--- layout: fc_discuss_archives title: Message 30 from Frama-C-discuss on November 2009 ---
Sections 2.7 and 2.3.4 of the ACSL documentation, which deal with memory locations, should explain the memory model of the verifyer or the assumptions ACLS makes on this memory model. I assume this is meant to be a typed memory model, so that eg this code verifies: struct A { int x; int y; }; struct B { struct A a; int z; }; /*@ requires \valid(p); */ void foo(struct B *p) { p->a.x = 0; p->z = 0; } The documentation states "\valid(s) holds if and only if dereferencing any p \in s is safe." However, it's not clear what dereferencing means wrt structs. I think that in this case, validity must be defined by induction on data types. That is, for primitive data types the definition in the documentation applies. Arrays are considered as part of a contiguous region of memory locations of the same type. A struct S is valid iff all members in the transitive hull of S (with respect to the access operator .) are valid. What do you think?