Commit 5552a911 authored by Rodolphe Lepigre's avatar Rodolphe Lepigre

Refactoring and renaming in [lang.v] (mostly).

- Put stuff in sections in [lang.v].
- Renamed [mk_layout] into [Layout] (for uniformity).
- Renamed [it_min] and [it_max] into [min_int] and [max_int].
- Some other renamings on [int_type]-related stuff.
- Changed [max_int] to be the last representable integer.
- Turned [in_it_range] into an instance of [ElemOf].
parent ea5c3527
Pipeline #36125 passed with stage
in 16 minutes and 44 seconds
......@@ -21,7 +21,7 @@ Section spec.
constrained (padded (struct struct_alloc_entry [@{type}
(size @ (int (size_t))) ;
(guarded ("alloc_entry_t_0") (apply_dfun self (l)))
]) struct_alloc_entry (mk_layout size 3)) (
]) struct_alloc_entry (Layout size 3)) (
(8 | size)
)
)
......@@ -46,7 +46,7 @@ Section spec.
constrained (padded (struct struct_alloc_entry [@{type}
(size @ (int (size_t))) ;
(guarded "alloc_entry_t_0" (l @ alloc_entry_t))
]) struct_alloc_entry (mk_layout size 3)) (
]) struct_alloc_entry (Layout size 3)) (
(8 | size)
)
)
......@@ -147,22 +147,22 @@ Section spec.
(* Specifications for function [alloc]. *)
Definition type_of_alloc :=
fn( size : nat; (size @ (int (size_t))); size + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (mk_layout size 3))); True.
fn( size : nat; (size @ (int (size_t))); size + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (Layout size 3))); True.
(* Specifications for function [free]. *)
Definition type_of_free :=
fn( size : nat; (size @ (int (size_t))), (&own (uninit (mk_layout size 3))); (alloc_initialized) (8 | size))
fn( size : nat; (size @ (int (size_t))), (&own (uninit (Layout size 3))); (alloc_initialized) (8 | size))
() : (), (void); True.
(* Specifications for function [alloc_array]. *)
Definition type_of_alloc_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); True.
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); True.
(* Specifications for function [free_array]. *)
Definition type_of_free_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); size * n < it_max size_t (8 | size) (alloc_initialized))
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); size * n max_int size_t (8 | size) (alloc_initialized))
() : (), (void); True.
(* Specifications for function [init_alloc]. *)
......
......@@ -74,7 +74,7 @@ Section code.
Program Definition struct_alloc_state := {|
sl_members := [
(Some "lock", layout_of struct_spinlock);
(None, mk_layout 7%nat 0%nat);
(None, Layout 7%nat 0%nat);
(Some "data", LPtr)
];
|}.
......
......@@ -22,7 +22,7 @@ Section spec.
constrained (padded (struct struct_alloc_entry [@{type}
(size @ (int (size_t))) ;
(guarded ("alloc_entry_t_0") (apply_dfun self (l)))
]) struct_alloc_entry (mk_layout size 3)) (
]) struct_alloc_entry (Layout size 3)) (
(8 | size)
)
)
......@@ -47,7 +47,7 @@ Section spec.
constrained (padded (struct struct_alloc_entry [@{type}
(size @ (int (size_t))) ;
(guarded "alloc_entry_t_0" (l @ alloc_entry_t))
]) struct_alloc_entry (mk_layout size 3)) (
]) struct_alloc_entry (Layout size 3)) (
(8 | size)
)
)
......@@ -162,22 +162,22 @@ Section spec.
(* Specifications for function [alloc]. *)
Definition type_of_alloc :=
fn( size : nat; (size @ (int (size_t))); size + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (mk_layout size 3))); True.
fn( size : nat; (size @ (int (size_t))); size + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (Layout size 3))); True.
(* Specifications for function [free]. *)
Definition type_of_free :=
fn( size : nat; (size @ (int (size_t))), (&own (uninit (mk_layout size 3))); (alloc_initialized) (8 | size))
fn( size : nat; (size @ (int (size_t))), (&own (uninit (Layout size 3))); (alloc_initialized) (8 | size))
() : (), (void); True.
(* Specifications for function [alloc_array]. *)
Definition type_of_alloc_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); True.
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); True.
(* Specifications for function [free_array]. *)
Definition type_of_free_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); size * n < it_max size_t (8 | size) (alloc_initialized))
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); size * n max_int size_t (8 | size) (alloc_initialized))
() : (), (void); True.
(* Specifications for function [init_alloc]. *)
......@@ -187,7 +187,7 @@ Section spec.
(* Specifications for function [main]. *)
Definition type_of_main :=
fn( () : (); (initialized "initialized" ()) (global_with_type "allocator_state" Own (uninit struct_alloc_state)) (global_with_type "allocator_data" Own (uninit (mk_layout (Z.to_nat 10000) 3))))
fn( () : (); (initialized "initialized" ()) (global_with_type "allocator_state" Own (uninit struct_alloc_state)) (global_with_type "allocator_data" Own (uninit (Layout (Z.to_nat 10000) 3))))
() : (), (int (i32)); True.
(* Specifications for function [main2]. *)
......
......@@ -630,7 +630,7 @@ Section code.
(Some "left", LPtr);
(Some "right", LPtr);
(Some "key", it_layout i32);
(None, mk_layout 4%nat 0%nat)
(None, Layout 4%nat 0%nat)
];
|}.
Solve Obligations with solve_struct_obligations.
......
......@@ -119,22 +119,22 @@ Section spec.
(* Specifications for function [alloc]. *)
Definition type_of_alloc :=
fn( size : nat; (size @ (int (size_t))); size + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (mk_layout size 3))); True.
fn( size : nat; (size @ (int (size_t))); size + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (Layout size 3))); True.
(* Specifications for function [free]. *)
Definition type_of_free :=
fn( size : nat; (size @ (int (size_t))), (&own (uninit (mk_layout size 3))); (alloc_initialized) (8 | size))
fn( size : nat; (size @ (int (size_t))), (&own (uninit (Layout size 3))); (alloc_initialized) (8 | size))
() : (), (void); True.
(* Specifications for function [alloc_array]. *)
Definition type_of_alloc_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); True.
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); True.
(* Specifications for function [free_array]. *)
Definition type_of_free_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); size * n < it_max size_t (8 | size) (alloc_initialized))
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); size * n max_int size_t (8 | size) (alloc_initialized))
() : (), (void); True.
(* Specifications for function [empty]. *)
......
......@@ -15,7 +15,7 @@ Section spec.
(* Specifications for function [test_switch_default]. *)
Definition type_of_test_switch_default :=
fn( i : nat; (i @ (int (i32))); i + 1 < it_max i32)
fn( i : nat; (i @ (int (i32))); i + 1 max_int i32)
() : (), (((if bool_decide (i 4) then 5 else i + 1)%nat) @ (int (i32))); True.
(* Specifications for function [incr_less_than_5]. *)
......@@ -25,6 +25,6 @@ Section spec.
(* Specifications for function [duffs_identity]. *)
Definition type_of_duffs_identity :=
fn( i : Z; (i @ (int (i32))); 0 < i i + 3 < it_max i32)
fn( i : Z; (i @ (int (i32))); 0 < i i + 3 max_int i32)
() : (), (i @ (int (i32))); True.
End spec.
......@@ -81,22 +81,22 @@ Section spec.
(* Specifications for function [alloc]. *)
Definition type_of_alloc :=
fn( size : nat; (size @ (int (size_t))); size + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (mk_layout size 3))); True.
fn( size : nat; (size @ (int (size_t))); size + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (uninit (Layout size 3))); True.
(* Specifications for function [free]. *)
Definition type_of_free :=
fn( size : nat; (size @ (int (size_t))), (&own (uninit (mk_layout size 3))); (alloc_initialized) (8 | size))
fn( size : nat; (size @ (int (size_t))), (&own (uninit (Layout size 3))); (alloc_initialized) (8 | size))
() : (), (void); True.
(* Specifications for function [alloc_array]. *)
Definition type_of_alloc_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 < it_max size_t (8 | size) (alloc_initialized))
() : (), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); True.
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))); size * n + 16 max_int size_t (8 | size) (alloc_initialized))
() : (), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); True.
(* Specifications for function [free_array]. *)
Definition type_of_free_array :=
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (mk_layout size 3) (replicate n (uninit (mk_layout size 3))))); size * n < it_max size_t (8 | size) (alloc_initialized))
fn( (size, n) : nat * nat; (size @ (int (size_t))), (n @ (int (size_t))), (&own (array (Layout size 3) (replicate n (uninit (Layout size 3))))); size * n max_int size_t (8 | size) (alloc_initialized))
() : (), (void); True.
(* Specifications for function [empty]. *)
......
......@@ -142,13 +142,13 @@ int int_id2(int a) {
needs to ensure that the addition does not overflow. In RefinedC
(like in VCC) all over- and underflow is considered undefined
behaviour and verification with RefinedC ensures that no overflow
or underflow can happen. This is why the precondtion [n + 1 <
it_max i32] is necessary.
or underflow can happen. This is why the precondtion [n + 1
max_int i32] is necessary.
*/
[[rc::parameters("n : Z")]]
[[rc::args("n @ int<i32>")]]
/* try commenting out the following line */
[[rc::requires("{n + 1 < it_max i32}")]]
[[rc::requires("{n + 1 ≤ max_int i32}")]]
[[rc::returns("{n + 1} @ int<i32>")]]
int add1(int a) {
return a + 1;
......@@ -170,11 +170,11 @@ int add1(int a) {
n : Z
arg_a : loc
x : val
_Hyp_ : (it_min i32 ≤ n)
_Hyp1_ : (n < it_max i32)
_Hyp2_ : (it_min i32 ≤ 1)
_Hyp_ : (min_int i32 ≤ n)
_Hyp1_ : (n ≤ max_int i32)
_Hyp2_ : (min_int i32 ≤ 1)
---------------------------------------
(it_in_range i32 (n + 1))
((n + 1) ∈ i32)
This is one of the possible failure modes of RefinedC. If you look
at the first line, you can see that RefinedC could not prove a side
......@@ -189,7 +189,7 @@ int add1(int a) {
not prove. Everything above the long line are the facts which are
known at this point in the program and below you can see the
statement which could not be proven. In this example, RefinedC
cannot prove [it_in_range i32 (n + 1)] which means that [n + 1] is
cannot prove [(n + 1) ∈ i32] which means that [n + 1] is
in the range of a signed 32bit integer ([i32]). As we have
discussed before, this condition is generated by typechecking of
the [+] since overflow is undefined behavior in the RefinedC C
......@@ -297,7 +297,7 @@ int min(int a, int b) {
[[rc::parameters("va : Z", "vb : Z")]]
[[rc::args("va @ int<i32>", "vb @ int<i32>")]]
[[rc::requires("{va + vb < it_max i32}", "{0 <= va}")]]
[[rc::requires("{va + vb ≤ max_int i32}", "{0 <= va}")]]
[[rc::returns("{va + vb} @ int<i32>")]]
int looping_add(int a, int b) {
[[rc::exists("acc : Z")]]
......@@ -376,7 +376,7 @@ int looping_add(int a, int b) {
an integer to 1 shows two of them:
- [uninit<layout>] represents uninitialized memory which might
contain arbitrary values (including Poison). It is parametrized
contain arbitrary values (including poison). It is parametrized
by a [layout], which describes the size of the uninitialized
memory. There is a coercions from [int_type] to [layout] so we
can just use [uninit<i32>] to denote uninitialized memory which
......
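Review bot: The rewritten tutorial comment keeps the typo "precondtion" on the line `or underflow can happen. This is why the precondtion [n + 1`; since the line is already being touched for the new bound, it should read `This is why the precondition [n + 1 ≤ max_int i32] is necessary.` In the same file, the rewritten sentence `cannot prove [(n + 1) ∈ i32] which means that [n + 1] is in the range` reads as if the fact were established, whereas the surrounding text is explaining an obligation that could not be discharged; `which states that [n + 1] is in the range` would match that intent. Both points are wording only; the comment blocks and the body of add1 continue outside the shown hunks.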
......@@ -10,7 +10,7 @@ static unsigned char allocator_data[DATA_SIZE];
[[rc::requires("[initialized \"initialized\" ()]")]]
[[rc::requires("[global_with_type \"allocator_state\" Own (uninit struct_alloc_state)]")]]
[[rc::requires("[global_with_type \"allocator_data\" Own (uninit (mk_layout (Z.to_nat 10000) 3))]")]]
[[rc::requires("[global_with_type \"allocator_data\" Own (uninit (Layout (Z.to_nat 10000) 3))]")]]
[[rc::returns("int<i32>")]]
int main() {
init_alloc();
......
......@@ -18,7 +18,7 @@ int test_switch(int i){
[[rc::parameters("i : nat")]]
[[rc::args("i @ int<i32>")]]
[[rc::requires("{i + 1 < it_max i32}")]]
[[rc::requires("{i + 1 ≤ max_int i32}")]]
[[rc::returns("{(if bool_decide (i ≤ 4) then 5 else i + 1)%nat} @ int<i32>")]]
int test_switch_default(int i){
int o = i;
......@@ -53,7 +53,7 @@ int incr_less_than_5(int i){
[[rc::parameters("i : Z")]]
[[rc::args("i @ int<i32>")]]
[[rc::requires("{0 < i}", "{i + 3 < it_max i32}")]]
[[rc::requires("{0 < i}", "{i + 3 ≤ max_int i32}")]]
[[rc::returns("i @ int<i32>")]]
int duffs_identity(int i){
int o = 0;
......