-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve support for arrays of unknown element size #176
Comments
Proof obligations in A. Unsigned multiplication underflow check: B. Unsigned multiplication overflow check: C. Precondition of Here, (*) Here, |
Proof obligations in A. Unsigned multiplication underflow check: B. Unsigned multiplication overflow check: C. Unsigned multiplication underflow check: D. Unsigned multiplication overflow check: E. Pointer arithmetic underflow check: F. Pointer arithmetic overflow check: |
Currently, verifying programs that involve arrays whose element size is not statically known, like arrays of structs, is encumbered by the need to manually invoke the
mul_mono_l
lemma to prove that pointer arithmetic stays within bounds. Indeed, ifsizeof(T)
is not a literal number, thenp + i
wherep
is of typeT *
andi
is of integral type, involves nonlinear arithmetic, and proof obligations like0 <= p + i
andp + i <= UINTPTR_MAX
are not discharged automatically. They typically require invocations ofmul_mono_l(0, i, sizeof(T))
(to prove that0 <= i * sizeof(T)
given0 <= i
) andmul_mono_l(i, n, sizeof(T))
(to prove thati * sizeof(T) <= n * sizeof(T)
giveni <= n
).See
examples/array_of_struct.c
for an example of this.This problem will become much more pressing when VeriFast moves to targetless verification ( #143 ), where
sizeof(int)
andsizeof(T *)
are not literals. Then, examples likearraylist.c
(array of pointers) andmergesort_and_binarysort.c
(array of ints) will need such lemma calls as well.The text was updated successfully, but these errors were encountered: