如何在 frama-c 中用多维数组声明 'assigns' 子句？

Question

我有以下变量：

int** send_count;
message_struct*** send_queue;

我有一个函数要为

声明一个合约

message_record_struct postSend(int destination, double* buf);

如何声明允许分配给 send_count 和 send_queue 元素的合约？

我担心以下方法只允许对数组指针地址处的元素赋值：

@ assigns send_count

下面的方法在代码前面部分给出 axiomatic theory { logic integer NP; } 时会抛出一个错误：

@ assigns *(send_count+(0..NP-1));
@ assigns \forall integer i; 0<=i<NP ==>                                                                                                                                                                
          *(send_count[i]+(0..NP-1));

$ frama-c -wp -wp-prover "why3ide" assign_example.c

[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)

[kernel] Parsing assign_example.c (with preprocessing)

assign_example.c:62:[kernel] user error: syntax error (expression expected but predicate found) in annotation.

[kernel] user error: stopping on file "assign_example.c" that has errors. Add '-kernel-msg-key pp' for preprocessing command.

[kernel] Frama-C aborted: invalid user input.

Answer 1

您要查找的语法可能是

/*@ assigns *(send_count+(0..NP-1));
    assigns *(send_count[0..NP-1]+(0..NP-1));

引入 ACSL 范围 [a..b] 是为了让赋值子句不含量词，应尽可能多地使用。