unprovable PO in function manipulating structs - issue with Qed's simplifications
ID0001556: This issue was created automatically from Mantis Issue 1556. Further discussion may take place here.
| Id | Project | Category | View | Due Date | Updated |
|---|---|---|---|---|---|
| ID0001556 | Frama-C | Plug-in > wp | public | 2013-11-08 | 2014-02-05 |
| Reporter | virgile | Assigned To | correnson | Resolution | open |
| Priority | normal | Severity | minor | Reproducibility | always |
| Platform | - | OS | - | OS Version | - |
| Product Version | Frama-C GIT, precise the release id | Target Version | - | Fixed in Version | - |
Description :
In the attached file, the two post-conditions KO and OK are equivalent, since s2 is not modified and separated from s1. However, frama-c -wp struct_assign.i shows that WP is only capable to prove OK.
Additional Information :
the resulting PO for KO is a bit strange. Once all let have been rewritten, it amounts to (in ACSL-like format): \at(s2->x, Pre) == \at(s2->x, Post) Moreover, the state Post is described as the update of the state at L with s1->y |-> \at(s1->y,Pre) + \at(s2->y,L) i.e. as if it wasn't clear whether s1->x and s2->y were separated.
If we disable variable elimination, the proof obligation gets discharged by alt-ergo, and there's no mix of memory states in the various updates. Issue is thus likely there.