error in generated proof obligation

ID0002501: This issue was created automatically from Mantis Issue 2501. Further discussion may take place here.

---

Id	Project	Category	View	Due Date	Updated
ID0002501	Frama-C	Plug-in > wp	public	2020-03-10	2020-06-12

Reporter	jens	Assigned To	AllanBlanchard	Resolution	fixed
Priority	normal	Severity	major	Reproducibility	always
Platform	-	OS	Linux, macOS	OS Version	-
Product Version	Frama-C 20-Calcium	Target Version	-	Fixed in Version	Frama-C 21-Scandium

Description :

The attached file 'issue.c' contains a simplified (but still not very small) example of an issue I have within ACSL by Example.

There is lemma R_2 for the logic function R. The definition of R uses the logic function F contained in the axiomatic block A. When trying to verify R_2 with the command line below I obtain the message [Why3 Error] anomaly: Failure("Can't find 'L_F' in why3 namespace")

frama-c -wp -wp-prover alt-ergo -wp-prover native:coq issue.c [kernel] Parsing issue.c (with preprocessing) [wp] Warning: native support for coq is deprecated, use tip instead [wp] 2 goals scheduled [wp] [Failed] Goal typed_lemma_R_2 Alt-Ergo 2.3.1: Failed [Why3 Error] anomaly: Failure("Can't find 'L_F' in why3 namespace") Coq: Unknown [wp] [Cache] found:1 [wp] Proved goals: 1 / 2 Qed: 0 Coq: 0 (unknown: 1) Alt-Ergo 2.3.1: 1 (10ms) (23) (cached: 1) (failed: 1)

When looking at the generated verification condition with Coq I found the following: The generated hypothesis 'FixL_R' uses of course the function 'L_F'. However, the necessary import clause 'Require Import A_A.' comes only AFTER the definition of 'FixL_R'.

Additional Information :

There is a work-around by calling the helper function 'Fix' in the definition of R (see the comment in the code).

The problem also "disappears' if lemma 'R_1' is removed (but I don't have this option).

While looking at this problem, I noticed that in general coq definitions and import clauses are interspersed in the verification conditions...

Attachments

• issue.c