Wrong specification for standard library function memmove
ID0001648: This issue was created automatically from Mantis Issue 1648. Further discussion may take place here.
| Id | Project | Category | View | Due Date | Updated |
|---|---|---|---|---|---|
| ID0001648 | Frama-C | Kernel | public | 2014-02-17 | 2018-11-30 |
| Reporter | pascal | Assigned To | maroneze | Resolution | open |
| Priority | normal | Severity | major | Reproducibility | always |
| Platform | - | OS | - | OS Version | - |
| Product Version | - | Target Version | - | Fixed in Version | - |
Description :
CONTEXT: This issue does not originate from an industrial application. It is reported for the lulz.
DESCRIPTION: The post-condition for memmove() incorrectly describes its effects when source and destination overlap.
/@ ... @ ensures memcmp((char)dest,(char*)src,n) == 0; ... @*/ extern void *memmove(void *dest, const void *src, size_t n);
In order to be maximally useful, the memcmp logic function, which is defined thus:
/*@ axiomatic MemCmp { @ logic ℤ memcmp{L}(char *s1, char *s2, ℤ n) @ reads s1[0..n - 1], s2[0..n - 1]; ...
would need to be parameterized by two labels L1 and L2, and state that the memory zone pointed by s1 in L1 is identical to the memory zone pointed by s2 in L2.