An Interactive Way To C

The aim of this section is to introduce the Emacs controls that bring C to life within literate code.

Which code blocks are currently under focus is controlled by the command (currently-working-with "nameHere"), which produces a file nameHere.c that is used for the utility functions. If multiple blocks use the same filename, then the file is appended to. While reading this tutorial, bring/take code blocks in/out of focus by toggling between (currently-working-with "nameHere") and (not-currently-working-with "nameHere") —that is, simply prepend not-. Remember to undo such a toggle when you're done with a code block.

When no name is provided to [not-]currently-working-with, the name of the buffer is used.

Since C's #include is essentially a copy-paste, we can re-export other libraries from a make-shift ‘Prelude’.

// Artefacts so that exercises let the system progress as much as possible.
//
//@ predicate Exercise = \false;
//@ predicate FixMe = \false;
#define FixMeCode

// Tendency to require this header file to specfiy avoidance of overflow.
//
#include<limits.h>

We will continue to be (currently-working-with "Prelude") in the future to add more content. For now, we put the artefacts needed to let the exercises pass.

The use of \false is not the most appropriate, since its occurrence in a precondition vacuously makes everything true! This is something that should change.

The current setup produces only .c files, whence we use the prelude by declaring #include "Prelude.c". Forgive my use of a .c file in-place of a header file. The alternative is to force all code block names to end in a .c.

The assignment construct allows the creation of a statement with a variable x and an expression E. The assignment statement is written x = E;.

• Variables are identifiers which are written with one or more letters.
• Expressions are composed of variables, constants, and operator calls.
• Sometimes one notates assignment by x ≔ E even though it is invalid C code.

To understand the execution of an assignment, suppose that within the recesses of your computer's memory, there is a compartment labelled x. Obtain the value of E –possibly having to look up values of variables that E mentions– then erase the contents of x and fill the compartment with the newly obtained value.

The whole of the contents of the computer's memory is called a state. We also say “predicate R is the current state” as shorthand for: The current state is (non-deterministically) any variable-value assignment such that predicate R is true.

All in all, executing x ≔ E loads memory location x with the value of expression E; hence state R is satisfied after an assignment precisely when it is satisfied with variable x replaced by expression E. For example, wp (x ≔ x+1) (x = 5) ≡ (x+1 = 5).

wp (x ≔ E) R  ≡  R[x ≔ E]

Before being able to assign values to a variable x, it must be declared, which associates the name x to a location in the computer's memory. Variable declaration is a construct that allows the creation of a statement composed of a variable, an expression, and a statement. This is written {T x = e; p}, then variable x can be used in statement p, which is called the scope of variable x. ( When p has no assignments, functional programmers would call this statement a let statement since it lets x take on the value e in p. )

A sequence is a construct that allows a single statement to be created out of two statements p and q; it is written {p q}. The sequence is executed in state s by first executing p in state s thereby producing a new state s' in which statement q is then executed.

• The statement {p₁ {p₂ { ... pₙ } ...}} can also be written {p₁ p₂ ... pₙ}.

Usually a ‘;’ symbol is used in favour of a space, with braces, to yield,

wp (S₁;S₂) R  ≡  wp S₁ (wp S₂ R)

The pre-condition of the second statement becomes the post-condition of the first statement. Hence, we “push” along the post-condition into a sequence: In the upcoming swapping example, we read the proof steps from bottom to top!

Rendered pointfree, i.e., ignoring R, this rule becomes: wp (S₁;S₂) = wp S₁ ∘ wp S₂.

Recall that we need to ensure monotonicity is satisfied, and indeed: If R ⇒ R′, then

  wp (S₁;S₂) R
≡ wp S₁ (wp S₂ R)    -- Definition of wp on sequence
⇒ wp S₁ (wp S₂ R′)   -- Monotoncity for Sᵢ, twice; with assumption R ⇒ R′
≡ wp (S₁;S₂) R      -- Definition of wp on sequence

Neato!

Moreover, notice we have the useful ‘transitivity’ property for Hoare triples:

   {G} S₁ {R′}  ∧  {R′} S₂ {R}
≡  (G ⇒ wp S₁ R′)  ∧  (R′ ⇒ wp S₂ R)              -- Characterisation of wp
⇒ (G ⇒ wp S₁ R′)  ∧  (wp S₁ R′ ⇒ wp S₁ (wp S₂ R)) -- Monotonicity of wp
⇒ (G ⇒ wp S₁ (wp S₂ R))                           -- Transitivity of implication
≡  G ⇒ wp (S₁;S₂) R                               -- Definition of wp on sequence
≡  {G} S₁;S₂ {R}                                  -- Characterisation of wp

Exercise: Show that wp (x ≔ E; S) R ≡ (wp S R)[x ≔ E].

The “empty sequence” is denoted {} or just ; in the C language. It is also commonly known as the skip construct and its importance is akin to that of zero to addition.

wp skip R  ≡  R

The “do nothing” program skip is rendered as simple ; or as whitespace in the C language. This program does not alter the state at all, thus it truthifies R precisely when R was true to begin with.

Most often this appears in a weakening/strengthening form,

...code here...
//@ assert P;
//@ assert Q;
...code here...

Where P ⇒ Q is provable.

More concretely,

/*@ requires 3 < a < 9;
  @ ensures  -20 <= \result <= 99;
  */
int using_skip(int a)
{
  //@ assert our_strong_pre:         3 < a < 9;
  //@ assert weakened_intermediary: -7 <= a <= 14;
  //@ assert weakening_futher:     -20 <= a <= 99;
  return a;
}

Woah! It looks like the identity function somehow transforms input satisfying 3 < x < 9 to input satisfying -20 ≤ x ≤ 99. Wait, the former implies the latter and that's just the definition of wp on skip.

The above example suggests the following calculation,

   (G′ ⇒ G)  ∧  {G} S {R}  ∧  (R ⇒ R′)
≡  (G′ ⇒ G)  ∧  (G ⇒ wp S R)  ∧  (R ⇒ R′) -- Characterisation of wp
⇒ (G′ ⇒ wp S R)  ∧  (R ⇒ R′)              -- Transitivity of implication
⇒ (G′ ⇒ wp S R)  ∧  (wp S R ⇒ wp S R′)    -- Monotonicity of wp
⇒ (G′ ⇒ wp S R′)                          -- Transitivity of implication
≡  {G′} S {R′}                            -- Characterisation of wp

That is, strengthening the precondition or weakening the post-condition leaves a Hoare triple valid. In some industry circles –e.g., C#–, this is referred to as contravariance (antitone) in the input and covariance (monotone) in the output.

For example, if G′, G, R, R′ were classes such that G′ is a subclass of G and R is a subclass of R′, then the program S takes an input of type G yielding an output of type R′. However, any input of type G′ can be cast into the parent-class type G and, likewise, R objects can be cast into the parent-type R′. Thus, program S can also take the type of G′ to R′.

Writing <: for ‘sub-type’, or ‘sub-class’, we have argued,

Provided    G′ <: G  and R <: R′
Then
       G → R  <:  G′ → R′

It is now easier to see that the second argument of function-type former ‘→’ stays on the same side of the <: symbol, whereas it is flipped for the first argument.

Completely unrelated –or not– a nearly identical property holds for implication: If G′ ⇒ G and R ⇒ R′ then (G ⇒ R) ⇒ (G′ ⇒ R′). How coincidental … or not! \\ ( Foreshadowing: Curry-Howard Correspondence! )

Anyhow, this strengthening-weakening law will be useful when computing the wp of a statement directly is difficult –and possibly unhelpful– but we have a stronger precondition and so it suffices to use that. ( Foreshadowing: Loops! )

Before we close, here is an exercise to the reader: An alternate proof of the above law.

   (G′ ⇒ G)  ∧  {G} S {R}  ∧  (R ⇒ R′)
≡  {G′} skip {G} ∧ {G} S {R} ∧ {R} skip {R′}    -- ???
⇒ {G′} skip; S {R} ∧ {R} skip {R′}             -- ???
⇒ {G′} skip; S; skip {R′}                      -- ???
≡  {G′} S {R′}                                  -- skip is no-op & can be removed.

The last hint in the above calculation deserves some attention.

1. Rendered pointfree, i.e., ignoring R, the skip rule becomes: wp skip = id.
   • Where id is the identity function: id(x) = x.
2. “Program Equality”: Say S ≈ T precisely when wp S = wp T.
   • Two programs are considered equal precisely when they have the same observational behaviour –i.e., can satisfy the same set of post-conditions R.
3. Identity of Sequence Theorem: S ; skip ≈ S ≈ skip ; S.
4. Likewise, define wp abort R ≡ false – i.e., abort is a program that crashes on any input.
5. Zero of Sequence Theorem: S ; abort ≈ abort ≈ abort ; S.

To avoid having to write the verbose \at(x, Pre) to refer to the value of a variable x before method execution, we may use a ghost variable: A variable whose purpose is only to make the assertions provable, and otherwise is not an execution-relevant variable.

#include<limits.h>

/*@ requires \valid(x) && \valid(y);
  @ requires INT_MIN < *x + *y < INT_MAX;
  @ requires \separated(x, y); // Exercise: It's a swap, why is this needed?
  @ assigns *x, *y;
  */
void swap(int *x, int *y)
{
  //@ ghost int X = *x;
  //@ ghost int Y = *y;

  //@ assert  *y == Y  && *x == X;
  //@ assert  *y == Y  && (*x + *y) - *y == X;
  *x = *x + *y;
  //@ assert  *y == Y  && *x - *y == X;
  //@ assert  *x - (*x - *y) == Y  && *x - *y == X;
  *y = *x - *y;
  //@ assert  *x - *y == Y  && *y == X;
  *x = *x - *y;
  //@ assert  *x == Y  && *y == X;

  // 𝓢𝓽𝓪𝓻𝓽 upwards reading from here;
  // each assertion is obtained by the assigment, skip, and sequence rules.
}

Here is a more complicated exercise that also makes use of external functions…

#include "Prelude.c"

#define RAND_MAX 32767

/*@
  @ assigns \nothing;
  @ ensures 0 <= \result <= RAND_MAX;
*/
int rand();

/*@ requires min <= max;
  @ requires min + RAND_MAX < INT_MAX;
  @ requires max - min < INT_MAX;
  @ assigns \nothing;
  @ ensures min <= \result <= max;
*/
int random_between(int min, int max)
{
  int it = rand();
  //@ assert weakening: 0 <= it <= RAND_MAX;
  //@ assert assignment_rule_again: FixMe;
  it = it % (max - min + 1);
  // @ assert simplify: FixMe;
  // @ assert assignment_rule: FixMe;
  it = it + min;
  // @ assert min <= it;

  // Start at the bottom, and push assertion upwards!
  // The assertion names are also intended to be read upwards;
  // Each justifies how it was obtained.

  return it;

  // That is,
  // return (rand() % (max - min + 1)) + min;
}

A test is a statement formed from a Boolean expression and two statements; it is written \\ if (b) p else q –sometimes a ‘then’ keyword is used for readability, but such is not valid C code. This is executed in a state by evaluating the Boolean then deciding which branch to execute in the same state.

wp (if B then S₁ else S₂) R  ≣  if B then wp S₁ R else wp S₂ R
                             ≡ (B ⇒ wp S₁ R) ∧ (¬ B ⇒ wp S₂ R)

A conditional ensures R precisely when its branches each ensure R.

Observe the following calculation,

   { G } if B then S₁ else S₂ { R }
≡  G ⇒ wp (if B then S₁ else S₂) R         -- Characterisation of wp
≡  G ⇒ (B ⇒ wp S₁ R) ∧ (¬ B ⇒ wp S₂ R)     -- Definition of wp on conditional
≡  (G ⇒ B ⇒ wp S₁ R) ∧ (G ⇒ ¬ B ⇒ wp S₂ R) -- Characterisation of meets
≡  (G ∧ B ⇒ wp S₁ R) ∧ (G ∧ ¬ B ⇒ wp S₂ R) -- Shunting
≡  {G ∧ B} S₁ {R}  ∧  {G ∧ ¬ B} S₂ {R}     -- Characterisation of wp

That is, Hoare triples on a conditional ‘distribute’ into the branches with each branch precondition obtaining the branch guard.

A loop is a construct formed from a Boolean expression and a statement; it is written while (b) p. A loop is one of the ways in which we can express an infinite object –which may fail to terminate– using a finite expression. Indeed, its executional behaviour can be understood by realising it as a shorthand for the expression

if (b) {p if (b) {p if (b) ...
                    else skip}
          else skip}
else skip

Where skip is the fictional statement that performs no action when executed.

To understand the semantics of the loop:

1. Let giveup, terminate be aliases for abort and skip.

2. Recalling that a loop is a shorthand for an infinite nesting of conditionals, we try to approach it as a limit of finite approximations.

        while (b) q  ≈  limₙ pₙ
   
     Where:
     p₀ = if (b) giveup else terminate
     p₁ = if (b) {q ; if b giveup else terminate} else terminate
     ⋯
     pₙ₊₁ = if (b) {q; pₙ} else terminate;
   

3. The statement pₙ tries to execute the statement while (b) q by completing a maximum of n trips through the loop. If, after n loops, it has not terminated on its own, it gives up.

4. If the loop terminates in m trips, it also terminates in n ≥ m trips.

   • ∀ m. pₘ defined ⇒ ∀ n ≥ m. pₙ defined
   • ∀ m. pₘ defined ⇒ ∀ n ≥ m. pₙ ≈ pₘ

   Where ‘defined’ means it terminates without aborting.

5. Hence, by these two claims, we know that the sequence pₙ either never defined or it is defined beyond a certain point, and in this case, it is constant over its domain.
6. Hence: while(b) q ≈ limₙ pₙ.

The definition of ‘wp’ for loops is complicated and generally unhelpful, however from it we can prove the so called “Invariance Theorem”: If a property is maintained by the body of the loop and there is an integral value expressed using the body's variables that starts out non-negative and is decreased by each loop pass, then the loop will terminate and the property it maintained will be true.

   {Inv ∧ B ∧ bf = c} S {Inv ∧ bf < c}
⇒
   {Inv ∧ bf ≥ 0}  while(B) S  {¬B ∧ Inv}

A property that is maintained to be true throughout the loop is referred to as an invariant. In contrast, a value that changes through every pass –such as the number of passes remaining, the bf– is known as a variant.

In Frama-C rendition,

/*@ loop invariant ⋯  // property that is maintained by the loop body
  @ loop assigns ⋯    // variables that are altered by the loop body
  @ loop variant ⋯    // a bound on the total number of loops
  */
while(B) S;

Incidentally the primary function of the assigns clause is that variables its does not mention essentially have the invariant property of being equal to their value before the loop. That is, the assigns clause reduces clutter regarding constants from the invariant!

#include<limits.h>
/*@ requires N >= 0;
  @ requires N * (N + 1) /2 < INT_MAX;
  @ assigns \nothing;
  @ ensures \result == N * (N + 1) / 2;
  */
int euclid(int N)
{
  int sum = 0; int n = 0;
  //@ assert invariant_intially_estabished: 2 * sum == 0 * (0 + 1);

  /*@ loop invariant main_item: sum == n * (n + 1) / 2;
    @ loop invariant always_in_range: 0 <= n <= N;
    @ loop invariant range_for_sum: 0 <= sum;
    // Exercise: Why can we comment out the following two lines?
    @ loop invariant no_overflow1: n < INT_MAX;
    @ loop invariant no_overflow2: sum <= INT_MAX;
    @ loop assigns n, sum;
    @ loop variant N - n;
   */
  while(n != N)
  {
    //@ assert sum + n < INT_MAX;
    n   = n + 1;
    //@ assert sum + n <= INT_MAX;
    sum = sum + n;
    //@ assert sum <= INT_MAX;
  }
  //@ assert invariant_and_not_guard: n == N  &&  sum == n * (n + 1) / 2;
  //@ assert post_condition:    sum == N * (N + 1) / 2;
  //         rewrite_post:  2 * sum == N * (N + 1);  // Not true, due to ‘rounding’!

  return sum;
}

   sum ≤ INT_MAX
≡  n * (n + 1) / 2 ≤ INT_MAX                     --  ???
⇐ n * (n + 1) / 2 ≤ N * (N + 1) / 2 ≤ INT_MAX   --  Transtivitity of ≤
≡  N * (N + 1) / 2 ≤ INT_MAX                     --  ???
≡  true                                          --  ???

Here's a simple exercise,

#include<limits.h>

/*@ requires a + 10 < INT_MAX;
  @ ensures \result == \old(a) + 10;
 */
int look_ma_no_new_locals(int a)
{
  //@ ghost const int A = a;

  int i;                   // So we can refer to this ‘i’ *after* the loop.
  /* // @ loop assigns ???;         // Fix me.
    @ loop invariant a == 666;      // Fix me.
    @ loop invariant 0 <= i <= 10;
    @ loop variant   666;           // Fix me.
    @*/
  for(i = 0; i != 10; i++) a++;
//@ assert after_loop_guarantees: i == 10  && a == A + i;
//@ assert weakening_previous_gives: a == A + 10;
  return a;
}

Warning Without the loop assigns, you are more likely to have trouble proving a loop is correct!

Now a bit harder…

#include<limits.h>

/*@ assigns \nothing;
  @ ensures 0 <= \result <= 1;
 */
int random_bool(); // { return random_between(0, 1); }

/*@ requires \valid(it);
  @ requires *it + max <= INT_MAX;
  // @ requires FixMe -- a property on `max`;
  // @ assigns FixMe;
  @ ensures  \old(it) <= it <= it + max;
  */
void increment_randomly(int *it, int max)
{
   /*@ loop assigns i, *it;
     @ loop invariant *it == \at(*it, Pre) + i;
     // @ loop invariant range_of_i: FixMe;
     // @ loop variant FixMe;
    */
   for(int i = 0; i != max && random_bool(); i++) (*it)++;
}

Our invaraints were getting out of hand, the trouble can be mitigated by defining our own predicates rather than just using the built in ones. However, such definitions must be functional in nature: They do not produce side-effects, such as altering state. Moreover, they are generally parameterised by a label that refers to the C memory state in which they would be invoked –within the definition we cannot however reference the special labels Here, Pre, Post. Otherwise parameter passing is by value as in C.

The predicate keyword declares Boolean values functions:

/*@ predicate name_here {Label₀, …, Labelₖ} (type₀ arg₀, …, typeₘ argₘ) =
  @ // A Boolean valued relationship between all these things.
  */

// An integer memory location remains unaltered between given program points.
//
/*@ predicate unchanged{L0, L1} (int *i)   =  \at(*i, L0) == \at(*i, L1);
 */

int main()
{
  int i = 13, j = 12;

  DoSomeWork:
  j = 32;

  //@ assert unchanged{DoSomeWork, Here}(&i);

  return 0;
}

More usefully, there is the need to ensure a given integer is indeed a non-negative length of an array.

/*@ predicate valid_array(int* arr, integer len) =
  @ 0 <= len && \valid(arr + (0 .. len - 1));
 */

Notice that we did not specify a memory label. That's okay, one is provided for us and the entire definition is considered to transpire at that memory location. In particular, unlike the previous example, we cannot refer to distinct memory locations –after all we haven't named any! At the call site, the implicit memory location would be Here thereby referring to the current memory state –however we may still explicitly provide a different label at the call site.

Predicates must be either true or false, but logic functions are methods that can be invoked in our specifications –you may have noticed that C methods cannot be called in a specification, which is reasonably since they may produce side-effects! Since assignment, sequence, and loops rely on side effects they now suddenly become useless and our definitions must rely on recursion. Such logical functions generally need not worry about runtime issues such as overflow –which however must be handled at the call site, if need be.

/*@ logic return_type function_name {Label₀, …, Labelₖ} (type₀ arg₀, …, typeₘ argₘ) =
  @  // A formula using the arguments argᵢ, possibly at labels Labelᵢ
 */

//@ logic integer factorial(integer n)  =  (n <= 0) ? 1 : n * factorial(n-1);

If we wrote a program that contained many occurrences to factorial then the definition would need to be invoked each time. If the occurrences all happened, for example, on the same input, say 12 –any larger would be an unsigned int overflow– then it might make matters faster if we simply had that as a lemma that is proven once and used many times by the underlying provers. Indeed this can be accomplished by using the lemma phrase, and this can be done for any property.

//@ lemma name_of_property {Label₀, …, Label₀}:  property_here ;

For example,

//@ lemma lt_plus_lt: \forall integer i,j; i < j ==> i + 1 < j + 1;

Sometimes a proof may take too long to be proven, or it cannot be proven with the back-end provers, and, moreover, we do not wish to bother with its proof directly. In such cases, we may tell Frama-C to trust our judgement and take our word for it –if we're not careful, our ‘word’ may lead us to conclude false = true!

/*@ axiomatic my_axioms {
  @ axiom antisymmetry: \forall integer i, j; i <= j <= i  ==>  i == j;
  @ }
*/

Unlike lemmas, which require a proof, axioms are simply assumed to be true. It is the responsibility of the user to ensure no inconsistencies arise, as in:

//@ axiomatic UhOh{ axiom false_is_true: \false; }

int main()
{
  // Examples of proven properties

  //@ assert \false;
  //@ assert \forall integer x; x == 31;
  //@ assert \false == \true;
  return 0;
}

However, axiomatic definitions of recursive functions are useful since the underlying provers do not unroll the recursion when possible –after all, we are simply declaring the type of a function and some properties about it, which incidentally, happen to be its defining equations.

/*@ axiomatic Factorial
  {
     logic integer factorial(integer n);

     axiom factorial_base: \forall integer i;  i <= 0  ==>  factorial(i) == 0;
     axiom factorial_inductive:
          \forall integer i; i >  0  ==>  factorial(i) == i * factorial(i - 1);
  }
*/

A small subtlety is that access to memory locations must be specified in the function headers, for example:

/*@ axiomatic is_constant
  {
     predicate constant{L}(int * a, integer b, integer e, integer val) reads a[b .. e-1];

     axiom constant_empty{L}:
       \forall int * a, integer b, e, val; b >= e  ==> constant{L}(a, b, e, val);

     axiom constant_non_empty{L}:
       \forall int * a, integer b, e, val; b < e ==>
          ( constant{L}(a,b,e, val)  <==>  constant{L}(a,b,e-1, val) && a[e-1] == val );
  }
*/

Functions permit abstraction over program design since parts may be constructed independently and also promotes avoidance of repetition.

Unlike functional languages where the result of a function is the final term in its body, imperative languages signal result values by the return keyword; which immediately stops execution of the function regardless of the keyword's position.

Functions which return no value but instead perform some effectful action, i.e., are procedures, are marked with the void keyword in-place of a return type –surprisingly, this ‘return type’ is not a type at all! One cannot declare a variable of type void.

Function calls that yield a value are terms whereas those that do not constitute statements.

#include<stdio.h> // for IO

int  f(){ return 3;}
void g(){ printf("g(): Hello There!"); }

int main()
{
  // Valid invocations
  int x = f();
  f();           // Bad form! Result is discarded.
  g();

  // T y = g(); // Type error! No possible type T!
  return 0;
}

A program is an sequence of global variables, function declarations, then a special function called main. Since sequences are ordered, all names are declared before use! In C, main usually exits with return 0. Global variables tend to pollute the namespace and are more trouble than they're worth, so we shall ignore them –however they are already included by default since assignment is a top-level construct. Incidentally, function declarations with no arguments may be used to simulate global constants.

Note that C does not permit function overloading. Moreover, C uses the same namespace for methods as well as simple variables –which in is not the case in, say, Java which permits naming a method f and a variable f to obtain the valid invocation f(f)!

int it(int x){ return x; }
int it = 5;
int maybe = it(it);

Look at the definition of abs below and notice:

• Frama-C contracts are comments beginning with an @ symbol and concluded with a ; symbol.
• The post-condition is introduced with the ensures clause; which may contain the \result keyword to refer to the returned value of the method.
• We may combine multiple ensures clauses by using conjunction &&, or have them on separate lines. We may also use implication ==>, disjunction ||, negation !, value equality ==, and Boolean equivalence <==>.
  • Notice that implication: A ==> B informs that when A is true then so is B, and if A is false then we don't care and consider the whole thing to be true.
• Notice that we may name our conditions, which is helpful to remind us of their purpose as well as being helpful in the frama-c output.

/*@ ensures always_nonnegative: \result >= 0;
  @ ensures val > 0  ==>  \result == val;
  @ ensures val < 0  ==>  \result == -val;
 */
int abs(int val)
{
  return (val < 0) ? -val : val;
}

Pressing F9, you will notice that we are also checking for runtime errors by using the RTE plugin whose goal is to ensure the program cannot create runtime errors such as integer overflow, invalid pointer dereferencing, division by 0, etc.

In our case, we have runtime problems that do not crash but instead produce logical errors: The return value of abs is not positive! Indeed, in addition to the above block, add focus to the following block by removing the prefix -not, then run the code with F6 to see the output. –Remember to undo this alteration when you're done, otherwise the next invocation to frama-c will take a while dealing with printf!

#include<stdio.h>   // for IO
#include<limits.h>  // bounds on integers
#include<math.h>

int main()
{
  // Our implementation is faulty..
  printf("    INT_MIN      = %d\n", INT_MIN);
  printf("abs(INT_MIN)     = %d\n\n", abs(INT_MIN));

  printf("    INT_MIN + 1  = %d\n", INT_MIN+1);
  printf("abs(INT_MIN + 1) = %d\n\n", abs(INT_MIN+1));

  // Using standard library works..
  printf("fabs(INT_MIN)    = %.0f", fabs(INT_MIN));

  return 0;
}

The WP plugin forms the necessary proof obligations to ensure the program meets its specification, simplifies them using a module called Qed, then asks a prover such as Alt-Ergo whether the obligation is provable or not. Sometimes a property is not verified for two possible reasons:

1. There is not enough information –e.g., given assumptions– for the proof to go through.
2. The proof search timed-out –which can be configured.

In this section we step back a little to get more comfortable with requires preconditions and ensures postconditions. Moreover, we use this time to remind ourselves of some elementary logic. After all, we use logic to express properties and hope Frama-C can verify them.

In some sense false, true behave for the 𝔹ooleans as -∞, +∞ behave for the ℕumbers.

Using this correspondence we can rephrase the “Golden Rule” p ∧ q ≡ p ≡ q ≡ p ∨ q as the following trivial property x ↓ y = x ≡ y = x ↑ y –“The minimum of two numbers is the first precisely when the second is their maximum.” Neat Stuff!

#include "Prelude.c"
/*@ requires uhOh: a < 0 && a > 0;
  @ ensures  what: Exercise: FixMe;
  */
int id(int a){ return a;}

#include "Prelude.c"
/*@ requires Exercise: FixMe;   // <-- Change this false positive.
  @ ensures \true;
  */
int id(int a){ return a; }

#include "Prelude.c"
/*@ requires \true;
  @ ensures UpperBound: a <= \result  &&  b <= \result;
  @ ensures Exercise: Selection1: FixMe  ==> \result == b;
  @ ensures Exercise: Selection2: FixMe  ==> \result == a;
  @*/
int max(int a, int b)
{
  return a < b ? b : a;
}

#include "Prelude.c"
#define max(a,b) (a < b ? b : a)   // Ignore me.

/*@ requires max(a, b) <= c;
  @ ensures a <= c  &&  b <= c;
  @*/
void case_analysis(int a, int b, int c)
{
  FixMeCode;
}

Since function calls may alter memory state, the computation of a term may now not only produce a value, as before, but also alter the state altogether. ( Foreshadowing: The assigns ACSL keyword! )

Since a return interrupts executation, the sequence computation rule wp (S₁;S₂) = wp S₁ ∘ wp S₂ is no longer valid when the execution of S₁ causes the execution of a return thereby necessitating that S₂ is not executed. As we have already seen, we keep the rule valid by simply defining wp U R ≡ true for any unreachable code U –as is S₂ when S₁ has a return.

That is, unreachable assertions are always ‘true’: They are never in a memory state, and so cannot even be evaluated, let alone be false!

int main()
{
  goto End;
  //@assert my_cool_nonsense: 0 == 1;    // This is unreachale but ‘true’.

  End:
  return 0;
}

Likewise with infinite loops,

int main()
{
  while(1 > 0);
  //@assert my_cool_nonsense: 0 == 1;    // This is unreachale but ‘true’.
  return 0;
}

That is, Frama-C considers ‘partial correctness’: A specification is satisfied, provided it terminates.

In addition, since imperative expressions can modify memory, considerations must be given to the fact arguments of a function are evaluated from left to right. For example, suppose x,y are imperative constructions yield integers, then x + y and y + x are not guaranteed to produce the same behaviour!

#include<stdio.h> // for IO

int f(){ printf("\nf(): Hello with Four!");  return 4;}
int g(){ printf("\ng(): Hello with Three!"); return 3;}

int main()
{
  int result;

  // The output to the screen changes,
  // even though the *value* of result does not.
  result = f() + g();
  printf("\n---");
  result = g() + f();

  return 0;
}

The C language does not specify the order of evaluation of function arguments –albeit it is usually left-to-right–, and it is up to the programmer to write programs whose result does not depend on the order of evaluation.

Exercise: Produce a Frama-C checked variant of this example. Remember to remove all printf's!

Applying the definition of wp to the body of the following swap gives us wp swap = id, thereby demonstrating that this swap does not change the values of two variables!

void swap(int a, int b){ int c; c = a; a = b; b = c; }

The default mechanism of argument passing is that of pass by value: Only values are sent to function bodies, which cannot alter the original variables. Indeed, what should swap(x+y, 2) perform if it were to “alter the given variables”?

To say that two distinct variables share the same location in memory requires us to formally introduce a notion of location that variables may reference. Rather than introduce a new such type, C makes the convention that certain numeric values act –possibly dual roles– as reference locations.

Hence we can associate variables to references which are then associated to values. That is, a state now consists of two pieces: An environment mapping variables to references and a memory state mapping references to values. The key insight is that the environment may be non-injective thereby associating distinct variables to the same reference thereby permitting them to alter the shared value. Incidentally, the shared value can be thought of as a buffer for message passing between the two variable agents. Neato!

In C, passing by reference is not a primitive construct, but it can be simulated. The type of references that can be associated with a value of type T in memory is written T* in C. Incidentally, the dereference operator is written * in C. For example, in environment u ↦ r₁ and memory state r₁ ↦ r₂, r₂ ↦ 4 we have that u has value r₂ whereas *u has value 4. That is, u is a reference value at location r₁ having contents r₂, which when dereferenced refer to the value contained in location r₂ which is 4.

The reference associated with variable x in a C environment is written &x. E.g., in environment x ↦ r and memory state r ↦ 4, the value of x is the integer 4 whereas the value of &x is the reference r. Moreover, the value of *&x is the integer 4.

&_ : ∀{T} →  Variable T → Reference T   -- “address of”
*_ : ∀{T} → Reference T → T             -- “value of”

-- Using ‘value equality’:
Inverses:  ∀ a : Var T.  *&a   ≈ a
Inverses:  ∀ r : Ref T.  &(*r) ≈ r

void understanding_references()
{
  int  a = 4;    // integer a refers to 4
  int* x = &a;   // integer reference x refers to the location of a

  // Facts thus far
  //
  //@ assert a_is_a_number: a == 4;
  //@ assert x_points_to_a: *x == a == 4;
  //@ assert x_is_a_location: x == &a;

  // The inverse law: a == *(&a).
  //
  //@ assert x_points_to_a: *x == a == 4;
  //@ assert x_is_a_location: x == &a;
  //@ assert equals_for_equals: *(&a) == *x == a;

  // The inverse law: &(*x) == x
  //
  //@ assert x_points_to_a: *x == a == 4;
  //@ assert x_is_a_location: x == &a;
  //@ assert equals_for_equals: &(*x) == &a == x;

}

If t is an expression of type T* then the C language has the assignment construct *t = u: The reference of t is now associated with the value of u. The notation alludes to this executional behaviour: The contents of t, i.e., *t, now refer to the value of u.

For example, *&x = u has the same behaviour as the assignment x = u.

#include<stdio.h> // for IO

// x and y themselves cannot be assigned to: They're constant.
// I.e., assignments “x = t” are forbidden, but “*x = t” are permitted.
// This makes the compiler complain if we accidently made that assignment instead.
//
// However, “const int* x” works in the opposite: x=t okay, but not *x=t.
// Declaration “const int* const x” prevents both types of assignments.
void swap(int* const x, int* const y)
{
  int z;
  z  = *x; // z gets the value referenced to by x
  *x = *y; // the location x references now gets the value referenced by y
  *y =  z; // the location y references now gets the value z
}

int main()
{
  int x = 5, y = 10;
  swap(&x, &y);         // Note that the function is applied to the references.
  printf("x = %d, y = %d", x , y);
  return 0;
}

Since methods may alter state, thereby producing side-effects, it becomes important to indicate which global and local variables a method assigns to –that way its effects are explicit. We use the assigns clause to declare this. Unless stated otherwise, WP assumes a method can modify anything in memory; as such, the use of assigns becomes almost always necessary. When a method has no side-effects, thereby not assigning to anything, we may declare assigns \nothing.

/*@ requires \valid(a) && \valid(b);
  // @ assigns *a, *b;
  @ ensures *a == \old(*b);
  @ ensures *b == \old(*a);
  */
void swap(int *a, int *b)
{
  int tmp = *a;
  *a = *b;
  *b = tmp;
}

Notice that the following block fails to prove all goals –comment out the assigns clause below and re-check … still no luck! This can be fixed by un-commenting the assigns clause above.

int h = 12; // new global variable!

//@ assigns \nothing;  // In particular, this method does not alter “h”.
int main()
{
  int a = 1; int b = 2;

  //@ assert h == 12;
  swap(&a, &b);
  //@ assert h == 12;
  return 0;
}

Finally it is to be noted that assigns do not occur within a behavior –it occurs before by declaring all variables that may be altered, then each behavior would include a clause for the unmodified variables by indicating their new value is equal to their \old one.

The raison d'être of pointers is to be able to have aliases for memory locations. When the pointers refer to simple data, we may act functionally in that we copy data to newly allocated memory locations. However, sometimes –such as when we program with linked lists– copying large amounts of data is unreasonable and we may simply want to alter given pointers directly. When the given pointers are identical then an alteration to one of them is actually an alteration to the rest!

When we program with lists, we shall see that if we catenate two lists by altering the first to eventually point to the second then it all works. However, if we catenate a list with itself then the resulting alteration is not the catenation of the list with itself but instead is an infinite cycle of the first list! –We'll see this later on.

Here is a simpler example,

#include<limits.h>

/*@ requires \valid(fst) && \valid_read(snd);
  @ requires no_flow: INT_MIN <= *fst + *snd <= INT_MAX;
  // @ requires \separated(fst, snd);
  @ assigns *fst;
  @ ensures uhOh: *fst == \old(*fst) + *snd;
  */
void increment_first_by_second(int *fst, int const *snd)
{
  *fst += *snd;
}

Notice since we're only assigning to *fst, we need not explicitly state ensures *snd == \old(*snd). However, in the event that fst and snd both point to the same memory location, then we actually are assigning to both! As such the final ensures is not necessarily true either!

We need to uncomment the separated declaration: The memory locations are distinct.

Notice that in the final call below, since the pre-condition to increment_first_by_second fails, we have breached its contract and therefore no longer guarenteed the behaviour it ensures. Since the contract does not tells what happens when we breach it, anything is possible and so anything is “true”!

int main()
{
  int life = 42, universe = 12;

  int *this = &life;
  int *new  = &universe;

  //@ assert *this == 42  && *new == 12;
  increment_first_by_second(this, new);
  //@ assert *this == 42 + 12  && *new == 12;   // Yay!

  int *that = &life;  // uh-oh!

  //@ assert *this == 54  && *that == 54;
  increment_first_by_second(this, that);
  //@ assert *this == 54 + 54  && *that == 54;   // Nope...?
  //@ assert 1 == 0;                             // Notice everything is now “true”!

  return 0;
}

We may invoke \separated(p₁, …, pₙ) to express the pointers pᵢ should refer to distinct memory locations and therefore are non-overlapping.

As a matter of abstraction, or separation of concerns, a program may be split up into an interface of declarations –a ‘header’ file– and an implementation file. Frama-C permits this approach by allowing us to use a specification of a declared method, which it assumes to be correct, and so we need to verify its precondition is established whenever we call it. In some sense, for proof purposes, this allows us to ‘postulate’ a correct method and use it elsewhere –this idea is very helpful when we want to use an external libary's methods but do not –or cannot– want to prove them.

#include<limits.h>

/*@ requires val > INT_MIN;
  @ assigns \nothing;
  @ ensures always_non_negative: \result >= 0;
  @ ensures non_negative: 0 <= val ==> \result == val;
  @ ensures negative: val < 0  ==> \result == -val;
  @ */
int abs(int val);

/*@ assigns \nothing;
  @ ensures UpperBound: a <= \result  &&  b <= \result;
  @ ensures Selection1: a <= b  ==>  \result == b;
  @ ensures Selection2: b <= a  ==>  \result == a;
  @*/
int max(int a, int b);

// Uncomment this to observe proof obligations failing.
//
// int max(int a, int b){ return 5; }

/*@ requires inherited_from_abs: a > INT_MIN  && b > INT_MIN;

  @ assigns \nothing;

  @ ensures always_non_negative: inherited_from_abs: \result >= 0;

  @ ensures upper_bound: inherited_from_max:
         \result >= a && \result >= -a    // ≈ result ≥ |a|
      && \result >= b && \result >= -b;   // ≈ result ≥ |b|

  @ ensures selection: inherited_from_max:
          \result == a || \result == -a
       || \result == b || \result == -b;
*/
int abs_max(int a, int b)
{
  return max(abs(a), abs(b));
}

• Recall that a variable declaration associates the variable with a reference to the variable in memory –i.e., it's address–, moreover this reference is associated a value for the variable.
• Record variables declared without a value are given the special default value null.
• In Java, a record variable's reference is not directly associated with a record in memory! It is usually associated with null or another reference.

To associate a record with a variable, we need to create memory large enough to contain the record contents. Some languages use the keyword new to accomplish this task: Create a new reference and associated it with the record variable being defined.

For example, in Java,

class Pair
{
  int fst;
  int snd;
}

Pair p = new Pair();

The resulting environment is p ↦ r and the resulting memory state is r ↦ r', r' ↦ {fst = 0, snd = 0}. Note that default values are used.

• A reference that was added to memory by the construct new is called a cell.
• The set of memory cells is called a heap.
• The operation that adds a new cell to the memory state is called allocation.

Interestingly in C the creation of records does not allocate cells and so there is no need for the new keyword. Indeed record variables cannot ever have the value null. C directly associates a variable with a reference which has the record contents as its value. That is, C has one less level of indirection than is found in Java. E.g., struct Pair p = {2, 3}; gives us environment p ↦ r and memory state r ↦ {fst = 2, snd = 3}, whereas Java would have p ↦ r′ in the environment and r′ ↦ r additionally in the memory state That is to say, records in Java correspond to references to records in C and so Java access notation r.f is rendered in C as (*r).f.

Remember that references are themselves first-class values and it is possible for a reference to be associated to another reference.

Records are usually handled using four constructs:

• Defining a record type; e.g., using class or struct.
• Allocating a cell; e.g., using new or malloc.
• Accessing a field; e.g., myRecord.myField.
• Assigning to a field; e.g., myRecord.myField = myValue.

Understanding records in a language is thus tantamount to understanding these fundamental basics. E.g., in functional languages, assignment to a field is essentially record copying or, more efficiently, reference redirection. Incidentally, neither Haskell nor Agda make use of the new keyword: Declarations must be accompanied by initialisation which indicate the need for cell allocation –consequently there is no need for a null value. The use of new may be used for careful efficiency optimisations, or memory management –which is rarely brought to the forefront in functional languages.

The act of assigning to each field of a record is so common that they are usually placed into a so-called constructor method.

Arrays are essentially records whose labels are numeric and all labels have the same type. The number of fields of an array is determined during allocation of the array, and not during the declaration of its type, as is the case with records. This trade-off makes arrays more desirable in certain contexts.

The fields are usually numbered 0 to n-1, where n is the number of fields.

Once an array is allocated, its size cannot be changed. –Stop & think: Why not?

• Arrays of type T are denoted by T[] in C/Java.
  • Matrices, or arrays of arrays, are denoted by T[][] with access by T[i][j].

C arrays, like records, are not allocated. Consequently, their size cannot be determined by allocation and so must be a part of their type.

C arrays of type T of length n are declared using the mixfix syntax: T x[n]; Each element of the array is arbitrary –with no designated defaults– so it is best to initialise them. E.g., int x[10] = {}; sets all elements of the array to 0.

#include<stdio.h> // for IO

int makeFive(int x[], int length)
{
  for(int i=0; i != length; i++)
    x[i] = 5;
}

int main()
{
  int x[3] = {};
  printf("\n x = [%d, %d, %d]", x[0], x[1], x[2]);

  makeFive(x, 3);
  printf("\n x = [%d, %d, %d]", x[0], x[1], x[2]);

  return 0;
}

However, C arrays differ from C records in that array variables are actually references that are associated in memory with an array. Consequently, array arguments to methods are automatically pass by reference!

Moreover this means the assignment t[k] = u works in a rather general sense: t suffices to be any expression whose value is a reference associated in memory with an array.

A recursive function such as the factorial function can be seen as an equation where the unknown variable is the function currently being defined. For example, the factorial function is the unique partial function f satisfying the equation

f  ≈ (x ↦ if x ≈ 0 then 1 else x * f(x-1))

This equation has the form f ≈ F(f), so it is a “fixed point equation”.

Since recursive functions may not terminate, the functions they describe are partial. It can be proven that any fixed point equation always has at least one solution; i.e., it defines at least one partial function on the integers. For example, the equation f ≈ (x ↦ 1 + f(x)) corresponding to

int loop(int n){ return 1 + loop(n); }

Has one solution: The empty function, which is not defined on any input.

The set of possible solutions can be ordered by inclusion of their graphs and so one of them is the smallest. Incidentally, this least solution is also obtained by the aforementioned limit!

E.g., every function is a solution to the equation f ≈ (x ↦ f x).

Notice that the factorial function can be written without using assignments:

/*@ axiomatic Factorial
  @ {
  @    logic integer factorial(integer n);
  @
  @    axiom fact_zero:  \forall integer n;    factorial(0) == 1;
  @
  @    axiom fact_succ:  \forall integer n; 0 <= n
  @                 ==>  factorial (n + 1) == n * factorial (n);
  @
  @    axiom fact_monotone : \forall integer m,n; 0 <= m <= n
  @          ==> factorial(m) <= factorial(n);
  @ }
  */

#include "Prelude.c"

/*@ requires Exercise: FixMe;
  @ assigns \nothing;
  @ ensures Exercise: FixMe;
  */
int fact_imp(int n)
{
  int r = 1;

  /*@ loop assigns i, r;
    @ loop invariant range_on_i: FixMe;
    @ loop invariant relationship_between_r_i_n: FixMe;
    @ loop variant FixMe: 666;
  */
  for(int i = 1; i <= n; i++)
    r = r * i;

  return r;
}

// ≈

/*@ requires 0 <= n;
  @ requires factorial(n) <= INT_MAX;
  @ assigns \nothing;
  @ ensures \result == factorial(n);
  */
int fact_functional(int n)
{
  if (n == 0) return 1;
  return n * fact_functional(n - 1);
}

( Notice that ¬(i ≤ n)[i ≔ 1] ≡ n = 0 when considering n : ℕ. )

Hence if we remove assignments, then the memory state for computation is always empty and so sequences and loops become useless. We are left with only variable declarations, function calls, and the built-in operations. This is the functional core of the language and it is surprisingly as powerful as the imperative core. Why? Recall that a term, or statement, can be thought of as a (partial) function of its free variables; now the functions obtained this way using only the functional core are the same as those obtained by also using the whole of the imperative core! Note that omitting recursion falsifies this result.