A Lesson on Runtime Assertion Checking with Frama-C - Runtime Verification

Information Technology Reference

In-Depth Information

1 frama-c -machdep x86_64 -e-acsl-prepare -val sum.c -then -e-acsl \

2

-then-on e-acsl -print -ocode out.c

Linking and executing the generated program in the usual way does not report

any failure on this correct program.

6 Customization of Runtime Monitoring

By default, as shown in the previous examples, when the evaluation of a predicate

fails at runtime, the execution stops with an error message and exit code 1. This

behavior is implemented by the function e_acsl_assert provided in the file e_acsl.c

of the e-acsl library. This function is called each time an annotation is checked.

It is fully possible to modify this behavior by providing your own definition of

e_acsl_assert . The prototype of the function to implement is as follows.

void e_acsl_assert( int , char * , char * , char * , int );

For each annotation a to be checked, the parameters are the following:

- the first one is the validity status of a (0 if false, non-zero if true);

- the second one is a string describing the kind of a (an assertion, a precondi-

tion, a postcondition, etc);

- the third one is the function name where a takes place;

- the fourth one is a textual description of a ;

- the fifth one is the line number of a in the source file.

For instance, Fig. 6 provides an implementation which does not stop the program

execution, but appends an error message at the end of file log_file.log when an

annotation is violated.

Then, in the script of Fig. 4, we can replace the file $share/e-acsl.c by the one

defining the function of Fig. 6. Thus, executing it on the binary generated from

the first example of Section 3.3 generates a file log_file.log which contains the

following lines:

Precondition failed at line 8 in function sum.

The failing predicate is:

\forall integer i, integer j;

(0 <= i && i < size) && (0 <= j && j < size) ==> \valid ((b+i * size)+j).

RTE failed at line 11 in function sum.

The failing predicate is:

mem_access:

\valid_read (__e_acsl_at_7

+( long long )(( long long )(( long long )__e_acsl_i_4 * ( long long )__e_acsl_at_8)

+( long long )__e_acsl_j_4)).

It indicates that there were actually two failed runtime checks. The former

was previously described in Section 3.3 and corresponds to the invalid precondi-

tion about the array b (which has 3 elements while 4 are expected). The latter

corresponds to an out-of-bound error detected when trying to evaluate the post-

condition since b[i * size+j] tries to access the fourth element of the array b of

length 3 (when i =1, j =1and size =2).

Runtime Verification

Search WWH ::

Custom Search

Home