ACSL Annotation Assistant
Generate comprehensive ACSL (ANSI/ISO C Specification Language) annotations for C/C++ programs to support formal verification with tools like Frama-C.
Core Capabilities
1. Function Contracts
Add complete function specifications with preconditions and postconditions:
/*@ requires \valid(array + (0..n-1)); requires n > 0; ensures \result >= 0 && \result < n; ensures \forall integer i; 0 <= i < n ==> array[\result] >= array[i]; assigns \nothing; */ int find_max_index(int *array, int n);
2. Loop Annotations
Generate loop invariants, variants, and assigns clauses:
/*@
loop invariant 0 <= i <= n;
loop invariant \forall integer k; 0 <= k < i ==> sum == \sum(0, k, array);
loop assigns i, sum;
loop variant n - i;
*/
for (i = 0; i < n; i++) {
sum += array[i];
}
3. Memory Safety Specifications
Add pointer validity and separation annotations:
/*@ requires \valid(dest + (0..n-1)); requires \valid_read(src + (0..n-1)); requires \separated(dest + (0..n-1), src + (0..n-1)); ensures \forall integer i; 0 <= i < n ==> dest[i] == \old(src[i]); assigns dest[0..n-1]; */ void memcpy_safe(char *dest, const char *src, size_t n);
4. Assertions and Assumptions
Insert runtime and verification assertions:
//@ assert 0 <= index && index < array_length; //@ assume divisor != 0;
5. Axiomatic Definitions and Predicates
Define reusable logical predicates and axioms:
/*@
predicate sorted{L}(int *a, integer n) =
\forall integer i, j; 0 <= i <= j < n ==> a[i] <= a[j];
*/
/*@
axiomatic Sum {
logic integer sum{L}(int *a, integer low, integer high);
axiom sum_empty{L}:
\forall int *a, integer i; sum(a, i, i) == 0;
axiom sum_next{L}:
\forall int *a, integer low, high;
low < high ==> sum(a, low, high) == sum(a, low, high-1) + a[high-1];
}
*/
Annotation Workflow
Step 1: Analyze the Function
Before annotating:
- •Identify inputs, outputs, and side effects
- •Determine memory access patterns
- •Understand algorithmic properties (sorting, searching, etc.)
- •Note any implicit assumptions
Step 2: Add Function Contract
Start with the function-level specification:
- •Preconditions (
requires): What must be true when function is called - •Postconditions (
ensures): What will be true when function returns - •Assigns clause: What memory locations may be modified
- •Behavioral specification: Normal and exceptional behaviors if applicable
Step 3: Annotate Loops
For each loop, specify:
- •Loop invariant: Properties that hold before and after each iteration
- •Loop variant: Decreasing measure proving termination
- •Loop assigns: Memory modified within the loop
Step 4: Add Assertions
Insert intermediate assertions to:
- •Document algorithmic properties
- •Help verification tools
- •Clarify complex logic
Step 5: Define Helper Predicates
Create reusable logical definitions for:
- •Common patterns (sorted arrays, valid ranges)
- •Domain-specific properties
- •Complex mathematical relationships
Common ACSL Constructs
Memory Validity
\valid(ptr) // Single valid pointer \valid(ptr + (low..high)) // Valid range \valid_read(ptr) // Read-only validity \separated(ptr1, ptr2) // No aliasing
Quantifiers
\forall type var; condition ==> property \exists type var; condition && property
Logic Functions
\old(expr) // Value at function entry \at(expr, Label) // Value at specific point \result // Function return value \nothing // Empty set (for assigns)
Integer Ranges
\forall integer i; low <= i < high ==> array[i] >= 0
Behaviors
/*@
behavior valid_input:
assumes n > 0;
requires \valid(array + (0..n-1));
ensures \result >= 0;
behavior invalid_input:
assumes n <= 0;
ensures \result == -1;
complete behaviors;
disjoint behaviors;
*/
Verification Considerations
For Frama-C WP Plugin
When generating annotations for WP verification:
- •Use
assignsclauses to specify frame conditions - •Prefer
\validover raw pointer checks - •Use
\separatedfor pointer disjointness - •Add
loop assignsfor all loops - •Include
loop variantfor termination proofs
Common Verification Patterns
Array bounds safety:
/*@ requires 0 <= index < length;
requires \valid(array + index);
*/
Null pointer checks:
/*@ requires ptr != \null;
requires \valid(ptr);
*/
Overflow prevention:
/*@ requires INT_MIN <= a + b <= INT_MAX; */
Output Format
Generate annotations in standard ACSL comment syntax:
- •Multi-line contracts:
/*@ ... */ - •Single-line assertions:
//@ assertion - •Place contracts immediately before function declarations
- •Place loop annotations immediately before loop headers
- •Include explanatory comments when annotations are complex
Best Practices
- •Start simple: Begin with basic contracts, then refine
- •Be precise: Avoid over-specification or under-specification
- •Document assumptions: Make implicit assumptions explicit
- •Use predicates: Factor out common patterns
- •Test incrementally: Verify annotations with Frama-C as you go
- •Include rationale: Add comments explaining non-obvious specifications
Example: Complete Annotated Function
/*@
predicate valid_array(int *a, integer n) =
\valid(a + (0..n-1)) && n > 0;
*/
/*@
requires valid_array(array, n);
ensures \result >= 0 && \result < n;
ensures \forall integer i; 0 <= i < n ==> array[\result] >= array[i];
assigns \nothing;
*/
int find_max_index(int *array, int n) {
int max_idx = 0;
/*@
loop invariant 0 <= i <= n;
loop invariant 0 <= max_idx < n;
loop invariant \forall integer k; 0 <= k < i ==>
array[max_idx] >= array[k];
loop assigns i, max_idx;
loop variant n - i;
*/
for (int i = 1; i < n; i++) {
if (array[i] > array[max_idx]) {
max_idx = i;
}
}
return max_idx;
}
Resources
This skill includes reference materials for ACSL:
references/
- •
acsl_reference.md- Comprehensive ACSL syntax reference - •
common_patterns.md- Frequently used annotation patterns - •
frama_c_integration.md- Tips for using with Frama-C
Load these references as needed for detailed syntax information or advanced patterns.