--- layout: fc_discuss_archives title: Message 20 from Frama-C-discuss on July 2020 ---
Hi Denis, Your link actually leads to even more "interesting" thoughts. My axiom stated that any strlen should be less or equal than UINTPTR_MAX. But assuming that strings s1 and s2 are not overlapping, the sum of their lengths is seemingly less or equal than UINTPTR_MAX. On Thu, Jul 30, 2020 at 2:44 PM Denis Efremov <efremov at ispras.ru> wrote: > Hi, > > On 7/30/20 11:36 PM, Yurii Rashkovskii wrote: > > > > I have a question / thought to bounce off. I've been recently trying to > prove a few properties on some trivial functions in a small project of mine > (https://github.com/yrashk/clam). > > > > I ran into an interesting aspect where I needed to do extensive checks > on certain counters not hitting UINTPTR_MAX. I have managed to simplify > that with a rather trivial axiom: > > > > > https://github.com/yrashk/clam/commit/e84af3bf8d72ebdcec392589e189952d560ba28a > > > > (obviously, I would have preferred an actual prove, but I am but a > novice) > > > > I am wondering if any thought has been previously given on such cases > where, for example `strlen` axioms are bound by \forall ⤠which is > admittedly wider than pointers would allow? > > > > Is my approach anywhere close to reasonable? Should Frama-C axiomatics > include more consideration for the [limited] pointer integer universe? > > I faced it while proving strcat > > https://github.com/evdenis/verker/blob/master/src/strcat.h#L14 > > Regards, > > Denis > > -- Y. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.gforge.inria.fr/pipermail/frama-c-discuss/attachments/20200730/bb2996f8/attachment-0001.html>