Vote

Soundness bug: termination checking on delayed _(def) definitions

description

The following goes through, and therefore causes a trivially false axiom to be sent to Z3.
Having two declarations seem to be necessary to trigger the bug.

include <vcc.h>

_(abstract \natural toto()
_(decreases 0)
_(ensures 2 <= \result))

_(abstract \natural titi()
_(decreases 0)
_(ensures \result == toto() + toto()))

_(def \natural toto() { return 16; })
_(def \natural titi() { return titi() + toto(); })

comments

fdupress wrote Aug 1, 2012 at 10:52 AM

To illustrate the bug in a more compelling way, consider the following definition, that verifies when appended to the code shown above.

_(def void tata() _(ensures \false) { return; })

Item 36 of 242 Previous | Next

work item details

Item number:	6611
User comments:	1
Status:	Proposed
Reason Closed:	Unassigned
Type:	Issue
Impact:	Low
Release:	Unassigned
Assigned to:	Unassigned
Component:
Reported on: Reported by:	Aug 1, 2012 at 10:46 AM fdupress
Updated on: Updated by:	Aug 1, 2012 at 10:52 AM fdupress
Closed on: Closed by:	n/a n/a

Keyboard shortcuts are available for this page.

Updating...

Soundness bug: termination checking on delayed _(def) definitions

description

include <vcc.h>

file attachments

comments

work item details

Updating...

Woops...X

Are you sure?X

Soundness bug: termination checking on delayed _(def) definitions

description

include <vcc.h>

file attachments

comments

work item details