--- layout: fc_discuss_archives title: Message 9 from Frama-C-discuss on February 2010 ---
Le lun. 01 f?vr. 2010 15:18:24 CET, BAUDIN Patrick <Patrick.Baudin at cea.fr> a ?crit : > Hollas Boris (CR/AEY1) wrote: > > Consider a function that calls another function: > > > > Void f1(...) { > > ... > > K = f2(...); // (*) > > ... > > } > > > > I assume that if f2 has a contract (ie, pre- and postcondition as given by the user), this contract will be used by the verifier at the place of the function call. That is, the prover shows that > > - the postcondition of f2 implies the wp derived so far > > - the precondition of f2 is the new precondition for line (*). > > > > What happens if f2 isn't annotated? Will the call to f2 just be ignored by the verifier? > > > Please, look at the document "ACSL: ANSI/ISO C Specification Language", > section 2.3.5 about "default contracts". To complete Patrick's answer, even if f2 is not annotated, it has a contract (requires \true; ensures \true;), thus the schema you described above still holds (of course, you'll have trouble proving anything related to K after line (*)). The absence of assigns clause is more problematic. In theory, this means that f2 could modify any memory location. In practice, if the code of f2 is given Jessie will infer an over-approximation of the set of locations that may have been modified (so that any property about locations which are not in this set still holds after the call). If only the declaration of f2 is available, frama-c's kernel infer some assigns clause based on the type of the arguments of f2, but does not offer any guarantee of correction for this clause (in particular, it considers that no global is modified directly by f2). -- E tutto per oggi, a la prossima volta. Virgile