--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>Back to range_is_empty()</h1>
+
+<pre class="code">
+ <span class="comment">/*@
+ predicate valid_range(struct Range range) =
+ range.lob <= range.upb + 1;
+ predicate empty_range(struct Range range) =
+ range.lob == range.upb + 1;
+ */</span>
+
+ /* Is range empty? */
+ <span class="comment">/*@
+ requires \valid_read(range);
+ requires valid_range(*range);
+ assigns \nothing;
+ ensures \result <==> empty_range(*range);
+ */</span>
+ static inline bool range_is_empty(const Range *range)
+ {
+ return range->lob > range->upb;
+ }
+</pre>
+
+<pre>
+ $ frama-c -wp -wp-rte snippets/range_is_empty.c
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_contains()</h1>
+
+<pre class="code">
+ /* Does range contain val? */
+ static inline bool range_contains(const Range *range, uint64_t val)
+ {
+ return val >= range->lob && val <= range->upb;
+ }
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_contains()</h1>
+
+<pre class="code">
+ <span class="comment">/*@
+ predicate value_in_range(struct Range range, uint64_t value) =
+ range.lob <= value <= range.upb;
+ */</span>
+
+ /* Does range contain val? */
+ <span class="comment">/*@
+ requires \valid_read(range);
+ requires valid_range(*range);
+ assigns \nothing;
+ ensures \result <==> value_in_range(*range, val);
+ */</span>
+ static inline bool range_contains(const Range *range, uint64_t val)
+ {
+ return val >= range->lob && val <= range->upb;
+ }
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_make_empty()</h1>
+
+<pre class="code">
+ /* Initialize range to the empty range */
+ <span class="comment">/*@
+ requires \valid(range);
+ requires valid_range(*range);
+ assigns *range;
+ ensures empty_range(*range);
+ */</span>
+ static inline void range_make_empty(Range *range)
+ {
+ *range = range_empty;
+ assert(range_is_empty(range));
+ }
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_size()</h1>
+
+<pre class="code">
+ /* Get the size of range. */
+ static inline uint64_t range_size(const Range *range)
+ {
+ return range->upb - range->lob + 1;
+ }
+</pre>
--- /dev/null
+#!/bin/bash -
+
+source functions
+
+# Title.
+export title="qemu’s range_size()"
+
+# History.
+remember 'cat snippets/range_size.c'
+remember 'frama-c -wp -wp-rte snippets/range_size.c'
+
+terminal
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_size() counterexample</h1>
+
+<pre class="code">
+ /* Get the size of range. */
+ static inline uint64_t range_size(const Range *range)
+ {
+ return range->upb - range->lob + 1;
+ }
+</pre>
+<pre>
+ ┌─────────────────────────────────────────────────┐
+ │░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
+ └─────────────────────────────────────────────────┘
+ range->lob == 0 range->upb == UINT64_MAX
+</pre>
--- /dev/null
+#!/bin/bash -
+
+source functions
+
+# Title.
+export title="qemu’s range_size()"
+
+# History.
+remember 'cat snippets/range_size-good.c'
+remember 'frama-c -wp -wp-rte snippets/range_size-good.c'
+
+terminal
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_init_nofail()</h1>
+
+<pre class="code">
+ /*
+ * Initialize range to span the interval [lob,lob + size - 1].
+ * size may be 0. Range must not overflow.
+ */
+ static inline void range_init_nofail(Range *range, uint64_t lob,
+ uint64_t size)
+ {
+ range->lob = lob;
+ range->upb = lob + size - 1;
+ }
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_init_nofail()</h1>
+
+<pre class="code">
+ /*
+ * Initialize range to span the interval [lob,lob + size - 1].
+ * size may be 0. Range must not overflow.
+ */
+ static inline void range_init_nofail(Range *range, uint64_t lob,
+ uint64_t size)
+ {
+ range->lob = lob;
+ range->upb = lob + size - 1;
+ }
+</pre>
+<pre>
+ lob == 0 size == 0
+ ┌─────────────────────────────────────────────────┐
+ │░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
+ └─────────────────────────────────────────────────┘
+</pre>
+<pre>
+ lob == 1 size == 0
+ ┌─────────────────────────────────────────────────┐
+ │ │ │
+ └─────────────────────────────────────────────────┘
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>qemu range_init_nofail() spec</h1>
+
+<pre class="code">
+ /*@
+ requires \valid(range);
+ requires lob + (integer)size <= UINT64_MAX;
+ assigns *range;
+ behavior empty:
+ assumes lob > 0 && size == 0;
+ ensures empty_range(*range);
+ behavior non_empty:
+ assumes size > 0;
+ ensures range->lob == lob;
+ ensures size_of_bounds(lob, range->upb) == size;
+ behavior total:
+ assumes lob == 0 && size == 0;
+ ensures total_range(*range);
+ complete behaviors;
+ disjoint behaviors;
+ */
+</pre>
--- /dev/null
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<link rel="stylesheet" href="style.css" type="text/css"/>
+<script src="code.js" type="text/javascript"></script>
+
+<h1>New empty_range and total_range predicates</h1>
+
+<pre class="code">
+ /*@ // before:
+ predicate empty_range(struct Range range) =
+ range.lob == range.upb + 1;
+ */
+</pre>
+
+<pre class="code">
+ /*@ // after:
+ predicate empty_range(struct Range range) =
+ range.lob > 0 && range.lob == range.upb + 1;
+
+ predicate total_range(struct Range range) =
+ range.lob == 0 && range.upb == UINT64_MAX;
+ */
+</pre>
git.annexia.org / libguestfs-talks.git / commitdiff