A CIL Tutorial - Department of Computer Science - ETH Zürich
A CIL Tutorial - Department of Computer Science - ETH Zürich A CIL Tutorial - Department of Computer Science - ETH Zürich
CHAPTER 11. PROGRAM VERIFICATION 94 by integers and storing integers. Thus, the C expression *a is translated to M(a), and the i'th eld of array a is translated to M(a + i). Since attribute parameters will be used to express function pre- and post-conditions, and loop invariants, we also interpret syntax for universal quantication. The forall attribute parameter is parameterized by the quantied formula and the free variables of this formula. The free variables are added to the context, the attribute parameter for the quantied formula is translated to a Why3 term, and then we construct a Why3 term for the qualier. let rec term of attrparam (wc : wctxt) (ap : attrparam) : T.term = match ap with | AInt i → term of int i | ACons(n, [ ]) → T.t var (SM.find n wc.vars) | ACons("forall",apl) → term of forall wc apl | ACons("implies",[a; c]) → term of implies wc a c | AUnOp(uo, ap) → term of apuop wc uo ap | ABinOp(bo, ap1, ap2) → term of apbop wc bo ap1 ap2 | AStar ap → term of star wc ap | AIndex(base, index) → term of index wc base index (∗ The rest are unimplemented. See the exercises at the end of the section. ∗) | → Em.s(Em.error "Attrparam is not a term: %a" d attrparam ap) The function term of forall builds a Why3 term for our universal quantier annotation. The list of parameters to a forall ends with the formula we are quantifying over. We copy this last element of apl into fat. The rest of the elements of apl are the variables that we are quantifying over. We translate those strings into fresh Why3 symbols and store the list in vl. Next, we add the new symbols to the Why3 context after keeping a copy of the old map. Then, we translate fat in the new context, restore the old context, and then nally build the Why3 term for the quantier. and term of forall (wc : wctxt) (apl : attrparam list) : T.term = let fat = apl | > L.rev | > L.hd in let vl = apl | > L.rev | > L.tl | > L.map freshvar of ap in let oldm = wc.vars in wc.vars ← L.fold left (fun m (n, v) → SM.add n v m) oldm vl; let t = term of attrparam wc fat in wc.vars ← oldm; T.t forall close (L.map snd vl) [ ] t The function term of implies translates the antecedent and consequence, then constructs and returns the Why3 implication term. and term of implies (wc : wctxt) (a : attrparam) (c : attrparam) : T.term = let at = term of attrparam wc a in let ct = term of attrparam wc c in T.t implies at ct
CHAPTER 11. PROGRAM VERIFICATION 95 The functions term of apuop and term of apbop translate AUnOp and ABinOp attribute parameters into Why3 terms. and term of apuop (wc : wctxt) (u : unop) (ap : attrparam) : T.term = let te = term of attrparam wc ap in match u with | Neg → T.t app infer wc.ops.iminus op [(term of int 0); te] | LNot → T.t equ te (term of int 0) | BNot → Em.s (Em.unimp "Attribute BNot: £%a\n" d attrparam ap) and term of apbop (wc : wctxt) (b : binop) (ap1 : attrparam) (ap2 : attrparam) : T.term = let te1 = term of attrparam wc ap1 in let te2 = term of attrparam wc ap2 in match b with | PlusA | PlusPI | IndexPI → T.t app infer wc.ops.iplus op [te1; te2] | MinusA | MinusPI | MinusPP → T.t app infer wc.ops.iminus op [te1; te2] (∗ ... ∗) | → Em.s (Em.error "term of bop failed: %a %a %a\n" d attrparam ap1 d binop b d attrparam ap2) The function term of star translates a memory referene in an attribute parameter into a Why3 get operation of the address in the memory map of the Why3 context. and term of star (wc : wctxt) (a : attrparam) : T.term = let at = term of attrparam wc a in let mt = T.t var wc.memory in T.t app infer wc.ops.get op [mt; at] The function term of index is similar to term of star. First, though, we have to calculate the address by adding the index to the base pointer. and term of index (wc : wctxt) (base : attrparam) (index : attrparam) : T.term = let bt = term of attrparam wc base in let it = term of attrparam wc index in let addr = T.t app infer wc.ops.iplus op [bt; it] in let mt = T.t var wc.memory in T.t app infer wc.ops.get op [mt; addr] The function oldvar of ap nds the Why3 symbol for a variable in the context. let oldvar of ap (wc : wctxt) (ap : attrparam) : T.vsymbol = match ap with | ACons(n, [ ]) → SM.find n wc.vars | → Em.s(Em.error "Names only")
- Page 45 and 46: CHAPTER 5. INTERPRETED CONSTRUCTORS
- Page 47 and 48: CHAPTER 5. INTERPRETED CONSTRUCTORS
- Page 49 and 50: Chapter 6 Overriding Functions When
- Page 51 and 52: CHAPTER 6. OVERRIDING FUNCTIONS 49
- Page 53 and 54: References [1] Kumar Avijit, Pratee
- Page 55 and 56: CHAPTER 7. TYPE QUALIFIERS 53 let c
- Page 57 and 58: CHAPTER 7. TYPE QUALIFIERS 55 let w
- Page 59 and 60: CHAPTER 7. TYPE QUALIFIERS 57 $ cil
- Page 61 and 62: Chapter 8 Dependant Type Qualiers O
- Page 63 and 64: CHAPTER 8. DEPENDANT TYPE QUALIFIER
- Page 65 and 66: CHAPTER 8. DEPENDANT TYPE QUALIFIER
- Page 67 and 68: CHAPTER 8. DEPENDANT TYPE QUALIFIER
- Page 69 and 70: CHAPTER 8. DEPENDANT TYPE QUALIFIER
- Page 71 and 72: CHAPTER 8. DEPENDANT TYPE QUALIFIER
- Page 73 and 74: Chapter 9 Type Qualier Inference In
- Page 75 and 76: CHAPTER 9. TYPE QUALIFIER INFERENCE
- Page 77 and 78: CHAPTER 9. TYPE QUALIFIER INFERENCE
- Page 79 and 80: CHAPTER 9. TYPE QUALIFIER INFERENCE
- Page 81 and 82: CHAPTER 9. TYPE QUALIFIER INFERENCE
- Page 83 and 84: Chapter 10 Adding a New Kind of Sta
- Page 85 and 86: CHAPTER 10. ADDING A NEW KIND OF ST
- Page 87 and 88: CHAPTER 10. ADDING A NEW KIND OF ST
- Page 89 and 90: CHAPTER 10. ADDING A NEW KIND OF ST
- Page 91 and 92: CHAPTER 10. ADDING A NEW KIND OF ST
- Page 93 and 94: Chapter 11 Program Verication In th
- Page 95: CHAPTER 11. PROGRAM VERIFICATION 93
- Page 99 and 100: CHAPTER 11. PROGRAM VERIFICATION 97
- Page 101 and 102: CHAPTER 11. PROGRAM VERIFICATION 99
- Page 103 and 104: CHAPTER 11. PROGRAM VERIFICATION 10
- Page 105 and 106: CHAPTER 11. PROGRAM VERIFICATION 10
- Page 107 and 108: Chapter 12 Comments CIL has a very
- Page 109 and 110: CHAPTER 12. COMMENTS 107 let printC
- Page 111 and 112: References [1] Lin Tan, Ding Yuan,
- Page 113 and 114: CHAPTER 13. WHOLE-PROGRAM ANALYSIS
- Page 115 and 116: CHAPTER 13. WHOLE-PROGRAM ANALYSIS
- Page 117 and 118: CHAPTER 14. IMPLEMENTING A SIMPLE D
- Page 119 and 120: CHAPTER 14. IMPLEMENTING A SIMPLE D
- Page 121 and 122: CHAPTER 14. IMPLEMENTING A SIMPLE D
- Page 123 and 124: CHAPTER 14. IMPLEMENTING A SIMPLE D
- Page 125 and 126: CHAPTER 14. IMPLEMENTING A SIMPLE D
- Page 127 and 128: Chapter 15 Automated Test Generatio
- Page 129 and 130: CHAPTER 15. AUTOMATED TEST GENERATI
- Page 131 and 132: CHAPTER 15. AUTOMATED TEST GENERATI
- Page 133 and 134: CHAPTER 15. AUTOMATED TEST GENERATI
- Page 135 and 136: Index A (module), 10, 13, 15, 10, 1
- Page 137 and 138: INDEX 135 isCacheReportType, 11, 11
CHAPTER 11. PROGRAM VERIFICATION 94<br />
by integers and storing integers. Thus, the C expression *a is translated to M(a), and the i'th eld<br />
<strong>of</strong> array a is translated to M(a + i).<br />
Since attribute parameters will be used to express function pre- and post-conditions, and loop<br />
invariants, we also interpret syntax for universal quantication. The forall attribute parameter is<br />
parameterized by the quantied formula and the free variables <strong>of</strong> this formula. The free variables<br />
are added to the context, the attribute parameter for the quantied formula is translated to a Why3<br />
term, and then we construct a Why3 term for the qualier.<br />
let rec term <strong>of</strong> attrparam (wc : wctxt) (ap : attrparam) : T.term =<br />
match ap with<br />
| AInt i → term <strong>of</strong> int i<br />
| ACons(n, [ ]) → T.t var (SM.find n wc.vars)<br />
| ACons("forall",apl) → term <strong>of</strong> forall wc apl<br />
| ACons("implies",[a; c]) → term <strong>of</strong> implies wc a c<br />
| AUnOp(uo, ap) → term <strong>of</strong> apuop wc uo ap<br />
| ABinOp(bo, ap1, ap2) → term <strong>of</strong> apbop wc bo ap1 ap2<br />
| AStar ap → term <strong>of</strong> star wc ap<br />
| AIndex(base, index) → term <strong>of</strong> index wc base index<br />
(∗ The rest are unimplemented. See the exercises at the end <strong>of</strong> the section. ∗)<br />
| → Em.s(Em.error "Attrparam is not a term: %a" d attrparam ap)<br />
The function term <strong>of</strong> forall builds a Why3 term for our universal quantier annotation. The<br />
list <strong>of</strong> parameters to a forall ends with the formula we are quantifying over. We copy this last<br />
element <strong>of</strong> apl into fat. The rest <strong>of</strong> the elements <strong>of</strong> apl are the variables that we are quantifying<br />
over. We translate those strings into fresh Why3 symbols and store the list in vl. Next, we add the<br />
new symbols to the Why3 context after keeping a copy <strong>of</strong> the old map. Then, we translate fat in<br />
the new context, restore the old context, and then nally build the Why3 term for the quantier.<br />
and term <strong>of</strong> forall (wc : wctxt) (apl : attrparam list) : T.term =<br />
let fat = apl | > L.rev | > L.hd in<br />
let vl = apl | > L.rev | > L.tl | > L.map freshvar <strong>of</strong> ap in<br />
let oldm = wc.vars in<br />
wc.vars ← L.fold left (fun m (n, v) → SM.add n v m) oldm vl;<br />
let t = term <strong>of</strong> attrparam wc fat in<br />
wc.vars ← oldm;<br />
T.t forall close (L.map snd vl) [ ] t<br />
The function term <strong>of</strong> implies translates the antecedent and consequence, then constructs and<br />
returns the Why3 implication term.<br />
and term <strong>of</strong> implies (wc : wctxt) (a : attrparam) (c : attrparam) : T.term =<br />
let at = term <strong>of</strong> attrparam wc a in<br />
let ct = term <strong>of</strong> attrparam wc c in<br />
T.t implies at ct
Change language