int x;<sidenote>This is a variable declaration. Amazing!</sidenote><point></point>
x = 21;
int y;<sidenote>Yet another variable declaration.</sidenote><point></point>
y = 21;
int z;
z = x + y;
return z;<sidenote>And this is a function return, and a not so short sidenote. Let's see how this is diplayed on the website.</sidenote><point></point>
}
</pre>
</div>
<h2>Quick description</h2>
<h2>Quick description</h2>
<p>The ANSI/ISO C Specification Langage (ACSL) is a behavioral
<p>The ANSI/ISO C Specification Langage (ACSL) is a behavioral
specification language for C programs. The design of ACSL is
specification language for C programs. The design of ACSL is
...
@@ -39,25 +24,35 @@ software, they generally leave the actual expression of the
...
@@ -39,25 +24,35 @@ software, they generally leave the actual expression of the
contract to run-time assertions, or to comments in the source code.
contract to run-time assertions, or to comments in the source code.
ACSL is expressly designed for writing the kind of properties that
ACSL is expressly designed for writing the kind of properties that
make up a function contract.
make up a function contract.
ACSL is a <em>formal</em> language. This means that the
ACSL is a <em>formal</em> language.</p>
specifications written in ACSL can be automatically manipulated by
helper programs, in the same way that a programming language is a
formal language manipulated by a compiler, and by opposition to
informally written comments that can only be useful to humans.</p>
<p>ACSL allows to write contracts that range from the low-level
<divclass="sidecode">
(“<i>this function expects a valid pointer to int</i>”) to the
<pre>
high-level (“<i>this function expects a nonempty linked list of
/*@
ints and returns the greatest of these ints</i>”). It is expressive
requires \valid(a+(0..n-1));<sidenote>ACSL provides specification primitives to cover the low-level aspects of the C programming language</sidenote><point></point>
enough to write complete specifications for many functions, but it
can also be used for writing partial specifications. Partial
assigns a[0..n-1];
specifications, of which the “<i>expects a valid pointer to
int</i>” contract is a typical example, do not describe completely
ensures<sidenote>As a formal language, ACSL enables a precise specification of function contracts. That makes the specification not only understanble by a human, but also manipulable by an analyzer. Furthermore, as complete specification is not always useful, the contract can be partial, it depends on one wants to verify.</sidenote><point></point>
the expected behavior of the function. Function contracts written as
\forall integer i;
run-time assertions are almost always partial specifications,
0 <=i<n ==> a[i] == 0;
because a complete specification would be too annoying to write in
*/
the same language as the programming language (indeed, most often
void set_to_0(int* a, int n){
this would mean programming the function a second time).</p>
int i;
/*@
loop invariant 0 <=i<=n;
loopinvariant
\forallintegerj;<sidenote>It also allows more abstract reasoning through mathematical or logic types, or through the definition of high level ideas, like "the function expect a valid linked list".</sidenote><point></point>
0 <=j<i ==> a[j] == 0;
loop assigns i, a[0..n-1];
loop variant n-i;
*/
for(i = 0; i <n;++i)
a[i] = 0;
}
</pre>
</div>
<p><ahref="../fc-plugins/wp.html">WP</a> and the older
<p><ahref="../fc-plugins/wp.html">WP</a> and the older
