& Lt; VCC notes & gt; about Assertion, vcc notes assertion

<VCC Notes> about Assertion and vcc notes assertion

This blog introduces the usage of VCC. It first introduces the basic syntax of VCC with simple examples. Of course, VCC simplifies and analyzes more complex programs.

1. Assertion

#include <vcc.h>int main() {    int x,y,z;    if (x <= y) z = x;    else z = y;    _(assert z <= x)    return 0;}

The code above makes z the minimum value of x and y. The comments enclosed by _ () are the comments required by VCC, And the C language compiler ignores these comments. Because the <vcc. h> of include defines # de javasne _ (...)/begin nothing/

A comment similar to _ (assert E) is an Assertion, which requires VCC to prove that expression E in the comment is true (hold ). SO _ (assert z <= x) requires that when the code is executed to this line, z should be less than or equal to x. It should be noted that if the VCC verification passes this Assertion, this indicates that the VCC will be valid no matter when or no matter how many times it is executed.

C language also has something similar to assert (E ). The Microsoft document introduces the differences between the two.

It is instructive to compare_(assert E)with the macro assert(E) (defined in <assert.h>), which evaluates E at runtime and aborts execution if E doesn’t hold. First, assert(E) requires runtime overhead (at least in builds where the check is made), whereas_(assert E)doesnot.Second,assert(E)will catch failure of the assertion only when it actually fails in an execution, whereas _(assert E) is guaranteed to catch the failure if it is possible in any execution. Third, because _(assert E) is not actually executed, E can include unimplementable mathematical operations, such as quantification over infinite domains.

If you want to use VCC to verify this function in the cmd command line, you can save the code as minimum. c, and use VCC in the command line as follows, ** representing the code file directory.

C:\**> vcc.exe minimum.c
Verification of main succeeded.

If the Visual Studio plug-in of VCC is installed, right-click the blank area after opening the file with VS, and select Verify minimum from the menu. c can verify this file, and the verification result will be given at the bottom of. If you click in the function, you can only verify this function.

 

2.Principles of VCC

To understand how VCC works, you can understand what information VCC has in each step. In the above example, VCC knows nothing at the beginning, and then knows the first condition x of if <= y, and then z = x, so VCC knows z <= x. In the else branch, VCC knows y <x, z = y, so VCC knows z <= x. If each branch VCC finds that the Assertion is true, and then it verifies that the Assertion is passed.

What VCC knows is that VCC knows the information provided by the Code, and new information can be inferred directly through the currently known information. In this ideal state, when you add a correct Assertion, it will certainly not affect the correctness of the Assertion. However, VCC only completes the deduction of basic formulas, including equal, unequal, addition, subtraction, multiplication, division, and other simple operations, but does not automatically infer all calculation formulas, is limited. Otherwise, all of them can be inferred, and our workload will be very small.

Therefore, in reality, sometimes, even if the VCC "knows" enough information, it cannot prove an Assertion. When you add a correct Assertion, it may affect the correctness of the Assertion. Of course, this probability is relatively low, and it is often because the code that involves non-linear algorithms has problems.

Therefore, information is generally not lost when VCC verifies the sequential code or condition statement, but it is easy to lose information when VCC verifies the loop statement. The loss here means that he does not continue to deduce more information. Providing comments helps reduce this situation. If VCC does not pass the code that you think can pass verification, it may be that VCC does not know or ignores what you think it knows. At this time, an Assertion is also a reminder. When VCC authenticates him, it may be suddenly realized that this condition should also be set up!