Consider flag/config file for specifying impl-defined behaviour #695
Comments
|
From my understanding CN is parametric over things such as the signedness of chars and size of ints (thanks to Cerberus), so for runtime testing you'd need to ensure that its using the same model/config/whatever as the system you're running the tests or instrumentation on. I don't know how that is done, perhaps @dc-mak or @cp526 can help. This shows up in testing because the execution of the user's code follows their system's rules, but the executable spec generates code based on the CN types ( To see with just the instrumentation: int f(char x, char y)
/*@
requires x < y;
ensures return == 1i32;
@*/
{
return x < y;
}
int main() {
f(100, -25);
}The precondition is unsigned, due to CN converting /* EXECUTABLE CN PRECONDITION */
cn_bits_u8* x_cn = convert_to_cn_bits_u8(x);
cn_bits_u8* y_cn = convert_to_cn_bits_u8(y);
cn_assert(cn_bits_u8_lt(x_cn, y_cn)); |
|
The signed-ness of char is an implementation-defined detail. In CN, it's hard-coded to pKVM-friendly defaults here: cerberus/backend/cn/bin/main.ml Line 66 in 368d51a Though that doesn't say much about how to proceed. |
|
Perhaps we could add a flag or a configuration file to CN for specifying implementation defined behavior? |
dc-mak
changed the title
char
dc-mak
changed the title
|
Cerberus's It's not clear to me how this relates to |
|
If we make this switchable, we should check how normal cerberus does the same switching and mirror that. |
Testing the following example fails with a violation of the
ensuresclause.It however works if we use explicit
unsigned charorsigned char.It looks like the error might be a disagreement between the generator and the execution on the sign-edness of
char(perhaps one is assume that is signed and the other that it is unsgined?)The text was updated successfully, but these errors were encountered: