imprecision in widening/narrowing for char and short index
ID0000414: This issue was created automatically from Mantis Issue 414. Further discussion may take place here.
| Id | Project | Category | View | Due Date | Updated |
|---|---|---|---|---|---|
| ID0000414 | Frama-C | Plug-in > Eva | public | 2010-02-19 | 2010-04-13 |
| Reporter | sduprat | Assigned To | pascal | Resolution | fixed |
| Priority | normal | Severity | feature | Reproducibility | always |
| Platform | - | OS | - | OS Version | - |
| Product Version | Frama-C Beryllium-20090902 | Target Version | - | Fixed in Version | Frama-C Boron-20100401 |
Description :
Hello Stéphane,
Depending the type of i, the range is not the same. The range of i in the loop is [0..10] (for int) or [0..15] for char or short.
void main(void) { char i=0; int j=0; while (i<10) i++; while (j<10) j++; }
[value] ====== VALUES COMPUTED ====== [value] Values for function main: i IN {10; 11; 12; 13; 14; 15; } j IN {10; }
It's interesting that you noticed this behavior, because I fixed a comparable problem on short notice this summer for an intern who had to demo his plug-in the following week.
Note that the AST for the two loops is different: i = (char)0; j = 0; while ((int )i < 10) {i = (char )((int )i + 1);} while (j < 10) {j ++;}
CIL transforms the code thus because the C standard specifies that operators such as ++ do not operate on types smaller than int, and that values of these types are implicitly promoted to int in these conditions.
Meanwhile, in the absence of any loop-related option, the value analysis tries to keep computations short at the price of precision by using a technique called "widening". In order to limit the loss of precision, however, various heuristics are used, including a syntactic one for the j loop that recognizes that j IN [0..10] is a good candidate for the loop invariant.
This heuristic does not currently recognize the condition ((int )i < 10) as one where it would be valuable to try the same kind of invariant.
I have filed this issue as "feature wish" in the Bug Tracking System, so that it is not forgotten. http://bts.frama-c.com/view.php?id=325
Pascal