---
layout: fc_discuss_archives
title: Message 11 from Frama-C-discuss on August 2015
---
I'm getting close on my first small verification attempt (!), but running across a problem I can't figure out. I have code with the following specification that is being validated by frama-c (all showing up with a green dot in the gui):

    /*@ requires \initialized(buf+(0 .. len-1));
        ensures \result ≡ 0 ∨ \initialized(*\old(retp)+(0 .. *\old(lenp)-1));
        assigns *retp, *lenp;
        assigns *retp \from *buf, len;
        assigns *lenp \from *buf, len;
     */
    int auth(unsigned char *buf, unsigned int len, unsigned char **retp, unsigned int *lenp)

I even threw in an extra assert before returning to confirm this:

    /*@ assert \valid(*retp+(0 .. *lenp-1)); */ ;
    __retres = 1;
    return_label: return __retres;

Now back at the call site I have:

    ok = auth(buf,sz,& pay,& paysz);
    /*@ assert ok ≡ 0 ∨ \initialized(pay+(0 .. paysz-1)); */ ;
    if (ok) {
      /*@ assert \initialized(pay+(0 .. paysz-1)); */ ;

There's a green dot saying the analysis is good at the auth() call. But I have yellow dots next to the two assertions.

What is confusing me is that the assertion right after the call site is the same (seems to me!) as the "ensures" clause of the implementation! So why is the analyzer not drawing the connection? Is there something I can do to help it out?

PS: none of this code is 'secret', so I can provide a full example if it is helpful.

Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com
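The setup described in the message, as a constructed, self-contained C file that is not the poster's code: the contract and call-site assertions are as quoted, while the tag byte, the bodies of auth() and the caller, the helper names and the extra requires clauses are assumptions, and the \from clauses are left out.

```c
/* Constructed reproduction of the setup in the post (not the poster's
 * code): auth() checks a one-byte tag and hands back a pointer into buf,
 * under the contract and call-site assertions quoted in the message.
 * Assumed: the tag value, the function bodies and the helper names. */
#include <stddef.h>
#define TAG 0x01

/*@ requires len >= 1;
    requires \valid_read(buf+(0 .. len-1));
    requires \initialized(buf+(0 .. len-1));
    requires \valid(retp) && \valid(lenp);
    assigns *retp, *lenp;
    ensures \result == 0 || \initialized(*\old(retp)+(0 .. *\old(lenp)-1));
*/
int auth(unsigned char *buf, unsigned int len,
         unsigned char **retp, unsigned int *lenp)
{
    if (buf[0] != TAG) {          /* reject: caller must not use the payload */
        *retp = NULL;
        *lenp = 0;
        return 0;
    }
    *retp = buf + 1;              /* payload is everything after the tag */
    *lenp = len - 1;
    return 1;
}

/* Call site in the style of the post; the assertions are what the
 * caller wants to rely on after auth() returns. */
/*@ requires sz >= 1;
    requires \valid_read(buf+(0 .. sz-1));
    requires \initialized(buf+(0 .. sz-1));
    assigns \nothing;
*/
unsigned int payload_len(unsigned char *buf, unsigned int sz)
{
    unsigned char *pay;
    unsigned int paysz;
    int ok = auth(buf, sz, &pay, &paysz);
    /*@ assert ok == 0 || \initialized(pay+(0 .. paysz-1)); */
    if (ok) {
        /*@ assert \initialized(pay+(0 .. paysz-1)); */
        return paysz;
    }
    return 0;
}

/* Constructed sample inputs: a correctly tagged message and a rejected one. */
unsigned int demo_accepted(void) { unsigned char m[4] = {TAG, 'a', 'b', 'c'}; return payload_len(m, 4); }
unsigned int demo_rejected(void) { unsigned char m[4] = {0x7f, 'a', 'b', 'c'}; return payload_len(m, 4); }
```

The ACSL annotations are ordinary C comments, so the file compiles with any C compiler and can also be handed to Frama-C to reproduce the green/yellow status of the assertions.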