CProver manual
|
Assumptions are used to restrict nondeterministic choices made by the program. As an example, suppose we wish to model a nondeterministic choice that returns a number from 1 to 100. There is no integer type with this range. We therefore use __CPROVER_assume to restrict the range of a nondeterministically chosen integer:
This function returns the desired integer from 1 to 100. You must ensure that the condition given as an assumption is actually satisfiable by some nondeterministic choice, otherwise the model checking step will pass vacuously.
Also note that assumptions are never retroactive. They only affect assertions (or other properties) that follow them in program order. This is best illustrated with an example. In the following fragment the assumption has no effect on the assertion, which means that the assertion will fail:
Assumptions do restrict the search space, but only for assertions that follow. As an example, this program will pass:
Beware that nondeterminism cannot be used to obtain the effect of universal quantification in assumptions. For example:
This code fails, as there is a choice of x and y which results in a counterexample (any choice in which x and y are different).
You can ask CBMC to give coverage information regarding __CPROVER_assume
statements. This is useful when you need, for example, to check which assume statements may have led to an emptying of the search state space, resulting in assert
statements being vaccuously passed.
To use that invoke CBMC with the --cover assume
option. For example, for a file:
CBMC invoked with cbmc --cover assume test.c
will report:
When an assert(false)
statement before the assume has the property status SATISFIED
, but is followed by an assert(false)
statement after the assume statement that has status FAILED
, this is an indication that this specific assume statement (on the line reported) is one that is emptying the search space for model checking.
Last modified: 2024-11-20 06:00:32 -0800