Question
I have a simple matrix transpose function which I would like to verify with a postcondition such that
matrix_transpose(matrix_transpose(original_matrix)) == original_matrix
What would be the syntax for that? I've tried
ensures \result(\result)==a;
where a is the original matrix, but that doesn't seem to work.
Edit: This is my code:

    void transpose_matrix(int[][10], int, int);

    int main()
    {
        int r = 3;
        int c = 3;
        int a[10][10] = {
            {1, 1, 1},
            {2, 2, 2},
            {3, 3, 3}
        };
        transpose_matrix(a, r, c);
        return 0;
    }

    /*@
      ensures \result(\result)==a;
    */
    void transpose_matrix(int a[][10], int r, int c)
    {
        int trans[10][10], i, j;
        /* build the transpose in a temporary buffer */
        for (i = 0; i < r; ++i)
            for (j = 0; j < c; ++j)
                trans[j][i] = a[i][j];
        /* copy it back so the caller's matrix is actually transposed (c x r) */
        for (i = 0; i < c; ++i)
            for (j = 0; j < r; ++j)
                a[i][j] = trans[i][j];
    }
Perhaps I am not thinking about this in the right way.
Answer 1:
The property you want to prove cannot really be expressed with a simple function contract as offered by ACSL. Namely, a function contract specifies what should happen during a single function call. What you're after concerns two related function calls.
There is an external (and very experimental) plug-in of Frama-C that lets you write this kind of property: RPP (Relational Properties Prover), available at https://github.com/lyonel2017/Frama-C-RPP, with some articles describing the technique (known as self-composition) on which it is based at https://hal-cea.archives-ouvertes.fr/cea-01808885 and https://hal-cea.archives-ouvertes.fr/cea-01835470.
Note that in its current state, RPP has many limitations, notably with respect to handling pointers, which will probably be a problem for matrices. It might be however possible to do self-composition manually and then use WP as usual.
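The manual self-composition the answer mentions, as an added example (not the answerer's or the questioner's code): both transpose calls run inside one wrapper function, so the two-call property "transposing twice gives back the original" becomes an ordinary single-call postcondition on the wrapper's return value. The ACSL contracts and the `check_sample` helper are assumptions for illustration; the 10-column row length comes from the question.

```c
#include <string.h>

#define N 10   /* fixed row length, as in the question's int a[][10] */

/* Transpose the r x c block of a in place (the result is c x r).
   This is an ordinary single-call contract that WP understands. */
/*@ requires 0 <= r <= N && 0 <= c <= N;
  @ requires \valid(a + (0 .. N-1));
  @ assigns a[0 .. N-1][0 .. N-1];
  @ ensures \forall integer i, j; 0 <= i < r && 0 <= j < c ==> a[j][i] == \old(a[i][j]);
  @*/
void transpose_matrix(int a[][N], int r, int c) {
    int trans[N][N];
    for (int i = 0; i < r; ++i)
        for (int j = 0; j < c; ++j)
            trans[j][i] = a[i][j];
    for (int i = 0; i < c; ++i)
        for (int j = 0; j < r; ++j)
            a[i][j] = trans[i][j];
}

/* Manual self-composition: both calls of the relational property run in
   one function, so "transpose twice == original" is a plain postcondition
   on this function's result instead of a property relating two calls. */
/*@ requires 0 <= r <= N && 0 <= c <= N;
  @ requires \valid_read(a + (0 .. N-1));
  @ assigns \nothing;
  @ ensures \result == 1;
  @*/
int transpose_is_involutive(int a[][N], int r, int c) {
    int copy[N][N];
    memcpy(copy, a, sizeof copy);      /* a points at N rows of N ints */
    transpose_matrix(copy, r, c);      /* copy is now c x r */
    transpose_matrix(copy, c, r);      /* back to r x c */
    for (int i = 0; i < r; ++i)
        for (int j = 0; j < c; ++j)
            if (copy[i][j] != a[i][j])
                return 0;
    return 1;
}

/* Constructed 2 x 3 sample (not from the question) to exercise a non-square
   block. Returns 1 when two transposes restore the block and one transpose
   moves a[i][j] to a[j][i]. */
int check_sample(void) {
    int m[N][N] = { {1, 2, 3}, {4, 5, 6} };
    if (!transpose_is_involutive(m, 2, 3)) return 0;
    transpose_matrix(m, 2, 3);         /* now 3 x 2 */
    return m[0][0] == 1 && m[0][1] == 4 && m[1][0] == 2
        && m[1][1] == 5 && m[2][0] == 3 && m[2][1] == 6;
}
```

For WP to actually discharge the wrapper's `ensures \result == 1`, the loops still need loop invariants and `loop assigns` clauses, which are left out here to keep the self-composition structure visible.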
Source: https://stackoverflow.com/questions/61070376/verifying-matrix-transpose-function-in-frama-c