diff --git a/src/plugins/wp/.gitattributes b/src/plugins/wp/.gitattributes
index 6a84feb03c33c929346fe45eb86c1af7611987ae..0403cc5cb8c5f3a999adbfea876cb652d96c5851 100644
--- a/src/plugins/wp/.gitattributes
+++ b/src/plugins/wp/.gitattributes
@@ -64,5 +64,5 @@ MakeDoc header_spec=CEA_WP
/doc/manual/nullable.c header_spec=.ignore
/doc/manual/*.tex header_spec=.ignore
-
+/share/why3/frama_c_wp/Wp.header header_spec=.ignore
/tests/**/* header_spec=.ignore
diff --git a/src/plugins/wp/Factory.ml b/src/plugins/wp/Factory.ml
index 488ce673bc4bf6c3da09f5ec1d0545ed45297c8b..f173e8b2e0bb0dda307e02dd515d13002bb160bd 100644
--- a/src/plugins/wp/Factory.ml
+++ b/src/plugins/wp/Factory.ml
@@ -24,7 +24,7 @@
(* --- Model Factory --- *)
(* -------------------------------------------------------------------------- *)
-type mheap = Hoare | ZeroAlias | Typed of MemTyped.pointer | Eva
+type mheap = Hoare | ZeroAlias | Typed of MemTyped.pointer | Eva | Bytes
type mvar = Raw | Var | Ref | Caveat
type setup = {
@@ -68,6 +68,7 @@ let descr_mheap d = function
| Hoare -> main d "hoare"
| Typed p -> main d "typed" ; descr_mtyped d p
| Eva -> main d "eva"
+ | Bytes -> main d "bytes"
let descr_mvar d = function
| Var -> ()
@@ -205,6 +206,8 @@ module Model_Hoare_Raw = Register(MemVar.Raw)(MemEmpty)
module Model_Hoare_Ref = Register(Ref)(MemEmpty)
module Model_Typed_Var = Register(Var)(MemTyped)
module Model_Typed_Ref = Register(Ref)(MemTyped)
+module Model_Bytes_Var = Register(Var)(MemBytes)
+module Model_Bytes_Ref = Register(Ref)(MemBytes)
module Model_Caveat = Register(Caveat)(MemTyped)
module MemVal = MemVal.Make(MemVal.Eva)
@@ -218,12 +221,20 @@ struct
end
module Comp_MemZeroAlias = MakeCompiler(MemZeroAlias)
+
module Comp_Hoare_Raw = MakeCompiler(Model_Hoare_Raw)
module Comp_Hoare_Ref = MakeCompiler(Model_Hoare_Ref)
+
module Comp_MemTyped = MakeCompiler(MemTyped)
module Comp_Typed_Var = MakeCompiler(Model_Typed_Var)
module Comp_Typed_Ref = MakeCompiler(Model_Typed_Ref)
+
module Comp_Caveat = MakeCompiler(Model_Caveat)
+
+module Comp_MemBytes = MakeCompiler(MemBytes)
+module Comp_Bytes_Var = MakeCompiler(Model_Bytes_Var)
+module Comp_Bytes_Ref = MakeCompiler(Model_Bytes_Ref)
+
module Comp_MemVal = MakeCompiler(MemVal)
@@ -237,6 +248,10 @@ let compiler mheap mvar : (module Sigs.Compiler) =
| Typed _ , Var -> (module Comp_Typed_Var)
| Typed _ , Ref -> (module Comp_Typed_Ref)
| Eva, _ -> (module Comp_MemVal)
+ | Bytes, Raw -> (module Comp_MemBytes)
+ | Bytes, Var -> (module Comp_Bytes_Var)
+ | Bytes, Ref -> (module Comp_Bytes_Ref)
+
(* -------------------------------------------------------------------------- *)
(* --- Tuning --- *)
@@ -246,6 +261,7 @@ let configure_mheap = function
| Hoare -> MemEmpty.configure ()
| ZeroAlias -> MemZeroAlias.configure ()
| Eva -> MemVal.configure ()
+ | Bytes -> MemBytes.configure ()
| Typed p ->
let rollback_memtyped = MemTyped.configure () in
let orig_memtyped_pointer = Context.push MemTyped.pointer p in
@@ -330,6 +346,7 @@ let update_config ~warning m s = function
| "CAST" -> { s with mheap = Typed MemTyped.Unsafe }
| "NOCAST" -> { s with mheap = Typed MemTyped.NoCast }
| "EVA" -> { s with mheap = Eva }
+ | "BYTES" -> { s with mheap = Bytes }
| "CAVEAT" -> { s with mvar = Caveat }
| "RAW" -> { s with mvar = Raw }
| "REF" -> { s with mvar = Ref }
diff --git a/src/plugins/wp/Factory.mli b/src/plugins/wp/Factory.mli
index dc9e29707e3241907c83617588ce6900b2d4fcec..1b9ac3843c252292249ffcc1f491024aefad20b4 100644
--- a/src/plugins/wp/Factory.mli
+++ b/src/plugins/wp/Factory.mli
@@ -24,7 +24,7 @@
(* --- Model Factory --- *)
(* -------------------------------------------------------------------------- *)
-type mheap = Hoare | ZeroAlias | Typed of MemTyped.pointer | Eva
+type mheap = Hoare | ZeroAlias | Typed of MemTyped.pointer | Eva | Bytes
type mvar = Raw | Var | Ref | Caveat
type setup = {
diff --git a/src/plugins/wp/MemAddr.ml b/src/plugins/wp/MemAddr.ml
index 8c8dd1fcb4c4e1bf8a217a849a7492bd2f266995..cbda49a4c972608ba881139407b1a8d9bf2217a3 100644
--- a/src/plugins/wp/MemAddr.ml
+++ b/src/plugins/wp/MemAddr.ml
@@ -34,6 +34,7 @@ let library = "memaddr"
let t_addr = Qed.Logic.Data(Lang.datatype ~library "addr",[])
let t_table = Qed.Logic.Data(Lang.datatype ~library "table",[])
+let t_malloc = Qed.Logic.Array(Qed.Logic.Int, Qed.Logic.Int)
let f_base = Lang.extern_f ~library ~result:Qed.Logic.Int
~link:(Qed.Engine.F_subst ("base", "%1.base")) "base"
diff --git a/src/plugins/wp/MemAddr.mli b/src/plugins/wp/MemAddr.mli
index 93685f13772ac7ec03564eb9d16ad48d67fdea22..482a6d876a76a9d876f9d4f3d1621faa9413289c 100644
--- a/src/plugins/wp/MemAddr.mli
+++ b/src/plugins/wp/MemAddr.mli
@@ -32,6 +32,16 @@ open Lang.F
val t_addr : Lang.tau
(** Pointer type : addr *)
+val t_malloc : Lang.tau
+(** Allocation table : [int[base] -> int]
+
+ Note: this is not a binding with the symbol in the theory but the exact same
+ definition, we need this so that Qed knows the underlying type.
+
+ @since Frama-C+dev
+*)
+
+
(** {2 Basic constructors} *)
val base : term -> term
diff --git a/src/plugins/wp/MemBytes.ml b/src/plugins/wp/MemBytes.ml
new file mode 100644
index 0000000000000000000000000000000000000000..b3d3dad054fceb0e5f459852e480ce16873a2473
--- /dev/null
+++ b/src/plugins/wp/MemBytes.ml
@@ -0,0 +1,1132 @@
+(**************************************************************************)
+(* *)
+(* This file is part of WP plug-in of Frama-C. *)
+(* *)
+(* Copyright (C) 2007-2024 *)
+(* CEA (Commissariat a l'energie atomique et aux energies *)
+(* alternatives) *)
+(* *)
+(* you can redistribute it and/or modify it under the terms of the GNU *)
+(* Lesser General Public License as published by the Free Software *)
+(* Foundation, version 2.1. *)
+(* *)
+(* It is distributed in the hope that it will be useful, *)
+(* but WITHOUT ANY WARRANTY; without even the implied warranty of *)
+(* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *)
+(* GNU Lesser General Public License for more details. *)
+(* *)
+(* See the GNU Lesser General Public License version 2.1 *)
+(* for more details (enclosed in the file licenses/LGPLv2.1). *)
+(* *)
+(**************************************************************************)
+
+open Lang.F
+open Sigs
+open Ctypes
+
+module Logic = Qed.Logic
+
+(* Why3 symbols *)
+
+module Why3 = struct
+ let library = "membytes"
+
+ let t_vblock = Qed.Logic.Array (Qed.Logic.Int, Qed.Logic.Int)
+ let t_memory = Qed.Logic.Array (Qed.Logic.Int,t_vblock)
+ let t_iblock = Qed.Logic.Array (Qed.Logic.Int, Qed.Logic.Bool)
+ let t_init = Qed.Logic.Array (Qed.Logic.Int,t_iblock)
+
+ let ty_fst_arg = function
+ | Some l :: _ -> l
+ | _ -> raise Not_found
+ let l_havoc = Qed.Engine.F_call "havoc"
+ let f_havoc = Lang.extern_f ~library ~typecheck:ty_fst_arg ~link:l_havoc "havoc"
+ let havoc fresh current loc n =
+ Lang.F.e_fun f_havoc [fresh;current;loc;n]
+
+ let p_cinits = Lang.extern_fp ~coloring:true ~library "cinits"
+ let cinits m = p_call p_cinits [m]
+ let p_sconst = Lang.extern_fp ~coloring:true ~library "sconst"
+ let sconst m = p_call p_sconst [m]
+ let p_eqmem = Lang.extern_fp ~library "eqmem"
+ let eqmem m1 m2 a size = p_call p_eqmem [ m1 ; m2 ; a ; size ]
+ let p_is_init_range = Lang.extern_fp ~library "is_init_range"
+ let is_init_range m a size = p_call p_is_init_range [ m ; a ; size ]
+ let f_set_init_range = Lang.extern_fp ~library "set_init_range"
+ let set_init_range m a size = e_fun f_set_init_range [ m ; a ; size ]
+
+ let ty_fst_arg_val = function
+ | Some (Qed.Logic.Array (_, Qed.Logic.Array (_, t))) :: _ -> t
+ | _ -> raise Not_found
+
+ let f_raw_get = Lang.extern_f ~typecheck:ty_fst_arg_val ~library "raw_get"
+ let raw_get m a = e_fun f_raw_get [ m ; a ]
+ let f_raw_set = Lang.extern_f ~typecheck:ty_fst_arg ~library "raw_set"
+ let raw_set m a v = e_fun f_raw_set [ m ; a ; v]
+
+ let p_bytes = Lang.extern_fp ~library "bytes"
+ let bytes m = p_call p_bytes [ m ]
+
+ (* read/write *)
+ let f_read_uint8 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_uint8"
+ let read_uint8 m a = e_fun f_read_uint8 [ m ; a ]
+ let f_read_uint16 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_uint16"
+ let read_uint16 m a = e_fun f_read_uint16 [ m ; a ]
+ let f_read_uint32 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_uint32"
+ let read_uint32 m a = e_fun f_read_uint32 [ m ; a ]
+ let f_read_uint64 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_uint64"
+ let read_uint64 m a = e_fun f_read_uint64 [ m ; a ]
+ let f_read_sint8 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_sint8"
+ let read_sint8 m a = e_fun f_read_sint8 [ m ; a ]
+ let f_read_sint16 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_sint16"
+ let read_sint16 m a = e_fun f_read_sint16 [ m ; a ]
+ let f_read_sint32 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_sint32"
+ let read_sint32 m a = e_fun f_read_sint32 [ m ; a ]
+ let f_read_sint64 = Lang.extern_f ~result:Qed.Logic.Int ~library "read_sint64"
+ let read_sint64 m a = e_fun f_read_sint64 [ m ; a ]
+ let f_write_uint8 = Lang.extern_f ~result:t_memory ~library "write_uint8"
+ let write_uint8 m a v = e_fun f_write_uint8 [ m ; a ; v ]
+ let f_write_uint16 = Lang.extern_f ~result:t_memory ~library "write_uint16"
+ let write_uint16 m a v = e_fun f_write_uint16 [ m ; a ; v ]
+ let f_write_uint32 = Lang.extern_f ~result:t_memory ~library "write_uint32"
+ let write_uint32 m a v = e_fun f_write_uint32 [ m ; a ; v ]
+ let f_write_uint64 = Lang.extern_f ~result:t_memory ~library "write_uint64"
+ let write_uint64 m a v = e_fun f_write_uint64 [ m ; a ; v ]
+ let f_write_sint8 = Lang.extern_f ~result:t_memory ~library "write_sint8"
+ let write_sint8 m a v = e_fun f_write_sint8 [ m ; a ; v ]
+ let f_write_sint16 = Lang.extern_f ~result:t_memory ~library "write_sint16"
+ let write_sint16 m a v = e_fun f_write_sint16 [ m ; a ; v ]
+ let f_write_sint32 = Lang.extern_f ~result:t_memory ~library "write_sint32"
+ let write_sint32 m a v = e_fun f_write_sint32 [ m ; a ; v ]
+ let f_write_sint64 = Lang.extern_f ~result:t_memory ~library "write_sint64"
+ let write_sint64 m a v = e_fun f_write_sint64 [ m ; a ; v ]
+
+ (* init *)
+ let f_read_init8 = Lang.extern_f ~result:Qed.Logic.Bool ~library "read_init8"
+ let read_init8 m a = e_fun f_read_init8 [ m ; a ]
+ let f_read_init16 = Lang.extern_f ~result:Qed.Logic.Bool ~library "read_init16"
+ let read_init16 m a = e_fun f_read_init16 [ m ; a ]
+ let f_read_init32 = Lang.extern_f ~result:Qed.Logic.Bool ~library "read_init32"
+ let read_init32 m a = e_fun f_read_init32 [ m ; a ]
+ let f_read_init64 = Lang.extern_f ~result:Qed.Logic.Bool ~library "read_init64"
+ let read_init64 m a = e_fun f_read_init64 [ m ; a ]
+ let f_write_init8 = Lang.extern_f ~result:t_init ~library "write_init8"
+ let write_init8 m a v = e_fun f_write_init8 [ m ; a ; v ]
+ let f_write_init16 = Lang.extern_f ~result:t_init ~library "write_init16"
+ let write_init16 m a v = e_fun f_write_init16 [ m ; a ; v ]
+ let f_write_init32 = Lang.extern_f ~result:t_init ~library "write_init32"
+ let write_init32 m a v = e_fun f_write_init32 [ m ; a ; v ]
+ let f_write_init64 = Lang.extern_f ~result:t_init ~library "write_init64"
+ let write_init64 m a v = e_fun f_write_init64 [ m ; a ; v ]
+end
+
+(* Model *)
+let datatype = "MemBytes"
+let lc_name = String.lowercase_ascii datatype
+let dkey_state = Wp_parameters.register_category (lc_name ^ ":state")
+let dkey_model = Wp_parameters.register_category (lc_name ^ ":model")
+
+let configure () =
+ begin
+ let orig_pointer = Context.push Lang.pointer MemAddr.t_addr in
+ let orig_null = Context.push Cvalues.null (p_equal MemAddr.null) in
+ let rollback () =
+ Context.pop Lang.pointer orig_pointer ;
+ Context.pop Cvalues.null orig_null ;
+ in
+ rollback
+ end
+let no_binder = { bind = fun _ f v -> f v }
+let configure_ia _ = no_binder
+
+let hypotheses p = p
+
+module Chunk =
+struct
+ type t = Mem | Init | Alloc
+ let self = "Chunk" ^ datatype
+ let hash = Hashtbl.hash
+ let equal = (=)
+ let compare c1 c2 =
+ match c1, c2 with
+ | Mem, Mem | Init, Init | Alloc, Alloc -> 0
+ | Mem, _ -> 1
+ | _, Mem -> -1
+ | Init, _ -> 1
+ | _, Init -> -1
+
+ let pretty fmt = function
+ | Mem -> Format.fprintf fmt "Mem"
+ | Init -> Format.fprintf fmt "Init"
+ | Alloc -> Format.fprintf fmt "Alloc"
+
+ let tau_of_memory = Why3.t_memory
+ let tau_of_init = Why3.t_init
+
+ let tau_of_chunk = function
+ | Mem -> tau_of_memory
+ | Init -> tau_of_init
+ | Alloc -> Logic.Array (Logic.Int, Logic.Int)
+
+ let val_of_chunk = function
+ | Mem -> Logic.Int
+ | Init -> Logic.Bool
+ | Alloc -> Logic.Int
+
+ let basename_of_chunk = function
+ | Mem -> "mem"
+ | Init -> "init"
+ | Alloc -> "alloc"
+
+ let is_framed _ = false
+end
+
+module Heap = Qed.Collection.Make(Chunk)
+module Sigma = Sigma.Make(Chunk)(Heap)
+
+type loc = term
+
+let pretty fmt =
+ Format.fprintf fmt "l:(%a)" pp_term
+
+let vars = vars
+let occurs = occurs
+
+type chunk = Chunk.t
+type sigma = Sigma.t
+type domain = Sigma.domain
+type segment = loc rloc
+
+let comp_cluster () =
+ Definitions.cluster ~id:"Compound" ~title:"Memory Compound Loader" ()
+
+let shift_cluster () =
+ Definitions.cluster ~id:"Shifts" ~title:"Shifts Definitions" ()
+
+
+(* ********************************************************************** *)
+(* SIZE *)
+(* ********************************************************************** *)
+
+module OPAQUE_COMP_LENGTH = WpContext.Generator(Cil_datatype.Compinfo)
+ (struct
+ let name = "MemBytes.EmptyCompLength"
+ type key = Cil_types.compinfo
+ type data = Lang.lfun
+ let compile c =
+ if c.Cil_types.cfields <> None then
+ Wp_parameters.fatal
+ "Asking for opaque struct length on non opaque struct" ;
+ let result = Lang.t_int in
+ let size =
+ Lang.generated_f ~params:[] ~result "Length_of_%s" (Lang.comp_id c)
+ in
+ (* Registration *)
+ Definitions.define_symbol {
+ d_cluster = Definitions.compinfo c ;
+ d_lfun = size ; d_types = 0 ; d_params = [] ;
+ d_definition = Logic result ;
+ } ;
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = "Positive_Length_of_" ^ Lang.comp_id c ;
+ l_triggers = [] ; l_forall = [] ;
+ l_cluster = Definitions.compinfo c ;
+ l_lemma = Lang.F.(p_lt e_zero (e_fun size []))
+ } ;
+ size
+ end)
+
+let protected_sizeof_object = function
+ | C_comp ({ cfields = None } as c) ->
+ e_fun (OPAQUE_COMP_LENGTH.get c) []
+ | obj -> e_int @@ Ctypes.sizeof_object obj
+
+(* ********************************************************************** *)
+(* SHIFT *)
+(* ********************************************************************** *)
+
+type shift =
+ | RS_Field of Cil_types.fieldinfo * term (* offset of the field *)
+ | RS_Index of term (* size of the shift *)
+
+let phi_base = function
+ | p::_ -> MemAddr.base p
+ | _ -> raise Not_found
+
+let phi_field offset = function
+ | [p] -> e_add (MemAddr.offset p) offset
+ | _ -> raise Not_found
+
+let phi_index size = function
+ | [p;k] -> e_add (MemAddr.offset p) (e_mul size k)
+ | _ -> raise Not_found
+
+module RegisterShift = WpContext.Static
+ (struct
+ type key = Lang.lfun
+ type data = shift
+ let name = "MemBytes.RegisterShift"
+ include Lang.Fun
+ end)
+
+let field_offset ci field =
+ let comp = Cil_types.TComp(ci, []) in
+ let field = Cil_types.Field(field, NoOffset) in
+ let bits_offset, bits_size = Cil.bitsOffset comp field in
+ if 0 <> bits_offset mod 8 || 0 <> bits_size mod 8 then
+ Wp_parameters.error "Bitfields not allowed in Bytes model" ;
+ bits_offset / 8
+
+
+module ShiftFieldDef = WpContext.StaticGenerator(Cil_datatype.Fieldinfo)
+ (struct
+ let name = "MemBytes.ShiftFieldDef"
+ type key = Cil_types.fieldinfo
+ type data = Definitions.dfun
+
+ let generate f =
+ let result = MemAddr.t_addr in
+ let lfun = Lang.generated_f ~result "shiftfield_%s" (Lang.field_id f) in
+ (* Since its a generated it is the unique name given *)
+ let p = Lang.freshvar ~basename:"p" MemAddr.t_addr in
+ let tp = e_var p in
+ let position = e_int @@ field_offset f.fcomp f in
+ let def = MemAddr.shift tp position in
+ let dfun = Definitions.Function( result , Def , def) in
+ RegisterShift.define lfun (RS_Field(f,position)) ;
+ MemAddr.register ~base:phi_base ~offset:(phi_field position) lfun ;
+ Definitions.{
+ d_lfun = lfun ; d_types = 0 ;
+ d_params = [p] ;
+ d_definition = dfun ;
+ d_cluster = Definitions.dummy () ;
+ }
+
+ let compile = Lang.local generate
+ end)
+
+module ShiftField = WpContext.Generator(Cil_datatype.Fieldinfo)
+ (struct
+ let name = "MemBytes.ShiftField"
+ type key = Cil_types.fieldinfo
+ type data = Lang.lfun
+ let compile fd =
+ let dfun = ShiftFieldDef.get fd in
+ let d_cluster = shift_cluster () in
+ Definitions.define_symbol { dfun with d_cluster } ;
+ dfun.d_lfun
+ end)
+
+module Cobj =
+struct
+ type t = c_object
+ let pretty = C_object.pretty
+ let compare = compare_ptr_conflated
+end
+
+(* This is a model-independent generator,
+ which will be inherited from the model-dependent clusters *)
+module ShiftGen = WpContext.StaticGenerator(Cobj)
+ (struct
+ let name = "MemBytes.ShiftDef"
+ type key = Cobj.t
+ type data = Definitions.dfun
+
+ let rec c_object_id fmt = function
+ | C_int i -> pp_int fmt i
+ | C_float f -> pp_float fmt f
+ | C_pointer _ -> Format.fprintf fmt "PTR"
+ | C_comp c -> Format.pp_print_string fmt (Lang.comp_id c)
+ | C_array a ->
+ let te = object_of a.arr_element in
+ match a.arr_flat with
+ | None -> Format.fprintf fmt "A_%a" c_object_id te
+ | Some f -> Format.fprintf fmt "A%d_%a" f.arr_size c_object_id te
+
+ let c_object_id c = Format.asprintf "%a@?" c_object_id c
+
+ let generate obj =
+ let result = MemAddr.t_addr in
+ let shift = Lang.generated_f ~result "shift_%s" (c_object_id obj) in
+ let size = protected_sizeof_object obj in
+ (* Since its a generated it is the unique name given *)
+ let p = Lang.freshvar ~basename:"p" MemAddr.t_addr in
+ let tp = e_var p in
+ let k = Lang.freshvar ~basename:"k" Qed.Logic.Int in
+ let tk = e_var k in
+ let def = MemAddr.shift tp (e_mul size tk) in
+ let dfun = Definitions.Function( result , Def , def) in
+ RegisterShift.define shift (RS_Index size) ;
+ MemAddr.register ~base:phi_base ~offset:(phi_index size)
+ ~linear:true shift ;
+ Definitions.{
+ d_lfun = shift ; d_types = 0 ;
+ d_params = [p;k] ;
+ d_definition = dfun ;
+ d_cluster = Definitions.dummy () ;
+ }
+
+ let compile = Lang.local generate
+ end)
+
+(* The model-dependent derivation of model-independent ShiftDef *)
+module Shift = WpContext.Generator(Cobj)
+ (struct
+ let name = "MemBytes.Shift"
+ type key = Cobj.t
+ type data = Lang.lfun
+ let compile obj =
+ let dfun = ShiftGen.get obj in
+ let d_cluster = shift_cluster () in
+ Definitions.define_symbol { dfun with d_cluster } ;
+ dfun.d_lfun
+ end)
+
+let field loc f =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.field %a.%a" datatype pretty loc Cil_printer.pp_field f ;
+ e_fun (ShiftField.get f) [loc]
+let shift loc obj k =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.shift %a + %a(%a)" datatype pretty loc pp_term k Ctypes.pp_object obj ;
+ e_fun (Shift.get obj) [loc;k]
+
+(* ********************************************************************** *)
+(* VALIDITY and SEPARATION *)
+(* ********************************************************************** *)
+
+let allocated sigma l = e_get (Sigma.value sigma Alloc) (MemAddr.base l)
+
+let s_valid sigma acs p n =
+ let valid = match acs with
+ | RW -> MemAddr.valid_rw
+ | RD -> MemAddr.valid_rd
+ | OBJ -> (fun m p _ -> MemAddr.valid_obj m p)
+ in
+ valid (Sigma.value sigma Alloc) p n
+
+let s_invalid sigma p n =
+ MemAddr.invalid (Sigma.value sigma Alloc) p n
+
+let segment phi = function
+ | Rloc(obj,l) ->
+ phi l @@ protected_sizeof_object obj
+ | Rrange(l,obj,Some a,Some b) ->
+ let l = shift l obj a in
+ let n = e_mul (protected_sizeof_object obj) (e_range a b) in
+ phi l n
+ | Rrange(l,_,a,b) ->
+ Wp_parameters.abort ~current:true
+ "Invalid infinite range @[<hov 2>%a+@,(%a@,..%a)@]"
+ Lang.F.pp_term l Vset.pp_bound a Vset.pp_bound b
+
+let valid sigma acs =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.valid _ _" datatype ;
+ segment (s_valid sigma acs)
+let invalid sigma =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.invalid _ _" datatype ;
+ segment (s_invalid sigma)
+
+let included =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.included _ _" datatype ;
+ let addrof l = l in
+ let sizeof obj = protected_sizeof_object obj in
+ MemAddr.included ~shift ~addrof ~sizeof
+
+let separated =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.separated _ _" datatype ;
+ let addrof l = l in
+ let sizeof obj = protected_sizeof_object obj in
+ MemAddr.separated ~shift ~addrof ~sizeof
+
+(* Prepare loader *)
+
+let float_cluster () =
+ Definitions.cluster ~id:"MemBytes.Float" ~title:"MemBytes definitions" ()
+
+module Float = struct
+ type t = Ctypes.c_float
+ let pretty = Ctypes.pp_float
+ let compare = Ctypes.compare_c_float
+ let ikind = function
+ | Float32 -> UInt32
+ | Float64 -> UInt64
+end
+
+module CODEC_FLOAT = WpContext.Generator(Float)
+ (struct
+ let name = "MemBytes.LOAD_FLOAT"
+ type key = Float.t
+ type data = Lang.lfun * Lang.lfun
+
+ let decode ft =
+ let result = Cfloat.tau_of_float ft in
+ let f = Lang.freshvar ~basename:"f" Lang.t_int in
+ let decode =
+ Lang.generated_f ~result "int_to_%a" Float.pretty ft in
+ Definitions.define_symbol {
+ d_lfun = decode ;
+ d_cluster = float_cluster () ; d_types = 0 ;
+ d_params = [ f ] ;
+ d_definition = Logic result ;
+ } ;
+ decode
+
+ let encode ft =
+ let result = Lang.t_int in
+ let f = Lang.freshvar ~basename:"f" @@ Cfloat.tau_of_float ft in
+ let encode =
+ Lang.generated_f ~result "%a_to_int" Float.pretty ft in
+ Definitions.define_symbol {
+ d_lfun = encode ;
+ d_cluster = float_cluster () ; d_types = 0 ;
+ d_params = [ f ] ;
+ d_definition = Logic result ;
+ } ;
+ encode
+
+ let add_decode_encode ft encode decode =
+ let f = Lang.freshvar ~basename:"f" @@ Cfloat.tau_of_float ft in
+ let tf = e_var f in
+ let name = Format.asprintf "decode_encode_%a" Float.pretty ft in
+ let lemma =
+ p_equal tf (e_fun decode [e_fun encode [tf]]) in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ;
+ l_forall = [f] ;
+ l_cluster = float_cluster () ;
+ l_lemma = lemma
+ }
+
+ let add_encode_decode ft encode decode =
+ let i = Lang.freshvar ~basename:"i" Lang.t_int in
+ let ti = e_var i in
+ let name = Format.asprintf "encode_decode_%a" Float.pretty ft in
+ let lemma =
+ p_equal ti (e_fun encode [e_fun decode [ti]]) in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ;
+ l_forall = [i] ;
+ l_cluster = float_cluster () ;
+ l_lemma = lemma
+ }
+
+ let add_encode_bounds ft encode =
+ let f = Lang.freshvar ~basename:"f" @@ Cfloat.tau_of_float ft in
+ let tf = e_var f in
+ let name = Format.asprintf "encode_bounds_%a" Float.pretty ft in
+ let lemma = Cint.range (Float.ikind ft) @@ e_fun encode [ tf ] in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ;
+ l_forall = [f] ;
+ l_cluster = float_cluster () ;
+ l_lemma = lemma
+ }
+
+ let compile ft =
+ let encode = encode ft in
+ let decode = decode ft in
+ add_encode_decode ft encode decode ;
+ add_decode_encode ft encode decode ;
+ add_encode_bounds ft encode ;
+ encode, decode
+ end)
+
+let float_to_int fkind f =
+ e_fun (fst @@ CODEC_FLOAT.get fkind) [ f ]
+
+let int_to_float fkind f =
+ e_fun (snd @@ CODEC_FLOAT.get fkind) [ f ]
+
+let load_int_raw memory kind addr =
+ let read = match kind with
+ | CBool -> Why3.read_uint8
+ | UInt8 -> Why3.read_uint8
+ | SInt8 -> Why3.read_sint8
+ | UInt16 -> Why3.read_uint16
+ | SInt16 -> Why3.read_sint16
+ | UInt32 -> Why3.read_uint32
+ | SInt32 -> Why3.read_sint32
+ | UInt64 -> Why3.read_uint64
+ | SInt64 -> Why3.read_sint64
+ in
+ read memory addr
+
+let load_int sigma kind addr =
+ load_int_raw (Sigma.value sigma Chunk.Mem) kind addr
+
+let load_float sigma kind addr =
+ int_to_float kind @@ load_int sigma (Float.ikind kind) addr
+
+let load_pointer_raw memory _ty loc =
+ MemAddr.addr_of_int @@ load_int_raw memory (Ctypes.c_ptr ()) loc
+
+let load_pointer sigma _ty loc =
+ MemAddr.addr_of_int @@ load_int sigma (Ctypes.c_ptr ()) loc
+
+let load_init memory size loc =
+ match size with
+ | 1 -> Why3.read_init8 memory loc
+ | 2 -> Why3.read_init16 memory loc
+ | 4 -> Why3.read_init32 memory loc
+ | 8 -> Why3.read_init64 memory loc
+ | _ -> assert false
+
+let is_init_atom sigma obj loc =
+ let init_memory = Sigma.value sigma Init in
+ let size = sizeof_object obj in
+ load_init init_memory size loc
+
+let store_int sigma kind addr v =
+ let write = match kind with
+ | CBool -> Why3.write_uint8
+ | UInt8 -> Why3.write_uint8
+ | SInt8 -> Why3.write_sint8
+ | UInt16 -> Why3.write_uint16
+ | SInt16 -> Why3.write_sint16
+ | UInt32 -> Why3.write_uint32
+ | SInt32 -> Why3.write_sint32
+ | UInt64 -> Why3.write_uint64
+ | SInt64 -> Why3.write_sint64
+ in
+ Chunk.Mem, write (Sigma.value sigma Mem) addr v
+
+let store_float sigma kind addr v =
+ store_int sigma (Float.ikind kind) addr @@ float_to_int kind v
+
+let store_pointer sigma _kind addr v =
+ store_int sigma (Ctypes.c_ptr ()) addr @@ MemAddr.int_of_addr v
+
+let store_init_raw m size loc v =
+ let write = match size with
+ | 1 -> Why3.write_init8
+ | 2 -> Why3.write_init16
+ | 4 -> Why3.write_init32
+ | 8 -> Why3.write_init64
+ | _ -> assert false
+ in
+ write m loc v
+
+let set_init_atom sigma obj loc v =
+ let init_memory = Sigma.value sigma Init in
+ let size = sizeof_object obj in
+ Chunk.Init, store_init_raw init_memory size loc v
+
+module Model = struct
+ module Chunk = Chunk
+ module Sigma = Sigma
+
+ let name = "MemBytes.Loader"
+
+ type nonrec loc = loc
+
+ let sizeof = protected_sizeof_object
+ let field = field
+ let shift = shift
+
+ let to_addr l = l
+ let to_region_pointer l = 0,l
+ let of_region_pointer _r _obj l = l
+
+ let value_footprint _ _ = Sigma.Chunk.Set.singleton Chunk.Mem
+ let init_footprint _ _ = Sigma.Chunk.Set.singleton Chunk.Init
+
+ let frames ~addr:p ~offset:n ?(basename="mem") tau =
+ let t_block = Qed.Logic.Array (Qed.Logic.Int, tau) in
+ let t_mem = Qed.Logic.Array(Qed.Logic.Int, t_block) in
+ let m = e_var (Lang.freshvar ~basename t_mem) in
+ let m' = e_var (Lang.freshvar ~basename t_mem) in
+ let p' = e_var (Lang.freshvar ~basename:"q" MemAddr.t_addr) in
+ let n' = e_var (Lang.freshvar ~basename:"n" Qed.Logic.Int) in
+ let mh = Why3.havoc m' m p' n' in
+ let v' = e_var (Lang.freshvar ~basename:"v" tau) in
+ let meq = Why3.eqmem m m' p' n' in
+ let diff = p_call MemAddr.p_separated [p;n;p';e_one] in
+ let sep = p_call MemAddr.p_separated [p;n;p';n'] in
+ let inc = p_call MemAddr.p_included [p;n;p';n'] in
+ let teq = Definitions.Trigger.of_pred meq in
+ [
+ "update" , [] , [diff] , m , Why3.raw_set m p' v' ;
+ "eqmem" , [teq] , [inc;meq] , m , m' ;
+ "havoc" , [] , [sep] , m , mh ;
+ ]
+
+ let frames obj addr = function
+ | Chunk.Alloc -> []
+ | m ->
+ let offset = sizeof obj in
+ let tau = Chunk.val_of_chunk m in
+ let basename = Chunk.basename_of_chunk m in
+ frames ~addr ~offset ~basename tau
+
+ let last sigma obj l =
+ let n = protected_sizeof_object obj in
+ e_sub (e_div (allocated sigma l) n) e_one
+
+ let havoc obj loc ~length chunk ~fresh ~current =
+ if chunk <> Chunk.Alloc then
+ let n = e_mul (e_int @@ sizeof_object obj) length in
+ Why3.havoc fresh current loc n
+ else fresh
+
+ let eqmem obj loc _chunk m1 m2 =
+ Why3.eqmem m1 m2 loc @@ sizeof obj
+
+ let eqmem_forall obj loc _chunk m1 m2 =
+ let xp = Lang.freshvar ~basename:"p" MemAddr.t_addr in
+ let p = e_var xp in
+ let addrof l = l in
+ let separated =
+ MemAddr.separated
+ ~shift ~addrof ~sizeof (Rloc (C_int UInt8, p)) (Rloc (obj, loc))
+ in
+ let equal = p_equal (Why3.raw_get m1 p) (Why3.raw_get m2 p) in
+ [xp],separated,equal
+
+ let load_int = load_int
+ let load_float = load_float
+ let load_pointer = load_pointer
+
+ let store_int = store_int
+ let store_float = store_float
+ let store_pointer = store_pointer
+
+ let is_init_atom = is_init_atom
+ let is_init_range sigma obj loc length =
+ let n = e_mul (sizeof obj) length in
+ Why3.is_init_range (Sigma.value sigma Init) loc n
+
+ let set_init_atom = set_init_atom
+ let set_init obj loc ~length _chunk ~current =
+ let n = e_mul (sizeof obj) length in
+ Why3.set_init_range current loc n
+
+end
+
+include MemLoader.Make(Model)
+
+(* ********************************************************************** *)
+(* BASES *)
+(* ********************************************************************** *)
+
+let cluster_globals () =
+ Definitions.cluster ~id:"Globals" ~title:"Global Variables" ()
+let globals = 0
+let locals = 1
+let formals = 2
+
+module RegisterBASE = WpContext.Index
+ (struct
+ type key = Lang.lfun
+ type data = Cil_types.varinfo
+ let name = "MemBytes.RegisterBASE"
+ include Lang.Fun
+ end)
+
+module BASE = WpContext.Generator(Cil_datatype.Varinfo)
+ (struct
+ let name = datatype ^ ".BASE"
+ type key = Cil_types.varinfo
+ type data = Lang.F.term
+
+ open Cil_types
+
+ let static_alloc prefix base =
+ let name = prefix ^ "_static_alloc" in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ; l_triggers = [] ; l_forall = [] ;
+ l_lemma = MemAddr.static_alloc base ;
+ l_cluster = cluster_globals () ;
+ }
+
+ let region prefix x base =
+ let name = prefix ^ "_region" in
+ let region =
+ if x.vglob then globals
+ else if x.vformal then formals
+ else locals
+ in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ; l_triggers = [] ; l_forall = [] ;
+ l_lemma = p_equal (MemAddr.region base) (e_int region) ;
+ l_cluster = cluster_globals () ;
+ }
+
+ let sizeof x =
+ Warning.handle
+ ~handler:(fun _ -> None)
+ ~effect:(Printf.sprintf "No allocation size for variable '%s'" x.vname)
+ (fun obj -> Some (protected_sizeof_object obj))
+ (Ctypes.object_of x.vtype)
+
+ let alloc prefix x base =
+ let name = prefix ^ "_linked" in
+ let size =
+ if x.vglob then sizeof x else Some e_zero
+ in
+ match size with
+ | None -> ()
+ | Some size ->
+ let a = Lang.freshvar ~basename:"alloc" MemAddr.t_malloc in
+ let m = e_var a in
+ let base_size = p_equal (Lang.F.e_get m base) size in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ; l_forall = [] ;
+ l_lemma = p_forall [a] (p_imply (MemAddr.linked m) base_size) ;
+ l_cluster = cluster_globals () ;
+ }
+
+ (* Specializes the lemma in Pointers below for globals *)
+ let pointer_type prefix base =
+ let name = prefix ^ "_is_pointer" in
+ let typed =
+ MemAddr.in_uintptr_range (MemAddr.global base)
+ in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ; l_forall = [] ;
+ l_lemma = typed ;
+ l_cluster = cluster_globals () ;
+ }
+
+ let compile vi =
+ let result = Logic.Int in
+ let acs_rd = Cil.typeHasQualifier "const" vi.vtype in
+ let prefix =
+ if vi.vglob
+ then if acs_rd then "K" else "G"
+ else if vi.vformal then "P" else "L" in
+ let lfun = Lang.generated_f
+ ~category:Logic.Constructor ~result:Logic.Int "%s_%s_%d"
+ prefix vi.vorig_name vi.vid in
+ Definitions.define_symbol {
+ d_lfun = lfun ; d_types = 0 ; d_params = [ ] ;
+ d_definition = Definitions.Function (result, Def, e_int vi.vid) ;
+ d_cluster = cluster_globals () ;
+ } ;
+ let prefix = Lang.Fun.debug lfun in
+ let base = e_fun lfun [] in
+ RegisterBASE.define lfun vi ;
+ static_alloc prefix base ;
+ region prefix vi base ;
+ alloc prefix vi base ;
+ pointer_type prefix base ;
+ base
+ end)
+
+module LITERAL =
+struct
+ type t = int * Cstring.cst
+ let compare (a:t) (b:t) = Stdlib.compare (fst a) (fst b)
+ let pretty fmt (eid,cst) = Format.fprintf fmt "%a@%d" Cstring.pretty cst eid
+end
+
+module EID = State_builder.Ref(Datatype.Int)
+ (struct
+ let name = datatype ^ ".EID"
+ let dependencies = [Ast.self]
+ let default () = 0
+ end)
+
+module STRING = WpContext.Generator(LITERAL)
+ (struct
+ let name = datatype ^ ".STRING"
+ type key = LITERAL.t
+ type data = term
+
+ let linked prefix base cst =
+ let name = prefix ^ "_linked" in
+ let a = Lang.freshvar ~basename:"alloc" (Chunk.tau_of_chunk Alloc) in
+ let m = e_var a in
+ let alloc = Lang.F.e_get m base in (* The size is alloc-1 *)
+ let sized = Cstring.str_len cst (Lang.F.(e_add alloc e_minus_one)) in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ;
+ l_triggers = [] ; l_forall = [] ;
+ l_lemma = p_forall [a] (p_imply (MemAddr.linked m) sized) ;
+ l_cluster = Cstring.cluster () ;
+ }
+
+ let region prefix base cst =
+ let name = prefix ^ "_region" in
+ let re = - Cstring.str_id cst in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ; l_triggers = [] ; l_forall = [] ;
+ l_lemma = p_equal (MemAddr.region base) (e_int re) ;
+ l_cluster = Cstring.cluster () ;
+ }
+
+ let sconst prefix base cst =
+ (* describe the content of literal strings *)
+ let name = prefix ^ "_literal" in
+ let i = Lang.freshvar ~basename:"i" Lang.t_int in
+ let c = Cstring.char_at cst (e_var i) in
+ let ikind = Ctypes.c_char () in
+ let m = Lang.freshvar ~basename:"mchar" (Chunk.tau_of_chunk Mem) in
+ let addr = shift (MemAddr.global base) (C_int ikind) (e_var i) in
+ let v = load_int_raw (e_var m) ikind addr in
+ let read = Lang.F.(p_equal c v) in
+ Definitions.define_lemma {
+ l_kind = Admit ;
+ l_name = name ; l_triggers = [] ;
+ l_forall = [m;i] ;
+ l_cluster = Cstring.cluster () ;
+ l_lemma = Lang.F.p_imply (Why3.sconst @@ e_var m) read ;
+ }
+
+ let fresh () =
+ let eid = succ (EID.get ()) in
+ EID.set eid ; eid
+
+ let compile (_,cst) =
+ let eid = fresh () in
+ let lfun = Lang.generated_f ~result:Lang.t_int "Str_%d" eid in
+ (* Since its a generated it is the unique name given *)
+ let prefix = Lang.Fun.debug lfun in
+ let base = Lang.F.e_fun lfun [] in
+ Definitions.define_symbol {
+ d_lfun = lfun ; d_types = 0 ; d_params = [] ;
+ d_definition = Logic Lang.t_int ;
+ d_cluster = Cstring.cluster () ;
+ } ;
+ Definitions.define_lemma {
+ l_name = prefix ^ "_base" ;
+ l_kind = Admit ;
+ l_triggers = [] ; l_forall = [] ;
+ l_lemma = Lang.F.(p_lt base e_zero) ;
+ l_cluster = Cstring.cluster () ;
+ } ;
+ region prefix base cst ;
+ linked prefix base cst ;
+ sconst prefix base cst ;
+ base
+
+ end)
+
+let pretty fmt loc =
+ Format.fprintf fmt "l:(%a)" Lang.F.pp_term loc
+
+let null = MemAddr.null
+
+let literal ~eid cst =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.literal %d _" datatype eid ;
+ shift (MemAddr.global (STRING.get (eid,cst))) (C_int (Ctypes.c_char ())) e_zero
+
+let cvar vi =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.cvar %a" datatype Cil_printer.pp_varinfo vi ;
+ MemAddr.global (BASE.get vi)
+
+let global _sigma p =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.global _ _" datatype ;
+ p_leq (MemAddr.region @@ MemAddr.base p) e_zero
+
+(* ********************************************************************** *)
+(* STATE *)
+(* ********************************************************************** *)
+
+type state = chunk Tmap.t
+
+let rec lookup_a e =
+ match repr e with
+ | Fun( f , [e] ) when MemAddr.is_f_global f -> lookup_a e
+ | Fun( f , es ) -> lookup_f f es
+ | _ -> raise Not_found
+
+and lookup_f f es =
+ try match RegisterShift.find f , es with
+ | RS_Field(fd,_) , [e] -> Mstate.field (lookup_lv e) fd
+ | RS_Index _ , [e;k] -> Mstate.index (lookup_lv e) k
+ | _ -> raise Not_found
+ with Not_found when es = [] ->
+ Sigs.(Mvar (RegisterBASE.find f),[])
+
+and lookup_lv e = try lookup_a e with Not_found -> Sigs.(Mmem e,[])
+
+let mchunk c =
+ match c with
+ | Chunk.Init -> Sigs.Mchunk (Pretty_utils.to_string Chunk.pretty c, KInit)
+ | _ -> Sigs.Mchunk (Pretty_utils.to_string Chunk.pretty c, KValue)
+
+let lookup s e =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_state "%s.lookup _ %a"
+ datatype pp_term e ;
+ try mchunk (Tmap.find e s)
+ with Not_found ->
+ try match repr e with
+ | Fun( f , es ) -> Sigs.Maddr (lookup_f f es)
+ | Aget( m , k ) when Tmap.find m s = Init ->
+ Sigs.Mlval (lookup_lv k, KInit)
+ | Aget( m , k ) when Tmap.find m s <> Alloc ->
+ Sigs.Mlval (lookup_lv k, KValue)
+ | _ -> Sigs.Mterm
+ with Not_found -> Sigs.Mterm
+
+let state sigma =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_state "%s.state _" datatype ;
+ let s = ref Tmap.empty in
+ Sigma.iter (fun c x -> s := Tmap.add (e_var x) c !s) sigma ; !s
+
+let iter f s =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_state "%s.iter _ _" datatype ;
+ Tmap.iter (fun m c -> f (mchunk c) m) s
+
+let updates _ _ =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_state "%s.updates _ _" datatype ;
+ Bag.empty
+
+let apply f s =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_state "%s.apply _ _" datatype ;
+ Tmap.fold (fun m c w -> Tmap.add (f m) c w) s Tmap.empty
+
+(* ********************************************************************** *)
+(* POINTERS OPS *)
+(* ********************************************************************** *)
+
+let pointer_loc t = t
+let pointer_val t = t
+
+let base_addr loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.base_addr %a" datatype pretty loc ;
+ MemAddr.mk_addr (MemAddr.base loc) e_zero
+let base_offset loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.base_offset %a" datatype pretty loc ;
+ MemAddr.base_offset (MemAddr.base loc) (MemAddr.offset loc)
+let block_length sigma _obj loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.block_length _ _ _ " datatype ;
+ e_get (Sigma.value sigma Chunk.Alloc) (MemAddr.base loc)
+
+let cast _ loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.cast _ %a" datatype pretty loc ;
+ loc
+
+let loc_of_int _ loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.loc_of_int _ %a" datatype pretty loc ;
+ MemAddr.addr_of_int loc
+
+let int_of_loc _ loc =
+ Wp_parameters.debug ~level:3 ~dkey:dkey_model
+ "%s.int_of_loc _ %a" datatype pretty loc ;
+ MemAddr.int_of_addr loc
+
+
+(* -------------------------------------------------------------------------- *)
+
+let domain _ _ = Sigma.Chunk.Set.of_list [ Init ; Mem ]
+
+let is_null = p_equal null
+let loc_eq = p_equal
+let loc_lt = MemAddr.addr_lt
+let loc_leq = MemAddr.addr_le
+let loc_neq l1 l2 = p_not @@ loc_eq l1 l2
+
+let loc_diff _ l1 l2 =
+ let byte_size = Ctypes.sizeof_object (C_int (Ctypes.c_char ())) in
+ e_div (e_sub (MemAddr.offset l1) (MemAddr.offset l2)) (e_int byte_size)
+
+let pointer_cluster () =
+ Definitions.cluster
+ ~id:"MemBytes.PointersProperties" ~title:"MemBytes definitions" ()
+
+module PointersProperties = WpContext.Generator(Datatype.Unit)
+ (struct
+ let name = datatype ^ ".POINTERS"
+ type key = unit
+ type data = Lang.lfun
+
+ let ranges () =
+ let a = Lang.freshvar ~basename:"a" MemAddr.t_addr in
+ let prop = MemAddr.in_uintptr_range (e_var a) in
+ Definitions.define_lemma {
+ l_kind = Admit ; l_name = "pointers_int_range" ;
+ l_triggers = [] ; l_forall = [a] ;
+ l_cluster = pointer_cluster () ;
+ l_lemma = prop ;
+ }
+
+ let compile () =
+ let lfun = Lang.generated_p "framed" in
+ let m = Lang.freshvar ~basename:"m" Why3.t_memory in
+ let a = Lang.freshvar ~basename:"a" MemAddr.t_addr in
+ let p = load_pointer_raw (e_var m) (Cil_const.voidPtrType) (e_var a) in
+ let ba = MemAddr.base (e_var a) and bp = MemAddr.base p in
+ let body =
+ p_forall [a] @@ p_imply
+ (p_leq (MemAddr.region ba) e_zero)
+ (p_leq (MemAddr.region bp) e_zero)
+ in
+ Definitions.define_symbol {
+ d_lfun = lfun ;
+ d_cluster = pointer_cluster () ; d_types = 0 ;
+ d_params = [ m ] ; d_definition = Predicate (Def, body)
+ };
+ ranges () ;
+ lfun
+ end)
+
+let framed m =
+ p_call (PointersProperties.get ()) [ m ]
+
+let frame sigma =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.frame _" datatype ;
+ let wellformed_frame phi chunk =
+ if Sigma.mem sigma chunk
+ then [ phi (Sigma.value sigma chunk) ]
+ else []
+ in
+ wellformed_frame MemAddr.linked Alloc @
+ wellformed_frame Why3.cinits Init @
+ wellformed_frame Why3.sconst Mem @
+ [ framed (Sigma.value sigma Mem) ]
+
+let is_well_formed s =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model "%s.is_well_formed _" datatype ;
+ Why3.bytes (Sigma.value s Mem)
+
+(* ********************************************************************** *)
+(* ALLOCATION *)
+(* ********************************************************************** *)
+
+let alloc sigma xs =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model
+ "%s.alloc %a %a"
+ datatype Sigma.pretty sigma (Pretty_utils.pp_list Cil_printer.pp_varinfo) xs ;
+ if xs = [] then sigma else Sigma.havoc_chunk sigma Alloc
+
+let scope seq scope xs =
+ Wp_parameters.debug ~level:2 ~dkey:dkey_model
+ "%s.scope { %a ; %a } %s %a"
+ datatype Sigma.pretty seq.pre Sigma.pretty seq.post
+ (if scope = Sigs.Enter then "Enter" else "Leave")
+ (Pretty_utils.pp_list Cil_printer.pp_varinfo) xs ;
+ if xs = [] then [] else
+ let alloc =
+ List.fold_left
+ (fun m x ->
+ let size = match scope with
+ | Sigs.Leave -> e_zero
+ | Sigs.Enter ->
+ protected_sizeof_object @@ Ctypes.object_of x.Cil_types.vtype
+ in e_set m (BASE.get x) size)
+ (Sigma.value seq.pre Alloc) xs in
+ [ p_equal (Sigma.value seq.post Alloc) alloc ]
diff --git a/src/plugins/wp/MemLoader.ml b/src/plugins/wp/MemLoader.ml
index 27e8c434e5cb7e535bd2abc11ecceb4b4b5cc515..bf2d6b187cd68dbe8e27c7b9a1b1d5bfa3f092fe 100644
--- a/src/plugins/wp/MemLoader.ml
+++ b/src/plugins/wp/MemLoader.ml
@@ -66,8 +66,6 @@ sig
val havoc : c_object -> loc -> length:term ->
Chunk.t -> fresh:term -> current:term -> term
- val eqmem : c_object -> loc -> Chunk.t -> term -> term -> pred
-
val eqmem_forall :
c_object -> loc -> Chunk.t -> term -> term -> var list * pred * pred
@@ -79,9 +77,9 @@ sig
val store_float : Sigma.t -> c_float -> loc -> term -> Chunk.t * term
val store_pointer : Sigma.t -> typ -> loc -> term -> Chunk.t * term
- val is_init_atom : Sigma.t -> loc -> term
+ val is_init_atom : Sigma.t -> c_object -> loc -> term
val is_init_range : Sigma.t -> c_object -> loc -> term -> pred
- val set_init_atom : Sigma.t -> loc -> term -> Chunk.t * term
+ val set_init_atom : Sigma.t -> c_object -> loc -> term -> Chunk.t * term
val set_init : c_object -> loc -> length:term ->
Chunk.t -> current:term -> term
(* val monotonic_init : Sigma.t -> Sigma.t -> pred *)
@@ -549,7 +547,7 @@ struct
let initialized_loc sigma obj loc =
match obj with
- | C_int _ | C_float _ | C_pointer _ -> p_bool (M.is_init_atom sigma loc)
+ | C_int _ | C_float _ | C_pointer _ -> p_bool (M.is_init_atom sigma obj loc)
| C_comp ci -> initialized_comp sigma ci loc
| C_array a -> initialized_array sigma a loc
@@ -571,9 +569,9 @@ struct
module INIT_LOADER =
LOADER_GEN
(struct
- let load_int sigma _ = M.is_init_atom sigma
- let load_float sigma _ = M.is_init_atom sigma
- let load_pointer sigma _ = M.is_init_atom sigma
+ let load_int sigma ikind = M.is_init_atom sigma (C_int ikind)
+ let load_float sigma fkind = M.is_init_atom sigma (C_float fkind)
+ let load_pointer sigma typ = M.is_init_atom sigma (C_pointer typ)
end)(COMP_INIT)(ARRAY_INIT)
let load_init = INIT_LOADER.load
@@ -618,8 +616,8 @@ struct
(* --- Stored & Copied --- *)
(* -------------------------------------------------------------------------- *)
- let updated_init_atom seq loc value =
- let chunk_init,mem_init = M.set_init_atom seq.pre loc value in
+ let updated_init_atom seq obj loc value =
+ let chunk_init,mem_init = M.set_init_atom seq.pre obj loc value in
Set(Sigma.value seq.post chunk_init,mem_init)
let updated_atom seq obj loc value =
@@ -642,7 +640,7 @@ struct
let stored_init seq obj loc value =
match obj with
| C_int _ | C_float _ | C_pointer _ ->
- [ updated_init_atom seq loc value ]
+ [ updated_init_atom seq obj loc value ]
| C_comp _ | C_array _ ->
Set(load_init seq.post obj loc, value) :: havoc_init seq obj loc
@@ -659,7 +657,7 @@ struct
| C_int _ | C_float _ | C_pointer _ ->
let value = Lang.freshvar ~basename:"v" (Lang.tau_of_object obj) in
let init = Lang.freshvar ~basename:"i" (Lang.init_of_object obj) in
- [ updated_init_atom seq loc (e_var init) ;
+ [ updated_init_atom seq obj loc (e_var init) ;
updated_atom seq obj loc (e_var value) ]
| C_comp _ | C_array _ ->
havoc seq obj loc @ havoc_init seq obj loc
diff --git a/src/plugins/wp/MemLoader.mli b/src/plugins/wp/MemLoader.mli
index c460d3cae0b7142459d996efffc3453cac2c48c8..46d62359db33e62fbf0df3d723f02ffe00d4f24c 100644
--- a/src/plugins/wp/MemLoader.mli
+++ b/src/plugins/wp/MemLoader.mli
@@ -62,8 +62,6 @@ sig
val havoc : c_object -> loc -> length:term ->
Chunk.t -> fresh:term -> current:term -> term
- val eqmem : c_object -> loc -> Chunk.t -> term -> term -> pred
-
val eqmem_forall :
c_object -> loc -> Chunk.t -> term -> term -> var list * pred * pred
@@ -75,9 +73,9 @@ sig
val store_float : Sigma.t -> c_float -> loc -> term -> Chunk.t * term
val store_pointer : Sigma.t -> typ -> loc -> term -> Chunk.t * term
- val is_init_atom : Sigma.t -> loc -> term
+ val is_init_atom : Sigma.t -> c_object -> loc -> term
val is_init_range : Sigma.t -> c_object -> loc -> term -> pred
- val set_init_atom : Sigma.t -> loc -> term -> Chunk.t * term
+ val set_init_atom : Sigma.t -> c_object -> loc -> term -> Chunk.t * term
val set_init : c_object -> loc -> length:term ->
Chunk.t -> current:term -> term
(* val monotonic_init : Sigma.t -> Sigma.t -> pred *)
diff --git a/src/plugins/wp/MemTyped.ml b/src/plugins/wp/MemTyped.ml
index dbfafb02cb6d1ecd9e910710f2c3dd8f87f436a0..473a678b004e30bbf22b9b84420ed2cc52b1bb4e 100644
--- a/src/plugins/wp/MemTyped.ml
+++ b/src/plugins/wp/MemTyped.ml
@@ -1048,9 +1048,6 @@ struct
F.e_fun f_havoc [fresh;current;loc;n]
else fresh
- let eqmem obj loc _chunk m1 m2 =
- F.p_call p_eqmem [m1;m2;loc;length_of_object obj]
-
let eqmem_forall obj loc _chunk m1 m2 =
let xp = Lang.freshvar ~basename:"p" MemAddr.t_addr in
let p = F.e_var xp in
@@ -1065,8 +1062,8 @@ struct
let store_float sigma f l v = updated sigma (m_float f) l v
let store_pointer sigma _ty l v = updated sigma M_pointer l v
- let set_init_atom sigma l v = updated sigma T_init l v
- let is_init_atom sigma l = F.e_get (Sigma.value sigma T_init) l
+ let set_init_atom sigma _obj l v = updated sigma T_init l v
+ let is_init_atom sigma _ l = F.e_get (Sigma.value sigma T_init) l
let is_init_range sigma obj loc length =
let n = F.e_mul (length_of_object obj) length in
diff --git a/src/plugins/wp/dune b/src/plugins/wp/dune
index 6f393270237475ee5eb2c886e0111e358fe797bd..a83f14990653d6de97debb2017cf8caa8f9863bd 100644
--- a/src/plugins/wp/dune
+++ b/src/plugins/wp/dune
@@ -64,6 +64,8 @@
(share/why3/frama_c_wp/vset.mlw as wp/why3/frama_c_wp/vset.mlw)
(share/why3/frama_c_wp/memaddr.mlw as wp/why3/frama_c_wp/memaddr.mlw)
(share/why3/frama_c_wp/memory.mlw as wp/why3/frama_c_wp/memory.mlw)
+ (share/why3/frama_c_wp/membytes.mlw as wp/why3/frama_c_wp/membytes.mlw)
(share/why3/frama_c_wp/cmath.mlw as wp/why3/frama_c_wp/cmath.mlw)
(share/why3/frama_c_wp/cfloat.mlw as wp/why3/frama_c_wp/cfloat.mlw)
+ (share/why3/frama_c_wp/sequence.mlw as wp/why3/frama_c_wp/sequence.mlw)
(share/wp.driver as wp/wp.driver)))
diff --git a/src/plugins/wp/gui/GuiPanel.ml b/src/plugins/wp/gui/GuiPanel.ml
index 8292028a5c6851fa95f60b7e7fe612d0e641d7c5..4b25d1880a95c901a759b5d4830e83c42a2b67cb 100644
--- a/src/plugins/wp/gui/GuiPanel.ml
+++ b/src/plugins/wp/gui/GuiPanel.ml
@@ -99,7 +99,7 @@ let run_and_prove
(* --- Model Panel --- *)
(* ------------------------------------------------------------------------ *)
-type memory = TREE | HOARE | TYPED | EVA
+type memory = TREE | HOARE | TYPED | EVA | BYTES
class model_selector (main : Design.main_window_extension_points) =
let dialog = new Wpane.dialog
@@ -107,6 +107,7 @@ class model_selector (main : Design.main_window_extension_points) =
let memory = new Widget.group HOARE in
let r_hoare = memory#add_radio ~label:"Hoare Memory Model" ~value:HOARE () in
let r_typed = memory#add_radio ~label:"Typed Memory Model" ~value:TYPED () in
+ let r_bytes = memory#add_radio ~label:"Bytes Memory Model" ~value:BYTES () in
let r_eva = memory#add_radio ~label:"Eva Memory Model" ~value:EVA () in
let c_casts = new Widget.checkbox ~label:"Unsafe casts" () in
let c_byref = new Widget.checkbox ~label:"Reference Arguments" () in
@@ -120,6 +121,8 @@ class model_selector (main : Design.main_window_extension_points) =
begin
dialog#add_row r_hoare#coerce ;
dialog#add_row r_typed#coerce ;
+ dialog#add_row r_bytes#coerce ;
+ r_bytes#set_visible false ;
dialog#add_row r_eva#coerce ;
dialog#add_row c_casts#coerce ;
dialog#add_row c_byref#coerce ;
@@ -148,6 +151,7 @@ class model_selector (main : Design.main_window_extension_points) =
| Hoare -> memory#set HOARE
| Typed m -> memory#set TYPED ; c_casts#set (m = MemTyped.Unsafe)
| Eva -> memory#set EVA
+ | Bytes -> memory#set BYTES
) ;
c_byref#set (s.mvar = Ref) ;
c_ctxt#set (s.mvar = Caveat) ;
@@ -162,6 +166,7 @@ class model_selector (main : Design.main_window_extension_points) =
| TYPED -> Typed
(if c_casts#get then MemTyped.Unsafe else MemTyped.Fits)
| EVA -> Eva
+ | BYTES -> Bytes
in {
mheap = m ;
mvar = if c_ctxt#get then Caveat else if c_byref#get then Ref else Var ;
diff --git a/src/plugins/wp/share/why3/frama_c_wp/Wp.header b/src/plugins/wp/share/why3/frama_c_wp/Wp.header
new file mode 100644
index 0000000000000000000000000000000000000000..9d26ead4f953f335e05db0229554237d35eaeb86
--- /dev/null
+++ b/src/plugins/wp/share/why3/frama_c_wp/Wp.header
@@ -0,0 +1,21 @@
+(**************************************************************************)
+(* *)
+(* This file is part of WP plug-in of Frama-C. *)
+(* *)
+(* Copyright (C) 2007-2024 *)
+(* CEA (Commissariat a l'energie atomique et aux energies *)
+(* alternatives) *)
+(* *)
+(* you can redistribute it and/or modify it under the terms of the GNU *)
+(* Lesser General Public License as published by the Free Software *)
+(* Foundation, version 2.1. *)
+(* *)
+(* It is distributed in the hope that it will be useful, *)
+(* but WITHOUT ANY WARRANTY; without even the implied warranty of *)
+(* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *)
+(* GNU Lesser General Public License for more details. *)
+(* *)
+(* See the GNU Lesser General Public License version 2.1 *)
+(* for more details (enclosed in the file licenses/LGPLv2.1). *)
+(* *)
+(**************************************************************************)
diff --git a/src/plugins/wp/share/why3/frama_c_wp/dune b/src/plugins/wp/share/why3/frama_c_wp/dune
new file mode 100644
index 0000000000000000000000000000000000000000..b1734cc1c28c791158e69f9eb1dcb3aa21252dbe
--- /dev/null
+++ b/src/plugins/wp/share/why3/frama_c_wp/dune
@@ -0,0 +1,29 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; ;;
+;; This file is part of Frama-C. ;;
+;; ;;
+;; Copyright (C) 2007-2024 ;;
+;; CEA (Commissariat à l'énergie atomique et aux énergies ;;
+;; alternatives) ;;
+;; ;;
+;; you can redistribute it and/or modify it under the terms of the GNU ;;
+;; Lesser General Public License as published by the Free Software ;;
+;; Foundation, version 2.1. ;;
+;; ;;
+;; It is distributed in the hope that it will be useful, ;;
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of ;;
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;
+;; GNU Lesser General Public License for more details. ;;
+;; ;;
+;; See the GNU Lesser General Public License version 2.1 ;;
+;; for more details (enclosed in the file licenses/LGPLv2.1). ;;
+;; ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(executable (name membytesgen))
+
+(rule
+ (targets membytes.mlw)
+ (deps membytesgen.exe Wp.header)
+ (mode (promote))
+ (action (run ./membytesgen.exe)))
diff --git a/src/plugins/wp/share/why3/frama_c_wp/membytes.mlw b/src/plugins/wp/share/why3/frama_c_wp/membytes.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..04d1e5090ac0c9e3564b24e1811cad28c9dcb76b
--- /dev/null
+++ b/src/plugins/wp/share/why3/frama_c_wp/membytes.mlw
@@ -0,0 +1,1831 @@
+(**************************************************************************)
+(* *)
+(* This file is part of WP plug-in of Frama-C. *)
+(* *)
+(* Copyright (C) 2007-2024 *)
+(* CEA (Commissariat a l'energie atomique et aux energies *)
+(* alternatives) *)
+(* *)
+(* you can redistribute it and/or modify it under the terms of the GNU *)
+(* Lesser General Public License as published by the Free Software *)
+(* Foundation, version 2.1. *)
+(* *)
+(* It is distributed in the hope that it will be useful, *)
+(* but WITHOUT ANY WARRANTY; without even the implied warranty of *)
+(* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *)
+(* GNU Lesser General Public License for more details. *)
+(* *)
+(* See the GNU Lesser General Public License version 2.1 *)
+(* for more details (enclosed in the file licenses/LGPLv2.1). *)
+(* *)
+(**************************************************************************)
+
+(* DO NOT EDIT: this file is generated at build time *)
+
+(* Tactics for failing proofs:
+ intros variables ; compute_in_goal ; cvc5 *)
+
+module ValueCodec
+ use int.Int
+ use int.ComputerDivision
+ use frama_c_wp.cint.Cint
+ use frama_c_wp.sequence.Seq
+
+ function decode_uint8 (s: seq int) : int =
+ match s with
+ | L.Cons b0 (L.Nil) ->
+ b0 * 0x1
+ | _ -> 0
+ end
+
+ function decode_sint8 (s: seq int) : int =
+ to_sint8 (decode_uint8 s)
+
+ function encode_uint8 (v: int) : seq int =
+ (L.Cons (mod v 0x100) L.Nil)
+
+ function encode_sint8 (v: int) : seq int =
+ encode_uint8 (to_uint8 v)
+
+ lemma decode_uint8_encode_uint8:
+ forall v: int [decode_uint8 (encode_uint8 v)].
+ is_uint8 v -> decode_uint8 (encode_uint8 v) = v
+
+ lemma decode_sint8_encode_uint8:
+ forall v: int [decode_sint8 (encode_uint8 v)].
+ is_uint8 v -> decode_sint8 (encode_uint8 v) = to_sint8 v
+
+ lemma decode_uint8_encode_sint8:
+ forall v: int [decode_uint8 (encode_sint8 v)].
+ is_sint8 v -> decode_uint8 (encode_sint8 v) = to_uint8 v
+
+ lemma decode_sint8_encode_sint8:
+ forall v: int [decode_sint8 (encode_sint8 v)].
+ is_sint8 v -> decode_sint8 (encode_sint8 v) = v
+
+ function decode_uint16 (s: seq int) : int =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Nil)) ->
+ b0 * 0x1 + b1 * 0x100
+ | _ -> 0
+ end
+
+ function decode_sint16 (s: seq int) : int =
+ to_sint16 (decode_uint16 s)
+
+ function encode_uint16 (v: int) : seq int =
+ (L.Cons (mod v 0x100)
+ (L.Cons (mod (div v 0x100) 0x100) L.Nil))
+
+ function encode_sint16 (v: int) : seq int =
+ encode_uint16 (to_uint16 v)
+
+ lemma decode_uint16_encode_uint16:
+ forall v: int [decode_uint16 (encode_uint16 v)].
+ is_uint16 v -> decode_uint16 (encode_uint16 v) = v
+
+ lemma decode_sint16_encode_uint16:
+ forall v: int [decode_sint16 (encode_uint16 v)].
+ is_uint16 v -> decode_sint16 (encode_uint16 v) = to_sint16 v
+
+ lemma decode_uint16_encode_sint16:
+ forall v: int [decode_uint16 (encode_sint16 v)].
+ is_sint16 v -> decode_uint16 (encode_sint16 v) = to_uint16 v
+
+ lemma decode_sint16_encode_sint16:
+ forall v: int [decode_sint16 (encode_sint16 v)].
+ is_sint16 v -> decode_sint16 (encode_sint16 v) = v
+
+ function decode_uint32 (s: seq int) : int =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Cons b2 (L.Cons b3 (L.Nil)))) ->
+ b0 * 0x1 + b1 * 0x100 + b2 * 0x10000 + b3 * 0x1000000
+ | _ -> 0
+ end
+
+ function decode_sint32 (s: seq int) : int =
+ to_sint32 (decode_uint32 s)
+
+ function encode_uint32 (v: int) : seq int =
+ (L.Cons (mod v 0x100)
+ (L.Cons (mod (div v 0x100) 0x100)
+ (L.Cons (mod (div v 0x10000) 0x100)
+ (L.Cons (mod (div v 0x1000000) 0x100) L.Nil))))
+
+ function encode_sint32 (v: int) : seq int =
+ encode_uint32 (to_uint32 v)
+
+ lemma decode_uint32_encode_uint32:
+ forall v: int [decode_uint32 (encode_uint32 v)].
+ is_uint32 v -> decode_uint32 (encode_uint32 v) = v
+
+ lemma decode_sint32_encode_uint32:
+ forall v: int [decode_sint32 (encode_uint32 v)].
+ is_uint32 v -> decode_sint32 (encode_uint32 v) = to_sint32 v
+
+ lemma decode_uint32_encode_sint32:
+ forall v: int [decode_uint32 (encode_sint32 v)].
+ is_sint32 v -> decode_uint32 (encode_sint32 v) = to_uint32 v
+
+ lemma decode_sint32_encode_sint32:
+ forall v: int [decode_sint32 (encode_sint32 v)].
+ is_sint32 v -> decode_sint32 (encode_sint32 v) = v
+
+ function decode_uint64 (s: seq int) : int =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Cons b2 (L.Cons b3 (L.Cons b4 (L.Cons b5 (L.Cons b6 (L.Cons b7 (L.Nil)))))))) ->
+ b0 * 0x1 + b1 * 0x100 + b2 * 0x10000 + b3 * 0x1000000 + b4 * 0x100000000 + b5 * 0x10000000000 + b6 * 0x1000000000000 + b7 * 0x100000000000000
+ | _ -> 0
+ end
+
+ function decode_sint64 (s: seq int) : int =
+ to_sint64 (decode_uint64 s)
+
+ function encode_uint64 (v: int) : seq int =
+ (L.Cons (mod v 0x100)
+ (L.Cons (mod (div v 0x100) 0x100)
+ (L.Cons (mod (div v 0x10000) 0x100)
+ (L.Cons (mod (div v 0x1000000) 0x100)
+ (L.Cons (mod (div v 0x100000000) 0x100)
+ (L.Cons (mod (div v 0x10000000000) 0x100)
+ (L.Cons (mod (div v 0x1000000000000) 0x100)
+ (L.Cons (mod (div v 0x100000000000000) 0x100) L.Nil))))))))
+
+ function encode_sint64 (v: int) : seq int =
+ encode_uint64 (to_uint64 v)
+
+ lemma decode_uint64_encode_uint64:
+ forall v: int [decode_uint64 (encode_uint64 v)].
+ is_uint64 v -> decode_uint64 (encode_uint64 v) = v
+
+ lemma decode_sint64_encode_uint64:
+ forall v: int [decode_sint64 (encode_uint64 v)].
+ is_uint64 v -> decode_sint64 (encode_uint64 v) = to_sint64 v
+
+ lemma decode_uint64_encode_sint64:
+ forall v: int [decode_uint64 (encode_sint64 v)].
+ is_sint64 v -> decode_uint64 (encode_sint64 v) = to_uint64 v
+
+ lemma decode_sint64_encode_sint64:
+ forall v: int [decode_sint64 (encode_sint64 v)].
+ is_sint64 v -> decode_sint64 (encode_sint64 v) = v
+
+
+end
+
+module InitCodec
+ use bool.Bool
+ use frama_c_wp.sequence.Seq
+
+ function decode_init8 (s: seq bool) : bool =
+ match s with
+ | L.Cons b0 (L.Nil) ->
+ b0
+ | _ -> false
+ end
+
+ function encode_init8 (v: bool) : seq bool =
+ create v 1
+
+ lemma decode_init8_encode_init8:
+ forall v: bool [decode_init8 (encode_init8 v)].
+ decode_init8 (encode_init8 v) = v
+
+ function decode_init16 (s: seq bool) : bool =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Nil)) ->
+ b0 && b1
+ | _ -> false
+ end
+
+ function encode_init16 (v: bool) : seq bool =
+ create v 2
+
+ lemma decode_init16_encode_init16:
+ forall v: bool [decode_init16 (encode_init16 v)].
+ decode_init16 (encode_init16 v) = v
+
+ function decode_init32 (s: seq bool) : bool =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Cons b2 (L.Cons b3 (L.Nil)))) ->
+ b0 && b1 && b2 && b3
+ | _ -> false
+ end
+
+ function encode_init32 (v: bool) : seq bool =
+ create v 4
+
+ lemma decode_init32_encode_init32:
+ forall v: bool [decode_init32 (encode_init32 v)].
+ decode_init32 (encode_init32 v) = v
+
+ function decode_init64 (s: seq bool) : bool =
+ match s with
+ | L.Cons b0 (L.Cons b1 (L.Cons b2 (L.Cons b3 (L.Cons b4 (L.Cons b5 (L.Cons b6 (L.Cons b7 (L.Nil)))))))) ->
+ b0 && b1 && b2 && b3 && b4 && b5 && b6 && b7
+ | _ -> false
+ end
+
+ function encode_init64 (v: bool) : seq bool =
+ create v 8
+
+ lemma decode_init64_encode_init64:
+ forall v: bool [decode_init64 (encode_init64 v)].
+ decode_init64 (encode_init64 v) = v
+
+
+end
+
+module Offset
+ use int.Int
+ type offset = int
+
+ predicate sepoffset (po: offset) (lp: int) (qo: offset) (lq: int) =
+ qo + lq <= po \/ po + lp <= qo
+
+end
+
+module RWBytes
+ use int.Int
+ use map.Map as M
+ use frama_c_wp.sequence.Seq as S
+ use Offset
+
+ type seq 'a = S.seq 'a
+ type block 'a = M.map int 'a
+
+ function bwrite_seq (b:block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Nil -> b
+ | S.L.Cons h tl -> M.(set (bwrite_seq b (o+1) tl) o h)
+ end
+
+ predicate beq_blocks (b1 b2: block 'a) (o: int) (l: int) =
+ forall i: int. o <= i < o + l -> M.(get b1 i) = M.(get b2 i)
+
+ function bread_8bits (b: block 'a) (o: int) : seq 'a =
+ (S.L.Cons M.(b[o ]) S.L.Nil)
+
+ function bread_16bits (b: block 'a) (o: int) : seq 'a =
+ (S.L.Cons M.(b[o ])
+ (S.L.Cons M.(b[o+1]) S.L.Nil))
+
+ function bread_32bits (b: block 'a) (o: int) : seq 'a =
+ (S.L.Cons M.(b[o ])
+ (S.L.Cons M.(b[o+1])
+ (S.L.Cons M.(b[o+2])
+ (S.L.Cons M.(b[o+3]) S.L.Nil))))
+
+ function bread_64bits (b: block 'a) (o: int) : seq 'a =
+ (S.L.Cons M.(b[o ])
+ (S.L.Cons M.(b[o+1])
+ (S.L.Cons M.(b[o+2])
+ (S.L.Cons M.(b[o+3])
+ (S.L.Cons M.(b[o+4])
+ (S.L.Cons M.(b[o+5])
+ (S.L.Cons M.(b[o+6])
+ (S.L.Cons M.(b[o+7]) S.L.Nil))))))))
+
+ function bwrite_8bits (b: block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Cons b0 (_) ->
+ M.(set b o b0)
+ | _ -> b
+ end
+
+ function bwrite_16bits (b: block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Cons b0 (S.L.Cons b1 (_)) ->
+ M.(set (set b (o+1) b1) o b0)
+ | _ -> b
+ end
+
+ function bwrite_32bits (b: block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Cons b0 (S.L.Cons b1 (S.L.Cons b2 (S.L.Cons b3 (_)))) ->
+ M.(set (set (set (set b (o+3) b3) (o+2) b2) (o+1) b1) o b0)
+ | _ -> b
+ end
+
+ function bwrite_64bits (b: block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Cons b0 (S.L.Cons b1 (S.L.Cons b2 (S.L.Cons b3 (S.L.Cons b4 (S.L.Cons b5 (S.L.Cons b6 (S.L.Cons b7 (_)))))))) ->
+ M.(set (set (set (set (set (set (set (set b (o+7) b7) (o+6) b6) (o+5) b5) (o+4) b4) (o+3) b3) (o+2) b2) (o+1) b1) o b0)
+ | _ -> b
+ end
+
+ lemma bread_8bits_bwrite_8bits_eq:
+ forall b: block 'a, o: int, s: seq 'a [bread_8bits (bwrite_8bits b o s) o].
+ S.length s = 1 ->
+ bread_8bits (bwrite_8bits b o s) o = s
+
+ let rec lemma bread_8bits_bwrite_seq_sep (b: block 'a)(or ow: int)(s: seq 'a)
+ requires { sepoffset ow (S.length s) or 1 }
+ ensures { bread_8bits (bwrite_seq b ow s) or = bread_8bits b or }
+ = match s with
+ | S.L.Nil -> ()
+ | S.L.Cons _ tl -> bread_8bits_bwrite_seq_sep b or (ow + 1) tl
+ end
+
+ lemma bread_8bits_bwrite_8bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_8bits (bwrite_8bits b ow s) or].
+ sepoffset ow 1 or 1 ->
+ bread_8bits (bwrite_8bits b ow s) or = bread_8bits b or
+
+ lemma bread_8bits_bwrite_16bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_8bits (bwrite_16bits b ow s) or].
+ sepoffset ow 2 or 1 ->
+ bread_8bits (bwrite_16bits b ow s) or = bread_8bits b or
+
+ lemma bread_8bits_bwrite_32bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_8bits (bwrite_32bits b ow s) or].
+ sepoffset ow 4 or 1 ->
+ bread_8bits (bwrite_32bits b ow s) or = bread_8bits b or
+
+ lemma bread_8bits_bwrite_64bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_8bits (bwrite_64bits b ow s) or].
+ sepoffset ow 8 or 1 ->
+ bread_8bits (bwrite_64bits b ow s) or = bread_8bits b or
+
+ lemma bread_16bits_bwrite_16bits_eq:
+ forall b: block 'a, o: int, s: seq 'a [bread_16bits (bwrite_16bits b o s) o].
+ S.length s = 2 ->
+ bread_16bits (bwrite_16bits b o s) o = s
+
+ let rec lemma bread_16bits_bwrite_seq_sep (b: block 'a)(or ow: int)(s: seq 'a)
+ requires { sepoffset ow (S.length s) or 2 }
+ ensures { bread_16bits (bwrite_seq b ow s) or = bread_16bits b or }
+ = match s with
+ | S.L.Nil -> ()
+ | S.L.Cons _ tl -> bread_16bits_bwrite_seq_sep b or (ow + 1) tl
+ end
+
+ lemma bread_16bits_bwrite_8bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_16bits (bwrite_8bits b ow s) or].
+ sepoffset ow 1 or 2 ->
+ bread_16bits (bwrite_8bits b ow s) or = bread_16bits b or
+
+ lemma bread_16bits_bwrite_16bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_16bits (bwrite_16bits b ow s) or].
+ sepoffset ow 2 or 2 ->
+ bread_16bits (bwrite_16bits b ow s) or = bread_16bits b or
+
+ lemma bread_16bits_bwrite_32bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_16bits (bwrite_32bits b ow s) or].
+ sepoffset ow 4 or 2 ->
+ bread_16bits (bwrite_32bits b ow s) or = bread_16bits b or
+
+ lemma bread_16bits_bwrite_64bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_16bits (bwrite_64bits b ow s) or].
+ sepoffset ow 8 or 2 ->
+ bread_16bits (bwrite_64bits b ow s) or = bread_16bits b or
+
+ lemma bread_32bits_bwrite_32bits_eq:
+ forall b: block 'a, o: int, s: seq 'a [bread_32bits (bwrite_32bits b o s) o].
+ S.length s = 4 ->
+ bread_32bits (bwrite_32bits b o s) o = s
+
+ let rec lemma bread_32bits_bwrite_seq_sep (b: block 'a)(or ow: int)(s: seq 'a)
+ requires { sepoffset ow (S.length s) or 4 }
+ ensures { bread_32bits (bwrite_seq b ow s) or = bread_32bits b or }
+ = match s with
+ | S.L.Nil -> ()
+ | S.L.Cons _ tl -> bread_32bits_bwrite_seq_sep b or (ow + 1) tl
+ end
+
+ lemma bread_32bits_bwrite_8bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_32bits (bwrite_8bits b ow s) or].
+ sepoffset ow 1 or 4 ->
+ bread_32bits (bwrite_8bits b ow s) or = bread_32bits b or
+
+ lemma bread_32bits_bwrite_16bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_32bits (bwrite_16bits b ow s) or].
+ sepoffset ow 2 or 4 ->
+ bread_32bits (bwrite_16bits b ow s) or = bread_32bits b or
+
+ lemma bread_32bits_bwrite_32bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_32bits (bwrite_32bits b ow s) or].
+ sepoffset ow 4 or 4 ->
+ bread_32bits (bwrite_32bits b ow s) or = bread_32bits b or
+
+ lemma bread_32bits_bwrite_64bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_32bits (bwrite_64bits b ow s) or].
+ sepoffset ow 8 or 4 ->
+ bread_32bits (bwrite_64bits b ow s) or = bread_32bits b or
+
+ lemma bread_64bits_bwrite_64bits_eq:
+ forall b: block 'a, o: int, s: seq 'a [bread_64bits (bwrite_64bits b o s) o].
+ S.length s = 8 ->
+ bread_64bits (bwrite_64bits b o s) o = s
+
+ let rec lemma bread_64bits_bwrite_seq_sep (b: block 'a)(or ow: int)(s: seq 'a)
+ requires { sepoffset ow (S.length s) or 8 }
+ ensures { bread_64bits (bwrite_seq b ow s) or = bread_64bits b or }
+ = match s with
+ | S.L.Nil -> ()
+ | S.L.Cons _ tl -> bread_64bits_bwrite_seq_sep b or (ow + 1) tl
+ end
+
+ lemma bread_64bits_bwrite_8bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_64bits (bwrite_8bits b ow s) or].
+ sepoffset ow 1 or 8 ->
+ bread_64bits (bwrite_8bits b ow s) or = bread_64bits b or
+
+ lemma bread_64bits_bwrite_16bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_64bits (bwrite_16bits b ow s) or].
+ sepoffset ow 2 or 8 ->
+ bread_64bits (bwrite_16bits b ow s) or = bread_64bits b or
+
+ lemma bread_64bits_bwrite_32bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_64bits (bwrite_32bits b ow s) or].
+ sepoffset ow 4 or 8 ->
+ bread_64bits (bwrite_32bits b ow s) or = bread_64bits b or
+
+ lemma bread_64bits_bwrite_64bits_sep:
+ forall b: block 'a, or ow: int, s: seq 'a [bread_64bits (bwrite_64bits b ow s) or].
+ sepoffset ow 8 or 8 ->
+ bread_64bits (bwrite_64bits b ow s) or = bread_64bits b or
+
+
+end
+
+module ValueBlockRW
+ use int.Int
+ use frama_c_wp.cint.Cint
+ use ValueCodec
+ use Offset
+ use RWBytes
+
+ type vblock = block int
+
+ function bread_uint8 (b: vblock) (o: int) : int =
+ decode_uint8 (bread_8bits b o)
+
+ function bread_uint16 (b: vblock) (o: int) : int =
+ decode_uint16 (bread_16bits b o)
+
+ function bread_uint32 (b: vblock) (o: int) : int =
+ decode_uint32 (bread_32bits b o)
+
+ function bread_uint64 (b: vblock) (o: int) : int =
+ decode_uint64 (bread_64bits b o)
+
+ function bread_sint8 (b: vblock) (o: int) : int =
+ decode_sint8 (bread_8bits b o)
+
+ function bread_sint16 (b: vblock) (o: int) : int =
+ decode_sint16 (bread_16bits b o)
+
+ function bread_sint32 (b: vblock) (o: int) : int =
+ decode_sint32 (bread_32bits b o)
+
+ function bread_sint64 (b: vblock) (o: int) : int =
+ decode_sint64 (bread_64bits b o)
+
+ function bwrite_uint8 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_8bits b o (encode_uint8 v)
+
+ function bwrite_uint16 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_16bits b o (encode_uint16 v)
+
+ function bwrite_uint32 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_32bits b o (encode_uint32 v)
+
+ function bwrite_uint64 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_64bits b o (encode_uint64 v)
+
+ function bwrite_sint8 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_8bits b o (encode_sint8 v)
+
+ function bwrite_sint16 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_16bits b o (encode_sint16 v)
+
+ function bwrite_sint32 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_32bits b o (encode_sint32 v)
+
+ function bwrite_sint64 (b: vblock) (o: int) (v: int) : vblock =
+ bwrite_64bits b o (encode_sint64 v)
+
+ lemma bread_uint8_bwrite_uint8_eq:
+ forall b: vblock, o: int, v: int [bread_uint8 (bwrite_uint8 b o v) o].
+ is_uint8 v ->
+ bread_uint8 (bwrite_uint8 b o v) o = v
+
+ lemma bread_uint8_bwrite_sint8_eq:
+ forall b: vblock, o: int, v: int [bread_uint8 (bwrite_sint8 b o v) o].
+ is_sint8 v ->
+ bread_uint8 (bwrite_sint8 b o v) o = to_uint8 v
+
+ lemma bread_uint8_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_uint8 (bwrite_seq b ho u) or].
+ sepoffset or 1 ho (Seq.length u) ->
+ bread_uint8 (bwrite_seq b ho u) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 1 ->
+ bread_uint8 (bwrite_uint8 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 1 ->
+ bread_uint8 (bwrite_uint16 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 1 ->
+ bread_uint8 (bwrite_uint32 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 1 ->
+ bread_uint8 (bwrite_uint64 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 1 ->
+ bread_uint8 (bwrite_sint8 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 1 ->
+ bread_uint8 (bwrite_sint16 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 1 ->
+ bread_uint8 (bwrite_sint32 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint8_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint8 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 1 ->
+ bread_uint8 (bwrite_sint64 b ow v) or = bread_uint8 b or
+
+ lemma bread_uint16_bwrite_uint16_eq:
+ forall b: vblock, o: int, v: int [bread_uint16 (bwrite_uint16 b o v) o].
+ is_uint16 v ->
+ bread_uint16 (bwrite_uint16 b o v) o = v
+
+ lemma bread_uint16_bwrite_sint16_eq:
+ forall b: vblock, o: int, v: int [bread_uint16 (bwrite_sint16 b o v) o].
+ is_sint16 v ->
+ bread_uint16 (bwrite_sint16 b o v) o = to_uint16 v
+
+ lemma bread_uint16_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_uint16 (bwrite_seq b ho u) or].
+ sepoffset or 2 ho (Seq.length u) ->
+ bread_uint16 (bwrite_seq b ho u) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 2 ->
+ bread_uint16 (bwrite_uint8 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 2 ->
+ bread_uint16 (bwrite_uint16 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 2 ->
+ bread_uint16 (bwrite_uint32 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 2 ->
+ bread_uint16 (bwrite_uint64 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 2 ->
+ bread_uint16 (bwrite_sint8 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 2 ->
+ bread_uint16 (bwrite_sint16 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 2 ->
+ bread_uint16 (bwrite_sint32 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint16_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint16 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 2 ->
+ bread_uint16 (bwrite_sint64 b ow v) or = bread_uint16 b or
+
+ lemma bread_uint32_bwrite_uint32_eq:
+ forall b: vblock, o: int, v: int [bread_uint32 (bwrite_uint32 b o v) o].
+ is_uint32 v ->
+ bread_uint32 (bwrite_uint32 b o v) o = v
+
+ lemma bread_uint32_bwrite_sint32_eq:
+ forall b: vblock, o: int, v: int [bread_uint32 (bwrite_sint32 b o v) o].
+ is_sint32 v ->
+ bread_uint32 (bwrite_sint32 b o v) o = to_uint32 v
+
+ lemma bread_uint32_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_uint32 (bwrite_seq b ho u) or].
+ sepoffset or 4 ho (Seq.length u) ->
+ bread_uint32 (bwrite_seq b ho u) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 4 ->
+ bread_uint32 (bwrite_uint8 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 4 ->
+ bread_uint32 (bwrite_uint16 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 4 ->
+ bread_uint32 (bwrite_uint32 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 4 ->
+ bread_uint32 (bwrite_uint64 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 4 ->
+ bread_uint32 (bwrite_sint8 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 4 ->
+ bread_uint32 (bwrite_sint16 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 4 ->
+ bread_uint32 (bwrite_sint32 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint32_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint32 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 4 ->
+ bread_uint32 (bwrite_sint64 b ow v) or = bread_uint32 b or
+
+ lemma bread_uint64_bwrite_uint64_eq:
+ forall b: vblock, o: int, v: int [bread_uint64 (bwrite_uint64 b o v) o].
+ is_uint64 v ->
+ bread_uint64 (bwrite_uint64 b o v) o = v
+
+ lemma bread_uint64_bwrite_sint64_eq:
+ forall b: vblock, o: int, v: int [bread_uint64 (bwrite_sint64 b o v) o].
+ is_sint64 v ->
+ bread_uint64 (bwrite_sint64 b o v) o = to_uint64 v
+
+ lemma bread_uint64_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_uint64 (bwrite_seq b ho u) or].
+ sepoffset or 8 ho (Seq.length u) ->
+ bread_uint64 (bwrite_seq b ho u) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 8 ->
+ bread_uint64 (bwrite_uint8 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 8 ->
+ bread_uint64 (bwrite_uint16 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 8 ->
+ bread_uint64 (bwrite_uint32 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 8 ->
+ bread_uint64 (bwrite_uint64 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 8 ->
+ bread_uint64 (bwrite_sint8 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 8 ->
+ bread_uint64 (bwrite_sint16 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 8 ->
+ bread_uint64 (bwrite_sint32 b ow v) or = bread_uint64 b or
+
+ lemma bread_uint64_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_uint64 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 8 ->
+ bread_uint64 (bwrite_sint64 b ow v) or = bread_uint64 b or
+
+ lemma bread_sint8_bwrite_sint8_eq:
+ forall b: vblock, o: int, v: int [bread_sint8 (bwrite_sint8 b o v) o].
+ is_sint8 v ->
+ bread_sint8 (bwrite_sint8 b o v) o = v
+
+ lemma bread_sint8_bwrite_uint8_eq:
+ forall b: vblock, o: int, v: int [bread_sint8 (bwrite_uint8 b o v) o].
+ is_uint8 v ->
+ bread_sint8 (bwrite_uint8 b o v) o = to_sint8 v
+
+ lemma bread_sint8_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_sint8 (bwrite_seq b ho u) or].
+ sepoffset or 1 ho (Seq.length u) ->
+ bread_sint8 (bwrite_seq b ho u) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 1 ->
+ bread_sint8 (bwrite_uint8 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 1 ->
+ bread_sint8 (bwrite_uint16 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 1 ->
+ bread_sint8 (bwrite_uint32 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 1 ->
+ bread_sint8 (bwrite_uint64 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 1 ->
+ bread_sint8 (bwrite_sint8 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 1 ->
+ bread_sint8 (bwrite_sint16 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 1 ->
+ bread_sint8 (bwrite_sint32 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint8_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint8 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 1 ->
+ bread_sint8 (bwrite_sint64 b ow v) or = bread_sint8 b or
+
+ lemma bread_sint16_bwrite_sint16_eq:
+ forall b: vblock, o: int, v: int [bread_sint16 (bwrite_sint16 b o v) o].
+ is_sint16 v ->
+ bread_sint16 (bwrite_sint16 b o v) o = v
+
+ lemma bread_sint16_bwrite_uint16_eq:
+ forall b: vblock, o: int, v: int [bread_sint16 (bwrite_uint16 b o v) o].
+ is_uint16 v ->
+ bread_sint16 (bwrite_uint16 b o v) o = to_sint16 v
+
+ lemma bread_sint16_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_sint16 (bwrite_seq b ho u) or].
+ sepoffset or 2 ho (Seq.length u) ->
+ bread_sint16 (bwrite_seq b ho u) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 2 ->
+ bread_sint16 (bwrite_uint8 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 2 ->
+ bread_sint16 (bwrite_uint16 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 2 ->
+ bread_sint16 (bwrite_uint32 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 2 ->
+ bread_sint16 (bwrite_uint64 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 2 ->
+ bread_sint16 (bwrite_sint8 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 2 ->
+ bread_sint16 (bwrite_sint16 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 2 ->
+ bread_sint16 (bwrite_sint32 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint16_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint16 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 2 ->
+ bread_sint16 (bwrite_sint64 b ow v) or = bread_sint16 b or
+
+ lemma bread_sint32_bwrite_sint32_eq:
+ forall b: vblock, o: int, v: int [bread_sint32 (bwrite_sint32 b o v) o].
+ is_sint32 v ->
+ bread_sint32 (bwrite_sint32 b o v) o = v
+
+ lemma bread_sint32_bwrite_uint32_eq:
+ forall b: vblock, o: int, v: int [bread_sint32 (bwrite_uint32 b o v) o].
+ is_uint32 v ->
+ bread_sint32 (bwrite_uint32 b o v) o = to_sint32 v
+
+ lemma bread_sint32_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_sint32 (bwrite_seq b ho u) or].
+ sepoffset or 4 ho (Seq.length u) ->
+ bread_sint32 (bwrite_seq b ho u) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 4 ->
+ bread_sint32 (bwrite_uint8 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 4 ->
+ bread_sint32 (bwrite_uint16 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 4 ->
+ bread_sint32 (bwrite_uint32 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 4 ->
+ bread_sint32 (bwrite_uint64 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 4 ->
+ bread_sint32 (bwrite_sint8 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 4 ->
+ bread_sint32 (bwrite_sint16 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 4 ->
+ bread_sint32 (bwrite_sint32 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint32_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint32 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 4 ->
+ bread_sint32 (bwrite_sint64 b ow v) or = bread_sint32 b or
+
+ lemma bread_sint64_bwrite_sint64_eq:
+ forall b: vblock, o: int, v: int [bread_sint64 (bwrite_sint64 b o v) o].
+ is_sint64 v ->
+ bread_sint64 (bwrite_sint64 b o v) o = v
+
+ lemma bread_sint64_bwrite_uint64_eq:
+ forall b: vblock, o: int, v: int [bread_sint64 (bwrite_uint64 b o v) o].
+ is_uint64 v ->
+ bread_sint64 (bwrite_uint64 b o v) o = to_sint64 v
+
+ lemma bread_sint64_bhavoc_sep:
+ forall b: vblock, u: S.seq int, or ho: int [bread_sint64 (bwrite_seq b ho u) or].
+ sepoffset or 8 ho (Seq.length u) ->
+ bread_sint64 (bwrite_seq b ho u) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_uint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_uint8 b ow v) or].
+ sepoffset ow 1 or 8 ->
+ bread_sint64 (bwrite_uint8 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_uint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_uint16 b ow v) or].
+ sepoffset ow 2 or 8 ->
+ bread_sint64 (bwrite_uint16 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_uint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_uint32 b ow v) or].
+ sepoffset ow 4 or 8 ->
+ bread_sint64 (bwrite_uint32 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_uint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_uint64 b ow v) or].
+ sepoffset ow 8 or 8 ->
+ bread_sint64 (bwrite_uint64 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_sint8_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_sint8 b ow v) or].
+ sepoffset ow 1 or 8 ->
+ bread_sint64 (bwrite_sint8 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_sint16_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_sint16 b ow v) or].
+ sepoffset ow 2 or 8 ->
+ bread_sint64 (bwrite_sint16 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_sint32_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_sint32 b ow v) or].
+ sepoffset ow 4 or 8 ->
+ bread_sint64 (bwrite_sint32 b ow v) or = bread_sint64 b or
+
+ lemma bread_sint64_bwrite_sint64_sep:
+ forall b: vblock, or ow: int, v: int [bread_sint64 (bwrite_sint64 b ow v) or].
+ sepoffset ow 8 or 8 ->
+ bread_sint64 (bwrite_sint64 b ow v) or = bread_sint64 b or
+
+
+end
+
+module InitBlockRW
+ use bool.Bool
+ use int.Int
+ use InitCodec
+ use Offset
+ use RWBytes
+
+ type iblock = block bool
+
+ predicate is_init_range(b: iblock) (o: int) (size: int) =
+ forall i: int. o <= i < o + size -> M.get b i = True
+
+ function bread_init8 (b: iblock) (o: int) : bool =
+ decode_init8 (bread_8bits b o)
+
+ function bread_init16 (b: iblock) (o: int) : bool =
+ decode_init16 (bread_16bits b o)
+
+ function bread_init32 (b: iblock) (o: int) : bool =
+ decode_init32 (bread_32bits b o)
+
+ function bread_init64 (b: iblock) (o: int) : bool =
+ decode_init64 (bread_64bits b o)
+
+ function bwrite_init8 (b: iblock) (o: int) (init: bool) : iblock =
+ bwrite_8bits b o (encode_init8 init)
+
+ function bwrite_init16 (b: iblock) (o: int) (init: bool) : iblock =
+ bwrite_16bits b o (encode_init16 init)
+
+ function bwrite_init32 (b: iblock) (o: int) (init: bool) : iblock =
+ bwrite_32bits b o (encode_init32 init)
+
+ function bwrite_init64 (b: iblock) (o: int) (init: bool) : iblock =
+ bwrite_64bits b o (encode_init64 init)
+
+ lemma bread_init8_bwrite_init8_eq:
+ forall b: iblock, o: int, init: bool [bread_init8 (bwrite_init8 b o init) o].
+ bread_init8 (bwrite_init8 b o init) o = init
+
+ lemma bread_init8_bhavoc_sep:
+ forall b: iblock, u: S.seq bool, or ho: int [bread_init8 (bwrite_seq b ho u) or].
+ sepoffset or 1 ho (Seq.length u) ->
+ bread_init8 (bwrite_seq b ho u) or = bread_init8 b or
+
+ lemma bread_init8_bwrite_init8_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init8 (bwrite_init8 b ow init) or].
+ sepoffset ow 1 or 1 ->
+ bread_init8 (bwrite_init8 b ow init) or = bread_init8 b or
+
+ lemma bread_init8_bwrite_init16_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init8 (bwrite_init16 b ow init) or].
+ sepoffset ow 2 or 1 ->
+ bread_init8 (bwrite_init16 b ow init) or = bread_init8 b or
+
+ lemma bread_init8_bwrite_init32_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init8 (bwrite_init32 b ow init) or].
+ sepoffset ow 4 or 1 ->
+ bread_init8 (bwrite_init32 b ow init) or = bread_init8 b or
+
+ lemma bread_init8_bwrite_init64_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init8 (bwrite_init64 b ow init) or].
+ sepoffset ow 8 or 1 ->
+ bread_init8 (bwrite_init64 b ow init) or = bread_init8 b or
+
+ lemma bread_init16_bwrite_init16_eq:
+ forall b: iblock, o: int, init: bool [bread_init16 (bwrite_init16 b o init) o].
+ bread_init16 (bwrite_init16 b o init) o = init
+
+ lemma bread_init16_bhavoc_sep:
+ forall b: iblock, u: S.seq bool, or ho: int [bread_init16 (bwrite_seq b ho u) or].
+ sepoffset or 2 ho (Seq.length u) ->
+ bread_init16 (bwrite_seq b ho u) or = bread_init16 b or
+
+ lemma bread_init16_bwrite_init8_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init16 (bwrite_init8 b ow init) or].
+ sepoffset ow 1 or 2 ->
+ bread_init16 (bwrite_init8 b ow init) or = bread_init16 b or
+
+ lemma bread_init16_bwrite_init16_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init16 (bwrite_init16 b ow init) or].
+ sepoffset ow 2 or 2 ->
+ bread_init16 (bwrite_init16 b ow init) or = bread_init16 b or
+
+ lemma bread_init16_bwrite_init32_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init16 (bwrite_init32 b ow init) or].
+ sepoffset ow 4 or 2 ->
+ bread_init16 (bwrite_init32 b ow init) or = bread_init16 b or
+
+ lemma bread_init16_bwrite_init64_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init16 (bwrite_init64 b ow init) or].
+ sepoffset ow 8 or 2 ->
+ bread_init16 (bwrite_init64 b ow init) or = bread_init16 b or
+
+ lemma bread_init32_bwrite_init32_eq:
+ forall b: iblock, o: int, init: bool [bread_init32 (bwrite_init32 b o init) o].
+ bread_init32 (bwrite_init32 b o init) o = init
+
+ lemma bread_init32_bhavoc_sep:
+ forall b: iblock, u: S.seq bool, or ho: int [bread_init32 (bwrite_seq b ho u) or].
+ sepoffset or 4 ho (Seq.length u) ->
+ bread_init32 (bwrite_seq b ho u) or = bread_init32 b or
+
+ lemma bread_init32_bwrite_init8_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init32 (bwrite_init8 b ow init) or].
+ sepoffset ow 1 or 4 ->
+ bread_init32 (bwrite_init8 b ow init) or = bread_init32 b or
+
+ lemma bread_init32_bwrite_init16_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init32 (bwrite_init16 b ow init) or].
+ sepoffset ow 2 or 4 ->
+ bread_init32 (bwrite_init16 b ow init) or = bread_init32 b or
+
+ lemma bread_init32_bwrite_init32_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init32 (bwrite_init32 b ow init) or].
+ sepoffset ow 4 or 4 ->
+ bread_init32 (bwrite_init32 b ow init) or = bread_init32 b or
+
+ lemma bread_init32_bwrite_init64_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init32 (bwrite_init64 b ow init) or].
+ sepoffset ow 8 or 4 ->
+ bread_init32 (bwrite_init64 b ow init) or = bread_init32 b or
+
+ lemma bread_init64_bwrite_init64_eq:
+ forall b: iblock, o: int, init: bool [bread_init64 (bwrite_init64 b o init) o].
+ bread_init64 (bwrite_init64 b o init) o = init
+
+ lemma bread_init64_bhavoc_sep:
+ forall b: iblock, u: S.seq bool, or ho: int [bread_init64 (bwrite_seq b ho u) or].
+ sepoffset or 8 ho (Seq.length u) ->
+ bread_init64 (bwrite_seq b ho u) or = bread_init64 b or
+
+ lemma bread_init64_bwrite_init8_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init64 (bwrite_init8 b ow init) or].
+ sepoffset ow 1 or 8 ->
+ bread_init64 (bwrite_init8 b ow init) or = bread_init64 b or
+
+ lemma bread_init64_bwrite_init16_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init64 (bwrite_init16 b ow init) or].
+ sepoffset ow 2 or 8 ->
+ bread_init64 (bwrite_init16 b ow init) or = bread_init64 b or
+
+ lemma bread_init64_bwrite_init32_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init64 (bwrite_init32 b ow init) or].
+ sepoffset ow 4 or 8 ->
+ bread_init64 (bwrite_init32 b ow init) or = bread_init64 b or
+
+ lemma bread_init64_bwrite_init64_sep:
+ forall b: iblock, or ow: int, init: bool [bread_init64 (bwrite_init64 b ow init) or].
+ sepoffset ow 8 or 8 ->
+ bread_init64 (bwrite_init64 b ow init) or = bread_init64 b or
+
+
+end
+
+module MemBytes
+ use int.Int
+ use map.Map
+ use frama_c_wp.cint.Cint
+ use frama_c_wp.memaddr.MemAddr
+ use frama_c_wp.sequence.Seq as S
+ use RWBytes
+ use ValueBlockRW as VB
+ use InitBlockRW as IB
+
+ type memory = map int (VB.vblock)
+ type init = map int (IB.iblock)
+
+ (* override memory cinits for MemBytes memory *)
+ predicate cinits (init)
+
+ function raw_get (m: map int (map int 'a)) (a: addr) : 'a =
+ get (get m a.base) a.offset
+
+ function raw_set (m: map int (map int 'a)) (a: addr) (v: 'a) : map int (map int 'a) =
+ set m a.base (set (get m a.base) a.offset v)
+
+ let rec function to_seq (a: map int 'a) (b e: int) : S.seq 'a
+ ensures { e - b >= 0 -> S.length result = e - b }
+ ensures { forall i: int. b <= i < e -> S.(result[i - b]) = get a i }
+ variant { e - b }
+ = if e <= b then S.L.Nil else S.L.Cons (get a b) (to_seq a (b+1) e)
+
+ function init_seq (s: int) : S.seq bool =
+ S.create True s
+
+ function havoc (fresh cur: map int (block 'a)) (a: addr) (size: int): map int (block 'a) =
+ set cur a.base (bwrite_seq (get cur a.base) a.offset (to_seq fresh[a.base] 0 size))
+
+ predicate eqmem (m1 m2: map int (block 'a)) (a: addr) (size: int) =
+ beq_blocks (get m1 a.base) (get m2 a.base) (a.offset) size
+
+ predicate is_init_range (i: init) (a: addr) (size: int) =
+ IB.is_init_range (get i a.base) a.offset size
+
+ function set_init_range (cur: init) (a: addr) (size: int) : init =
+ set cur a.base (bwrite_seq (get cur a.base) a.offset (init_seq size))
+
+ function read_uint8 (m: memory) (a: addr) : int =
+ VB.bread_uint8 m[a.base] a.offset
+
+ function read_uint16 (m: memory) (a: addr) : int =
+ VB.bread_uint16 m[a.base] a.offset
+
+ function read_uint32 (m: memory) (a: addr) : int =
+ VB.bread_uint32 m[a.base] a.offset
+
+ function read_uint64 (m: memory) (a: addr) : int =
+ VB.bread_uint64 m[a.base] a.offset
+
+ function read_sint8 (m: memory) (a: addr) : int =
+ VB.bread_sint8 m[a.base] a.offset
+
+ function read_sint16 (m: memory) (a: addr) : int =
+ VB.bread_sint16 m[a.base] a.offset
+
+ function read_sint32 (m: memory) (a: addr) : int =
+ VB.bread_sint32 m[a.base] a.offset
+
+ function read_sint64 (m: memory) (a: addr) : int =
+ VB.bread_sint64 m[a.base] a.offset
+
+ function write_uint8 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_uint8 m [a.base] a.offset v)
+
+ function write_uint16 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_uint16 m [a.base] a.offset v)
+
+ function write_uint32 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_uint32 m [a.base] a.offset v)
+
+ function write_uint64 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_uint64 m [a.base] a.offset v)
+
+ function write_sint8 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_sint8 m [a.base] a.offset v)
+
+ function write_sint16 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_sint16 m [a.base] a.offset v)
+
+ function write_sint32 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_sint32 m [a.base] a.offset v)
+
+ function write_sint64 (m: memory) (a: addr) (v: int) : memory =
+ set m a.base (VB.bwrite_sint64 m [a.base] a.offset v)
+
+ lemma read_uint8_write_uint8_eq:
+ forall m: memory, a: addr, v: int [read_uint8 (write_uint8 m a v) a].
+ is_uint8 v ->
+ read_uint8 (write_uint8 m a v) a = v
+
+ lemma read_uint8_write_sint8_eq:
+ forall m: memory, a: addr, v: int [read_uint8 (write_sint8 m a v) a].
+ is_sint8 v ->
+ read_uint8 (write_sint8 m a v) a = to_uint8 v
+
+ lemma read_uint8_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_uint8 (havoc fresh cur aw size) ar].
+ separated ar 1 aw size ->
+ read_uint8 (havoc fresh cur aw size) ar = read_uint8 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint8 nb ar.offset = VB.bread_uint8 ob ar.offset
+
+ lemma read_uint8_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_uint8 m aw v) ar].
+ separated aw 1 ar 1 ->
+ read_uint8 (write_uint8 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_uint16 m aw v) ar].
+ separated aw 2 ar 1 ->
+ read_uint8 (write_uint16 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_uint32 m aw v) ar].
+ separated aw 4 ar 1 ->
+ read_uint8 (write_uint32 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_uint64 m aw v) ar].
+ separated aw 8 ar 1 ->
+ read_uint8 (write_uint64 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_sint8 m aw v) ar].
+ separated aw 1 ar 1 ->
+ read_uint8 (write_sint8 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_sint16 m aw v) ar].
+ separated aw 2 ar 1 ->
+ read_uint8 (write_sint16 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_sint32 m aw v) ar].
+ separated aw 4 ar 1 ->
+ read_uint8 (write_sint32 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint8_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint8 (write_sint64 m aw v) ar].
+ separated aw 8 ar 1 ->
+ read_uint8 (write_sint64 m aw v) ar = read_uint8 m ar
+
+ lemma read_uint16_write_uint16_eq:
+ forall m: memory, a: addr, v: int [read_uint16 (write_uint16 m a v) a].
+ is_uint16 v ->
+ read_uint16 (write_uint16 m a v) a = v
+
+ lemma read_uint16_write_sint16_eq:
+ forall m: memory, a: addr, v: int [read_uint16 (write_sint16 m a v) a].
+ is_sint16 v ->
+ read_uint16 (write_sint16 m a v) a = to_uint16 v
+
+ lemma read_uint16_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_uint16 (havoc fresh cur aw size) ar].
+ separated ar 2 aw size ->
+ read_uint16 (havoc fresh cur aw size) ar = read_uint16 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint16 nb ar.offset = VB.bread_uint16 ob ar.offset
+
+ lemma read_uint16_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_uint8 m aw v) ar].
+ separated aw 1 ar 2 ->
+ read_uint16 (write_uint8 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_uint16 m aw v) ar].
+ separated aw 2 ar 2 ->
+ read_uint16 (write_uint16 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_uint32 m aw v) ar].
+ separated aw 4 ar 2 ->
+ read_uint16 (write_uint32 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_uint64 m aw v) ar].
+ separated aw 8 ar 2 ->
+ read_uint16 (write_uint64 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_sint8 m aw v) ar].
+ separated aw 1 ar 2 ->
+ read_uint16 (write_sint8 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_sint16 m aw v) ar].
+ separated aw 2 ar 2 ->
+ read_uint16 (write_sint16 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_sint32 m aw v) ar].
+ separated aw 4 ar 2 ->
+ read_uint16 (write_sint32 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint16_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint16 (write_sint64 m aw v) ar].
+ separated aw 8 ar 2 ->
+ read_uint16 (write_sint64 m aw v) ar = read_uint16 m ar
+
+ lemma read_uint32_write_uint32_eq:
+ forall m: memory, a: addr, v: int [read_uint32 (write_uint32 m a v) a].
+ is_uint32 v ->
+ read_uint32 (write_uint32 m a v) a = v
+
+ lemma read_uint32_write_sint32_eq:
+ forall m: memory, a: addr, v: int [read_uint32 (write_sint32 m a v) a].
+ is_sint32 v ->
+ read_uint32 (write_sint32 m a v) a = to_uint32 v
+
+ lemma read_uint32_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_uint32 (havoc fresh cur aw size) ar].
+ separated ar 4 aw size ->
+ read_uint32 (havoc fresh cur aw size) ar = read_uint32 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint32 nb ar.offset = VB.bread_uint32 ob ar.offset
+
+ lemma read_uint32_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_uint8 m aw v) ar].
+ separated aw 1 ar 4 ->
+ read_uint32 (write_uint8 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_uint16 m aw v) ar].
+ separated aw 2 ar 4 ->
+ read_uint32 (write_uint16 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_uint32 m aw v) ar].
+ separated aw 4 ar 4 ->
+ read_uint32 (write_uint32 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_uint64 m aw v) ar].
+ separated aw 8 ar 4 ->
+ read_uint32 (write_uint64 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_sint8 m aw v) ar].
+ separated aw 1 ar 4 ->
+ read_uint32 (write_sint8 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_sint16 m aw v) ar].
+ separated aw 2 ar 4 ->
+ read_uint32 (write_sint16 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_sint32 m aw v) ar].
+ separated aw 4 ar 4 ->
+ read_uint32 (write_sint32 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint32_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint32 (write_sint64 m aw v) ar].
+ separated aw 8 ar 4 ->
+ read_uint32 (write_sint64 m aw v) ar = read_uint32 m ar
+
+ lemma read_uint64_write_uint64_eq:
+ forall m: memory, a: addr, v: int [read_uint64 (write_uint64 m a v) a].
+ is_uint64 v ->
+ read_uint64 (write_uint64 m a v) a = v
+
+ lemma read_uint64_write_sint64_eq:
+ forall m: memory, a: addr, v: int [read_uint64 (write_sint64 m a v) a].
+ is_sint64 v ->
+ read_uint64 (write_sint64 m a v) a = to_uint64 v
+
+ lemma read_uint64_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_uint64 (havoc fresh cur aw size) ar].
+ separated ar 8 aw size ->
+ read_uint64 (havoc fresh cur aw size) ar = read_uint64 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint64 nb ar.offset = VB.bread_uint64 ob ar.offset
+
+ lemma read_uint64_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_uint8 m aw v) ar].
+ separated aw 1 ar 8 ->
+ read_uint64 (write_uint8 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_uint16 m aw v) ar].
+ separated aw 2 ar 8 ->
+ read_uint64 (write_uint16 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_uint32 m aw v) ar].
+ separated aw 4 ar 8 ->
+ read_uint64 (write_uint32 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_uint64 m aw v) ar].
+ separated aw 8 ar 8 ->
+ read_uint64 (write_uint64 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_sint8 m aw v) ar].
+ separated aw 1 ar 8 ->
+ read_uint64 (write_sint8 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_sint16 m aw v) ar].
+ separated aw 2 ar 8 ->
+ read_uint64 (write_sint16 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_sint32 m aw v) ar].
+ separated aw 4 ar 8 ->
+ read_uint64 (write_sint32 m aw v) ar = read_uint64 m ar
+
+ lemma read_uint64_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_uint64 (write_sint64 m aw v) ar].
+ separated aw 8 ar 8 ->
+ read_uint64 (write_sint64 m aw v) ar = read_uint64 m ar
+
+ lemma read_sint8_write_sint8_eq:
+ forall m: memory, a: addr, v: int [read_sint8 (write_sint8 m a v) a].
+ is_sint8 v ->
+ read_sint8 (write_sint8 m a v) a = v
+
+ lemma read_sint8_write_uint8_eq:
+ forall m: memory, a: addr, v: int [read_sint8 (write_uint8 m a v) a].
+ is_uint8 v ->
+ read_sint8 (write_uint8 m a v) a = to_sint8 v
+
+ lemma read_sint8_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_sint8 (havoc fresh cur aw size) ar].
+ separated ar 1 aw size ->
+ read_sint8 (havoc fresh cur aw size) ar = read_sint8 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint8 nb ar.offset = VB.bread_uint8 ob ar.offset
+
+ lemma read_sint8_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_uint8 m aw v) ar].
+ separated aw 1 ar 1 ->
+ read_sint8 (write_uint8 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_uint16 m aw v) ar].
+ separated aw 2 ar 1 ->
+ read_sint8 (write_uint16 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_uint32 m aw v) ar].
+ separated aw 4 ar 1 ->
+ read_sint8 (write_uint32 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_uint64 m aw v) ar].
+ separated aw 8 ar 1 ->
+ read_sint8 (write_uint64 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_sint8 m aw v) ar].
+ separated aw 1 ar 1 ->
+ read_sint8 (write_sint8 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_sint16 m aw v) ar].
+ separated aw 2 ar 1 ->
+ read_sint8 (write_sint16 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_sint32 m aw v) ar].
+ separated aw 4 ar 1 ->
+ read_sint8 (write_sint32 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint8_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint8 (write_sint64 m aw v) ar].
+ separated aw 8 ar 1 ->
+ read_sint8 (write_sint64 m aw v) ar = read_sint8 m ar
+
+ lemma read_sint16_write_sint16_eq:
+ forall m: memory, a: addr, v: int [read_sint16 (write_sint16 m a v) a].
+ is_sint16 v ->
+ read_sint16 (write_sint16 m a v) a = v
+
+ lemma read_sint16_write_uint16_eq:
+ forall m: memory, a: addr, v: int [read_sint16 (write_uint16 m a v) a].
+ is_uint16 v ->
+ read_sint16 (write_uint16 m a v) a = to_sint16 v
+
+ lemma read_sint16_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_sint16 (havoc fresh cur aw size) ar].
+ separated ar 2 aw size ->
+ read_sint16 (havoc fresh cur aw size) ar = read_sint16 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint16 nb ar.offset = VB.bread_uint16 ob ar.offset
+
+ lemma read_sint16_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_uint8 m aw v) ar].
+ separated aw 1 ar 2 ->
+ read_sint16 (write_uint8 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_uint16 m aw v) ar].
+ separated aw 2 ar 2 ->
+ read_sint16 (write_uint16 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_uint32 m aw v) ar].
+ separated aw 4 ar 2 ->
+ read_sint16 (write_uint32 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_uint64 m aw v) ar].
+ separated aw 8 ar 2 ->
+ read_sint16 (write_uint64 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_sint8 m aw v) ar].
+ separated aw 1 ar 2 ->
+ read_sint16 (write_sint8 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_sint16 m aw v) ar].
+ separated aw 2 ar 2 ->
+ read_sint16 (write_sint16 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_sint32 m aw v) ar].
+ separated aw 4 ar 2 ->
+ read_sint16 (write_sint32 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint16_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint16 (write_sint64 m aw v) ar].
+ separated aw 8 ar 2 ->
+ read_sint16 (write_sint64 m aw v) ar = read_sint16 m ar
+
+ lemma read_sint32_write_sint32_eq:
+ forall m: memory, a: addr, v: int [read_sint32 (write_sint32 m a v) a].
+ is_sint32 v ->
+ read_sint32 (write_sint32 m a v) a = v
+
+ lemma read_sint32_write_uint32_eq:
+ forall m: memory, a: addr, v: int [read_sint32 (write_uint32 m a v) a].
+ is_uint32 v ->
+ read_sint32 (write_uint32 m a v) a = to_sint32 v
+
+ lemma read_sint32_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_sint32 (havoc fresh cur aw size) ar].
+ separated ar 4 aw size ->
+ read_sint32 (havoc fresh cur aw size) ar = read_sint32 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint32 nb ar.offset = VB.bread_uint32 ob ar.offset
+
+ lemma read_sint32_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_uint8 m aw v) ar].
+ separated aw 1 ar 4 ->
+ read_sint32 (write_uint8 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_uint16 m aw v) ar].
+ separated aw 2 ar 4 ->
+ read_sint32 (write_uint16 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_uint32 m aw v) ar].
+ separated aw 4 ar 4 ->
+ read_sint32 (write_uint32 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_uint64 m aw v) ar].
+ separated aw 8 ar 4 ->
+ read_sint32 (write_uint64 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_sint8 m aw v) ar].
+ separated aw 1 ar 4 ->
+ read_sint32 (write_sint8 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_sint16 m aw v) ar].
+ separated aw 2 ar 4 ->
+ read_sint32 (write_sint16 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_sint32 m aw v) ar].
+ separated aw 4 ar 4 ->
+ read_sint32 (write_sint32 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint32_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint32 (write_sint64 m aw v) ar].
+ separated aw 8 ar 4 ->
+ read_sint32 (write_sint64 m aw v) ar = read_sint32 m ar
+
+ lemma read_sint64_write_sint64_eq:
+ forall m: memory, a: addr, v: int [read_sint64 (write_sint64 m a v) a].
+ is_sint64 v ->
+ read_sint64 (write_sint64 m a v) a = v
+
+ lemma read_sint64_write_uint64_eq:
+ forall m: memory, a: addr, v: int [read_sint64 (write_uint64 m a v) a].
+ is_uint64 v ->
+ read_sint64 (write_uint64 m a v) a = to_sint64 v
+
+ lemma read_sint64_havoc_sep:
+ forall fresh cur: memory, size: int, ar aw: addr [read_sint64 (havoc fresh cur aw size) ar].
+ separated ar 8 aw size ->
+ read_sint64 (havoc fresh cur aw size) ar = read_sint64 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> VB.bread_uint64 nb ar.offset = VB.bread_uint64 ob ar.offset
+
+ lemma read_sint64_write_uint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_uint8 m aw v) ar].
+ separated aw 1 ar 8 ->
+ read_sint64 (write_uint8 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_uint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_uint16 m aw v) ar].
+ separated aw 2 ar 8 ->
+ read_sint64 (write_uint16 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_uint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_uint32 m aw v) ar].
+ separated aw 4 ar 8 ->
+ read_sint64 (write_uint32 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_uint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_uint64 m aw v) ar].
+ separated aw 8 ar 8 ->
+ read_sint64 (write_uint64 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_sint8_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_sint8 m aw v) ar].
+ separated aw 1 ar 8 ->
+ read_sint64 (write_sint8 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_sint16_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_sint16 m aw v) ar].
+ separated aw 2 ar 8 ->
+ read_sint64 (write_sint16 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_sint32_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_sint32 m aw v) ar].
+ separated aw 4 ar 8 ->
+ read_sint64 (write_sint32 m aw v) ar = read_sint64 m ar
+
+ lemma read_sint64_write_sint64_sep:
+ forall m: memory, ar aw: addr, v: int [read_sint64 (write_sint64 m aw v) ar].
+ separated aw 8 ar 8 ->
+ read_sint64 (write_sint64 m aw v) ar = read_sint64 m ar
+
+ function read_init8 (m: init) (a: addr) : bool =
+ IB.bread_init8 m[a.base] a.offset
+
+ function read_init16 (m: init) (a: addr) : bool =
+ IB.bread_init16 m[a.base] a.offset
+
+ function read_init32 (m: init) (a: addr) : bool =
+ IB.bread_init32 m[a.base] a.offset
+
+ function read_init64 (m: init) (a: addr) : bool =
+ IB.bread_init64 m[a.base] a.offset
+
+ function write_init8 (m: init) (a: addr) (i: bool) : init =
+ set m a.base (IB.bwrite_init8 m [a.base] a.offset i)
+
+ function write_init16 (m: init) (a: addr) (i: bool) : init =
+ set m a.base (IB.bwrite_init16 m [a.base] a.offset i)
+
+ function write_init32 (m: init) (a: addr) (i: bool) : init =
+ set m a.base (IB.bwrite_init32 m [a.base] a.offset i)
+
+ function write_init64 (m: init) (a: addr) (i: bool) : init =
+ set m a.base (IB.bwrite_init64 m [a.base] a.offset i)
+
+ lemma read_init8_write_init8_eq:
+ forall m: init, a: addr, i: bool [read_init8 (write_init8 m a i) a].
+ read_init8 (write_init8 m a i) a = i
+
+ lemma read_init8_havoc_sep:
+ forall fresh cur: init, size: int, ar aw: addr [read_init8 (havoc fresh cur aw size) ar].
+ separated ar 1 aw size ->
+ read_init8 (havoc fresh cur aw size) ar = read_init8 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> IB.bread_init8 nb ar.offset = IB.bread_init8 ob ar.offset
+
+ lemma read_init8_write_init8_sep:
+ forall m: init, ar aw: addr, i: bool [read_init8 (write_init8 m aw i) ar].
+ separated aw 1 ar 1 ->
+ read_init8 (write_init8 m aw i) ar = read_init8 m ar
+
+ lemma read_init8_write_init16_sep:
+ forall m: init, ar aw: addr, i: bool [read_init8 (write_init16 m aw i) ar].
+ separated aw 2 ar 1 ->
+ read_init8 (write_init16 m aw i) ar = read_init8 m ar
+
+ lemma read_init8_write_init32_sep:
+ forall m: init, ar aw: addr, i: bool [read_init8 (write_init32 m aw i) ar].
+ separated aw 4 ar 1 ->
+ read_init8 (write_init32 m aw i) ar = read_init8 m ar
+
+ lemma read_init8_write_init64_sep:
+ forall m: init, ar aw: addr, i: bool [read_init8 (write_init64 m aw i) ar].
+ separated aw 8 ar 1 ->
+ read_init8 (write_init64 m aw i) ar = read_init8 m ar
+
+ lemma read_init16_write_init16_eq:
+ forall m: init, a: addr, i: bool [read_init16 (write_init16 m a i) a].
+ read_init16 (write_init16 m a i) a = i
+
+ lemma read_init16_havoc_sep:
+ forall fresh cur: init, size: int, ar aw: addr [read_init16 (havoc fresh cur aw size) ar].
+ separated ar 2 aw size ->
+ read_init16 (havoc fresh cur aw size) ar = read_init16 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> IB.bread_init16 nb ar.offset = IB.bread_init16 ob ar.offset
+
+ lemma read_init16_write_init8_sep:
+ forall m: init, ar aw: addr, i: bool [read_init16 (write_init8 m aw i) ar].
+ separated aw 1 ar 2 ->
+ read_init16 (write_init8 m aw i) ar = read_init16 m ar
+
+ lemma read_init16_write_init16_sep:
+ forall m: init, ar aw: addr, i: bool [read_init16 (write_init16 m aw i) ar].
+ separated aw 2 ar 2 ->
+ read_init16 (write_init16 m aw i) ar = read_init16 m ar
+
+ lemma read_init16_write_init32_sep:
+ forall m: init, ar aw: addr, i: bool [read_init16 (write_init32 m aw i) ar].
+ separated aw 4 ar 2 ->
+ read_init16 (write_init32 m aw i) ar = read_init16 m ar
+
+ lemma read_init16_write_init64_sep:
+ forall m: init, ar aw: addr, i: bool [read_init16 (write_init64 m aw i) ar].
+ separated aw 8 ar 2 ->
+ read_init16 (write_init64 m aw i) ar = read_init16 m ar
+
+ lemma read_init32_write_init32_eq:
+ forall m: init, a: addr, i: bool [read_init32 (write_init32 m a i) a].
+ read_init32 (write_init32 m a i) a = i
+
+ lemma read_init32_havoc_sep:
+ forall fresh cur: init, size: int, ar aw: addr [read_init32 (havoc fresh cur aw size) ar].
+ separated ar 4 aw size ->
+ read_init32 (havoc fresh cur aw size) ar = read_init32 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> IB.bread_init32 nb ar.offset = IB.bread_init32 ob ar.offset
+
+ lemma read_init32_write_init8_sep:
+ forall m: init, ar aw: addr, i: bool [read_init32 (write_init8 m aw i) ar].
+ separated aw 1 ar 4 ->
+ read_init32 (write_init8 m aw i) ar = read_init32 m ar
+
+ lemma read_init32_write_init16_sep:
+ forall m: init, ar aw: addr, i: bool [read_init32 (write_init16 m aw i) ar].
+ separated aw 2 ar 4 ->
+ read_init32 (write_init16 m aw i) ar = read_init32 m ar
+
+ lemma read_init32_write_init32_sep:
+ forall m: init, ar aw: addr, i: bool [read_init32 (write_init32 m aw i) ar].
+ separated aw 4 ar 4 ->
+ read_init32 (write_init32 m aw i) ar = read_init32 m ar
+
+ lemma read_init32_write_init64_sep:
+ forall m: init, ar aw: addr, i: bool [read_init32 (write_init64 m aw i) ar].
+ separated aw 8 ar 4 ->
+ read_init32 (write_init64 m aw i) ar = read_init32 m ar
+
+ lemma read_init64_write_init64_eq:
+ forall m: init, a: addr, i: bool [read_init64 (write_init64 m a i) a].
+ read_init64 (write_init64 m a i) a = i
+
+ lemma read_init64_havoc_sep:
+ forall fresh cur: init, size: int, ar aw: addr [read_init64 (havoc fresh cur aw size) ar].
+ separated ar 8 aw size ->
+ read_init64 (havoc fresh cur aw size) ar = read_init64 cur ar
+ by
+ let ob = cur[aw.base] in
+ let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in
+ aw.base = ar.base -> IB.bread_init64 nb ar.offset = IB.bread_init64 ob ar.offset
+
+ lemma read_init64_write_init8_sep:
+ forall m: init, ar aw: addr, i: bool [read_init64 (write_init8 m aw i) ar].
+ separated aw 1 ar 8 ->
+ read_init64 (write_init8 m aw i) ar = read_init64 m ar
+
+ lemma read_init64_write_init16_sep:
+ forall m: init, ar aw: addr, i: bool [read_init64 (write_init16 m aw i) ar].
+ separated aw 2 ar 8 ->
+ read_init64 (write_init16 m aw i) ar = read_init64 m ar
+
+ lemma read_init64_write_init32_sep:
+ forall m: init, ar aw: addr, i: bool [read_init64 (write_init32 m aw i) ar].
+ separated aw 4 ar 8 ->
+ read_init64 (write_init32 m aw i) ar = read_init64 m ar
+
+ lemma read_init64_write_init64_sep:
+ forall m: init, ar aw: addr, i: bool [read_init64 (write_init64 m aw i) ar].
+ separated aw 8 ar 8 ->
+ read_init64 (write_init64 m aw i) ar = read_init64 m ar
+
+ predicate sconst (memory)
+
+ predicate bytes(m: memory) =
+ forall a: addr. 0 <= raw_get m a <= 255
+
+end
diff --git a/src/plugins/wp/share/why3/frama_c_wp/membytesgen.ml b/src/plugins/wp/share/why3/frama_c_wp/membytesgen.ml
new file mode 100644
index 0000000000000000000000000000000000000000..8c93efb9bdb7604620afb4dd1202be3be6036830
--- /dev/null
+++ b/src/plugins/wp/share/why3/frama_c_wp/membytesgen.ml
@@ -0,0 +1,686 @@
+(**************************************************************************)
+(* *)
+(* This file is part of WP plug-in of Frama-C. *)
+(* *)
+(* Copyright (C) 2007-2024 *)
+(* CEA (Commissariat a l'energie atomique et aux energies *)
+(* alternatives) *)
+(* *)
+(* you can redistribute it and/or modify it under the terms of the GNU *)
+(* Lesser General Public License as published by the Free Software *)
+(* Foundation, version 2.1. *)
+(* *)
+(* It is distributed in the hope that it will be useful, *)
+(* but WITHOUT ANY WARRANTY; without even the implied warranty of *)
+(* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *)
+(* GNU Lesser General Public License for more details. *)
+(* *)
+(* See the GNU Lesser General Public License version 2.1 *)
+(* for more details (enclosed in the file licenses/LGPLv2.1). *)
+(* *)
+(**************************************************************************)
+
+open Format
+
+let pp_type fmt (signed, size) =
+ let prefix = if signed then 's' else 'u' in
+ fprintf fmt "%cint%d" prefix size
+
+let pp_use fmt (m, alias) =
+ let pp_alias fmt = function
+ | Some alias -> fprintf fmt " as %s" alias
+ | None -> ()
+ in
+ fprintf fmt "use %s%a" m pp_alias alias
+
+let pp_use_list fmt l =
+ fprintf fmt "%a" (pp_print_list ~pp_sep:pp_print_cut pp_use) l
+
+let all_sizes = [ 8 ; 16 ; 32 ; 64 ]
+let all_types = [ (false, 8) ; (false, 16) ; (false, 32) ; (false, 64)
+ ; (true , 8) ; (true , 16) ; (true , 32) ; (true , 64) ]
+
+(* -------------------------------------------------------------------------- *)
+(* --- Value Encode/Decode --- *)
+(* -------------------------------------------------------------------------- *)
+
+let value_codec_preambule fmt () =
+ fprintf fmt "%a@," pp_use_list
+ [ "int.Int", None
+ ; "int.ComputerDivision", None
+ ; "frama_c_wp.cint.Cint", None
+ ; "frama_c_wp.sequence.Seq", None ]
+
+let value_codec_encode_unsigned fmt size =
+ let consbyte ~last fmt n =
+ if n = 1
+ then fprintf fmt "(L.Cons (mod v 0x100)"
+ else fprintf fmt "(L.Cons (mod (div v 0x%x) 0x100)" (1 lsl (8 * (n - 1))) ;
+
+ if last then fprintf fmt " L.Nil%s" (String.init n (fun _ -> ')')) ;
+ fprintf fmt "@,"
+ in
+ let rec all_consbytes n fmt m =
+ if n = m
+ then consbyte ~last:true fmt n
+ else begin consbyte ~last:false fmt n ; all_consbytes (n+1) fmt m end
+ in
+ fprintf fmt "@[<v 2>function encode_%a (v: int) : seq int =@," pp_type (false, size) ;
+ fprintf fmt "%a@]@," (all_consbytes 1) (size / 8)
+
+let value_codec_encode_signed fmt size =
+ fprintf fmt "@[<v 2>function encode_%a (v: int) : seq int =@," pp_type (true, size) ;
+ fprintf fmt "encode_%a (to_%a v)@,@]@," pp_type (false, size) pp_type (false, size)
+
+let value_codec_encode fmt size =
+ value_codec_encode_unsigned fmt size ;
+ value_codec_encode_signed fmt size
+
+let value_codec_decode_unsigned fmt size =
+ let rec mline n fmt stop =
+ if n = stop
+ then fprintf fmt "L.Nil"
+ else fprintf fmt "L.Cons b%d (%a)" n (mline (n + 1)) stop
+ in
+ let rec rline n fmt stop =
+ if n = stop - 1
+ then fprintf fmt "b%d * 0x%x" n (1 lsl (8 * n))
+ else fprintf fmt "b%d * 0x%x + %a" n (1 lsl (8 * n)) (rline (n + 1)) stop
+ in
+ let case fmt stop =
+ fprintf fmt "| %a ->@," (mline 0) stop ;
+ fprintf fmt " %a@," (rline 0) stop ;
+ in
+ fprintf fmt "@[<v 2>function decode_%a (s: seq int) : int =@," pp_type (false, size) ;
+ fprintf fmt "match s with@," ;
+ fprintf fmt "%a" case (size / 8) ;
+ fprintf fmt "| _ -> 0@," ;
+ fprintf fmt "end@,@]@,"
+
+let value_codec_decode_signed fmt size =
+ fprintf fmt "@[<v 2>function decode_%a (s: seq int) : int =@," pp_type (true, size) ;
+ fprintf fmt "to_%a (decode_%a s)@,@]@," pp_type (true, size) pp_type (false, size)
+
+let value_codec_decode fmt size =
+ value_codec_decode_unsigned fmt size ;
+ value_codec_decode_signed fmt size
+
+let value_codec_lemma_decode_encode fmt decoded encoded =
+ let guard fmt () =
+ fprintf fmt "is_%a v" pp_type encoded
+ in
+ let same = match decoded, encoded with (sd, _), (se, _) -> sd = se in
+ let decenc fmt () =
+ fprintf fmt "decode_%a (encode_%a v)"
+ pp_type decoded
+ pp_type encoded
+ in
+ let eq fmt () =
+ fprintf fmt "%a = %sv"
+ decenc ()
+ (if same then "" else asprintf "to_%a " pp_type decoded)
+ in
+ fprintf fmt "@[<v 2>lemma decode_%a_encode_%a:@,"
+ pp_type decoded pp_type encoded ;
+ fprintf fmt "forall v: int [%a].@,%a -> %a@,@]@," decenc () guard () eq ()
+
+let value_codec_lemma_decode_encode fmt size =
+ value_codec_lemma_decode_encode fmt (false, size) (false, size) ;
+ value_codec_lemma_decode_encode fmt (true, size) (false, size) ;
+ value_codec_lemma_decode_encode fmt (false, size) (true , size) ;
+ value_codec_lemma_decode_encode fmt (true, size) (true , size)
+
+let value_codec_all_symbols fmt size =
+ value_codec_decode fmt size ;
+ value_codec_encode fmt size ;
+ value_codec_lemma_decode_encode fmt size
+
+let value_codec fmt () =
+ fprintf fmt "%a@," value_codec_preambule () ;
+ List.iter (fprintf fmt "%a" value_codec_all_symbols) all_sizes
+
+(* -------------------------------------------------------------------------- *)
+(* --- Init Encode/Decode --- *)
+(* -------------------------------------------------------------------------- *)
+
+let init_codec_preambule fmt () =
+ fprintf fmt "%a@," pp_use_list
+ [ "bool.Bool", None
+ ; "frama_c_wp.sequence.Seq", None ]
+
+let init_codec_decode fmt size =
+ let rec mline n fmt stop =
+ if n = stop
+ then fprintf fmt "L.Nil"
+ else fprintf fmt "L.Cons b%d (%a)" n (mline (n + 1)) stop
+ in
+ let rec rline n fmt stop =
+ if n = stop - 1
+ then fprintf fmt "b%d" n
+ else fprintf fmt "b%d && %a" n (rline (n + 1)) stop
+ in
+ let case fmt stop =
+ fprintf fmt "| %a ->@," (mline 0) stop ;
+ fprintf fmt " %a@," (rline 0) stop
+ in
+ fprintf fmt "@[<v 2>function decode_init%d (s: seq bool) : bool =@," size ;
+ fprintf fmt "match s with@," ;
+ fprintf fmt "%a" case (size / 8) ;
+ fprintf fmt "| _ -> false@," ;
+ fprintf fmt "end@,@]@,"
+
+let init_codec_encode fmt size =
+ fprintf fmt "@[<v 2>function encode_init%d (v: bool) : seq bool =@," size ;
+ fprintf fmt "create v %d" (size / 8) ;
+ fprintf fmt "@,@]@,"
+
+let init_codec_lemma_decode_encode fmt size =
+ let decenc fmt () =
+ fprintf fmt "decode_init%d (encode_init%d v)" size size
+ in
+ let eq fmt () = fprintf fmt "%a = v" decenc () in
+ fprintf fmt "@[<v 2>lemma decode_init%d_encode_init%d:@," size size ;
+ fprintf fmt "forall v: bool [%a].@,%a@,@]@," decenc () eq ()
+
+
+let init_codec_all_symbols fmt size =
+ init_codec_decode fmt size ;
+ init_codec_encode fmt size ;
+ init_codec_lemma_decode_encode fmt size
+
+let init_codec fmt () =
+ fprintf fmt "%a@," init_codec_preambule () ;
+ List.iter (fprintf fmt "%a" init_codec_all_symbols) all_sizes
+
+(* -------------------------------------------------------------------------- *)
+(* --- Offset --- *)
+(* -------------------------------------------------------------------------- *)
+
+let offset fmt () =
+ fprintf fmt
+ {|use int.Int
+ type offset = int
+
+ predicate sepoffset (po: offset) (lp: int) (qo: offset) (lq: int) =
+ qo + lq <= po \/ po + lp <= qo
+|}
+
+(* -------------------------------------------------------------------------- *)
+(* --- RWBytes --- *)
+(* -------------------------------------------------------------------------- *)
+
+let rwbytes_preambule fmt () =
+ fprintf fmt "%a@,@," pp_use_list
+ [ "int.Int", None ; "map.Map", Some "M" ;
+ "frama_c_wp.sequence.Seq", Some "S" ; "Offset", None] ;
+ fprintf fmt
+ {|type seq 'a = S.seq 'a
+ type block 'a = M.map int 'a
+
+ function bwrite_seq (b:block 'a) (o: int) (s: seq 'a) : block 'a =
+ match s with
+ | S.L.Nil -> b
+ | S.L.Cons h tl -> M.(set (bwrite_seq b (o+1) tl) o h)
+ end
+
+ predicate beq_blocks (b1 b2: block 'a) (o: int) (l: int) =
+ forall i: int. o <= i < o + l -> M.(get b1 i) = M.(get b2 i)
+|}
+
+let rwbytes_write fmt size =
+ let rec mline n max fmt stop =
+ if n = stop
+ then fprintf fmt "%s" (if max = stop then "_" else "S.L.Nil")
+ else fprintf fmt "S.L.Cons b%d (%a)" n (mline (n + 1) max) stop
+ in
+ let rec rline n fmt stop =
+ let pp_offset fmt = function
+ | 0 -> fprintf fmt "o"
+ | n -> fprintf fmt "(o+%d)" n
+ in
+ if n = stop
+ then fprintf fmt "b"
+ else fprintf fmt "(set %a %a b%d)" (rline (n + 1)) stop pp_offset n n
+ in
+ let case stop fmt max =
+ fprintf fmt "| %a ->@," (mline 0 max) stop ;
+ fprintf fmt " M.%a@," (rline 0) stop ;
+ in
+ fprintf fmt "@[<v 2>function bwrite_%dbits (b: block 'a) (o: int) (s: seq 'a) : block 'a =@," size ;
+ fprintf fmt "match s with@," ;
+ fprintf fmt "%a" (case (size / 8)) (size / 8) ;
+ fprintf fmt "| _ -> b@," ;
+ fprintf fmt "end@,@]@,"
+
+let rwbytes_read fmt size =
+ let consbyte ~last fmt n =
+ if n = 1
+ then fprintf fmt "(S.L.Cons M.(b[o ])"
+ else fprintf fmt "(S.L.Cons M.(b[o+%d])" (n - 1) ;
+
+ if last then fprintf fmt " S.L.Nil%s" (String.init n (fun _ -> ')')) ;
+ fprintf fmt "@,"
+ in
+ let rec all_consbytes n fmt m =
+ if n = m
+ then consbyte ~last:true fmt n
+ else begin consbyte ~last:false fmt n ; all_consbytes (n+1) fmt m end
+ in
+ fprintf fmt "@[<v 2>function bread_%dbits (b: block 'a) (o: int) : seq 'a =@," size ;
+ fprintf fmt "%a@]@," (all_consbytes 1) (size / 8)
+
+let rwbytes_read_write_eq fmt size =
+ let guard fmt () =
+ fprintf fmt "S.length s = %d" (size / 8)
+ in
+ let read_write fmt () =
+ fprintf fmt "bread_%dbits (bwrite_%dbits b o s) o" size size
+ in
+ let eq fmt () = fprintf fmt "%a = s" read_write () in
+ fprintf fmt "@[<v 2>lemma bread_%dbits_bwrite_%dbits_eq:@," size size ;
+ fprintf fmt "forall b: block 'a, o: int, s: seq 'a [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@]@,@," guard () eq ()
+
+let rwbytes_read_bwrite_seq_sep fmt rsize =
+ let brsize = rsize / 8 in
+ let guard fmt () =
+ fprintf fmt "sepoffset ow (S.length s) or %d" brsize in
+ let read_write fmt () =
+ fprintf fmt "bread_%dbits (bwrite_seq b ow s) or" rsize
+ in
+ let eq fmt () = fprintf fmt "%a = bread_%dbits b or" read_write () rsize in
+ fprintf fmt "@[<v 2>let rec lemma bread_%dbits_bwrite_seq_sep " rsize ;
+ fprintf fmt "(b: block 'a)(or ow: int)(s: seq 'a)@," ;
+ fprintf fmt "requires { %a }@," guard() ;
+ fprintf fmt "ensures { %a }@,@]" eq () ;
+ fprintf fmt "@[<v 2>= match s with@," ;
+ fprintf fmt "| S.L.Nil -> ()@," ;
+ fprintf fmt "| S.L.Cons _ tl -> bread_%dbits_bwrite_seq_sep b or (ow + 1) tl@," rsize ;
+ fprintf fmt "end@]@,@,"
+
+let rwbytes_read_write_sep fmt rsize wsize =
+ let brsize = rsize / 8 and bwsize = wsize / 8 in
+ let guard fmt () =
+ fprintf fmt "sepoffset ow %d or %d" bwsize brsize in
+ let read_write fmt () =
+ fprintf fmt "bread_%dbits (bwrite_%dbits b ow s) or" rsize wsize
+ in
+ let eq fmt () = fprintf fmt "%a = bread_%dbits b or" read_write () rsize in
+ fprintf fmt "@[<v 2>lemma bread_%dbits_bwrite_%dbits_sep:@," rsize wsize ;
+ fprintf fmt "forall b: block 'a, or ow: int, s: seq 'a [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@]@,@," guard () eq ()
+
+let rwbytes_all_lemmas fmt size =
+ rwbytes_read_write_eq fmt size ;
+ rwbytes_read_bwrite_seq_sep fmt size ;
+ List.iter (rwbytes_read_write_sep fmt size) all_sizes
+
+let rwbytes fmt () =
+ fprintf fmt "%a@," rwbytes_preambule () ;
+ List.iter (fprintf fmt "%a" rwbytes_read) all_sizes ;
+ List.iter (fprintf fmt "%a" rwbytes_write) all_sizes ;
+ List.iter (fprintf fmt "%a" rwbytes_all_lemmas) all_sizes
+
+(* -------------------------------------------------------------------------- *)
+(* --- ValueBlockRW --- *)
+(* -------------------------------------------------------------------------- *)
+
+let value_blockrw_preambule fmt () =
+ fprintf fmt "%a@,@," pp_use_list
+ [ "int.Int", None
+ ; "frama_c_wp.cint.Cint", None
+ ; "ValueCodec", None
+ ; "Offset", None
+ ; "RWBytes", None
+ ] ;
+ fprintf fmt "type vblock = block int@,"
+
+let value_blockrw_write fmt ((_, size) as t) =
+ fprintf fmt "@[<v 2>function bwrite_%a (b: vblock) (o: int) (v: int) : vblock =@," pp_type t;
+ fprintf fmt "bwrite_%dbits b o (encode_%a v)@,@]@," size pp_type t
+
+let value_blockrw_read fmt ((_, size) as t) =
+ fprintf fmt "@[<v 2>function bread_%a (b: vblock) (o: int) : int =@," pp_type t ;
+ fprintf fmt "decode_%a (bread_%dbits b o)@,@]@," pp_type t size
+
+let value_blockrw_read_write_eq_same fmt t =
+ let guard fmt () = fprintf fmt "is_%a v" pp_type t in
+ let read_write fmt () =
+ fprintf fmt "bread_%a (bwrite_%a b o v) o" pp_type t pp_type t
+ in
+ let eq fmt () = fprintf fmt "%a = v" read_write () in
+ fprintf fmt "@[<v 2>lemma bread_%a_bwrite_%a_eq:@," pp_type t pp_type t ;
+ fprintf fmt "forall b: vblock, o: int, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let value_blockrw_read_write_eq_opposite fmt rt =
+ let wt = not @@ fst rt, snd rt in
+ let guard fmt () = fprintf fmt "is_%a v" pp_type wt in
+ let read_write fmt () =
+ fprintf fmt "bread_%a (bwrite_%a b o v) o" pp_type rt pp_type wt
+ in
+ let eq fmt () = fprintf fmt "%a = to_%a v" read_write () pp_type rt in
+ fprintf fmt "@[<v 2>lemma bread_%a_bwrite_%a_eq:@," pp_type rt pp_type wt ;
+ fprintf fmt "forall b: vblock, o: int, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let value_blockrw_read_write_eq fmt t =
+ value_blockrw_read_write_eq_same fmt t ;
+ value_blockrw_read_write_eq_opposite fmt t
+
+let value_blockrw_read_write_sep fmt rt wt =
+ let guard fmt () =
+ fprintf fmt "sepoffset ow %d or %d" ((snd wt) / 8) ((snd rt) / 8) in
+ let read_write fmt () =
+ fprintf fmt "bread_%a (bwrite_%a b ow v) or" pp_type rt pp_type wt
+ in
+ let eq fmt () = fprintf fmt "%a = bread_%a b or" read_write () pp_type rt in
+ fprintf fmt "@[<v 2>lemma bread_%a_bwrite_%a_sep:@," pp_type rt pp_type wt ;
+ fprintf fmt "forall b: vblock, or ow: int, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let value_blockrw_read_havoc_sep fmt rt =
+ let guard fmt () =
+ fprintf fmt "sepoffset or %d ho (Seq.length u)" ((snd rt) / 8) in
+ let read_havoc fmt () =
+ fprintf fmt "bread_%a (bwrite_seq b ho u) or" pp_type rt
+ in
+ let eq fmt () = fprintf fmt "%a = bread_%a b or" read_havoc () pp_type rt in
+ fprintf fmt "@[<v 2>lemma bread_%a_bhavoc_sep:@," pp_type rt ;
+ fprintf fmt "forall b: vblock, u: S.seq int, or ho: int [%a].@," read_havoc () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let value_blockrw_all_lemmas fmt size =
+ value_blockrw_read_write_eq fmt size ;
+ value_blockrw_read_havoc_sep fmt size ;
+ List.iter (value_blockrw_read_write_sep fmt size) all_types
+
+let value_blockrw fmt () =
+ fprintf fmt "%a@," value_blockrw_preambule () ;
+ List.iter (fprintf fmt "%a" value_blockrw_read) all_types ;
+ List.iter (fprintf fmt "%a" value_blockrw_write) all_types ;
+ List.iter (fprintf fmt "%a" value_blockrw_all_lemmas) all_types
+
+(* -------------------------------------------------------------------------- *)
+(* --- InitBlockRW --- *)
+(* -------------------------------------------------------------------------- *)
+
+let init_blockrw_preambule fmt () =
+ fprintf fmt "%a@,@," pp_use_list
+ [ "bool.Bool", None
+ ; "int.Int", None
+ ; "InitCodec", None
+ ; "Offset", None
+ ; "RWBytes", None
+ ] ;
+ fprintf fmt "type iblock = block bool@,@," ;
+ fprintf fmt "predicate is_init_range(b: iblock) (o: int) (size: int) =@," ;
+ fprintf fmt " forall i: int. o <= i < o + size -> M.get b i = True@,"
+
+let init_blockrw_write fmt size =
+ fprintf fmt "@[<v 2>function bwrite_init%d (b: iblock) (o: int) (init: bool) : iblock =@," size;
+ fprintf fmt "bwrite_%dbits b o (encode_init%d init)@,@]@," size size
+
+let init_blockrw_read fmt size =
+ fprintf fmt "@[<v 2>function bread_init%d (b: iblock) (o: int) : bool =@," size ;
+ fprintf fmt "decode_init%d (bread_%dbits b o)@,@]@," size size
+
+let init_blockrw_read_write_eq fmt size =
+ let read_write fmt () =
+ fprintf fmt "bread_init%d (bwrite_init%d b o init) o" size size
+ in
+ let eq fmt () = fprintf fmt "%a = init" read_write () in
+ fprintf fmt "@[<v 2>lemma bread_init%d_bwrite_init%d_eq:@," size size ;
+ fprintf fmt "forall b: iblock, o: int, init: bool [%a].@," read_write () ;
+ fprintf fmt "%a@,@]@," eq ()
+
+let init_blockrw_read_write_sep fmt rsize wsize =
+ let guard fmt () =
+ fprintf fmt "sepoffset ow %d or %d" (wsize / 8) (rsize / 8) in
+ let read_write fmt () =
+ fprintf fmt "bread_init%d (bwrite_init%d b ow init) or" rsize wsize
+ in
+ let eq fmt () = fprintf fmt "%a = bread_init%d b or" read_write () rsize in
+ fprintf fmt "@[<v 2>lemma bread_init%d_bwrite_init%d_sep:@," rsize wsize ;
+ fprintf fmt "forall b: iblock, or ow: int, init: bool [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let init_blockrw_read_havoc_sep fmt rsize =
+ let guard fmt () =
+ fprintf fmt "sepoffset or %d ho (Seq.length u)" (rsize / 8) in
+ let read_havoc fmt () =
+ fprintf fmt "bread_init%d (bwrite_seq b ho u) or" rsize
+ in
+ let eq fmt () = fprintf fmt "%a = bread_init%d b or" read_havoc () rsize in
+ fprintf fmt "@[<v 2>lemma bread_init%d_bhavoc_sep:@," rsize ;
+ fprintf fmt "forall b: iblock, u: S.seq bool, or ho: int [%a].@," read_havoc () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let init_blockrw_all_lemmas fmt size =
+ init_blockrw_read_write_eq fmt size ;
+ init_blockrw_read_havoc_sep fmt size ;
+ List.iter (init_blockrw_read_write_sep fmt size) all_sizes
+
+let init_blockrw fmt () =
+ fprintf fmt "%a@," init_blockrw_preambule () ;
+ List.iter (fprintf fmt "%a" init_blockrw_read) all_sizes ;
+ List.iter (fprintf fmt "%a" init_blockrw_write) all_sizes ;
+ List.iter (fprintf fmt "%a" init_blockrw_all_lemmas) all_sizes
+
+(* -------------------------------------------------------------------------- *)
+(* --- MemBytes --- *)
+(* -------------------------------------------------------------------------- *)
+
+let membytes_preambule fmt () =
+ fprintf fmt "%a@,@," pp_use_list
+ [ "int.Int", None
+ ; "map.Map", None
+ ; "frama_c_wp.cint.Cint", None
+ ; "frama_c_wp.memaddr.MemAddr", None
+ ; "frama_c_wp.sequence.Seq", Some "S"
+ ; "RWBytes", None
+ ; "ValueBlockRW", Some "VB"
+ ; "InitBlockRW", Some "IB"
+ ] ;
+ fprintf fmt
+ {|type memory = map int (VB.vblock)
+ type init = map int (IB.iblock)
+
+ (* override memory cinits for MemBytes memory *)
+ predicate cinits (init)
+
+ function raw_get (m: map int (map int 'a)) (a: addr) : 'a =
+ get (get m a.base) a.offset
+
+ function raw_set (m: map int (map int 'a)) (a: addr) (v: 'a) : map int (map int 'a) =
+ set m a.base (set (get m a.base) a.offset v)
+
+ let rec function to_seq (a: map int 'a) (b e: int) : S.seq 'a
+ ensures { e - b >= 0 -> S.length result = e - b }
+ ensures { forall i: int. b <= i < e -> S.(result[i - b]) = get a i }
+ variant { e - b }
+ = if e <= b then S.L.Nil else S.L.Cons (get a b) (to_seq a (b+1) e)
+
+ function init_seq (s: int) : S.seq bool =
+ S.create True s
+
+ function havoc (fresh cur: map int (block 'a)) (a: addr) (size: int): map int (block 'a) =
+ set cur a.base (bwrite_seq (get cur a.base) a.offset (to_seq fresh[a.base] 0 size))
+
+ predicate eqmem (m1 m2: map int (block 'a)) (a: addr) (size: int) =
+ beq_blocks (get m1 a.base) (get m2 a.base) (a.offset) size
+
+ predicate is_init_range (i: init) (a: addr) (size: int) =
+ IB.is_init_range (get i a.base) a.offset size
+
+ function set_init_range (cur: init) (a: addr) (size: int) : init =
+ set cur a.base (bwrite_seq (get cur a.base) a.offset (init_seq size))
+|}
+
+let membytes_write fmt t =
+ fprintf fmt "@[<v 2>function write_%a (m: memory) (a: addr) (v: int) : memory =@," pp_type t;
+ fprintf fmt "set m a.base (VB.bwrite_%a m [a.base] a.offset v)@,@]@," pp_type t
+
+let membytes_read fmt t =
+ fprintf fmt "@[<v 2>function read_%a (m: memory) (a: addr) : int =@," pp_type t ;
+ fprintf fmt "VB.bread_%a m[a.base] a.offset@,@]@," pp_type t
+
+let membytes_read_write_eq_same fmt t =
+ let guard fmt () = fprintf fmt "is_%a v" pp_type t in
+ let read_write fmt () =
+ fprintf fmt "read_%a (write_%a m a v) a" pp_type t pp_type t
+ in
+ let eq fmt () = fprintf fmt "%a = v" read_write () in
+ fprintf fmt "@[<v 2>lemma read_%a_write_%a_eq:@," pp_type t pp_type t ;
+ fprintf fmt "forall m: memory, a: addr, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let membytes_read_write_eq_opposite fmt rt =
+ let wt = not @@ fst rt, snd rt in
+ let guard fmt () = fprintf fmt "is_%a v" pp_type wt in
+ let read_write fmt () =
+ fprintf fmt "read_%a (write_%a m a v) a" pp_type rt pp_type wt
+ in
+ let eq fmt () = fprintf fmt "%a = to_%a v" read_write () pp_type rt in
+ fprintf fmt "@[<v 2>lemma read_%a_write_%a_eq:@," pp_type rt pp_type wt ;
+ fprintf fmt "forall m: memory, a: addr, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let membytes_read_write_eq fmt t =
+ membytes_read_write_eq_same fmt t ;
+ membytes_read_write_eq_opposite fmt t
+
+let membytes_read_write_sep fmt rt wt =
+ let guard fmt () =
+ fprintf fmt "separated aw %d ar %d" ((snd wt)/8) ((snd rt)/8) in
+ let read_write fmt () =
+ fprintf fmt "read_%a (write_%a m aw v) ar" pp_type rt pp_type wt
+ in
+ let eq fmt () = fprintf fmt "%a = read_%a m ar" read_write () pp_type rt in
+ fprintf fmt "@[<v 2>lemma read_%a_write_%a_sep:@," pp_type rt pp_type wt ;
+ fprintf fmt "forall m: memory, ar aw: addr, v: int [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let membytes_read_havoc_sep fmt rt =
+ let guard fmt () =
+ fprintf fmt "separated ar %d aw size" ((snd rt) / 8) in
+ let read_havoc fmt () =
+ fprintf fmt "read_%a (havoc fresh cur aw size) ar" pp_type rt
+ in
+ let eq fmt () = fprintf fmt "%a = read_%a cur ar" read_havoc () pp_type rt in
+ fprintf fmt "@[<v 2>lemma read_%a_havoc_sep:@," pp_type rt ;
+ fprintf fmt "forall fresh cur: memory, size: int, ar aw: addr [%a].@," read_havoc () ;
+ fprintf fmt "%a ->@, %a@," guard () eq () ;
+ fprintf fmt "@[<v 2>by@," ;
+ fprintf fmt "let ob = cur[aw.base] in@," ;
+ fprintf fmt "let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in@," ;
+ fprintf fmt "aw.base = ar.base -> " ;
+ fprintf fmt "VB.bread_uint%d nb ar.offset = VB.bread_uint%d ob ar.offset@]@,"
+ (snd rt) (snd rt) ;
+ fprintf fmt "@]@,"
+
+let membytes_all_lemmas fmt size =
+ membytes_read_write_eq fmt size ;
+ membytes_read_havoc_sep fmt size ;
+ List.iter (membytes_read_write_sep fmt size) all_types
+
+let membytes_write_init fmt size =
+ fprintf fmt "@[<v 2>function write_init%d (m: init) (a: addr) (i: bool) : init =@," size;
+ fprintf fmt "set m a.base (IB.bwrite_init%d m [a.base] a.offset i)@,@]@," size
+
+let membytes_read_init fmt size =
+ fprintf fmt "@[<v 2>function read_init%d (m: init) (a: addr) : bool =@," size ;
+ fprintf fmt "IB.bread_init%d m[a.base] a.offset@,@]@," size
+
+let membytes_read_write_init_eq fmt size =
+ let read_write fmt () =
+ fprintf fmt "read_init%d (write_init%d m a i) a" size size
+ in
+ let eq fmt () = fprintf fmt "%a = i" read_write () in
+ fprintf fmt "@[<v 2>lemma read_init%d_write_init%d_eq:@," size size ;
+ fprintf fmt "forall m: init, a: addr, i: bool [%a].@," read_write () ;
+ fprintf fmt "%a@,@]@," eq ()
+
+let membytes_read_write_init_sep fmt rsize wsize =
+ let guard fmt () =
+ fprintf fmt "separated aw %d ar %d" (wsize/8) (rsize/8) in
+ let read_write fmt () =
+ fprintf fmt "read_init%d (write_init%d m aw i) ar" rsize wsize
+ in
+ let eq fmt () = fprintf fmt "%a = read_init%d m ar" read_write () rsize in
+ fprintf fmt "@[<v 2>lemma read_init%d_write_init%d_sep:@," rsize wsize ;
+ fprintf fmt "forall m: init, ar aw: addr, i: bool [%a].@," read_write () ;
+ fprintf fmt "%a ->@, %a@,@]@," guard () eq ()
+
+let membytes_read_havoc_init_sep fmt rsize =
+ let guard fmt () =
+ fprintf fmt "separated ar %d aw size" (rsize / 8) in
+ let read_havoc fmt () =
+ fprintf fmt "read_init%d (havoc fresh cur aw size) ar" rsize
+ in
+ let eq fmt () = fprintf fmt "%a = read_init%d cur ar" read_havoc () rsize in
+ fprintf fmt "@[<v 2>lemma read_init%d_havoc_sep:@," rsize ;
+ fprintf fmt "forall fresh cur: init, size: int, ar aw: addr [%a].@," read_havoc () ;
+ fprintf fmt "%a ->@, %a@," guard () eq () ;
+ fprintf fmt "@[<v 2>by@," ;
+ fprintf fmt "let ob = cur[aw.base] in@," ;
+ fprintf fmt "let nb = bwrite_seq ob aw.offset (to_seq fresh[aw.base] 0 size) in@," ;
+ fprintf fmt "aw.base = ar.base -> " ;
+ fprintf fmt "IB.bread_init%d nb ar.offset = IB.bread_init%d ob ar.offset@]@,"
+ rsize rsize ;
+ fprintf fmt "@]@,"
+
+let membytes_all_init_lemmas fmt size =
+ membytes_read_write_init_eq fmt size ;
+ membytes_read_havoc_init_sep fmt size ;
+ List.iter (membytes_read_write_init_sep fmt size) all_sizes
+
+let membytes_context fmt () =
+ fprintf fmt "predicate sconst (memory)@," ;
+ fprintf fmt
+ {|
+ predicate bytes(m: memory) =
+ forall a: addr. 0 <= raw_get m a <= 255
+|}
+
+let membytes fmt () =
+ fprintf fmt "%a@," membytes_preambule () ;
+ List.iter (fprintf fmt "%a" membytes_read) all_types ;
+ List.iter (fprintf fmt "%a" membytes_write) all_types ;
+ List.iter (fprintf fmt "%a" membytes_all_lemmas) all_types ;
+ List.iter (fprintf fmt "%a" membytes_read_init) all_sizes ;
+ List.iter (fprintf fmt "%a" membytes_write_init) all_sizes ;
+ List.iter (fprintf fmt "%a" membytes_all_init_lemmas) all_sizes ;
+ fprintf fmt "%a" membytes_context ()
+
+(* -------------------------------------------------------------------------- *)
+(* --- Main --- *)
+(* -------------------------------------------------------------------------- *)
+
+let wmodule name builder fmt () =
+ fprintf fmt "@[<v 2>module %s@," name ;
+ fprintf fmt "%a" builder () ;
+ fprintf fmt "@]@.end"
+
+let file_contents filename =
+ let input = open_in_bin filename in
+ let contents = really_input_string input (in_channel_length input) in
+ close_in input;
+ contents
+
+let () =
+ let out = open_out "membytes.mlw" in
+ let header = file_contents "Wp.header" in
+ let fmt = formatter_of_out_channel out in
+ fprintf fmt "%s@." header ;
+ fprintf fmt "(* DO NOT EDIT: this file is generated at build time *)@.@." ;
+ fprintf fmt "(* Tactics for failing proofs:@. \
+ intros variables ; compute_in_goal ; cvc5 *)@.@." ;
+ fprintf fmt "%a@.@;" (wmodule "ValueCodec" value_codec) () ;
+ fprintf fmt "%a@.@;" (wmodule "InitCodec" init_codec) () ;
+ fprintf fmt "%a@.@;" (wmodule "Offset" offset) () ;
+ fprintf fmt "%a@.@;" (wmodule "RWBytes" rwbytes) () ;
+ fprintf fmt "%a@.@;" (wmodule "ValueBlockRW" value_blockrw) () ;
+ fprintf fmt "%a@.@;" (wmodule "InitBlockRW" init_blockrw) () ;
+ fprintf fmt "%a@.@;" (wmodule "MemBytes" membytes) () ;
+ close_out out
diff --git a/src/plugins/wp/share/why3/frama_c_wp/sequence.mlw b/src/plugins/wp/share/why3/frama_c_wp/sequence.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..4d364de7ddd4f7207d7db9a0ca4110079ad774a2
--- /dev/null
+++ b/src/plugins/wp/share/why3/frama_c_wp/sequence.mlw
@@ -0,0 +1,289 @@
+(**************************************************************************)
+(* *)
+(* This file is part of WP plug-in of Frama-C. *)
+(* *)
+(* Copyright (C) 2007-2024 *)
+(* CEA (Commissariat a l'energie atomique et aux energies *)
+(* alternatives) *)
+(* *)
+(* you can redistribute it and/or modify it under the terms of the GNU *)
+(* Lesser General Public License as published by the Free Software *)
+(* Foundation, version 2.1. *)
+(* *)
+(* It is distributed in the hope that it will be useful, *)
+(* but WITHOUT ANY WARRANTY; without even the implied warranty of *)
+(* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *)
+(* GNU Lesser General Public License for more details. *)
+(* *)
+(* See the GNU Lesser General Public License version 2.1 *)
+(* for more details (enclosed in the file licenses/LGPLv2.1). *)
+(* *)
+(**************************************************************************)
+
+(** {1 Finite Sequences}
+
+ This modules provides a persistent array interface to lists.
+ It is typically used to model byte arrays of COSMO implementation.
+*)
+
+module Seq
+
+ use int.Int
+ use int.MinMax
+ use option.Option
+ use list.ListRich as L
+
+ (** {2 Definition}
+
+ A sequence `s` is defined by its size `n = length s` and its elements
+ `s[i]` with `0 <= i < n`.
+
+ All other operations on sequences are defined
+ in terms of the length and elements of the returned sequences.
+ *)
+
+ type seq 'a = L.list 'a
+
+ (** Length of a sequence. *)
+ let function length (u : seq 'a) = L.length u
+ meta coercion function length
+
+ (** Elements of a sequence. *)
+ let rec function ([]) (u : seq 'a) (k : int) : 'a
+ requires { 0 <= k < u }
+ ensures { L.nth k u = Some result }
+ (*proof*)
+ variant { u }
+ = match u with L.Cons x w -> if k = 0 then x else w[k-1] end
+ (*qed*)
+
+ lemma head: forall x:'a, u. (L.Cons x u)[0] = x
+ lemma tail: forall x:'a, u k. 0 < k <= length u -> (L.Cons x u)[k] = u[k-1]
+
+ (** Definitionnal equality: `u == v` states that sequences `u` and `v` have
+ the same length and same elements. *)
+ predicate (==) (u v : seq 'a) =
+ length u = length v /\ forall k. 0 <= k < u -> u[k] = v[k]
+
+ (** Equal lists are definitionnaly equals. *)
+ lemma reflexivity : forall u : seq 'a. u == u
+
+ (** Definitionnaly equal lists _are_ equals. *)
+ let rec lemma extensivity (a b : seq 'a)
+ requires { a == b }
+ ensures { a = b }
+ (*proof*)
+ variant { a, b }
+ = match a, b with
+ | L.Cons _ a' , L.Cons _ b' -> extensivity a' b'
+ | _ -> ()
+ end
+ (*qed*)
+
+ (** Functional equality. *)
+ let rec equal (eq : 'a -> 'a -> bool) (u v : seq 'a) : bool
+ requires { forall x y. L.mem x u -> L.mem y v -> (eq x y <-> x = y) }
+ ensures { result <-> u = v }
+ (*proof*)
+ variant { u, v }
+ = match u, v with
+ | L.Cons x u', L.Cons y v' -> eq x y && equal eq u' v'
+ | L.Nil, L.Nil -> true
+ | _ -> false
+ end
+ (*qed*)
+
+ (** {2 Constructors}
+
+ Helper functions for constructing sequences.
+ *)
+
+ (** Empty sequence of length `0`. *)
+ let constant empty : seq 'a = L.Nil
+
+ (** Singleton sequence with a unique element. *)
+ let function elt (e : 'a) : seq 'a = L.Cons e L.Nil
+
+ (** Head element *)
+ let function hd (s : seq 'a) : 'a
+ requires { 0 < s.length }
+ ensures { result = s[0] }
+ (*proof*) = match s with L.Cons x _ -> x end (*qed*)
+
+ (** Tail element *)
+ let function tl (s : seq 'a) : 'a
+ requires { 0 < s.length }
+ ensures { result = s[ s.length - 1 ] }
+ (*proof*) = s[ s.length - 1 ] (*qed*)
+
+ (** `create e n` returns a sequence of length `n` filled with `e` elements. *)
+ let rec function create (e : 'a) (n : int) : seq 'a
+ requires { 0 <= n }
+ ensures { length result = n }
+ ensures { forall k. 0 <= k < result -> result[k] = e }
+ (*proof*)
+ variant { n }
+ = if n > 0 then L.Cons e (create e (n-1)) else L.Nil
+ (*qed*)
+
+ (** `reset e s` returns a sequence of same length `s` filled with `e` elements. *)
+ let function reset (e : 'a) (s : seq 'b) : seq 'a = create e s.length
+
+ (** `init f a b` returns the sequence of elements `f i` for `a <= i < b`. *)
+ let rec function init (f : int -> 'a) (a b : int) : seq 'a
+ requires { a <= b }
+ ensures { length result = b-a }
+ ensures { forall k. 0 <= k < result -> result[k] = f (a+k) }
+ (*proof*)
+ variant { b-a }
+ = if a < b then L.Cons (f a) (init f (a+1) b) else L.Nil
+ (*qed*)
+
+ (** `map f s` applies `f` to all elements f `s` *)
+ let rec function map (f : 'a -> 'b) (s : seq 'a) : seq 'b
+ ensures { length result = length s }
+ ensures { forall k. 0 <= k < result -> result[k] = f s[k] }
+ (*proof*)
+ variant { s }
+ = match s with L.Nil -> L.Nil | L.Cons x xs -> L.Cons (f x) (map f xs) end
+ (*qed*)
+
+ (** {2 Slices}
+
+ Sequences are commonly operated by a slice of their elements.
+ By convention, a slice `i..j` of elements denotes the range of elements
+ from `i` (_included_) to `j` (_excluded_), hence the range of indices `k`
+ such that `i <= k < j`.
+
+ The slice of all elements of a sequence of size `n` is then `0..n`, and
+ we also denote slice `0..i` by `..i` and slice `i..n` by `i..`.
+ Slice operations are properly defined only for a valid range of indices.
+
+ The dual operation of slice is the concatenation, here denoted by `(++)`.
+ *)
+
+ (** `u ++ v` is the concatenation of `u` and `v`,
+ where `u` elements comes first, and `v` elements follows. *)
+ let rec function (++) (u v : seq 'a) : seq 'a
+ ensures { length result = length u + length v }
+ ensures { forall k. 0 <= k < u -> result[k] = u[k] }
+ ensures { forall k. u <= k < result -> result[k] = v[k - u] }
+ (*proof*)
+ variant { u }
+ = match u with L.Nil -> v | L.Cons x w -> L.Cons x (w ++ v) end
+ (*qed*)
+
+ (** `u[i..j]` is the slice of `u` elements
+ from index `i` (_included_) to index `j` (_excluded_). *)
+ let rec function ([..]) (u : seq 'a) (i j : int) : seq 'a
+ requires { 0 <= i <= j <= u }
+ ensures { length result = j-i }
+ ensures { forall k. 0 <= k < result -> result[k] = u[i+k] }
+ (*proof*)
+ variant { u }
+ = match u with
+ | L.Nil -> L.Nil
+ | L.Cons x w ->
+ if 0 < i then w[i-1..j-1] else
+ if 0 < j then L.Cons x w[0..j-1]
+ else L.Nil
+ end
+ (*qed*)
+
+ (** `u[..i]` is the slice of `u` elements up to index `i` (_excluded_). *)
+ let function ([.._]) (u : seq 'a) (i : int) : seq 'a
+ requires { 0 <= i <= u }
+ ensures { length result = i }
+ ensures { forall k. 0 <= k < result -> result[k] = u[k] }
+ = u[0..i]
+
+ (** `u[i..]` is the slice of `u` elements from index `i` (_included_). *)
+ let function ([_..]) (u : seq 'a) (i : int) : seq 'a
+ requires { 0 <= i <= u }
+ ensures { result = u - i }
+ ensures { forall k. 0 <= k < result -> result[k] = u[i+k] }
+ = u[i..length u]
+
+ (** This property illustrates the duality of slice & concat. *)
+ goal split: forall u : seq 'a, i.
+ 0 <= i <= u ->
+ u[..i] ++ u[i..] = u
+ (*proof*)
+ by u[..i] ++ u[i..] == u
+ (*qed*)
+
+ (** This property illustrates the duality of slice & concat. *)
+ goal fullsplit: forall u : seq 'a, i j.
+ 0 <= i <= j <= u ->
+ u[..i] ++ u[i..j] ++ u[j..] = u
+ (*proof*)
+ by u[..i] ++ u[i..j] ++ u[j..] == u
+ (*qed*)
+
+ (** Tail insertion *)
+ let function (+.) (s : seq 'a) (e : 'a) : seq 'a
+ ensures { length result = length s + 1 }
+ ensures { forall k. 0 <= k < s -> result[k] = s[k] }
+ ensures { result[ s ] = e }
+ (*proof*) = s ++ elt e (*qed*)
+
+ (** Head insertion *)
+ let function (.+) (e : 'a) (s : seq 'a) : seq 'a
+ ensures { length result = length s + 1 }
+ ensures { forall k. 0 <= k < s -> result[1+k] = s[k] }
+ ensures { result[ 0 ] = e }
+ (*proof*) = elt e ++ s (*qed*)
+
+ (** {2 Updates & Copies} *)
+
+ (** `u[i<-x]` returns a copy of the sequence `u` where the element `u[i]`
+ has been replaced by `x`. *)
+ let rec function ([<-]) (u : seq 'a) (i : int) (x : 'a) : seq 'a
+ requires { 0 <= i < u }
+ ensures { length result = length u }
+ ensures { forall k. 0 <= k < result -> result[k] = if k=i then x else u[k] }
+ (*proof*)
+ variant { u }
+ = match u with L.Cons x0 w ->
+ if i = 0 then L.Cons x w else L.Cons x0 w[ i-1 <- x ]
+ end
+ (*qed*)
+
+ (** `memcpy u i v j n` returns a copy of `u` where the slice `u[i..i+n]` has been
+ replaced with the slice `v[j..j+n]` (last excluded). *)
+ let function memcpy (u : seq 'a) (i : int) (v : seq 'a) (j : int) (n : int)
+ requires { 0 <= i <= i+n <= u }
+ requires { 0 <= j <= j+n <= v }
+ ensures { length result = length u }
+ ensures { forall k. 0 <= k < i -> result[k] = u[k] }
+ ensures { forall k. i <= k < i+n -> result[k] = v[j+k-i] }
+ ensures { forall k. i+n <= k < u -> result[k] = u[k] }
+ = u[..i] ++ v[j..j+n] ++ u[i+n..]
+
+ (** `havoc u v p n` asserts that sequences `u` and `v` have identical elements
+ but elements in range `p..p+n` (last excluded). *)
+ predicate havoc (u v: seq 'a) (p n : int) =
+ u.length = v.length /\
+ (forall k. 0 <= k < p -> u[k] = v[k]) /\
+ (forall k. p+n <= k < u -> u[k] = v[k])
+
+end
+
+(** {2 Sequence Codomain} *)
+
+module Codomain
+
+ use int.Int
+ use set.Set
+ use Seq
+
+ let rec ghost function codomain (s : seq 'a) : set 'a
+ ensures { forall v. Set.mem v result <-> exists i. 0 <= i < s /\ s[i] = v }
+ (*proof*)
+ variant { s.length }
+ = if s.length = 0 then Set.empty else
+ let k = s.length-1 in
+ Set.add s[k] (codomain s[0..k])
+ (*qed*)
+
+end
diff --git a/src/plugins/wp/share/wp.driver b/src/plugins/wp/share/wp.driver
index 2bbd925602a696a9392e6ad30bc658fe55cffb5d..05bbeb82931e3d9e35a63fa248c8b3268d120642 100644
--- a/src/plugins/wp/share/wp.driver
+++ b/src/plugins/wp/share/wp.driver
@@ -92,6 +92,18 @@ why3.import := "frama_c_wp.memaddr.MemAddr";
library memory: memaddr
why3.import := "frama_c_wp.memory.Memory";
+library membytes: memaddr
+why3.import += "frama_c_wp.membytes.ValueCodec";
+why3.import += "frama_c_wp.membytes.InitCodec";
+why3.import += "frama_c_wp.membytes.Offset";
+why3.import += "frama_c_wp.membytes.RWBytes";
+why3.import += "frama_c_wp.membytes.ValueBlockRW";
+why3.import += "frama_c_wp.membytes.InitBlockRW";
+why3.import += "frama_c_wp.membytes.MemBytes";
+
+library sequence: sequence
+why3.import := "frama_c_wp.sequence.Seq";
+
library sqrt: cmath
why3.import += "real.Square";
why3.import += "frama_c_wp.cmath.Square";
diff --git a/src/plugins/wp/tests/ptests_config b/src/plugins/wp/tests/ptests_config
index d71d6024da0cf68a48b803c1cebd369561434d5f..9ea351239b8b70f111befdca7dd03aebaf071a90 100644
--- a/src/plugins/wp/tests/ptests_config
+++ b/src/plugins/wp/tests/ptests_config
@@ -1,8 +1,8 @@
DEFAULT_SUITES= wp wp_acsl wp_plugin wp_ce wp_bts wp_store wp_hoare
-DEFAULT_SUITES= wp_typed wp_usage wp_gallery wp_manual wp_tip
+DEFAULT_SUITES= wp_typed wp_bytes wp_usage wp_gallery wp_manual wp_tip
qualif_SUITES= wp wp_acsl wp_plugin wp_bts wp_store wp_hoare
-qualif_SUITES= wp_typed wp_usage wp_gallery wp_manual wp_tip
+qualif_SUITES= wp_typed wp_bytes wp_usage wp_gallery wp_manual wp_tip
qualif_SUITES= why3
ce_SUITES= wp_ce
diff --git a/src/plugins/wp/tests/wp_bytes/assigns_sep.i b/src/plugins/wp/tests/wp_bytes/assigns_sep.i
new file mode 100644
index 0000000000000000000000000000000000000000..8f2285630ce067918f611e469e62e96806309258
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/assigns_sep.i
@@ -0,0 +1,31 @@
+typedef unsigned uint32 ;
+typedef unsigned char uint8 ;
+
+void assignment(uint8 * array){
+ uint32 u32_0a = * (uint32 *) array ;
+ array[7] = 0x00 ;
+ uint32 u32_0b = * (uint32 *) array ;
+
+ //@ check u32_0a == u32_0b ;
+}
+
+//@ assigns array[l] ;
+void assigns(uint8* array, uint8 l);
+
+//@ assigns array[b .. e] ;
+void assigns_r(uint8* array, uint8 b, uint8 e);
+
+//@ assigns { array[i] | integer i ; i == x || i == y } ;
+void assigns_l2(uint8* array, uint8 x, uint8 y);
+
+void assigns_clause(uint8 * array){
+ uint32 u32_0a = * (uint32 *) array ;
+ assigns (array, 7) ;
+ uint32 u32_0b = * (uint32 *) array ;
+ assigns_r (array, 4, 7) ;
+ uint32 u32_0c = * (uint32 *) array ;
+ //@ check u32_0a == u32_0b == u32_0c ;
+ assigns_l2 (array, 4, 6) ;
+ uint32 u32_0d = * (uint32 *) array ;
+ //@ check u32_0c == u32_0d ;
+}
diff --git a/src/plugins/wp/tests/wp_bytes/floats.i b/src/plugins/wp/tests/wp_bytes/floats.i
new file mode 100644
index 0000000000000000000000000000000000000000..0ea0cc1c8fb4365ab7c6b97759d2467cb132f460
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/floats.i
@@ -0,0 +1,15 @@
+typedef unsigned char uint8 ;
+
+void float_(float f){
+ uint8 buffer[sizeof(float)] ;
+ *((float*) buffer) = f ;
+ float read = *((float*) buffer) ;
+ //@ assert read == f ;
+}
+
+void double_(double d){
+ uint8 buffer[sizeof(double)] ;
+ *((double*) buffer) = d ;
+ double read = *((double*) buffer) ;
+ //@ assert read == d ;
+}
diff --git a/src/plugins/wp/tests/wp_bytes/integers.i b/src/plugins/wp/tests/wp_bytes/integers.i
new file mode 100644
index 0000000000000000000000000000000000000000..b67a164c323bd44b0b2769155fdee3d59c8f9552
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/integers.i
@@ -0,0 +1,182 @@
+/* run.config*
+ STDOPT:+"-wp-model bytes+raw"
+*/
+
+typedef unsigned long long uint64 ;
+typedef unsigned uint32 ;
+typedef unsigned short uint16 ;
+typedef unsigned char uint8 ;
+
+typedef long long int64 ;
+typedef int int32 ;
+typedef short int int16 ;
+typedef signed char int8 ;
+
+void unsigned_(void){
+ uint64 u64 ;
+ uint32 u32 ;
+ uint16 u16 ;
+ uint8 u8 ;
+ unsigned write ;
+
+ u64 = 0x1122334455667788ULL ;
+ u32 = 0x11223344U ;
+ u16 = 0x1122 ;
+ u8 = 0x11 ;
+
+ write = 0 ;
+
+ //@ check \initialized(&u64) ;
+ //@ check \initialized(&u32) ;
+ //@ check \initialized(&u16) ;
+ //@ check \initialized(&u8) ;
+
+ //@ check u64 == 0x1122334455667788ULL ;
+ //@ check u32 == 0x11223344U ;
+ //@ check u16 == 0x1122 ;
+ //@ check u8 == 0x11 ;
+}
+
+void signed_pos(void){
+ int64 p64 ;
+ int32 p32 ;
+ int16 p16 ;
+ int8 p8 ;
+ unsigned write ;
+
+ p64 = 0x0122334455667788LL ;
+ p32 = 0x01223344 ;
+ p16 = 0x0122 ;
+ p8 = 0x01 ;
+
+ write = 0 ;
+
+ //@ check \initialized(&p64) ;
+ //@ check \initialized(&p32) ;
+ //@ check \initialized(&p16) ;
+ //@ check \initialized(&p8) ;
+
+ //@ check 0 < p64 == 0x0122334455667788LL ;
+ //@ check 0 < p32 == 0x01223344 ;
+ //@ check 0 < p16 == 0x0122 ;
+ //@ check 0 < p8 == 0x01 ;
+}
+
+void signed_neg(void){
+ int64 m64 ;
+ int32 m32 ;
+ int16 m16 ;
+ int8 m8 ;
+ unsigned write ;
+
+ m64 = -0x0122334455667788LL ;
+ m32 = -0x01223344 ;
+ m16 = -0x0122 ;
+ m8 = -0x01 ;
+
+ write = 0 ;
+
+ //@ check \initialized(&m64) ;
+ //@ check \initialized(&m32) ;
+ //@ check \initialized(&m16) ;
+ //@ check \initialized(&m8) ;
+
+ //@ check 0 > m64 == -0x0122334455667788LL ;
+ //@ check 0 > m32 == -0x01223344 ;
+ //@ check 0 > m16 == -0x0122 ;
+ //@ check 0 > m8 == -0x01 ;
+}
+
+void cast_unsigned_signed_pos(void){
+ uint64 u64 ;
+ uint16 u16 ;
+ unsigned write ;
+
+ u64 = 0x0122334455667788ULL ;
+ u16 = 0x0122 ;
+
+ //@ check 0 < *((int64*)&u64) == 0x0122334455667788LL ;
+ //@ check 0 < *(((int32*)&u64)+1) == 0x01223344 ;
+ //@ check 0 < *((int16*)&u16) == 0x0122 ;
+ //@ check 0 < *(((int8*) &u16)+1) == 0x01 ;
+}
+
+void cast_unsigned_signed_neg(void){
+ uint64 u64 ;
+ uint16 u16 ;
+ unsigned write ;
+
+ u64 = 0x8122334455667788ULL ;
+ u16 = 0x8182 ;
+
+ //@ check 0 > *((int64*)&u64) == -0x7EDDCCBBAA998878;
+ //@ check 0 > *(((int32*)&u64)+1) == -0x7EDDCCBC;
+ //@ check 0 > *((int16*)&u16) == -0x7E7E;
+ //@ check 0 > *(((int8*)&u16)+1) == -0x7F;
+}
+
+void cast_from_bytes_to_unsigned(void){
+ uint8 array[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
+
+ uint64 u64_0 = * (uint64 *) array ;
+
+ uint32 u32_0 = * (uint32 *) array ;
+ uint32 u32_1 = * (((uint32 *) array) + 1) ;
+
+ uint16 u16_0 = * (uint16 *) array ;
+ uint16 u16_1 = * (((uint16 *) array) + 1) ;
+ uint16 u16_2 = * (((uint16 *) array) + 2) ;
+ uint16 u16_3 = * (((uint16 *) array) + 3) ;
+
+ //@ check u64_0 == 0x8877665544332211ULL ;
+ //@ check u32_0 == 0x44332211UL ;
+ //@ check u32_1 == 0x88776655UL ;
+ //@ check u16_0 == 0x2211 ;
+ //@ check u16_1 == 0x4433 ;
+ //@ check u16_2 == 0x6655 ;
+ //@ check u16_3 == 0x8877 ;
+}
+
+void cast_from_bytes_to_signed_pos(void){
+ uint8 array[] = { 0x11, 0x02, 0x33, 0x04, 0x55, 0x06, 0x77, 0x08 };
+
+ int64 i64_0 = * (int64 *) array ;
+
+ int32 i32_0 = * (int32 *) array ;
+ int32 i32_1 = * (((int32 *) array) + 1) ;
+
+ int16 i16_0 = * (int16 *) array ;
+ int16 i16_1 = * (((int16 *) array) + 1) ;
+ int16 i16_2 = * (((int16 *) array) + 2) ;
+ int16 i16_3 = * (((int16 *) array) + 3) ;
+
+ //@ check i64_0 > 0 && i64_0 == 0x0877065504330211LL ;
+ //@ check i32_0 > 0 && i32_0 == 0x04330211L ;
+ //@ check i32_1 > 0 && i32_1 == 0x08770655L ;
+ //@ check i16_0 > 0 && i16_0 == 0x0211 ;
+ //@ check i16_1 > 0 && i16_1 == 0x0433 ;
+ //@ check i16_2 > 0 && i16_2 == 0x0655 ;
+ //@ check i16_3 > 0 && i16_3 == 0x0877 ;
+}
+
+void cast_from_bytes_to_signed_neg(void){
+ uint8 array[] = { 0x11, 0x82, 0x33, 0x84, 0x55, 0x86, 0x77, 0x88 };
+
+ int64 i64_0 = * (int64 *) array ;
+
+ int32 i32_0 = * (int32 *) array ;
+ int32 i32_1 = * (((int32 *) array) + 1) ;
+
+ int16 i16_0 = * (int16 *) array ;
+ int16 i16_1 = * (((int16 *) array) + 1) ;
+ int16 i16_2 = * (((int16 *) array) + 2) ;
+ int16 i16_3 = * (((int16 *) array) + 3) ;
+
+ //@ check i64_0 < 0 && i64_0 == -0x778879AA7BCC7DEFLL ;
+ //@ check i32_0 < 0 && i32_0 == -0x7BCC7DEFL ;
+ //@ check i32_1 < 0 && i32_1 == -0x778879ABL ;
+ //@ check i16_0 < 0 && i16_0 == -0x7DEF ;
+ //@ check i16_1 < 0 && i16_1 == -0x7BCD ;
+ //@ check i16_2 < 0 && i16_2 == -0x79AB ;
+ //@ check i16_3 < 0 && i16_3 == -0x7789 ;
+}
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/assigns_sep.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/assigns_sep.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..c2ac0df24d1c944b1ba1698b273a280e0c8ca8c1
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/assigns_sep.res.oracle
@@ -0,0 +1,79 @@
+# frama-c -wp -wp-model 'Bytes' [...]
+[kernel] Parsing assigns_sep.i (no preprocessing)
+[wp] Running WP plugin...
+[kernel:annot:missing-spec] assigns_sep.i:13: Warning:
+ Neither code nor explicit exits and terminates for function assigns,
+ generating default clauses. See -generated-spec-* options for more info
+[kernel:annot:missing-spec] assigns_sep.i:16: Warning:
+ Neither code nor explicit exits and terminates for function assigns_r,
+ generating default clauses. See -generated-spec-* options for more info
+[kernel:annot:missing-spec] assigns_sep.i:19: Warning:
+ Neither code nor explicit exits and terminates for function assigns_l2,
+ generating default clauses. See -generated-spec-* options for more info
+[wp] [Valid] Goal assignment_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal assignment_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+------------------------------------------------------------
+ Function assignment
+------------------------------------------------------------
+
+Goal Check (file assigns_sep.i, line 9):
+Let x = read_uint32(mem_0, array_0).
+Let x_1 = read_uint32(write_uint8(mem_0, shift_uint8(array_0, 7), 0),
+ array_0).
+Assume {
+ Type: is_uint32(x) /\ is_uint32(x_1).
+ (* Heap *)
+ Type: (region(array_0.base) <= 0) /\ framed(mem_0) /\ sconst(mem_0).
+}
+Prove: x_1 = x.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function assigns_clause
+------------------------------------------------------------
+
+Goal Termination-condition (generated) in 'assigns_clause':
+Prove: true.
+
+------------------------------------------------------------
+
+Goal Exit-condition (generated) in 'assigns_clause':
+Prove: true.
+
+------------------------------------------------------------
+
+Goal Check (file assigns_sep.i, line 27):
+Let x = read_uint32(mem_0, array_0).
+Let m = write_uint8(mem_0, shift_uint8(array_0, 7), v).
+Let x_1 = read_uint32(m, array_0).
+Let x_2 = read_uint32(havoc(mem_undef_0, m, shift_uint8(array_0, 4), 4),
+ array_0).
+Assume {
+ Type: is_uint32(x) /\ is_uint32(x_1) /\ is_uint32(x_2).
+ (* Heap *)
+ Type: (region(array_0.base) <= 0) /\ framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x_1 = x) /\ (x_2 = x_1).
+
+------------------------------------------------------------
+
+Goal Check (file assigns_sep.i, line 30):
+Let m = write_uint8(mem_0, shift_uint8(array_0, 7), v).
+Let a = havoc(mem_undef_0, m, shift_uint8(array_0, 4), 4).
+Let x = read_uint32(mem_1, array_0).
+Let x_1 = read_uint32(a, array_0).
+Assume {
+ Type: is_uint32(x) /\ is_uint32(read_uint32(mem_0, array_0)) /\
+ is_uint32(read_uint32(m, array_0)) /\ is_uint32(x_1).
+ (* Heap *)
+ Type: (region(array_0.base) <= 0) /\ framed(mem_0) /\ sconst(mem_0).
+ (* Call Effects *)
+ Have: forall a_1 : addr.
+ ((forall i : Z. (((i = 4) \/ (i = 6)) ->
+ (shift_uint8(array_0, i) != a_1))) ->
+ (raw_get(a, a_1) = raw_get(mem_1, a_1))).
+}
+Prove: x_1 = x.
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/floats.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/floats.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..5e7f855ba3d3e633696679286c48bb0550998480
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/floats.res.oracle
@@ -0,0 +1,32 @@
+# frama-c -wp -wp-model 'Bytes' [...]
+[kernel] Parsing floats.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal double_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal double_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal float_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal float_terminates (Cfg) (Trivial)
+------------------------------------------------------------
+ Function double_
+------------------------------------------------------------
+
+Goal Assertion (file floats.i, line 14):
+Let a = shift_uint8(global(L_buffer_30), 0).
+Assume { (* Heap *) Type: framed(mem_0) /\ sconst(mem_0). }
+Prove: of_f64(int_to_float64(read_uint64(write_uint64(mem_0, a,
+ float64_to_int(d)), a)))
+ = of_f64(d).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function float_
+------------------------------------------------------------
+
+Goal Assertion (file floats.i, line 7):
+Let a = shift_uint8(global(L_buffer_23), 0).
+Assume { (* Heap *) Type: framed(mem_0) /\ sconst(mem_0). }
+Prove: of_f32(int_to_float32(read_uint32(write_uint32(mem_0, a,
+ float32_to_int(f)), a)))
+ = of_f32(f).
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/integers.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/integers.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..85659e3660abc9bbfbde617e9da62614a20d0f49
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/integers.res.oracle
@@ -0,0 +1,1837 @@
+# frama-c -wp -wp-model 'Bytes (Raw)' [...]
+[kernel] Parsing integers.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal cast_from_bytes_to_signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_signed_neg_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal cast_from_bytes_to_signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_from_bytes_to_unsigned_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_unsigned_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_unsigned_signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_unsigned_signed_neg_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_unsigned_signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_unsigned_signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal signed_neg_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal unsigned_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal unsigned_terminates (Cfg) (Trivial)
+------------------------------------------------------------
+ Function cast_from_bytes_to_signed_neg
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 175):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_13 = (-8613268060474473967)) /\ (x_13 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 176):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_11 = (-2076999151)) /\ (x_11 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 177):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_9 = (-2005432747)) /\ (x_9 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 178):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_7 = (-32239)) /\ (x_7 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 179):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_5 = (-31693)) /\ (x_5 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 180):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_3 = (-31147)) /\ (x_3 < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 181):
+Let a = global(L_array_75).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_82)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_81)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_80)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_79)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_78)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_77)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_76)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 130.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 132.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 134.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_1 = (-30601)) /\ (x_1 < 0).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function cast_from_bytes_to_signed_pos
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 153):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_13 = 609963236744430097) /\ (0 < x_13).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 154):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_11 = 70451729) /\ (0 < x_11).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 155):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_9 = 142018133) /\ (0 < x_9).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 156):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_7 = 529) /\ (0 < x_7).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 157):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_5 = 1075) /\ (0 < x_5).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 158):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_3 = 1621) /\ (0 < x_3).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 159):
+Let a = global(L_array_65).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_sint16(mem_0, shift_sint16(a_1, 3)).
+Let x_1 = read_sint16(mem_0, global(L_i16_3_72)).
+Let x_2 = read_sint16(mem_0, shift_sint16(a_1, 2)).
+Let x_3 = read_sint16(mem_0, global(L_i16_2_71)).
+Let x_4 = read_sint16(mem_0, shift_sint16(a_1, 1)).
+Let x_5 = read_sint16(mem_0, global(L_i16_1_70)).
+Let x_6 = read_sint16(mem_0, a_1).
+Let x_7 = read_sint16(mem_0, global(L_i16_0_69)).
+Let x_8 = read_sint32(mem_0, shift_sint32(a_1, 1)).
+Let x_9 = read_sint32(mem_0, global(L_i32_1_68)).
+Let x_10 = read_sint32(mem_0, a_1).
+Let x_11 = read_sint32(mem_0, global(L_i32_0_67)).
+Let x_12 = read_sint64(mem_0, a_1).
+Let x_13 = read_sint64(mem_0, global(L_i64_0_66)).
+Assume {
+ Type: is_sint16(x_7) /\ is_sint16(x_5) /\ is_sint16(x_3) /\
+ is_sint16(x_1) /\ is_sint32(x_11) /\ is_sint32(x_9) /\
+ is_sint64(x_13) /\ is_sint16(x_6) /\ is_sint32(x_10) /\
+ is_sint64(x_12) /\ is_sint16(x_4) /\ is_sint16(x_2) /\ is_sint16(x) /\
+ is_sint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 2.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 4.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 6.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 8.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: (x_1 = 2167) /\ (0 < x_1).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function cast_from_bytes_to_unsigned
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 131):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_13 = 9833440827789222417.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 132):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_11 = 1144201745.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 133):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_9 = 2289526357.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 134):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_7 = 8721.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 135):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_5 = 17459.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 136):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_3 = 26197.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 137):
+Let a = global(L_array_55).
+Let a_1 = shift_uint8(a, 0).
+Let x = read_uint16(mem_0, shift_uint16(a_1, 3)).
+Let x_1 = read_uint16(mem_0, global(L_u16_3_62)).
+Let x_2 = read_uint16(mem_0, shift_uint16(a_1, 2)).
+Let x_3 = read_uint16(mem_0, global(L_u16_2_61)).
+Let x_4 = read_uint16(mem_0, shift_uint16(a_1, 1)).
+Let x_5 = read_uint16(mem_0, global(L_u16_1_60)).
+Let x_6 = read_uint16(mem_0, a_1).
+Let x_7 = read_uint16(mem_0, global(L_u16_0_59)).
+Let x_8 = read_uint32(mem_0, shift_uint32(a_1, 1)).
+Let x_9 = read_uint32(mem_0, global(L_u32_1_58)).
+Let x_10 = read_uint32(mem_0, a_1).
+Let x_11 = read_uint32(mem_0, global(L_u32_0_57)).
+Let x_12 = read_uint64(mem_0, a_1).
+Let x_13 = read_uint64(mem_0, global(L_u64_0_56)).
+Assume {
+ Type: is_uint16(x_7) /\ is_uint16(x_5) /\ is_uint16(x_3) /\
+ is_uint16(x_1) /\ is_uint32(x_11) /\ is_uint32(x_9) /\
+ is_uint64(x_13) /\ is_uint16(x_6) /\ is_uint32(x_10) /\
+ is_uint64(x_12) /\ is_uint16(x_4) /\ is_uint16(x_2) /\ is_uint16(x) /\
+ is_uint32(x_8).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_uint8(mem_0, a_1) = 17.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 1)) = 34.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 2)) = 51.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 3)) = 68.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 4)) = 85.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 5)) = 102.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 6)) = 119.
+ (* Initializer *)
+ Init: read_uint8(mem_0, shift_uint8(a, 7)) = 136.
+ (* Initializer *)
+ Init: x_12 = x_13.
+ (* Initializer *)
+ Init: x_10 = x_11.
+ (* Initializer *)
+ Init: x_8 = x_9.
+ (* Initializer *)
+ Init: x_6 = x_7.
+ (* Initializer *)
+ Init: x_4 = x_5.
+ (* Initializer *)
+ Init: x_2 = x_3.
+ (* Initializer *)
+ Init: x = x_1.
+}
+Prove: x_1 = 34935.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function cast_unsigned_signed_neg
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 112):
+Let a = global(L_u64_50).
+Let a_1 = global(L_u16_51).
+Let m = write_uint16(write_uint64(mem_0, a, 9305056148684437384), a_1, 33154).
+Let x = read_sint64(m, a).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\
+ is_sint16(read_sint16(m, a_1)) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\ is_sint64(x).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-9141687925025114232)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 113):
+Let a = global(L_u64_50).
+Let a_1 = global(L_u16_51).
+Let m = write_uint16(write_uint64(mem_0, a, 9305056148684437384), a_1, 33154).
+Let x = read_sint32(m, shift_sint32(a, 1)).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\
+ is_sint16(read_sint16(m, a_1)) /\ is_sint32(x) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-2128465084)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 114):
+Let a = global(L_u64_50).
+Let a_1 = global(L_u16_51).
+Let m = write_uint16(write_uint64(mem_0, a, 9305056148684437384), a_1, 33154).
+Let x = read_sint16(m, a_1).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\ is_sint16(x) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-32382)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 115):
+Let a = global(L_u64_50).
+Let a_1 = global(L_u16_51).
+Let m = write_uint16(write_uint64(mem_0, a, 9305056148684437384), a_1, 33154).
+Let x = read_sint8(m, shift_sint8(a_1, 1)).
+Assume {
+ Type: is_sint8(x) /\ is_sint16(read_sint16(m, a_1)) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-127)) /\ (x < 0).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function cast_unsigned_signed_pos
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 98):
+Let a = global(L_u64_45).
+Let a_1 = global(L_u16_46).
+Let m = write_uint16(write_uint64(mem_0, a, 81684111829661576), a_1, 290).
+Let x = read_sint64(m, a).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\
+ is_sint16(read_sint16(m, a_1)) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\ is_sint64(x).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 81684111829661576) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 99):
+Let a = global(L_u64_45).
+Let a_1 = global(L_u16_46).
+Let m = write_uint16(write_uint64(mem_0, a, 81684111829661576), a_1, 290).
+Let x = read_sint32(m, shift_sint32(a, 1)).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\
+ is_sint16(read_sint16(m, a_1)) /\ is_sint32(x) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 19018564) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 100):
+Let a = global(L_u64_45).
+Let a_1 = global(L_u16_46).
+Let m = write_uint16(write_uint64(mem_0, a, 81684111829661576), a_1, 290).
+Let x = read_sint16(m, a_1).
+Assume {
+ Type: is_sint8(read_sint8(m, shift_sint8(a_1, 1))) /\ is_sint16(x) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 290) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 101):
+Let a = global(L_u64_45).
+Let a_1 = global(L_u16_46).
+Let m = write_uint16(write_uint64(mem_0, a, 81684111829661576), a_1, 290).
+Let x = read_sint8(m, shift_sint8(a_1, 1)).
+Assume {
+ Type: is_sint8(x) /\ is_sint16(read_sint16(m, a_1)) /\
+ is_sint32(read_sint32(m, shift_sint32(a, 1))) /\
+ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 1) /\ (0 < x).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function signed_neg
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 79):
+Let a = global(L_m64_38). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init64(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ a, true),
+ global(L_m32_39),
+ true),
+ global(L_m16_40), true),
+ global(L_m8_41), true),
+ global(L_write_42), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 80):
+Let a = global(L_m32_39). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init32(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_m64_38),
+ true), a, true),
+ global(L_m16_40), true),
+ global(L_m8_41), true),
+ global(L_write_42), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 81):
+Let a = global(L_m16_40). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init16(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_m64_38),
+ true),
+ global(L_m32_39),
+ true), a, true),
+ global(L_m8_41), true),
+ global(L_write_42), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 82):
+Let a = global(L_m8_41). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init8(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_m64_38),
+ true),
+ global(L_m32_39),
+ true),
+ global(L_m16_40), true), a,
+ true), global(L_write_42), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 84):
+Let a = global(L_m64_38).
+Let a_1 = global(L_m32_39).
+Let a_2 = global(L_m16_40).
+Let a_3 = global(L_m8_41).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ -81684111829661576),
+ a_1, -19018564), a_2, -290),
+ a_3, -1), global(L_write_42), 0).
+Let x = read_sint64(m, a).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(x).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-81684111829661576)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 85):
+Let a = global(L_m64_38).
+Let a_1 = global(L_m32_39).
+Let a_2 = global(L_m16_40).
+Let a_3 = global(L_m8_41).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ -81684111829661576),
+ a_1, -19018564), a_2, -290),
+ a_3, -1), global(L_write_42), 0).
+Let x = read_sint32(m, a_1).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(x) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-19018564)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 86):
+Let a = global(L_m64_38).
+Let a_1 = global(L_m32_39).
+Let a_2 = global(L_m16_40).
+Let a_3 = global(L_m8_41).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ -81684111829661576),
+ a_1, -19018564), a_2, -290),
+ a_3, -1), global(L_write_42), 0).
+Let x = read_sint16(m, a_2).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(x) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-290)) /\ (x < 0).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 87):
+Let a = global(L_m64_38).
+Let a_1 = global(L_m32_39).
+Let a_2 = global(L_m16_40).
+Let a_3 = global(L_m8_41).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ -81684111829661576),
+ a_1, -19018564), a_2, -290),
+ a_3, -1), global(L_write_42), 0).
+Let x = read_sint8(m, a_3).
+Assume {
+ Type: is_sint8(x) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = (-1)) /\ (x < 0).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function signed_pos
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 54):
+Let a = global(L_p64_31). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init64(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ a, true),
+ global(L_p32_32),
+ true),
+ global(L_p16_33), true),
+ global(L_p8_34), true),
+ global(L_write_35), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 55):
+Let a = global(L_p32_32). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init32(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_p64_31),
+ true), a, true),
+ global(L_p16_33), true),
+ global(L_p8_34), true),
+ global(L_write_35), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 56):
+Let a = global(L_p16_33). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init16(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_p64_31),
+ true),
+ global(L_p32_32),
+ true), a, true),
+ global(L_p8_34), true),
+ global(L_write_35), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 57):
+Let a = global(L_p8_34). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init8(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_p64_31),
+ true),
+ global(L_p32_32),
+ true),
+ global(L_p16_33), true), a,
+ true), global(L_write_35), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 59):
+Let a = global(L_p64_31).
+Let a_1 = global(L_p32_32).
+Let a_2 = global(L_p16_33).
+Let a_3 = global(L_p8_34).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ 81684111829661576),
+ a_1, 19018564), a_2, 290),
+ a_3, 1), global(L_write_35), 0).
+Let x = read_sint64(m, a).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(x).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 81684111829661576) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 60):
+Let a = global(L_p64_31).
+Let a_1 = global(L_p32_32).
+Let a_2 = global(L_p16_33).
+Let a_3 = global(L_p8_34).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ 81684111829661576),
+ a_1, 19018564), a_2, 290),
+ a_3, 1), global(L_write_35), 0).
+Let x = read_sint32(m, a_1).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(x) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 19018564) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 61):
+Let a = global(L_p64_31).
+Let a_1 = global(L_p32_32).
+Let a_2 = global(L_p16_33).
+Let a_3 = global(L_p8_34).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ 81684111829661576),
+ a_1, 19018564), a_2, 290),
+ a_3, 1), global(L_write_35), 0).
+Let x = read_sint16(m, a_2).
+Assume {
+ Type: is_sint8(read_sint8(m, a_3)) /\ is_sint16(x) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 290) /\ (0 < x).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 62):
+Let a = global(L_p64_31).
+Let a_1 = global(L_p32_32).
+Let a_2 = global(L_p16_33).
+Let a_3 = global(L_p8_34).
+Let m = write_uint32(write_sint8(write_sint16(write_sint32(write_sint64(mem_0,
+ a,
+ 81684111829661576),
+ a_1, 19018564), a_2, 290),
+ a_3, 1), global(L_write_35), 0).
+Let x = read_sint8(m, a_3).
+Assume {
+ Type: is_sint8(x) /\ is_sint16(read_sint16(m, a_2)) /\
+ is_sint32(read_sint32(m, a_1)) /\ is_sint64(read_sint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: (x = 1) /\ (0 < x).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function unsigned_
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 29):
+Let a = global(L_u64_22). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init64(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ a, true),
+ global(L_u32_23),
+ true),
+ global(L_u16_24), true),
+ global(L_u8_25), true),
+ global(L_write_26), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 30):
+Let a = global(L_u32_23). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init32(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_u64_22),
+ true), a, true),
+ global(L_u16_24), true),
+ global(L_u8_25), true),
+ global(L_write_26), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 31):
+Let a = global(L_u16_24). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init16(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_u64_22),
+ true),
+ global(L_u32_23),
+ true), a, true),
+ global(L_u8_25), true),
+ global(L_write_26), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 32):
+Let a = global(L_u8_25). Assume { (* Heap *) Type: cinits(init_0). }
+Prove: (read_init8(write_init32(write_init8(write_init16(write_init32(
+ write_init64(init_0,
+ global(L_u64_22),
+ true),
+ global(L_u32_23),
+ true),
+ global(L_u16_24), true), a,
+ true), global(L_write_26), true), a)=true).
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 34):
+Let a = global(L_u64_22).
+Let a_1 = global(L_u32_23).
+Let a_2 = global(L_u16_24).
+Let a_3 = global(L_u8_25).
+Let m = write_uint32(write_uint8(write_uint16(write_uint32(write_uint64(mem_0,
+ a,
+ 1234605616436508552),
+ a_1, 287454020), a_2, 4386),
+ a_3, 17), global(L_write_26), 0).
+Let x = read_uint64(m, a).
+Assume {
+ Type: is_uint8(read_uint8(m, a_3)) /\ is_uint16(read_uint16(m, a_2)) /\
+ is_uint32(read_uint32(m, a_1)) /\ is_uint64(x).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: x = 1234605616436508552.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 35):
+Let a = global(L_u64_22).
+Let a_1 = global(L_u32_23).
+Let a_2 = global(L_u16_24).
+Let a_3 = global(L_u8_25).
+Let m = write_uint32(write_uint8(write_uint16(write_uint32(write_uint64(mem_0,
+ a,
+ 1234605616436508552),
+ a_1, 287454020), a_2, 4386),
+ a_3, 17), global(L_write_26), 0).
+Let x = read_uint32(m, a_1).
+Assume {
+ Type: is_uint8(read_uint8(m, a_3)) /\ is_uint16(read_uint16(m, a_2)) /\
+ is_uint32(x) /\ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: x = 287454020.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 36):
+Let a = global(L_u64_22).
+Let a_1 = global(L_u32_23).
+Let a_2 = global(L_u16_24).
+Let a_3 = global(L_u8_25).
+Let m = write_uint32(write_uint8(write_uint16(write_uint32(write_uint64(mem_0,
+ a,
+ 1234605616436508552),
+ a_1, 287454020), a_2, 4386),
+ a_3, 17), global(L_write_26), 0).
+Let x = read_uint16(m, a_2).
+Assume {
+ Type: is_uint8(read_uint8(m, a_3)) /\ is_uint16(x) /\
+ is_uint32(read_uint32(m, a_1)) /\ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: x = 4386.
+
+------------------------------------------------------------
+
+Goal Check (file integers.i, line 37):
+Let a = global(L_u64_22).
+Let a_1 = global(L_u32_23).
+Let a_2 = global(L_u16_24).
+Let a_3 = global(L_u8_25).
+Let m = write_uint32(write_uint8(write_uint16(write_uint32(write_uint64(mem_0,
+ a,
+ 1234605616436508552),
+ a_1, 287454020), a_2, 4386),
+ a_3, 17), global(L_write_26), 0).
+Let x = read_uint8(m, a_3).
+Assume {
+ Type: is_uint8(x) /\ is_uint16(read_uint16(m, a_2)) /\
+ is_uint32(read_uint32(m, a_1)) /\ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+}
+Prove: x = 17.
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/pointers.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/pointers.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..a3a50ae37433caf4eb2da7d1fa9dedd0d1fa3745
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/pointers.res.oracle
@@ -0,0 +1,97 @@
+# frama-c -wp -wp-model 'Bytes' [...]
+[kernel] Parsing pointers.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal addr_formal_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_formal_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal addr_glob_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_glob_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal addr_local_ko_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_local_ko_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal addr_local_ok_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_local_ok_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal null_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal null_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal pointer_param_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal pointer_param_terminates (Cfg) (Trivial)
+------------------------------------------------------------
+ Function addr_formal
+------------------------------------------------------------
+
+Goal Check (file pointers.i, line 26):
+Let a = shift_uint8(global(L_buffer_34), 0).
+Let a_1 = global(P_f_33).
+Assume { (* Heap *) Type: framed(mem_0) /\ sconst(mem_0). }
+Prove: addr_of_int(read_uint64(write_uint64(mem_0, a, int_of_addr(a_1)), a)) =
+ a_1.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function addr_glob
+------------------------------------------------------------
+
+Goal Check (file pointers.i, line 18):
+Let a = shift_uint8(global(L_buffer_29), 0).
+Let a_1 = global(G_g_26).
+Assume { (* Heap *) Type: framed(mem_0) /\ sconst(mem_0). }
+Prove: addr_of_int(read_uint64(write_uint64(mem_0, a, int_of_addr(a_1)), a)) =
+ a_1.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function addr_local_ko
+------------------------------------------------------------
+
+Goal Check (file pointers.i, line 48):
+Let a = shift_uint8(global(L_buffer_43), 0).
+Assume { (* Heap *) Type: framed(mem_0) /\ linked(alloc_0) /\ sconst(mem_0).
+}
+Prove: !valid_rw(alloc_0[L_buffer_43 <- 8][L_l_44 <- 0],
+ addr_of_int(read_uint64(write_uint64(mem_0, a,
+ int_of_addr(global(L_l_44))), a)), 4).
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function addr_local_ok
+------------------------------------------------------------
+
+Goal Check 'P' (file pointers.i, line 36):
+Let a = global(L_l_38).
+Let a_1 = shift_uint8(global(L_buffer_39), 0).
+Assume {
+ (* Heap *)
+ Type: framed(mem_0) /\ sconst(mem_0).
+ (* Initializer *)
+ Init: read_sint32(mem_0, a) = 0.
+}
+Prove: addr_of_int(read_uint64(write_uint64(mem_0, a_1, int_of_addr(a)), a_1)) =
+ a.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function null
+------------------------------------------------------------
+
+Goal Check (file pointers.i, line 8):
+Let a = shift_uint8(global(L_buffer_22), 0).
+Assume { (* Heap *) Type: framed(mem_0) /\ sconst(mem_0). }
+Prove: addr_of_int(read_uint64(write_uint64(mem_0, a, 0), a)) = null.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function pointer_param
+------------------------------------------------------------
+
+Goal Check (file pointers.i, line 57):
+Let a = shift_uint8(global(L_buffer_50), 0).
+Assume {
+ (* Heap *)
+ Type: (region(f.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, f, 4).
+}
+Prove: addr_of_int(read_uint64(write_uint64(mem_0, a, int_of_addr(f)), a)) =
+ f.
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/structs.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/structs.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..898225de01563300510514f311a8ce95fa55f7f3
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/structs.res.oracle
@@ -0,0 +1,47 @@
+# frama-c -wp -wp-model 'Bytes' [...]
+[kernel] Parsing structs.i (no preprocessing)
+[wp] Running WP plugin...
+[kernel:annot:missing-spec] structs.i:14: Warning:
+ Neither code nor explicit exits and terminates for function callee,
+ generating default clauses. See -generated-spec-* options for more info
+[wp] Warning: Missing RTE guards
+------------------------------------------------------------
+ Function caller
+------------------------------------------------------------
+
+Goal Termination-condition (generated) in 'caller':
+Prove: true.
+
+------------------------------------------------------------
+
+Goal Post-condition (file structs.i, line 18) in 'caller':
+Let a = Load_S2_Y(u, mem_0).
+Let a_1 = Load_S2_Y(u, havoc(mem_undef_0, mem_0, y, 32)).
+Assume {
+ Type: IsS2_Y(a) /\ IsS2_Y(a_1).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ (region(y.base) <= 0) /\ framed(mem_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: separated(u, 32, y, 32).
+}
+Prove: EqS2_Y(a_1, a).
+
+------------------------------------------------------------
+
+Goal Exit-condition (generated) in 'caller':
+Prove: true.
+
+------------------------------------------------------------
+
+Goal Assigns (file structs.i, line 17) in 'caller':
+Call Effect at line 21
+Prove: true.
+
+------------------------------------------------------------
+
+Goal Assigns (file structs.i, line 17) in 'caller':
+Call Effect at line 21
+Prove: true.
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle/union.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle/union.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..23b86bc3588bab56bd3c49ca3803ac687e15e650
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle/union.res.oracle
@@ -0,0 +1,424 @@
+# frama-c -wp -wp-model 'Bytes' [...]
+[kernel] Parsing union.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal union_1_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_1_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal union_2_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_2_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal union_3_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_3_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal union_4_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_4_terminates (Cfg) (Trivial)
+------------------------------------------------------------
+ Function union_1
+------------------------------------------------------------
+
+Goal Check (file union.i, line 23):
+Let m = write_uint64(mem_0, shiftfield_F2_U_u(u), 4294967295).
+Let a = shiftfield_F2_U_x(u).
+Let x = read_sint32(m, shiftfield_F1_X_i(a)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\
+ is_uint32(read_uint32(m, shiftfield_F1_X_u(a))) /\ is_sint32(x).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 0.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 24):
+Let m = write_uint64(mem_0, shiftfield_F2_U_u(u), 4294967295).
+Let a = shiftfield_F2_U_x(u).
+Let x = read_uint32(m, shiftfield_F1_X_u(a)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\ is_uint32(x) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 26):
+Let m = write_uint64(mem_0, shiftfield_F2_U_u(u), 4294967295).
+Let a = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\
+ is_uint32(read_uint32(m, shiftfield_F1_X_u(a))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (0 <= i) /\ (i <= 3).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: read_uint8(m, shift_uint8(shiftfield_F2_U_a(u), i)) = 255.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 27):
+Let m = write_uint64(mem_0, shiftfield_F2_U_u(u), 4294967295).
+Let a = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\
+ is_uint32(read_uint32(m, shiftfield_F1_X_u(a))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (4 <= i) /\ (i <= 7).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: read_uint8(m, shift_uint8(shiftfield_F2_U_a(u), i)) = 0.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 29):
+Let m = write_uint64(mem_0, shiftfield_F2_U_u(u), 4294967295).
+Let x = read_uint32(m, shiftfield_F2_U_s(u)).
+Let a = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(x) /\ is_uint32(read_uint32(m, shiftfield_F1_X_u(a))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function union_2
+------------------------------------------------------------
+
+Goal Check (file union.i, line 43):
+Let a = shiftfield_F2_U_a(u).
+Let m = write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(
+ write_uint8(
+ write_uint8(mem_0,
+ shift_uint8(a,
+ 0), 255),
+ shift_uint8(a,
+ 1), 255),
+ shift_uint8(a,
+ 2), 255),
+ shift_uint8(a, 3),
+ 255),
+ shift_uint8(a, 4), 0),
+ shift_uint8(a, 5), 0), shift_uint8(a, 6),
+ 0), shift_uint8(a, 7), 0).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_uint64(m, shiftfield_F2_U_u(u)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\
+ is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\ is_uint64(x).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 45):
+Let a = shiftfield_F2_U_a(u).
+Let m = write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(
+ write_uint8(
+ write_uint8(mem_0,
+ shift_uint8(a,
+ 0), 255),
+ shift_uint8(a,
+ 1), 255),
+ shift_uint8(a,
+ 2), 255),
+ shift_uint8(a, 3),
+ 255),
+ shift_uint8(a, 4), 0),
+ shift_uint8(a, 5), 0), shift_uint8(a, 6),
+ 0), shift_uint8(a, 7), 0).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_sint32(m, shiftfield_F1_X_i(a_1)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\
+ is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\ is_sint32(x) /\
+ is_uint64(read_uint64(m, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 0.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 46):
+Let a = shiftfield_F2_U_a(u).
+Let m = write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(
+ write_uint8(
+ write_uint8(mem_0,
+ shift_uint8(a,
+ 0), 255),
+ shift_uint8(a,
+ 1), 255),
+ shift_uint8(a,
+ 2), 255),
+ shift_uint8(a, 3),
+ 255),
+ shift_uint8(a, 4), 0),
+ shift_uint8(a, 5), 0), shift_uint8(a, 6),
+ 0), shift_uint8(a, 7), 0).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_uint32(m, shiftfield_F1_X_u(a_1)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F2_U_s(u))) /\ is_uint32(x) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\
+ is_uint64(read_uint64(m, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 48):
+Let a = shiftfield_F2_U_a(u).
+Let m = write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(write_uint8(
+ write_uint8(
+ write_uint8(mem_0,
+ shift_uint8(a,
+ 0), 255),
+ shift_uint8(a,
+ 1), 255),
+ shift_uint8(a,
+ 2), 255),
+ shift_uint8(a, 3),
+ 255),
+ shift_uint8(a, 4), 0),
+ shift_uint8(a, 5), 0), shift_uint8(a, 6),
+ 0), shift_uint8(a, 7), 0).
+Let x = read_uint32(m, shiftfield_F2_U_s(u)).
+Let a_1 = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(x) /\ is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\
+ is_uint64(read_uint64(m, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function union_3
+------------------------------------------------------------
+
+Goal Check (file union.i, line 56):
+Let a = shiftfield_F2_U_u(u).
+Let m = write_uint32(write_uint64(mem_0, a, 4294967295),
+ shiftfield_F2_U_s(u), 4294967295).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_uint64(m, a).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\ is_uint64(x).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 58):
+Let a = shiftfield_F2_U_u(u).
+Let m = write_uint32(write_uint64(mem_0, a, 4294967295),
+ shiftfield_F2_U_s(u), 4294967295).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_sint32(m, shiftfield_F1_X_i(a_1)).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\ is_sint32(x) /\
+ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 0.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 59):
+Let a = shiftfield_F2_U_u(u).
+Let m = write_uint32(write_uint64(mem_0, a, 4294967295),
+ shiftfield_F2_U_s(u), 4294967295).
+Let a_1 = shiftfield_F2_U_x(u).
+Let x = read_uint32(m, shiftfield_F1_X_u(a_1)).
+Assume {
+ Type: is_uint32(x) /\ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\
+ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 61):
+Let a = shiftfield_F2_U_u(u).
+Let m = write_uint32(write_uint64(mem_0, a, 4294967295),
+ shiftfield_F2_U_s(u), 4294967295).
+Let a_1 = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\
+ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (0 <= i) /\ (i <= 3).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: read_uint8(m, shift_uint8(shiftfield_F2_U_a(u), i)) = 255.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 62):
+Let a = shiftfield_F2_U_u(u).
+Let m = write_uint32(write_uint64(mem_0, a, 4294967295),
+ shiftfield_F2_U_s(u), 4294967295).
+Let a_1 = shiftfield_F2_U_x(u).
+Assume {
+ Type: is_uint32(read_uint32(m, shiftfield_F1_X_u(a_1))) /\
+ is_sint32(read_sint32(m, shiftfield_F1_X_i(a_1))) /\
+ is_uint64(read_uint64(m, a)).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (4 <= i) /\ (i <= 7).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+}
+Prove: read_uint8(m, shift_uint8(shiftfield_F2_U_a(u), i)) = 0.
+
+------------------------------------------------------------
+------------------------------------------------------------
+ Function union_4
+------------------------------------------------------------
+
+Goal Check (file union.i, line 70):
+Let a = shiftfield_F2_U_x(u).
+Let a_1 = havoc(mem_undef_0, mem_0, a, 8).
+Let x = read_uint64(a_1, shiftfield_F2_U_u(u)).
+Assume {
+ Type: is_uint32(read_uint32(a_1, shiftfield_F2_U_s(u))) /\ is_uint64(x).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+ (* Initializer *)
+ Init: read_uint32(a_1, shiftfield_F1_X_u(a)) = 4294967295.
+ (* Initializer *)
+ Init: read_sint32(a_1, shiftfield_F1_X_i(a)) = 0.
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 72):
+Let a = shiftfield_F2_U_x(u).
+Let a_1 = havoc(mem_undef_0, mem_0, a, 8).
+Assume {
+ Type: is_uint32(read_uint32(a_1, shiftfield_F2_U_s(u))) /\
+ is_uint64(read_uint64(a_1, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (0 <= i) /\ (i <= 3).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+ (* Initializer *)
+ Init: read_uint32(a_1, shiftfield_F1_X_u(a)) = 4294967295.
+ (* Initializer *)
+ Init: read_sint32(a_1, shiftfield_F1_X_i(a)) = 0.
+}
+Prove: read_uint8(a_1, shift_uint8(shiftfield_F2_U_a(u), i)) = 255.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 73):
+Let a = shiftfield_F2_U_x(u).
+Let a_1 = havoc(mem_undef_0, mem_0, a, 8).
+Assume {
+ Type: is_uint32(read_uint32(a_1, shiftfield_F2_U_s(u))) /\
+ is_uint64(read_uint64(a_1, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Goal *)
+ When: (4 <= i) /\ (i <= 7).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+ (* Initializer *)
+ Init: read_uint32(a_1, shiftfield_F1_X_u(a)) = 4294967295.
+ (* Initializer *)
+ Init: read_sint32(a_1, shiftfield_F1_X_i(a)) = 0.
+}
+Prove: read_uint8(a_1, shift_uint8(shiftfield_F2_U_a(u), i)) = 0.
+
+------------------------------------------------------------
+
+Goal Check (file union.i, line 75):
+Let a = shiftfield_F2_U_x(u).
+Let a_1 = havoc(mem_undef_0, mem_0, a, 8).
+Let x = read_uint32(a_1, shiftfield_F2_U_s(u)).
+Assume {
+ Type: is_uint32(x) /\ is_uint64(read_uint64(a_1, shiftfield_F2_U_u(u))).
+ (* Heap *)
+ Type: (region(u.base) <= 0) /\ framed(mem_0) /\ linked(alloc_0) /\
+ sconst(mem_0).
+ (* Pre-condition *)
+ Have: valid_rw(alloc_0, u, 8).
+ (* Initializer *)
+ Init: read_uint32(a_1, shiftfield_F1_X_u(a)) = 4294967295.
+ (* Initializer *)
+ Init: read_sint32(a_1, shiftfield_F1_X_i(a)) = 0.
+}
+Prove: x = 4294967295.
+
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/assigns_sep.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/assigns_sep.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..f8cf73fe311e60c7bbadbd00bafefb1fd29a7699
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/assigns_sep.res.oracle
@@ -0,0 +1,32 @@
+# frama-c -wp -wp-model 'Bytes' -wp-timeout 20 [...]
+[kernel] Parsing assigns_sep.i (no preprocessing)
+[wp] Running WP plugin...
+[kernel:annot:missing-spec] assigns_sep.i:13: Warning:
+ Neither code nor explicit exits and terminates for function assigns,
+ generating default clauses. See -generated-spec-* options for more info
+[kernel:annot:missing-spec] assigns_sep.i:16: Warning:
+ Neither code nor explicit exits and terminates for function assigns_r,
+ generating default clauses. See -generated-spec-* options for more info
+[kernel:annot:missing-spec] assigns_sep.i:19: Warning:
+ Neither code nor explicit exits and terminates for function assigns_l2,
+ generating default clauses. See -generated-spec-* options for more info
+[wp] [Valid] Goal assignment_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal assignment_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] 5 goals scheduled
+[wp] [Valid] bytes_assignment_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_assigns_clause_terminates (Qed)
+[wp] [Valid] bytes_assigns_clause_exits (Qed)
+[wp] [Valid] bytes_assigns_clause_check (Alt-Ergo) (Cached)
+[wp] [Unsuccess] bytes_assigns_clause_check_2 (Alt-Ergo) (Cached)
+[wp] Proved goals: 6 / 7
+ Terminating: 1
+ Unreachable: 1
+ Qed: 2
+ Alt-Ergo: 2
+ Unsuccess: 1
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ assignment - 1 1 100%
+ assigns_clause 2 1 4 75.0%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/floats.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/floats.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..b7d9a3d3cb45f16712781201036309a11a343aa0
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/floats.res.oracle
@@ -0,0 +1,20 @@
+# frama-c -wp -wp-model 'Bytes' -wp-timeout 20 [...]
+[kernel] Parsing floats.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal double_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal double_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal float_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal float_terminates (Cfg) (Trivial)
+[wp] 2 goals scheduled
+[wp] [Valid] bytes_float_assert (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_double_assert (Alt-Ergo) (Cached)
+[wp] Proved goals: 6 / 6
+ Terminating: 2
+ Unreachable: 2
+ Alt-Ergo: 2
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ float_ - 1 1 100%
+ double_ - 1 1 100%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/integers.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/integers.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..6e3206deee082b0d52540b419f933fc89fc66bac
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/integers.res.oracle
@@ -0,0 +1,89 @@
+# frama-c -wp -wp-model 'Bytes (Raw)' -wp-timeout 20 [...]
+[kernel] Parsing integers.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal cast_from_bytes_to_signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_signed_neg_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal cast_from_bytes_to_signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_from_bytes_to_unsigned_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_from_bytes_to_unsigned_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_unsigned_signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_unsigned_signed_neg_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal cast_unsigned_signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal cast_unsigned_signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal signed_neg_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal signed_neg_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal signed_pos_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal signed_pos_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal unsigned_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal unsigned_terminates (Cfg) (Trivial)
+[wp] 53 goals scheduled
+[wp] [Valid] bytes_raw_unsigned_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_7 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_unsigned_check_8 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_7 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_pos_check_8 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_7 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_signed_neg_check_8 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_pos_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_pos_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_pos_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_pos_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_neg_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_neg_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_neg_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_unsigned_signed_neg_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_unsigned_check_7 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_pos_check_7 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_6 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_raw_cast_from_bytes_to_signed_neg_check_7 (Alt-Ergo) (Cached)
+[wp] Proved goals: 69 / 69
+ Terminating: 8
+ Unreachable: 8
+ Alt-Ergo: 53
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ unsigned_ - 8 8 100%
+ signed_pos - 8 8 100%
+ signed_neg - 8 8 100%
+ cast_unsigned_signed_pos - 4 4 100%
+ cast_unsigned_signed_neg - 4 4 100%
+ cast_from_bytes_to_unsigned - 7 7 100%
+ cast_from_bytes_to_signed_pos - 7 7 100%
+ cast_from_bytes_to_signed_neg - 7 7 100%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/pointers.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/pointers.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..b37bbb59a2cd2791d55ee56aa0c05db75a960fa2
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/pointers.res.oracle
@@ -0,0 +1,36 @@
+# frama-c -wp -wp-model 'Bytes' -wp-timeout 20 [...]
+[kernel] Parsing pointers.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal addr_formal_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_formal_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal addr_glob_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_glob_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal addr_local_ko_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_local_ko_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal addr_local_ok_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal addr_local_ok_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal null_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal null_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal pointer_param_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal pointer_param_terminates (Cfg) (Trivial)
+[wp] 6 goals scheduled
+[wp] [Valid] bytes_null_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_addr_glob_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_addr_formal_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_addr_local_ok_check_P (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_addr_local_ko_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_pointer_param_check (Alt-Ergo) (Cached)
+[wp] Proved goals: 18 / 18
+ Terminating: 6
+ Unreachable: 6
+ Alt-Ergo: 6
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ null - 1 1 100%
+ addr_glob - 1 1 100%
+ addr_formal - 1 1 100%
+ addr_local_ok - 1 1 100%
+ addr_local_ko - 1 1 100%
+ pointer_param - 1 1 100%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/structs.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/structs.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..cc3260b313a0bfdf392e5d699aa074406ea02eb7
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/structs.res.oracle
@@ -0,0 +1,20 @@
+# frama-c -wp -wp-model 'Bytes' -wp-timeout 20 [...]
+[kernel] Parsing structs.i (no preprocessing)
+[wp] Running WP plugin...
+[kernel:annot:missing-spec] structs.i:14: Warning:
+ Neither code nor explicit exits and terminates for function callee,
+ generating default clauses. See -generated-spec-* options for more info
+[wp] Warning: Missing RTE guards
+[wp] 5 goals scheduled
+[wp] [Valid] bytes_caller_terminates (Qed)
+[wp] [Valid] bytes_caller_ensures (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_caller_exits (Qed)
+[wp] [Valid] bytes_caller_assigns_exit (Qed)
+[wp] [Valid] bytes_caller_assigns_normal (Qed)
+[wp] Proved goals: 5 / 5
+ Qed: 4
+ Alt-Ergo: 1
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ caller 4 1 5 100%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/oracle_qualif/union.res.oracle b/src/plugins/wp/tests/wp_bytes/oracle_qualif/union.res.oracle
new file mode 100644
index 0000000000000000000000000000000000000000..a653dbd9983c1d57128144d4dcdfa27fa5553055
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/oracle_qualif/union.res.oracle
@@ -0,0 +1,43 @@
+# frama-c -wp -wp-model 'Bytes' -wp-timeout 20 [...]
+[kernel] Parsing union.i (no preprocessing)
+[wp] Running WP plugin...
+[wp] [Valid] Goal union_1_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_1_terminates (Cfg) (Trivial)
+[wp] Warning: Missing RTE guards
+[wp] [Valid] Goal union_2_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_2_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal union_3_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_3_terminates (Cfg) (Trivial)
+[wp] [Valid] Goal union_4_exits (Cfg) (Unreachable)
+[wp] [Valid] Goal union_4_terminates (Cfg) (Trivial)
+[wp] 18 goals scheduled
+[wp] [Valid] bytes_union_1_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_1_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_1_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_1_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_1_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_2_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_2_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_2_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_2_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_3_check (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_3_check_2 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_3_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_3_check_4 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_3_check_5 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_4_check (Alt-Ergo) (Cached)
+[wp] [Unsuccess] bytes_union_4_check_2 (Alt-Ergo) (Cached)
+[wp] [Unsuccess] bytes_union_4_check_3 (Alt-Ergo) (Cached)
+[wp] [Valid] bytes_union_4_check_4 (Alt-Ergo) (Cached)
+[wp] Proved goals: 24 / 26
+ Terminating: 4
+ Unreachable: 4
+ Alt-Ergo: 16
+ Unsuccess: 2
+------------------------------------------------------------
+ Functions WP Alt-Ergo Total Success
+ union_1 - 5 5 100%
+ union_2 - 4 4 100%
+ union_3 - 5 5 100%
+ union_4 - 2 4 50.0%
+------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bytes/pointers.i b/src/plugins/wp/tests/wp_bytes/pointers.i
new file mode 100644
index 0000000000000000000000000000000000000000..1f7e8530bd26dc296faa4309238e0cf00f0c9ede
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/pointers.i
@@ -0,0 +1,58 @@
+typedef unsigned char uint8 ;
+
+void null(void){
+ uint8 buffer[sizeof(int*)] ;
+ *((int**) buffer) = (void*) 0 ;
+
+ int* r = *((int**) buffer) ;
+ //@ check r == \null ;
+}
+
+int g ;
+
+void addr_glob(void){
+ uint8 buffer[sizeof(int*)] ;
+ *((int**) buffer) = &g ;
+
+ int* r = *((int**) buffer) ;
+ //@ check r == &g ;
+}
+
+void addr_formal(int f){
+ uint8 buffer[sizeof(int*)] ;
+ *((int**) buffer) = &f ;
+ int* r = *((int**) buffer) ;
+
+ //@ check r == &f ;
+}
+
+void addr_local_ok(void){
+ int l = 0;
+
+ uint8 buffer[sizeof(int*)] ;
+ *((int**) buffer) = &l ;
+
+ int* r = *((int**) buffer) ;
+ //@ check P: r == &l ;
+}
+
+void addr_local_ko(void){
+ uint8 buffer[sizeof(int*)] ;
+
+ {
+ int l ;
+ *((int**) buffer) = &l ;
+ }
+
+ int* r = *((int**) buffer) ;
+ //@ check ! \valid(r) ;
+}
+
+//@ requires \valid(f);
+void pointer_param(int *f){
+ uint8 buffer[sizeof(int*)] ;
+ *((int**) buffer) = f ;
+
+ int* r = *((int**) buffer) ;
+ //@ check r == f ;
+}
diff --git a/src/plugins/wp/tests/wp_bytes/structs.i b/src/plugins/wp/tests/wp_bytes/structs.i
new file mode 100644
index 0000000000000000000000000000000000000000..6018ae03d837d3b15a648eb7db59abbdf2b9ad6d
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/structs.i
@@ -0,0 +1,22 @@
+struct X {
+ char c ;
+ short s ;
+ int i ;
+ int a[5] ;
+} ;
+
+struct Y {
+ char c ;
+ struct X x ;
+} ;
+
+//@ assigns *y ;
+void callee(struct Y* y);
+
+/*@ requires \separated(u, y) ;
+ assigns *y ;
+ ensures *u == \old(*u) ;
+*/
+void caller(struct Y const* u, struct Y* y){
+ callee(y) ;
+}
diff --git a/src/plugins/wp/tests/wp_bytes/test_config b/src/plugins/wp/tests/wp_bytes/test_config
new file mode 100644
index 0000000000000000000000000000000000000000..3ef26ad2d9562857aed6c57009e8f64ed1b59213
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/test_config
@@ -0,0 +1 @@
+OPT: -wp-model bytes
diff --git a/src/plugins/wp/tests/wp_bytes/test_config_qualif b/src/plugins/wp/tests/wp_bytes/test_config_qualif
new file mode 100644
index 0000000000000000000000000000000000000000..b669ba76f90fc15e754af961f8067be691876bdd
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/test_config_qualif
@@ -0,0 +1 @@
+OPT: -wp-model bytes -wp-prover Alt-Ergo -wp-timeout 20
diff --git a/src/plugins/wp/tests/wp_bytes/union.i b/src/plugins/wp/tests/wp_bytes/union.i
new file mode 100644
index 0000000000000000000000000000000000000000..548d6b072a1bc831140948e672bdc798ebeac9fa
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bytes/union.i
@@ -0,0 +1,76 @@
+typedef unsigned long long uint64 ;
+typedef unsigned uint32 ;
+typedef unsigned char uint8 ;
+
+typedef int int32 ;
+
+struct X {
+ uint32 u ;
+ int32 i ;
+} ;
+
+union U {
+ struct X x ;
+ uint64 u ;
+ uint8 a[sizeof(struct X)] ;
+ uint32 s ;
+} ;
+
+//@ requires \valid(u) ;
+void union_1(union U* u){
+ u->u = 0x00000000FFFFFFFF ;
+
+ //@ check u->x.i == 0x00000000 ;
+ //@ check u->x.u == 0xFFFFFFFF ;
+
+ //@ check \forall integer i ; 0 <= i < 4 ==> u->a[i] == { 0xFF } ;
+ //@ check \forall integer i ; 4 <= i < 8 ==> u->a[i] == { 0x00 } ;
+
+ //@ check u->s == 0xFFFFFFFF ;
+}
+
+//@ requires \valid(u) ;
+void union_2(union U* u){
+ u->a[0] = 0xFF ;
+ u->a[1] = 0xFF ;
+ u->a[2] = 0xFF ;
+ u->a[3] = 0xFF ;
+ u->a[4] = 0x00 ;
+ u->a[5] = 0x00 ;
+ u->a[6] = 0x00 ;
+ u->a[7] = 0x00 ;
+
+ //@ check u->u == 0x00000000FFFFFFFF ;
+
+ //@ check u->x.i == 0x00000000 ;
+ //@ check u->x.u == 0xFFFFFFFF ;
+
+ //@ check u->s == 0xFFFFFFFF ;
+}
+
+//@ requires \valid(u) ;
+void union_3(union U* u){
+ u->u = 0x00000000FFFFFFFF ;
+ u->s = 0xFFFFFFFF ;
+
+ //@ check u->u == 0x00000000FFFFFFFF ;
+
+ //@ check u->x.i == 0x00000000 ;
+ //@ check u->x.u == 0xFFFFFFFF ;
+
+ //@ check \forall integer i ; 0 <= i < 4 ==> u->a[i] == { 0xFF } ;
+ //@ check \forall integer i ; 4 <= i < 8 ==> u->a[i] == { 0x00 } ;
+}
+
+//@ requires \valid(u) ;
+void union_4(union U* u){
+ struct X x = { .u = 0xFFFFFFFFu, .i = 0x00000000 } ;
+ u->x = x ;
+
+ //@ check u->u == 0x00000000FFFFFFFF ;
+
+ //@ check \forall integer i ; 0 <= i < 4 ==> u->a[i] == { 0xFF } ;
+ //@ check \forall integer i ; 4 <= i < 8 ==> u->a[i] == { 0x00 } ;
+
+ //@ check u->s == 0xFFFFFFFF ;
+}
diff --git a/src/plugins/wp/wp.ml b/src/plugins/wp/wp.ml
index c10ae35f5359dc4847111b07da904c402c24fefd..89dfaae71cb48d21636c4d5200800c055759753e 100644
--- a/src/plugins/wp/wp.ml
+++ b/src/plugins/wp/wp.ml
@@ -95,6 +95,7 @@ module MemDebug = MemDebug
module MemEmpty = MemEmpty
module MemLoader = MemLoader
module MemMemory = MemMemory
+module MemBytes = MemBytes
module MemTyped = MemTyped
module MemVal = MemVal
module MemVar = MemVar