0x003C \in ∈ 0x2208 != ̸ ≡ 0x2262 == ≡ 0x2261 ==> =⇒ 0x21D2 <==> ⇐⇒ 0x21D4 && ∧ 0x2227 || ∨ 0x2228 ^^ (xor) ∨ 0x22BB ! ¬ 0x00AC - (unary minus) − 0x2212 \forall ∀ 0x2200 \exists ∃ 0x2203 integer Z 0x2124 real R 0x211D boolean B 0x1D539 \pi π 0x3C0 – Comments may be put inside ACSL annotations. They use the C++ format, i.e. begin with // and extend to the end of current line. Comments beginning with /* may not be nested within ACSL comments. Nested annotations beginning with //@ are parsed as if the //@ is replaced by white space. An ACSL annotation that contains only white space (after pre-processing) is ignored. – ACSL uses some grammar elements from C, such as literals, type expressions, statements and declarations. Most of these are identified as such by C- prefixes in the figures laying out the grammar. They are described in more detail for reference in Appendix A.4. 10 2.2. LOGIC EXPRESSIONS 2.2 Logic expressions This first section presents the language of expressions one can use in annotations. These are called logic expressions in the following. They correspond to pure C expressions, with additional constructs that we will introduce progressively. literal ::= \true | \false boolean constants | integer (lexical) integer constants | real (lexical) real constants | string (lexical) string constants | character (lexical) character constants bin-op ::= + | - | * | / | % | == | != | <= | >= | > | < | && | || | ^^ boolean operations | << | >> | & | | | --> | <--> | ^ bitwise operations unary-op ::= + | - unary plus and minus | ! boolean negation | ~ bitwise complementation | * pointer dereferencing | & address-of operator term ::= literal literal constants | ident variables, function names | unary-op term | term bin-op term | term [ term ] array access | { term \with [ term ] = term } array functional modifier | term . id structure field access | { term \with . id = term } field functional modifier | term -> id | ( type-expr ) term cast | ident ( term (, term)∗ ) function application | ( term ) parentheses | term ? term : term ternary condition | \let id = term ; term local binding | sizeof ( term ) | sizeof ( C-type-expr ) | id : term syntactic naming | string : term syntactic naming poly-id ::= id ident ::= id Figure 2.1: Grammar of terms. The terminals id, C-type-name, and various literals are the same as the corresponding C lexical tokens (cf. §A.4). Figures 2.1 and 2.2 present the grammar for the basic constructs of logic expressions. In that grammar, we distinguish between predicates and terms, following the usual distinction between propositions and 11 2.2. LOGIC EXPRESSIONS rel-op ::= == | != | <= | >= | > | < pred ::= \true | \false | term (rel-op term)+ comparisons (see remark) | ident ( term (, term)∗ ) predicate application | ( pred ) parentheses | pred && pred conjunction | pred || pred disjunction | pred ==> pred implication | pred <==> pred equivalence | ! pred negation | pred ^^ pred exclusive or | term ? pred : pred ternary condition | pred ? pred : pred | \let id = term ; pred local binding | \let id = pred ; pred | \forall binders ; pred universal quantification | \exists binders ; pred existential quantification | id : pred syntactic naming | string : pred syntactic naming Figure 2.2: Grammar of predicates terms in classical first-order logic. For reference, Fig. 2.3 gives the C grammar for a C type expressions. The grammar for binders and type expressions is given separately in Figure 2.4. Although a type-name in the C grammar is actually an abstract type expression, possibly including qualifiers and pointer and array decorators, here we need to distinguish between raw type names (C-type-name) and type expressions (C-type-expr); Fig. 2.3 is adapted from the C grammar to show this distinction. A type-expr as used in Fig. 2.4 and other grammar productions can be either a logic type name or a C-type expression. Note that declarations can differ slightly between C and ACSL logic. For example, C might declare arr as int arr[], whereas in many places (e.g. Fig. 2.14), ACSL would write int[] arr. To understand the grammar, keep in mind the following distinctions: – An id is a basic alphanumeric identifier, used to denote all manner of language constructs (cf. §A.4). – A poly-id is an id to be used in a declaration or definition of that identifier, possibly with formal type or label arguments. – An ident is a reference to a previously declared programming or specification language item; syntactically it is an id possibly decorated with type arguments and memory state labels. With respect to C pure expressions, the additional constructs are as follows: Additional connectives C operators && (UTF8: ∧), || (UTF8: ∨) and ! (UTF8: ¬) are used as logical connectives. There are additional connectives ==> (UTF8: =⇒) for implication, <==> (UTF8: ⇐⇒) for equivalence and ^^ (UTF8: ∨) for exclusive or. These logical connectives all have a bitwise counterpart, either C ones like &, |, ~ and ^, or additional ones like bitwise implication --> and bitwise equivalence <-->. Quantification Universal quantification is denoted by \forall τ x1 ,. . .,xn ; e and existential quantification by \exists τ x1 ,. . .,xn ; e. Local binding \let x = e1 ;e2 introduces the name x for expression e1 ; x can then be used in expression e2 . 12 2.2. LOGIC EXPRESSIONS C-type-expr ::= C-specifier-qualifier + C-abstract-declarator ? C-type-name ::= C-declaration-specifier + C-specifier-qualifier ::= C-type-specifier | C-type-qualifier C-type-qualifier ::= const | volatile C-type-specifier ::= void | char | short | int | long | float | double | signed | unsigned a | ( struct | union | enum) ident | ident C-abstract-declarator ::= C-pointer | C-pointer C-direct-abstract-declarator | C-direct-abstract-declarator C-pointer ::= ( * C-type-qualifier ∗ )+ C-direct-abstract-declarator ::= ( C-abstract-declarator ) | C-direct-abstract-declarator ? [ C-constant-expression ] | C-direct-abstract-declarator ? ( C-parameter-type-list? ) C-parameter-type-list ::= C-parameter-declaration (, C-parameter-declaration )+ C-parameter-declaration ::= C-declaration-specifier + C-declarator | C-declaration-specifier + C-abstract-declarator | C-declaration-specifier + C-declaration-specifier ::= C-type-specifier | C-type-qualifier ? C-declarator ::= C-pointer C-direct-declarator C-direct-declarator ::= ident | ( C-declarator ) | C-direct-declarator [ C-constant-expression? ] | C-direct-declarator ( C-parameter-type-list ) | C-direct-declarator ( ident∗ ) b C-constant-expression ::= ... a ACSL does not permit declaring a new type within the type-specifier b An expression formed from constant literals Figure 2.3: The grammar of C type expressions, from the C standard 13 2.2. LOGIC EXPRESSIONS binders ::= binder (, binder)∗ binder ::= type-name variable-ident (,variable-ident)∗ type-name ::= logic-type-name | C-type-name type-expr ::= logic-type-name | C-type-expr logic-type-name ::= built-in-logic-type | id type identifier built-in-logic-type ::= boolean | integer | real variable-ident ::= id | * variable-ident | variable-ident [] | ( variable-ident ) Figure 2.4: Grammar of binders and type expressions Conditional c ? e1 : e2 . There is a subtlety here: the condition may be either a boolean term or a predicate. In case of a predicate, the two branches must be also predicates, so that this construct acts as a connective with the following semantics: c ? e1 : e2 is equivalent to (c ==> e1 ) && (! c ==> e2 ). Syntactic naming id : e is a term or a predicate equivalent to e. It is different from local naming with \let: the name cannot be reused in other terms or predicates. It is only for readability purposes. Functional modifier The composite element modifier is an additional operator related to C structure field and array accessors. The expression { s \with .id = v } denotes a structure value that is the same as the value of s, except for the field id, which is equal to v. The equivalent expression for an array is { t \with [ i ] = v }, which returns an array with the same value as t, except for the ith element whose value is v. See section 2.10 for an example use of these operators. Logic functions Applications in terms and in propositions are not applications of C functions, but of logic functions or predicates; see Section 2.6 for detail. Consecutive comparison operators The construct t1 relop1 t2 relop2 t3 · · · tk with several con- secutive comparison operators is a shortcut for (t1 relop1 t2 ) && (t2 relop2 t3 ) && · · ·. It is required that the relopi operators must be in the same “direction”, i.e. they must all belong either to {<, <=, ==} or to {>,>=,==}. Expressions such as x < y > z or x != y != z are not allowed. Furthermore the types of each of the terms being compared must be non-boolean. Note that consecutive comparison operators are allowed only in predicate position. A consecutive comparison as the conditional expression in a ternary operation could, according to the grammar, be either in term or predicate position. In such a case, the conditional expression is considered a predicate. As a term a consecutive comparison that includes less-than or greater-than operations x < y < z would be parsed as (x < y) < z which is incorrectly typed, because in logic expressions, comparisons result in boolean values. However, when equalities are involved there could be some ambiguity. Consider a < b == c. As a standard expression, this would be parsed as (a < b) == c, which would require that c be a boolean value. As a consecutive comparison, this would be interpreted as (a < b) && (b == c); this form is only type-valid if b and c have the types that can be compared. However, as integer values are implicitly converted to boolean values this parsing is also valid if a and b are integral and c is boolean. To avoid this ambiguity and to avoid a situation where the grammar depends on the types of terms, ACSL adopts the rule that expressions of the form a < b == c with 14 2.2. LOGIC EXPRESSIONS logic expressions are always interpreted as consecutive comparisons, even if they then fail a type-checking test. The conventional parsing can always be obtained by using appropriate parentheses. To enforce the same interpretation as in C expressions, one may need to add extra parenthe- ses: a == b < c is equivalent to a == b && b < c, whereas a == (b < c) is equivalent to \let x = b < c; a == x. This situation raises some issues, as in the example below. Comparison operators themselves are predicates when used in predicate position, and boolean functions when used in term position, resulting in further subtleties. Example 2.1 Let us consider the following example: int f(int a, int b) { return a < b; } – the obvious postcondition \result == a < b is not the right one because it is actually a shortcut for \result == a && a < b. – adding parentheses results in a correct post-condition \result == (a < b). Note however that there is an implicit conversion (see Sec. 2.2.3) from the int (the type of \result) to boolean (the type of (a<b)) – an equivalent post-condition, which does not rely on implicit conversion, is (\result != 0) == (a<b). Both pairs of parentheses are mandatory. – \result == (integer)(a<b) is also acceptable because it compares two integers. The cast towards integer enforces a<b to be understood as a boolean term. Notice that a cast towards int would also be acceptable. – \result != 0 <==> a < b is acceptable because it is an equivalence between two predicates. 2.2.1 Operators precedence The precedence of C operators is conservatively extended with additional operators, as shown in Figure 2.5. In this table, operators are sorted from highest to lowest priority. Operators of same priority are presented on the same line. Conditional expressions and labels There is a remaining ambiguity between the connective · · ·?· · ·:· · · and the labelling operator :. Consider for instance the expression x?y:z:t. The precedence table does not indicate whether this should be understood as x?(y:z):t or x?y:(z:t). Such a case must be considered as a syntax error, and should be fixed by explicitly adding parentheses. Labels and parsing Note also that the use of labels can subtly change the parsing of an expression, because labeled expressions have the least binding precedence. That is, once a label is seen, the parser finds the longest valid term or predicate following the label to consider as the labeled expression. For example, a && b ==> c && d parses as (a && b) ==> (c && d), but a && nm: b ==> c && d parses as a && (nm: ( b ==> (c && d))). Use parentheses liberally to avoid confusing yourself or code readers. 2.2.2 Semantics The semantics of logic expressions in ACSL is based on mathematical first-order logic [27]. In particular, it is a 2-valued logic with only total functions. Consequently, expressions are never “undefined”. This is an important design choice and the specification writer should be aware of that. (For a discussion about the issues raised by such design choices, in similar specification languages such as JML, see the comprehensive list compiled by Patrice Chalin [4, 5].) Having only total functions implies than one can write terms such as 1/0, or *p when p is null (or more generally when it points to a non-properly allocated memory cell). In particular, the predicates 1/0 == 1/0 are valid, since they are instances of the axiom ∀x, x = x of first-order logic. The *p == *p reader should not be alarmed, because there is no way to deduce anything useful from such terms. As 15 2.2. LOGIC EXPRESSIONS class associativity operators selection left [· · ·]-> . unary right ! ~ + - * & (cast) sizeof multiplicative left */% additive left +- shift left << >> comparison - < <= > >= comparison - == != bitwise and left & list repetition left *^ bitwise xor/list concatenation left ^ bitwise or left | bitwise implies right --> bitwise equiv left <--> connective and left && connective xor left ^^ connective or left || connective implies right ==> connective equiv left <==> ternary connective right · · ·?· · ·:· · · binding left \forall \exists \let naming right : Figure 2.5: Operator precedence usual, it is up to the specification designer to write consistent assertions. For example, when introducing the following lemma (see Section 2.6): /*@ lemma div_mul_identity: @ \forall real x, real y; y != 0.0 ==> y*(x/y) == x; @*/ a premise is added to require y to be non zero. 2.2.3 Typing The language of logic expressions is typed (as in multi-sorted first-order logic). Types are either C types or logic types defined as follows: – “mathematical” types: integer for unbounded, mathematical integers, real for real numbers, boolean for booleans (with values written \true and \false); – logic types introduced by the specification writer (see Section 2.6). There are implicit coercions for numeric types: – C integral types char, short, int and long, signed or unsigned, are all subtypes of type integer; – integer is itself a subtype of type real; – C types float and double are subtypes of type real. Notes: – There is a distinction between booleans and predicates. The expression x<y in term position is a boolean, and the same expression is also allowed in predicate position. – Unlike in C, in ACSL there is a distinction between booleans and integers. There is an implicit promotion from integers to booleans, thus one may write x && y instead of x != 0 && y != 0. 16 2.2. LOGIC EXPRESSIONS If the reverse conversion is needed, an explicit cast is required, e.g. (int)(x>0)+1, where \false becomes 0 and \true becomes 1. – Quantification can be made over any type: logic types and C types. Quantification over pointers must be used carefully, since it depends on the memory state where dereferencing is done (see Section 2.2.4 and Section 2.6.9). Formal typing rules for terms are given in appendix A.5. 2.2.4 Integer arithmetic and machine integers The following integer arithmetic operations apply to mathematical integers: addition, subtraction, multiplication, unary minus. The value of a C variable of an integral type is promoted to a mathematical integer. As a consequence, there is no “arithmetic overflow” in logic expressions. Division and modulo are also mathematical operations, which coincide with the corresponding C operations on C machine integers, thus following the ISO C99 conventions. In particular, these are not the usual mathematical Euclidean division and remainder. C division rounds the result towards zero. The results are not specified if the divisor is zero; otherwise if q and r are the quotient and the remainder of n divided by d then: – |d × q| ≤ |n|, and |q| is maximal for this property; – q is zero if |n| < |d|; – q is positive if |n| ≥ |d| and n and d have the same sign; – q is negative if |n| ≥ |d| and n and d have opposite signs; – q × d + r = n; – |r| < |d|; – r is zero or has the same sign as n. Example 2.2 The following examples illustrate the results of division and modulo depending on the sign of their arguments: – 5/3 is 1 and 5%3 is 2; – (-5)/3 is -1 and (-5)%3 is -2; – 5/(-3) is -1 and 5%(-3) is 2; – (-5)/(-3) is 1 and (-5)%(-3) is -2. Hexadecimal, octal, and binary constants Hexadecimal, octal and binary constants are always non-negative. Suffixes u and l for C constants are allowed but meaningless. Casts and overflows In logic expressions, casting from mathematical integers to an integral C type t (such as char, short, int, etc.) is allowed and is interpreted as follows: the result is the unique value of the corresponding type that is congruent to the mathematical result modulo the cardinal of this type, that is 28× sizeof (t) . Example 2.3 (unsigned char)1000 is 1000 mod 256, i.e., 232; however, (signed char)1000 is ((1000 + 128) mod 256) − 128, i.e., −24. To express in the logic the value of a C expression, one has to add all the necessary casts. For example, the logic expression denoting the value of the C expression x*y+z is (int)((int)(x*y)+z). Note that there is no implicit cast from integers to C integral types. Example 2.4 The declaration //@ logic int f(int x) = x+1 ; 17 2.2. LOGIC EXPRESSIONS is not allowed because x+1, which is a mathematical integer, must be cast to int. One should write either //@ logic integer f(int x) = x+1 ; or //@ logic int f(int x) = (int)(x+1) ; Quantification on C integral types Quantification over a C integral type corresponds to integer quantification over the corresponding interval. Example 2.5 Thus the formula \forall char c; c <= 1000 is equivalent to \forall integer c; CHAR_MIN <= c <= CHAR_MAX ==> c <= 1000 where the bounds CHAR_MIN and CHAR_MAX are defined in limits.h Size of C integer types The size of C types is architecture-dependent. ACSL does not enforce these sizes either, hence the semantics of terms involving such types is also architecture-dependent. The sizeof operator may be used in annotations and is consistent with its C counterpart (including that its return type is a value of type size_t, and in most cases a constant). For instance, it should be possible to verify the following code: /*@ ensures \result <= sizeof(int); */ int f() { return sizeof(char); } Constants giving maximum and minimum values of those types may be provided in a library. Enum types Enum types are also interpreted as mathematical integers. Casting an integer into an enum in the logic gives the same result as if the cast was performed in the C code. Bitwise operations Like arithmetic operations, bitwise operations apply to any mathematical integer: any mathematical inte- ger has a unique infinite 2-complement binary representation with infinitely many zeros (for non-negative numbers) or ones (for negative numbers) on the left. Bitwise operations apply to this representation. Example 2.6 – 7 & 12 == · · ·00111 & · · ·001100 == · · ·00100 == 4 – -8 | 5 == · · ·11000 | · · ·00101 == · · ·11101 == -3 – ~5 == ~· · · 00101 == · · ·111010 == -6 – -5 << 2 == · · ·11011 << 2 == · · ·11101100 == -20 – 5 >> 2 == · · ·00101 >> 2 == · · ·0001 == 1 – -5 >> 2 == · · ·11011 >> 2 == · · ·1110 == -2 18 2.2. LOGIC EXPRESSIONS 2.2.5 Real numbers and floating point numbers Floating-point constants and operations are interpreted as mathematical real numbers: a C variable of type float or double is implicitly promoted to a real. Integers are promoted to reals if necessary. The usual binary operations are interpreted as operators on real numbers, hence they never involve any rounding or overflow. Example 2.7 In an annotation, 1e+300 * 1e+300 is equal to 1e+600, even if that last number exceeds the largest representable number in double precision: there is no "overflow". 2 ∗ 0.1 is equal to the real number 0.2, and not to any floating-point approximation: there is no "rounding". Unlike the promotion of C integer types to mathematical integers, there are special float values that do not naturally map to a real number, namely the IEEE-754 special values for “not-a-number”, +∞ and −∞. See below for a detailed discussion on such special values. However, remember that ACSL’s logic has only total functions. Thus, there are implicit promotion functions real_of_float and real_of_double whose results on the 3 values above is left unspecified. In logic, real literals can also be expressed under the hexadecimal form of C99: 0xhh.hhp±dd where h are hexadecimal digits and dd is in decimal, denotes number hh.hh × 2dd , e.g. 0x1.Fp-4 is (1 + 15/16) × 2−4 . The usual operators for comparison are also interpreted as real operators. In particular, the equality operation ≡ for float (or double) expressions means equality of the real numbers they represent. Or equivalently, x ≡ y for two float variables x, y means real_of_float(x) ≡ real_of_float(y) with the mathematical equality of real numbers. Special predicates are also available to express the comparison operators of float (resp. double) numbers as in C: \eq_float, \gt_float, \ge_float, \le_float, \lt_float, \ne_float (resp. for double). Casts, infinity and NaNs Casting from a C integer type or a float type to a float or a double is as in C: the same conversion operations apply. Conversion of real numbers to float or double values depends on various possible rounding modes defined by the IEEE 754 standard [26, 28]. These modes are defined by a logic type (see section 2.6.8): /*@ type rounding_mode = \Up | \Down | \ToZero | \NearestAway | \NearestEven; */ Then rounding a real number can be done explicitly using functions logic float \round_float(rounding_mode m, real x); logic double \round_double(rounding_mode m, real x); Cast operators (float) and (double) applied to a mathematical integer or real number x are equivalent to applying the rounding functions above with the nearest-even rounding mode (which is the default rounding mode in C programs). If the source real number is too large, this may also result in one of the special values +infinity and -infinity. Example 2.8 We have (float)0.1 ≡ 13421773 × 2−27 which is equal to 0.100000001490116119384765625. Notice also that unlike for integers, suffixes f and l are meaningful, because they implicitly add a cast operator as above. This semantics of casts ensures that the float result r of a C operation e1 op e2 on floats, if there is no overflow and if the default rounding mode is not changed in the program, has the same real value as the logic expression (float)(e1 op e2 ). Notice that this is not true for the equality \eq_float of 19 2.2. LOGIC EXPRESSIONS floats: -0.0 + -0.0 in C is equal to the float number -0.0, which is not \eq_float to 0.0, which is the value of the logic expression (float)(-0.0 + -0.0). Finally, additional predicates are provided that check that their argument is a finite number, an infinite one, or a NaN: predicate \is_finite(double x); // is a finite double predicate \is_plus_infinity(double x); // is equal to +infinity predicate \is_minus_infinity(double x); // is equal to -infinity predicate \is_infinite(double x); // is equal to +infinity or -infinity predicate \is_NaN(double x); // is a NaN double \is_finite, \is_plus_infinity, \is_minus_infinity and \is_NaN are mutually exclusive predicates. All these predicates also exist for the float type. Recall that under IEEE754 rules, any comparison between two NaN values returns a false value. Consequently if a double variable d is a NaN value, then the C expression d == d and the logic expression \eq_double(d,d) will both be false, the logic expression \real_of_double(d) will be undefined, but the logic expression \real_of_double(d) == \real_of_double(d) is true, as a specific instance of the axiom x ≡ x. Sign The sign of a non-NaN floating-point can be extracted by the function \sign: /*@ type sign = \Positive | \Negative; logic sign \sign(float x); logic sign \sign(double x); */ Quantification Quantification over a variable of type real is of course the usual quantification over real numbers. Quantification over float (resp. double) types is allowed as well, and is supposed to range over all finite real numbers representable as floats (resp. doubles). In particular, this does not include NaN, +infinity and -infinity in the considered range. Mathematical functions Classical mathematical operations like exponential, sine, cosine, and such are built-in to ACSL. These are listed in Appendix §A.2. The symbol \pi refers to the real number π and \e to the base of the natural logarithm: \log(\e)==1 and \exp(1)==\e. Exact computations In order to specify properties of rounding errors, it is useful to express something about the so-called exact computations [3]: the computations that would be performed in an ideal mode where variables denote true real numbers. To express such exact computations, two special constructs exist in annotations: – \exact(x) denotes the value of the C variable x (or more generally any C left-value) as if the program were executed with ideal real numbers. – \round_error(x) is a shortcut for |x − \exact(x)| Example 2.9 Here is an example of a naive approximation of cosine [2]. 20 2.2. LOGIC EXPRESSIONS /*@ requires \abs(\exact(x)) <= 0x1p-5; @ requires \round_error(x) <= 0x1p-20; @ ensures \abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24; @ ensures \round_error(\result) <= \round_error(x) + 0x3p-24; @*/ float cosine(float x) { return 1.0f - x * x * 0.5f; } 2.2.6 C arrays and pointers Address operator, array access, pointer arithmetic and dereferencing These operators are similar to their corresponding C operators. address-of operator should be used with caution. Values in logic do not lie in C memory so it does not mean anything to talk about their “address”. Unlike in C, there is no implicit cast from an array type to a pointer type. Nevertheless, arithmetic and dereferencing over arrays lying in C memory are allowed like in C. Example 2.10 Dereferencing a C array is equivalent to an access to the first element of the array ; shifting it from i denotes the address of its ith element. int tab[10] = { 1 } ; int x ; int *p = &x; //@ requires p == &x int main(void){ //@ assert tab[0]==1 && *p == x; //@ assert *tab == 1; int *q = &tab[3]; //@ assert q+1 == tab+4; ... } Since pointers can only refer to values lying in C memory, p->s is always equivalent to (*p).s. On the contrary, t[i] is not always equivalent to *(t+i), especially for arrays not lying in C memory. Section 2.2.7 details the use of arrays as logic values. There are also differences between t and the pointer to its first element when evaluating an expression at a given program point. See Section 2.4.3 for more information. Function pointers Pointers to C functions are allowed in logic. The only possible use of them is to check for equality. Example 2.11 int f(int x); int g(int x); //@ requires p == &f || p == &g; void h(int(*p)(int)) { ... } 21 2.2. LOGIC EXPRESSIONS 2.2.7 Structures, Unions and Arrays in logic Aggregate C objects (i.e. structures, unions and arrays) are also possible values for terms in logic. They can be passed as parameters to and returned from logic functions, tested for equality, etc. like any other values. Aggregate types can be declared in logic, and their contents may be any logic types themselves. Constructing such values in logic can be performed using a syntax similar to C designated initializers. Example 2.12 Array types in logic may be declared either with or without an explicit non-negative length. The term \length denotes the length of a logic array. //@ type point = struct { real x; real y; }; //@ type triangle = point[3]; //@ logic point origin = { .x = 0.0 , .y = 0.0 }; /*@ logic triangle t_iso = { [0] = origin, @ [1] = { .y = 2.0 , .x = 0.0 } @ [2] = { .x = 2.0 , .y = 0.0 }}; @*/ /*@ logic point centroid(triangle t) = { @ .x = mean3(t[0].x,t[1].x,t[2].x); @ .y = mean3(t[0].y,t[1].y,t[2].y); @ }; @*/ //@ type polygon = point[]; /*@ logic perimeter(polygon p) = @ \sum(0,\length(p)-1,\lambda integer i;d(p[i],p[(i+1) % \length(p)])) ; @*/ Beware that because of the principle of only total functions in logic, t[i] can appear in ACSL annotations even if i is outside the array bounds. Functional updates Syntax for functional update is similar to initialization of aggregate objects. Example 2.13 Functional update of an array is done by { t_iso \with [0] = { .x = 3.0, .y = 3.0 } } Functional update of a structure is done by { origin \with .x = 3.0 } There is no particular syntax for functional update of a union. For an object of a union type, the following equality is not true { { object \with .x = 3.0 } \with .y = 2.0 } == { { object \with .y = 2.0 } \with .x = 3.0 } The equality predicate == applies to aggregate values, but it is required that they have the same type. Then equality amounts to recursively checking equality of fields. Equality of arrays of different lengths returns false. Beware that equality of unions is also equality of all fields. 22 2.2. LOGIC EXPRESSIONS C aggregate types C aggregate types (struct, union or array) naturally map to logic types, by recursively mapping their fields. Example 2.14 There is no implicit cast to type of the updated/initialized fields. struct S { int x; float y; int t[10]; }; //@ logic integer f(struct S s) = s.t[3]; //@ logic struct S g(integer n, struct S s) = { s \with .x = (int)n }; Unlike in C, all fields should be initialized: /*@ logic struct S h(integer n, int a[10]) = { @ .x = (int)n, .y = (float)0.0, .t = a @ }; @*/ Cast and conversion Unlike in C, there is no implicit conversion from an array type to a pointer type. On the other hand, there is an implicit conversion from an array of a given size to an array with unspecified size (but not the converse). Example 2.15 //@ logic point square[4] = { origin, ... }; //@ ... perimeter(square); // well-typed //@ ... centroid(square); // wrongly typed //@ ... centroid((triangle)square); // well-typed (truncation) An explicit cast from an array type to a pointer type is allowed only for arrays that lie in C memory. As in C, the result of the cast is the address of the first element of the array (see Section 2.2.6). Conversely, an explicit cast from a pointer type to an array type acts as collecting the values it points to. Subtyping and cast recursively apply to fields. Example 2.16 struct { float u,v; } p[10]; //@ assert centroid((point[3])p) == ... //@ assert perimeter((point[])p) == ... Precisely, conversion of a pointer p of type τ ∗ to a logic array of type τ [] returns a logic array t such that length(t) = (\block_length(p) − \ offset (p))/ sizeof (τ ) More generally, an explicit cast from a C aggregate of type τ to another C aggregate type is allowed in order to specify such a value conversion into logical functions or function contracts without using the addressing operator &. Example 2.17 Unlike in C, conversion of an aggregate of C type struct τ to another structure type is allowed. 23 2.3. FUNCTION CONTRACTS struct long_st { int x1,y2;}; struct st { char x,y; }; //@ ensures \result == (struct st) s; struct st from_long_st(struct long_st s) { return *(struct st *)&s; } 2.3 Function contracts function-contract a ::= requires-clause ∗ terminates-clause ? decreases-clause ? simple-clause ∗ named-behavior ∗ completeness-clause ∗ clause-kind ::= check | admit requires-clause ::= clause-kind ? requires pred ; terminates-clause ::= terminates pred ; decreases-clause ::= decreases term (for ident)? ; simple-clause ::= assigns-clause | ensures-clause | allocation-clause | abrupt-clause assigns-clause ::= assigns locations ; locations ::= locations-list | \nothing ∗ locations-list ::= location (, location) b location ::= tset ensures-clause ::= clause-kind ? ensures pred ; named-behavior ::= behavior id : behavior-body behavior-body ::= assumes-clause ∗ requires-clause ∗ simple-clause ∗ assumes-clause ::= assumes pred ; completeness-clause ::= complete behaviors (id (, id)∗ )? ; | disjoint behaviors (id (, id)∗ )? ; a empty contracts are forbidden b A ’location’ may hold a set of many memory locations Figure 2.6: Grammar of function contracts term ::= \old ( term ) old value | \result result of a function pred ::= \old ( pred ) Figure 2.7: \old and \result in terms 24 2.3. FUNCTION CONTRACTS Figure 2.6 shows a grammar for function contracts. Location denotes a memory location and is defined in Section 2.3.4. Allocation-clauses allow specifying which memory locations are dynamically allocated or deallocated by the function from the heap; they are defined later in Section 2.7.3. This section is organized as follows. First, the grammar for terms is extended with two new constructs. Then Section 2.3.2 introduces simple contracts. Finally, Section 2.3.3 defines more general contracts involving named behaviors. The decreases and terminates clauses are presented later in Section 2.5. Abrupt-clauses allow specifying what happens when the function does not return normally but exits abruptly; they are defined in Section 2.9. The grammar in Fig. 2.6 requires clauses to be written in a particular order. This order is helpful for readability, though tools may be lenient towards out-of-order clauses. 2.3.1 Built-in constructs \old and \result Post-conditions usually require referring to both the function result and values in the pre-state. Thus terms are extended with the following new constructs (shown in Figure 2.7). – \old(e) denotes the value of predicate or term e in the pre-state of the function. – \result denotes the returned value of the function. \old(e) can be used only in ensures, assigns, allocates and frees clauses, since the other clauses already refer to only one state, the pre-state. In addition, \result may not be used in the contract of a function that returns void. C function parameters are obtained by value from actual parameters that mostly remain unaltered by the function calls. For that reason, formal parameters in function contracts are defined such that they always refer implicitly to their values interpreted in the pre-state. Thus, the \old construct is not needed (but permitted) for formal parameters (in function contracts only). 2.3.2 Simple function contracts Semantics A simple function contract, having only simple clauses and no named behaviors, takes the following form: /*@ requires P1 ; requires P2 ; . . . @ assigns L1 ; assigns L2 ; . . . @ ensures E1 ; ensures E2 ; . . . @*/ The semantics of such a contract is as follows: – The caller of the function must guarantee that it is called in a state where the property P1 && P2 && ... holds. – The called function returns1 a state where the property E1 && E2 && ... holds. – All memory locations that are allocated in both the pre-state and the post-state2 and do not belong to the set L1 ∪ L2 ∪ . . . are left unchanged in the post-state. The set L1 ∪ L2 ∪ . . . itself is interpreted in the pre-state, although it is permitted to refer to the post state through \at expressions. Having multiple requires, assigns, or ensures clauses only improves readability since the contract above is equivalent to the following simplified one: 1 An ensures clause does not imply that the function will necessarily return. 2 Functions that allocate or free memory can be specified with additional clauses described in section 2.7.3. 25 2.3. FUNCTION CONTRACTS /*@ requires P1 && P2 && . . .; @ assigns L1 , L2 ,. . .; @ ensures E1 && E2 && . . .; @*/ If no requires clause is given, it defaults to \true, and similarly for an omitted ensures clause. Giving no assigns clause means that locations assigned by the function are not specified, so the caller has no information at all on this function’s side effects. See Section 2.3.5 for more details on default status of clauses. Semantics of frame conditions It is worth pointing out that there are different treatments of frame conditions (assigns statements) in various specification languages. The frame condition can follow either writes semantics or modifies semantics. – Under writes (or assigns) semantics, only those memory locations listed in a frame condition may be written to, that is, only those locations may be the target of an assignment statement or listed in the frame condition of a called function. This is true whether or not the value of the memory location changes. – Under modifies semantics, a memory location may be written to, as long as the value is restored (that is, not modified) by the end of the scope of the function contract. Under this semantics, a frame condition is a requirement on the relationship between two states — any memory location not a member of the frame condition must have the same value in its pre-state and its post-state. Confusion can arise because the words assigns and modifies are sometimes used interchangeably. In particular, ACSL uses modifies semantics, even though the frame condition is introduced by the assigns keyword.3 check and admit clauses As presented above, in their basic acceptions, requires and ensures clauses both must be checked when control reaches the corresponding point, and can be assumed to hold to continue the analysis. However if only one of these actions is needed, a clause-kind modifier can be used. check will indicate that the corresponding clause must be verified, but with a non-blocking semantics. In other words, even if the clause is found invalid, the execution should continue unhindered. Conversely, admit indicates that the corresponding clause can be readily assumed to hold, without trying to verify it. Example 2.18 The following function is given a simple contract for computing the integer square root. /*@ requires x >= 0; @ ensures \result >= 0; @ ensures \result * \result <= x; @ ensures x < (\result + 1) * (\result + 1); @*/ int isqrt(int x); The contract means that the function must be called with a nonnegative argument, and returns a value satisfying the conjunction of the three ensures clauses. Inside these ensures clauses, the use of the construct \old(x) is not necessary, even if the function modifies the formal parameter x, because function calls modify a copy of the effective parameters, and the effective parameters remain unaltered. In fact, x denotes the effective parameter of isqrt calls, which has the same value interpreted in the pre-state as in the post-state. 3 For comparison, JML and the OpenJML tool define frame conditions to have write semantics but use the keywords assigns and modifies interchangeably; however, the KeY tool for JML implements modifies semantics. Ada/SPARK’s data flow contracts effectively encode write semantics. 26 2.3. FUNCTION CONTRACTS Example 2.19 The following function is given a contract to specify that it increments the value pointed to by the pointer given as argument. /*@ requires \valid(p); @ assigns *p; @ ensures *p == \old(*p) + 1; @*/ void incrstar(int *p); The contract means that the function must be called with a pointer p that points to a safely allocated memory location (see Section 2.7 for details on the \valid built-in predicate). It does not modify any memory location but the one pointed to by p. Finally, the ensures clause specifies that the value *p is incremented by one. 2.3.3 Contracts with named behaviors The general form of a function contract may contain named behaviors (restricted to two behaviors, in the following, for readability). /*@ requires P; @ behavior b1 : @ assumes A1 ; @ requires R1 ; @ assigns L1 ; @ ensures E1 ; @ behavior b2 : @ assumes A2 ; @ requires R2 ; @ assigns L2 ; @ ensures E2 ; @*/ The names of behaviors must be distinct within the given function (or statement) contract. A behavior name may be the same as a behavior name of an enclosing contract; in this case references to the behavior name refer to the behavior in the innermost contract of those contracts in scope. The semantics of such a contract is as follows: – The caller of the function must guarantee that the call is performed in a state where the effective precondition, namely the property P && (A1 ==> R1 ) && (A2 ==> R2 ), holds. – The called function returns a state where the properties \old(Ai ) ==> Ei hold for each i. The conjunction of these properties is the effective postcondition of the contract. – For each i, if the function is called in a pre-state where Ai holds, then each memory location of that pre-state that does not belong to the set Li is left unchanged in the post-state. requires clauses in the behaviors are proposed mainly to improve readability (to avoid some duplication of formulas), since the contract above is equivalent to the following simplified one: /*@ requires P && (A1 ==> R1 ) && (A2 ==> R2 ); @ behavior b1 : @ assumes A1 ; @ assigns L1 ; @ ensures E2 ; @ behavior b2 : @ assumes A2 ; @ assigns L2 ; @ ensures E2 ; @*/ A simple contract such as 27 2.3. FUNCTION CONTRACTS /*@ requires P; assigns L; ensures E; */ is actually equivalent to a single named behavior as follows: /*@ requires P; @ behavior <unique name>: @ assumes \true; @ assigns L; @ ensures E; @*/ Similarly, global assigns and ensures clauses are equivalent to a single named behavior. More precisely, the following contract /*@ requires P; @ assigns L; @ ensures E; @ behavior b1 : . . . @ behavior b2 : . . . @ ... @*/ is equivalent to (if b1 and b2 do not have requires clauses) /*@ requires P; @ behavior <unique name>: @ assumes \true; @ assigns L; @ ensures E; @ behavior b1 : . . . @ behavior b2 : . . . @ ... @*/ Example 2.20 In the following, bsearch(t,n,v) searches for element v in array t between indices 0 and n-1. /*@ requires n >= 0 && \valid(t+(0..n-1)); @ assigns \nothing; @ ensures -1 <= \result <= n-1; @ behavior success: @ ensures \result >= 0 ==> t[\result] == v; @ behavior failure: @ assumes t_is_sorted : \forall integer k1, integer k2; @ 0 <= k1 <= k2 <= n-1 ==> t[k1] <= t[k2]; @ ensures \result == -1 ==> @ \forall integer k; 0 <= k < n ==> t[k] != v; @*/ int bsearch(double t[], int n, double v); The precondition requires array t to be allocated at least from indices 0 to n-1. The two named behaviors correspond respectively to the successful behavior and the failing behavior. Since the function is performing a binary search, it requires the array t to be sorted in increasing order: this is the purpose of the predicate named t_is_sorted in the assumes clause of the behavior named failure. See 2.4.2 for a continuation of this example. Example 2.21 The following function illustrates the importance of different assigns clauses for each behavior. 28 2.3. FUNCTION CONTRACTS /*@ behavior p_changed: @ assumes n > 0; @ requires \valid(p); @ assigns *p; @ ensures *p == n; @ behavior q_changed: @ assumes n <= 0; @ requires \valid(q); @ assigns *q; @ ensures *q == n; @*/ void f(int n, int *p, int *q) { if (n > 0) *p = n; else *q = n; } Its contract means that it may modify values pointed to by p or by q, conditionally on the sign of n. Completeness of behaviors In a contract with named behaviors, it is not required that the disjunction of the Ai is true, i.e. it is not mandatory to provide a “complete” set of behaviors. If such a condition is desired, it is possible to add the following clause to a contract: /*@ requires R; admit requires AR; check requires CR; behavior bi : . . . ... complete behaviors b1 ,. . .,bn ; @*/ It specifies that the set of behaviors b1 ,. . .,bn is complete i.e. that R && AR ==> (A1 || A2 || ... || An ) holds. Note in particular that the completeness is established under the assumption that the main requires and admit requires clauses of the contract hold, but not the check requires clause, since the latter is only used to verify that a property holds at a given point, and never as hypothesis (see section 2.3.2). The simplified version of that clause /*@ . . . @ complete behaviors; @*/ means that all named4 behaviors given in the contract should be taken into account. Similarly, it is not required that two distinct behaviors are disjoint. If desired, this can be specified with the following clause: /*@ ... @ disjoint behaviors b1 ,. . .,bn ; @*/ It means that the given behaviors are pairwise disjoint i.e. that, for all distinct i and j, R && AR ==> ! (Ai && Aj ) holds. The simplified version of that clause 4 If there is a default (unnamed) behavior, it has an assumes clause of true; including it makes the completeness assertion trivially true. 29 2.3. FUNCTION CONTRACTS /*@ ... @ disjoint behaviors; @*/ means that all named5 behaviors given in the contract should be taken into account. Multiple complete and disjoint sets of behaviors can be given for the same contract. 2.3.4 Memory locations and sets of values There are several places where one needs to describe a set of memory locations: for example, in assigns clauses of function contracts and in loop assigns clauses (see section 2.4.2). A memory location is an l-value and a set of memory locations is a tset. Moreover, the argument of an assigns clause must be a set of modifiable l-values, as described in Section A.1. More generally, we introduce syntactic constructs to denote sets of values (tsets) that are also useful for the \separated predicate (see Section 2.7.2). The terms in a tset may have any type, though the operations described below are only well-typed for certain types of tsets. For example, s1 [s2 ] as defined below is only well-typed if one of s1 and s2 is a set of arrays and the other a set of integers. tset ::= \empty empty set | tset -> id | tset . id | * tset | & tset | tset [ tset ] | tset [ range ] | ( range ) a range as a set of integers | \union ( tset (, tset)∗ ) union of location sets | \inter ( tset (, tset)∗ ) intersection of location sets | tset + tset | ( tset ) | { tset | binders (; pred)? } set comprehension | { ( term (, term )∗ )? } explicit set | term a implicit singleton pred ::= \subset ( tset , tset ) set inclusion | term \in tset set membership range ::= term? .. term? a The given term may not itself be a set Figure 2.8: Grammar for sets of memory locations Ranges The .. syntax for ranges of integers has the appearance of a binary operator but is not a binary operator with conventional precedence, because either or both operand is optional. A missing operand designates an open range, that is the range includes all integers in the negative (if the left operand is missing) or positive direction (if the right operand is missing). This range syntax is used only within parentheses to designate a set of integers (cf. Fig. 2.8 later) or within square brackets to designate a range of array indices, as shown in Figs. 2.1 and 2.8. 5 If there is a default (unnamed) behavior, it has an assumes clause of true and is thus not disjoint with other clauses. 30 2.3. FUNCTION CONTRACTS Tsets The grammar for tsets is given in Figure 2.8. Note though that tsets are actually simply terms whose type is a set. Thus, for example, the + operator is overloaded for various numeric and string types and also for sets. The constructs in Figure 2.8 are syntactically valid whatever the types of terms are, but are only type-valid when used on values that are tsets as described.6 The semantics of tset operations is given below, where s denotes any tset. – \empty denotes the empty set. – a simple term denotes a singleton set. – s->id denotes the set of x->id for each x ∈ s. – s.id denotes the set of x.id for each x ∈ s. – *s denotes the set of *x for each x ∈ s. – &s denotes the set of &x for each x ∈ s. – s1 [s2 ] denotes the set of x1 [x2 ] for each x1 ∈ s1 and x2 ∈ s2 . – t1 .. t2 denotes the set of integers between t1 and t2 , inclusive. If t1 > t2 , this is the same as \empty – \union(s1 ,. . .,sn ) denotes the union of s1 ,s2 , . . . and sn ; – \inter(s1 ,. . .,sn ) denotes the intersection of s1 ,s2 , . . . and sn ; – s1 +s2 denotes the set of x1 +x2 for each x1 ∈ s1 and x2 ∈ s2 ; – { t1 ,. . .,tn } is the set composed of the elements t1 , . . ., tn . – (s) denotes the same set as s; – { s | b ; P } denotes set comprehension, that is the union of the sets denoted by s for each value b of binders satisfying predicate P (binders b are bound in both s and P). – x \in s holds if and only if x is an element of s. The operator has the same precedence as relational predicates (e.g., <). – \subset(s1 ,s2 ) holds if and only if each element of s1 is also an element of s2 (that is, s1 is a subset of s2 ). Note that assigns \nothing is equivalent to assigns \empty; it is left for convenience. Note that in some cases there is a small ambiguity. The use of an individual variable, as in assigns x;, invokes an implicit conversion to a singleton set, to assigns {x};, but only if the value of x is not already a set of memory locations. Similarly, for example, if x is a set of memory locations but y is not a set, then assigns x,y; means assigns \union(x,{y});. If neither x and y are sets, then assigns x,y; means assigns \union({x},{y});. Example 2.22 The following function sets each cell of an array to 0. /*@ requires \valid(t+(0..n-1)); @ assigns t[0..n-1]; @ assigns *(t+(0..n-1)); @ assigns *(t+{ i | integer i ; 0 <= i < n }); @*/ void reset_array(int t[],int n) { int i; for (i=0; i < n; i++) t[i] = 0; } It is annotated with three equivalent assigns clauses, each one specifying that only the set of cells {t[0],. . .,t[n-1]} is potentially modified. Example 2.23 The following function increments each value stored in a linked list. struct list { int hd; struct list *next; 6 Resolving the restrictions on tsets during type-checking rather than parsing greatly reduces the size and complexity of the overall grammar and avoids needing to propagate meta-information along with parsing information. 31 2.4. STATEMENT ANNOTATIONS }; // reachability in linked lists /*@ inductive reachable{L}(struct list *root, struct list *to) { @ case empty{L}: \forall struct list *l; reachable(l,l) ; @ case non_empty{L}: \forall struct list *l1,*l2; @ \valid(l1) && reachable(l1->next,l2) ==> reachable(l1,l2) ; @ } */ // The requires clause forbids giving a circular list /*@ requires reachable(p,\null); @ assigns { q->hd | struct list *q ; reachable(p,q) } ; @*/ void incr_list(struct list *p) { while (p) { p->hd++ ; p = p->next; } } The assigns clause specifies that the set of possibly modified memory locations is the set of fields q->hd for each pointer q reachable from p following next fields. See Section 2.6.3 for details about the declaration of the predicate reachable. 2.3.5 Default contracts, multiple contracts A C function can be defined only once but declared several times. It is allowed to annotate each of these declarations with contracts. Those contracts are seen as a single contract with the union of the requires clauses and behaviors. On the other hand, a function may have no contract at all, or a contract with missing clauses. Missing requires and ensures clauses default to \true. If no assigns clause is given, it remains unspecified. If the function under consideration has only a declaration but no body, then it means that it potentially modifies “everything”, hence in practice it will be impossible to verify anything about programs calling that function; in other words giving it a contract is in practice mandatory. On the other hand, if that function has a body, giving no assigns clause means in practice that it is left to tools to compute an over-approximation of the sets of modified locations. 2.4 Statement annotations Annotations on C statements are of three kinds: – Assert statements are allowed before any C statement or at end of blocks. – Loop annotations (the invariant, assigns, and variant clauses) are allowed before any loop statement: while, for, and do ... while. – Statement contracts are allowed before any C statement (including a block), specifying its behavior in a manner similar to function contracts. 2.4.1 Assertions The syntax of assertions is given in Figure 2.9, as an extension of the grammar of C statements. – assert P means that P must hold in the current state (the sequence point where the assertion occurs). – check P and admit P indicate respectively that P should be checked but not block the execution, and that P can be assumed to hold without verification. See section 2.3.2 for more information. 32 2.4. STATEMENT ANNOTATIONS C-compound-statement a ::= { C-declaration∗ C-statement∗ assertion+ } b C-statement ::= assertion C-statement assertion-kind ::= assert assertion | clause-kind non-blocking assertion assertion ::= /*@ assertion-kind pred ; */ | /*@ for id (, id)∗ : assertion-kind pred ; */ a Extension to the C standard grammar for compound statements b Extension to the C standard grammar for statements Figure 2.9: Grammar for assertions – The variant for id1 ,. . .,idk : assert P associates the assertion to the named behaviors idi , each of them being a behavior identifier for the current function (or a behavior of an enclosing block as defined later in Section 2.4.4). It means that this assertion is only required to hold for the listed behaviors. 2.4.2 Loop annotations a C-statement ::= /*@ loop-annot */ C-iteration-statement loop-annot b ::= loop-clause ∗ loop-behavior ∗ loop-variant? loop-clause ::= loop-invariant | loop-assigns | loop-allocation loop-invariant ::= clause-kind ? loop invariant pred ; loop-assigns ::= loop assigns locations ; ∗ loop-behavior ::= for id (, id) : loop-clause + annotation for behavior id loop-variant ::= loop variant term ; | loop variant term for ident ; variant for relation ident a Extension of the C standard for statements b empty loop annotations are forbidden Figure 2.10: Grammar for loop annotations The syntax of loop annotations is given in Figure 2.10, as an extension of the grammar of C statements. Loop-allocation clauses allow specifying which memory locations are dynamically allocated or deallocated 33 2.4. STATEMENT ANNOTATIONS by a loop from the heap; they are defined later in Section 2.7.3. Loop invariants and loop assigns The semantics of loop invariants and loop assigns is defined as follows: a simple loop annotation of the form /*@ loop invariant I; @ loop assigns L; @*/ ... specifies that the following conditions hold. – The predicate I holds before entering the loop (in the case of a for loop, this means right after the initialization expression). – The predicate I is an inductive invariant, that is if I is assumed true in some state where the condition c is also true, and if execution of the loop body in that state ends normally at the end of the body or with a continue statement, I is true in the resulting state. If the loop condition has side effects, these are included in the loop body in a suitable way: – for a while (c) s loop, I must be preserved by the side-effects of c followed by s; – for a for(init;c;step) s loop, I must be preserved by the side-effects of c followed by s followed by step; – for a do s while (c); loop, I must be preserved by s followed by the side-effects of c. Note that if c has side-effects, the invariant might not be true at the exit of the loop: the last “step” starts from a state where I holds, performs the side-effects of c, which in the end evaluates to false and exits the loop. Likewise, if a loop is exited through a break statement, I does not necessarily hold, as side effects may occur between the last state in which I was supposed to hold and the break statement. – At any loop iteration, any location that was allocated before entering the loop and is not a member of L (interpreted in the current state, that is LoopCurrent) has the same value as before entering the loop (LoopEntry). In fact, the loop assigns clause specifies an inductive invariant for the locations that are not members of L. Loop behaviors A loop annotation preceded by for id_1,. . .,id_k: is similar to the above, but applies only for behaviors id_1,. . .,id_k of the current function, hence in particular holds only under the assumption of their assumes clauses. Remarks – The \old construct is not allowed in loop annotations. The \at form should be used to refer to another state (see Section 2.4.3). – When a loop exits with break or return or goto, it is not required that the loop invariant holds. In such cases, locations that are not members of L can be assigned between the end of the previous iteration and the exit statement. – If no loop assigns clause is given, assignments remain unspecified. It is left to tools to compute an over-approximation of the sets of assigned locations. Example 2.24 Here is a continuation of example 2.20. Note the use of a loop invariant associated to a function behavior. /*@ requires n >= 0 && \valid(t+(0..n-1)); @ assigns \nothing; @ ensures -1 <= \result <= n-1; 34 2.4. STATEMENT ANNOTATIONS @ behavior success: @ ensures \result >= 0 ==> t[\result] == v; @ behavior failure: @ assumes t_is_sorted : \forall integer k1, int k2; @ 0 <= k1 <= k2 <= n-1 ==> t[k1] <= t[k2]; @ ensures \result == -1 ==> @ \forall integer k; 0 <= k < n ==> t[k] != v; @*/ int bsearch(double t[], int n, double v) { int l = 0, u = n-1; /*@ loop invariant 0 <= l && u <= n-1; @ for failure: loop invariant @ \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u; @*/ while (l <= u ) { int m = l + (u-l)/2; // better than (l+u)/2 if (t[m] < v) l = m + 1; else if (t[m] > v) u = m - 1; else return m; } return -1; } Loop variants Optionally, a loop annotation may include a loop variant of the form /*@ loop variant m; */ where m is a term of type integer. The semantics is as follows: for each loop iteration that terminates normally or with continue, the value of m at end of the iteration must be smaller than its value at the beginning of the iteration. Moreover, its value at the beginning of the iteration must be nonnegative. Note that the value of m at loop exit might be negative. It does not compromise termination of the loop. Here is an example: Example 2.25 void f(int x) { //@ loop variant x; while (x >= 0) { x -= 2; } } It is also possible to specify termination orderings other than the usual order on integers, using the additional for modifier. This is explained in Section 2.5. General inductive invariants It is actually allowed to pose an inductive invariant anywhere inside a loop body. For example, it makes sense for a do s while (c); loop to contain an invariant right after statement s. Such an invariant is a kind of assertion, as shown in Figure 2.11. Example 2.26 In the following example, the natural invariant holds at this point (\max and \lambda are introduced later in Section 2.6.7). It would be less convenient to set an invariant at the beginning of the loop. 35 2.4. STATEMENT ANNOTATIONS assertion ::= /*@ clause-kind ? invariant pred ; */ | /*@ for id (, id)∗ : clause-kind ? invariant pred ; */ Figure 2.11: Grammar for general inductive invariants /*@ requires n > 0 && \valid(t+(0..n-1)); @ ensures \result == \max(0,n-1,(\lambda integer k ; t[k])); @*/ double max(double t[], int n) { int i = 0; double m,v; do { v = t[i++]; m = v > m ? v : m; /*@ invariant m == \max(0,i-1,(\lambda integer k ; t[k])); */ } while (i < n); return m; } More generally, loops can be introduced by gotos. As a consequence, such invariants may occur anywhere inside a function’s body. The meaning is that the invariant holds at that point, much like an assert. Moreover, the invariant must be inductive, i.e. it must be preserved across a loop iteration. Several invariants are allowed at different places in a loop body. These extensions are useful when dealing with complex control flows. Example 2.27 Here is a program annotated with an invariant inside the loop body: /*@ requires n > 0; @ ensures \result == \max(0,n-1,\lambda integer k; t[k]); @*/ double max_array(double t[], int n) { double m; int i=0; goto L; do { if (t[i] > m) { L: m = t[i]; } /*@ invariant @ 0 <= i < n && m == \max(0,i,\lambda integer k; t[k]); @*/ i++; } while (i < n); return m; } The control-flow graph of the code is as follows 36 2.4. STATEMENT ANNOTATIONS i←0 m < t[i] m ← t[i] m ≥ t[i] do inv i←i+1 i<n i≥n The invariant is inductively preserved by the two paths that go from node “inv” to itself. Example 2.28 The program int x = 0; int y = 10; /*@ loop invariant 0 <= x < 11; @*/ while (y > 0) { x++; y--; } is not correctly annotated, even if it is true that x remains smaller than 11 during the execution. This is because it is not true that the property x<11 is preserved by the execution of x++ ; y--;. A correct loop invariant could be 0 <= x < 11 && x+y == 10. It holds at loop entrance and is preserved (under the assumption of the loop condition y>0). Similarly, the following general invariants are not inductive: int x = 0; int y = 10; while (y > 0) { x++; //@ invariant 0 < x < 11; y--; //@ invariant 0 <= y < 10; } since 0 <= y < 10 is not a consequence of hypothesis 0 < x < 11 after executing y--; and 0 < x < 11 cannot be deduced from 0 <= y < 10 after looping back through the condition y>0 and executing x++. Correct invariants could be: while (y > 0) { x++; //@ invariant 0 < x < 11 && x+y == 11; y--; //@ invariant 0 <= y < 10 && x+y == 10; } 37 2.4. STATEMENT ANNOTATIONS 2.4.3 Built-in construct \at Statement annotations usually need another additional construct \at(e,id) referring to the value of the expression e in the state at label id. In particular, for a C array of int, t, \at(t,id) is a logical array whose content is the same as that of t in state at label id. It is thus very dif- ferent from \at((int *)t,id), which is a pointer to the first element of t (and stays the same between the state at id and the current state). Namely, if t[0] has changed since id, we have \at(t,id)[0] != \at((int *)t,id)[0]. The label id can be either a regular C label or a label added within a ghost statement as described in Section 2.12. This label must be declared in the same function as the occurrence of \at(e,id), but unlike gotos, more restrictive scoping rules must be respected: – the label id must occur before the occurrence of \at(e,id) in the source; – the label id must not be inside an inner block that syntactically ends before the use of the label. These rules are exactly the same rules as for the visibility of local variables within C statements (see [17], Section A11.1). Note that the \at construct must be interpreted carefully when a variable is redeclared within the body of a function. Consider the example below: Example 2.29 labels and scopes of local variables int x; int y; void m() { y = 1; x = 4; b: ; // a label can’t be directly over a declaration, hence the ’;’. //@ assert \at(x,b) == 4; int* x = &y; y = 2; c: y = 3; //@ assert \at(x,b) == 4; //@ assert *x == 3; //@ assert \at(*x,c) == 2; *x = 5; } – The assert annotation on line 8 refers to the value of x declared on line 1 and set on line 6; it is proved without difficulty. – The assert annotation on line 14 refers to the current state of *x, where x is declared on line 9, that is the assignment to y on line 12; it is also proved without difficulty. – The assert annotation on line 156 refers to the state of *x at label c, that is the assignment to y on line 5; it is also proved without difficulty. But consider the assert annotation on line 13. It references the state at label b. At that label, x refers to the declaration on line 1, not the declaration current at line 13, namely the declaration on line 9. Thus determining the value of an expression at a given label requires that the name and type resolution of the expression be performed at that label also, and may be different than the results of name and type resolution in the state in which the \at expression occurs. Default logic labels There are seven predefined logic labels: Pre, Here, Old, Post, LoopEntry, LoopCurrent and Init. \old(e) is in fact syntactic sugar for \at(e,Old). 38 2.4. STATEMENT ANNOTATIONS Table 2.1: Meaning and permitted locations of built-in labels Label Permitted locations Meaning statement annotations state where the annotation appears Here function contracts pre-state of function data invariants invocation point of the invariant function contracts pre-state of function Old statement contracts pre-state of statement Pre statement annotations pre-state of enclosing function Post assigns and ensures clauses post-state of contract LoopEntry loop annotations and loop statements state prior to first loop entry LoopCurrent loop annotations and loop statements state at beginning of current loop in- teration Init all annotations state before call to main – The label Here is visible in all statement annotations, where it refers to the state where the annotation appears; and in all contracts, where it refers to the pre-state for the requires, assumes, assigns, frees, decreases, terminates clauses and the post-state for ensures, allocates, and abrupt termination clauses. It is also visible in data invariants, presented in Section 2.11. – The label Old is visible in assigns and ensures clauses of all contracts (both for functions and for statement contracts described below in Section 2.4.4), and refers to the pre-state of this contract. – The label Pre is visible in all statement annotations, and refers to the pre-state of the function it occurs in. – The label Post is visible in assigns and ensures clauses of all contracts, and it refers to the post-state. – The label LoopEntry is visible in loop annotations and all annotations related to a statement enclosed in a loop. It refers to the state just before entering that loop for the first time –but after initialization took place in the case of a for loop, as for loop invariant (section 2.4.2). When LoopEntry is used in a statement enclosed in nested loops, it refers to the innermost loop containing that statement. – The label LoopCurrent is visible in loop annotations and all other annotations related to a statement enclosed in a loop. It refers to the state at the beginning of the current step of the loop (see section 2.4.2 for more details on what constitutes a loop step in presence of side-effects in the condition). When LoopCurrent is used in a statement enclosed in nested loops, it refers to the innermost loop containing that statement. – The label Init is visible in all statement annotations and contracts. It refers to the state just before the call to the main function, once the global data have been initialized. Inside loop annotations, the labels LoopCurrent and Here are equivalent, except inside clauses loop frees (see section 2.7.3) where Here is equivalent to LoopEntry. There is one special case regarding formal parameters. Despite any surrounding \at construct or the type of clause, formal parameters in a function contract are always interpreted in the pre-state (that is in the Old state). Note that formal parameters are not special in this regard in statement contracts. No logic label is visible in global logic declarations such as lemmas, axioms, definition of predicate or logic functions. When such an annotation needs to refer to a given memory state, it has to be given a label binder: this is described in Section 2.6.9. Example 2.30 The code below implements the famous extended Euclid’s algorithm for computing the greatest common divisor of two integers x and y, while computing at the same time the two Bézout coefficients p and q such that p × x + q × y = gcd(x, y). The loop invariant for the Bézout property needs to refer to the value of x and y in the pre-state of the function. 39 2.4. STATEMENT ANNOTATIONS term ::= \at ( term , label-id ) pred ::= \at ( pred , label-id ) label-id ::= Here | Old | Pre | Post | LoopEntry | LoopCurrent | Init | | id a a An id must be a C program label in scope Figure 2.12: Grammar for at construct /*@ requires x >= 0 && y >= 0; @ behavior bezoutProperty: @ ensures (*p)*x+(*q)*y == \result; @*/ int extended_Euclid(int x, int y, int *p, int *q) { int a = 1, b = 0, c = 0, d = 1; /*@ loop invariant x >= 0 && y >= 0 ; @ for bezoutProperty: loop invariant @ a*\at(x,Pre)+b*\at(y,Pre) == x && @ c*\at(x,Pre)+d*\at(y,Pre) == y ; @ loop variant y; @*/ while (y > 0) { int r = x % y; int q = x / y; int ta = a, tb = b; x = y; y = r; a = c; b = d; c = ta - c * q; d = tb - d * q; } *p = a; *q = b; return x; } Example 2.31 Here is a toy example illustrating tricky issues with \at and labels: int i; int t[10]; //@ ensures 0 <= \result <= 9; int any(); /*@ assigns i,t[\at(i,Post)]; @ ensures @ t[i] == \old(t[\at(i,Here)]) + 1; @ ensures @ \let j = i; t[j] == \old(t[j]) + 1; @*/ void f() { i = any(); t[i]++; } The two ensures clauses are equivalent. The simpler clause t[i] == \old(t[i]) + 1 would be wrong because in \old(t[i]), i denotes the value of i in the pre-state. 40 2.4. STATEMENT ANNOTATIONS Also, the assigns clause i,t[i] would be wrong also because again in t[i], the value of i is its value in the pre-state. Example 2.32 Here is an example illustrating the use of LoopEntry and LoopCurrent void f (int n) { for (int i = 0; i < n; i++) { /*@ assert \at(i,LoopEntry) == 0; */ int j = 0; while (j++ < i) { /*@ assert \at(j,LoopEntry) == 0; */ /*@ assert \at(j,LoopCurrent) + 1 == j; */ } } } 2.4.4 Statement contracts a C-statement ::= /*@ statement-contract */ C-statement statement-contract b ::= (for id (, id)∗ :)? requires-clause ∗ simple-clause-stmt∗ named-behavior-stmt∗ completeness-clause ∗ simple-clause-stmt ::= simple-clause | abrupt-clause-stmt named-behavior-stmt ::= behavior id : behavior-body-stmt c ∗ behavior-body-stmt ::= assumes-clause requires-clause ∗ simple-clause-stmt∗ a Extension to the C standard grammar for statements b empty contracts are forbidden c empty behavior bodies are forbidden Figure 2.13: Grammar for statement contracts The grammar for statement contracts is given in Figure 2.13. It is similar to function contracts, but without a decreases clause. Additionally, a statement contract may refer to enclosing named behaviors, with the form for id:.... Such contracts are only valid for the corresponding behaviors, in particular only under the corresponding assumes clause. Note that behaviors in statement contracts may have the same ids as enclosing function contract behaviors or enclosing statement contracts. In such cases, a use of an id (in a for construct) refers to the innermost behavior id. The ensures clause does not constrain the post-state when the annotated statement is terminated by a goto jumping out of it, by any abrupt termination of the statement that is annotated. To specify such behaviors, abrupt clauses (described in Section 2.9) need to be used. On the other hand, it is different with assigns clauses. The locations having their values modified during the path execution, starting at the beginning of the annotated statement and leading to a goto jumping out of it, should be part of its assigns clause. Example 2.33 The clause assigns \nothing; does not hold for that statement, even if the clause ensures x==\old(x); holds: /*@ assigns x; @ ensures x==\old(x); 41 2.5. TERMINATION @*/ if (c) { x++; goto L; } L: ... Allocation-clauses allow specifying which memory locations are dynamically allocated or deallocated by the annotated statement from the heap; they are defined later in Section 2.7.3. The semantics of multiple clauses or missing clauses of a given type within a behavior or in the unnamed behavior are the same as for function contracts (cf. Section 2.3.5). 2.5 Termination The property of termination concerns both loops and recursive function calls. Termination is guaranteed by attaching a measure function to each loop (an aspect already addressed in Section 2.4.2) and each recursive function. 2.5.1 Measure A measure is an expression that must be strictly decreasing according to a given well-founded relation R, at each loop iteration for loop variant, and each recursive call for decreases. More precisely, when v_cur is the value of the measure for the current loop iteration or recursive call, and v_next is the value of the measure for the next iteration or recursive call, R(v_cur, v_next) must hold. R(a, b) expresses that a is greater than b. By default, a measure is an integer expression, and measures are compared using the usual ordering over integers (Section 2.5.2). It is also possible to define measures using other domains and/or using a different ordering relation (Section 2.5.3). 2.5.2 Integer measures Functions are annotated with integer measures with the syntax //@ decreases e; and loops are annotated similarly with the syntax //@ loop variant e; where the logic expression e has type integer. For recursive calls, or for loops, this expression must decrease for the relation R defined by R(x,y) <==> x > y && x >= 0. In other words, the measure must be a decreasing sequence of integers which remain nonnegative, except possibly for the last value of the sequence (See example 2.25). Example 2.34 The clause loop variant u-l; can be added to the loop annotations of the exam- ple 2.24. The measure u-l decreases at each iteration, and remains nonnegative, except at the last iteration where it may become negative. @ ... @ loop variant u-l; */ while ... 42 2.5. TERMINATION 2.5.3 General measures More general measures on other types can be provided, using the keyword for. For functions it becomes //@ decreases e for R; and for loops //@ loop variant e for R; In those cases, the logic expression e has some type τ and R must be a relation on τ , that is a binary predicate declared (see Section 2.6 for details) as //@ predicate R(τ x, τ y) · · · Of course, to guarantee termination, it must be proved that R is a well-founded relation. Example 2.35 The following example illustrates a variant annotation using a pair of integers, ordered lexicographically. //@ ensures \result >= 0; int dummy(); //@ type intpair = (integer,integer); /*@ predicate lexico(intpair p1, intpair p2) = @ \let (x1,y1) = p1 ; @ \let (x2,y2) = p2 ; @ x1 > x2 && x1 >= 0 || @ x1 == x2 && y1 > y2 && y1 >= 0 ; @*/ //@ requires x >= 0 && y >= 0; void f(int x,int y) { /*@ loop invariant x >= 0 && y >= 0; @ loop variant (x, y) for lexico; @*/ while (x > 0 && y > 0) { if (dummy()) { x--; y = dummy(); } else y--; } } 2.5.4 Recursive function calls The precise semantics of measures on recursive calls, especially in the general case of mutually recursive functions, is given as follows. We call a set of mutually recursive functions that is a strongly connected component of the call graph a cluster. Within each cluster, each function must be annotated with a decreases clause with the same relation R (syntactically). Then, in the body of any function f of that cluster, any recursive call to a function g must occur in a state where the measure attached to g is smaller (w.r.t R) than the measure of f in the pre-state of f. This also applies when g is f itself. Example 2.36 Here are the classical factorial and Fibonacci functions: /*@ requires n <= 12; @ decreases n; 43 2.5. TERMINATION @*/ int fact(int n) { if (n <= 1) return 1; return n * fact(n-1); } //@ decreases n; int fib(int n) { if (n <= 1) return 1; return fib(n-1) + fib(n-2); } Example 2.37 This example illustrates mutual recursion: /*@ requires n>=0; decreases n; */ int even(int n) { if (n == 0) return 1; return odd(n-1); } /*@ requires x>=0; decreases x; */ int odd(int x) { if (x == 0) return 0; return even(x-1); } 2.5.5 Non-terminating functions There are cases where a function is not supposed to terminate. For instance, the main function of a reactive program might be a while(1) that indefinitely waits for an event to process. More generally, a function can be expected to terminate only if some preconditions are met. In those cases, a terminates clause can be added to the contract of the function, using the following form: //@ terminates p; Semantics in function contract The semantics of such a clause is as follows: if p holds in the pre-state of the function, then the function is guaranteed to terminate (more precisely, its termination must be proved). If such a clause is not present (and in particular if there is no function contract at all), it defaults to terminates \true; that is, the function is supposed to always terminate, which is the expected behavior of most functions. Note that nothing is specified for the case where p does not hold: the function may terminate or not. In particular, terminates \false; does not imply that the function loops forever. A possible specification for a function that never terminates is the following: /*@ terminates \false; exits \false; ensures \false; */ void f(void) { while(1); } 44 2.5. TERMINATION Example 2.38 A concrete example of a function that may not always terminate is the incr_list function of example 2.23. In fact, the following contract is also acceptable for this function: // this time, the specification accepts circular lists, but does not ensure // that the function terminates on them (as a matter of fact, it does not). /*@ terminates reachable(p,\null); @ assigns { q->hd | struct list *q ; reachable(p,q) } ; @*/ void incr_list(struct list *p) { while (p) { p->hd++ ; p = p->next; } } Semantics in statement contract The termination of statements can also be specified in statement contracts in using the same clause. When such a clause is omitted the statement contract does not add any more constraints to the termination of the related statement (and, by the way, to the statements that it contains). The semantics of a clause terminates T of a contract of a statement S is defined inductively in considering the statement Sb that is the innermost block (or compound statement such as if, ...) that has a contract with a clause terminates Tb and encloses S. This search is performed recursively, until a statement Sb is found (the body of the function can be considered for that and in such a case, the terminates clause of the function contract gives Tb). – If Tb holds in the pre-state of Sb7 then T must holds in the pre-state of S (at the beginning of each execution of S). – The statement S must terminate when T holds in its pre-state8 . By transitivity and induction, this definition implies that all statements of S must terminate when T holds in the pre-state of S. Similarly, all statements of the function must terminate when the termination condition of the function holds in its pre-state. Example 2.39 In the following source code, the function must terminate when max_run is different from 0 in pre-state. However, when it equals to 0, while it is not expected that the loop terminates, the block on lines 5–10 still must terminate and the call to the function handle_events must also terminate. unsigned max_runs = 0 ; //@ terminates max_runs > 0 ; void main_loop(void){ /*@ terminates \true ; */ { initialize_memory(); //@ loop variant n ; for(unsigned n = 10 ; n > 0 ; n--) initialize_device(n - 1); } unsigned runs = 0 ; //@ loop variant max_runs - runs ; while(1){ if(max_runs != 0 && runs >= max_runs) break ; run ++ ; 7 In this definition Sb denotes a statement as much as a function body. 8 It must terminate regardless of any other terminates clause provided for a block (or a function) that contains it. 45 2.6. LOGIC SPECIFICATIONS //@ terminates \true ; handle_events(); } } 2.5.6 Measures and non-terminating functions As mentioned at the beginning of Section 2.5, termination is guaranteed by attaching a measure function to each loop and each recursive function. Thus, when a contract specifies a terminates clause p, the measures in the corresponding code section have to be verified only when p is verified. For example, that means that for a function that may not terminate, any variant is verified: /*@ terminates \false; */ void f(void) { //@ loop variant -1 ; while(1); } More precisely, loop variants and decreases clauses are conditioned by the terminates clause of the innermost block containing it. Thus, in example 2.39, the loop variant on line 7 must always be verified since it belongs to a block that must always terminate, while the loop variant on line 13 only needs to be verified when max_runs is different from 0 in the pre-state of the function. 2.6 Logic specifications The language of logic expressions used in annotations can be extended by declarations of new logic types, and new constants, logic functions and predicates. These declarations follow the classical setting of algebraic specifications. The grammar for these declarations is given in Figure 2.14. 2.6.1 Predicate and function definitions New functions and predicates can be defined by explicit expressions, given after an equal sign. Example 2.40 The following code //@ predicate is_positive(integer x) = x > 0; /*@ logic integer get_sign(real x) = @ x > 0.0 ? 1 : ( x < 0.0 ? -1 : 0); @*/ illustrates the definition of a new predicate is_positive with an integer parameter and a new logic function sign with a real parameter returning an integer. 2.6.2 Lemmas Lemmas are user-given propositions, a facility that might help theorem provers establish validity of ACSL specifications. Example 2.41 The following lemma //@ lemma mean_property: \forall integer x,y; x <= y ==> x <= (x+y)/2 <= y; is a useful hint for a program like binary search. 46 2.6. LOGIC SPECIFICATIONS a C-external-declaration ::= /*@ logic-def + */ logic-def ::= logic-const-def | logic-function-def | logic-predicate-def | lemma-def | data-inv-def type-var ::= id type-expr ::= type-var type variable | id < type-expr (, type-expr)∗ > polymorphic type type-var-binders ::= < type-var (, type-var)∗ > poly-id ::= id type-var-binders polymorphic object identifier logic-const-def ::= logic type-expr poly-id = term ; logic-function-def ::= logic type-expr poly-id parameters = term ; logic-predicate-def ::= predicate poly-id parameters ? = pred ; parameters ::= ( parameter (, parameter)∗ ) parameter ::= type-expr id lemma-def ::= clause-kind ? lemma poly-id : pred ; a Extension to the C standard grammar for external declarations as global declarations Figure 2.14: Grammar for global logic definitions 47 2.6. LOGIC SPECIFICATIONS Of course, a complete verification of an ACSL specification has to provide a proof for each lemma. Again, check lemma can be used to indicate that the property should only be verified, but not used in other verification activities, and conversely admit lemma indicates that the property can be assumed without trying to verify it (see section 2.3.2). Note that an admit lemma is in practice equivalent to an axiom, as introduced in section 2.6.4. 2.6.3 Inductive predicates A predicate may also be defined by an inductive definition. The grammar for this style of definition is given in Figure 2.15. logic-def ::= inductive-def inductive-def ::= inductive poly-id parameters ? { indcase ∗ } indcase ::= case poly-id : pred ; Figure 2.15: Grammar for inductive definitions In general, an inductive definition of a predicate P has the form /*@ inductive P(x1 ,. . .,xn ) { @ case c1 : p1 ; ... @ case ck : pk ; @ } @*/ where each ci is an identifier and each pi is a proposition. The semantics of such a definition is that P is the least fixpoint of the cases, i.e. is the smallest predicate (in the sense that it is false the most often) satisfying the propositions p1 , . . . ,pk . With this general form, the existence of a least fixpoint is not guaranteed, so tools might enforce syntactic conditions on the form of inductive definitions. A standard syntactic restriction could be to allow only propositions pi of the form \forall y1 ,. . .,ym , h1 ==> · · · ==> hl ==> P(t1 ,. . .,tn ) where P occurs only positively in hypotheses h1 , . . . ,hl (definite Horn clauses, http://en.wikipedia. org/wiki/Horn_clause). Example 2.42 The following introduces a predicate isgcd(x,y,d), which means that d is the greatest common divisor of x and y. /*@ inductive is_gcd(integer a, integer b, integer d) { @ case gcd_zero: @ \forall integer n; is_gcd(n,0,n); @ case gcd_succ: @ \forall integer a,b,d; is_gcd(b, a % b, d) ==> is_gcd(a,b,d); @ } @*/ This definition uses definite Horn clauses, hence is consistent. Example 2.23 already introduced an inductive definition of reachability in linked-lists, and was also based on definite Horn clauses, and is thus consistent. 48 2.6. LOGIC SPECIFICATIONS 2.6.4 Axiomatic definitions Instead of an explicit definition, one may introduce an axiomatic definition for a set of types, predicates and logic functions, which amounts to declaring the expected profiles and a set of axioms. The grammar for those constructions is given in Figure 2.16. logic-def ::= axiomatic-decl axiomatic-decl ::= axiomatic id { logic-decl ∗ } logic-decl ::= logic-def | logic-type-decl | logic-const-decl | logic-predicate-decl | logic-function-decl | axiom-def logic-type-decl ::= type logic-type ; logic-type ::= id | id type-var-binders polymorphic type logic-const-decl ::= logic type-expr poly-id ; logic-function-decl ::= logic type-expr poly-id parameters ; logic-predicate-decl ::= predicate poly-id parameters ? ; axiom-def ::= axiom poly-id : pred ; Figure 2.16: Grammar for axiomatic declarations Example 2.43 The following axiomatization introduces a theory of finite lists of integers a la LISP. /*@ axiomatic IntList { @ type int_list; @ logic int_list nil; @ logic int_list cons(integer n,int_list l); @ logic int_list append(int_list l1,int_list l2); @ axiom append_nil: @ \forall int_list l; append(nil,l) == l; @ axiom append_cons: @ \forall integer n, int_list l1,l2; @ append(cons(n,l1),l2) == cons(n,append(l1,l2)); @ } @*/ Unlike inductive definitions, there is no syntactic condition that guarantees that axiomatic definitions are consistent. It is usually up to the user to ensure that the introduction of axioms does not lead to a logical inconsistency. Example 2.44 The following axiomatization /*@ axiomatic sign { @ logic integer get_sign(real x); @ axiom sign_pos: \forall real x; x >= 0. ==> get_sign(x) == 1; @ axiom sign_neg: \forall real x; x <= 0. ==> get_sign(x) == -1; 49 2.6. LOGIC SPECIFICATIONS @ } @*/ is inconsistent since it implies sign(0.0) == 1 and sign(0.0) == -1, hence -1 == 1 The axiomatic construct is solely a grouping construct, meant to organize declarations that together define the behavior of a collection of types, predicates and logic functions. Currently the grammar requires logic function and predicate declarations and axioms to be written inside an axiomatic; only full definitions may be written outside an axiomatic. 2.6.5 Polymorphic logic types We consider here an algebraic specification setting based on multi-sorted logic, where types can be polymorphic (that is, parametrized by other types). For example, one may declare the type of polymorphic lists as //@ type list<A>; One can then consider for instance list of integers (list <integer>), list of pointers (e.g. list <char*>), list of list of reals (list<list <real> >9 ), etc. The grammar of Figure 2.14 contains rules for declaring polymorphic types and using polymorphic type expressions. 2.6.6 Recursive logic definitions Explicit definitions of logic functions and predicates can be recursive. Declarations in the same bunch of logic declarations are implicitly mutually recursive, so that mutually recursive functions are possible too. Example 2.45 The following logic declaration /*@ logic integer max_index{L}(int t[],integer n) = @ (n==0) ? 0 : @ (t[n-1]==0) ? n-1 : max_index(t, n-1); @*/ defines a logic function that returns the maximal index i between 0 and n-1 such that t[i]=0. There is no syntactic condition on such recursive definitions, such as limitation to primitive recursion. In essence, a recursive definition of the form f(args) = e; where f occurs in expression e is just a shortcut for an axiomatic declaration of f with an axiom \forall args; f(args) = e. In other words, recursive definitions are not guaranteed to be consistent, in the same way that axiomatics may introduce inconsistency. Of course, tools might provide a way to check consistency. 2.6.7 Higher-order logic constructions Experimental Figure 2.17 introduces new term constructs for higher-order logic. Abstraction The term \lambda τ1 x1 ,. . .,τn xn ; t denotes the n-ary logic function that maps x1 , . . . ,xn to t. It has the same precedence as \forall and \exists Extended quantifiers Terms \quant(t1 ,t2 ,t3 ) where quant is max, min, sum, product or numof are extended quantifications. t1 and t2 must have type integer, and t3 must be a unary function with an integer argument, and a numeric value (integer or real) except 9 In this latter case, note that the two ’>’ must be separated by a space, to avoid confusion with the shift operator. 50 2.6. LOGIC SPECIFICATIONS term ::= \lambda binders ; term abstraction | ext-quantifier ( term , term , term ) | { term \with [ range ] = term } a ext-quantifier ::= \max | \min | \sum | \product | \numof a The last term may be either a value of the correct type or a lambda expression from integer to the array element type Figure 2.17: Grammar for higher-order constructs for \numof for which it should have a boolean value. Their meanings are given as follows: \max(i,j,f) = max{f ( i ), f ( i+1), . . . , f ( j )} \min(i,j,f) = min{f ( i ), f ( i+1), . . . , f ( j )} \sum(i,j,f) = f ( i ) + f ( i+1) + · · · + f ( j ) \product(i,j,f) = f ( i ) × f ( i+1) × · · · × f ( j ) \numof(i,j,f) = #{k | i ≤ k ≤ j ∧ f (k)} = \sum(i,j,\lambda integer k ; f(k) ? 1 : 0) If i>j then \sum and \numof above are 0, \product is 1, and \max and \min are unspecified (see Section 2.2.2). Array slice update A term of the form { a \with [ low .. up ] = f } allows updating a slice of an array. a must be an array of τ and f a unary function taking as argument an integer and returning a value of type τ . Such a term denotes an array a′ such that: a[i] if i < low a′ [i] = f (i) if low ≤ i ≤ up a[i] if i > up If low (resp. up) is missing, then all the lower (resp. upper) part of the array gets modified in a′ . If both bounds are omitted, all elements of a′ are computed using f . As a special case, a term of the form { a \with [ low .. up ] = v} where v is a term of type τ is equivalent to { a \with [ low .. up ] = \lambda Z. v }, i.e. it evaluates to an array where the relevant cells all contain the same value v. Finally, ranges can also be used in designated initializers (see section 2.2.7), with the same semantics as above. Example 2.46 Function that sums the elements of an array of doubles. /*@ requires n >= 0 && \valid(t+(0..n-1)) ; @ ensures \result == \sum(0,n-1,\lambda integer k; t[k]); @*/ double array_sum(double t[],int n) { int i; double s = 0.0; /*@ loop invariant 0 <= i <= n; @ loop invariant s == \sum(0,i-1,\lambda integer k; t[k]); @ loop variant n-i; */ for(i=0; i < n; i++) s += t[i]; return s; } Example 2.47 Properties of arrays initialized as a whole slice 51 2.6. LOGIC SPECIFICATIONS //@ type seq = integer[]; //@ logic seq init = { [ .. ] = 0 }; //@ logic seq ident = { init \with [0 .. 10] = \lambda integer i; i }; //@ lemma init_def: \forall integer i; init[i] == 0; //@ lemma ident_def1: \forall integer i; i < 0 ==> ident[i] == 0; //@ lemma ident_def2: \forall integer i; 0 <= i <= 10 ==> ident[i] == i; //@ lemma ident_def3: \forall integer i; i > 10 ==> ident[i] == 0; 2.6.8 Concrete logic types Experimental Logic types may not only be declared but also be given a definition. Defined logic types can be either record types, sum types, product (tuple) types, or function types. These definitions may be recursive. For record types, the field access notation t.id can be used; for sum types, a pattern-matching construction is available. Grammar rules for these additional constructions are given in Figure 2.18 Example 2.48 The declaration //@ type list<A> = Nil | Cons(A,list<A>); introduces a concrete definition of finite lists. The logic definition /*@ logic integer list_length<A>(list<A> l) = @ \match l { @ case Nil : 0 @ case Cons(h,t) : 1+list_length(t) @ }; @*/ defines the length of a list by recursion and pattern-matching. 2.6.9 Hybrid functions and predicates Logic functions and predicates may take arguments with either (pure) C type or logic type. Such a predicate (or function) can either be defined with the same syntax as before (or axiomatized). However, such definitions usually depend on one or more program points, because it depends upon memory states, via expressions such as: – pointer dereferencing: *p, p->f; – array access: t[i]; – address-of operator: &x; – built-in predicate depending on memory: \valid To make such a definition safe, it is mandatory to add after the declared identifier a set of labels, between curly braces. We then speak of a hybrid predicate (or function). The grammar for ident is extended as shown on Figure 2.19. Expressions as above must then be enclosed in an \at construct to refer to a given label. However, to ease reading of such logic expressions, it is allowed to omit a label whenever there is only one label in the context. Example 2.49 The following annotations declare a function that returns the number of occurrences of a given double in a memory block storing doubles between the given indexes, together with the related axioms. It should be noted that without labels, this axiomatization would be inconsistent, since the 52 2.6. LOGIC SPECIFICATIONS logic-def ::= type logic-type = logic-type-def ; logic-type-def ::= record-type | sum-type | product-type | function-type | type-expr type abbreviation record-type ::= { type-expr id ( ; type-expr id)∗ ;? } function-type ::= ( ( type-expr (, type-expr )∗ )? ) -> type-expr sum-type ::= |? constructor ( | constructor)∗ constructor ::= id constant constructor | id ( type-expr (, type-expr)∗ ) non-constant constructor product-type ::= ( type-expr (, type-expr)+ ) product type term ::= term . id record field access | \match term { match-cases } pattern-matching | ( term (, term)+ ) tuples | { (. id = term ;)+ } records | \let ( id (, id)+ ) = term ; term match-cases ::= match-case + match-case ::= case pat : term pat ::= id constant constructor | id ( pat ( , pat)∗ ) non-constant constructor | pat | pat or pattern | _ any pattern | literal | { (. id = pat)∗ } record pattern | ( pat ( , pat )∗ ) tuple pattern | pat as id pattern binding Figure 2.18: Grammar for concrete logic types and pattern-matching 53 2.6. LOGIC SPECIFICATIONS a ident ::= ident label-binders poly-id ::= id label-binders | id type-var-binders label-binders | id label-binders type-var-binders label-binders ::= { label-id (, label-id)∗ } label-id defined in Fig. 2.12 a An ident can have label-binders and actual type arguments, in either order but only at most one of each. Figure 2.19: Grammar for logic declarations with labels function would not depend on the values stored in t, hence the two last axioms would say both that a==b+1 and a==b for some a and b. /*@ axiomatic NbOcc { @ // nb_occ(t,i,j,e) gives the number of occurrences of e in t[i..j] @ // (in a given memory state labelled L) @ logic integer nb_occ{L}(double *t, integer i, integer j, @ double e); @ axiom nb_occ_empty{L}: @ \forall double *t, e, integer i, j; @ i > j ==> nb_occ(t,i,j,e) == 0; @ axiom nb_occ_true{L}: @ \forall double *t, e, integer i, j; @ i <= j && t[j] == e ==> @ nb_occ(t,i,j,e) == nb_occ(t,i,j-1,e) + 1; @ axiom nb_occ_false{L}: @ \forall double *t, e, integer i, j; @ i <= j && t[j] != e ==> @ nb_occ(t,i,j,e) == nb_occ(t,i,j-1,e); @ } @*/ Example 2.50 This second example defines a predicate that indicates whether two memory blocks of the same size are a permutation of each other. It illustrates the use of more than a single label. Thus, the \at operator is mandatory here. Indeed the two blocks may come from two distinct memory states. Typically, one of the post conditions of a sorting function would be permut{Pre,Post}(t,t). /*@ axiomatic Permut { @ // permut{L1,L2}(t1,t2,n) is true whenever t1[0..n-1] in state L1 @ // is a permutation of t2[0..n-1] in state L2 @ predicate permut{L1,L2}(double *t1, double *t2, integer n); @ axiom permut_refl{L}: @ \forall double *t, integer n; permut{L,L}(t,t,n); @ axiom permut_sym{L1,L2} : @ \forall double *t1, *t2, integer n; @ permut{L1,L2}(t1,t2,n) ==> permut{L2,L1}(t2,t1,n) ; @ axiom permut_trans{L1,L2,L3} : @ \forall double *t1, *t2, *t3, integer n; @ permut{L1,L2}(t1,t2,n) && permut{L2,L3}(t2,t3,n) @ ==> permut{L1,L3}(t1,t3,n) ; @ axiom permut_exchange{L1,L2} : 54 2.6. LOGIC SPECIFICATIONS @ \forall double *t1, *t2, integer i, j, n; @ \at(t1[i],L1) == \at(t2[j],L2) && @ \at(t1[j],L1) == \at(t2[i],L2) && @ (\forall integer k; 0 <= k < n && k != i && k != j ==> @ \at(t1[k],L1) == \at(t2[k],L2)) @ ==> permut{L1,L2}(t1,t2,n); @ } @*/ 2.6.10 Memory footprint specification: reads clause logic-function-decl ::= logic type-expr poly-id parameters reads-clause ; logic-predicate-decl ::= predicate poly-id parameters ? reads-clause ; reads-clause ::= reads locations logic-function-def ::= logic type-expr poly-id parameters reads-clause = term ; logic-predicate-def ::= predicate poly-id parameters ? reads-clause = pred ; Figure 2.20: Grammar for logic declarations with reads clauses Experimental Logic declarations may be augmented with a reads clause, with the syntax given in Figure 2.20, which extends the syntax in Figure 2.14. This feature allows specifying the footprint of a hybrid predicate or function, that is, the set of memory locations that it depends on. From such information, one might deduce properties of the form f {L1 }(args) = f {L2 }(args) if it is known that between states L1 and L2 , the memory changes are disjoint from the declared footprint. Only mutable locations need be listed in a reads footprint: locations that hold constants that do not change in the course of a program may be omitted. Example 2.51 The following is the same as example 2.49 augmented with a reads clause. /*@ axiomatic Nb_occ { @ logic integer nb_occ{L}(double *t, integer i, integer j, @ double e) @ reads t[i..j]; @ @ axiom nb_occ_empty{L}: // ... @ @ // ... @ } @*/ If for example a piece of code between labels L_1 and L_2 only modifies t[k] for some index k outside i..j, then one can deduce that nb_occ{L_1}(t,i,j,e)==nb_occ{L_2}(t,i,j,e). 2.6.11 Specification Modules Experimental Specification modules can be provided to encapsulate several logic definitions, for example 55 2.7. POINTERS AND PHYSICAL ADDRESSING /*@ module List { @ @ type list<A> = Nil | Cons(A , list<A>); @ @ logic integer length<A>(list<A> l) = @ \match l { @ case Nil : 0 @ case Cons(h,t) : 1+length(t) } ; @ @ logic A fold_right<A,B>((A -> B -> B) f, list<A> l, B acc) = @ \match l { @ case Nil : acc @ case Cons(h,t) : f(h,fold_right(f,t,acc)) } ; @ @ logic list<A> filter<A>((A -> boolean) f, list<A> l) = @ fold_right((\lambda A x, list<A> acc; @ f(x) ? Cons(x,acc) : acc), Nil) ; @ @ } @*/ Module components are then accessible using a qualified notation like List::length . Predefined algebraic specifications can be provided as libraries (see section 3), and imported using a construct like //@ import List; where the file List.acsl contains logic definitions, like the List module above. 2.7 Pointers and physical addressing The grammar for terms and predicates is extended with new constructs given in Figure 2.21. The arguments of these built-in predicates are terms or location-lists designating sets of locations. Each argument is a set of values of some common pointer type as defined in Section 2.3.4. As indicated below where necessary, many built-in functions and predicates dealing with pointers depend on the size of the referenced type. Thus, they cannot be given a pointer to void as an argument. On the other hand, a pointer referencing an incomplete type (hence having an abstract size) is possible. 2.7.1 Memory blocks and pointer dereferencing C memory is structured into allocated blocks that can come either from a declarator or a call to one of the calloc, malloc or realloc functions. A block is characterized by its base address, which is the address of the declared object (the first declared object in case of an array declarator) or the pointer returned by the allocating function (when the allocation succeeds), and its length. ACSL provides the following built-in functions to deal with allocated blocks. Each of them takes an optional label identifier as argument. The default value of that label is defined in Section 2.4.3. – \base_addr{L}(p) returns the base address of the allocated block containing, at the label L, the pointer p \base_addr{id} : void* → char* – \block_length{L}(p) returns the length (in bytes) of the allocated block containing, at the label L, its argument pointer. \block_length{id} : void* → size_t 56 2.7. POINTERS AND PHYSICAL ADDRESSING term ::= \null | \base_addr one-label ? ( term ) | \block_length one-label ? ( term ) | \offset one-label ? ( term ) | \allocation one-label ? ( term ) pred ::= \allocable one-label ? ( term ) | \freeable one-label ? ( term ) | \fresh two-labels ? ( term, term ) | \valid one-label ? ( locations-list ) | \valid_read one-label ? ( locations-list ) | \separated ( location , locations-list ) | \object_pointer one-label ? ( locations-list ) | \pointer_comparable one-label ? ( term , term ) one-label ::= { label-id } two-labels ::= { label-id, label-id } Figure 2.21: Grammar extension of terms and predicates about memory Moreover, some operations involving pointers may lead to runtime errors. A pointer p is said to be valid if *p is guaranteed to produce a definite value according to the C standard [16]. The following built-in predicates deal with this notion: – \valid applies to a tset (see Section 2.3.4) whose elements have type pointer to some common object type. \valid{L}(s) holds if and only if dereferencing any p ∈ s is safe at label L, both for reading from *p and writing to it. In particular, \valid{L}(\empty) holds for any label L. \valid{id} : set<α *> → boolean – \valid_read applies to a tset of some pointer to an object type and holds if and only if it is safe to read from all the pointers in the set \valid_read{id} : set<α *> → boolean \valid{L}(s) implies \valid_read{L}(s) but the reverse is not true. In particular, it is allowed to read from a string literal, but not to write in it (see [16], 6.4.5§6). The status of \valid and \valid_read constructs depends on the type of their argument. Namely, \valid{L}((int *) p) and \valid{L}((char *)p) are not equivalent. On the other hand, if we ignore potential alignment constraints, the following equivalence is true for any pointer p: \valid{L}(p) <==> \valid{L}(((char *)p)+(0 .. sizeof(*p)-1)) and similarly for \valid_read \valid_read{L}(p) <==> \valid_read{L}(((char *)p)+(0 .. sizeof(*p)-1)) In addition to this notion of validity, it should be noted that adding or subtracting an offset to a pointer, or comparing two pointers may also lead to undefined behaviors (see [16, 6.5.6 and 6.5.8]). Predicates \object_pointer and \pointer_comparable deal with these notions. – \object_pointer applies to a tset of some pointer to an object type. \object_pointer{L}(s) indicates that each element of s either points to an element of an array object whose lifetime includes the program point denoted by L or one past the last element of such an array object. \object_pointer{id} : set<α *> → boolean – \pointer_comparable takes two pointers to object or function type as arguments. \pointer_comparable{L}(p1,p2) holds if and only if p1 and p2 point to the same function 57 2.7. POINTERS AND PHYSICAL ADDRESSING or to an element (or one past the last element) of the same array object. \pointer_comparable{id} : α * → β * → boolean Some shortcuts are provided: – \null is an extra notation for the null pointer (i.e. a shortcut for (void*)0). As in C itself (see [16], 6.3.2.3§3), the constant 0 can have any pointer type. Note that \valid{L}((char*)\null) and \valid_read{L}((char*)\null) are always false, for any logic label L. – \offset{L}(p) returns the offset in bytes between p and its base address \offset{id} : void* → size_t \offset{L}(p) = (char*)p - \base_addr{L}(p) Again, if there are no alignment constraints, the following property holds: for any set of pointers s and label L, \valid_read{L}(s) if and only if for all p∈s: \offset{L}(p) >= 0 && \offset{L}(p) + sizeof(*p) <= \block_length{L}(p) 2.7.2 Separation ACSL provides a built-in function to deal with separation of locations: – \separated applies to tsets (see Section 2.3.4) of pointers to some common object type. \separated(s1 ,s2 ) holds for any set of pointers s1 and s2 if and only if for all p∈s1 and q∈s2 : \forall integer i,j; 0 <= i < sizeof(*p), 0 <= j < sizeof(*q) ==> (char*)p + i != (char*)q + j In fact, \separated is an n-ary predicate. \separated(s1 ,..,sn ) means that for each i ̸= j, \separated(si ,sj ). Note that \separated does not have a label argument. The separation of sets of locations can be determined without reference to the content of the heap, so no reference to a heap state is needed. However the evaluation of each argument may depend on a heap state, so \at expressions are often needed. 2.7.3 Dynamic allocation and deallocation Experimental Allocation-clauses allow specifying which memory locations are dynamically allocated or deallocated. The grammar for those constructions is given in Figure 2.22. allocates \nothing and frees \nothing are respectively equivalent to allocates \empty and frees \empty; it is left for convenience like for assigns clauses. allocation-clause ::= allocates dyn-allocation-addresses ; | frees dyn-allocation-addresses ; loop-allocation ::= loop allocates dyn-allocation-addresses ; | loop frees dyn-allocation-addresses ; a dyn-allocation-addresses ::= locations a \nothing is allowed Figure 2.22: Grammar for dynamic allocations and deallocations 58 2.7. POINTERS AND PHYSICAL ADDRESSING Allocation clauses for function and statement contracts Clauses allocates and frees are tied together. The simple contract /*@ frees P1 ,P2 ,. . .; @ allocates Q1 ,Q2 ,. . .; @*/ where Pi and Qj are sets of pointers to a common object type, means that any memory address that does not belong to the union of the sets has the same allocation status (see below) in the post-state as in the pre-state. The only difference between allocates and frees is that sets Pi are evaluated in the pre-state, and sets Qi are evaluated in the post-state. The built-in type allocation_status can take the following values: /*@ type allocation_status = \static | \register | \automatic | \dynamic | \unallocated; * / Built-in function \allocation{L}(p) returns the allocation status of the block containing, at the label L, the pointer p \allocation{id} : void* → allocation_status This function is such that for any pointer p and label L \allocation{L}(p) == \allocation{L}(\base_addr(p)) and \allocation{L}(p)==\unallocated ==> !\valid_read{L}((char*)p) allocates Q1 ,. . .,Qn is equivalent to the postcondition \forall char* p; \separated(\union(Q1 ,. . .,Qn ),p)==> (\base_addr{Here}(p)==\base_addr{Pre}(p) && \block_length{Here}(p)==\block_length{Pre}(p) && \valid{Here}(p)<==>\valid{Pre}(p) && \valid_read{Here}(p)<==>\valid_read{Pre}(p) && \allocation{Here}(p)==\allocation{Pre}(p)) In fact, just as the assigns clause does not specify precisely which memory locations are modified (just which are permitted to be modified), the allocation-clauses do not specify which memory locations are dynamically allocated or deallocated (just those that might be allocated or deallocated). Pre- conditions and post-conditions should be added to complete the specifications about allocations and deallocations. The following shortcuts can be used for that: – \allocable{L}(p) holds if and only if the pointer p refers, at the label L, to the base address of an unallocated memory block. \allocable{id} : void* → boolean For any pointer p and label L \allocable{L}(p) <==> (\allocation{L}(p)==\unallocated && (void*)p==(void*)\base_addr{L}(p)) – \freeable{L}(p) holds if and only if the pointer p refers, at the label L, to the base address of an allocated memory block that can be safely released using the C function free. Note that \freeable(\null) does not hold, despite NULL being a valid argument to the C function free. \freeable{id} : void* → boolean For any pointer p and label L \freeable{L}(p) <==> (\allocation{L}(p)==\dynamic && (void*)p==(void*)\base_addr{L}(p)) 59 2.7. POINTERS AND PHYSICAL ADDRESSING – \fresh{L0 ,L1 }(p,n) indicates that p refers to the base address of an allocated memory block at label L1 , but that it is not the case at label L0 . The predicate ensures also that, at label L1 , the length (in bytes) of the block allocated dynamically equals n. \fresh{id,id} : void*, integer → boolean For any pointer p and labels L0 and L1 \fresh{L0 ,L1 }(p,n) <==> (\allocable{L0 }(p) && \freeable{L1 }(p) && \block_length{L1 }(p)==n && \valid{L1 }((char*)p+(0 .. (n-1))) Example 2.52 malloc and free functions can be specified as follows. typedef unsigned long size_t; /*@ assigns \nothing; @ allocates \result; @ ensures \result==\null || \fresh{Old,Here}(\result,n); @*/ void *malloc(size_t n); /*@ requires p!=\null ==> \freeable{Here}(p); @ assigns \nothing; @ frees p; @ ensures p!=\null ==> \allocable{Here}(p); @*/ void free(void *p); Default labels for constructs dedicated to memory are such that the logic label Here can be omitted. When a behavior contains only one of the two allocation clauses, the given clause specifies the whole set of memory addresses to consider. This means that the set value for the other clause of that behavior defaults to \nothing. Now, when neither of the two allocation clauses is given, the meaning is different for anonymous behaviors and named behaviors: – a named behavior without allocation clauses does not specify anything about allocations and deallocations. The allocated and deallocated memory blocks are in fact specified by the anonymous behavior of the contract. There is no condition to verify for these named behaviors about allocations and deallocations; – for an anonymous behavior, the absence of allocation clauses means that there is no newly allocated nor deallocated memory block. That is equivalent to stating allocates \nothing; (which is equivalent to allocates \nothing; frees \nothing;). These rules are such that contracts without any allocation clause should be considered as having only one allocates \nothing; leading to a condition to verify for each anonymous behavior. Example 2.53 More precise specifications can be given using named behaviors under the assumption of assumes clauses. typedef unsigned long size_t; //@ ghost int heap_status; /*@ axiomatic dynamic_allocation { @ predicate is_allocable(size_t n) // Can a block of n bytes be allocated? @ reads heap_status; @ } @*/ 60 2.7. POINTERS AND PHYSICAL ADDRESSING /*@ allocates \result; @ behavior allocation: @ assumes is_allocable(n); @ assigns heap_status; @ ensures \fresh(\result,n); @ behavior no_allocation: @ assumes !is_allocable(n); @ assigns \nothing; @ allocates \nothing; @ ensures \result==\null; @ complete behaviors; @ disjoint behaviors; @*/ void *malloc(size_t n); /*@ frees p; @ behavior deallocation: @ assumes p!=\null; @ requires \freeable(p); @ assigns heap_status; @ ensures \allocable(p); @ behavior no_deallocation: @ assumes p==\null; @ assigns \nothing; @ frees \nothing; @ complete behaviors; @ disjoint behaviors; @*/ void free(void *p); The behaviors named allocation and deallocation do not need an allocation clause. For example, the allocation constraint of the allocation behavior is given by the clause allocates \result of the anonymous behavior of the malloc function contract. To set a stronger constraint into the behavior named no_allocation, the clause allocates \nothing should be given. Allocation clauses for loop annotations Loop annotations may contain similar clauses allowing one to specify which memory locations are dynamically allocated or deallocated by a loop. The grammar for those constructions is given in Figure 2.22. The clauses loop allocates and loop frees are tied together. The simple loop annotation /*@ loop frees P1 ,P2 ,. . .; @ loop allocates Q1 ,Q2 ,. . .; */ means that any memory address that does not belong to the union of sets of terms Pi and Qi has the same allocation status in the current state as before entering the loop. The only difference between these two clauses is that sets Pi are evaluated in the state before entering the loop (label LoopEntry), and Qi are evaluated in the current loop state (label LoopCurrent). Just as for loop assigns, the loop annotations loop frees and loop allocates define a loop invariant. More precisely, this loop annotation //@ loop allocates Q1 ,. . .,Qn ; */ is equivalent to the loop invariant \forall char* p; \separated(\union(Q1 ,. . .,Qn ),p) ==> 61 2.8. SETS AND LISTS (\base_addr{Here}(p)==\base_addr{LoopEntry}(p) && \block_length{Here}(p)==\block_length{LoopEntry}(p) && (\valid{Here}(p)<==>\valid{LoopEntry}(p)) && (\valid_read{Here}(p)<==>\valid_read{LoopEntry}(p)) && \allocation{Here}(p)==\allocation{LoopEntry}(p)) Example 2.54 /*@ integer j; 0<=j<n ==> \freeable(q[j]); */ assert \forall /*@ loop assignsq[0..(i-1)]; @ loop frees q[0..\at(i-1,LoopCurrent)]; @ \forall integer j ; loop invariant 0 <= j < i ==> \allocable(\at(q[j],LoopEntry)); @ loop invariant \forall integer j ; 0 <= i <= n; @*/ for (i=0; i<n; i++) { free(q[i]); q[i]=NULL; } The addresses of locations q[0..n] are not modified by the loop, but their values are. The clause loop frees catches the set of the memory blocks that may have been released by the previous loop iterations. The first loop invariant defines exactly these memory blocks. On the other hand, loop frees indicates that the remaining blocks have not been freed since the beginning of the loop. Hence, they are still \freeable as expressed by the initial assert, and free(q[i]) will succeed at next step. A loop-annot without an allocation clause implicitly states loop allocates \nothing. That means the allocation status is not modified by the loop body. A loop-behavior without allocation clause means that the allocated and deallocated memory blocks are in fact specified by the allocation clauses of the loop-annot (The grammar of loop-annot and loop-behaviors is given in Figure 2.10). 2.8 Sets and lists 2.8.1 Finite sets Sets of memory locations (tsets), as defined in Section 2.3.4, can be used as first-class values in annotations. All the elements of such a set must share the same type (taking into account the usual implicit conversions). Sets have the built-in type set<A> where A is the type of terms contained in the set. In addition, it is possible to consider sets of pointers to values of different types. In this case, the set is of type set<char*> and each of its elements e is converted to (char*)e + (0..sizeof(*e)-1). Example 2.55 The following example defines the footprint of a structure, that is the set of locations that can be accessed from an object of this type. struct S { char *x; int *y; }; //@ logic set<char*> footprint(struct S s) = \union(s.x,s.y) ; /*@ logic set<char*> footprint2(struct S s) = 62 2.8. SETS AND LISTS @ \union(s.x,(char*)s.y+(0..sizeof(s.y)-1)) ; @*/ /*@ axiomatic Conv { axiom conversion: \forall struct S s; footprint(s) == \union(s.x,(char*) s.y + (0 .. sizeof(int) - 1)); } */ In the first definition, since the arguments of union are a set<char*> and a set<int*>, the result is a set<char*> (according to typing of union). In other words, the two definitions above are equivalent. This logic function can be used as an argument of \separated or of an assigns clause. Thus, the \separated predicate satisfies the following property (with s1 of type set<τ1 *> and s2 of type set<τ2 *>) \separated(s1 ,s2 ) <==> (\forall τ1 * p; \forall τ2 * q; \subset(p,s1 ) && \subset(q,s2 ) ==> (\forall integer i,j; 0 <= i < \sizeof(τ1 ) && 0 <= j < \sizeof(τ2 ) ==> (char*)p + i != (char*)q + j)) and a clause assigns L1 ,. . .,Ln is equivalent to the postcondition \forall char* p; \separated(\union(&L1 ,. . .,&Ln ),p) ==> *p == \old(*p) 2.8.2 Finite lists The built-in type \list<A> can be used for finite sequences of elements of the same type A. For constructing such homogeneous lists, built-in functions and notations are available. The term \Nil denotes the empty sequence. \list<A> \Nil<A>; The function \Cons prepends an element elt onto a sequence tail \list<A> \Cons<A>(<A> elt, \list<A> tail); while \concat concatenates two sequences \list<A> \concat<A>(\list<A> front, \list<A> tail); and \repeat repeats a sequence n times, n being a positive number \list<A> \repeat<A>(\list<A> seq, integer n); The semantics of these functions rely on two useful functions: \length returns the number of elements of a sequence seq integer \length<A>(\list<A> seq); and \nth returns the element that is at position n of the given sequence seq. The first element is at position 0. <A> \nth<A>(\list<A> seq, integer n); Last but not least, the functions \repeat and \nth aren’t specified for negative number n. The function \nth(l) is also unspecified for index greater than or equal to \length(l). The notation [| |] is just the same thing as \Nil and [|1,2,3|] is the sequence of three integers. In addition the infix operator ^ (resp. *^) is the same as function \concat (resp. \repeat). These infix operators have the same precedence as the conventional bit-wise exclusive-or operator and are left-associative. 63 2.8. SETS AND LISTS term ::= [| |] empty list | [| term (, term)∗ |] list of elements | term ^ term list concatenation (overloading bitwise-xor operator) | term *^ term list repetition Figure 2.23: Notations for built-in list datatype Example 2.56 The following example illustrates using such a data structure and notations in connection with ghost code. //@ ghost int ghost_trace; /*@ axiomatic TraceObserver { @ logic \list<integer> observed_trace{L} reads ghost_trace; @ } @*/ /*@ ghost /@ assigns ghost_trace; @ ensures register: observed_trace == (\old(observed_trace) ^ [| a |]); @/ void track(int a); */ /*@ requires empty_trace: observed_trace == \Nil; @ assigns ghost_trace; @ ensures head_seq: \nth(observed_trace,0) == x; @ behavior shortest_trace: @ assumes no_loop_entrance: n<=0; @ ensures shortest_len: \length(observed_trace) == 2; @ ensures shortest_seq: observed_trace == [| x, z |]; @ behavior longest_trace: @ assumes loop_entrance: n>0; @ ensures longest_len: \length(observed_trace) == 2+n; @ ensures longest_seq: @ observed_trace == ([| x |] ^ ([| y |] *^ n) ^ [| z |]); @*/ void loops(int n, int x, int y, int z) { int i; //@ ghost track(x); /*@ loop assigns i, ghost_trace; @ loop invariant idx_min: 0<=i; @ loop invariant idx_max: 0<=n ? i<=n : i<=0; @ loop invariant inv_seq: @ observed_trace == (\at(observed_trace,LoopEntry) ^ ([| y |] *^ i)); @*/ for (i=0; i<n; i++) { //@ ghost track(y); ; } //@ ghost track(z); } The function track adds a value to the tail of a ghost trace variable. Calls to that function inside ghost statements allow modifying that trace; also properties of the observed_trace can be specified. Notice 64 2.9. ABRUPT TERMINATION that the assigned ghost variable is ghost_trace. 2.9 Abrupt termination abrupt-clause ::= exits-clause exits-clause ::= exits pred ; abrupt-clause-stmt ::= breaks-clause | continues-clause | returns-clause | exits-clause breaks-clause ::= breaks pred ; continues-clause ::= continues pred ; returns-clause ::= returns pred ; term ::= \exit_status Figure 2.24: Grammar of contracts about abrupt terminations The ensures clause of function and statement contracts does not constrain the post-state when the annotated function or statement terminates abruptly. In such cases, abrupt clauses can be used within simple clause or behavior body. The allowed constructs are shown in Figure 2.24. The clauses breaks, continues and returns can only be found in a statement contract and state properties on the program state that hold when the annotated statement terminates abruptly with the corresponding statement (break, continue or return). Inside these clauses, the construct \old(e) is allowed and denotes, as for statement contracts ensures, assigns and allocates, the value of e in the pre-state of the statement. More generally, the visibility in abrupt clauses of predefined logic labels (presented in Section 2.4.3) is the same as in ensures clauses. For the returns case, the \result construct is allowed (if the function does not return void) and is bound to the returned value. Example 2.57 The following example illustrates each abrupt clause of statement contracts. int f(int x) { while (x > 0) { /*@ breaks x % 11 == 0 && x == \old(x); @ continues (x+1) % 11 != 0 && x % 7 == 0 && x == \old(x)-1; @ returns (\result+2) % 11 != 0 && (\result+1) % 7 != 0 @ && \result % 5 == 0 && \result == \old(x)-2; @ ensures (x+3) % 11 != 0 && (x+2) % 7 != 0 && (x+1) % 5 != 0 @ && x == \old(x)-3; @*/ { if (x % 11 == 0) break; x--; if (x % 7 == 0) continue; x--; if (x % 5 == 0) return x; x--; } 65 2.9. ABRUPT TERMINATION } return x; } The exits clause can be used in both function and statement contracts to give behavioral properties to the main function or to any function that may exit the program, e.g. by calling the exit function. The simple contract /*@ exits E; @*/ means that, if the program terminates while executing the corresponding function (or statement), then it exits in a post-state where the property E holds. In any other termination kind, the exits clause does not constrain the post-state. In such clauses, \old(e) is allowed and denotes the value of e in the pre-state of the function or statement, and \exit_status is bound to the return code, e.g. the value returned by main or the argument passed to exit. The construct \exit_status can be used only in exits, assigns and allocates clauses; \result cannot be used in exits clauses. Example 2.58 Here is a complete specification of the exit function, which performs an unconditional exit of the main function: /*@ terminates \true; @ assigns \nothing; @ ensures \false; @ exits \exit_status == status; @*/ void exit(int status); int status; /*@ terminates \true; @ assigns status; @ exits !cond && \exit_status == 1 && status == val; @ ensures cond && status == \old(status); @*/ void may_exit(int cond, int val) { if (! cond) { status = val; exit(1); } } Note that the specification of the may_exit function is incomplete since it allows modifications of the variable status when no exit is performed. Using behaviors, it is possible to distinguish between the exit case and the normal case, as in the following specification: /*@ behavior no_exit : @ assumes cond; @ assigns \nothing; @ exits \false; @ behavior no_return : @ assumes !cond; @ assigns status; @ exits \exit_status == 1 && status == val; @ ensures \false; @*/ void may_exit(int cond, int val) ; 66 2.10. DEPENDENCIES INFORMATION In contrast to ensures clauses, assigns , allocates and frees clauses of function and statement contracts constrain the post-state even when the annotated function or statement terminates abruptly. This is shown in example 2.58 for a function contract. 2.10 Dependencies information Experimental An extended syntax of assigns clauses, described in Figure 2.25, allows specifying data dependencies and functional expressions. assigns-clause ::= assigns locations-list (\from locations )? ; | assigns term \from locations = term ; Figure 2.25: Grammar for dependencies information Such a clause indicates that the assigned values can only depend upon the locations mentioned in the \from part of the clause. Again, this is an over-approximation: all of the locations involved in the computation of the modified values must be present, but some of locations might not be used in practice. If the \from clause is absent, all of the locations reachable at the given point of the program are supposed to be used. Moreover, for a single location, it is possible to give the precise relation between its final value and the value of its dependencies. This expression is evaluated in the pre-state of the corresponding contract. Example 2.59 The following example is a variation of the array_sum function in example 2.46, in which the values of the array are added to a global variable total. double total = 0.0; /*@ requires n >= 0 && \valid(t+(0..n-1)) ; @ assigns total \from t[0..n-1] = total + \sum(0,n-1,\lambda int k; t[k]); @*/ void array_sum(double t[],int n) { int i; for(i=0; i < n; i++) total += t[i]; return; } Example 2.60 The composite element modifier operators can be useful for writing such functional expressions. struct buffer { int pos ; char buf[80]; } line; /*@ requires 80 > line.pos >= 0 ; @ assigns line @ \from line = { line \with .buf = { line.buf \with [line.pos] = (char)’\0’ } }; @*/ void add_eol() { line.buf[line.pos] = ’\0’ ; } 67 2.11. DATA INVARIANTS 2.11 Data invariants Data invariants are properties on data that are supposed to hold permanently during the lifetime of these data. ACSL distinguishes between – global invariants and type invariants: the former only apply to specified global variables, whereas the latter are associated with a static type, and apply to any variables of the corresponding type; – strong invariants and weak invariants: strong invariants must be valid at any time during program execution (more precisely at any sequence point as defined in the C standard), whereas weak invariants must be valid at function boundaries (function entrance and exit) but can be violated in between. data-inv-def ::= data-invariant | type-invariant ? data-invariant ::= inv-strength global invariant id : pred ; type-invariant ::= inv-strength? type invariant id ( C-type-name id ) = pred ; inv-strength ::= weak | strong Figure 2.26: Grammar for declarations of data invariants The syntax for declaring data invariants is given in Figure 2.26. The strength modifier defaults to weak. Example 2.61 In the following example, we declare 1. a weak global invariant a_is_positive, which specifies that global variable a should remain positive (weakly, so this property might be violated temporarily between function calls); 2. a strong type invariant for variables of type temperature; 3. a weak type invariant for variables of type struct S. int a; //@ global invariant a_is_positive: a >= 0 ; typedef double temperature; /*@ strong type invariant temp_in_celsius(temperature t) = @ t >= -273.15 ; @*/ struct S { int f; }; //@ type invariant S_f_is_positive(struct S s) = s.f >= 0 ; 2.11.1 Semantics The distinction between strong and weak invariants has to do with the sequence points where the property is supposed to hold. The distinction between global and type invariants has to do with the set of values on which they are supposed to hold. – Weak global invariants are properties that apply to global data and hold at any function entrance and function exit. 68 2.11. DATA INVARIANTS – Strong global invariants are properties that apply to global data and hold at any step during execution (starting after initialization of these data). – A weak type invariant on type τ must hold at any function entrance and exit, and applies to any value (variable, field, array element, formal parameter, etc.) with static type τ . If the result of a function is of type τ , that result must also satisfy its weak invariant at function exit. – A strong type invariant on type τ must hold at any step (more precisely, ay sequence point as defined in C) during execution, and applies to any global variable, local variable, or formal parameter with static type τ . If the result of a function has type τ , that result must also satisfy its strong invariant at function exit. Example 2.62 The following example illustrates the use of a weak data invariant on a local static variable. void out_char(char c) { static int col = 0; //@ global invariant I : 0 <= col <= 79; col++; if (col >= 80) col = 0; } Example 2.63 Here is a longer example, the famous Dijkstra’s Dutch flag algorithm. typedef enum { BLUE, WHITE, RED } color; /*@ type invariant isColor(color c) = @ c == BLUE || c == WHITE || c == RED ; @*/ /*@ predicate permut{L1,L2}(color *t1, color *t2, integer n) = @ \at(\valid(t1+(0..n)),L1) && \at(\valid(t2+(0..n)),L2) && @ \numof(0,n,\lambda integer i; \at(t1[i],L1) == BLUE) == @ \numof(0,n,\lambda integer i; \at(t2[i],L2) == BLUE) @ && @ \numof(0,n,\lambda integer i; \at(t1[i],L1) == WHITE) == @ \numof(0,n,\lambda integer i; \at(t2[i],L2) == WHITE) @ && @ \numof(0,n,\lambda integer i; \at(t1[i],L1) == RED) == @ \numof(0,n,\lambda integer i; \at(t2[i],L2) == RED); @*/ /*@ requires \valid(t+i) && \valid(t+j); @ assigns t[i],t[j]; @ ensures t[i] == \old(t[j]) && t[j] == \old(t[i]); @*/ void swap(color t[], int i, int j) { int tmp = t[i]; t[i] = t[j]; t[j] = tmp; } typedef struct flag { int n; color *colors; } flag; /*@ type invariant is_colored(flag f) = @ f.n >= 0 && \valid(f.colors+(0..f.n-1)) && @ \forall integer k; 0 <= k < f.n ==> isColor(f.colors[k]) ; @*/ 69 2.11. DATA INVARIANTS /*@ predicate isMonochrome{L}(color *t, integer i, integer j, @ color c) = @ \forall integer k; i <= k <= j ==> t[k] == c ; @*/ /*@ assigns f.colors[0..f.n-1]; @ ensures @ \exists integer b, integer r; @ isMonochrome(f.colors,0,b-1,BLUE) && @ isMonochrome(f.colors,b,r-1,WHITE) && @ isMonochrome(f.colors,r,f.n-1,RED) && @ permut{Old,Here}(f.colors,f.colors,f.n-1); @*/ void dutch_flag(flag f) { color *t = f.colors; int b = 0; int i = 0; int r = f.n; /*@ loop invariant @ (\forall integer k; 0 <= k < f.n ==> isColor(t[k])) && @ 0 <= b <= i <= r <= f.n && @ isMonochrome(t,0,b-1,BLUE) && @ isMonochrome(t,b,i-1,WHITE) && @ isMonochrome(t,r,f.n-1,RED) && @ permut{Pre,Here}(t,t,f.n-1); @ loop assigns b,i,r,t[0 .. f.n-1]; @ loop variant r - i; @*/ while (i < r) { switch (t[i]) { case BLUE: swap(t, b++, i++); break; case WHITE: i++; break; case RED: swap(t, --r, i); break; } } } Note that in this example the invariant could be declared strong. However, not all C enums would obey a corresponding invariant, because in C, enum values are just ints and can hold values other than those listed in the declaration of the enum type. 2.11.2 Model variables and model fields A model variable is a variable introduced in the specification with the keyword model. Its type must be a logic type. Analogously, types may have model fields. These are used to provide abstract specifications for functions whose concrete implementation must remain private. The precise syntax for declaring model variables and fields is given in Figure 2.27. It is presented as additions to the regular C grammar for declarations. The informal semantics of model variables is as follows. 70 2.11. DATA INVARIANTS logic-def ::= model parameter ; model variable | model C-type-name { parameter ;? } ; model field ; Figure 2.27: Grammar for declarations of model variables and fields – Model variables can only appear in specifications. They are not lvalues, thus they cannot be assigned directly (unlike ghost variables, see below). – Nevertheless, a function contract might state that a model variable is assigned, meaning that the value of the model variable may be different between the pre and post states of the contract. – When a function contract mentions model variables: – the precondition is implicitly existentially quantified over those variables; – the postconditions are universally quantified over the old values of model variables, and existentially quantified over the new values. Thus, in practice, the only way to prove that a function body satisfies a contract with model variables is to provide an invariant relating model variables and concrete variables, as in the example below. Model fields behave the same, but they are attached to any value whose static type is the one of the model declaration. A model field can be attached to any C type, not only to struct. When it is attached to a compound type, however, it must not have the same name as a C field of that compound type. In addition, model fields are “inherited” by a typedef in the sense that the newly defined type has also the model fields of its parents (and can acquire more, which will not be present for the parent). For instance, in the following code, t1 has one model field m1, while t2 has two model fields, m1 and m2. typedef int t1; typedef t1 t2; /*@ model t1 { int m1 }; */ /*@ model t2 { int m2 }; */ Example 2.64 Here is an example of a specification for a function that generates fresh integers. The contract is given in terms of a model variable that is intended to represent the set of “forbidden” values, e.g. the values that have already been generated. /* public interface */ //@ model set<integer> forbidden = \empty; /*@ assigns forbidden; @ ensures ! (\result \in \old(forbidden)) @ && \result \in forbidden && \subset(\old(forbidden),forbidden); @*/ int gen(); The contract is expressed abstractly, telling that – the forbidden set of values is modified; – the value returned is not in the set of forbidden values, thus it is “fresh”; – the new set of forbidden values contains both the value returned and the previous forbidden values. The new set may have more values than the union of {\result} and \old(forbidden). An implementation of this function might be as follows, where a decision has been made to generate values in increasing order, so that it is sufficient to record the last value generated. This decision is made explicit by an invariant. /* implementation */ 71 2.12. GHOST VARIABLES AND STATEMENTS int gen() { static int x = 0; /*@ global invariant I: \forall integer k; @ Set::mem(k,forbidden) ==> x > k; @*/ return x++; } Remarks Although the syntax of model variables is close to JML model variables, they differ in the sense that the type of a model variable is a logic type, not a C type. Also, the semantics above is closer to the one of B machines [1]. It should be noticed that program verification with model variables does not have a well-established theoretical background [22, 20], so we deliberately do not provide a precise semantics in this document . 2.12 Ghost variables and statements Ghost variables and statements are like C variables and statements, but visible only in the specifications. They are introduced by the ghost keyword at the beginning of the annotation (i.e. /*@ ghost ... */ or //@ ghost ... for one-line ghost code, as mentioned in section 1.2). The grammar is given in Figure 2.28, in which only the first form of annotation is used. In this figure, the C-* non-terminals refer to the corresponding grammar rules of the ISO standard. The definition of some of them is extended in order to accept ACSL entensions. Such extensions are sometimes only available in ghost code (e.g. use of logic types), or only in the C code (e.g. you can’t use /*@ ghost when already in ghost code). This is mentioned in the definition as well. The variations with respect to the C grammar are the following: – Comments within ghost code must be introduced by // and extend until the end of the line (the ghost code itself is placed inside a C comment, so an embedded comment of the form /* ... */ would be incorrect C code). – It is however possible to write multi-line annotations inside ghost code. These annotations are enclosed between /@ and @/ (since as indicated above, /*@ ... */ would lead to incorrect C code). As in normal annotations, @ characters (most commonly at the beginning of a line and at the end of an annotation, before the final @/) are considered to be white space. This style of annotation is only needed and permitted within ghost code. Also, ghost code may not be written within enclosing ghost code. – Logical types, such as integer or real are authorized in ghost code. – A non-ghost function can take ghost parameters. If such a ghost clause is present in the declarator, then the list of ghost parameters must be non-empty and fixed (no vararg ghost). The call to the function must then provide the appropriate number of ghost parameters. – Any non-ghost if-statement that does not have a non-ghost else clause can be augmented with a ghost one. Similarly, a non-ghost switch can have a ghost default: clause if it does not have a non-ghost one (there are however semantic restrictions for valid ghost labelled statements in a switch, see next paragraph for details). Semantics of Ghost Code The question of semantics is essential for ghost code. Informally, the semantics requires that ghost statements do not change the regular program execution. This implies several conditions, including e.g.: – Ghost code cannot modify a non-ghost C variable. – Ghost code cannot modify a non-ghost structure field. – If p is a ghost pointer pointing to a non-ghost memory location, then it is forbidden to assign *p. 72 2.12. GHOST VARIABLES AND STATEMENTS a C-type-qualifier ::= \ghost ghost qualifier b C-type-specifier ::= logic-type logic-def ::= ghost C-declaration c C-direct-declarator ::= C-direct-declarator function declarator ( C-parameter-type-list? ) /*@ ghost ( C-parameter-type-list with ghost params ) */ d C-postfix-expression ::= C-postfix-expression function call ( C-argument-expression-list? ) /*@ ghost ( C-argument-expression-list with ghost args ) */ e C-statement ::= /*@ ghost C-statement+ ghost code */ | if ( C-expression ) C-statement /*@ ghost else C-statement ghost alternative C-statement∗ unconditional ghost code */ f C-struct-declaration ::= /*@ ghost C-struct-declaration ghost field */ a Extension to the C standard grammar for type qualifiers in ghost code only b extension to the C standard grammar for type specifiers in ghost code only c Extension to the C standard grammar for direct declarators, except in ghost code d Extension to the C standard grammar for postfix expressions, except in ghost code e Extension to the C standard grammar for statements, except in ghost code f Extension to the C standard grammar for struct declarations, except in ghost code Figure 2.28: Grammar for ghost statements 73 2.12. GHOST VARIABLES AND STATEMENTS – The body of a ghost function is ghost code, and hence may not modify non-ghost variables or fields. – If a non-ghost C function is called in ghost code, it must not modify non-ghost variables or fields. – If a structure has ghost fields, the sizeof of the structure is the same as the structure without ghost fields. Also, alignment of fields remains unchanged. – The control-flow graph of a function must not be altered by ghost statements. In particular, no ghost return can appear in the body of a non-ghost function. Similarly, ghost goto, break, and continue cannot jump outside of the innermost non-ghost enclosing block. The semantics is specified as follows. First, the execution of a program with ghost code involves a ghost memory heap and a ghost stack, disjoint from the regular heap and stack. Ghost variables lie in the ghost heap, as do the ghost fields of structures. Thus, every memory side-effect can be classified as ghost or non-ghost. Then, the semantics is that any memory side-effects of ghost code must be only in the ghost heap or the ghost stack. Notice that this semantics is not statically decidable. It is left to tools to provide approximations, correct in the sense that any code statically detected as ghost must be semantically ghost. Example 2.65 The following example shows some invalid assignments of ghost pointers: void f(int x, int *q) { //@ ghost int *p = q; //@ ghost *p = 0; // above assignment is wrong: it modifies *q which lies // in regular memory heap //@ ghost p = &x; //@ ghost *p = 0; // above assignment is wrong: it modifies x which lies // in regular memory stack } Example 2.66 The following example shows some invalid ghost statements: int f (int x, int y) { //@ ghost int z = x + y; switch (x) { case 0: return y; //@ ghost case 1: z=y; // above statement is correct. //@ ghost case 2: { z++; break; } // invalid, would bypass the non-ghost default default: y++; } return y; } int g(int x) { //@ ghost int z = x; if (x > 0) { return x; } //@ ghost else { z++; return x; } // invalid, would bypass the non-ghost return return x+1; } 74 2.12. GHOST VARIABLES AND STATEMENTS The qualifier \ghost can be used, in ghost code only, in declaration of a variable to state precisely in which memory (normal or ghost) its type belongs. Since it is a syntactic element, it is statically decidable. Since \ghost is a qualifier, it obeys to the same typing rules except on two aspects. First, a variable declared in a ghost annotation (including ghost parameters) receives implicitly the \ghost qualifier. Second, compared to the const qualifier, the \ghost qualifier follows a stricter rule. When assigning a reference, the ghost qualification of the lvalue must exactly match the ghost qualification of the reference, meaning that a (non-)\ghost memory location can only be referenced by a pointer to a (non-)\ghost memory location. Example 2.67 The following example shows simple uses of the \ghost qualifier. int a ; // a non-ghost location /*@ ghost int* good0 = &a ; // can be referenced by a pointer to non-ghost int \ghost* bad0 = &a ; // cannot be referenced by a pointer to ghost */ /*@ ghost int g ; // a ghost location int \ghost* good1 = &a ; // can be referenced by a pointer to ghost int * bad1 = &a ; // cannot be referenced by a pointer to non-ghost */ Differences between model variables and ghost variables A ghost variable is an additional specification variable that is assigned in ghost code like any C variable. On the other hand, a model variable cannot be assigned, but one can state it is modified and can express properties about the new value, in a non-deterministic way, using logic assertions and invariants. In other words, specifications using ghost variable assignments are executable. Example 2.68 The example 2.64 can also be specified with a ghost variable instead of a model variable: //@ ghost set<integer> forbidden = \empty; /*@ assigns forbidden; @ ensures ! \subset(\result,\old(forbidden)) @ && \result \in forbidden && \subset(\old(forbidden),forbidden); @*/ int gen() { static int x = 0; /*@ global invariant I: \forall integer k; @ k \in forbidden ==> x > k; @*/ x++; //@ ghost forbidden = \union(x,forbidden); return x; } 2.12.1 Volatile variables Volatile variables can not be used in logic terms, since reading such a variable may have a side effect, in particular two successive reads may return different values. Specifying properties of a volatile variable may be done via a specific construct to attach two ghost functions to it. This construct, described by the grammar of Figure 2.29, has the following shape: volatile τ x; 75 2.12. GHOST VARIABLES AND STATEMENTS logic-def ::= //@ volatile locations (reads ident)? (writes ident)? ; a a only implemented for C-external-declaration Figure 2.29: Grammar for volatile constructs //@ volatile x reads f writes g; where f and g are ghost functions with the following prototypes: τ f(volatile τ * p); τ g(volatile τ * p, τ v); This must be understood as a special construct to instrument the C code, where each access to the variable x is replaced by a call to f(&x), and each assignment to x of a value v is replaced by g(&x,v). If a given volatile variable is only read or only written to, the unused accessor function can be omitted from the volatile construct. Example 2.69 The following code is instrumented in order to inject fixed values at each read of variable x, and collect written values. volatile int x; //@ ghost int injector_x[3] = { 1, 2, 3 }; //@ ghost int injector_count = 0; /*@ ghost /@ requires p == &x; @ assigns injector_count; @/ @ int reads_x(volatile int *p) { @ if (p == &x) @ return injector_x[injector_count++]; @ else @ return 0; // should not happen @ } @*/ //@ ghost int collector_x[3]; //@ ghost int collector_count = 0; /*@ ghost /@ requires p == &x; @ assigns collector_count; @/ @ int writes_x(volatile int *p, int v) { @ if (p == &x) @ return collector_x[collector_count++] = v; @ else @ return 0; // should not happen @ } @*/ //@ volatile x reads reads_x writes writes_x; /*@ ensures collector_count == 3 && collector_x[2] == 2; @ ensures \result == 6; @*/ int main () { int i, sum = 0; for (i=0 ; i < 3; i++) { 76 2.13. INITIALIZATION AND UNDEFINED VALUES sum += x; x = i; } return sum; } pred ::= \initialized one-label ? ( location-address ) | \dangling one-label ? ( location-address ) location-address ::= & location Figure 2.30: Grammar extensions regarding initialized and dangling memory 2.13 Initialization and undefined values \initialized{L}(p) is a predicate taking a set of pointers (to some object type) to l-values as argument (cf. Fig. 2.30) and means that each l-value in this set is initialized at label L. \initialized{id} : set<α*> → boolean Example 2.70 In the following, the assertion is true. int f(int n) { int x; if (n > 0) x = n ; else x = -n; //@ assert \initialized{Here}(&x); return x; } Default labels are such that logic label {Here} can be omitted. 2.14 Dangling pointers \dangling{L}(p) is a predicate taking a set of pointers (to some object type) to l-values as argument (cf. Fig. 2.30) and means that each l-value in this set has a dangling content at label L. That is, its value is (or contains bits of) a dangling address: either the address of a local variable referred to outside of its scope or the address of a variable that has been dynamically allocated, then deallocated. \dangling{id} : set<α*> → boolean Example 2.71 In the following, the assertion holds. int* f() { int a; return &a; } int* g() { int* p = f(); 77 2.15. WELL-TYPED POINTERS //@ assert \dangling{Here}(&p); return p+1; } In most cases, the arguments to \dangling are pointers to l-values that themselves have type pointer, so the usual signature of \dangling is actually set<α**> → boolean. The signature set<α*> → boolean is useful to handle pointer values that have been written inside scalar variables through heterogeneous casts. Note that \dangling takes a set of memory locations as its argument. The predicate is true if all of the memory locations contained in the argument are dangling. That semantics implies that !\dangling(s) is true precisely when at least one of the locations in s is not dangling. !\dangling(s) does not mean that all of the indicated memory locations are not dangling, only that some are. 2.15 Well-typed pointers Experimental pred ::= \valid_function ( locations-list ) Figure 2.31: Grammar for predicates related to well-typedness The predicates of Figure 2.31 are used to relate the type of a pointer to the effective type of the memory location or function that is being pointed to. Currently, only the compatibility of a function pointer with the type of the function it points to is ax- iomatized, through the predicate \valid_function. This predicate has type set<α*> → boolean, and \valid_function(p) holds if and only if – p is a pointer to a function of type t, and – *p is a function whose type is compatible with t, in the sense of [16, §6.2.7] Example 2.72 In the following, the assertions are true. int* f (int x); int main() { int* (*p)(int) = &f; //@ assert \valid_function((int* (*)(int)) p); // true //@ assert \valid_function((int* (*)()) p); // true (see C99 6.7.5.3:15) //@ assert !\valid_function((void* (*)(int)) p); // not compatible: void* and int* are not compatible (see C99 6.7.5.1:2) //@ assert !\valid_function((volatile int* (*)(int)) p); // not compatible: qualifiers cannot be dropped (see C99 6.7.3:9) return *(p(0)); } 2.16 Logic attribute annotations Experimental 78 2.17. PREPROCESSING FOR ACSL These are annotations allowing to add attributes on variables, like regular C qualifiers (const, volatile, restrict), or GNU __attribute__. They are defined in figure 2.32. a C-type-qualifier ::= acsl-attribute acsl-attribute ::= /*@ b id */ implementation dependent attribute a Extension to the C standard grammar for type qualifiers b The identifier may be enclosed between /@ and @/ in ghost code Figure 2.32: Grammar for ACSL attributes Supported attributes are implementation dependent. 2.17 Preprocessing for ACSL The C/C++ preprocessor transforms input text files before the C/C++ compiler acts on them. Although in principle any preprocessor could be used, in practice, a standard C/C++ preprocessor is used by nearly all C/C++ systems and its behavior is assumed in interpreting source files. This standard behavior replaces comments (including ACSL annotation comments) with white space as part of initial tokenization and before any preprocessing directives are interpreted. Thus any tool that embeds information in formatted comments, such as tools that support ACSL, must provide its own tools to do preprocessing. More importantly for language definition, any content within comments cannot change the interpretation of non-comment material that the C/C++ compiler sees. Consequently, the following rules apply to preprocessing features within ACSL annotations: – define and undef are not permitted in an annotation. (If they were to be allowed, their scope would have to extend only to the end of the annotation, which could be confusing to readers.) – macros occurring in an annotation but defined by define statements prior to the annotation are expanded according to the normal rules, including concatenation by ## operators. The context of macro definitions corresponds to the textual location of the annotation, as would be the case if the annotation were not embedded in a comment. – if, ifdef, ifndef, elif, else, endif are permitted but must be completely nested within the annotation in which they appear (an endif and its corresponding if, ifdef, ifndef, or elif must both be in the same annotation comment.) – warning and error are permitted – include is permitted, but will cause errors if it contains, as is almost always the case, other disallowed directives – line is not permitted – pragma and the _Pragma operator are not permitted – stringizing (#) and string concatenation (##) operators are permitted – the defined operator is permitted – the standard predefined macro names are permitted: __DATE__, __TIME__, __FILE__, __LINE__, __STDC_HOSTED__ 79 Libraries 3 Disclaimer: this chapter is unfinished, it is left here to give an idea of what it will look like in the final document. This chapter is devoted to libraries of specification, built upon the ACSL specification language. Section 3.2 describes additional predicates introduced by the Jessie plugin of Frama-C, to propose a slightly higher level of annotation. 3.1 Libraries of logic specifications A standard library is provided, in the spirit of the List module of Section 2.6.11 3.1.1 Real numbers A library of general purpose functions and predicates over real numbers, floats and doubles. Includes – abs, exp, power, log, sin, cos, atan, etc. over reals – isFinite predicate over floats and doubles (means not NaN nor infinity) – rounding reals to floats or doubles with specific rounding modes. 3.1.2 Finite lists – pure functions nil, cons, append, fold, etc. – Path, Reachable, isFiniteList, isCyclic, etc. on C linked-lists. 3.1.3 Sets and Maps Finite sets, finite maps, in ZB-style. 3.2 Jessie library: logical addressing of memory blocks The Jessie library is a collection of logic specifications whose semantics is well-defined only on source codes free from architecture-dependent features. In particular it is currently incompatible with pointer casts or unions (although there is ongoing work to support some of them [23]). As a consequence, a valid pointer of some type τ ∗ necessarily points to a memory block which contains values of type τ . 3.2.1 Abstract level of pointer validity In the particular setting described above, it is possible to introduce the following logic functions: 80 3.3. MEMORY LEAKS /*@ @ logic integer \offset_min{L}<a>(a *p); @ logic integer \offset_max{L}<a>(a *p); @*/ – \offset_min{L}(p) is the minimum integer i such that (p+i) is a valid pointer at label L. – \offset_max{L}(p) is the maximum integer i such that (p+i) is a valid pointer at label L. The following properties hold: \offset_min{L}(p+i) == \offset_min{L}(p)-i \offset_max{L}(p+i) == \offset_max{L}(p)-i It also introduces some syntactic sugar: /*@ predicate \valid_range{L}<a>(a *p,integer i,integer j) = \offset_min{L}(p) <= i && \offset_max{L}(p) >= j; */ and the ACSL built-in predicate \valid{L}(p+(a..b)) is now equivalent to \valid_range{L}(p,a,b). 3.2.2 Strings Experimental The logic function //@ logic integer \strlen(char* p); denotes the length of a 0-terminated C string. It is a total function, whose value is nonnegative if and only if the pointer in the argument is really a string. Example 3.1 Here is a contract for the strcpy function: /*@ // src and dest cannot overlap @ requires \base_addr(src) != \base_addr(dest); @ // src is a valid C string @ requires \strlen(src) >= 0 ; @ // dest is large enough to store a copy of src up to the 0 @ requires \valid(dest+(0..\strlen(src))); @ ensures @ \forall integer k; 0 <= k <= \strlen(src) ==> dest[k] == src[k]; @*/ char* strcpy(char *dest, const char *src); 3.3 Memory leaks Experimental Verification of absence of memory leak is outside the scope of the specification language. On the other hand, various models could be set up, using for example ghost variables. 81 Conclusion 4 This document presents a Behavioral Interface Specification Language for ANSI C source code. It provides a common basis that can be shared among different tools. The specification language described here is intended to evolve in the future and remain open to additional constructions. One interesting possible extension regards “temporal” properties in a large sense, such as liveness properties, which can sometimes be simulated by regular specifications with ghost variables [14], or properties on evolution of data over the time, such as the history constraints of JML, or in the Lustre assertion language. 82 Appendices A A.1 Glossary pure expressions In ACSL setting, a pure expression is a C expression which contains no assignments, no incrementation operator ++ or --, no function call, and no access to a volatile object. The set of pure expressions is a subset of the set of C expressions without side effect (C standard [17, 16], §5.1.2.3, alinea 2). left-values A left-value (lvalue for short) is an expression which denotes some place in the memory during program execution, either on the stack, on the heap, or in the static data segment. It can be either a variable identifier or an expression of the form *e, e[e], e.id or e->id, where e is any expression and id a field name. See C standard, §6.3.2.1 for a more detailed description of lvalues. A modifiable lvalue is an lvalue allowed in the left part of an assignment. In essence, all lvalues are modifiable except variables declared as const or of some array type with explicit length. pre-state and post-state For a given function call, the pre-state denotes the program state at the beginning of the call, including the current values for the function parameters. The post-state denotes the program state at the return of the call. For a statement annotation, the pre-state denotes the program state just prior to the annotation statement; the post-state denotes the program state immediately after execution of the annotated statement (which may be a block statement). For a statement annotation, the pre-state denotes the program state just prior to the annotation statement; the post-state denotes the program state immediately after execution of the annotated statement (which may be a block statement). function behavior A function behavior (behavior for short) is a set of properties relating the pre-state and the post-state for a possibly restricted set of pre-states (behavior assumptions). function contract A function contract (contract for short) forms a specification of a function, consisting of the combination of a precondition (a requirement on the pre-state for any caller to that function), a collection of behaviors, and possibly a measure in case of a recursive function. 83 A.2. BUILTIN FUNCTIONS A.2 Builtin functions The following are pre-defined, mathematical logic functions that are built-in to ACSL. integer \min(integer x, integer y) ; integer \max(integer x, integer y) ; real \min(real x, real y) ; real \max(real x, real y) ; integer \abs(integer x) ; real \abs(real x) ; real \sqrt(real x) ; integer pow(integer x, integer y) ; real \pow(real x, real y) ; integer \ceil(real x) ; integer \floor(real x) ; real \e ; real \exp(real x) ; real \log(real x) ; real \log10(real x) ; real \pi ; real \sin(real x) ; real \cos(real x) ; real \tan(real x) ; real \cosh(real x) ; real \sinh(real x) ; real \tanh(real x) ; real \asin(real x) ; real \acos(real x) ; real \atan(real x) ; real \asinh(real x) ; real \acosh(real x) ; real \atanh(real x) ; real \atan2(real y, real x) ; real \hypot(real x, real y) ; float \round_float(rounding_mode m, real x) ; double \round_double(rounding_mode, real x) ; These are the built-in predicates: \is_finite(float x) ; \is_finite(double x) ; \is_NaN(float x) ; \is_NaN(double x) ; \is_plus_infinity( float x) ; \is_plus_infinity( double x) ; \is_minus_infinity( float x) ; \is_minus_infinity( double x) ; 84 A.2. BUILTIN FUNCTIONS \eq_float(float x, float y) ; \eq_double(double x, double y) ; \gt_float(float x, float y) ; \gt_double(double x, double y) ; \ge_float(float x, float y) ; \ge_double(double x, double y) ; \lt_float(float x, float y) ; \lt_double(double x, double y) ; \le_float(float x, float y) ; \le_double(double x, double y) ; \ne_float(float x, float y) ; \ne_double(double x, double y) ; 85 A.3. COMPARISON WITH JML A.3 Comparison with JML Although ACSL took inspiration from the Java Modeling Language (aka JML [18]), ACSL is notably different from JML in two crucial aspects: – ACSL is a BISL for C, a low-level structured language, while JML is a BISL for Java, an object- oriented inheritance-based high-level language. Not only are the language features not the same between Java and C, but the programming styles and idioms are very different, which then entails different ways of specifying behaviors. In particular, C has no inheritance or exceptions, and no language support for the simplest properties on memory (e.g., the size of an allocated memory block). – JML also supports runtime assertion checking (RAC) when typing, static analysis and automatic deductive verification fail. The example of CCured [24, 9], which also adds strong typing to C by relying on RAC, shows that it is not possible to do it in a modular way. Indeed, it is necessary to modify the layout of C data structures for RAC, which is not modular. The follow-up project Deputy [10] thus reduces the checking power of annotations in order to preserve modularity. In contrast, we choose not to restrain the power of annotations (e.g., all first order logic formulas are allowed). To that end, we rely on manual deductive verification using an interactive theorem prover (e.g., Coq) when every other technique fails. In the remainder of this chapter, we describe these differences in further detail. A.3.1 Low-level language vs. inheritance-based one No inherited specifications JML has a core notion of specification inheritance, which enables support for behavioral subtyping, by applying specifications of parent methods to overriding methods. Inheritance combined with visibility and modularity account for a number of complex features in JML (e.g., spec_public modifier, data groups, represents clauses, etc), that are necessary to express the desired inheritance-related specifications while respecting visibility and modularity. Since C has no inheritance, these intricacies are avoided in ACSL. Error handling without exceptions The usual way of signaling errors in Java is through exceptions. Therefore, JML specifications are tailored to express exceptional postconditions, depending on the exception raised. Since C has no exceptions, ACSL does not use exceptional specifications. Instead, C programmers typically signal errors by returning special values, as is mandated in various ways by the C standard. Example A.1 In §7.12.1 of the standard, it is said that functions in <math.h> signal errors as follows: “On a domain error, [...] the integer expression errno acquires the value EDOM.” Example A.2 In §7.19.5.1 of the standard, it is said that function fclose signals errors as follows: “The fclose function returns [...] EOF if any errors were detected.” Example A.3 In §7.19.6.1 of the standard, it is said that function fprintf signals errors as follows: “The fprintf function returns [...] a negative value if an output or encoding error occurred.” Example A.4 In §7.20.3 of the standard, it is said that memory management functions signal errors as follows: “If the space cannot be allocated, a null pointer is returned.” As shown by these few examples, there is no unique way to signal errors in the C standard library, not to mention errors from user-defined functions. But since errors are signaled by returning special values, it is sufficient to write an appropriate postcondition: /*@ ensures \result == error_value || normal_postcondition; */ 86 A.3. COMPARISON WITH JML C contracts are not Java ones In Java, the precondition of the following function that nullifies an array of characters is always true. Even if there was a precondition on the length of array a, it could easily be expressed using the Java expression a.length that gives the dynamic length of array a. public static void Java_nullify(char[] a) { if (a == null) return; for (int i = 0; i < a.length; ++i) { a[i] = 0; } } On the other hand, the precondition of the same function in C, whose definition follows, is more involved. First, note that the C programmer has to add an extra argument for the size of the array, or rather a lower bound on this array size. void C_nullify(char* a, unsigned int n) { int i; if (n == 0) return; for (i = 0; i < n; ++i) { a[i] = 0; } } A correct precondition for this function is the following: /*@ requires \valid(a + 0..(n-1)); */ where predicate \valid is the one defined in Section 2.7.1. (note that \valid(a + 0..(-1)) is the same as \valid(\empty) and thus is true regardless of the validity of a itself). When n is 0, a does not need to be valid at all, and when n is strictly positive, a must point to an array of size at least n. To make it more obvious, the C programmer adopted a defensive programming style, which returns immediately when n is 0. We can duplicate this in the specification: /*@ requires n == 0 || \valid(a + 0..(n-1)); */ Many memory requirements are only necessary for some paths through the function, which correspond to some particular behaviors, selected according to some tests performed along the corresponding paths. Since C has no memory primitives, these tests involve other variables that the C programmer adds to track additional information, such as n in our example. To make it easier, it is possible in ACSL to distinguish between the assumes part of a behavior, that specifies the tests that need to succeed for this behavior to apply, and the requires part that specifies the additional assumptions that must be true when a behavior applies. The specification for our example can then be translated into: /*@ behavior n_is_null: @ assumes n == 0; @ behavior n_is_not_null: @ assumes n > 0; @ requires \valid(a + 0..(n-1)); @*/ This is equivalent to the previous requirement, except here behaviors can be completed with postconditions that belong to one behavior only. ACSL contracts vs. JML ones In JML, the set of stated behaviors is assumed to cover all permitted uses of the function; any calling context in which none of the requires preconditions are true would be identified as an error. In ACSL, 87 A.3. COMPARISON WITH JML the set of behaviors for a function do not necessarily cover all cases of use for this function, as mentioned in Section 2.3.3. This allows for partial specifications. In the example above, our two behaviors are clearly mutually exclusive, and, since n is an unsigned int, they cover all the possible cases. We could have specified that as well, by adding the following lines in the contract (see Section 2.3.3). @ ... @ disjoint behaviors; @ complete behaviors; @*/ To fully understand the difference between specifications in ACSL and JML, we detail below the requirements on the pre-state and the guarantees in the post-state given by behaviors in JML and ACSL. A JML contract is either lightweight or heavyweight. For the purpose of our comparison, it is sufficient to know that a lightweight contract is syntactic sugar for a single specific heavyweight contract; a contract can have multiple heavyweight behaviors and these can be nested. Here is a hypothetical JML contract: /*@ behavior x1 : @ requires A1 ; @ requires R1 ; @ ensures E1 ; @ behavior x2 : @ requires A2 ; @ requires R2 ; @ ensures E2 ; @*/ It assumes that the pre-state satisfies the condition: ((A1 && R1 ) || (A2 && R2 )) and guarantees that the following condition holds in post-state: (\old(A1 && R1 ) ==> E1 ) && (\old(A2 && R2 ) ==> E2 ) Note particularly that the pre-state is required to satisfy the precondition of at least one behavior. Here is now a syntactically similar ACSL specification: /*@ requires P1 ; @ requires P2 ; @ ensures Q1 ; @ ensures Q2 ; @ behavior x1 : @ assumes A1 ; @ requires R1 ; @ ensures E1 ; @ behavior x2 : @ assumes A2 ; @ requires R2 ; @ ensures E2 ; @*/ Syntactically, the only difference with the JML specification is the addition of the assumes clauses and allowing an anonymous behavior at the beginning of the contract. Rewriting the anonymous behavior with a name gives /*@ @ behavior x0 : @ assumes \true; @ requires P1 ; 88 A.3. COMPARISON WITH JML @ requires P2 ; @ ensures Q1 ; @ ensures Q2 ; @ behavior x1 : @ assumes A1 ; @ requires R1 ; @ ensures E1 ; @ behavior x2 : @ assumes A2 ; @ requires R2 ; @ ensures E2 ; @*/ Its translation to assume-guarantee is however quite different than JML. It assumes the pre-state satisfies the condition (\true ==> (P1 && P2 )) && (A1 ==> R1 ) && (A2 ==> R2 ) Here, it is acceptable that none of the behaviors are active (that is, that none of the assumes clauses are true, even without the unnamed behavior). In that case there is no post-condition guarantee either. The contract guarantees that the following condition holds in the post-state: (\true ==> (Q1 && Q2 )) && (\old(A1 ) ==> E1 ) && (\old(A2 ) ==> E2 ) Thus, ACSL allows distinguishing between the clauses that control which behavior is active (the assumes clauses) and the clauses that are preconditions for a particular behavior (the internal requires clauses). In addition, as mentioned above, there is by default no requirement in ACSL for the specification to be complete. In JML an incomplete specification may cause a warning in a calling context; partial behavior is specified by an explicitly underspecified postcondition. In ACSL, an incomplete specification specifies partial behavior; a warning for a particular behavior is produced by a requires \false; clause. Modifies vs. writes semantics As described in §2.3.2, ACSL interprets frame conditions with modifies semantics, whereas JML defines frame conditions with writes semantics. A.3.2 Deductive verification vs. RAC Sugar-free behaviors As explained in detail in [25], JML heavyweight behaviors can be viewed as syntactic sugar that can be translated automatically into more basic contracts consisting mostly of pre- and postconditions and frame conditions. This allows complex nesting of behaviors from the user point of view, while tools only have to deal with basic contracts. In particular, older tools on JML used this desugaring process, such as the Common JML tools to do assertion checking, unit testing, etc. (see [21]) and the tool ESC/Java2 for automatic deductive verification of JML specifications (see [8]). One issue with such a desugaring approach is the complexity of the transformations involved, as e.g. for desugaring assignable clauses between multiple spec-cases in JML [25]. Another issue is precisely that tools only see one global contract, instead of multiple independent behaviors, that could be analyzed separately in more detail. Instead, we favor the view that a function implements multiple behaviors, that can be analyzed separately if a tool feels like it. Therefore, we do not intend to provide a desugaring process. Indeed, the current JML tool, OpenJML [6, 7], also does only a partial desugaring, which at minimum is able to give more informative error messages when proof attempts fail. 89 A.3. COMPARISON WITH JML Axiomatized functions in specifications JML allows pure Java methods to be called in specifications [19]. This avoids having to write essentially duplicate logical functions that mimic Java functions. It is also useful when relying on RAC: methods called should be defined so that the runtime can call them, and they should not have side-effects in order not to pollute the program they are supposed to annotate. JML also permits model (logical) functions to be used in specifications; if the model function does not have a body, then RAC cannot be used. But for deductive verification, the properties of a model function can be specified axiomatically. ACSL focuses on deductive verification and currently only allows calls to logical functions in specifications. These functions may be defined, like program functions, but they may also be only declared (with a suitable declaration of reads clause) and their behavior defined through an axiomatization. This makes for richer specifications that may be useful either in automatic or in manual deductive verification. A.3.3 Syntactic differences The following table summarizes the difference between JML and ACSL keywords, when the intent is the same, although minor differences might exist. JML ACSL modifiable, assignable assigns measured_by decreases loop_invariant loop invariant decreases loop variant (\forall τ x ; P ; Q) (\forall τ x ; P ==> Q) (\exists τ x ; P ; Q) (\exists τ x ; P && Q) \max τ x ; a <= x <= b ; f) \max(a,b,\lambda τ x ; f) 90 A.4. C GRAMMAR ELEMENTS A.4 C grammar elements This appendix chapter summarizes the elements of the C grammar that are used by ACSL. A.4.1 Identifiers – An id is a sequence of alphanumeric characters and underscores beginning with a non-digit: [a-zA-Z_][a-zA-Z_0-9]* . A.4.2 Literals Numeric, character and string literals are adopted from C without modification: – An integer literal is a digit sequence with optional radix and bit-size indicators: [+-]?(0 | [1-9][0-9]* | 0[0-7]+ | 0x[0-9A-Za-z]+) – A real literal has the following form: [+-]? ([0-9]+)? (\.[0-9]*)? ([eE][+-]?(0-9)+)? ([fFlL])? where there must be either an initial digit sequence or post-decimal point digit sequence and either a decimal point or an exponent.1 – A character literal is a single character or a backslash followed by a single character enclosed in single quotes, optionally preceded by the L character to denote a wide character. – A string literal is a sequence of printable characters or escape sequences enclosed in double quotes: TODO A.4.3 C Type Expressions 1 In C++17 exponents beginning with p or P and hex digit sequences with leading 0x are permitted. 91 A.4. C GRAMMAR ELEMENTS C-type-expr ::= C-specifier-qualifier + C-abstract-declarator ? C-type-name ::= C-declaration-specifier + C-specifier-qualifier ::= C-type-specifier | C-type-qualifier C-type-qualifier ::= const | volatile C-type-specifier ::= void | char | short | int | long | float | double | signed | unsigned a | ( struct | union | enum) ident | ident C-abstract-declarator ::= C-pointer | C-pointer C-direct-abstract-declarator | C-direct-abstract-declarator C-pointer ::= ( * C-type-qualifier ∗ )+ C-direct-abstract-declarator ::= ( C-abstract-declarator ) | C-direct-abstract-declarator ? [ C-constant-expression ] | C-direct-abstract-declarator ? ( C-parameter-type-list? ) C-parameter-type-list ::= C-parameter-declaration (, C-parameter-declaration )+ C-parameter-declaration ::= C-declaration-specifier + C-declarator | C-declaration-specifier + C-abstract-declarator | C-declaration-specifier + C-declaration-specifier ::= C-type-specifier | C-type-qualifier ? C-declarator ::= C-pointer C-direct-declarator C-direct-declarator ::= ident | ( C-declarator ) | C-direct-declarator [ C-constant-expression? ] | C-direct-declarator ( C-parameter-type-list ) | C-direct-declarator ( ident∗ ) b C-constant-expression ::= ... a ACSL does not permit declaring a new type within the type-specifier b An expression formed from constant literals Figure A.1: The grammar of C type expressions, from the C standard 92 A.5. TYPING RULES A.5 Typing rules Disclaimer: this section is unfinished, it is left here just to give an idea of what it will look like when completed. A.5.1 Rules for terms Integer promotion: Γ⊢e:τ Γ ⊢ e : integer if τ is any C integer type char, short, int, or long, whatever attribute they have, in particular signed or unsigned Variables: if id : τ ∈ Γ Γ ⊢ id : τ Unary integer operations: Γ ⊢ t : integer if op ∈ {+, −, ∼} Γ ⊢ op t : integer Boolean negation: Γ ⊢ t : boolean Γ ⊢! t : boolean Pointer dereferencing: Γ ⊢ t : τ∗ Γ ⊢ ∗t : τ Address operator: Γ⊢t:τ Γ ⊢ &t : τ ∗ Binary Γ ⊢ t1 : integer Γ ⊢ t2 : integer if op ∈ {+, −, ∗, /, %} Γ ⊢ t1 op t2 : integer Γ ⊢ t1 : real Γ ⊢ t2 : real if op ∈ {+, −, ∗, /} Γ ⊢ t1 op t2 : real Γ ⊢ t1 : integer Γ ⊢ t2 : integer if op ∈ {==, ! =, <=, <, >=, >} Γ ⊢ t1 op t2 : boolean Γ ⊢ t1 : real Γ ⊢ t2 : real if op ∈ {==, ! =, <=, <, >=, >} Γ ⊢ t1 op t2 : boolean Γ ⊢ t1 : τ ∗ Γ ⊢ t2 : τ ∗ if op ∈ {==, ! =, <=, <, >=, >} Γ ⊢ t1 op t2 : boolean (to be continued) A.5.2 Typing rules for sets We consider the typing judgement Γ, Λ ⊢ s : τ, b meaning that s is a set of terms of type τ , which is moreover a set of locations if the boolean b is true. Γ is the C environment and Λ is the logic environment. Rules: if id : τ ∈ Γ Γ, Λ ⊢ id : τ, true if id : τ ∈ Λ Γ, Λ ⊢ id : τ, true 93 A.5. TYPING RULES Γ, Λ ⊢ s : τ ∗, b Γ, Λ ⊢ ∗s : τ, true id : τ s : set < struct S∗ > ⊢ s− > id : set < τ > Γ, b ∪ Λ ⊢ e : tsetτ Γ, Λ ⊢ {e | b; P } : tsetτ Γ, Λ ⊢ e1 : τ, b Γ, Λ ⊢ e2 : τ, b Γ, Λ ⊢ e1 , e2 : τ, b 94 A.6. SPECIFICATION TEMPLATES A.6 Specification Templates This section describes some common issues that may occur when writing an ACSL specification and proposes some solution to overcome them A.6.1 Accessing a C variable that is masked The situation may happen where it is necessary to refer in an annotation to a C variable that is masked at that point. For instance, a function contract may need to refer to a global variable that has the same name as a function parameter, as in the following code: int x; //@ assigns x; int g(); int f(int x) { // ... return g(); } In order to write the assigns clause for f, we must access the global variable x, since f calls g, which can modify x. This is not possible with C scoping rules, as x refers to the parameter of f in the scope of the function. A solution is to use a ghost pointer to x, as shown in the following code: int x; //@ ghost int* const ghost_ptr_x = &x; //@ assigns x; int g(); //@ assigns *ghost_ptr_x; int f(int x) { // ... return g(); } 95 A.7. ILLUSTRATIVE EXAMPLE A.7 Illustrative example This is an attempt to define an example for ACSL, much as the Purse example in JML description papers. It is a memory allocator, whose main functions are memory_alloc and memory_free, to respectively allocate and deallocate memory. The goal is to exercise as much as possible of ACSL. #include <stdlib.h> #define DEFAULT_BLOCK_SIZE 1000 typedef enum _bool { false = 0, true = 1 } bool; /*@ predicate finite_list<A>((A* -> A*) next_elem, A* ptr) = @ ptr == \null || @ (\valid(ptr) && finite_list(next_elem,next_elem(ptr))) ; @ @ logic integer list_length<A>((A* -> A*) next_elem, A* ptr) = @ (ptr == \null) ? 0 : @ 1 + list_length(next_elem,next_elem(ptr)) ; @ @ @ predicate lower_length<A>((A* -> A*) next_elem, @ A* ptr1, A* ptr2) = @ finite_list(next_elem, ptr1) && finite_list(next_elem, ptr2) @ && list_length(next_elem, ptr1) < list_length(next_elem, ptr2) ; @*/ // forward reference struct _memory_slice; /* A memory block holds a pointer to a raw block of memory allocated by * calling [malloc]. It is sliced into chunks, which are maintained by * the [slice] structure. It maintains additional information such as * the [size] of the memory block, the number of bytes [used] and the [next] * index at which to put a chunk. */ typedef struct _memory_block { //@ ghost boolean packed; // ghost field [packed] is meant to be used as a guard that tells when // the invariant of a structure of type [memory_block] holds unsigned int size; // size of the array [data] unsigned int next; // next index in [data] at which to put a chunk unsigned int used; // how many bytes are used in [data], not necessarily contiguous ones char* data; // raw memory block allocated by [malloc] struct _memory_slice* slice; // structure that describes the slicing of a block into chunks } memory_block; /*@ strong type invariant inv_memory_block(memory_block mb) = @ mb.packed ==> @ (0 < mb.size && mb.used <= mb.next <= mb.size 96 A.7. ILLUSTRATIVE EXAMPLE @ && \offset(mb.data) == 0 @ && \block_length(mb.data) == mb.size) ; @ @ predicate valid_memory_block(memory_block* mb) = @ \valid(mb) && mb->packed ; @*/ /* A memory chunk holds a pointer [data] to some part of a memory block * [block]. It maintains the [offset] at which it points in the block, * as well as the [size] of the block it is allowed to access. * A field [free] tells whether the chunk is used or not. */ typedef struct _memory_chunk { //@ ghost boolean packed; // ghost field [packed] is meant to be used as a guard that tells when // the invariant of a structure of type [memory_chunk] holds unsigned int offset; // offset at which [data] points into [block->data] unsigned int size; // size of the chunk bool free; // true if the chunk is not used, false otherwise memory_block* block; // block of memory into which the chunk points char* data; // shortcut for [block->data + offset] } memory_chunk; /*@ strong type invariant inv_memory_chunk(memory_chunk mc) = @ mc.packed ==> @ (0 < mc.size && valid_memory_block(mc.block) @ && mc.offset + mc.size <= mc.block->next) ; @ @ predicate valid_memory_chunk(memory_chunk* mc, int s) = @ \valid(mc) && mc->packed && mc->size == s ; @ @ predicate used_memory_chunk(memory_chunk mc) = @ mc.free == false ; @ @ predicate freed_memory_chunk(memory_chunk mc) = @ mc.free == true ; @*/ /* A memory chunk list links memory chunks in the same memory block. * Newly allocated chunks are put first, so that the offset of chunks * decreases when following the [next] pointer. Allocated chunks should * fill the memory block up to its own [next] index. */ typedef struct _memory_chunk_list { memory_chunk* chunk; // current list element struct _memory_chunk_list* next; // tail of the list } memory_chunk_list; /*@ logic memory_chunk_list* next_chunk(memory_chunk_list* ptr) = @ ptr->next ; 97 A.7. ILLUSTRATIVE EXAMPLE @ @ predicate valid_memory_chunk_list @ (memory_chunk_list* mcl, memory_block* mb) = @ \valid(mcl) && valid_memory_chunk(mcl->chunk,mcl->chunk->size) @ && mcl->chunk->block == mb @ && (mcl->next == \null || @ valid_memory_chunk_list(mcl->next, mb)) @ && mcl->offset == mcl->chunk->offset @ && ( @ // it is the last chunk in the list @ (mcl->next == \null && mcl->chunk->offset == 0) @ || @ // it is a chunk in the middle of the list @ (mcl->next != \null @ && mcl->next->chunk->offset + mcl->next->chunk->size @ == mcl->chunk->offset) @ ) @ && finite_list(next_chunk, mcl) ; @ @ predicate valid_complete_chunk_list @ (memory_chunk_list* mcl, memory_block* mb) = @ valid_memory_chunk_list(mcl,mb) @ && mcl->next->chunk->offset + @ mcl->next->chunk->size == mb->next ; @ @ predicate chunk_lower_length(memory_chunk_list* ptr1, @ memory_chunk_list* ptr2) = @ lower_length(next_chunk, ptr1, ptr2) ; @*/ /* A memory slice holds together a memory block [block] and a list of chunks * [chunks] on this memory block. */ typedef struct _memory_slice { //@ ghost boolean packed; // ghost field [packed] is meant to be used as a guard that tells when // the invariant of a structure of type [memory_slice] holds memory_block* block; memory_chunk_list* chunks; } memory_slice; /*@ strong type invariant inv_memory_slice(memory_slice* ms) = @ ms.packed ==> @ (valid_memory_block(ms->block) && ms->block->slice == ms @ && (ms->chunks == \null @ || valid_complete_chunk_list(ms->chunks, ms->block))) ; @ @ predicate valid_memory_slice(memory_slice* ms) = @ \valid(ms) && ms->packed ; @*/ /* A memory slice list links memory slices, to form a memory pool. */ typedef struct _memory_slice_list { //@ ghost boolean packed; // ghost field [packed] is meant to be used as a guard that tells when // the invariant of a structure of type [memory_slice_list] holds 98 A.7. ILLUSTRATIVE EXAMPLE memory_slice* slice; // current list element struct _memory_slice_list* next; // tail of the list } memory_slice_list; /*@ logic memory_slice_list* next_slice(memory_slice_list* ptr) = @ ptr->next ; @ @ strong type invariant inv_memory_slice_list(memory_slice_list* msl) = @ msl.packed ==> @ (valid_memory_slice(msl->slice) @ && (msl->next == \null || @ valid_memory_slice_list(msl->next)) @ && finite_list(next_slice, msl)) ; @ @ predicate valid_memory_slice_list(memory_slice_list* msl) = @ \valid(msl) && msl->packed ; @ @ predicate slice_lower_length(memory_slice_list* ptr1, @ memory_slice_list* ptr2) = @ lower_length(next_slice, ptr1, ptr2) @ } */ typedef memory_slice_list* memory_pool; /*@ type invariant valid_memory_pool(memory_pool *mp) = @ \valid(mp) && valid_memory_slice_list(*mp) ; @*/ /*@ behavior zero_size: @ assumes s == 0; @ assigns \nothing; @ ensures \result == 0; @ @ behavior positive_size: @ assumes s > 0; @ requires valid_memory_pool(arena); @ ensures \result == 0 @ || (valid_memory_chunk(\result,s) && @ used_memory_chunk(*\result)); @ */ memory_chunk* memory_alloc(memory_pool* arena, unsigned int s) { memory_slice_list *msl = *arena; memory_chunk_list *mcl; memory_slice *ms; memory_block *mb; memory_chunk *mc; unsigned int mb_size; //@ ghost unsigned int mcl_offset; char *mb_data; // guard condition if (s == 0) return 0; // iterate through memory blocks (or slices) /*@ @ loop invariant valid_memory_slice_list(msl); @ loop variant msl for slice_lower_length; 99 A.7. ILLUSTRATIVE EXAMPLE @ */ while (msl != 0) { ms = msl->slice; mb = ms->block; mcl = ms->chunks; // does [mb] contain enough free space? if (s <= mb->size - mb->next) { //@ ghost ms->ghost = false; // unpack the slice // allocate a new chunk mc = (memory_chunk*)malloc(sizeof(memory_chunk)); if (mc == 0) return 0; mc->offset = mb->next; mc->size = s; mc->free = false; mc->block = mb; //@ ghost mc->ghost = true; // pack the chunk // update block accordingly //@ ghost mb->ghost = false; // unpack the block mb->next += s; mb->used += s; //@ ghost mb->ghost = true; // pack the block // add the new chunk to the list mcl = (memory_chunk_list*)malloc(sizeof(memory_chunk_list)); if (mcl == 0) return 0; mcl->chunk = mc; mcl->next = ms->chunks; ms->chunks = mcl; //@ ghost ms->ghost = true; // pack the slice return mc; } // iterate through memory chunks /*@ @ loop invariant valid_memory_chunk_list(mcl,mb); @ loop variant mcl for chunk_lower_length; @ */ while (mcl != 0) { mc = mcl->chunk; // is [mc] free and large enough? if (mc->free && s <= mc->size) { mc->free = false; mb->used += mc->size; return mc; } // try next chunk mcl = mcl->next; } msl = msl->next; } // allocate a new block mb_size = (DEFAULT_BLOCK_SIZE < s) ? s : DEFAULT_BLOCK_SIZE; mb_data = (char*)malloc(mb_size); if (mb_data == 0) return 0; mb = (memory_block*)malloc(sizeof(memory_block)); if (mb == 0) return 0; mb->size = mb_size; mb->next = s; mb->used = s; 100 A.7. ILLUSTRATIVE EXAMPLE mb->data = mb_data; //@ ghost mb->ghost = true; // pack the block // allocate a new chunk mc = (memory_chunk*)malloc(sizeof(memory_chunk)); if (mc == 0) return 0; mc->offset = 0; mc->size = s; mc->free = false; mc->block = mb; //@ ghost mc->ghost = true; // pack the chunk // allocate a new chunk list mcl = (memory_chunk_list*)malloc(sizeof(memory_chunk_list)); if (mcl == 0) return 0; //@ ghost mcl->offset = 0; mcl->chunk = mc; mcl->next = 0; // allocate a new slice ms = (memory_slice*)malloc(sizeof(memory_slice)); if (ms == 0) return 0; ms->block = mb; ms->chunks = mcl; //@ ghost ms->ghost = true; // pack the slice // update the block accordingly mb->slice = ms; // add the new slice to the list msl = (memory_slice_list*)malloc(sizeof(memory_slice_list)); if (msl == 0) return 0; msl->slice = ms; msl->next = *arena; //@ ghost msl->ghost = true; // pack the slice list *arena = msl; return mc; } /*@ behavior null_chunk: @ assumes chunk == \null; @ assigns \nothing; @ @ behavior valid_chunk: @ assumes chunk != \null; @ requires valid_memory_pool(arena); @ requires valid_memory_chunk(chunk,chunk->size); @ requires used_memory_chunk(chunk); @ ensures @ // if it is not the last chunk in the block, mark it as free @ (valid_memory_chunk(chunk,chunk->size) @ && freed_memory_chunk(chunk)) @ || @ // if it is the last chunk in the block, deallocate the block @ ! \valid(chunk); @ */ void memory_free(memory_pool* arena, memory_chunk* chunk) { memory_slice_list *msl = *arena; memory_block *mb = chunk->block; memory_slice *ms = mb->slice; memory_chunk_list *mcl; memory_chunk *mc; 101 A.7. ILLUSTRATIVE EXAMPLE // is it the last chunk in use in the block? if (mb->used == chunk->size) { // remove the corresponding slice from the memory pool // case it is the first slice if (msl->slice == ms) { *arena = msl->next; //@ ghost msl->ghost = false; // unpack the slice list free(msl); } // case it is not the first slice while (msl != 0) { if (msl->next != 0 && msl->next->slice == ms) { memory_slice_list* msl_next = msl->next; msl->next = msl->next->next; // unpack the slice list //@ ghost msl_next->ghost = false; free(msl_next); break; } msl = msl->next; } //@ ghost ms->ghost = false; // unpack the slice // deallocate all chunks in the block mcl = ms->chunks; // iterate through memory chunks /*@ @ loop invariant valid_memory_chunk_list(mcl,mb); @ loop variant mcl for chunk_lower_length; @ */ while (mcl != 0) { memory_chunk_list *mcl_next = mcl->next; mc = mcl->chunk; //@ ghost mc->ghost = false; // unpack the chunk free(mc); free(mcl); mcl = mcl_next; } mb->next = 0; mb->used = 0; // deallocate the memory block and its data //@ ghost mb->ghost = false; // unpack the block free(mb->data); free(mb); // deallocate the corresponding slice free(ms); return; } // mark the chunk as freed chunk->free = true; // update the block accordingly mb->used -= chunk->size; return; } 102 A.8. CHANGES A.8 Changes A.8.1 Version dev – Introduces built-in predicates \object_pointer and \pointer_comparable (section 2.7.1). A.8.2 Version 1.18 – Clarifies meaning of terminates and decreases/variant clauses (section 2.5.5) A.8.3 Version 1.17 – explicit role of check and admit requires clause with respect to complete and disjoint clauses (section 2.3.3) A.8.4 Version 1.16 – Slightly improve section 2.16, that was a bit rushed into the last version – Introduce check and admit clause kinds (sections 2.3.2, 2.4.1, 2.4.2, 2.4.2, and 2.6.2). A.8.5 Version 1.15 – Add section 2.17 for precising status of pre-processing directives and macros against specifications – Introduction of the \ghost qualifier (section 2.12) A.8.6 Version 1.14 – Introduce check annotation (section 2.4.1) A.8.7 Version 1.13 – New infix predicate \in for set membership (section 2.3.4) – Fixes some typing error for constructs rejecting void* pointers (section 2.7.3) – Notations added for real numbers π and e (section 2.2.5) A.8.8 Version 1.12 – Fixes syntax rule for statement contracts in allowing completeness clauses (figure 2.13) A.8.9 Version 1.11 – Functions related to infinites and the sign of floating-point value (section 2.2.5) – New section for predicates related to well-typedness (section 2.15) – Syntax for defining a set by giving explicitely its elements (section 2.3.4) – Adding lists as first-class values (section 2.8.2) – Change the associativity of bitwise operator --> to right, in accordance with the one of ==> operator – Glyph used for ^^ operator (xor) fixed A.8.10 Version 1.10 – Change keyword for importing libraries (section 2.6.11) – Fix numerous typos reported by David Cok – Disallow meaningless assigns \nothing \from x (section 2.10) 103 A.8. CHANGES A.8.11 Version 1.9 – Fix typo in definition of \fresh predicate (section 2.7.3) – Fix grammar inconsistencies – use proper C rules names – fix mismatch in non-terminal names – Rename "Unspecified values" to "Dangling pointers" and precise it (section 2.14) A.8.12 Version 1.8 – Mention binary literal constant typing A.8.13 Version 1.7 – Added missing shift operators in figure 2.1 – Modified syntax for naming terms and predicates (figures 2.2 and 2.1) – Added syntax rule for literal constants (figure 2.1) A.8.14 Version 1.6 – Modified syntax for model fields (section 2.11.2) – Added missing logical xor operator (figure 2.1). – Addition of logical labels related to loops (section 2.4.3). – Addition of labels to built-ins related to memory blocks (section 2.7.1) – Introduction of \valid_read built-in and clarification of the notion of validity (section 2.7.1). – Introduction of built-in \allocable, \allocation, \freeable and \fresh (section 2.7.3). – Introduction of allocates and frees clauses (section 2.7.3). – Clarify the semantics of assigns clauses into statement contract. – Improvements to the volatile clause (section 2.12.1). – Clarify the evaluation of arrays inside an at (section 2.4.3). A.8.15 Version 1.5 – Clarify the status of loop invariant in presence of break or side-effects in the loop test. – Introduction of \with keyword for functional updates. – Added bnf entry for completeness of function behaviors. – Order of clauses in statement contracts is now fixed. – requires clauses are allowed before behaviors of statement contracts. – Added explicit singleton construct for sets. – Introduction of logical arrays. – Operations over pointers and arrays have been precised. – Predicate \initialized (section 2.13) now takes a set of pointers as argument. A.8.16 Version 1.4 – Added UTF-8 counterparts for built-in types (integer, real, boolean). – Fixed typos in the examples corresponding to features implemented in Frama-C. – Order of clauses in function contracts is now fixed. – Introduction of abrupt termination clauses. – Introduction of axiomatic to gather predicates, logic functions, and their defining axioms. – Added specification templates appendix for common specification issues. – Use of sets as first-class term has been precised. – Fixed semantics of predicate \separated. 104 A.8. CHANGES A.8.17 Version 1.3 – Functional update of structures. – Terminates clause in function behaviors. – Typos reported by David Mentré. A.8.18 Version 1.2 This is the first public release of this document. 105 Bibliography [1] Jean-Raymond Abrial. The B-Book: Assigning Programs to Meanings. Cambridge University Press, 1996. [2] Ali Ayad and Claude Marché. Behavioral properties of floating-point programs. Hisseo publications, 2009. http://hisseo.saclay.inria.fr/ayad09.pdf. [3] Sylvie Boldo and Jean-Christophe Filliâtre. Formal Verification of Floating-Point Programs. In 18th IEEE International Symposium on Computer Arithmetic, pages 187–194, Montpellier, France, June 2007. [4] Patrice Chalin. Reassessing JML’s logical foundation. In Proceedings of the 7th Workshop on Formal Techniques for Java-like Programs (FTfJP’05), Glasgow, Scotland, July 2005. [5] Patrice Chalin. A sound assertion semantics for the dependable systems evolution verifying compiler. In Proceedings of the International Conference on Software Engineering (ICSE’07), pages 23–33, Los Alamitos, CA, USA, 2007. IEEE Computer Society. [6] David R. Cok. OpenJML: JML for Java 7 by Extending OpenJDK. In Mihaela Bobaru, Klaus Havelund, Gerard Holzmann, and Rajeev Joshi, editors, NASA Formal Methods, volume 6617 of Lecture Notes in Computer Science, pages 472–479. Springer Berlin / Heidelberg, 2011. 10.1007/978- 3-642-20398-5_35. [7] David R. Cok. OpenJML: Software verification for Java 7 using JML, OpenJDK, and Eclipse. In F-IDE, pages 79–92, 2014. [8] David R. Cok and Joseph R. Kiniry. ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2, including a case study involving the use of the tool to verify portions of an Internet voting tally system. In Gilles Barthe, Lilian Burdy, Marieke Huisman, Jean-Louis Lanet, and Traian Muntean, editors, Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS 2004), volume 3362 of Lecture Notes in Computer Science, pages 108–128. Springer, 2005. [9] Jeremy Condit, Matthew Harren, Scott McPeak, George C. Necula, and Westley Weimer. Ccured in the real world. In PLDI ’03: Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, pages 232–244, 2003. [10] Jeremy Paul Condit, Matthew Thomas Harren, Zachary Ryan Anderson, David Gay, and George Necula. Dependent types for low-level programming. In ESOP ’07: Proceedings of the 16th European Symposium on Programming, October 2006. [11] Jean-Christophe Filliâtre and Claude Marché. Multi-prover verification of C programs. In Jim Davies, Wolfram Schulte, and Mike Barnett, editors, 6th International Conference on Formal Engineering Methods, volume 3308 of Lecture Notes in Computer Science, pages 15–29, Seattle, WA, USA, November 2004. Springer. 106 BIBLIOGRAPHY [12] Jean-Christophe Filliâtre and Claude Marché. The Why/Krakatoa/Caduceus platform for deductive program verification. In Werner Damm and Holger Hermanns, editors, 19th International Conference on Computer Aided Verification, Lecture Notes in Computer Science, Berlin, Germany, July 2007. Springer. [13] The Frama-C framework for analysis of C code. http://frama-c.cea.fr/. [14] A. Giorgetti and J. Groslambert. JAG: JML Annotation Generation for verifying temporal properties. In FASE’2006, Fundamental Approaches to Software Engineering, volume 3922 of LNCS, pages 373–376, Vienna, Austria, March 2006. Springer. [15] John Hatcliff, Gary T. Leavens, K Rustan M Leino, Peter Müller, and Matthew Parkinson. Behavioral interface specification languages. ACM Computing Surveys (CSUR), 44(3):16, 2012. [16] International Organization for Standardization (ISO). The ANSI C standard (C99). http: //www.open-std.org/JTC1/SC22/WG14/www/docs/n1124.pdf. [17] Brian Kernighan and Dennis Ritchie. The C Programming Language (2nd Ed.). Prentice-Hall, 1988. [18] Gary Leavens. Jml. http://www.eecs.ucf.edu/~leavens/JML/. [19] Gary T. Leavens, Albert L. Baker, and Clyde Ruby. Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06i, Iowa State University, 2000. [20] Gary T. Leavens, K. Rustan M. Leino, and Peter Müller. Specification and verification challenges for sequential object-oriented programs. Form. Asp. Comput., 19(2):159–189, 2007. [21] Gary T. Leavens, K. Rustan M. Leino, Erik Poll, Clyde Ruby, and Bart Jacobs. JML: notations and tools supporting detailed design in Java. In OOPSLA 2000 Companion, Minneapolis, Minnesota, pages 105–106, 2000. [22] Claude Marché. Towards modular algebraic specifications for pointer programs: a case study. In H. Comon-Lundh, C. Kirchner, and H. Kirchner, editors, Rewriting, Computation and Proof, volume 4600 of Lecture Notes in Computer Science, pages 235–258. Springer-Verlag, 2007. [23] Yannick Moy. Union and cast in deductive verification. Technical Report ICIS-R07015, Radboud University Nijmegen, July 2007. http://www.lri.fr/~moy/union_and_cast/union_and_ cast.pdf. [24] George C. Necula, Scott McPeak, and Westley Weimer. CCured: Type-safe retrofitting of legacy code. In Symposium on Principles of Programming Languages, pages 128–139, 2002. [25] Arun D. Raghavan and Gary T. Leavens. Desugaring JML method specifications. Technical Report 00-03a, Iowa State University, 2000. [26] David Stevenson et al. An american national standard: IEEE standard for binary floating point arithmetic. ACM SIGPLAN Notices, 22(2):9–25, 1987. [27] Wikipedia. First order logic. http://en.wikipedia.org/wiki/First_order_logic. [28] Wikipedia. IEEE 754. http://en.wikipedia.org/wiki/IEEE_754-1985. 107 List of Figures 2.1 Grammar of terms. The terminals id, C-type-name, and various literals are the same as the corresponding C lexical tokens (cf. §A.4). . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2 Grammar of predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3 The grammar of C type expressions, from the C standard . . . . . . . . . . . . . . . . . 13 2.4 Grammar of binders and type expressions . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.5 Operator precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.6 Grammar of function contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.7 \old and \result in terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.8 Grammar for sets of memory locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.9 Grammar for assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.10 Grammar for loop annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.11 Grammar for general inductive invariants . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.12 Grammar for at construct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2.13 Grammar for statement contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.14 Grammar for global logic definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 2.15 Grammar for inductive definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.16 Grammar for axiomatic declarations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.17 Grammar for higher-order constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 2.18 Grammar for concrete logic types and pattern-matching . . . . . . . . . . . . . . . . . . 53 2.19 Grammar for logic declarations with labels . . . . . . . . . . . . . . . . . . . . . . . . . . 54 2.20 Grammar for logic declarations with reads clauses . . . . . . . . . . . . . . . . . . . . . 55 2.21 Grammar extension of terms and predicates about memory . . . . . . . . . . . . . . . . 57 2.22 Grammar for dynamic allocations and deallocations . . . . . . . . . . . . . . . . . . . . 58 2.23 Notations for built-in list datatype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 2.24 Grammar of contracts about abrupt terminations . . . . . . . . . . . . . . . . . . . . . . 65 2.25 Grammar for dependencies information . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 2.26 Grammar for declarations of data invariants . . . . . . . . . . . . . . . . . . . . . . . . . 68 2.27 Grammar for declarations of model variables and fields . . . . . . . . . . . . . . . . . . . 71 2.28 Grammar for ghost statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 2.29 Grammar for volatile constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 2.30 Grammar extensions regarding initialized and dangling memory . . . . . . . . . . . . . . 77 2.31 Grammar for predicates related to well-typedness . . . . . . . . . . . . . . . . . . . . . 78 2.32 Grammar for ACSL attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 A.1 The grammar of C type expressions, from the C standard . . . . . . . . . . . . . . . . . 92 108 Index ?, 11, 12 data invariant, 68 _, 53 deallocation, 58 decreases, 24, 42 abrupt clause, 65 dependency, 67 admit, 24 disjoint, 24 \allocable, 57, 59 disjoint behaviors, 29 allocates, 58, 67 double, 13, 92 allocation, 58 \dynamic, 59 \allocation, 57, 59 dynamic allocation, 58 allocation_status, 59 annotation, 32 else, 73 loop, 32 \empty, 30, 31 as, 53 ensures, 24, 25, 41, 65 assert, 32, 33 enum, 13, 92 assertion, 32 \eq_double, 19 assigns, 24, 25, 33, 41, 67 \eq_float, 19 assumes, 24 \exists, 12 \at, 38, 40 \exit_status, 65, 66 \automatic, 59 exits, 65 axiom, 49 axiomatic, 49 \false, 11, 12, 16 float, 13, 92 \base_addr, 56, 57 for, 24, 33, 36, 41 behavior, 24, 27, 41, 83 \forall, 12 behaviors, 24 formal parameter, 25, 26, 69 \block_length, 23, 56, 57 \freeable, 57, 59 boolean, 14, 16 frees, 58, 67 breaks, 65 \fresh, 57, 60 \from, 67 case, 48, 53 function behavior, 27, 83 cast, 17–19 function contract, 24, 83 char, 13, 92 functional expression, 67 check, 24 complete, 24 \ge_double, 19 complete behaviors, 29 \ge_float, 19 comprehension, 31 ghost, 72, 73 \concat, 63 \ghost, 73 \Cons, 63 global, 68 const, 13, 92 global invariant, 68 continues, 65 grammar entries contract, 24, 32, 41, 83 C-abstract-declarator, 13, 92 C-compound-statement, 33 \dangling, 77 C-constant-expression, 13, 92 109 INDEX C-declaration-specifier, 13, 92 lemma-def, 47 C-declarator, 13, 92 literal, 11 C-direct-abstract-declarator, 13, 92 location-address, 77 C-direct-declarator, 13, 73, 92 locations-list, 24 C-external-declaration, 47 locations, 24 C-parameter-declaration, 13, 92 location, 24 C-parameter-type-list, 13, 92 logic-const-decl, 49 C-pointer, 13, 92 logic-const-def, 47 C-postfix-expression, 73 logic-decl, 49 C-specifier-qualifier, 13, 92 logic-def, 47–49, 53, 71, 73, 76 C-statement, 33, 41, 73 logic-function-decl, 49, 55 C-struct-declaration, 73 logic-function-def, 47, 55 C-type-expr, 13, 92 logic-predicate-decl, 49, 55 C-type-name, 13, 92 logic-predicate-def, 47, 55 C-type-qualifier, 13, 73, 79, 92 logic-type-decl, 49 C-type-specifier, 13, 73, 92 logic-type-def, 53 abrupt-clause-stmt, 65 logic-type-name, 14 abrupt-clause, 65 logic-type, 49 acsl-attribute, 79 loop-allocation, 58 allocation-clause, 58 loop-annot, 33 assertion-kind, 33 loop-assigns, 33 assertion, 33, 36 loop-behavior, 33 assigns-clause, 24, 67 loop-clause, 33 assumes-clause, 24 loop-invariant, 33 axiom-def, 49 loop-variant, 33 axiomatic-decl, 49 match-cases, 53 behavior-body-stmt, 41 match-case, 53 behavior-body, 24 named-behavior-stmt, 41 bin-op, 11 named-behavior, 24 binders, 14 one-label, 57 binder, 14 parameters, 47 breaks-clause, 65 parameter, 47 built-in-logic-type, 14 pat, 53 clause-kind, 24 poly-id, 11, 47, 54 completeness-clause, 24 pred, 12, 24, 30, 40, 57, 77, 78 constructor, 53 product-type, 53 continues-clause, 65 range, 30 data-inv-def, 68 reads-clause, 55 data-invariant, 68 record-type, 53 decreases-clause, 24 rel-op, 12 dyn-allocation-addresses, 58 requires-clause, 24 ensures-clause, 24 returns-clause, 65 exits-clause, 65 simple-clause-stmt, 41 ext-quantifier, 51 simple-clause, 24 function-contract, 24 statement-contract, 41 function-type, 53 sum-type, 53 ident, 11, 54 terminates-clause, 24 indcase, 48 term, 11, 24, 40, 51, 53, 57, 64, 65 inductive-def, 48 tset, 30 inv-strength, 68 two-labels, 57 label-binders, 54 type-expr, 14, 47 label-id, 40 type-invariant, 68 110 INDEX type-name, 14 annotation, 32 type-var-binders, 47 assigns, 34 type-var, 47 behavior, 34 unary-op, 11 deallocation, 61 variable-ident, 14 invariant, 34 \gt_double, 19 variant, 35 \gt_float, 19 loop, 33, 58 LoopCurrent, 38, 40 Here, 38, 40, 65 LoopEntry, 38, 40 hybrid \lt_double, 19 function, 52 \lt_float, 19 predicate, 52 lvalue, 83 if, 73 \match, 53 \in, 30 \max, 50, 51 inductive, 48 \min, 50, 51 inductive definitions, 48 model, 70, 71 inductive predicates, 48 module, 55 Init, 38, 40 \initialized, 77 \ne_double, 19 int, 13, 92 \ne_float, 19 integer, 14, 16 \Nil, 63 \inter, 30, 31 \nothing, 24 invariant, 35 \nth, 63 data, 68 \null, 57, 58 global, 68 \numof, 50, 51 loop, 34 strong, 68 \object_pointer, 57 type, 68 \offset, 57, 58 weak, 68 Old, 38, 40, 65 invariant, 33, 36, 68 \old, 24, 25, 38, 65, 66 \is_finite, 20 \pointer_comparable, 57 \is_infinite, 20 polymorphism, 50 \is_minus_infinity, 20 Post, 38, 40, 65 \is_NaN, 20 post-state, 83 \is_plus_infinity, 20 Pre, 38, 40, 65 l-value, 30 pre-state, 83 \lambda, 50, 51 predicate, 11 \le_double, 19 predicate, 47, 49, 55 \le_float, 19 \product, 50, 51 left-value, 83 pure expression, 83 lemma, 47 reads, 55, 76 \length, 63 real, 14, 16 \let, 11, 12, 53 real_of_double, 19 library, 56 real_of_float, 19 \list, 63 recursion, 50 location, 30, 62 \register, 59 logic, 47, 49, 55 \repeat, 63 logic specification, 46 requires, 24, 25 long, 13, 92 \result, 24, 25, 65 loop returns, 65 allocation, 61 \round_double, 19 111 INDEX \round_float, 19 \separated, 57, 58 set type, 62 short, 13, 92 \sign, 20 signed, 13, 92 sizeof, 11, 18 specification, 46 statement contract, 32, 41 \static, 59 strong, 68 struct, 13, 92 \subset, 30 \sum, 50, 51 term, 11 terminates, 24, 44 termination, 35, 42 \true, 11, 12, 16 type concrete, 52 polymorphic, 50 record, 52, 53 sum, 52, 53 type, 49, 53, 68 type invariant, 68 \unallocated, 59 union, 13, 92 \union, 30, 31 unsigned, 13, 92 \valid, 57 valid_function, 78 \valid_function, 78 \valid_read, 57 variant, 33, 35, 42 void, 13, 92 volatile, 13, 75, 76, 92 weak, 68 \with, 11, 51 writes, 76 112