VCC

Updated Wiki: Install

erniecohen — Fri, 17 May 2013 14:00:21 GMT

VCC Installation

Prerequisites

The following prerequisites are needed to successfully run VCC:

.Net v4.0 or later - Download installer.
F# 2.0 Redistributable - Download installer.
F# Power Pack - Download installer.
Microsoft Visual C++ 2010 Redistributable Package - Download installer.
Visual Studio 2010 or 2012 (any edition with C++ support). Note, however, that the express editions are not recommended, because they will not allow you to use VCC from the IDE. Download installer.

Once you have all the required prerequisites you can download the latest installer or VCC using the link on the right hand side of this web page, or the Downloads tab above.

If you want to run VCC from the IDE, you need to have the VCC headers in your included paths. (The installer adds them for the command-line, but these are not picked up by Visual Studio). To add the VCC headers to your path in the IDE, do the following after installing VCC:

Run visual studio, and create a new empty C++ project.
Click view->Other Windows->PropertyManager. This should open the property manager for your project.
In the property manager, if you only want to add the paths for this project, double-click on the project name to open up its property sheet. If you want to add the paths for all projects, click on the triangle next to the project name to open up its configurations (probably (Debug | Win32) and (Release | Win32)), open up (Debug | Win32) and double-click on Microsoft.Cpp.Win32.User.
In the property sheet, click on "VC++ Directories", click on "Include Directories", click on the down-arrow on the right hand side of the directory list, and click "edit".
Click on the little folder icon to add a new directory, and add $(INCLUDE). Alternatively, navigate to Program Files (x86)\Microsoft Research\Vcc\Headers, and click "select folder" to add it to the path. (The (x86) will be in this path only if you are running 64 bit Windows.)

After you have done this, check that your installation works:

Go to the solution explorer pane
Right-click on the project (not the solution) and choose "add->New Item". Choose "C++ file", and choose a file name (e.g. test.c) in the box below, but give it the extension .c. Click "add".
The new file should open up in the code editor. Add the following text to the window:

#include <vcc.h>

void test() {
}

Right-click on the function and choose "Verify test.c". After a moment, you should see "Verification succeeded" in the lower-left-hand corner of the IDE.

New Post: Doxygen

PEPE89 — Fri, 10 May 2013 09:21:46 GMT

Hi all,

does anybody know how to set doxygen to skip anotations in code?

I set up doxygen C preprocessor in config.doxygen like this:

ENABLE_PREPROCESSING   = YES
MACRO_EXPANSION        = YES
EXPAND_ONLY_PREDEF     = YES
PREDEFINED             = _(x)=

which seems working, but I am not sure if is it correct. Does anybody have some experience with this?

Thanks a lot
Jan

New Post: Funtion calls modify global variables

Hare — Thu, 02 May 2013 19:12:29 GMT

Hi Mark,

Thank you very much!!

It really helps! I confused "the context pointed by s" and "the pointer s itself" at the beginning. And I'm thinking for foo3(), I also didn't mention \gemb(&s) in the requirement. Why the function call of malloc() works properly in this function? This makes me confuse.

Thanks very much for helping.

Best Regards,

Shu Cheng

New Post: _(writes) clause error VC8510

Hare — Thu, 02 May 2013 19:03:48 GMT

Hi Mark,

Thanks very much!

I added an requirement, _(requires \malloc_root(N)), for dispose(). And it works!

Best,

Shu Cheng

New Post: _(writes) clause error VC8510

MarkHillebrand — Thu, 02 May 2013 18:09:47 GMT

Hi,

non-NULL pointers return by malloc() satisfy the \malloc_root() predicate, which is requires in calls to free(). You need to keep track of this information, until free() is called in the dispose() function (e.g., by adding it as an invariant of struct A and as a requirement to dispose()).

Hope that helps, Mark

New Post: Funtion calls modify global variables

MarkHillebrand — Thu, 02 May 2013 17:54:39 GMT

Hi,

sorry, in my earlier post, instead of "with explicitly mentioning [the object]" I meant "without explicitly mentioning [the object]". So foo() would stay without a postcondition. However, to take advantage of VCC framing, in foo1(), you would need to state something on the enclosing object of your global pointer 's', e.g.,
"_(requires \wrapped(\emb(&s)))". This would allow you to derive that 's' remains unchanged after foo() is called (even though the specification of foo() does not mention 's').

If I understand you correctly, foo() would correspond to malloc(), so this would be fine.

Hope that helps, Mark

New Post: _(writes) clause error VC8510

Hare — Thu, 02 May 2013 17:45:20 GMT

MarkHillebrand wrote:

Hi,

no, I was only suggesting to change the _(writes ...) clause in actualize() and dispose(), the other annotations looked fine to me.

Cheers, Mark

Hi Mark,

I tried to verify this code. I got a error issued about free(_(A *) N) of function dispose(A *N). VCC tried to prove N is returned by malloc(). What should I do to handle this?

Best, Shu Cheng

New Post: Funtion calls modify global variables

Hare — Thu, 02 May 2013 16:01:25 GMT

Hi Mark,

Thanks very much for your reply.

The thread you mentioned is my another thread. I understand that and in the code here I also mentioned that if I have said something special in the post-condition for foo(), the proof would be fine. But my question is the system function calls, like malloc(), in the library, it is impossible to know which global variables I have in the code. In this case, it is impossible to state the pointers of global variables stay the same as post-condition for malloc(). And I'd like to know what happen here. Because if I have lots of global variables, it would be boring to have ensures clause for each of them to keep them unchanged.

Thanks very much.

Best,

Shu Cheng

New Post: error VC9502: Call 'stack_free()

MarkHillebrand — Sat, 27 Apr 2013 05:22:14 GMT

Hi,

the old writes clause introduced an inconsistency, which made the proof seemingly run through. (Hint: "vcc /smoke" should have complained about it).

With regards to the latest assertion failure you need to strengthen the loop invariants. VCC doesn't know that the fields of L are writable anymore after L was unwrapped earlier. "_(invariant \mutable(L))" may fix that.

Cheers, Mark

New Post: _(writes) clause error VC8510

MarkHillebrand — Sat, 27 Apr 2013 05:10:17 GMT

Hi,

no, I was only suggesting to change the _(writes ...) clause in actualize() and dispose(), the other annotations looked fine to me.

Cheers, Mark

New Post: _(writes) clause error VC8510

PEPE89 — Fri, 26 Apr 2013 19:11:28 GMT

Mark, if I understant you right you suppose something like this:

typedef struct A {  
    struct A *x;  
} A;

void init(A *N) 

_(writes \extent(N)) 
{
    N->x = NULL; 
} 

void actualize(A *N) 

_(writes N)
{
    N->x = NULL;  
} 

void dispose(A *N) 

_(writes N)
{
    free(_(A*)N);
} 

int main() 
{ 
    A *N = (A*) malloc(sizeof(A));
    _(assume N)

    init(N);
    _(assume N->x == NULL)

    actualize(N);

    dispose(N);
}

BUT its still the same case --> problem with (write) clause:

Verification of init succeeded. [0,62]
Verification of actualize failed. [0,11]
error VC8507: Assertion 'N->x is writable' did not verify.
Verification of dispose failed. [0,79]
error VC8510: Assertion '\extent(p) is writable in call to free((A*)N)' did not verify.
error VC9502: Call 'free(_(A*)N)' did not verify.
error VC9599: (related information) Precondition: 'the extent of the object being reclaimed is mutable'.
error VC9599: (related information) Precondition: 'the pointer being reclaimed was returned by malloc()'.
Verification of main failed. [0,12]
error VC8510: Assertion 'N is writable in call to actualize(N)' did not verify.
error VC8510: Assertion 'N is writable in call to dispose(N)' did not verify.

Thanks
Jan

New Post: error VC9502: Call 'stack_free()

PEPE89 — Fri, 26 Apr 2013 18:54:45 GMT

Ok Mark,

I changed specification of DisposeList() function like below, but now I cant change values of abstract variables and fields of L, which I need for abstract representation of list. Sorry that I didnt mention them in previous post.

    void DisposeList (tList *L)

    _(requires \wrapped(L))
    _(requires \thread_local(L))
    _(writes L)
    _(ensures L->size == 0)
    _(ensures L->values == \lambda int a; \false) 
    _(decreases 0)
    {
        tElem *hlp_p1 = NULL;
        tElem *hlp_p2 = NULL;

        _(unwrap L)

        hlp_p1 = L->First;
        L->First = NULL;
        L->Last = NULL;

        while (hlp_p1 != NULL)

        _(invariant hlp_p1 ==> hlp_p1 \in L->\owns && hlp_p1 \in \domain(L))
        _(decreases 0)
        {
            hlp_p2 = hlp_p1->Nextptr;
            free(_(tElem*) hlp_p1);
            hlp_p1 = hlp_p2;
        }

        _(ghost { 
            L->\owns = {}; 
            L->size = 0;
            L->values = (\lambda int k; \false);
            _(ghost L->find = (\lambda int k; (tElem *) NULL))
        })
    }

Now I get:
error VC8510: Assertion '\span(obj) is writable in call to L->\owns = {}' did not verify.
error VC9502: Call 'L->\owns = {}' did not verify.
error VC9599: (related information) Precondition: 'the owner is mutable'.

So therefore I thought i need \span(L). Thanks

Jan

New Post: error VC9502: Call 'stack_free()

MarkHillebrand — Fri, 26 Apr 2013 18:03:25 GMT

Hi,

I guess this is (partially?) answered by the other discussion (malloc() can fail; DisposeList() should only write L, not \span(L)).

Cheers, Mark

New Post: Funtion calls modify global variables

MarkHillebrand — Fri, 26 Apr 2013 18:00:44 GMT

Hi,

your global pointer is a variable of primitive type and thus has an implicit object wrapped around it (cf. the previous discussion https://vcc.codeplex.com/discussions/405153). You can derive that the pointer stays the same if you reason with this enclosing object. For example, if you know the enclosing object is wrapped and not written to (by functions you call), you can derive that the pointer stays the same with explicitly mentioning it in functions such as foo().

Hope this helps, Mark

New Post: _(writes) clause error VC8510

MarkHillebrand — Fri, 26 Apr 2013 17:48:24 GMT

Hi,

_(writes \span(N)) and _(requires \wrapped(N)) are contradictory - you can't have an object wrapped and at the same time have its fields writable. It should work when you use _(writes N) in actualize() and dispose().

Hope that helps, Mark

New Post: _(writes) clause error VC8510

PEPE89 — Fri, 26 Apr 2013 08:41:31 GMT

Ok thanks Shu,

it helps, but I have the same problem with next function after init(), again _(writable) clause, it seems I need to somehow set N for main function and keep it, but how?

typedef struct A {  
    struct A *x;  
} A;

void init(A *N) 

_(writes \extent(N)) 
_(ensures \wrapped(N))
{
    N->x = NULL; 
    _(wrap N)
} 

void actualize(A *N) 

_(writes \span(N))
_(maintains \wrapped(N))
{
    _(unwrapping N){
        N->x = NULL;    
    }
} 

void dispose(A *N) 

_(writes \span(N))
_(requires \wrapped(N))
{
    _(unwrap N)
    free(_(A*)N);
} 

int main() 
{ 
    A *N = (A*) malloc(sizeof(A));
    _(assume N)

    init(N);

    actualize(N);

    dispose(N);
}

VCC:
error VC8510: Assertion '\span(N) is writable in call to actualize(N)' did not verify.
error VC8510: Assertion '\span(N) is writable in call to dispose(N)' did not verify.

Thanks for any suggestion.
Jan

New Post: Funtion calls modify global variables

Hare — Thu, 25 Apr 2013 17:29:02 GMT

Can no one have any idea about this? Or where can I found any resources about this?

Thanks very much!

Best,
Shu Cheng

New Post: _(writes) clause error VC8510

Hare — Thu, 25 Apr 2013 17:20:20 GMT

This is because your pointer N in main() isn't writable. It's a NULL pointer. Following main() may help

int main() {
    A * N = (A *) malloc(sizeof(A));
    _(assume N) // malloc() may fail
    init (N);
}

New Post: _(writes) clause error VC8510

PEPE89 — Wed, 24 Apr 2013 09:23:15 GMT

Hi all,

I got this error in simple function, I am not sure what I am doing wrong. Do anybody know what I am missing?

error VC8510: Assertion '\extent(N) is writable in call to init(N)' did not verify.

This error occurs even if I use \span(N) in write clause or just type _(writes N->x).

#include <vcc.h> 
#include <stdlib.h>

typedef struct A { 
 
    struct A *x; 
    struct A *y; 
 
} A;

void init(A *N) 

_(writes \extent(N)) 

{
    N->x = NULL;    
} 

int main() 
{ 
    A *N = NULL;

    init(N);
}

Thanks Jan.

New Post: error VC9502: Call 'stack_free()

PEPE89 — Tue, 23 Apr 2013 19:14:32 GMT

Thanks Mark a lot,

if I understand you right, i should destroy "list" before the end of test_01() function. So I can call my DisposeList() function:

void test_01(void)
{
   tList *list = malloc(sizeof(tList));

   InitList(list);  

   DisposeList(list);
    
}

inside DisposeList() I just destroy nodes of the list one by other in while loop, inside looks like this:

void DisposeList (tList *L)

_(requires \wrapped(L))
_(requires \thread_local(L))
_(writes \span(L))
_(ensures L->First == NULL && L->Last == NULL)
_(ensures \wrapped(L))
_(decreases 0)

{
    tElem *hlp_p1 = NULL;
    tElem *hlp_p2 = NULL;

    _(unwrapping L) {

        hlp_p1 = L->First;
        L->First = NULL;
        L->Last = NULL;

        while (hlp_p1 != NULL)

        _(invariant hlp_p1 ==> hlp_p1 \in L->\owns && hlp_p1 \in \domain(L))
        _(decreases 0)
        {
            hlp_p2 = hlp_p1->Nextptr;
            free(_(tElem*) hlp_p1);
            hlp_p1 = hlp_p2;
        }
    }
}

So I think I would destroy the "list" properly, but now I am getting these errors:

\singly_linked_list_test_vcc.c(46,3) : error VC8510: Assertion '\extent(L) is writable in call to InitList(list)' did not verify.
\singly_linked_list_test_vcc.c(49,3) : error VC8510: Assertion '\span(L) is writable in call to DisposeList(list)' did not verify.

It seems there is some problem with _(write) clause. Can you help me with that please or anyone else?

Thanks in advance.