Description
CBMC version: 6.0.0
Operating system: macOS
Exact command line resulting in the issue: make -f make_inc2
What behaviour did you expect: success
What happened instead: verification fails - see below.
See this example: https://github.com/rod-chapman/cbmc-examples/tree/main/modularity
This is an example of modular reasoning using contracts. I have a function called "inc()" that increments its parameter by one, declared in p.h as:
int32_t inc (int32_t x)
__CPROVER_requires(x < 20)
__CPROVER_ensures(__CPROVER_return_value == x + 1);
I then want to verify a function that calls inc() twice. See the files q.h and q.c
BUT...
make -f make_inc2
fails with:
** Results:
./p.h function inc
[inc.assertion.1] line 3 undefined function should be unreachable: FAILURE
./q.h function inc2
[inc2.overflow.1] line 5 arithmetic overflow on signed + in x_wrapper + 2: SUCCESS
[inc2.postcondition.1] line 5 Check ensures clause of contract contract::inc2 for function inc2: SUCCESS
... then...
q.c function inc2
[inc2.no_alloc_dealloc_in_ensures.1] line 4 Check that ensures do not allocate or deallocate memory: SUCCESS
[inc2.no_alloc_dealloc_in_requires.1] line 4 Check that requires do not allocate or deallocate memory: SUCCESS
[inc2.no_recursive_call.1] line 4 No recursive call to function inc2 when checking contract inc2: SUCCESS
[inc2.single_top_level_call.1] line 4 Only a single top-level call to function inc2 when checking contract inc2: SUCCESS
[inc2.assigns.1] line 6 Check that r is assignable: SUCCESS
[inc2.assigns.2] line 7 Check that r is assignable: SUCCESS
[inc2.assigns.3] line 8 Check that r is assignable: SUCCESS
It appears to be unhappy because I have not compiled the body of inc() (in file p.c).
This shouldn't be necessary. Firstly, I haven't written p.c yet, so it can't be supplied. Secondly, the whole point of modular reasoning with contracts is to avoid such a need in the first place?
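For readers following the issue, here is an added, self-contained version of the two-call setup described above (my reconstruction, not the files in the linked repository): inc() exists only as a contract, and inc2()'s own contract is derived from it. The `#ifndef __CPROVER__` guards are an assumption so the same file also compiles and runs under an ordinary C compiler, where the contract macros are not defined; the native-only body of inc() is there solely for that purpose and mirrors the missing p.c by being hidden from CBMC.

```c
/* Added example, not the issue author's code. Under CBMC the contract
 * clauses are built in; under a normal C compiler (__CPROVER__ undefined,
 * an assumption) they expand to nothing so the file still compiles. */
#include <stdint.h>

#ifndef __CPROVER__
#define __CPROVER_requires(c)
#define __CPROVER_ensures(c)
#endif

/* p.h: a contract for inc() and no body. Modular reasoning means callers
 * of inc() are verified from this declaration alone. */
int32_t inc(int32_t x)
    __CPROVER_requires(x < 20)
    __CPROVER_ensures(__CPROVER_return_value == x + 1);

/* q.h: inc2() calls inc() twice. The second call receives x + 1, so inc's
 * precondition (x + 1 < 20) is what forces inc2 to require x < 19; the
 * two ensures clauses compose to return_value == x + 2. */
int32_t inc2(int32_t x)
    __CPROVER_requires(x < 19)
    __CPROVER_ensures(__CPROVER_return_value == x + 2);

/* q.c */
int32_t inc2(int32_t x)
{
    int32_t r = inc(x);  /* r == x + 1 by inc's ensures clause */
    r = inc(r);          /* needs r < 20, i.e. x < 19, from inc2's requires */
    return r;            /* r == x + 2, discharging inc2's ensures clause */
}

#ifndef __CPROVER__
/* Native-only stand-in so the file links and runs outside CBMC. It is
 * deliberately invisible to CBMC, like the not-yet-written p.c above. */
int32_t inc(int32_t x) { return x + 1; }
#endif
```

When checked with CBMC's contract instrumentation, the intent is that the call to inc() is replaced by its contract (goto-instrument's --replace-call-with-contract inc) while inc2's contract is enforced; that is my reading of the tool's workflow, not something the issue states.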