├── project ├── build.properties └── assembly.sbt ├── cc-parser └── cc-parser.jar ├── acsl-parser └── acsl-parser.jar ├── lib └── java-cup-11b-runtime.jar ├── regression-tests ├── horn-hcc │ ├── preprocess-1.c │ ├── static-global.c │ ├── assert-ite-1.c │ ├── test-para1.hcc │ ├── inits2.hcc │ ├── unsigned1.hcc │ ├── assert-ite-2.c │ ├── ternary-bug.c │ ├── atomic3c.hcc │ ├── inits.hcc │ ├── preprocess-2-assert.c │ ├── preprocess-3-assert.c │ ├── atomic3d.hcc │ ├── inits4.hcc │ ├── atomic3b.hcc │ ├── inits3.hcc │ ├── shadowing.hcc │ ├── atomic3.hcc │ ├── extended-decl.hcc │ ├── atomic4.hcc │ ├── abort-1.c │ ├── abort-2.c │ ├── inits4-explicit.hcc │ ├── jumps2.hcc │ ├── inits2-opt.hcc │ ├── loop1.hcc │ ├── loop2.hcc │ ├── test6.hcc │ ├── predicates.hcc │ ├── test3.hcc │ ├── test7.hcc │ ├── functions2.hcc │ ├── inits4-opt.hcc │ ├── test5.hcc │ ├── predicates2.hcc │ ├── jumps3.hcc │ ├── disconnected-assertions.hcc │ ├── function-in-assume-assert-1-true.c │ ├── static-local-retention-false.c │ ├── function-in-assume-assert-1-false.c │ ├── static-local-retention-true.c │ ├── test4.hcc │ ├── test1.hcc │ ├── atomic1.hcc │ ├── lazy-eval1.hcc │ ├── function-in-assume-assert-2-false.c │ ├── function-in-assume-assert-2-true.c │ ├── atomic2.hcc │ ├── diamond_true-unreach-call1.c │ ├── test-para2.hcc │ ├── shadowing-global.hcc │ ├── function-in-assume-assert-3-false.c │ ├── function-in-assume-assert-3-true.c │ ├── static-shadowing-true.c │ ├── test2c.hcc │ ├── jumps.hcc │ ├── test2.hcc │ ├── test2b.hcc │ ├── functions.hcc │ ├── down_true-unreach-call.i.c │ ├── locking.hcc │ └── literals.c ├── properties │ ├── valid-deref-uninit-false.c │ ├── valid-deref-nullptr-false.c │ ├── valid-free-7-false.c │ ├── valid-deref-arraybounds-2-false.c │ ├── valid-deref-arraybounds-1-false.c │ ├── valid-free-1-true.c │ ├── todo │ │ ├── valid-deref-type-2-true.c │ │ ├── valid-deref-type-1-false.c │ │ ├── valid-deref-type-2-false.c │ │ ├── valid-deref-stack-1-true.c │ │ ├── valid-deref-stack-1-true.yml │ │ ├── valid-deref-type-2-true.yml │ │ ├── valid-deref-stack-1-false.yml │ │ ├── valid-deref-type-1-false.yml │ │ ├── valid-deref-type-2-false.yml │ │ ├── valid-deref-stack-1-false.c │ │ └── README.md │ ├── valid-deref-arraybounds-4-false.c │ ├── valid-free-6-true.c │ ├── valid-memcleanup-1-true.c │ ├── valid-free-3-true.c │ ├── valid-free-4-false.c │ ├── valid-free-10-true.c │ ├── valid-free-11-true.c │ ├── valid-free-5-false.c │ ├── valid-free-2-false.c │ ├── valid-free-8-false.c │ ├── valid-free-9-false.c │ ├── valid-memcleanup-1-false.c │ ├── valid-memcleanup-array-false.c │ ├── valid-deref-arraybounds-3-false.c │ ├── valid-deref-arraybounds-3-true.c │ ├── valid-memcleanup-2-false.c │ ├── valid-memcleanup-1-true.yml │ ├── valid-memcleanup-3-true.yml │ ├── valid-memcleanup-1-false.yml │ ├── valid-memcleanup-2-false.yml │ ├── valid-memcleanup-3-false.yml │ ├── valid-memcleanup-4-false.yml │ ├── valid-memcleanup-array-true.yml │ ├── valid-memcleanup-4-false.c │ ├── valid-memcleanup-array-false.yml │ ├── valid-free-1-true.yml │ ├── valid-free-3-true.yml │ ├── valid-free-6-true.yml │ ├── valid-free-10-true.yml │ ├── valid-free-12-false.yml │ ├── valid-free-2-false.yml │ ├── valid-free-4-false.yml │ ├── valid-free-5-false.yml │ ├── valid-free-7-false.yml │ ├── valid-free-8-false.yml │ ├── valid-free-9-false.yml │ ├── valid-free-11-true.yml │ ├── valid-deref-nullptr-false.yml │ ├── valid-deref-uninit-false.yml │ ├── valid-memtrack-array-true.yml │ ├── valid-deref-arraybounds-1-false.yml │ ├── valid-deref-arraybounds-2-false.yml │ ├── valid-deref-arraybounds-3-false.yml │ ├── valid-deref-arraybounds-3-true.yml │ ├── valid-deref-arraybounds-4-false.yml │ ├── valid-memcleanup-3-false.c │ ├── valid-memcleanup-3-true.c │ ├── valid-memtrack-array-true.c │ ├── valid-memcleanup-array-true.c │ ├── valid-free-12-false.c │ └── runtests ├── horn-hcc-array │ ├── array-of-ptr-1.c │ ├── simple-global-memsafety1.c │ ├── simple-alloca-memsafety1.c │ ├── simple-stack-memsafety1.c │ ├── nondet-global-array-explicit-1.c │ ├── out-of-bounds-line4.c │ ├── out-of-bounds-line2.c │ ├── nondet-static-array-explicit-1.c │ ├── ilp32-bug-1.c │ ├── simple-dynamic-array.c │ ├── simple-global-array.c │ ├── nondet-global-array-explicit-2.c │ ├── simple-alloca-memsafety2.c │ ├── nondet-global-array-opt-1.c │ ├── nondet-static-array-explicit-2.c │ ├── nondet-static-array-opt-1.c │ ├── global-struct-array-1.c │ ├── pointer-arith-1-safe.c │ ├── pointer-arith-2-safe.c │ ├── pointer-arith-1-unsafe.c │ ├── pointer-arith-2-unsafe.c │ ├── pointer-arith-3-safe.c │ ├── out-of-bounds-line3.c │ ├── out-of-bounds-line1.c │ ├── nondet-global-array-explicit-3.c │ ├── nondet-global-array-opt-2.c │ ├── nondet-static-array-opt-2.c │ ├── nondet-static-array-explicit-3.c │ ├── out-of-bounds-loop.c │ ├── array-single-alloc.c │ ├── out-of-bounds-line1.yml │ ├── out-of-bounds-line2.yml │ ├── out-of-bounds-line3.yml │ ├── out-of-bounds-line4.yml │ ├── out-of-bounds-loop.yml │ ├── nondet-global-array-opt-3.c │ ├── dynamic-loop1.yml │ ├── pointer-arith-1-safe.yml │ ├── pointer-arith-2-safe.yml │ ├── pointer-arith-3-safe.yml │ ├── simple-dynamic-array.yml │ ├── nondet-static-array-opt-3.c │ ├── simple-stack-memsafety1.yml │ ├── simple-alloca-memsafety1.yml │ ├── simple-alloca-memsafety2.yml │ ├── simple-global-memsafety1.yml │ ├── array-inside-struct-1.c │ ├── pointer-arith-2-unsafe.yml │ ├── pointer-arith-3-unsafe.yml │ ├── pointer-arith-1-unsafe.yml │ ├── pointer-arith-3-unsafe.c │ └── dynamic-loop1.c ├── acsl-standalone │ ├── getptr_unsafe.c │ ├── inc_safe.c │ ├── inc_unsafe.c │ ├── getptr_safe.c │ ├── assigns_safe.c │ ├── assigns_unsafe.c │ ├── old_safe.c │ ├── old_unsafe.c │ ├── mc91_safe.c │ ├── swap_safe.c │ ├── getptr_safe.yml │ ├── dblptr-assigns_safe.c │ ├── mc91_unsafe.c │ ├── getptr_unsafe.yml │ ├── maxptr_safe.c │ ├── maxptr_unsafe.c │ ├── dblptr-assigns_unsafe.c │ ├── incdec_safe.c │ ├── incdec_unsafe.c │ ├── swap_unsafe.c │ └── runtests ├── horn-hcc-2 │ ├── clocks2.hcc │ ├── lazy-and-or-bug.hcc │ ├── atomic3f.hcc │ ├── interval-propagator-bug.hcc │ ├── hints3.hcc │ ├── channels.hcc │ ├── nonlinear1.hcc │ ├── clocks3.hcc │ ├── typedef1.hcc │ ├── clocks4.hcc │ ├── clocks1.hcc │ ├── atomic3e.hcc │ ├── channels-3.hcc │ ├── channels-2b.hcc │ ├── clocks5.hcc │ ├── hints.hcc │ ├── switch1.hcc │ ├── channels-2.hcc │ ├── hints4.hcc │ ├── duration3.hcc │ ├── duration3c.hcc │ ├── duration3d.hcc │ ├── duration3b.hcc │ ├── nonlinear2.hcc │ ├── hints2.hcc │ ├── duration1.hcc │ ├── duration2.hcc │ ├── fischer.hcc │ ├── fischer-AB.hcc │ ├── switch2.hcc │ └── runtests ├── horn-hcc-pointer │ ├── ptrptr-bug-2.c │ ├── cast-stack-heap-01.c │ ├── ptrptr-bug-1.c │ ├── list-init.hcc │ ├── ptr-to-int-cast.c │ ├── fields.hcc │ ├── stack-ptr-fun-ret.c │ ├── struct-pointer2.hcc │ ├── struct-pointer.hcc │ ├── runtests │ ├── unary.hcc │ ├── unary-struct.hcc │ ├── fields-nested.hcc │ ├── basic.hcc │ └── unary-struct-nested.hcc ├── loop-invariants │ ├── simple-loop.c │ ├── simple-loop-contract.c │ ├── loop-in-func.c │ ├── simple-loop-annotate.c │ └── runtests ├── horn-hcc-heap │ ├── illegal-access-002.c │ ├── illegal-access-001.c │ ├── preop.c │ ├── free-1-unsafe.c │ ├── free-3-safe.c │ ├── unsafe-access-001.c │ ├── free-4-unsafe.c │ ├── postop.c │ ├── stackptr-to-heapptr-double.c │ ├── stack-array-1-unsafe.c │ ├── free-2-nondet-unsafe.c │ ├── preop-struct.c │ ├── typecastUnsafe-001.c │ ├── postop-struct.c │ ├── simple-struct.c │ ├── stack-array-2-safe.c │ ├── stack-ptr-bug-1.c │ ├── simple-struct-fail.c │ ├── free-3-safe.yml │ ├── simple-struct-2.c │ ├── stack-array-2-unsafe.c │ ├── struct-ptrfield-1.yml │ ├── struct-ptrfield-1.c │ ├── swap-1-fail.c │ ├── free-5-unsafe.c │ ├── opassign.c │ ├── swap-1.c │ ├── typecastSafe-001.c │ ├── free-1-unsafe.yml │ ├── free-4-unsafe.yml │ ├── sizeof-bug-1-true.c │ ├── unsafe-access-001.yml │ ├── typecastUnsafe-001.yml │ ├── free-2-nondet-unsafe.yml │ ├── stackptr-to-heapptr.c │ ├── struct-chained-ptr-field-1-safe.c │ ├── struct-chained-ptr-field-1-unsafe.c │ ├── swap-3.c │ ├── swap-2.c │ ├── typecastSafe-001.yml │ ├── heap-guard-bug-1.c │ ├── swap-2-fail.c │ ├── heap-guard-bug-2.c │ ├── opassign-struct.c │ ├── sizeof-bug-2-true.c │ ├── simple-arith.c │ ├── mutually-referential-structs-unsafe.c │ ├── list-001.c │ ├── list-002.c │ ├── list-001-fail.c │ ├── mutually-referential-structs.c │ ├── list-002-fail.c │ └── mutually-referential-structs-fail.c ├── horn-hcc-enum │ ├── enum3.hcc │ ├── enum2.hcc │ ├── enum1.hcc │ ├── enum1-trailing-comma.hcc │ ├── enum4.hcc │ ├── enum-typedef.hcc │ ├── enum-typedef-pointer2.hcc │ ├── enum-typedef2.hcc │ ├── runtests │ ├── enum-typedef-X.hcc │ ├── enum-typedef-pointer.hcc │ ├── enum-typedef-pointer2.hcc~ │ └── enum5.hcc ├── at-expressions │ ├── Answers │ ├── runtests │ ├── simple-01-false.c │ ├── at-old-01-false.c │ ├── simple-01-true.c │ └── at-old-01-true.c ├── uninterpreted-predicates │ ├── unint-pred-simple-false.c │ ├── unint-pred-simple-true.c │ ├── unint-pred-stack-ptr-unsupported.c │ ├── unint-pred-unnamed-ptr-arg-bug.c │ ├── unint-pred-simple-ptr-true.c │ ├── runtests │ ├── pred-hint.c │ └── Answers ├── acsl-contracts │ ├── contract7.hcc │ ├── contract14.hcc │ ├── contract6.hcc │ ├── contract2.hcc │ ├── contract1.hcc │ ├── contract3.hcc │ ├── contract4.hcc │ ├── contract12.hcc │ ├── contract17.hcc │ ├── contract18.hcc │ ├── contract15.hcc │ ├── contract21.hcc │ ├── contract26.hcc │ ├── contract8.hcc │ ├── contract22.hcc │ ├── contract20.hcc │ ├── contract23.hcc │ ├── contract25.hcc │ ├── contract24.hcc │ ├── contract10.hcc │ ├── struct-field-access-1-true.hcc │ ├── contract5.hcc │ ├── contract11.hcc │ ├── contract13.hcc │ ├── struct-field-access-2-false.hcc │ ├── contract9.hcc │ ├── contract16.hcc │ ├── contract27.hcc │ ├── struct-field-access-3-true.hcc │ ├── contract19.hcc │ ├── struct-field-access-4-false.hcc │ ├── runtests │ └── Answers ├── horn-contracts │ ├── stackptr-ilp32.hcc │ ├── stackptr.hcc │ ├── contract3.hcc │ ├── contract1.hcc │ ├── stackptr-func-dec.hcc │ ├── struct-name-bug.hcc │ ├── contract2.hcc │ ├── contract2b.hcc │ ├── assert.hcc │ ├── fib.hcc │ ├── stackptr-custom-entry.hcc │ ├── stackptr-struct.hcc │ ├── takeuchi.hcc │ ├── stackptr-nested-calls.hcc │ ├── stackptr-retvalue.hcc │ ├── stackptr-multi-arg.hcc │ ├── stackptr-recursion.hcc │ └── runtests ├── horn-bv │ ├── bitwise3.hcc │ ├── bitwise2.hcc │ ├── nonlinear2.hcc │ ├── runtests │ ├── bitwise1.hcc │ ├── convert.sh │ └── MonadicInv.hcc ├── interpreted-predicates │ ├── simple-invariant-false.c │ ├── simple-invariant-true.c │ ├── runtests │ ├── simple-loop-invariant-true.c │ ├── simple-loop-invariant-false.c │ └── Answers ├── horn-hcc-struct │ ├── emptyStruct.hcc │ ├── assign-illegal.hcc │ ├── typedef.hcc │ ├── assign2.hcc │ ├── anon.hcc │ ├── assign-exp.hcc │ ├── assign-exp-eval-order.hcc │ ├── loop.hcc │ ├── assign.hcc │ ├── race.hcc │ ├── nested.hcc │ ├── runtests │ ├── Answers │ └── init.hcc ├── quantifiers │ ├── ext-univ-1-safe.hcc │ ├── ext-univ-4-empty-safe.hcc │ ├── ext-univ-3-nonzero-lo-safe.hcc │ ├── ext-univ-1-unsafe.hcc │ ├── ext-univ-5-cmpN-safe.hcc │ ├── ext-univ-2-safe.hcc │ ├── runtests │ └── Answers ├── math-arrays │ ├── runtests │ ├── simple-math-array-1.hcc │ ├── struct-array.hcc │ └── Answers ├── horn-contract-parsing │ └── fib.hcc ├── toh-contract-translation │ ├── heapptr-to-stackptr.c │ ├── multi-arg-1.c │ ├── qualified-heapptr-to-stackptr.c │ ├── runtests │ ├── incdec-2.c │ ├── multi-arg-2.c │ ├── struct-1.c │ ├── get-1.c │ ├── incdec-3.c │ ├── incdec-1.c │ ├── max-1.c │ ├── max-2.c │ ├── truck-1.c │ ├── multadd-1.c │ ├── get-2.c │ ├── multadd-3.c │ ├── truck-2.c │ └── multadd-2.c ├── ParametricEncoder │ └── runtests └── rundir ├── tri ├── .gitignore ├── .github └── workflows │ └── scala.yml └── src └── main └── scala └── tricera ├── Literals.scala └── concurrency └── ccreader └── CCPredicate.scala /project/build.properties: -------------------------------------------------------------------------------- 1 | sbt.version=1.4.0 2 | -------------------------------------------------------------------------------- /project/assembly.sbt: -------------------------------------------------------------------------------- 1 | addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "0.14.5") 2 | -------------------------------------------------------------------------------- /cc-parser/cc-parser.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uuverifiers/tricera/HEAD/cc-parser/cc-parser.jar -------------------------------------------------------------------------------- /acsl-parser/acsl-parser.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uuverifiers/tricera/HEAD/acsl-parser/acsl-parser.jar -------------------------------------------------------------------------------- /lib/java-cup-11b-runtime.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uuverifiers/tricera/HEAD/lib/java-cup-11b-runtime.jar -------------------------------------------------------------------------------- /regression-tests/horn-hcc/preprocess-1.c: -------------------------------------------------------------------------------- 1 | #define X 42 2 | 3 | void main() { 4 | assert(X == 42); 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-uninit-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *p; 3 | *p = 42; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/static-global.c: -------------------------------------------------------------------------------- 1 | static int x; 2 | 3 | void main() 4 | { 5 | assert(x == 0); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-nullptr-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *p = 0; 3 | *p = 42; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/array-of-ptr-1.c: -------------------------------------------------------------------------------- 1 | void main(){ 2 | int* a[3]; 3 | a[0] = malloc(sizeof(int)); 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-global-memsafety1.c: -------------------------------------------------------------------------------- 1 | int a[42]; 2 | 3 | void main() { 4 | assert(a[0] == 0); 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/assert-ite-1.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | assert((1 == 1 ? 1 : 0) + 3 | (2 == 2 ? 1 : 0)); 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test-para1.hcc: -------------------------------------------------------------------------------- 1 | int gid = _; 2 | 3 | thread[id] Proc { 4 | gid = id; 5 | assert (gid == id); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-7-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int x[42]; 5 | free(x); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/getptr_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures \result == *p; 3 | */ 4 | int foo(int* p) { 5 | return *p; 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/clocks2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | thread A { 4 | clock x = 0; 5 | clock z = 1; 6 | 7 | assert(z > x); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/ptrptr-bug-2.c: -------------------------------------------------------------------------------- 1 | void main(void) { 2 | int** p = (int**) malloc(sizeof(int*)); 3 | *p = 0; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int g; 4 | unsigned int h; 5 | 6 | void main() { 7 | assert(g == 0 && h == 0); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/loop-invariants/simple-loop.c: -------------------------------------------------------------------------------- 1 | void foo() { 2 | for (int i = 0; i < 3; ++i) { 3 | assert(i < 3); 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-2-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int arr[3] = {1, 2, 3}; 3 | arr[4] = 42; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-1-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int arr[3] = {1, 2, 3}; 3 | arr[-1] = 42; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-alloca-memsafety1.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int a[]; 3 | a = alloca(sizeof(int)*42); 4 | a[0] = 0; 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/illegal-access-002.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | x = 1; 4 | *x = 42; 5 | } 6 | 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/unsigned1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | unsigned int x; 4 | 5 | void main() { 6 | unsigned int y; 7 | assert(x >= 0 && y >= 0); 8 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | enum week{Mon, Tue, Wed}day; 4 | 5 | void main() { 6 | day = Mon; 7 | assert(day != Tue); 8 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/illegal-access-001.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | int *y = 1; 4 | *y = 42; 5 | } 6 | 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/assert-ite-2.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int x=1,y=0; 3 | assert((x == y ? x : y) + 4 | (x == y+1 ? x : y)); 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/ternary-bug.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int x, y; 3 | int z = y; 4 | assume( x == ((z == y)? 1 : 0) ); 5 | assert(0); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-1-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *x = malloc(sizeof *x); 5 | free(x); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/inc_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires x >= 0; 3 | ensures \result >= 1; 4 | */ 5 | int foo(int x) { 6 | return x+1; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/inc_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires x >= 0; 3 | ensures \result >= 1; 4 | */ 5 | int foo(int x) { 6 | return x; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/preop.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | assert(++(*x) == 1); 4 | assert(--(*x) == 0); 5 | } 6 | 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/cast-stack-heap-01.c: -------------------------------------------------------------------------------- 1 | int *x = ((void *)0); 2 | int** y = (int**)&x; 3 | 4 | void main() { 5 | assert (*y == x); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic3c.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int x = 0; 5 | while (1) 6 | atomic { 7 | x++; 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int M = 40, mm, n, mpt = M + 1; 4 | 5 | 6 | void main() { 7 | 8 | assert(mpt > 40); 9 | 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/preprocess-2-assert.c: -------------------------------------------------------------------------------- 1 | #include "assert.h" 2 | 3 | int main() { 4 | int x = 42; 5 | assert(x != 42); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/preprocess-3-assert.c: -------------------------------------------------------------------------------- 1 | #include "assert.h" 2 | 3 | int main() { 4 | int x = 42; 5 | assert(x == 42); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-2-true.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | long *p = (long*) malloc(sizeof(int)); // this is fine, no access. 3 | } 4 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-4-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int arr[10]; 4 | 5 | void main() { 6 | arr[10] = 42; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-6-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *x = malloc(sizeof(int)*42); 5 | free(x); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/getptr_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p); 3 | ensures \result == *p; 4 | */ 5 | int foo(int* p) { 6 | return *p; 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-stack-memsafety1.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int a[42], b[10]; 3 | a[0] = 0; // prevent optimisation 4 | b[0] = 1; 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-1-unsafe.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *a = malloc(sizeof(int)); 3 | free(a); 4 | *a = 42; // unsafe - use after free 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/ptrptr-bug-1.c: -------------------------------------------------------------------------------- 1 | void main(void) { 2 | int** p = (int**) malloc(sizeof *p); // this was a bug from tri-pp 3 | *p = 0; 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic3d.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int x = 0; 5 | 6 | l : atomic { 7 | x++; 8 | goto l; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits4.hcc: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int g; 4 | static unsigned int h; 5 | 6 | assert(h >= 0); 7 | assert(g == 0); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-1-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *p = malloc(sizeof(int)); 5 | free(p); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-explicit-1.c: -------------------------------------------------------------------------------- 1 | int a[5] = _; 2 | 3 | void main() { 4 | // Should be UNSAFE 5 | assert(a[0] == 0); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line4.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int a[42]; 5 | 6 | void main() { 7 | a[-1] = 3; 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | enum E { 4 | A, B, C 5 | }; 6 | 7 | void main() { 8 | enum E x; 9 | assert(x == A || x == B); 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-3-safe.c: -------------------------------------------------------------------------------- 1 | int nondet(); 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | free(a); 6 | int *b = a; // safe 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic3b.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int x = 0; 5 | atomic { 6 | while (1) { 7 | x++; 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int g = _; 4 | unsigned int h = _; 5 | 6 | void main() { 7 | assert(h >= 0); 8 | assert(g == 0); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/loop-invariants/simple-loop-contract.c: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void foo() { 3 | for (int i = 0; i < 3; ++i) { 4 | assert(i < 3); 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-3-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *x = 0; 5 | free(x); // OK because x is null pointer. 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int a[42]; 5 | 6 | void main() { 7 | int x = a[42]; 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/unsafe-access-001.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | int **y = 0; 4 | *y = x; // y is not allocated 5 | } 6 | 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/shadowing.hcc: -------------------------------------------------------------------------------- 1 | 2 | void f(int x) { 3 | ++x; 4 | } 5 | 6 | void main(void) { 7 | int x = 0; 8 | f(x); 9 | assert(x == 0); 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | enum E { 4 | A, B, C 5 | }; 6 | 7 | void main() { 8 | enum E x; 9 | assert(x == A || x == B || x == C); 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-4-unsafe.c: -------------------------------------------------------------------------------- 1 | int nondet(); 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | free(a); 6 | int *b = a; 7 | *b = 42; 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/list-init.hcc: -------------------------------------------------------------------------------- 1 | struct list{ 2 | int k; 3 | } 4 | 5 | struct list *LIST; 6 | 7 | void main(){ 8 | assert(LIST == 0); // should be safe 9 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-explicit-1.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int a[5] = _; 4 | 5 | // Should be UNSAFE 6 | assert(a[0] == 0); 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/postop.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | assert((*x)++ == 0); 4 | assert((*x)-- == 1); 5 | assert(*x == 0); 6 | } 7 | 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int x = 0; 5 | atomic { 6 | x++; 7 | while (1) { 8 | x++; 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-4-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *x; 5 | free(x); // not OK, because x is uninitialized and not null. 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/assigns_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p); 3 | assigns \nothing; 4 | ensures \result == 42; 5 | */ 6 | int foo(int* p) { 7 | return 42; 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/ilp32-bug-1.c: -------------------------------------------------------------------------------- 1 | int i[2]; 2 | 3 | void f1() { 4 | assert(i[1] == (i[1] & 0x0000FFFF) + (i[1] & 0xFFFF0000)); 5 | } 6 | 7 | void main() { 8 | f1(); 9 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/extended-decl.hcc: -------------------------------------------------------------------------------- 1 | 2 | thread A { 3 | 4 | int x; 5 | assume(x >= 0); 6 | int y; 7 | assume(y < -10); 8 | 9 | assert(y < x); 10 | 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-10-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void foo() { 4 | int *x = alloca(sizeof(int)); 5 | } 6 | 7 | void main() { 8 | foo(); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum1-trailing-comma.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | enum E { 4 | A, B, C, 5 | }; 6 | 7 | void main() { 8 | enum E x; 9 | assert(x == A || x == B || x == C); 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum4.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | enum week{Mon = 3, Tue = 2, Wed = 1, Thu}day; 4 | 5 | void main() { 6 | day = Mon; 7 | assert(day != Tue); 8 | assert(Tue == Thu); 9 | } -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-11-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void foo() { 4 | int *x = alloca(sizeof(int)*3); 5 | } 6 | 7 | void main() { 8 | foo(); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-5-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int x; 5 | int *y = &x; 6 | free(y); // not OK, because y is a stack pointer. 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/Answers: -------------------------------------------------------------------------------- 1 | 2 | simple-01-false.c 3 | UNSAFE 4 | 5 | simple-01-true.c 6 | SAFE 7 | 8 | at-old-01-false.c 9 | UNSAFE 10 | 11 | at-old-01-true.c 12 | SAFE 13 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/unint-pred-simple-false.c: -------------------------------------------------------------------------------- 1 | /*$ P(int x) $*/ 2 | 3 | void main() { 4 | assert(P(42)); 5 | int x; 6 | assume(P(x)); 7 | assert(x == 43); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/lazy-and-or-bug.hcc: -------------------------------------------------------------------------------- 1 | int x; 2 | 3 | void main(void) { 4 | int y; 5 | y = (0 == x && x == 1); 6 | assert(!y); 7 | } 8 | 9 | thread A { 10 | x = 1; 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stackptr-to-heapptr-double.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main () { 4 | int *x1, *x2; 5 | int y = 42; 6 | x1 = &y; 7 | x2 = &y; 8 | assert(x1 == x2); 9 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic4.hcc: -------------------------------------------------------------------------------- 1 | 2 | int x = _; 3 | 4 | thread A { 5 | atomic { assume(x > 0); } 6 | assert(0); 7 | } 8 | 9 | thread B { 10 | atomic { assume(x < 0); } 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-2-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *x = malloc(sizeof *x); 5 | free(x); 6 | free(x); // double free - undefined behavior 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/atomic3f.hcc: -------------------------------------------------------------------------------- 1 | 2 | int x = 0; 3 | 4 | void main() { 5 | clock C = 0; 6 | 7 | within(C <= 3) { 8 | while(1) 9 | x++; 10 | C = 0; 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/interval-propagator-bug.hcc: -------------------------------------------------------------------------------- 1 | extern int nondet_int(); 2 | 3 | void main() { 4 | int x = 1, y; 5 | for (y = 0; y < 1000; y++) 6 | x = x + y; 7 | assert(x >= y); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-1-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int a = 10; 3 | long *p = (long *)&a; 4 | *p = 20; // Incorrect type access - accessing an 'int' as a 'long' 5 | } 6 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-2-false.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | long *p = (long*) malloc(sizeof(int)); 3 | *p = 42; // Incorrect type access - accessing an 'int' as a 'long' 4 | } 5 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-8-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void foo() { 4 | int *x = alloca(sizeof(int)); 5 | free(x); 6 | } 7 | 8 | void main() { 9 | foo(); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-9-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void foo() { 4 | int *x = alloca(sizeof(int)*3); 5 | free(x); 6 | } 7 | 8 | void main() { 9 | foo(); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract7.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires n >= 0; 3 | ensures n >= 0; 4 | */ 5 | int foo(int n) { 6 | return 42; 7 | } 8 | 9 | void main() 10 | { 11 | foo(2); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/assigns_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p); 3 | assigns \nothing; 4 | ensures \result == 42; 5 | */ 6 | int foo(int* p) { 7 | *p = 42; 8 | return 42; 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stack-array-1-unsafe.c: -------------------------------------------------------------------------------- 1 | // see https://github.com/uuverifiers/tricera/issues/36 2 | 3 | void main(void) { 4 | int a[3]; 5 | int b[3]; 6 | 7 | assert(a[0] == b[0]); 8 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/abort-1.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | int x = 42; 3 | if(x != 42) { 4 | abort(); 5 | } else { 6 | exit(0); 7 | } 8 | assert(0); // unreachable 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/abort-2.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | int x = 42; 3 | if(x == 42) { 4 | abort(); 5 | } else { 6 | exit(0); 7 | } 8 | assert(0); // unreachable 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-1-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *p = malloc(sizeof(int)); 5 | // p is not freed before program end - violates memcleanup. 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract14.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures \forall int i; i >= 0 ==> i > \result; 3 | */ 4 | int getNeg() { 5 | return -1; 6 | } 7 | 8 | void main(void) { 9 | getNeg(); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract6.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires n == 2; 3 | ensures \result == 12; 4 | */ 5 | int foo(int n) { 6 | return n+10; 7 | } 8 | 9 | void main() 10 | { 11 | foo(2); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/loop-invariants/loop-in-func.c: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void value() { 3 | for (int i = 0; i < 3; ++i) { 4 | assert(i < 3); 5 | } 6 | } 7 | 8 | void foo() { 9 | value(); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/loop-invariants/simple-loop-annotate.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \true; 3 | ensures \true; 4 | */ 5 | void foo() { 6 | for (int i = 0; i < 3; ++i) { 7 | assert(i < 3); 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-ilp32.hcc: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | static void f1(int *p) 3 | { 4 | *p = 0; 5 | } 6 | 7 | void main() 8 | { 9 | int c; 10 | f1(&c); 11 | assert(c == 0); 12 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/hints3.hcc: -------------------------------------------------------------------------------- 1 | 2 | int t; 3 | 4 | void main() { 5 | int /*@ predicates { i == t, i == t+1 } @*/ i = 0; 6 | 7 | for (; i < 100; ++i) 8 | ++t; 9 | 10 | assert(t == 100); 11 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-dynamic-array.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | a = malloc(sizeof(int)*(2)); 5 | a[0] = 1; 6 | a[1] = 2; 7 | assert((a[0] + a[1]) == 3); 8 | free(a); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-2-nondet-unsafe.c: -------------------------------------------------------------------------------- 1 | int nondet(); 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | if(nondet()) 6 | free(a); 7 | *a = 42; // unsafe - possible use after free 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/preop-struct.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int x; 3 | } *s; 4 | 5 | void main() { 6 | s = calloc(sizeof(struct S)); 7 | assert(++(s->x) == 1); 8 | assert(--(s->x) == 0); 9 | } 10 | 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits4-explicit.hcc: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int g = _; 4 | static unsigned int h = _; 5 | 6 | assert(h >= 0); 7 | 8 | // Should be UNSAFE 9 | assert(g == 0); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/jumps2.hcc: -------------------------------------------------------------------------------- 1 | 2 | int g = 0; 3 | 4 | void f(int x) { 5 | if (x > 0) 6 | return; 7 | g++; 8 | } 9 | 10 | thread A { 11 | 12 | f(42); 13 | assert(!g); 14 | 15 | } 16 | 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/channels.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | chan c, d; 4 | int x; 5 | 6 | thread A { 7 | x++; 8 | chan_send(c); 9 | } 10 | 11 | thread B { 12 | chan_receive(c); 13 | x++; 14 | assert(x == 2); 15 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-global-array.c: -------------------------------------------------------------------------------- 1 | int a[10]; 2 | 3 | void main() { 4 | assert(a[0] == 0); 5 | a[1] = 40; 6 | assert(a[1] == 40); 7 | a[2] = 2; 8 | assert(a[1] + a[2] == 42); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits2-opt.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int g; 4 | unsigned int h; 5 | 6 | void main() { 7 | 8 | // Should be UNSAFE due to command line option -forceNondetInit 9 | assert(g == 0 && h == 0); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/loop1.hcc: -------------------------------------------------------------------------------- 1 | 2 | thread A { 3 | 4 | int x = 1; 5 | int y = 0; 6 | 7 | while (y < 3) { 8 | x = x + y; 9 | y = y + 1; 10 | } 11 | 12 | assert(x >= y); 13 | 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/loop2.hcc: -------------------------------------------------------------------------------- 1 | 2 | thread A { 3 | 4 | int x = 1; 5 | int y = 0; 6 | 7 | do { 8 | x = x + y; 9 | y = y + 1; 10 | } while (y < 3); 11 | 12 | assert(x >= y); 13 | 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-explicit-2.c: -------------------------------------------------------------------------------- 1 | int a[5] = _; 2 | 3 | void main() { 4 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 5 | assert(a[0] == a[1]); 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-alloca-memsafety2.c: -------------------------------------------------------------------------------- 1 | int foo() { 2 | int a[]; 3 | a = alloca(sizeof(int)*42); 4 | a[0] = 3; 5 | return a[0]; 6 | } 7 | 8 | void main() { 9 | assert(foo() == 3); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/unint-pred-simple-true.c: -------------------------------------------------------------------------------- 1 | /*$ P(int x) $*/ 2 | 3 | void main() { 4 | assert(P(42)); // push 5 | 6 | int x; 7 | assume(P(x)); // pull 8 | 9 | assert(x == 42); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/bitwise3.hcc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int i; 5 | int cnt = 0; 6 | while (i > 0) { 7 | if (i & 1) 8 | ++cnt; 9 | i >>= 1; 10 | } 11 | assert(cnt >= 0); 12 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/ptr-to-int-cast.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | int addrA = (int) a; // safe in ILP32 - violates MISRA-C 11.4 and not supported by TriCera 6 | } 7 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test6.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int x = 0; 4 | int y = 0; 5 | 6 | 7 | thread A { 8 | int i; 9 | 10 | for (i = 0; i < 100; ++i) { 11 | ++x; 12 | ++y; 13 | } 14 | 15 | assert(y == 100); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-array-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void* allocArray(int n) { 4 | return malloc(sizeof(int)*n); 5 | } 6 | 7 | void main() { 8 | int p[] = (int*) allocArray(10); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract2.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires x >= 0 && x <= 4; 3 | ensures \result >= 10 && \result <= 14; 4 | */ 5 | int foo(int x) { 6 | return 12; 7 | } 8 | 9 | void main() 10 | { 11 | foo(2); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr.hcc: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void f(int *x) 3 | { 4 | *x = *x + 1; 5 | } 6 | 7 | void main() 8 | { 9 | int init = _; 10 | int x = init; 11 | f(&x); 12 | assert(x == init+1); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/nonlinear1.hcc: -------------------------------------------------------------------------------- 1 | 2 | int nondet(); 3 | 4 | void main() { 5 | int f = 1; 6 | int i = 1; 7 | 8 | while (nondet()) { 9 | f = f * i; 10 | i++; 11 | } 12 | 13 | assert(f > 0 && i > 0); 14 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/predicates.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int /*@ predicates { x == 0, x == 1 } @*/ x = 0; 5 | int i; 6 | 7 | for (i = 0; i < 100; ++i) 8 | x = 1 - x; 9 | 10 | assert(x == 0 || x == 1); 11 | } -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/simple-invariant-false.c: -------------------------------------------------------------------------------- 1 | /*$ 2 | SimpleInvariant(int x) { 3 | x == 3 4 | } 5 | $*/ 6 | 7 | void main() { 8 | int x; 9 | assume(SimpleInvariant(x)); 10 | assert(x == 42); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/simple-invariant-true.c: -------------------------------------------------------------------------------- 1 | /*$ 2 | SimpleInvariant(int x) { 3 | x == 42 4 | } 5 | $*/ 6 | 7 | void main() { 8 | int x; 9 | assume(SimpleInvariant(x)); 10 | assert(x == 42); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-opt-1.c: -------------------------------------------------------------------------------- 1 | 2 | /* Nondeterministically initialized by command line option -forceNondetInit. */ 3 | int a[5]; 4 | 5 | void main() { 6 | // Should be UNSAFE 7 | assert(a[1] == 0); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-explicit-2.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int a[5] = _; 4 | 5 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 6 | assert(a[0] == a[1]); 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-opt-1.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int a[5]; // Nondeterministically initialized by command line option -forceNondet. 4 | 5 | // Should be UNSAFE 6 | assert(a[1] == 0); 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/typecastUnsafe-001.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int f; 3 | }; 4 | 5 | void main() { 6 | int *x = calloc(sizeof(int)); 7 | struct S *y = (struct S *) x; 8 | y->f = 42; 9 | assert(y->f == 42); 10 | } 11 | 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int N = _; 4 | 5 | 6 | thread A { 7 | int i = 0, x = 1, y = x; 8 | 9 | while (i < N) { 10 | x = x * 2; 11 | y = x; 12 | ++i; 13 | } 14 | 15 | assert(x == y); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test7.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int x = 0; 4 | int y = 0; 5 | 6 | 7 | thread A { 8 | int i; 9 | 10 | for (i = 0; i < 100;) { 11 | ++x; 12 | ++y; 13 | ++i; 14 | } 15 | 16 | assert(y == 100); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/unint-pred-stack-ptr-unsupported.c: -------------------------------------------------------------------------------- 1 | /*$ P(int *x) $*/ 2 | 3 | void main() { 4 | int x = 42; 5 | assert(P(&x)); 6 | 7 | int *y; 8 | assume(P(y)); 9 | 10 | assert(*y == 42); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract1.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires x >= 0; 3 | ensures \result == 2; 4 | */ 5 | int foo(int x) { 6 | x = 2; 7 | return x; 8 | } 9 | 10 | 11 | void main() 12 | { 13 | int a = 1; 14 | foo(a); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/bitwise2.hcc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int i; 5 | assert((i << 5) == 32 * i); 6 | int j; 7 | assume(0 <= j && j <= 10); 8 | assume(i > 0 && i <= 100000); 9 | assert((i << j) > 0); 10 | } -------------------------------------------------------------------------------- /regression-tests/horn-bv/nonlinear2.hcc: -------------------------------------------------------------------------------- 1 | 2 | int nondet(); 3 | 4 | void main() { 5 | int f = 1000000; 6 | int i = 1; 7 | 8 | while (nondet()) { 9 | f = f * i; 10 | i++; 11 | } 12 | 13 | assert(f > 0 && i > 0); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/global-struct-array-1.c: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int f; 3 | } S; 4 | 5 | S sArr[2] = {{10}, {20}}; 6 | 7 | void main() { 8 | assert(sArr[0].f == 0); 9 | sArr[1].f++; 10 | assert(sArr[1].f == 1); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/postop-struct.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int x; 3 | } *s; 4 | 5 | void main() { 6 | s = calloc(sizeof(struct S)); 7 | assert((s->x)++ == 0); 8 | assert((s->x)-- == 1); 9 | assert(s->x == 0); 10 | } 11 | 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/simple-struct.c: -------------------------------------------------------------------------------- 1 | struct simple{ 2 | int x; 3 | }; 4 | 5 | void main(){ 6 | struct simple *p = calloc(sizeof(struct simple)); 7 | p->x = 42; 8 | int v = p->x; 9 | assert(v == 42 || v ==0); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/emptyStruct.hcc: -------------------------------------------------------------------------------- 1 | struct a { 2 | }; 3 | 4 | struct b { 5 | struct a f1; 6 | int f2; 7 | }; 8 | 9 | int main() { 10 | struct b s; 11 | s.f2 = 42; 12 | assert(s.f2 == 42); 13 | return s.f2; 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/functions2.hcc: -------------------------------------------------------------------------------- 1 | 2 | int f() { 3 | return 42; 4 | } 5 | 6 | int inc(int x) { 7 | return x + 1; 8 | } 9 | 10 | void main() { 11 | 12 | int x = 0; 13 | x = inc(x); 14 | assert(x == 1); 15 | 16 | } 17 | 18 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/inits4-opt.hcc: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int g; 4 | static unsigned int h; 5 | 6 | assert(h >= 0); 7 | 8 | // Should be UNSAFE due to command line option -forceNondetInit 9 | assert(g == 0); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/contract3.hcc: -------------------------------------------------------------------------------- 1 | 2 | int g; 3 | 4 | void f(int x) { 5 | if (x > 0) { 6 | g += x; 7 | --x; 8 | f(x); 9 | } 10 | } 11 | 12 | int main() { 13 | int x; 14 | f(x); 15 | assert(g >= x); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test5.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int x = 0; 4 | int y = 0; 5 | 6 | 7 | thread A { 8 | while (1) { 9 | x++, y++; 10 | assert(x == y); 11 | } 12 | } 13 | 14 | thread B { 15 | // assert(x == y || x == y + 1); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract3.hcc: -------------------------------------------------------------------------------- 1 | // Precondition violation. 2 | 3 | /*@ 4 | requires x >= 0; 5 | ensures \result == 42; 6 | */ 7 | int foo(int x) { 8 | return 42; 9 | } 10 | 11 | 12 | void main() 13 | { 14 | foo(-1); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract4.hcc: -------------------------------------------------------------------------------- 1 | // Postcondition violation. 2 | 3 | /*@ 4 | requires x >= 0; 5 | ensures \result == 42; 6 | */ 7 | int foo(int x) { 8 | return -42; 9 | } 10 | 11 | 12 | void main() 13 | { 14 | foo(1); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/contract1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int f(int x) { 4 | if (x > 0) { 5 | x--; 6 | return f(x) + 1; 7 | } else 8 | return 0; 9 | } 10 | 11 | int main() { 12 | int y; 13 | y = f(10); 14 | assert(y > 0); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/clocks3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int finished = 0; 4 | 5 | thread A { 6 | clock x = 0; 7 | within (x <= 5) finished = 1; 8 | } 9 | 10 | thread B { 11 | clock y = 0; 12 | assume(y > 7); 13 | assert(finished); 14 | } 15 | 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stack-array-2-safe.c: -------------------------------------------------------------------------------- 1 | // see https://github.com/uuverifiers/tricera/issues/36 2 | 3 | void main(void) { 4 | int a[3]; 5 | int b[3]; 6 | 7 | a[0] = 42; 8 | b[0] = 3; 9 | 10 | assert(a[0] == 42); 11 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stack-ptr-bug-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct S { int data; }; 4 | 5 | void access(int *x){ 6 | *x; 7 | } 8 | 9 | void main() { 10 | struct S *s = malloc(sizeof(struct S)); 11 | access(&(s->data)); 12 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/typedef1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef int s32; 4 | typedef unsigned int u32; 5 | typedef s32 s32_2; 6 | 7 | void main() { 8 | 9 | s32 x; 10 | u32 y; 11 | s32_2 z; 12 | 13 | if (x == y) 14 | assert(y >= 0); 15 | 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-3-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | extern int nondet(); 3 | 4 | void main() { 5 | int n = nondet(); 6 | int *arr = (int*) malloc(sizeof(int)*n); 7 | arr[n] = 42; 8 | free(arr); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract12.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p); 3 | ensures \result == 42; 4 | */ 5 | int get(int* p) { 6 | *p = 42; 7 | return *p; 8 | } 9 | 10 | void main(void) { 11 | int* p = malloc(sizeof(*p)); 12 | get(p); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/old_safe.c: -------------------------------------------------------------------------------- 1 | // SAFE because assign to *p occurs after assign to g. 2 | int g = 0; 3 | 4 | /*@ 5 | requires \valid(p); 6 | ensures g == \old(g) + \old(*p); 7 | */ 8 | void foo(int* p) { 9 | g += *p; 10 | *p = 42; 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/assign-illegal.hcc: -------------------------------------------------------------------------------- 1 | 2 | typedef struct { 3 | int x; 4 | } S1; 5 | 6 | typedef struct { 7 | int x; 8 | } S2; 9 | 10 | S1 s1; 11 | 12 | int main() { 13 | S2 s2; 14 | s2 = s1; //this should fail (does not compile) 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/old_unsafe.c: -------------------------------------------------------------------------------- 1 | // UNSAFE because assign to *p occurs before assign to g. 2 | int g = 0; 3 | 4 | /*@ 5 | requires \valid(p); 6 | ensures g == \old(g) + \old(*p); 7 | */ 8 | void foo(int* p) { 9 | *p = 42; 10 | g += *p; 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-func-dec.hcc: -------------------------------------------------------------------------------- 1 | void f(int *x); 2 | 3 | void main() 4 | { 5 | int init = _; 6 | int x = init; 7 | f(&x); 8 | assert(x == init+1); 9 | } 10 | 11 | /*@contract@*/ 12 | void f(int *x) 13 | { 14 | *x = *x + 1; 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/clocks4.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int finished = 0; 4 | 5 | thread A { 6 | clock x = 0; 7 | assume (x > 5); 8 | finished = 1; 9 | } 10 | 11 | thread B { 12 | clock y = 0; 13 | within (y <= 5) 14 | assert(!finished); 15 | } 16 | 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-1-safe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = a; 7 | for(int i = 0; i < n; ++i) { 8 | assert(*p == 0); 9 | p = p+1; 10 | } 11 | free(a); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-2-safe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = a; 7 | for(int i = 0; i < n; ++i) { 8 | assert(*p == 0); 9 | p += 1; 10 | } 11 | free(a); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/simple-struct-fail.c: -------------------------------------------------------------------------------- 1 | struct simple{ 2 | int x; 3 | }; 4 | 5 | void main(){ 6 | struct simple *p = malloc(sizeof(struct simple)); 7 | p->x = 42; 8 | assert(p->x == 42); //this should actually pass after the refinements 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/predicates2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int x = 0; 4 | int y = 0; 5 | 6 | 7 | thread A { 8 | int /*@ predicates { i == y } @*/ i; 9 | 10 | for (i = 0; i < 100; ++i) { 11 | ++x; 12 | ++y; 13 | } 14 | 15 | assert(y == 100); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-1-safe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = 3; 3 | int a[]; 4 | 5 | int i = 0; 6 | for(; i < n; ++i) 7 | { 8 | a[i] = i-1; 9 | } 10 | 11 | //@ assert \forall int j; ((0 <= j) && (j < n)) ==> (a[j] == j-1); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-4-empty-safe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = 0; 3 | int a[]; 4 | int i = 0; 5 | for(; i < n; ++i) 6 | { 7 | a[i] = 41; 8 | } 9 | 10 | //@ assert \forall int j; ((0 <= j) && (j < n)) ==> (a[j] == 42); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/mc91_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures n <= 100 ==> \result == 91; 3 | ensures n > 100 ==> \result == n-10; 4 | */ 5 | int foo(int n) { 6 | if (n > 100) { 7 | return n - 10; 8 | } else { 9 | return foo(foo(n + 11)); 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="simple-01-false.c simple-01-true.c at-old-01-false.c at-old-01-true.c" 6 | 7 | for name in $TESTS; do 8 | echo 9 | echo $name 10 | $LAZABS "$@" $name 11 | done 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-1-unsafe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = a; 7 | for(int i = 0; i <= n; ++i) { 8 | assert(*p == 0); 9 | p = p+1; 10 | } 11 | free(a); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-2-unsafe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = a; 7 | for(int i = 0; i <= n; ++i) { 8 | assert(*p == 0); 9 | p += 1; 10 | } 11 | free(a); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-3-safe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = &(a[0]); 7 | for(int i = 0; i < n; ++i) { 8 | assert(*p == 0); 9 | p = p+1; 10 | } 11 | free(a); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-3-nonzero-lo-safe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = 3; 3 | int a[]; 4 | int i = 0; 5 | for(; i < n; ++i) 6 | { 7 | a[i] = 42; 8 | } 9 | 10 | //@ assert \forall int j; ((1 <= j) && (j < n)) ==> (a[j] == 42); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/swap_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(a) && \valid(b); 3 | assigns *a, *b; 4 | ensures (*a) == \old(*b); 5 | ensures (*b) == \old(*a); 6 | */ 7 | void foo(int* a, int* b) { 8 | int tmp = *a; 9 | *a = *b; 10 | *b = tmp; 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/struct-name-bug.hcc: -------------------------------------------------------------------------------- 1 | struct S { 2 | int f; 3 | }; 4 | 5 | /*@ contract @*/ 6 | int foo(struct S s) { 7 | return s.f*2; 8 | } 9 | 10 | int main() { 11 | struct S s; 12 | s.f = 21; 13 | assert(foo(s) == 42); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/clocks1.hcc: -------------------------------------------------------------------------------- 1 | 2 | int finished = 0; 3 | 4 | void main() { 5 | clock x = 0; 6 | assert(x >= 0); 7 | assume(x >= 3); 8 | finished = 1; 9 | } 10 | 11 | thread A { 12 | clock y = 0; 13 | assume(finished); 14 | assert(y > 2); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern int nondet(); 5 | 6 | int a[]; 7 | 8 | void main() { 9 | int n = nondet(); 10 | assume(n > 0); 11 | a = malloc(sizeof(int)*n); 12 | a[n] = 42; 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/typedef.hcc: -------------------------------------------------------------------------------- 1 | typedef struct{ 2 | int a; 3 | }MyStruct; 4 | 5 | typedef struct S{ 6 | int a; 7 | }MyStruct2; 8 | 9 | MyStruct s; 10 | MyStruct2 s2; 11 | 12 | thread A { 13 | assert(s.a == 0); 14 | assert(s2.a == 0); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/jumps3.hcc: -------------------------------------------------------------------------------- 1 | 2 | int main() { 3 | 4 | int x; 5 | int y = x; 6 | 7 | while (1) { 8 | x++; 9 | y += 2; 10 | if (x >= 0) 11 | goto END; 12 | assert(!(x > 0)); 13 | } 14 | 15 | END: assert(y > 0); 16 | 17 | } 18 | 19 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/unint-pred-unnamed-ptr-arg-bug.c: -------------------------------------------------------------------------------- 1 | /*$ P(int *) $*/ 2 | 3 | int* nondet_ptr(); 4 | 5 | void main() { 6 | int *p = 0; 7 | assert(P(p)); 8 | 9 | int *q = nondet_ptr(); 10 | assume(P(q)); 11 | 12 | assert(p == q); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract17.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE because modifies g. 2 | 3 | int g = 1; 4 | 5 | /*@ 6 | assigns \nothing; 7 | ensures \result == 13; 8 | */ 9 | int get() { 10 | g = 42; 11 | return 13; 12 | } 13 | 14 | void main(void) { 15 | get(); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract18.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE because g's value might have changed. 2 | 3 | int g = 1; 4 | 5 | /*@ 6 | ensures \result == 13; 7 | */ 8 | int get() { 9 | return 13; 10 | } 11 | 12 | void main(void) { 13 | get(); 14 | assert(g == 1); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/getptr_safe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'getptr_safe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/atomic3e.hcc: -------------------------------------------------------------------------------- 1 | 2 | int x = 0; 3 | 4 | void main() { 5 | clock C = 0; 6 | 7 | l : within(C <= 3) { 8 | x++; 9 | C = 0; 10 | goto l; 11 | } 12 | } 13 | 14 | thread A { 15 | clock D = 0; 16 | assume(D > 10); 17 | assert(x > 1); 18 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/channels-3.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | chan c, d; 4 | int x; 5 | 6 | thread A { 7 | x++; 8 | atomic { 9 | chan_receive(d); 10 | chan_send(c); 11 | } 12 | } 13 | 14 | thread B { 15 | chan_receive(c); 16 | x++; 17 | assert(x == 2); 18 | } 19 | 20 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern int nondet(); 5 | 6 | int a[]; 7 | 8 | void main() { 9 | int n = nondet(); 10 | assume(n > 0); 11 | a = malloc(sizeof(int)*n); 12 | int x = a[n]; 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-3-safe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'free-3-safe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/disconnected-assertions.hcc: -------------------------------------------------------------------------------- 1 | 2 | int N = _; 3 | 4 | 5 | void main(void) { 6 | int i = 0, x = 1, y = x; 7 | 8 | while (i < N) { 9 | x = x * 2; 10 | y = x; 11 | ++i; 12 | } 13 | 14 | B: goto B; 15 | 16 | assert(0); 17 | } 18 | 19 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-3-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | extern int nondet(); 3 | 4 | void main() { 5 | int n = nondet(); 6 | assume(n > 0); 7 | int *arr = (int*) malloc(sizeof(int)*n); 8 | arr[n-1] = 42; 9 | free(arr); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/unint-pred-simple-ptr-true.c: -------------------------------------------------------------------------------- 1 | /*$ P(int *x) $*/ 2 | 3 | void main() { 4 | int *x = malloc(sizeof(int)); 5 | int t = _; 6 | *x = t; 7 | assert(P(x)); 8 | 9 | int *y; 10 | assume(P(y)); 11 | 12 | assert(*y == t); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/dblptr-assigns_safe.c: -------------------------------------------------------------------------------- 1 | // SAFE 2 | 3 | int g = 42; 4 | 5 | /*@ 6 | requires \valid(p, q, *q); 7 | assigns *p; 8 | assigns **q; 9 | assigns g; 10 | */ 11 | void foo(int* p, int** q) { 12 | *p = 42; 13 | **q = 42; 14 | g = 42; 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-explicit-3.c: -------------------------------------------------------------------------------- 1 | int a[5] = _; 2 | int b[5] = _; 3 | 4 | void main() { 5 | assume(a[0] == b[0]); 6 | 7 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 8 | assert(a[1] == b[1]); 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/simple-struct-2.c: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int x; 3 | struct { 4 | int z; 5 | }y; 6 | } S; 7 | 8 | void main(){ 9 | S *p = malloc(sizeof(S)); 10 | 11 | p->y.z = 42; 12 | 13 | int v = p->y.z; 14 | assert(v == 0 || v == 42); 15 | 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stack-array-2-unsafe.c: -------------------------------------------------------------------------------- 1 | // see https://github.com/uuverifiers/tricera/issues/36 2 | 3 | void main(void) { 4 | int a[3]; 5 | int b[3]; 6 | 7 | a[0] = 42; 8 | b[0] = 3; 9 | 10 | assert(a[0] == 3); // this is not SAFE, a[0] is 42. 11 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/struct-ptrfield-1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'memtrack-02.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-1-true.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | return x - 1; 3 | } 4 | 5 | int addOne(int x) { 6 | return x + 1; 7 | } 8 | 9 | void main() { 10 | int x; 11 | int y = 1; 12 | assume(x == subOne(y)); 13 | assert(addOne(x) == 1); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/static-local-retention-false.c: -------------------------------------------------------------------------------- 1 | void incrementLocalStatic() { 2 | static int local = 0; 3 | assert(local == 0); // Will fail in second call. 4 | local++; 5 | } 6 | 7 | void main() { 8 | incrementLocalStatic(); 9 | incrementLocalStatic(); 10 | } -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-2-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | int *p = malloc(sizeof(int)); 5 | // p is not freed before program end - violates memcleanup. 6 | // int main with no return value, this triggers a different exit in CCReader 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-1-unsafe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = _; 3 | assume(n > 0); 4 | int a[]; 5 | int i = 0; 6 | for(; i < n; ++i) 7 | { 8 | a[i] = i; 9 | } 10 | 11 | //@ assert \forall int j; ((0 <= j) && (j < n)) ==> (a[j] == j-1); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-5-cmpN-safe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = 3; 3 | //assume(n > 0); 4 | int a[]; 5 | int i = 0; 6 | for(; i < n; ++i) 7 | { 8 | a[i] = i; 9 | } 10 | 11 | //@ assert \forall int j; ((0 <= j) && (j < n)) ==> (a[j] <= n); 12 | } 13 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract15.hcc: -------------------------------------------------------------------------------- 1 | // SAFE because no assign to g. 2 | 3 | int g = 1; 4 | 5 | /*@ 6 | assigns \nothing; 7 | ensures \result == 13; 8 | */ 9 | int get() { 10 | return 13; 11 | } 12 | 13 | void main(void) { 14 | get(); 15 | assert(g == 1); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/mc91_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures ((n <= 100) ==> (\result == 91)); 3 | ensures ((n > 101) ==> (\result == (n-10))); 4 | */ 5 | int foo(int n) { 6 | if (n > 100) { 7 | return n - 10; 8 | } else { 9 | return foo(foo(n + 11)); 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/struct-ptrfield-1.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int *f; 3 | }; 4 | 5 | void alloc(struct S *ps) { 6 | ps->f = (int *)malloc(sizeof(int)); 7 | *(ps->f) = 42; 8 | } 9 | 10 | int main() { 11 | struct S s; 12 | alloc(&s); 13 | free(s.f); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-1-false.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | return x - 1; 3 | } 4 | 5 | int addOne(int x) { 6 | return x + 1; 7 | } 8 | 9 | void main() { 10 | int x; 11 | int y = 1; 12 | assume(x == subOne(y)); 13 | assert(addOne(x) == 0); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract21.hcc: -------------------------------------------------------------------------------- 1 | int g = 0; 2 | 3 | /*@ 4 | assigns g; 5 | ensures g == \old(g) + n; 6 | */ 7 | void addToG(int n) { 8 | g += n; 9 | } 10 | 11 | int main(void) { 12 | addToG(42); 13 | assert(g == 42); 14 | addToG(1); 15 | assert(g == 43); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/channels-2b.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | chan c; 4 | int p; 5 | 6 | thread A { 7 | atomic { 8 | p = 42; 9 | chan_receive(c); 10 | } 11 | } 12 | 13 | thread B { 14 | int x = -10; 15 | atomic { 16 | chan_send(c); 17 | x += p; 18 | } 19 | assert(x > 0); 20 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/swap-1-fail.c: -------------------------------------------------------------------------------- 1 | void swap(int *x, int *y){ 2 | int tmp = *x; 3 | *x = *y; 4 | *y = tmp; 5 | } 6 | 7 | void main() { 8 | int a = 3; 9 | int *b = calloc(sizeof(int)); 10 | *b = 42; 11 | swap(&a, b); 12 | assert(a == 42); 13 | } 14 | 15 | -------------------------------------------------------------------------------- /regression-tests/math-arrays/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="simple-math-array-1.hcc struct-array.hcc" 6 | 7 | for name in $TESTS; do 8 | echo 9 | echo $name 10 | $LAZABS -cex -abstract:off -mathArrays -sol "$@" $name 2>&1 | grep -v 'at ' 11 | done 12 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/simple-01-false.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | int x = 0; 3 | int y = 3; 4 | 5 | L1: // x = 0; 6 | x = 42; 7 | 8 | L2:; // x = 42; y = 3; 9 | x = 3; 10 | 11 | assert($at("L1", (int)(x+5)) == 5); 12 | assert($at("L2", (int)(x+y)) == 43); 13 | assert(x == 3); 14 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/clocks5.hcc: -------------------------------------------------------------------------------- 1 | int lock = 0; 2 | 3 | void main() { 4 | int tid; 5 | clock C; 6 | 7 | while (1) { 8 | atomic { assume(lock == 0); C = 0; } 9 | within (C <= 1) lock = tid; 10 | } 11 | } 12 | 13 | thread A { 14 | while (1) { 15 | lock = 0; 16 | } 17 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-opt-2.c: -------------------------------------------------------------------------------- 1 | 2 | /* Nondeterministically initialized by command line option -forceNondetInit. */ 3 | int a[5]; 4 | 5 | void main() { 6 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 7 | assert(a[0] == a[1]); 8 | } 9 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-opt-2.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int a[5]; // Nondeterministically initialized by command line option -forceNondet. 4 | 5 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 6 | assert(a[0] == a[1]); 7 | } 8 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-5-unsafe.c: -------------------------------------------------------------------------------- 1 | int nondet(); 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | free(a); 6 | int *b = malloc(sizeof(int)); 7 | assert(a != b); // known limitation: 8 | // unsafe, but current implementation returns safe... 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/fields.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | int a; 3 | int b; 4 | } s = {1, 2}; 5 | 6 | void swap(int *x, int *y){ 7 | int tmp = *x; 8 | *x = *y; 9 | *y = tmp; 10 | } 11 | 12 | void main() { 13 | swap(&s.a, &s.b); 14 | assert(s.a == 2 && s.b == 1); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-stack-1-true.c: -------------------------------------------------------------------------------- 1 | int* validStackAccess() { 2 | static int a = 10; // Static variable persists beyond the scope of the function 3 | return &a; 4 | } 5 | 6 | void main() { 7 | int *p = validStackAccess(); 8 | *p = 20; // Valid access 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-1-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-1-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-3-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-3-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract26.hcc: -------------------------------------------------------------------------------- 1 | // SAFE beacuse *q unchanged. 2 | 3 | /*@ 4 | assigns *p; 5 | */ 6 | void foo(int* p) { 7 | } 8 | 9 | int main(void) { 10 | int* p = malloc(sizeof(*p)); 11 | int* q = malloc(sizeof(*q)); 12 | *q = 42; 13 | foo(p); 14 | assert(*q == 42); 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-contract-parsing/fib.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires n >= 0; 3 | ensures n >= 0; 4 | @*/ 5 | int f(int n) { 6 | if(n == 0) 7 | return 0; 8 | else if (n == 1) 9 | return 1; 10 | else return 42; 11 | } 12 | 13 | void main() 14 | { 15 | assert(f(0) + f(2) == 42); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/opassign.c: -------------------------------------------------------------------------------- 1 | void main() { 2 | int *x = calloc(sizeof(int)); 3 | *x += 42; 4 | assert(*x == 42); 5 | *x *= 2; 6 | assert(*x == 84); 7 | *x /= 4; 8 | assert(*x == 21); 9 | *x -= 1; 10 | assert(*x == 20); 11 | *x %= 3; 12 | assert(*x == 2); 13 | } 14 | 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/assign2.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | struct { 3 | int a; 4 | } s1, s2; 5 | } s; 6 | 7 | void main() { 8 | s.s1.a = 3; 9 | s.s2.a = 42; 10 | assert(s.s1.a == 3); 11 | assert(s.s2.a == 42); 12 | s.s1 = s.s2; 13 | assert(s.s1.a == 42); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/static-local-retention-true.c: -------------------------------------------------------------------------------- 1 | int global; 2 | 3 | void incrementLocalStatic() { 4 | static int local = 0; 5 | local++; 6 | global++; 7 | assert(local == global); 8 | } 9 | 10 | void main() { 11 | incrementLocalStatic(); 12 | incrementLocalStatic(); 13 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test4.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int N = 3; 4 | 5 | 6 | thread A { 7 | int i = 0, x = 1, y = x; 8 | 9 | while (i < N) { 10 | x *= 2; 11 | y = x; 12 | ++i; 13 | } 14 | 15 | assert(x > 1); 16 | } 17 | 18 | thread B { 19 | while (1) { 20 | N++; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-1-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-1-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: false 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-2-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-2-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: false 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-3-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-3-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: false 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-4-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-4-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: false 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract8.hcc: -------------------------------------------------------------------------------- 1 | // Relies solely on specified post condition, not implementation. 2 | 3 | /*@ 4 | ensures \result >= 2; 5 | */ 6 | int foo(int x) { 7 | return 2; 8 | } 9 | 10 | 11 | void main() 12 | { 13 | int a = foo(1); 14 | assert(a == 2); // Should fail 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-explicit-3.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | static int a[5] = _; 4 | static int b[5] = _; 5 | 6 | assume(a[0] == b[0]); 7 | 8 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 9 | assert(a[1] == b[1]); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/swap-1.c: -------------------------------------------------------------------------------- 1 | void swap(int *x, int *y){ 2 | int tmp = *x; 3 | *x = *y; 4 | *y = tmp; 5 | } 6 | 7 | void main() { 8 | int a = 3; 9 | int *b = calloc(sizeof(int)); 10 | *b = 42; 11 | swap(&a, b); 12 | assert(a == 0 || a == 3 || a == 42); 13 | } 14 | 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/anon.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | int a; 3 | struct { 4 | int b; 5 | } b; 6 | } b; 7 | 8 | thread A { 9 | b.a = 42; 10 | b.b.b = 41; 11 | 12 | b.b = b.b; 13 | b.a = b.b.b - 1; 14 | 15 | assert(b.a == 40); 16 | assert(b.b.b == 41); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-array-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-array-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: true 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/hints.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int i = 0; 5 | 6 | /* Define one term template 2*i - j, used with default cost 1 */ 7 | 8 | int /*@ terms_tpl { 2*i - j } @*/ j = 0; 9 | 10 | while (i <= 1000) { 11 | i += 1; 12 | j += 2; 13 | } 14 | 15 | assert(j <= 3000); 16 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-loop.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern int nondet(); 5 | 6 | int a[]; 7 | 8 | void main() { 9 | int n = 1; 10 | a = malloc(sizeof(int)*n); 11 | 12 | for (int i = 0; i <= n; ++i) { 13 | a[i] = 3; 14 | } 15 | free(a); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/typecastSafe-001.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int f; 3 | }; 4 | 5 | void main() { 6 | int *x = calloc(sizeof(int)); 7 | struct S *y = (struct S *) x; 8 | int *z = y; 9 | assert(*z == 0); 10 | *x = 42; 11 | assert(*z == *x); 12 | assert(*z == 42); 13 | free(y); 14 | } 15 | 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/assign-exp.hcc: -------------------------------------------------------------------------------- 1 | struct { 2 | int x; 3 | int y; 4 | struct{ 5 | int x; 6 | } s; 7 | } s1; 8 | 9 | int main() { 10 | s1.s.x = (s1.x = 2) * (s1.y = 20) + 2 ; 11 | assert(s1.x == 2); 12 | assert(s1.y == 20); 13 | assert(s1.s.x == 42); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-4-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern int nondet(); 4 | int main() { 5 | int *p = malloc(sizeof(int)); 6 | // p is not freed before program end - violates memcleanup. 7 | // int main with multiple exit paths 8 | abort(); 9 | free(p); 10 | } 11 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-array-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memcleanup-array-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memcleanup.prp 7 | expected_verdict: false 8 | 9 | options: 10 | language: C 11 | data_model: ILP32 12 | -------------------------------------------------------------------------------- /tri: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ $(uname) = "Linux" ]; then 4 | pathCmd="readlink -f" 5 | elif [ $(uname) = "Darwin" ]; then 6 | pathCmd="stat -f %N" 7 | else 8 | pathCmd="realpath" 9 | fi 10 | 11 | BASEDIR=`dirname $($pathCmd $0)` 12 | 13 | . $BASEDIR/triEnv 14 | 15 | exec $LAZABS_CMD tricera.Main "$@" 16 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/getptr_unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'getptr_unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/array-single-alloc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int foo (int a[]) { 5 | a[0] = 0; 6 | return a[0]; 7 | } 8 | 9 | void main() { 10 | int a[] = calloc(sizeof(int) * 1); // not standard C, simplified 11 | int res = foo(a); 12 | assert(res == 0); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-1-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'free-1-unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-4-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'free-4-unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/sizeof-bug-1-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct S1 4 | { 5 | struct S1* f1; 6 | }; 7 | 8 | struct S2 9 | { 10 | struct S1* f2; 11 | }; 12 | 13 | int main() 14 | { 15 | struct S2 s2; 16 | s2.f2 = malloc(sizeof(*s2.f2)); 17 | s2.f2->f1 = s2.f2; 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-1-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-1-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-3-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-3-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-6-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-6-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract22.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE because missing \old 2 | int g = 0; 3 | 4 | /*@ 5 | assigns g; 6 | ensures g == g + n; 7 | */ 8 | void addToG(int n) { 9 | g += n; 10 | } 11 | 12 | int main(void) { 13 | addToG(42); 14 | assert(g == 42); 15 | addToG(1); 16 | assert(g == 43); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/maxptr_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p, q); 3 | ensures ((\result == *p) || (\result == *q)); 4 | ensures \result >= (*p); 5 | ensures \result >= (*q); 6 | */ 7 | int foo(int* p, int* q) { 8 | if (*p >= *q) { 9 | return *p; 10 | } else { 11 | return *q; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/maxptr_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p, q); 3 | ensures \result == *p || \result == *q; 4 | ensures \result >= *p; 5 | ensures \result >= (*q); 6 | */ 7 | int foo(int* p, int* q) { 8 | if (*p >= *q) { 9 | return *p+1; 10 | } else { 11 | return *q; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/at-old-01-false.c: -------------------------------------------------------------------------------- 1 | int g = 10; 2 | 3 | void f(int p) { 4 | // Pre / Old: p == 5, g == 10. 5 | 6 | p = 20; 7 | g = 30; 8 | // p = 20, g = 30 9 | 10 | assert($at("Pre", (int)(p)) == 10); 11 | 12 | g = 5; 13 | } 14 | 15 | void main() { 16 | f(5); 17 | assert(g == 5); 18 | } -------------------------------------------------------------------------------- /regression-tests/horn-contracts/contract2.hcc: -------------------------------------------------------------------------------- 1 | 2 | int g; 3 | 4 | int f(int x) { 5 | g++; 6 | if (x > 0) { 7 | x--; 8 | return f(x) + 1; 9 | } else 10 | return 0; 11 | } 12 | 13 | int main() { 14 | int y; 15 | assume(y >= 10); 16 | y = f(y); 17 | assert(y >= 10); 18 | assert(g >= 0); 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/switch1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int x; 5 | int y = 10; 6 | 7 | switch(x) { 8 | case 1: case 2: 9 | y = 42; 10 | break; 11 | case 3: 12 | y = 43; 13 | break; 14 | default: 15 | y = 0; 16 | break; 17 | } 18 | 19 | assert(y >= 1); 20 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/unsafe-access-001.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'unsafe-access-001.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | int x; 5 | 6 | chan c, d; 7 | 8 | 9 | 10 | thread A { 11 | int i = 0; 12 | while (i < 10) { 13 | x = x + 1; 14 | ++i; 15 | } 16 | } 17 | 18 | thread B { 19 | int i = 0; 20 | while (i < 10) { 21 | x = x + 1; 22 | ++i; 23 | } 24 | } 25 | 26 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-10-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-10-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-12-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-12-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-2-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-2-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-4-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-4-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-5-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-5-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-7-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-7-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-8-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-8-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-9-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-9-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-free 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract20.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE as *p might have changed. 2 | 3 | /*@ 4 | requires \valid(p); 5 | ensures \result == *p; 6 | */ 7 | int get(int* p) { 8 | return *p; 9 | } 10 | 11 | void main() { 12 | int* p = malloc(sizeof(*p)); 13 | *p = 13; 14 | get(p); 15 | assert(*p == 13); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/contract2b.hcc: -------------------------------------------------------------------------------- 1 | 2 | int g = -10; 3 | 4 | int f(int x) { 5 | g++; 6 | if (x > 0) { 7 | x--; 8 | return f(x) + 1; 9 | } else 10 | return 0; 11 | } 12 | 13 | int main() { 14 | int y; 15 | assume(y >= 5); 16 | y = f(y); 17 | assert(y >= 5); 18 | assert(g >= 0); 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'out-of-bounds-line1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line2.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'out-of-bounds-line2.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line3.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'out-of-bounds-line3.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-line4.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'out-of-bounds-line4.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/out-of-bounds-loop.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'out-of-bounds-loop.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/typecastUnsafe-001.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'typecastUnsafe-001.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/assign-exp-eval-order.hcc: -------------------------------------------------------------------------------- 1 | struct { 2 | int x; 3 | int y; 4 | struct{ 5 | int x; 6 | } s; 7 | } s1; 8 | 9 | int main() { 10 | s1.s.x = (s1.x = 2) * (s1.y = 20) + (s1.x) ; 11 | assert(s1.x == 2); 12 | assert(s1.y == 20); 13 | assert(s1.s.x == 42); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-11-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-free-11-true 4 | .c' 5 | 6 | properties: 7 | - property_file: ../properties/valid-memsafety.prp 8 | expected_verdict: true 9 | subproperty: valid-free 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/dblptr-assigns_unsafe.c: -------------------------------------------------------------------------------- 1 | // UNSAFE because `assigns *q;` and not `assigns **q;`. 2 | 3 | int g = 42; 4 | 5 | /*@ 6 | requires \valid(p, q, *q); 7 | assigns *p; 8 | assigns *q; 9 | assigns g; 10 | */ 11 | void foo(int* p, int** q) { 12 | *p = 42; 13 | **q = 42; 14 | g = 42; 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/simple-01-true.c: -------------------------------------------------------------------------------- 1 | typedef int INTEGER; 2 | 3 | int main() { 4 | int x = 0; 5 | int y = 3; 6 | 7 | L1: // x = 0; 8 | x = 42; 9 | 10 | L2:; // x = 42; y = 3; 11 | x = 3; 12 | 13 | assert($at("L1", (INTEGER)(x+5)) == 5); 14 | assert($at("L2", (int)(x+y)) == 45); 15 | assert(x == 3); 16 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/free-2-nondet-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'free-2-nondet-unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/stackptr-to-heapptr.c: -------------------------------------------------------------------------------- 1 | 2 | void swap(int **x, int **y){ 3 | int* tmp = *x; 4 | *x = *y; 5 | *y = tmp; 6 | } 7 | 8 | void main() { 9 | int *a = calloc(sizeof(int)); 10 | int *b = calloc(sizeof(int)); 11 | *b = 42; 12 | swap(&a, &b); 13 | assert(*a == 42 && *b == 0); 14 | } 15 | 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/stack-ptr-fun-ret.c: -------------------------------------------------------------------------------- 1 | int x, y; 2 | extern int nondet(); 3 | 4 | int *get_stack_ptr() 5 | { 6 | return (nondet() ? &x : &y); 7 | } 8 | 9 | void main() 10 | { 11 | int *p = get_stack_ptr(); 12 | assert(*p == 0); //safe ,but we do not yet support getting stack pointers this way. 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic1.hcc: -------------------------------------------------------------------------------- 1 | 2 | int x = 0; 3 | int finished = 0; 4 | 5 | thread A { 6 | atomic { 7 | int t = x; 8 | x = t + 1; 9 | } 10 | 11 | finished = 1; 12 | } 13 | 14 | thread B { 15 | atomic { 16 | int t = x; 17 | x = t + 1; 18 | } 19 | 20 | if (finished) 21 | assert(x == 2); 22 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/lazy-eval1.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | thread A { 4 | int x = 0, y = 1; 5 | y = y == 1 ? 3 : ++x; 6 | assert(x == 0 && y == 3); 7 | } 8 | 9 | thread B { 10 | int x = 0; 11 | x == 0 || x++; 12 | assert(x == 0); 13 | } 14 | 15 | thread C { 16 | int x = 0; 17 | x == 1 && x++; 18 | assert(x == 0); 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/loop-invariants/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="simple-loop.c \ 6 | simple-loop-annotate.c \ 7 | simple-loop-contract.c \ 8 | loop-in-func.c" 9 | 10 | for name in $TESTS; do 11 | echo 12 | echo $name 13 | $LAZABS "$@" $name 2>&1 | grep -v 'at ' 14 | done -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/incdec_safe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures \result == n+1; 3 | */ 4 | int inc(int n) { 5 | return n+1; 6 | } 7 | 8 | /*@ 9 | ensures \result == n-1; 10 | */ 11 | int dec(int n) { 12 | return n-1; 13 | } 14 | 15 | /*@ 16 | ensures \result == n; 17 | */ 18 | int foo(int n) { 19 | return inc(dec(n)); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/channels-2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | chan c; 4 | int p; 5 | 6 | thread A { 7 | atomic { 8 | p = 42; 9 | chan_send(c); 10 | } 11 | } 12 | 13 | thread B { 14 | int x = -10; 15 | atomic { 16 | chan_receive(c); 17 | x += p; 18 | } 19 | assert(x > 0); 20 | chan_receive(c); 21 | assert(0); 22 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-2-false.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | return x - 1; 3 | } 4 | 5 | int addOne(int x) { 6 | return x + 1; 7 | } 8 | 9 | void main() { 10 | int x; 11 | int y = 1; 12 | assume(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 13 | assert(x == (y <= 0 ? addOne(y) : (subOne(y)+1))); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-2-true.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | return x - 1; 3 | } 4 | 5 | int addOne(int x) { 6 | return x + 1; 7 | } 8 | 9 | void main() { 10 | int x; 11 | int y = 1; 12 | assume(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 13 | assert(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-stack-1-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-stack-1-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-2-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-type-2-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-nullptr-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-nullptr-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-uninit-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-uninit-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memtrack-array-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-memtrack-array-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-memtrack 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/incdec_unsafe.c: -------------------------------------------------------------------------------- 1 | /*@ 2 | ensures \result == n+2; 3 | */ 4 | int inc(int n) { 5 | return n+2; 6 | } 7 | 8 | /*@ 9 | ensures \result == n-1; 10 | */ 11 | int dec(int n) { 12 | return n-1; 13 | } 14 | 15 | /*@ 16 | ensures \result == n; 17 | */ 18 | int foo(int n) { 19 | return inc(dec(n)); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-stack-1-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-stack-1-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-1-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-type-1-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-type-2-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-type-2-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/ext-univ-2-safe.hcc: -------------------------------------------------------------------------------- 1 | void main() { 2 | int n = 3; 3 | int a[], b[]; 4 | int i = 0; 5 | for(; i < n; ++i) 6 | { 7 | a[i] = i-1; 8 | } 9 | 10 | for(i = 0; i < n; ++i) 11 | { 12 | b[i] = i+1; 13 | } 14 | 15 | //@ assert \forall int j; ((0 <= j) && (j < n)) ==> (a[j] == j-1); 16 | 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/assert.hcc: -------------------------------------------------------------------------------- 1 | int N = _; // uninitialised 2 | int N2 = _; 3 | 4 | int mult(int x, int y) { 5 | if (x <= 0 || y <= 0) { 6 | return 0; 7 | } 8 | else { 9 | return (x + mult(x, y - 1)); 10 | } 11 | } 12 | 13 | void main(void) { 14 | assume(N >= 0); 15 | 16 | assert(N <= mult(N,N)); 17 | 18 | } 19 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/atomic2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int x = 0; 4 | 5 | void main() { 6 | 7 | l1: atomic { 8 | x++; 9 | goto end; 10 | x++; 11 | end : goto l2; 12 | } 13 | 14 | l2: atomic { x--; goto l1; } 15 | 16 | } 17 | 18 | thread A { 19 | atomic { x += 10; } 20 | atomic { x -= 10; } 21 | assert(x == 0 || x == 1); 22 | } -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="simple-invariant-false.c simple-invariant-true.c \ 6 | simple-invariant-false.c simple-loop-invariant-true.c" 7 | 8 | for name in $TESTS; do 9 | echo 10 | echo $name 11 | $LAZABS -cex "$@" $name 2>&1 | grep -v 'at ' 12 | done 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-1-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-arraybounds-1-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-2-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-arraybounds-2-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-3-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-arraybounds-3-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-3-true.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-arraybounds-3-true.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-deref-arraybounds-4-false.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'valid-deref-arraybounds-4-false.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | 10 | options: 11 | language: C 12 | data_model: ILP32 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/hints4.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int toggle(int /*@ predicates { x, !x } @*/ x, 4 | int /*@ predicates { y, !y } @*/ y) { 5 | int i; 6 | for (i = 0; i < 10; ++i) { 7 | x = !x; 8 | y = !y; 9 | } 10 | return (x != 0) == (y != 0); 11 | } 12 | 13 | void main() { 14 | int res = toggle(1, 2); 15 | assert(res); 16 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/struct-chained-ptr-field-1-safe.c: -------------------------------------------------------------------------------- 1 | struct Node 2 | { 3 | struct Node* next; 4 | int data; 5 | }; 6 | 7 | void main() 8 | { 9 | struct Node* head = calloc(sizeof(struct Node)); 10 | head->data = 3; 11 | head->next = calloc(sizeof(struct Node)); 12 | head->next->next = 0; 13 | assert(head->data == 3); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/struct-chained-ptr-field-1-unsafe.c: -------------------------------------------------------------------------------- 1 | struct Node 2 | { 3 | struct Node* next; 4 | int data; 5 | }; 6 | 7 | void main() 8 | { 9 | struct Node* head = calloc(sizeof(struct Node)); 10 | head->data = 3; 11 | head->next = calloc(sizeof(struct Node)); 12 | head->next->next = 0; 13 | assert(head->data == 0); 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/struct-pointer2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef struct { 4 | int x, y; 5 | } Pair; 6 | 7 | void inc(Pair *p) { 8 | p->y = p->x; 9 | ++(p->x); 10 | } 11 | 12 | int nondet(); 13 | 14 | void main() { 15 | Pair p = { 0, 1 }; 16 | 17 | while(nondet()) { 18 | inc(&p); 19 | } 20 | 21 | assert(p.x != p.y); 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/diamond_true-unreach-call1.c: -------------------------------------------------------------------------------- 1 | unsigned int __VERIFIER_nondet_uint(void); 2 | int main(void) { 3 | unsigned int x = 0; 4 | unsigned int y = __VERIFIER_nondet_uint(); 5 | while (x < 9) { 6 | if (y % 2 == 0) { 7 | x += 2; 8 | } else { 9 | x++; 10 | } 11 | } 12 | assert((x % 2) == (y % 2)); 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test-para2.hcc: -------------------------------------------------------------------------------- 1 | int N = _; 2 | int offset = _; 3 | 4 | int writeLoc = -1; 5 | 6 | thread[tid] Proc { 7 | assume(0 <= tid && tid < N); 8 | assume(N < offset); 9 | 10 | { 11 | int t; 12 | 13 | assert(writeLoc != tid && writeLoc != tid + offset); 14 | 15 | if (t) 16 | writeLoc = tid; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /regression-tests/math-arrays/simple-math-array-1.hcc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int a[_]; // [_] denotes that a is a mathematical array that is allocated everywhere 5 | int n = 3; 6 | int i = 0; 7 | for(i = 0; i < n; ++i) { 8 | a[i] = i; 9 | } 10 | for(i = 0; i < n; ++i) { 11 | assert(a[i] == i); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/properties/todo/valid-deref-stack-1-false.c: -------------------------------------------------------------------------------- 1 | int* invalidStackAccess() { 2 | int a = 10; // Local variable 3 | return &a; // Returning address of local variable - leads to invalid access 4 | } 5 | 6 | void main() { 7 | int *p = invalidStackAccess(); 8 | *p = 20; // Invalid access, dereferencing a dangling pointer 9 | } 10 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-global-array-opt-3.c: -------------------------------------------------------------------------------- 1 | 2 | /* Nondeterministically initialized by command line option -forceNondetInit. */ 3 | int a[5]; 4 | int b[5]; 5 | 6 | void main() { 7 | assume(a[0] == b[0]); 8 | 9 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 10 | assert(a[1] == b[1]); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract23.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE because assigns *q. 2 | 3 | /*@ 4 | requires \valid(p, q); 5 | assigns *p; 6 | */ 7 | void foo(int* p, int* q) { 8 | *q = 43; 9 | } 10 | 11 | int main(void) { 12 | int* p = malloc(sizeof(*p)); 13 | int* q = malloc(sizeof(*q)); 14 | *q = 42; 15 | foo(p,q); 16 | assert(*q == 42); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract25.hcc: -------------------------------------------------------------------------------- 1 | // SAFE because only *p assigned. 2 | 3 | /*@ 4 | requires \valid(p, q); 5 | assigns *p; 6 | */ 7 | void foo(int* p, int* q) { 8 | *p = 42; 9 | } 10 | 11 | int main(void) { 12 | int* p = malloc(sizeof(*p)); 13 | int* q = malloc(sizeof(*q)); 14 | *q = 42; 15 | foo(p,q); 16 | assert(*q == 42); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/acsl-standalone/swap_unsafe.c: -------------------------------------------------------------------------------- 1 | // FIXME: Currently gives error when producing CEX. Update answer when fixed. 2 | 3 | /*@ 4 | requires \valid(a) && \valid(b); 5 | assigns *a, *b; 6 | ensures (*a) == \old(*b); 7 | ensures (*b) == (*a); 8 | */ 9 | void foo(int* a, int* b) { 10 | int tmp = *a; 11 | *a = *b; 12 | *b = tmp; 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract24.hcc: -------------------------------------------------------------------------------- 1 | // UNSAFE because *p unknown value. 2 | 3 | /*@ 4 | requires \valid(p, q); 5 | assigns *p; 6 | */ 7 | void foo(int* p, int* q) { 8 | *p = 42; 9 | } 10 | 11 | int main(void) { 12 | int* p = malloc(sizeof(*p)); 13 | int* q = malloc(sizeof(*q)); 14 | *q = 42; 15 | foo(p,q); 16 | assert(*p == 42); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/fib.hcc: -------------------------------------------------------------------------------- 1 | 2 | int fib(int n) { 3 | if(n == 0) 4 | return 0; 5 | else if (n == 1) 6 | return 1; 7 | else return fib(n - 1) + fib(n - 2); 8 | } 9 | 10 | void main() 11 | { 12 | int x = fib(6); 13 | // 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, ... 14 | assert(x == 0); // unsafe, cex should show that x is 8 15 | } 16 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration3.hcc: -------------------------------------------------------------------------------- 1 | 2 | duration A, B; 3 | chan finished; 4 | 5 | int main() { 6 | 7 | clock x = 0; 8 | within(x <= A + B) 9 | chan_send(finished); 10 | 11 | } 12 | 13 | thread B { 14 | 15 | clock x = 0; 16 | assume(x >= A); 17 | x = 0; 18 | assume(x > B); 19 | 20 | chan_receive(finished); 21 | 22 | assert(0); 23 | 24 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration3c.hcc: -------------------------------------------------------------------------------- 1 | 2 | duration A; 3 | chan finished; 4 | 5 | int main() { 6 | 7 | clock x = 0; 8 | within(x <= A + 1) 9 | chan_send(finished); 10 | 11 | } 12 | 13 | thread B { 14 | 15 | clock x = 0; 16 | assume(x >= A); 17 | x = 0; 18 | assume(x > 1); 19 | 20 | chan_receive(finished); 21 | 22 | assert(0); 23 | 24 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration3d.hcc: -------------------------------------------------------------------------------- 1 | 2 | duration A; 3 | chan finished; 4 | 5 | int main() { 6 | 7 | clock x = 0; 8 | within(x <= A + 1) 9 | chan_send(finished); 10 | 11 | } 12 | 13 | thread B { 14 | 15 | clock x = 0; 16 | assume(x >= A); 17 | x = 0; 18 | assume(x >= 1); 19 | 20 | chan_receive(finished); 21 | 22 | assert(0); 23 | 24 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/dynamic-loop1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'dynamic-loop1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/unreach-call.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/swap-3.c: -------------------------------------------------------------------------------- 1 | void swap(int *x, int *y){ 2 | int tmp = *x; 3 | *x = *y; 4 | *y = tmp; 5 | } 6 | 7 | void main() { 8 | int *a = calloc(sizeof(int)); 9 | *a = 3; 10 | int *b = calloc(sizeof(int)); 11 | *b = 42; 12 | swap(a, b); 13 | int v = *a; 14 | assert(v == 0 || v == 3 || v == 42); 15 | } 16 | 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/shadowing-global.hcc: -------------------------------------------------------------------------------- 1 | int x = 0; 2 | 3 | /* 4 | This test makes sure that no predicates with the same name are created 5 | when there is an argument and a global variable with the same name. 6 | */ 7 | 8 | /*@contract@*/ 9 | void f(int x) { 10 | ++x; 11 | } 12 | 13 | void main(void) { 14 | f(x); 15 | assert(x == 0); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration3b.hcc: -------------------------------------------------------------------------------- 1 | 2 | duration A, B; 3 | chan finished; 4 | 5 | int main() { 6 | 7 | clock x = 0; 8 | within(x <= A + B) 9 | chan_send(finished); 10 | 11 | } 12 | 13 | thread B { 14 | 15 | clock x = 0; 16 | assume(x >= A); 17 | x = 0; 18 | assume(x >= B); 19 | 20 | chan_receive(finished); 21 | 22 | assert(0); 23 | 24 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/swap-2.c: -------------------------------------------------------------------------------- 1 | void swap(int *x, int *y){ 2 | int tmp = *x; 3 | *x = *y; 4 | *y = tmp; 5 | } 6 | 7 | void main() { 8 | int *a = calloc(sizeof(int)); 9 | *a = 3; 10 | int *b = calloc(sizeof(int)); 11 | *b = 42; 12 | swap(a, b); 13 | int tmp = *a; 14 | assert(tmp == 0 || tmp == 3 || tmp == 42); 15 | } 16 | 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/typecastSafe-001.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'typecastSafe-001.c' 4 | 5 | properties: 6 | - property_file: ../properties/unreach-call.prp 7 | expected_verdict: true 8 | - property_file: ../properties/valid-memsafety.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/loop.hcc: -------------------------------------------------------------------------------- 1 | 2 | typedef struct { 3 | int x; 4 | unsigned y; 5 | } S1; 6 | 7 | int main() { 8 | S1 s1; 9 | int i; 10 | 11 | s1.x -= s1.x; 12 | 13 | assert(s1.x == 0); // currently failing, but should hold 14 | 15 | for (i = 0; i < s1.y; ++i) { 16 | ++s1.x; 17 | } 18 | 19 | assert(s1.x == s1.y); 20 | assert(s1.y >= 0); 21 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-1-safe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-1-safe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/unreach-call.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-2-safe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-2-safe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/unreach-call.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-3-safe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-3-safe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/unreach-call.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-dynamic-array.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'simple-dynamic-array.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/unreach-call.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-3-false.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | int res = x - 1; 3 | return res; 4 | } 5 | 6 | int addOne(int x) { 7 | int res = x + 1; 8 | return res; 9 | } 10 | 11 | void main() { 12 | int x; 13 | int y = 1; 14 | assume(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 15 | assert(x == (y <= 0 ? addOne(y) : (subOne(y)+1))); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/function-in-assume-assert-3-true.c: -------------------------------------------------------------------------------- 1 | int subOne(int x){ 2 | int res = x - 1; 3 | return res; 4 | } 5 | 6 | int addOne(int x) { 7 | int res = x + 1; 8 | return res; 9 | } 10 | 11 | void main() { 12 | int x; 13 | int y = 1; 14 | assume(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 15 | assert(x == (y > 0 ? addOne(y) : (subOne(y)+1))); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/math-arrays/struct-array.hcc: -------------------------------------------------------------------------------- 1 | struct A { 2 | int a; 3 | }; 4 | 5 | // Not working 6 | void main() { 7 | struct A arr[3]; 8 | struct A old_arr[3]; 9 | 10 | assume(arr[2].a >= 10); 11 | assume(old_arr == arr); 12 | 13 | arr[2].a = arr[2].a * 2; 14 | 15 | assert(arr[2].a == old_arr[2].a * 2); 16 | assert(arr[1] == old_arr[1]); 17 | } -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract10.hcc: -------------------------------------------------------------------------------- 1 | // Recursive function 2 | 3 | /*@ 4 | ensures ((n <= 100) ==> (\result == 91)); 5 | ensures ((n > 100) ==> (\result == (n-10))); 6 | */ 7 | int mc91(int n) { 8 | if (n > 100) { 9 | return n - 10; 10 | } else { 11 | return mc91(mc91(n + 11)); 12 | } 13 | } 14 | 15 | void main() 16 | { 17 | int a; 18 | mc91(a); 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/nondet-static-array-opt-3.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | /* Nondeterministically initialized by command line option -forceNondetInit. */ 4 | static int a[5]; 5 | static int b[5]; 6 | 7 | assume(a[0] == b[0]); 8 | 9 | // Should be UNSAFE - but is currently SAFE 2025-10-02. Needs extension of theory. 10 | assert(a[1] == b[1]); 11 | } 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/heap-guard-bug-1.c: -------------------------------------------------------------------------------- 1 | struct Node { 2 | struct Node* left; 3 | struct Node* right; 4 | }; 5 | 6 | void main() { 7 | struct Node* n = malloc(sizeof(struct Node)); 8 | 9 | n->left = 0; 10 | n->right = 0; 11 | 12 | while (n->left || n->right) { 13 | if (n->left) 14 | n = n->left; 15 | else 16 | n = n->right; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/swap-2-fail.c: -------------------------------------------------------------------------------- 1 | void swap(int *x, int *y){ 2 | int tmp = *x; 3 | *x = *y; 4 | *y = tmp; 5 | } 6 | 7 | void main() { 8 | int *a = calloc(sizeof(int)); 9 | *a = 3; 10 | int *b = calloc(sizeof(int)); 11 | *b = 42; 12 | swap(a, b); 13 | int tmp = *a; 14 | assert(tmp == 42); // should pass after refinements 15 | } 16 | 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/static-shadowing-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int x; 4 | 5 | int foo() { 6 | static int x; 7 | x = x + 1; // This should increment the local x 8 | return x; 9 | } 10 | 11 | int main() { 12 | int y; 13 | foo(); // foo::x = 1 14 | y = foo(); // y = foo::x == 2 15 | assert(y == 2); 16 | assert(x == 0); // global x should be unchanged 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="ext-univ-1-safe.hcc ext-univ-2-safe.hcc ext-univ-3-nonzero-lo-safe.hcc ext-univ-4-empty-safe.hcc ext-univ-5-cmpN-safe.hcc ext-univ-1-unsafe.hcc" 6 | 7 | for name in $TESTS; do 8 | echo 9 | echo $name 10 | $LAZABS -cex -abstract:off -mathArrays "$@" $name 2>&1 | grep -v 'at ' 11 | done 12 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/nonlinear2.hcc: -------------------------------------------------------------------------------- 1 | // For this program, Eldarica previously computed an incorrect counterexample, 2 | // due to a bug in the Princess NIA solver 3 | 4 | int nondet(); 5 | 6 | int main(void) { 7 | int x = nondet(); 8 | assume(x >= 1); 9 | assume(x <= 100); 10 | int y = x * x; 11 | 12 | if (y > x) { 13 | assert(0); 14 | } 15 | 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-stack-memsafety1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'simple-stack-memsafety1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/valid-memcleanup.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef enum { 4 | A, B, C, NUM 5 | } E; 6 | 7 | void main() { 8 | E x; 9 | int res; 10 | 11 | assume(x >= 0 && x < NUM); 12 | 13 | switch(x) { 14 | case A: 15 | case B: 16 | res = 5; 17 | break; 18 | case C: 19 | res = 10; 20 | break; 21 | } 22 | 23 | assert(res <= 100); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/heap-guard-bug-2.c: -------------------------------------------------------------------------------- 1 | struct Node { 2 | struct Node* left; 3 | struct Node* right; 4 | }; 5 | 6 | void main() { 7 | struct Node* n = malloc(sizeof(struct Node)); 8 | 9 | n->left = 0; 10 | n->right = 0; 11 | 12 | while (!(!n->left && !n->right)) { 13 | if (n->left) 14 | n = n->left; 15 | else 16 | n = n->right; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/struct-pointer.hcc: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int a; 3 | int b; 4 | } S; 5 | 6 | S s; 7 | 8 | void main() { 9 | S *p = &s; 10 | s.b = 42; 11 | s.a = p->b; 12 | assert(s.a == 42); 13 | assert(p->b == 42); 14 | (*p).a = 3; 15 | assert(s.a == 3); 16 | p->b = p->a; 17 | assert(s.b == 3); 18 | (&s)->a = 1; 19 | assert(s.a == 1); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/struct-field-access-1-true.hcc: -------------------------------------------------------------------------------- 1 | struct S { 2 | int f1; 3 | int f2; 4 | }; 5 | 6 | /*@ 7 | requires s.f1 > s.f2; 8 | ensures \result.f2 == 42; 9 | ensures \result.f1 == \old(s).f1; 10 | */ 11 | struct S foo(struct S s) { 12 | s.f2 = 42; 13 | return s; 14 | } 15 | 16 | 17 | void main() 18 | { 19 | struct S s = { 2 , 1 }; 20 | foo(s); 21 | } 22 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/hints2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | void main() { 4 | int i = 0; 5 | 6 | /* Define one predicate template 2*i == j (cost 1), and two 7 | term templates i, j (cost 3) */ 8 | 9 | int /*@ predicates_tpl { 2*i == j } 10 | terms_tpl[3] { i, j } @*/ j = 0; 11 | 12 | while (i <= 1000) { 13 | i += 1; 14 | j += 2; 15 | } 16 | 17 | assert(j <= 3000); 18 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-alloca-memsafety1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'simple-alloca-memsafety1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/valid-memcleanup.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-alloca-memsafety2.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'simple-alloca-memsafety1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/valid-memcleanup.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/simple-global-memsafety1.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'simple-global-memsafety1.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: true 8 | - property_file: ../properties/valid-memcleanup.prp 9 | expected_verdict: true 10 | 11 | options: 12 | language: C 13 | data_model: ILP32 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test2c.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | int x = 0, y = 0; 5 | 6 | chan c, d; 7 | 8 | 9 | 10 | thread A { 11 | int i = 0; 12 | 13 | while (i < 3) { 14 | x = x + 1; 15 | ++i; 16 | } 17 | 18 | assert(y == 0 || 2*i == x); 19 | } 20 | 21 | thread B { 22 | int i = 0; 23 | while (i < 3) { 24 | x = x + 1; 25 | ++i; 26 | } 27 | 28 | y = 1; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/heapptr-to-stackptr.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /*@contract@*/ 4 | void swap(int **x, int **y){ 5 | int *tmp = *x; 6 | *x = *y; 7 | *y = tmp; 8 | } 9 | 10 | void main() { 11 | int *a = malloc(sizeof(int)); 12 | int *b = malloc(sizeof(int)); 13 | *a = 0; 14 | *b = 2; 15 | swap(&a, &b); 16 | assert(*a == 2 && *b == 0); 17 | } 18 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration1.hcc: -------------------------------------------------------------------------------- 1 | int x; 2 | 3 | duration D, E; 4 | chan start; 5 | 6 | void main() { 7 | clock C1; 8 | assume(D < E); 9 | 10 | atomic { chan_send(start); C1 = 0; } 11 | within(C1 <= D) x = 42; 12 | } 13 | 14 | thread A { 15 | clock C2; 16 | assume(D < E); 17 | 18 | atomic { chan_receive(start); C2 = 0; } 19 | assume(C2 >= E); 20 | 21 | assert(x > 0); 22 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/duration2.hcc: -------------------------------------------------------------------------------- 1 | int x; 2 | 3 | duration D, E; 4 | chan start; 5 | 6 | void main() { 7 | clock C1; 8 | assume(D <= E); 9 | 10 | atomic { chan_send(start); C1 = 0; } 11 | within(C1 <= D) x = 42; 12 | } 13 | 14 | thread A { 15 | clock C2; 16 | assume(D <= E); 17 | 18 | atomic { chan_receive(start); C2 = 0; } 19 | assume(C2 >= E); 20 | 21 | assert(x > 0); 22 | } -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract5.hcc: -------------------------------------------------------------------------------- 1 | // Multiple annotated functions. 2 | 3 | /*@ 4 | requires x < 0; 5 | ensures \result >= 0; 6 | */ 7 | int foo(int x) { 8 | return 1; 9 | } 10 | 11 | /*@ 12 | requires x >= 0; 13 | ensures \result == 42; 14 | */ 15 | int bar(int x) { 16 | return 42; 17 | } 18 | 19 | void main() 20 | { 21 | int a = -2; 22 | int b = foo(a); 23 | bar(b); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/at-expressions/at-old-01-true.c: -------------------------------------------------------------------------------- 1 | int g = 10; 2 | 3 | int f(int p) { 4 | // Pre / Old: p == 5, g == 10. 5 | 6 | p = 20; 7 | g = 30; 8 | // p = 20, g = 30 9 | 10 | assert($at("Pre", (int)(p + g)) == 15); 11 | assert($at("Old", (int)(p + g)) == 15); 12 | 13 | p = 3; 14 | g = 5; 15 | 16 | return p + g; 17 | } 18 | 19 | void main() { 20 | f(5); 21 | assert(g == 5); 22 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/fischer.hcc: -------------------------------------------------------------------------------- 1 | int lock = 0; 2 | 3 | thread[tid] Proc { 4 | clock C; 5 | assume(tid > 0); 6 | 7 | while (1) { 8 | atomic { assume(lock == 0); C = 0; } 9 | within (C <= 1) lock = tid; 10 | 11 | C = 0; 12 | assume(C > 1); 13 | 14 | if (lock == tid) { 15 | // critical section 16 | assert(lock == tid); 17 | lock = 0; 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/jumps.hcc: -------------------------------------------------------------------------------- 1 | 2 | thread A { 3 | 4 | int x = 0; 5 | 6 | while (1) { 7 | if (++x == 10) 8 | break; 9 | assert(x <= 9); 10 | } 11 | 12 | assert(x == 10); 13 | 14 | } 15 | 16 | thread B { 17 | 18 | int y = 0, i; 19 | 20 | for (i = 0; i < 10; ++i) { 21 | if (i > 2 && i <= 7) 22 | continue; 23 | ++y; 24 | } 25 | 26 | assert(y == 5); 27 | 28 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | int x = 0, y = 0; 5 | 6 | chan c, d; 7 | 8 | 9 | 10 | thread A { 11 | int i = 0; 12 | 13 | while (i < 3) { 14 | atomic(x = x + 1); 15 | ++i; 16 | } 17 | 18 | assert(y == 0 || 2*i == x); 19 | } 20 | 21 | thread B { 22 | int i = 0; 23 | while (i < 3) { 24 | atomic(x = x + 1); 25 | ++i; 26 | } 27 | 28 | y = 1; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/test2b.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | int x = 0, y = 0; 5 | 6 | chan c, d; 7 | 8 | 9 | 10 | thread A { 11 | int i = 0; 12 | 13 | while (i < 3) { 14 | atomic(x = x + 1); 15 | ++i; 16 | } 17 | 18 | assert(y == 0 || i == x); 19 | } 20 | 21 | thread B { 22 | int i = 0; 23 | while (i < 3) { 24 | atomic(x = x + 1); 25 | ++i; 26 | } 27 | 28 | y = 1; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-3-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern int nondet(); 4 | int main() { 5 | int *p = malloc(sizeof(int)); 6 | // p is not freed before program end - violates memcleanup. 7 | // int main with multiple exit paths 8 | if(nondet()) { 9 | free(p); 10 | return 0; 11 | } 12 | // if above if is not taken, this is still unsafe. 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/array-inside-struct-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef struct S { 5 | int data[4]; 6 | } S; 7 | 8 | int foo (int a[]) { 9 | a[0] = 0; 10 | return a[0]; 11 | } 12 | 13 | void main() { 14 | S s; 15 | for(int i = 0; i < 4; ++i) { 16 | s.data[i] = i; 17 | } 18 | for(int i = 0; i < 4; ++i) { 19 | assert(s.data[i] != i); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/multi-arg-1.c: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void mod(int* t1, int* t2) { 3 | (*t1)++; 4 | (*t2)--; 5 | } 6 | 7 | int main() { 8 | int* s1 = (int*) malloc(sizeof(int)); 9 | int* s2 = (int*) malloc(sizeof(int)); 10 | 11 | *s1 = 1; 12 | *s2 = 2; 13 | 14 | mod(s1, s2); 15 | assert(*s1 == 1+1); 16 | assert(*s2 == 2-1); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-2-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-2-unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | - property_file: ../properties/unreach-call.prp 10 | expected_verdict: false 11 | 12 | options: 13 | language: C 14 | data_model: ILP32 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-3-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-3-unsafe.c' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | - property_file: ../properties/unreach-call.prp 10 | expected_verdict: false 11 | 12 | options: 13 | language: C 14 | data_model: ILP32 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/opassign-struct.c: -------------------------------------------------------------------------------- 1 | struct S { 2 | int x; 3 | } *s; 4 | 5 | void main() { 6 | s = calloc(sizeof(struct S)); 7 | s->x += 42; 8 | assert(s->x == 42); 9 | s->x *= 2; 10 | assert(s->x == 84); 11 | s->x /= 4; 12 | assert(s->x == 21); 13 | s->x -= 1; 14 | assert(s->x == 20); 15 | s->x %= 3; 16 | assert(s->x == 2); 17 | s->x -= s->x; 18 | assert(s->x == 0); 19 | } 20 | 21 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/assign.hcc: -------------------------------------------------------------------------------- 1 | struct { 2 | int x; 3 | struct{ 4 | int x; 5 | } s; 6 | } s1, s2; 7 | 8 | int main() { 9 | s2.x = 1; 10 | assert(s2.x == 1); 11 | assert(s2.s.x == 0); 12 | s1.s.x = 42; 13 | s1.x = 2; 14 | assert(s1.x == 2); 15 | assert(s1.s.x == 42); 16 | 17 | s2.s = s1.s; 18 | assert(s2.x == 1); 19 | assert(s2.s.x == 42); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/race.hcc: -------------------------------------------------------------------------------- 1 | 2 | typedef struct { 3 | int x; 4 | } S1; 5 | 6 | S1 s; 7 | 8 | int flag = 0; 9 | 10 | int main() { 11 | int n; 12 | 13 | assert(s.x == 0); 14 | 15 | s.x = n; 16 | 17 | flag = 1; 18 | ++s.x; 19 | 20 | assume(flag == 2); 21 | assert(s.x == n + 2); // should not hold 22 | } 23 | 24 | thread A { 25 | assume(flag == 1); 26 | ++s.x; 27 | flag = 2; 28 | } 29 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-1-unsafe.yml: -------------------------------------------------------------------------------- 1 | format_version: '2.0' 2 | 3 | input_files: 'pointer-arith-1-unsafe' 4 | 5 | properties: 6 | - property_file: ../properties/valid-memsafety.prp 7 | expected_verdict: false 8 | subproperty: valid-deref 9 | - property_file: ../properties/unreach-call.prp 10 | expected_verdict: false 11 | 12 | options: 13 | language: C 14 | data_model: ILP32 15 | -------------------------------------------------------------------------------- /regression-tests/ParametricEncoder/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | export LAZABS_HOME=../.. 4 | export JAR="${LAZABS_HOME}"/target/scala-*/TriCera-assembly-*.jar 5 | export JAVA_OPTS="-Xmx4096m -Xss20000k -cp $JAR" 6 | 7 | for mainClass in tricera.concurrency.ParameterisedExamples; do 8 | echo 9 | echo $mainClass 10 | java $JAVA_OPTS $mainClass 2>&1 | grep -v time | grep -v 'ms)' | sed -e 's/Map(.*$//g' 11 | done 12 | 13 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-3-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern int nondet(); 4 | int main() { 5 | int *p = malloc(sizeof(int)); 6 | // p is not freed before program end - violates memcleanup. 7 | // int main with multiple exit paths 8 | if(nondet()) { 9 | free(p); 10 | return 0; 11 | } else { 12 | free(p); 13 | } // p is freed on all paths, this is safe. 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/qualified-heapptr-to-stackptr.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /*@contract@*/ 4 | void swap(int *volatile* x, int *volatile* y){ 5 | int *volatile tmp = *x; 6 | *x = *y; 7 | *y = tmp; 8 | } 9 | 10 | void main() { 11 | int *volatile a = malloc(sizeof(int)); 12 | int *volatile b = malloc(sizeof(int)); 13 | *b = 42; 14 | swap(&a, &b); 15 | assert(*a == 42 && *b == 0); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract11.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p, q); 3 | ensures \result == *p || \result == *q; 4 | ensures \result >= *p; 5 | ensures \result >= (*q); 6 | */ 7 | int max(int* p, int* q) { 8 | if (*p >= *q) { 9 | return *p; 10 | } else { 11 | return *q; 12 | } 13 | } 14 | 15 | void main() 16 | { 17 | int* p = malloc(sizeof(*p)); 18 | int* q = malloc(sizeof(*q)); 19 | max(p, q); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-custom-entry.hcc: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int val; 3 | } S; 4 | 5 | extern int non_det_int(); 6 | 7 | /*@contract@*/ 8 | void incr(S* t) { 9 | t->val++; 10 | } 11 | 12 | 13 | void entryPoint(void) { 14 | int init = non_det_int(); 15 | 16 | assume(-2147483648 <= init && init < 2147483647); 17 | 18 | S s = {init}; 19 | incr(&s); 20 | 21 | assert(s.val == init+1); 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-struct.hcc: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int val; 3 | } S; 4 | 5 | extern int non_det_int(); 6 | 7 | /*@contract@*/ 8 | void incr(S* t) { 9 | t->val++; 10 | } 11 | 12 | int main() { 13 | int init = non_det_int(); 14 | S s = {init}; 15 | 16 | assume(-2147483648 < init && init < 2147483647); 17 | 18 | incr(&s); 19 | 20 | assert(s.val == init+1); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/takeuchi.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | int tak(int x, int y, int z) { 4 | if (y < x) 5 | return 6 | tak( 7 | tak(x-1, y, z), 8 | tak(y-1, z, x), 9 | tak(z-1, x, y) 10 | ); 11 | else 12 | return y; 13 | } 14 | 15 | void main() { 16 | int x, y, z; 17 | assume(x > y && y <= z); 18 | int res = tak(x, y, z); 19 | assert(res == z); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract13.hcc: -------------------------------------------------------------------------------- 1 | /*@ 2 | requires \valid(p, q); 3 | ensures \result == *p || \result == *q; 4 | ensures \result >= *p; 5 | ensures \result >= (*q); 6 | */ 7 | int max(int* p, int* q) { 8 | if (*p >= *q) { 9 | return *p; 10 | } else { 11 | return *q + 1; 12 | } 13 | } 14 | 15 | void main() 16 | { 17 | int* p = malloc(sizeof(*p)); 18 | int* q = malloc(sizeof(*q)); 19 | max(p, q); 20 | } 21 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/struct-field-access-2-false.hcc: -------------------------------------------------------------------------------- 1 | struct S { 2 | int f1; 3 | int f2; 4 | }; 5 | 6 | /*@ 7 | requires s.f1 > s.f2; 8 | ensures \result.f2 == 42; 9 | ensures \result.f1 == \old(s).f1; 10 | */ 11 | struct S foo(struct S s) { 12 | s.f2 = 42; 13 | s.f1 = 3; // violates the second post-condition 14 | return s; 15 | } 16 | 17 | 18 | void main() 19 | { 20 | struct S s = { 2 , 1 }; 21 | foo(s); 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/fischer-AB.hcc: -------------------------------------------------------------------------------- 1 | int lock = 0; 2 | 3 | duration A, B; 4 | 5 | thread[tid] Proc { 6 | clock C; 7 | assume(tid > 0 && A <= B); 8 | 9 | while (1) { 10 | atomic { assume(lock == 0); C = 0; } 11 | within (C <= A) lock = tid; 12 | 13 | C = 0; 14 | assume(C > B); 15 | 16 | if (lock == tid) { 17 | // critical section 18 | assert(lock == tid); 19 | lock = 0; 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/pointer-arith-3-unsafe.c: -------------------------------------------------------------------------------- 1 | int a[]; 2 | 3 | void main() { 4 | int n = 2; 5 | a = calloc(sizeof(int)*n); 6 | int *p = &(a[1]); 7 | for(int i = 0; i < n; ++i) { 8 | if(*p != 0) { 9 | reach_error(); 10 | } 11 | // Above the read *p is unsafe (valid-deref), 12 | // reach_error will also be hit (unreach-call), that location might not contain 0. 13 | p = p+1; 14 | } 15 | free(a); 16 | } 17 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/sizeof-bug-2-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct S1 4 | { 5 | struct S1* f1; 6 | }; 7 | 8 | struct S2 9 | { 10 | struct S1* f2; 11 | }; 12 | 13 | int main() 14 | { 15 | struct S2 s2; 16 | struct S1 **p = malloc(sizeof(s2.f2)); // p is S1**, s2.f2 is S1* 17 | *p = malloc(sizeof(*s2.f2)); // *p is S1*, *s2.f2 is S1 18 | s2.f2 = *p; 19 | s2.f2->f1 = *p; // lhs is S1*, rhs is also S1* 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memtrack-array-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void* allocArray(int n) { 4 | return malloc(sizeof(int)*n); 5 | } 6 | 7 | void main() { 8 | int p[] = (int*) allocArray(10); 9 | // This violates memcleanup, but not memtrack. 10 | // Note, if there would have been a return statement, this would 11 | // have violated memtrack too. 12 | // See https://groups.google.com/g/sv-comp/c/Slug4p2DACM/m/ajhC7krvEgAJ 13 | } 14 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="pred-hint.c pred-hint-loop.c \ 6 | unint-pred-simple-false.c unint-pred-simple-true.c \ 7 | unint-pred-stack-ptr-unsupported.c unint-pred-simple-ptr-true.c 8 | unint-pred-unnamed-ptr-arg-bug.c" 9 | 10 | for name in $TESTS; do 11 | echo 12 | echo $name 13 | $LAZABS -cex -abstract:off "$@" $name 2>&1 | grep -v 'at ' 14 | done 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/nested.hcc: -------------------------------------------------------------------------------- 1 | struct S3{ 2 | int a; 3 | }; 4 | struct S2{ 5 | int a; 6 | struct S3 b; 7 | }; 8 | struct S1{ 9 | int a; 10 | struct S2 b; 11 | }; 12 | 13 | thread A { 14 | struct S1 s; 15 | s.b.b.a = 41; 16 | s.b.a = s.b.b.a++; 17 | s.b.b.a--; 18 | s.a = ++s.b.a; 19 | --s.b.a; 20 | s.b.a--; 21 | 22 | assert(s.b.b.a == 41); 23 | assert(s.b.a == 40); 24 | assert(s.a == 42); 25 | } 26 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/functions.hcc: -------------------------------------------------------------------------------- 1 | 2 | int f() { 3 | return 42; 4 | } 5 | 6 | int inc(int x) { 7 | return x + 1; 8 | } 9 | 10 | thread A { 11 | 12 | int x = 0; 13 | x = inc(x); 14 | assert(x == 1); 15 | 16 | } 17 | 18 | thread B { 19 | 20 | int x = inc(f()); 21 | assert(x == 43); 22 | 23 | } 24 | 25 | int nondet(); 26 | 27 | thread C { 28 | 29 | int x, y; 30 | 31 | x = nondet(); 32 | y = inc(x); 33 | 34 | assert(y > x); 35 | 36 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | target/** 2 | regression-tests/*/Output* 3 | **.png 4 | **.dot 5 | .bsp 6 | **/CMakeCache.txt 7 | CMakeFiles 8 | .idea 9 | cc-parser/bin 10 | cc-parser/target 11 | cc-parser/tricera 12 | cc-parser/lib 13 | acsl-parser/bin 14 | acsl-parser/target 15 | acsl-parser/tricera 16 | project/project 17 | project/target 18 | project/.bloop 19 | Makefile 20 | cmake_install.cmake 21 | preprocessor/build 22 | tri-pp 23 | *.swp 24 | *.swo 25 | .metals/** 26 | .bloop/** 27 | .vscode -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="basic.hcc fields.hcc fields-nested.hcc struct-pointer.hcc struct-pointer2.hcc unary.hcc unary-struct.hcc unary-struct-nested.hcc list-init.hcc cast-stack-heap-01.c ptrptr-bug-1.c ptrptr-bug-2.c ptr-to-int-cast.c stack-ptr-fun-ret.c" 6 | 7 | for name in $TESTS; do 8 | echo 9 | echo $name 10 | $LAZABS -cex -abstract:off "$@" $name 2>&1 | grep -v 'at ' 11 | done 12 | 13 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef-pointer2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef struct { 4 | enum { A, B, C } x, y; 5 | } Pair; 6 | 7 | void inc(Pair *p) { 8 | p->y = p->x; 9 | switch(p->x) { 10 | case A: p->x = B; break; 11 | case B: p->x = C; break; 12 | case C: p->x = A; break; 13 | } 14 | } 15 | 16 | int nondet(); 17 | 18 | void main() { 19 | Pair p = { A, B }; 20 | 21 | while(nondet()) { 22 | inc(&p); 23 | } 24 | 25 | assert(p.x != p.y); 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract9.hcc: -------------------------------------------------------------------------------- 1 | // ACSL used alongside contract gen. and inlining. 2 | 3 | /*@ 4 | requires n >= 0; 5 | ensures \result >= 1; 6 | */ 7 | int foo(int n) { 8 | return n+1; 9 | } 10 | 11 | /*@ contract */ 12 | int bar(int n) { 13 | return n+2; 14 | } 15 | 16 | int baz(int n) { 17 | return n+3; 18 | } 19 | 20 | 21 | void main() 22 | { 23 | int a = foo(0); 24 | int b = bar(a); 25 | int c = baz(b); 26 | assert((a + b + c) >= (1 + 3 + 6)); 27 | } 28 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef2.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef enum { 4 | A, B, C 5 | } E; 6 | 7 | typedef struct { 8 | E x; 9 | E y; 10 | } Pair; 11 | 12 | E inc(E x) { 13 | switch(x) { 14 | case A: return B; 15 | case B: return C; 16 | case C: return A; 17 | } 18 | } 19 | 20 | int nondet(); 21 | 22 | void main() { 23 | Pair p = { A, B }; 24 | 25 | while(nondet()) { 26 | p.x = inc(p.x); 27 | p.y = inc(p.y); 28 | } 29 | 30 | assert(p.x != p.y); 31 | } 32 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="enum1.hcc \ 6 | enum1-trailing-comma.hcc \ 7 | enum2.hcc \ 8 | enum3.hcc \ 9 | enum4.hcc \ 10 | enum-typedef.hcc \ 11 | enum-typedef2.hcc \ 12 | enum-typedef-pointer.hcc \ 13 | enum-typedef-pointer2.hcc" 14 | 15 | for name in $TESTS; do 16 | echo 17 | echo $name 18 | $LAZABS -cex -abstract:off "$@" $name 2>&1 | grep -v 'at ' 19 | done 20 | 21 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract16.hcc: -------------------------------------------------------------------------------- 1 | // SAFE as values are reset. 2 | 3 | int g = 1; 4 | 5 | /*@ 6 | requires \valid(p); 7 | assigns \nothing; 8 | ensures \result == *p; 9 | */ 10 | int get(int* p) { 11 | int g_before = g; 12 | int p_before = *p; 13 | g = 42; 14 | *p = 42; 15 | g = g_before; 16 | *p = p_before; 17 | return *p; 18 | } 19 | 20 | void main(void) { 21 | int* p = malloc(sizeof(*p)); 22 | int res = get(p); 23 | assert(g == 1); 24 | assert(*p == res); 25 | } 26 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef-X.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef enum { 4 | A, B, C 5 | } E; 6 | 7 | typedef struct { 8 | E x; 9 | // E y; 10 | } Pair; 11 | 12 | E inc(E x) { 13 | switch(x) { 14 | case A: return B; 15 | case B: return C; 16 | case C: return A; 17 | } 18 | } 19 | 20 | int nondet(); 21 | 22 | void main() { 23 | Pair p = { A }; 24 | 25 | while(nondet()) { 26 | p.x = inc(p.x); 27 | // p.y = inc(p.y); 28 | } 29 | 30 | assert(p.x != inc(p.x)); 31 | } 32 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/simple-arith.c: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | int *x = calloc(sizeof(int)); 4 | *x = 42; 5 | *x = 3; 6 | int y = *x + *x; 7 | assert(y == 0 || y == 3 || y == 6 || y == 42 || y == 45 || y == 84); 8 | /* possible values for y without refinements 9 | 0 + 0 = 0 10 | 0 + 3 = 3 11 | 3 + 3 = 6 12 | 0 + 42 = 42 13 | 3 + 42 = 45 14 | 42 + 42 = 84 15 | 16 | with refinements 17 | 3 + 3 = 6 18 | */ 19 | } 20 | 21 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-array/dynamic-loop1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern int nondet(); 5 | 6 | int a[]; 7 | 8 | void main() { 9 | // int n = nondet(); // cannot verify 10 | int n = 2; 11 | a = malloc(sizeof(int)*n); 12 | 13 | for (int i = 0; i < n; ++i) { 14 | a[i] = 3; 15 | } 16 | 17 | int sum = 0; 18 | for (int i = 0; i < n; ++i) { 19 | sum += a[i]; 20 | assert(a[i] == 3); 21 | } 22 | 23 | assert(sum == n*3); 24 | 25 | free(a); 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/unary.hcc: -------------------------------------------------------------------------------- 1 | 2 | void main() { 3 | int a = 0; 4 | int b; 5 | int *x = &a; 6 | ++(*x); 7 | assert(a == 1 && 8 | *x == a); 9 | 10 | b = --(*x); 11 | assert(a == 0 && 12 | *x == a && 13 | b == a); 14 | 15 | b = (*x)++; 16 | assert(a == 1 && 17 | *x == a && 18 | b == (a-1)); 19 | 20 | b = (*x)--; 21 | assert(a == 0 && 22 | *x == a && 23 | b == (a+1)); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/simple-loop-invariant-true.c: -------------------------------------------------------------------------------- 1 | /*$ 2 | P(int x, int i, int n) { 3 | x == i*n && i <= n //0 <= i not needed 4 | } 5 | $*/ 6 | 7 | void main() { 8 | int n = _; 9 | assume(n > 0); 10 | int x = 0; 11 | int i = 0; 12 | assert(P(x, i, n)); 13 | while (i < n) { 14 | assume(P(x, i, n)); // does not work without this assumption 15 | x += n; 16 | i++; 17 | assert(P(x, i, n)); 18 | } 19 | assume(P(x, i, n)); 20 | 21 | 22 | assert(x == n*n); 23 | } 24 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef-pointer.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef enum { 4 | A, B, C 5 | } E; 6 | 7 | typedef struct { 8 | E x; 9 | E y; 10 | } Pair; 11 | 12 | void inc(E *x) { 13 | switch(*x) { 14 | case A: *x = B; break; 15 | case B: *x = C; break; 16 | case C: *x = A; break; 17 | } 18 | } 19 | 20 | int nondet(); 21 | 22 | void main() { 23 | Pair p = { A, B }; 24 | 25 | while(nondet()) { 26 | inc(&p.x); 27 | inc(&p.y); 28 | } 29 | 30 | assert(p.x != p.y); 31 | } 32 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum-typedef-pointer2.hcc~: -------------------------------------------------------------------------------- 1 | 2 | 3 | typedef enum { 4 | A, B, C 5 | } E; 6 | 7 | typedef struct { 8 | E x; 9 | E y; 10 | } Pair; 11 | 12 | void inc(E *x) { 13 | switch(*x) { 14 | case A: *x = B; break; 15 | case B: *x = C; break; 16 | case C: *x = A; break; 17 | } 18 | } 19 | 20 | int nondet(); 21 | 22 | void main() { 23 | Pair p = { A, B }; 24 | 25 | while(nondet()) { 26 | inc(&p.x); 27 | inc(&p.y); 28 | } 29 | 30 | assert(p.x != p.y); 31 | } 32 | -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/simple-loop-invariant-false.c: -------------------------------------------------------------------------------- 1 | /*$ 2 | P(int x, int i, int n) { 3 | x == i*n && i <= n //0 <= i not needed 4 | } 5 | $*/ 6 | 7 | void main() { 8 | int n = _; 9 | assume(n > 0); 10 | int x = 0; 11 | int i = 0; 12 | assert(P(x, i, n)); 13 | while (i < n) { 14 | assume(P(x, i, n)); // does not work without this assumption 15 | x += n; 16 | i++; 17 | assert(P(x, i, n)); 18 | } 19 | assume(P(x, i, n)); 20 | 21 | 22 | assert(x != n*n); 23 | } 24 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="get-1.c \ 6 | incdec-1.c \ 7 | incdec-2.c \ 8 | max-1.c \ 9 | max-2.c \ 10 | multadd-1.c \ 11 | truck-2.c \ 12 | heapptr-to-stackptr.c \ 13 | qualified-heapptr-to-stackptr.c \ 14 | multi-arg-1.c multi-arg-2.c" 15 | 16 | for name in $TESTS; do 17 | echo 18 | echo $name 19 | $LAZABS -cex -acsl "$@" $name 2>&1 | grep -v 'at ' 20 | done 21 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-nested-calls.hcc: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | int val; 3 | } S; 4 | 5 | extern int non_det_int(); 6 | 7 | /*@contract@*/ 8 | void decr(S* q) { 9 | q->val--; 10 | } 11 | 12 | /*@contract@*/ 13 | void incdec(S* p) { 14 | p->val++; 15 | decr(p); 16 | } 17 | 18 | int main() { 19 | int init = non_det_int(); 20 | S s = {init}; 21 | 22 | assume(-2147483648 <= init && init < 2147483647); 23 | 24 | incdec(&s); 25 | 26 | assert(s.val == init); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-memcleanup-array-true.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int* allocArray(int n) { 4 | return malloc(sizeof(int)*n); 5 | } 6 | 7 | void freePtr(int *q) { 8 | free(q); 9 | } 10 | 11 | void main() { 12 | int p[] = allocArray(10); 13 | /* Note that int * p = ... does not work, and will be unsafe, 14 | because tricera currently cannot recognize p as an array pointer, 15 | and as a result incorrectly treats AddrRange as Addr sort. 16 | */ 17 | freePtr(p); 18 | } 19 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract27.hcc: -------------------------------------------------------------------------------- 1 | 2 | 3 | /*@ 4 | requires \valid(a) && \valid(b); 5 | assigns *a, *b; 6 | ensures *a == \old(*b); 7 | ensures (*b) == \old(*a); 8 | */ 9 | void swap(int* a, int* b) { 10 | int tmp = *a; 11 | *a = *b; 12 | *b = tmp; 13 | } 14 | 15 | int main(void) { 16 | int* a = (int*) malloc(sizeof(*a)); 17 | int* b = (int*) malloc(sizeof(*b)); 18 | int* c = (int*) malloc(sizeof(*c)); 19 | *a = 1; 20 | *c = 3; 21 | swap(a, b); 22 | assert(*b == 1); 23 | assert(*c == 3); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/mutually-referential-structs-unsafe.c: -------------------------------------------------------------------------------- 1 | struct parent; 2 | struct child; 3 | 4 | struct child { 5 | struct parent *p; 6 | }; 7 | 8 | struct parent { 9 | struct child *child1, *child2; 10 | }; 11 | 12 | void main() 13 | { 14 | struct parent* list = calloc(sizeof(struct parent)); 15 | list->child1 = calloc(sizeof(struct child)); 16 | list->child1->p = list; 17 | list->child2 = calloc(sizeof(struct child)); 18 | //list->child2->p = list; 19 | 20 | assert(list->child1->p == list->child2->p); 21 | } 22 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/unary-struct.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | int a; 3 | int b; 4 | } s = {1, 2}; 5 | 6 | void main() { 7 | int *x = &s.a; 8 | ++(*x); 9 | assert(s.a == 2 && 10 | *x == s.a); 11 | --(*x); 12 | assert(s.a == 1 && 13 | *x == s.a); 14 | 15 | s.b = (*x)++; 16 | assert(s.a == 2 && 17 | *x == s.a && 18 | s.b == (s.a - 1) ); 19 | 20 | s.b = (*x)--; 21 | assert(s.a == 1 && 22 | *x == s.a && 23 | s.b == (s.a + 1) ); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="anon.hcc assign.hcc assign2.hcc assign-exp-eval-order.hcc assign-illegal.hcc \ 6 | init.hcc loop.hcc nested.hcc typedef.hcc emptyStruct.hcc" 7 | 8 | for name in $TESTS; do 9 | echo 10 | echo $name 11 | $LAZABS -cex -abstract:off "$@" $name 2>&1 | grep -v 'at ' 12 | done 13 | 14 | NOCEXTESTS="race.hcc" 15 | for name in $NOCEXTESTS; do 16 | echo 17 | echo $name 18 | $LAZABS -abstract:off "$@" $name 2>&1 | grep -v 'at ' 19 | done 20 | 21 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/pred-hint.c: -------------------------------------------------------------------------------- 1 | extern int nondet(); 2 | 3 | /*$ 4 | pre_p(int), post_p(int, int) 5 | $*/ 6 | int foo(int x) { // program entry point 1 7 | assume(pre_p(x)); 8 | int res = x + 1; 9 | assert(post_p(x, res)); 10 | return res; 11 | } 12 | 13 | void main1 () { // program entry point 2 14 | int x = _; 15 | int y = _; 16 | assert(pre_p(x)); 17 | assume(post_p(x, y)); 18 | assert(y == x + 1); 19 | } 20 | 21 | void main () { 22 | if (nondet()) 23 | main1(); 24 | else 25 | foo(nondet()); 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="nonlinear2.hcc \ 6 | ../horn-hcc/loop1.hcc \ 7 | ../horn-hcc/loop2.hcc \ 8 | bitwise1.hcc \ 9 | bitwise2.hcc" 10 | 11 | for name in $TESTS; do 12 | echo 13 | echo $name 14 | $LAZABS -cex -abstract:off -arithMode:ilp32 "$@" $name 2>&1 | grep -v 'at ' 15 | done 16 | 17 | echo 18 | echo MonadicInv.hcc 19 | $LAZABS -arithMode:ilp32 "$@" MonadicInv.hcc 2>&1 20 | 21 | echo 22 | echo bitwise3.hcc 23 | $LAZABS -arithMode:ilp32 "$@" bitwise3.hcc 2>&1 24 | 25 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/fields-nested.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | int a; 3 | struct{ 4 | int a; 5 | struct{ 6 | int a; 7 | }b; 8 | }b; 9 | } s1 = {1,2,3}, s2 = {4,5,6}; 10 | 11 | void swap(int *x, int *y){ 12 | int tmp = *x; 13 | *x = *y; 14 | *y = tmp; 15 | } 16 | 17 | void main() { 18 | swap(&s1.b.b.a, &s2.b.b.a); 19 | assert(s1.b.b.a == 6 && s2.b.b.a == 3); 20 | 21 | int *x1 = &s1.b.a; 22 | swap(&s2.b.a, x1); 23 | assert(*x1 == s1.b.a && 24 | *x1 == 2 && 25 | s2.b.a == 5); 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/struct-field-access-3-true.hcc: -------------------------------------------------------------------------------- 1 | struct S3{ 2 | int a; 3 | }; 4 | struct S2{ 5 | int a; 6 | struct S3 s3; 7 | }; 8 | struct S1{ 9 | int a; 10 | struct S2 s2; 11 | }; 12 | 13 | /*@ 14 | requires s.a == 1 && s.s2.a == 3 15 | && s.s2.s3.a == 42; 16 | ensures \result.s2 == \old(s).s2; 17 | */ 18 | struct S1 foo(struct S1 s) { 19 | s.a = 0; // does not affect the postcondition 20 | return s; 21 | } 22 | 23 | 24 | void main() 25 | { 26 | struct S1 s1; 27 | s1.s2.s3.a = 42; 28 | s1.s2.a = 3; 29 | s1.a = 1; 30 | foo(s1); 31 | } 32 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/list-001.c: -------------------------------------------------------------------------------- 1 | struct node 2 | { 3 | struct node *L; 4 | struct node *R; 5 | }; 6 | 7 | void main() 8 | { 9 | /* initialize the doubly linked list with a single node */ 10 | struct node* list=malloc(sizeof(struct node)); 11 | list->L=0; 12 | list->R=0; 13 | struct node *tail=list; 14 | 15 | /* initialize a node and add to the tail of the list */ 16 | struct node *n=malloc(sizeof(struct node)); 17 | n->L=tail; 18 | n->R=0; 19 | tail->R=n; 20 | tail=n; 21 | 22 | /* now the list should have two elements */ 23 | assert(list != tail); 24 | } 25 | -------------------------------------------------------------------------------- /regression-tests/properties/valid-free-12-false.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void main() { 4 | int *a = malloc(sizeof(int)); 5 | int addrA = (int) a; // safe in ILP32 - violates MISRA-C 11.4 and not supported by TriCera 6 | // TriCera is expected to reject above line (report unknown for this benchmark). 7 | free(a); // a is freed, addrA still holds prev. addr value 8 | int *b = malloc(sizeof(int)); 9 | int addrB = (int) b; 10 | if (addrA == addrB) { // this is possible, b might get alloced the freed address 11 | free(b); 12 | } 13 | free(b); // potential double free 14 | } 15 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/switch2.hcc: -------------------------------------------------------------------------------- 1 | 2 | int N = _; 3 | 4 | int nondet(); 5 | 6 | void main() { 7 | int x = 0, y = 0; 8 | int s = 0; 9 | 10 | loop : while (s != 3) { 11 | 12 | switch(s) { 13 | s = 0; case 0: if (nondet()) goto loop; 14 | while (x <= N) { 15 | s = 1; case 1: if (nondet()) goto loop; 16 | x++; 17 | s = 2; case 2: if (nondet()) goto loop; 18 | y++; 19 | } 20 | s = 3; case 3: if (nondet()) goto loop; 21 | } 22 | 23 | } 24 | 25 | assert(x == y); 26 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/basic.hcc: -------------------------------------------------------------------------------- 1 | int x; 2 | int *y = &x; 3 | 4 | void swap(int *x, int *y){ 5 | int tmp = *x; 6 | *x = *y; 7 | *y = tmp; 8 | } 9 | 10 | void main() { 11 | assert(*y == 0); //global *y -> global x 12 | x = 1; 13 | assert(*y == 1); 14 | *y = 2; 15 | assert(x == 2); 16 | 17 | int a = 3; 18 | int b = 42; 19 | swap(&a, &b); 20 | assert(a == 42 && b == 3); 21 | 22 | int *x = &a, *y = &b; //local *x and *y shadows the global ones 23 | swap(x, y); 24 | assert(a == 3 && b == 42); 25 | assert(*x == a && *y == b); 26 | } 27 | 28 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-pointer/unary-struct-nested.hcc: -------------------------------------------------------------------------------- 1 | struct{ 2 | struct { 3 | int a; 4 | int b; 5 | } s; 6 | } s = {1, 2}; 7 | 8 | void main() { 9 | int *x = &s.s.a; 10 | ++(*x); 11 | assert(s.s.a == 2 && 12 | *x == s.s.a); 13 | --(*x); 14 | assert(s.s.a == 1 && 15 | *x == s.s.a); 16 | 17 | s.s.b = (*x)++; 18 | assert(s.s.a == 2 && 19 | *x == s.s.a && 20 | s.s.b == (s.s.a - 1) ); 21 | 22 | s.s.b = (*x)--; 23 | assert(s.s.a == 1 && 24 | *x == s.s.a && 25 | s.s.b == (s.s.a + 1) ); 26 | } 27 | -------------------------------------------------------------------------------- /.github/workflows/scala.yml: -------------------------------------------------------------------------------- 1 | name: Scala CI 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 8 | 9 | jobs: 10 | build: 11 | 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Set up JDK 11 17 | uses: actions/setup-java@v2 18 | with: 19 | java-version: '11' 20 | distribution: 'adopt' 21 | - name: Set up sbt 22 | uses: sbt/setup-sbt@v1 23 | - name: Build 24 | run: sbt assembly 25 | - name: Test 26 | run: cd regression-tests; export TERM=xterm; ./runalldirs 27 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/contract19.hcc: -------------------------------------------------------------------------------- 1 | // (SAFE) Nested calls 2 | 3 | /*@ 4 | assigns \nothing; 5 | ensures \result == n+1; 6 | */ 7 | int incr(int n) { 8 | return n+1; 9 | } 10 | 11 | /*@ 12 | requires \valid(p); 13 | assigns \nothing; 14 | ensures \result == *p; 15 | */ 16 | int get(int* p) { 17 | return *p; 18 | } 19 | 20 | /*@ 21 | requires \valid(p); 22 | assigns \nothing; 23 | ensures \result == ((*p) + 1); 24 | */ 25 | int getIncr(int* p) { 26 | return incr(get(p)); 27 | } 28 | 29 | void main() { 30 | int *p = malloc(sizeof(*p)); 31 | int res = getIncr(p); 32 | assert(res == *p + 1); 33 | } 34 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/incdec-2.c: -------------------------------------------------------------------------------- 1 | int a_init; 2 | 3 | /*@contract@*/ 4 | void increment(int* val) { 5 | (*val)++; 6 | } 7 | 8 | /*@contract@*/ 9 | void decrement(int* val) { 10 | (*val)--; 11 | } 12 | 13 | int *a; 14 | 15 | extern int non_det_int(); 16 | extern int* non_det_int_ptr(); 17 | 18 | void main() 19 | { 20 | //Non-det assignment of global variables 21 | a_init = non_det_int(); 22 | a = non_det_int_ptr(); 23 | 24 | assume(1); 25 | 26 | a = (int*) malloc(sizeof(*a)); 27 | 28 | *a = a_init; 29 | 30 | increment(a); 31 | decrement(a); 32 | 33 | assert((*a == a_init)); 34 | } 35 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/struct-field-access-4-false.hcc: -------------------------------------------------------------------------------- 1 | struct S3{ 2 | int a; 3 | }; 4 | struct S2{ 5 | int a; 6 | struct S3 s3; 7 | }; 8 | struct S1{ 9 | int a; 10 | struct S2 s2; 11 | }; 12 | 13 | /*@ 14 | requires s.a == 1 && s.s2.a == 3 15 | && s.s2.s3.a == 42; 16 | ensures \result.s2 == \old(s).s2; 17 | */ 18 | struct S1 foo(struct S1 s) { 19 | s.a = 0; // does not affect the postcondition 20 | s.s2.a = 42; // violates the postcondition 21 | return s; 22 | } 23 | 24 | 25 | void main() 26 | { 27 | struct S1 s1; 28 | s1.s2.s3.a = 42; 29 | s1.s2.a = 3; 30 | s1.a = 1; 31 | foo(s1); 32 | } 33 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/down_true-unreach-call.i.c: -------------------------------------------------------------------------------- 1 | extern void __VERIFIER_error(void); 2 | extern void __VERIFIER_assume(int); 3 | void __VERIFIER_assert(int cond) { 4 | if (!(cond)) { 5 | ERROR: reach_error(); 6 | } 7 | return; 8 | } 9 | int __VERIFIER_nondet_int(); 10 | int main() { 11 | int n; 12 | int k = 0; 13 | int /*@ predicates { k >= i } @*/ i = 0; 14 | n = __VERIFIER_nondet_int(); 15 | while( i < n ) { 16 | i++; 17 | k++; 18 | } 19 | int /*@ predicates { k >= j } @*/ j = n; 20 | while( j > 0 ) { 21 | __VERIFIER_assert(k > 0); 22 | j--; 23 | k--; 24 | } 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/locking.hcc: -------------------------------------------------------------------------------- 1 | // Use the option -abstract for thread-modular verification 2 | // (otherwise verification might diverge) 3 | 4 | int N = _; 5 | int lock = 0; 6 | 7 | int x = 0; 8 | 9 | thread A { 10 | int i, t; 11 | 12 | for (i = 0; i < N; ++i) { 13 | atomic { assume(!lock); lock=1; } 14 | t = x; 15 | x = t + 1; 16 | lock = 0; 17 | } 18 | 19 | assert(x >= N); 20 | } 21 | 22 | thread B { 23 | int i, t; 24 | 25 | for (i = 0; i < N; ++i) { 26 | atomic { assume(!lock); lock=2; } 27 | t = x; 28 | x = t + 1; 29 | lock = 0; 30 | } 31 | 32 | assert(x >= N); 33 | } 34 | 35 | 36 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-retvalue.hcc: -------------------------------------------------------------------------------- 1 | typedef struct { 2 | unsigned int val; 3 | } S; 4 | 5 | /*@contract@*/ 6 | int* incr(S* t) { 7 | t->val++; 8 | return &(t->val); 9 | } 10 | 11 | int main() { 12 | S s = {0}; 13 | 14 | // NOTE: 2025-03-27: This would fail due to the way stack 15 | // pointer support is implemented via rewriting to global variables. 16 | // However, TriCera interprets the return value as a heap pointer, and 17 | // recognizes the mix of heap and stackpointer and issues an 18 | // "Unsupported" message. 19 | assert(incr(&s) == &(s.val)); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/bitwise1.hcc: -------------------------------------------------------------------------------- 1 | 2 | void f1() { 3 | unsigned int x; 4 | unsigned int y = x | 255; 5 | assert(y >= 255); 6 | } 7 | 8 | void f2() { 9 | int i; 10 | for (i = 0; !(i & 4); ++i); 11 | assert(i == 4); 12 | } 13 | 14 | void f4() { 15 | unsigned int i; 16 | assert((i % 0x00010000) == (i & 0x0000FFFF)); 17 | } 18 | 19 | void f5() { 20 | unsigned int i; 21 | assert(i == (i & 0x0000FFFF) + (i & 0xFFFF0000)); 22 | } 23 | 24 | void f6() { 25 | int i; 26 | for (i = 0; i < 16; ++i) 27 | assert((i & 8) == (i / 8) * 8); 28 | } 29 | 30 | void main() { 31 | f1(); 32 | f2(); 33 | f4(); 34 | f5(); 35 | f6(); 36 | } -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-multi-arg.hcc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | typedef struct { 4 | int val; 5 | } S; 6 | 7 | extern int non_det_int(); 8 | 9 | /*@contract@*/ 10 | void mod(S* t1, S* t2) { 11 | t1->val++; 12 | t2->val--; 13 | } 14 | 15 | int main() { 16 | int init1 = non_det_int(); 17 | int init2 = non_det_int(); 18 | 19 | assume(-2147483648 <= init1 && init1 < 2147483647); 20 | assume(-2147483648 < init2 && init2 <= 2147483647); 21 | 22 | S s1 = {init1}; 23 | S s2 = {init2}; 24 | 25 | mod(&s1, &s2); 26 | 27 | assert(s1.val == init1+1 && s2.val == init2-1); 28 | 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc/literals.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | 5 | int main() { 6 | { 7 | int x = 'a'; 8 | int y = 'b'; 9 | int z = 123U; 10 | assert(x + 1 == y); 11 | assert(z > 0); 12 | } 13 | 14 | { 15 | long x = 123L; 16 | int y = 123U; 17 | int z = x + 1; 18 | assert(x == y); 19 | assert(z > 0); 20 | } 21 | 22 | { 23 | unsigned x; 24 | unsigned int y; 25 | assert(x + y + 1 > 0); 26 | } 27 | 28 | { 29 | unsigned int x = 4294967040; 30 | assert(x > 0); 31 | } 32 | 33 | { 34 | long x = 5; 35 | assert((unsigned int)x > 0); 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/multi-arg-2.c: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void mod(int* t1, int* t2, int* t3, int* t4) { 3 | (*t1)++; 4 | (*t3) *= 2; 5 | (*t2)--; 6 | (*t1)++; 7 | (*t4) = (*t1)*2; 8 | } 9 | 10 | int main() { 11 | int* s1 = (int*) malloc(sizeof(int)); 12 | int* s2 = (int*) malloc(sizeof(int)); 13 | int* s3 = (int*) malloc(sizeof(int)); 14 | int* s4 = (int*) malloc(sizeof(int)); 15 | 16 | *s1 = 1; 17 | *s2 = 2; 18 | *s3 = 3; 19 | 20 | mod(s1, s2, s3, s4); 21 | assert(*s1 == 1+1+1); 22 | assert(*s2 == 2-1); 23 | assert(*s3 == 3*2); 24 | assert(*s4 == 6); 25 | 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/list-002.c: -------------------------------------------------------------------------------- 1 | typedef enum {false, true} _Bool; 2 | 3 | _Bool nondet_bool(void); 4 | 5 | struct node 6 | { 7 | struct node *L; 8 | struct node *R; 9 | }; 10 | 11 | void main() 12 | { 13 | _Bool listNotEmpty = false; 14 | struct node* list=malloc(sizeof(struct node)); 15 | list->L=0; 16 | list->R=0; 17 | 18 | struct node *tail=list; 19 | 20 | while(nondet_bool()) 21 | { 22 | struct node *n=malloc(sizeof(struct node)); 23 | if(n==0) 24 | break; 25 | n->L=tail; 26 | n->R=0; 27 | tail->R=n; 28 | tail=n; 29 | 30 | listNotEmpty = true; 31 | } 32 | 33 | if(listNotEmpty) 34 | assert(list != tail); 35 | } 36 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/struct-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | int driver_distance; 5 | 6 | typedef struct Human { 7 | int distance_driven; 8 | } *HumanPtr; 9 | 10 | /*@contract@*/ 11 | void tick(struct Human* h) { 12 | h->distance_driven++; 13 | } 14 | 15 | extern int non_det_int(); 16 | 17 | void main() 18 | { 19 | //Non-det assignment of global variables 20 | driver_distance = non_det_int(); 21 | 22 | assume(1); 23 | 24 | HumanPtr driver = (HumanPtr) malloc(sizeof(*driver)); 25 | driver->distance_driven = 0; 26 | 27 | tick(driver); 28 | 29 | driver_distance = driver->distance_driven; 30 | 31 | assert((driver_distance == 1)); 32 | } 33 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/get-1.c: -------------------------------------------------------------------------------- 1 | 2 | int r1; 3 | int n_init; 4 | 5 | /*@contract@*/ 6 | int get(int* p) { 7 | if (*p <= 0) { 8 | return 0; 9 | } else { 10 | *p = *p - 1; 11 | return 1 + get(p); 12 | } 13 | } 14 | 15 | int* n; 16 | 17 | extern int non_det_int(); 18 | extern int* non_det_int_ptr(); 19 | 20 | void main() 21 | { 22 | //Non-det assignment of global variables 23 | r1 = non_det_int(); 24 | n_init = non_det_int(); 25 | n = non_det_int_ptr(); 26 | 27 | assume((n_init > 0)); 28 | 29 | n = (int*) malloc(sizeof(*n)); 30 | *n = n_init; 31 | r1 = get(n); 32 | 33 | assert(((r1 >= n_init) && (r1 <= n_init))); 34 | } 35 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/list-001-fail.c: -------------------------------------------------------------------------------- 1 | struct node 2 | { 3 | int x; 4 | //struct node *L; 5 | //struct node *R; 6 | }; 7 | 8 | void main() 9 | { 10 | /* initialize the doubly linked list with a single node */ 11 | struct node* list=calloc(sizeof(struct node)); 12 | int y = list->x; 13 | assert (y != 0); 14 | //list->L=0; 15 | //list->R=0; 16 | //struct node *tail=list; 17 | 18 | /* initialize a node and add to the tail of the list */ 19 | /*struct node *n=calloc(sizeof(struct node)); 20 | n->L=tail; 21 | n->R=0; 22 | 23 | tail->R=n;*/ 24 | /* tail=n; */ 25 | 26 | /* the tail was not updated, the assertion should fail*/ 27 | //assert(list != tail); 28 | } 29 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/mutually-referential-structs.c: -------------------------------------------------------------------------------- 1 | struct parent; 2 | struct child; 3 | 4 | struct child { 5 | struct parent *p; 6 | int data; 7 | }; 8 | 9 | struct parent { 10 | struct child *child1, *child2; 11 | }; 12 | 13 | void main() 14 | { 15 | struct parent* list = calloc(sizeof(struct parent)); 16 | list->child1 = calloc(sizeof(struct child)); 17 | list->child1->p = list; 18 | list->child2 = calloc(sizeof(struct child)); 19 | list->child2->p = list; 20 | 21 | struct parent *cp1 = list->child1->p; 22 | struct parent *cp2 = list->child2->p; 23 | assert(cp1 == list || cp1 == 0); 24 | //assert(cp1 == cp2); //should work after adding flow sensitivity 25 | } 26 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/convert.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env scala 2 | 3 | import scala.io.Source 4 | 5 | val filename = args(0) 6 | for (line <- Source.fromFile(filename).getLines) { 7 | if (line.replaceAll("\\s","").startsWith(";")) 8 | println(line) 9 | else 10 | println(line.replaceAll("Int","(_ BitVec 32)") 11 | .replaceAll("\\*","bvmul") 12 | .replaceAll("\\+","bvadd") 13 | .replaceAll("(?=","bvsge") 17 | .replaceAll("<","bvslt") 18 | .replaceAll("(?","bvsgt") 19 | .replaceAll("(?L=0; 16 | list->R=0; 17 | struct node *tail=list; 18 | 19 | /* conditionally initialize a node and add to the tail of the list */ 20 | if(nondet_bool()){ 21 | struct node *n=malloc(sizeof(struct node)); 22 | n->L=tail; 23 | n->R=0; 24 | tail->R=n; 25 | tail=n; 26 | } 27 | 28 | /* this assertion should fail, maybe no nodes were added */ 29 | assert(list != tail); 30 | } 31 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/incdec-1.c: -------------------------------------------------------------------------------- 1 | int a_init; 2 | int b_init; 3 | 4 | /*@contract@*/ 5 | void increment(int* val) { 6 | (*val)++; 7 | } 8 | 9 | /*@contract@*/ 10 | void decrement(int* val) { 11 | (*val)--; 12 | } 13 | 14 | int *a; 15 | int *b; 16 | 17 | extern int non_det_int(); 18 | extern int* non_det_int_ptr(); 19 | 20 | void main() 21 | { 22 | //Non-det assignment of global variables 23 | a_init = non_det_int(); 24 | b_init = non_det_int(); 25 | a = non_det_int_ptr(); 26 | b = non_det_int_ptr(); 27 | 28 | assume(1); 29 | 30 | a = (int*) malloc(sizeof(*a)); 31 | b = (int*) malloc(sizeof(*b)); 32 | 33 | *a = a_init; 34 | *b = b_init; 35 | 36 | increment(a); 37 | decrement(b); 38 | 39 | assert(((*a == (a_init + 1)) && (*b == (b_init - 1)))); 40 | } 41 | -------------------------------------------------------------------------------- /regression-tests/rundir: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | DIR="$1" 6 | shift 7 | 8 | ANSWER_SUFFIX="$1" 9 | shift 10 | 11 | [ -d "$DIR" ] || exit 1 12 | 13 | echo -n "$DIR ($@) ... " 14 | 15 | export TIMEFORMAT="%U" 16 | TIME=`time ( cd $DIR; ./runtests "$@" >Output"$ANSWER_SUFFIX" 2>&1; ) 2>&1` 17 | 18 | res=0 19 | 20 | if cmp -s "$DIR"/Answers"$ANSWER_SUFFIX" "$DIR"/Output"$ANSWER_SUFFIX"; then 21 | tput setaf 2 22 | echo -ne "\tSucceeded" 23 | tput sgr0 24 | else 25 | tput setaf 1 26 | echo -e "\tFAILED" 27 | tput sgr0 28 | echo 29 | diff "$DIR"/Answers"$ANSWER_SUFFIX" "$DIR"/Output"$ANSWER_SUFFIX" || true 30 | echo 31 | cp "$DIR"/Output"$ANSWER_SUFFIX" "$DIR"/Output"$ANSWER_SUFFIX"-"`date`" 32 | res=1 33 | fi 34 | 35 | echo -n " ($TIME" 36 | echo "s)" 37 | 38 | exit $res 39 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-enum/enum5.hcc: -------------------------------------------------------------------------------- 1 | typedef enum { 2 | x=0, 3 | y=1, 4 | z=0x8C 5 | }b_Ans; 6 | 7 | // int x[10]; 8 | 9 | typedef struct { 10 | int x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; 11 | } int_ar_10; 12 | 13 | /* 14 | typedef union { 15 | int x; unsigned int y; 16 | } U; 17 | 18 | typedef struct { 19 | int x; unsigned int y; 20 | } U2; 21 | */ 22 | 23 | 24 | struct { 25 | // int32 _db_32[N]; 26 | struct { 27 | int32 _SIGNAL_WHEEL; 28 | int32 _XYZ; 29 | ... 30 | }_db_32; 31 | int16 _db_16[M]; 32 | } db; 33 | 34 | 35 | int read(E index) { 36 | switch(index) { 37 | case SIGNAL_WHEEL: return db._db_32._SIGNAL_WHEEL; 38 | case XYZ: return db._db_32._XYZ; 39 | ... 40 | } 41 | } 42 | 43 | 44 | int main() { 45 | 46 | db._db_32._SIGNAL_WHEEL = ...; 47 | 48 | assert(z == 0x8c); 49 | } -------------------------------------------------------------------------------- /regression-tests/horn-hcc-heap/mutually-referential-structs-fail.c: -------------------------------------------------------------------------------- 1 | struct parent; 2 | struct child; 3 | 4 | struct child { 5 | struct parent *p; 6 | int data; 7 | }; 8 | 9 | struct parent { 10 | struct child *child1, *child2; 11 | }; 12 | 13 | void main() 14 | { 15 | struct parent* list = calloc(sizeof(struct parent)); 16 | list->child1 = calloc(sizeof(struct child)); 17 | list->child1->p = list; 18 | list->child2 = calloc(sizeof(struct child)); 19 | list->child2->p = list; 20 | 21 | struct parent *cp1 = list->child1->p; //commenting out this line 22 | //removes the assertion error 23 | struct parent *cp2 = list->child2->p; 24 | assert(list->child1->p == list); //should succeed after refinements 25 | // assert(cp1 == cp2); //should succeed after adding flow-sensitivity 26 | } 27 | -------------------------------------------------------------------------------- /regression-tests/interpreted-predicates/Answers: -------------------------------------------------------------------------------- 1 | 2 | simple-invariant-false.c 3 | 4 | ------------ 5 | Init: 6 | main9_3(3) 7 | ------------ 8 | | 9 | | 10 | V 11 | main(3) 12 | ------------ 13 | Final: 14 | main(3) 15 | ------------ 16 | Failed assertion: 17 | false :- main(x:8), x:8 != 42. (line:10 col:3) (property: user-assertion) 18 | 19 | UNSAFE 20 | 21 | simple-invariant-true.c 22 | SAFE 23 | 24 | simple-invariant-false.c 25 | 26 | ------------ 27 | Init: 28 | main9_3(3) 29 | ------------ 30 | | 31 | | 32 | V 33 | main(3) 34 | ------------ 35 | Final: 36 | main(3) 37 | ------------ 38 | Failed assertion: 39 | false :- main(x:8), x:8 != 42. (line:10 col:3) (property: user-assertion) 40 | 41 | UNSAFE 42 | 43 | simple-loop-invariant-true.c 44 | SAFE 45 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/max-1.c: -------------------------------------------------------------------------------- 1 | int r; 2 | 3 | /*@contract@*/ 4 | int findMax(int* x, int* y) { 5 | if(*x >= *y) 6 | return *x; 7 | else 8 | return *y; 9 | } 10 | 11 | int* a; 12 | int* b; 13 | int a_init; 14 | int b_init; 15 | 16 | extern int non_det_int(); 17 | extern int* non_det_int_ptr(); 18 | 19 | void main() 20 | { 21 | //Non-det assignment of global variables 22 | r = non_det_int(); 23 | a = non_det_int_ptr(); 24 | b = non_det_int_ptr(); 25 | a_init = non_det_int(); 26 | b_init = non_det_int(); 27 | 28 | assume(1); 29 | 30 | a = (int*) malloc(sizeof(*a)); 31 | b = (int*) malloc(sizeof(*b)); 32 | 33 | *a = a_init; 34 | *b = b_init; 35 | 36 | r = findMax(a, b); 37 | 38 | assert(!((a_init >= b_init) && !(r == a_init))); 39 | assert(!((b_init > a_init) && !(r == b_init))); 40 | } 41 | -------------------------------------------------------------------------------- /src/main/scala/tricera/Literals.scala: -------------------------------------------------------------------------------- 1 | package tricera 2 | 3 | /** 4 | * This object is intended to collect literal constants 5 | * that are needed in more than one place throughout 6 | * the application. The number of these should be kept 7 | * at a minimum. 8 | */ 9 | object Literals { 10 | // Used for signaling the context of a predicate variable value. 11 | val preExecSuffix = "_old" 12 | val postExecSuffix = "_post" 13 | val resultExecSuffix = "_res" 14 | val invPrefix = "inv_" 15 | 16 | // Used for context of predicates 17 | val predPostSuffix = "_post" 18 | val predPreSuffix = "_pre" 19 | 20 | // Used for indicating that an annotation is ACSL related 21 | val annotationMarker = "■■" // ascii 254 times 2 22 | 23 | val atExpressionName = "$at" 24 | 25 | val anonStructName = ".AS" 26 | val anonEnumName = ".ES" 27 | } 28 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/max-2.c: -------------------------------------------------------------------------------- 1 | int* r; 2 | 3 | /*@contract@*/ 4 | void findMax(int* x, int* y, int* max) { 5 | if(*x >= *y) 6 | *max = *x; 7 | else 8 | *max = *y; 9 | } 10 | 11 | int* a; 12 | int* b; 13 | int a_init; 14 | int b_init; 15 | 16 | extern int non_det_int(); 17 | extern int* non_det_int_ptr(); 18 | 19 | void main() 20 | { 21 | //Non-det assignment of global variables 22 | r = non_det_int_ptr(); 23 | a = non_det_int_ptr(); 24 | b = non_det_int_ptr(); 25 | a_init = non_det_int(); 26 | b_init = non_det_int(); 27 | 28 | assume(1); 29 | 30 | a = (int*) malloc(sizeof(*a)); 31 | b = (int*) malloc(sizeof(*b)); 32 | r = (int*) malloc(sizeof(*r)); 33 | 34 | *a = a_init; 35 | *b = b_init; 36 | 37 | findMax(a, b, r); 38 | 39 | assert(!((a_init >= b_init) && !(*r == a_init))); 40 | assert(!((b_init > a_init) && !(*r == b_init))); 41 | } 42 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/truck-1.c: -------------------------------------------------------------------------------- 1 | 2 | int driver_distance; 3 | int r_cab_position; 4 | 5 | typedef struct Human { 6 | int distance_driven; 7 | } Human; 8 | 9 | typedef struct Truck { 10 | int x; 11 | struct Human driver; 12 | } *TruckPtr; 13 | 14 | /*@contract@*/ 15 | void tick(TruckPtr t) { 16 | t->x++; 17 | t->driver.distance_driven++; 18 | } 19 | 20 | extern int non_det_int(); 21 | 22 | void main() 23 | { 24 | //Non-det assignment of global variables 25 | driver_distance = non_det_int(); 26 | r_cab_position = non_det_int(); 27 | 28 | assume(1); 29 | 30 | TruckPtr r_cab = malloc(sizeof(*r_cab)); 31 | r_cab->x = 0; 32 | r_cab->driver.distance_driven = 0; 33 | tick(r_cab); 34 | tick(r_cab); 35 | 36 | driver_distance = r_cab->driver.distance_driven; 37 | r_cab_position = r_cab->x; 38 | 39 | assert((driver_distance == 2)); 40 | assert((r_cab_position == 2)); 41 | } 42 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/Answers: -------------------------------------------------------------------------------- 1 | 2 | anon.hcc 3 | Warning: entry function "main" not found 4 | SAFE 5 | 6 | assign.hcc 7 | SAFE 8 | 9 | assign2.hcc 10 | SAFE 11 | 12 | assign-exp-eval-order.hcc 13 | SAFE 14 | 15 | assign-illegal.hcc 16 | tricera.concurrency.ccreader.CCExceptions$TranslationException: Cannot assign struct S1: ((S1::x/1p,int)) to struct S2: ((S2::x/1p,int))! 17 | (error "Cannot assign struct S1: ((S1::x/1p,int)) to struct S2: ((S2::x/1p,int))!") 18 | Other Error: Cannot assign struct S1: ((S1::x/1p,int)) to struct S2: ((S2::x/1p,int))! 19 | 20 | init.hcc 21 | Warning: entry function "main" not found 22 | SAFE 23 | 24 | loop.hcc 25 | SAFE 26 | 27 | nested.hcc 28 | Warning: entry function "main" not found 29 | SAFE 30 | 31 | typedef.hcc 32 | Warning: entry function "main" not found 33 | SAFE 34 | 35 | emptyStruct.hcc 36 | Warning: Struct a was declared, but never defined, or it has no fields. 37 | SAFE 38 | 39 | race.hcc 40 | UNSAFE 41 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/stackptr-recursion.hcc: -------------------------------------------------------------------------------- 1 | /* 2 | NOTE: 2025-03-27: Stackpointers does currently not work 3 | together with recursion. In a situation as the following 4 | the parameter gets replaced by a global variable, and the 5 | function is replaced by two other functions, a wrapper, 6 | and a transformed function that manipulates the global 7 | variable in a similar way to what the original function 8 | would do to the value pointed to by the variable. Any 9 | recursive call in the transformed function will call the 10 | wrapper but use the adress of the global variable as the 11 | argument. All in all, this will mess up the value of the 12 | global variable. 13 | */ 14 | 15 | /*@contract@*/ 16 | void incr(int* t) { 17 | if (*t < 5) { 18 | *t += 1; 19 | incr(t); 20 | } 21 | } 22 | 23 | int main() { 24 | int s = 0; 25 | incr(&s); 26 | assert(s == 5); 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/multadd-1.c: -------------------------------------------------------------------------------- 1 | /*@contract@*/ 2 | void multiplyByTwo(int* num) { 3 | *num = *num * 2; 4 | } 5 | 6 | /*@contract@*/ 7 | void addTwoNumbers(int* a, int* b, int* result) { 8 | *result = *a + *b; 9 | } 10 | 11 | int* a; 12 | int* b; 13 | int* result; 14 | int a_init; 15 | int b_init; 16 | 17 | extern int non_det_int(); 18 | extern int* non_det_int_ptr(); 19 | 20 | void main() 21 | { 22 | //Non-det assignment of global variables 23 | a = non_det_int_ptr(); 24 | b = non_det_int_ptr(); 25 | result = non_det_int_ptr(); 26 | a_init = non_det_int(); 27 | b_init = non_det_int(); 28 | 29 | assume(1); 30 | 31 | a = (int*) malloc(sizeof(*a)); 32 | b = (int*) malloc(sizeof(*b)); 33 | result = (int*) malloc(sizeof(*result)); 34 | 35 | *a = a_init; 36 | *b = b_init; 37 | 38 | multiplyByTwo(a); 39 | addTwoNumbers(a, b, result); 40 | 41 | assert((*a == (a_init * 2))); 42 | assert((*result == (*a + b_init))); 43 | } 44 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-struct/init.hcc: -------------------------------------------------------------------------------- 1 | struct S{ 2 | unsigned char flag; 3 | int x; 4 | struct{ 5 | int y; 6 | int z; 7 | }s; 8 | int y; 9 | struct{ 10 | struct{ 11 | int y; 12 | int z; 13 | }s3; 14 | int x; 15 | }s2; 16 | int z; 17 | }S; 18 | 19 | thread A { 20 | struct S a = { 1, 2, {3, 4}, 5, {{6, 7}, 8}, 9}; 21 | assert(a.flag == 1); 22 | assert(a.x == 2); 23 | assert (a.s.y == 3); 24 | assert (a.s.z == 4); 25 | assert (a.y == 5); 26 | assert (a.s2.s3.y == 6); 27 | assert (a.s2.s3.z == 7); 28 | assert (a.s2.x == 8); 29 | assert (a.z == 9); 30 | struct S b = { 1, 2, 3, }; 31 | assert(b.flag == 1); 32 | assert(b.x == 2); 33 | assert (b.s.y == 3); 34 | assert (b.s.z == 0); 35 | assert (b.y == 0); 36 | assert (b.s2.x == 0); 37 | assert (b.s2.s3.y == 0); 38 | assert (b.s2.s3.z == 0); 39 | assert (b.z == 0); 40 | } 41 | -------------------------------------------------------------------------------- /src/main/scala/tricera/concurrency/ccreader/CCPredicate.scala: -------------------------------------------------------------------------------- 1 | package tricera.concurrency.ccreader 2 | 3 | import ap.parser.IExpression._ 4 | import ap.parser.{IAtom, ITerm} 5 | import tricera.Util.SourceInfo 6 | 7 | // a wrapper for IExpression.Predicate that keeps more info about arguments 8 | case class CCPredicate(pred : Predicate, argVars : scala.Seq[CCVar], 9 | srcInfo : Option[SourceInfo]) { 10 | 11 | 12 | def apply(terms : scala.Seq[ITerm]) : IAtom = 13 | pred(terms: _*) 14 | def apply[X: scala.reflect.ClassTag](ccVars : scala.Seq[CCVar]) : IAtom = 15 | pred(ccVars.map(_.term): _*) 16 | def arity : Int = pred.arity 17 | override def toString: String = 18 | pred.name + (if(argVars.nonEmpty) "(" + argVars.mkString(", ") + ")" else "") 19 | def toStringWithLineNumbers: String = 20 | pred.name + (if(argVars.nonEmpty) "(" + 21 | argVars.map(_.toStringWithLineNumbers).mkString(", ") + ")" else "") 22 | assert(pred.arity == argVars.size) 23 | } 24 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/get-2.c: -------------------------------------------------------------------------------- 1 | // TODO: This test currently results in 2 | // 3 | // java.lang.Exception: Predicate generation failed 4 | // (error "Predicate generation failed") 5 | // Other Error: Predicate generation failed 6 | // 7 | // 8 | int r1; 9 | int n_init; 10 | 11 | 12 | int get(int* p) { 13 | if (*p <= 0) { 14 | return 0; 15 | } else { 16 | *p = *p - 1; 17 | return 1 + get(p); 18 | } 19 | } 20 | 21 | int* n; 22 | 23 | extern int non_det_int(); 24 | extern int* non_det_int_ptr(); 25 | 26 | void main() 27 | { 28 | //Non-det assignment of global variables 29 | r1 = non_det_int(); 30 | n_init = non_det_int(); 31 | n = non_det_int_ptr(); 32 | 33 | assume((n_init > 0)); 34 | 35 | n = (int*) malloc(sizeof(*n)); 36 | // Commenting out the following line makes the test pass, 37 | // but leads to undefined behavior. 38 | *n = n_init; 39 | r1 = get(n); 40 | 41 | assert(((r1 >= n_init) && (r1 <= (n_init * n_init)))); 42 | } 43 | -------------------------------------------------------------------------------- /regression-tests/horn-contracts/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="contract1.hcc \ 6 | contract2.hcc \ 7 | contract2b.hcc \ 8 | contract3.hcc \ 9 | takeuchi.hcc \ 10 | assert.hcc \ 11 | fib.hcc \ 12 | stackptr.hcc \ 13 | struct-name-bug.hcc \ 14 | stackptr-func-dec.hcc \ 15 | stackptr-multi-arg.hcc \ 16 | stackptr-nested-calls.hcc \ 17 | stackptr-recursion.hcc \ 18 | stackptr-retvalue.hcc \ 19 | stackptr-struct.hcc" 20 | 21 | for name in $TESTS; do 22 | echo 23 | echo $name 24 | $LAZABS -cex -acsl "$@" $name 2>&1 | grep -v 'at ' 25 | done 26 | 27 | TESTS="stackptr-custom-entry.hcc" 28 | 29 | for name in $TESTS; do 30 | echo 31 | echo $name 32 | $LAZABS -cex -acsl -m:entryPoint "$@" $name 2>&1 | grep -v 'at ' 33 | done 34 | 35 | ILP32TESTS="stackptr-ilp32.hcc" 36 | for name in $ILP32TESTS; do 37 | echo 38 | echo $name 39 | $LAZABS -cex -acsl -arithMode:ilp32 "$@" $name 2>&1 | grep -v 'at ' 40 | done 41 | -------------------------------------------------------------------------------- /regression-tests/horn-bv/MonadicInv.hcc: -------------------------------------------------------------------------------- 1 | /* Nontrivial program whose correctness can be shown using a monadic loop 2 | * invariant. 3 | * E.g., the following loop invariant is sufficient. 4 | * 0 <= offset <= 4 * 10000 /\ offset % 4 == 0 /\ length = 4 * 10000 5 | * Note that the second conjunct (divisibility) is indispensable. 6 | * 7 | * Simplified version of verification problem that occurs regularly if we use 8 | * Ultimate to very C programs. 9 | * - The variable offset is the "offset" of some int pointer. 10 | * - The while loop moves a pointer along some memory area. 11 | * - The assert checks if we are still in some allocated area. 12 | * - An int takes four byte, hence the pointer is incremented by four. 13 | * 14 | * Author: heizmann@informatik.uni-freiburg.de 15 | * Date: 2015-09-03 16 | */ 17 | 18 | void main () { 19 | int /*@ terms_tpl { offset % 4 } @*/ offset; 20 | int length; 21 | offset = 0; 22 | length = 4 * 10000; 23 | while (offset < length) { 24 | assert (4 + offset <= length); 25 | offset = offset + 4; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /regression-tests/properties/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="valid-free-10-true.c valid-free-3-true.c valid-free-7-false.c \ 6 | valid-free-11-true.c valid-free-4-false.c valid-free-8-false.c \ 7 | valid-free-1-true.c valid-free-5-false.c valid-free-9-false.c \ 8 | valid-free-2-false.c valid-free-6-true.c \ 9 | valid-deref-arraybounds-1-false.c valid-deref-arraybounds-3-true.c \ 10 | valid-deref-arraybounds-2-false.c valid-deref-nullptr-false.c \ 11 | valid-deref-arraybounds-3-false.c valid-deref-uninit-false.c \ 12 | valid-deref-arraybounds-4-false.c \ 13 | valid-memcleanup-1-false.c valid-memcleanup-array-false.c \ 14 | valid-memcleanup-1-true.c valid-memcleanup-array-true.c \ 15 | valid-memtrack-array-true.c valid-memcleanup-2-false.c \ 16 | valid-memcleanup-3-false.c valid-memcleanup-3-true.c \ 17 | valid-free-12-false.c valid-memcleanup-4-false.c" 18 | 19 | for name in $TESTS; do 20 | echo 21 | echo $name 22 | $LAZABS -abstract:off "$@" $name 2>&1 | grep -v 'at ' 23 | done 24 | -------------------------------------------------------------------------------- /regression-tests/horn-hcc-2/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="atomic3e.hcc atomic3f.hcc \ 6 | clocks1.hcc clocks2.hcc clocks3.hcc clocks4.hcc clocks5.hcc \ 7 | fischer.hcc lazy-and-or-bug.hcc \ 8 | channels.hcc channels-2.hcc channels-2b.hcc channels-3.hcc \ 9 | duration1.hcc duration2.hcc \ 10 | duration3.hcc duration3b.hcc duration3c.hcc duration3d.hcc \ 11 | nonlinear1.hcc nonlinear2.hcc typedef1.hcc switch1.hcc switch2.hcc" 12 | 13 | for name in $TESTS; do 14 | echo 15 | echo $name 16 | $LAZABS -cex -abstract:off "$@" $name 2>&1 | grep -v 'at ' 17 | done 18 | 19 | TESTS="hints.hcc hints2.hcc hints3.hcc" 20 | 21 | for opt in -abstract -abstract:manual; do 22 | for name in $TESTS; do 23 | echo 24 | echo $name 25 | $LAZABS -cex $opt "$@" $name 26 | done 27 | done 28 | 29 | TESTS="interval-propagator-bug.hcc" 30 | 31 | for name in $TESTS; do 32 | echo 33 | echo $name 34 | $LAZABS -cex -abstract "$@" $name 35 | done 36 | 37 | echo 38 | echo hints4.hcc 39 | $LAZABS -log:1 -abstract:off "$@" hints4.hcc 2>&1 | grep 'SAFE\|CEGAR iterations' 40 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/runtests: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | LAZABS=../../tri 4 | 5 | TESTS="contract1.hcc \ 6 | contract2.hcc \ 7 | contract3.hcc \ 8 | contract4.hcc \ 9 | contract5.hcc \ 10 | contract6.hcc \ 11 | contract7.hcc \ 12 | contract8.hcc \ 13 | contract9.hcc \ 14 | contract10.hcc \ 15 | contract11.hcc \ 16 | contract12.hcc \ 17 | contract13.hcc \ 18 | contract14.hcc \ 19 | contract15.hcc \ 20 | contract16.hcc \ 21 | contract17.hcc \ 22 | contract18.hcc \ 23 | contract19.hcc \ 24 | contract20.hcc \ 25 | contract21.hcc \ 26 | contract22.hcc \ 27 | contract23.hcc \ 28 | contract24.hcc \ 29 | contract25.hcc \ 30 | contract26.hcc \ 31 | contract27.hcc \ 32 | struct-field-access-1-true.hcc \ 33 | struct-field-access-2-false.hcc \ 34 | struct-field-access-3-true.hcc \ 35 | struct-field-access-4-false.hcc" 36 | 37 | for name in $TESTS; do 38 | echo 39 | echo $name 40 | $LAZABS "$@" $name 2>&1 | grep -v 'at ' 41 | done 42 | 43 | -------------------------------------------------------------------------------- /regression-tests/uninterpreted-predicates/Answers: -------------------------------------------------------------------------------- 1 | 2 | pred-hint.c 3 | Warning: no definition of function "nondet" available 4 | SAFE 5 | 6 | pred-hint-loop.c 7 | Warning: no definition of function "nondet" available 8 | SAFE 9 | 10 | unint-pred-simple-false.c 11 | 12 | ------------ 13 | Init: 14 | main4_3 15 | ------------ 16 | | 17 | | 18 | V 19 | main_1(42) 20 | ------------ 21 | Final: 22 | main_1(42) 23 | ------------ 24 | Failed assertion: 25 | false :- main_1(x:5), x:5 != 43. (line:7 col:3) (property: user-assertion) 26 | 27 | UNSAFE 28 | 29 | unint-pred-simple-true.c 30 | SAFE 31 | 32 | unint-pred-stack-ptr-unsupported.c 33 | tricera.concurrency.ccreader.CCExceptions$TranslationException: 5:3 Unsupported operation: stack pointer argument to uninterpreted predicate. 34 | (error "5:3 Unsupported operation: stack pointer argument to uninterpreted predicate.") 35 | Other Error: 5:3 Unsupported operation: stack pointer argument to uninterpreted predicate. 36 | 37 | unint-pred-simple-ptr-true.c 38 | SAFE 39 | 40 | unint-pred-unnamed-ptr-arg-bug.c 41 | Warning: no definition of function "nondet_ptr" available 42 | SAFE 43 | -------------------------------------------------------------------------------- /regression-tests/acsl-contracts/Answers: -------------------------------------------------------------------------------- 1 | 2 | contract1.hcc 3 | SAFE 4 | 5 | contract2.hcc 6 | SAFE 7 | 8 | contract3.hcc 9 | UNSAFE 10 | 11 | contract4.hcc 12 | UNSAFE 13 | 14 | contract5.hcc 15 | SAFE 16 | 17 | contract6.hcc 18 | SAFE 19 | 20 | contract7.hcc 21 | SAFE 22 | 23 | contract8.hcc 24 | UNSAFE 25 | 26 | contract9.hcc 27 | SAFE 28 | 29 | contract10.hcc 30 | SAFE 31 | 32 | contract11.hcc 33 | SAFE 34 | 35 | contract12.hcc 36 | SAFE 37 | 38 | contract13.hcc 39 | UNSAFE 40 | 41 | contract14.hcc 42 | SAFE 43 | 44 | contract15.hcc 45 | SAFE 46 | 47 | contract16.hcc 48 | SAFE 49 | 50 | contract17.hcc 51 | UNSAFE 52 | 53 | contract18.hcc 54 | UNSAFE 55 | 56 | contract19.hcc 57 | SAFE 58 | 59 | contract20.hcc 60 | UNSAFE 61 | 62 | contract21.hcc 63 | SAFE 64 | 65 | contract22.hcc 66 | UNSAFE 67 | 68 | contract23.hcc 69 | UNSAFE 70 | 71 | contract24.hcc 72 | UNSAFE 73 | 74 | contract25.hcc 75 | SAFE 76 | 77 | contract26.hcc 78 | SAFE 79 | 80 | contract27.hcc 81 | SAFE 82 | 83 | struct-field-access-1-true.hcc 84 | SAFE 85 | 86 | struct-field-access-2-false.hcc 87 | UNSAFE 88 | 89 | struct-field-access-3-true.hcc 90 | SAFE 91 | 92 | struct-field-access-4-false.hcc 93 | UNSAFE 94 | -------------------------------------------------------------------------------- /regression-tests/math-arrays/Answers: -------------------------------------------------------------------------------- 1 | 2 | simple-math-array-1.hcc 3 | 4 | Solution (Prolog) 5 | ================================================================================ 6 | main10_7_3(a:4, n:5, i:6) :- n:5 = 3 & 2 >= i:6 & i:6 >= 0 & ((i:6 = 2 & select(a:4, 2) = 2) | (i:6 >= 1 & select(a:4, 1 + i:6) - i:6 = 1 & select(a:4, i:6) = i:6) | (select(a:4, 2 + i:6) - i:6 = 2 & select(a:4, 1 + i:6) - i:6 = 1 & select(a:4, i:6) = i:6)). 7 | main7_3(a:4, n:5, i:6) :- i:6 = 0 & n:5 = 3. 8 | main7_7(a:4, n:5, i:6) :- n:5 = 3 & 3 >= i:6 & i:6 >= 0 & (0 >= i:6 | (i:6 = 1 & select(a:4, 0) = 0) | (select(a:4, 1) = 1 & select(a:4, 0) = 0 & (i:6 != 3 | select(a:4, 2) = 2))). 9 | ================================================================================ 10 | 11 | SAFE 12 | 13 | struct-array.hcc 14 | 15 | Solution (Prolog) 16 | ================================================================================ 17 | main10_5(arr:7, old_arr:8). 18 | main_2(arr:7, old_arr:8) :- A::a(select(old_arr:8, 2)) >= 10 & store(old_arr:8, 2, A(2*A::a(select(old_arr:8, 2)))) = arr:7. 19 | main_3(arr:7, old_arr:8) :- A::a(select(old_arr:8, 2)) >= 10 & store(old_arr:8, 2, A(2*A::a(select(old_arr:8, 2)))) = arr:7. 20 | ================================================================================ 21 | 22 | SAFE 23 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/multadd-3.c: -------------------------------------------------------------------------------- 1 | 2 | /*@contract@*/ 3 | void addNumbers(int* x, int* y, int* result) { 4 | *result = *x + *y; 5 | } 6 | 7 | /*@contract@*/ 8 | void multiplyNumbers(int* x, int* y, int* result) { 9 | *result = *x * *y; 10 | } 11 | 12 | int* a; 13 | int* b; 14 | int* c; 15 | int* result1; 16 | int* result2; 17 | int a_init; 18 | int b_init; 19 | int c_init; 20 | 21 | extern int non_det_int(); 22 | extern int* non_det_int_ptr(); 23 | 24 | void main() 25 | { 26 | //Non-det assignment of global variables 27 | a = non_det_int_ptr(); 28 | b = non_det_int_ptr(); 29 | c = non_det_int_ptr(); 30 | result1 = non_det_int_ptr(); 31 | result2 = non_det_int_ptr(); 32 | a_init = non_det_int(); 33 | b_init = non_det_int(); 34 | c_init = non_det_int(); 35 | 36 | a = (int*) malloc(sizeof(*a)); 37 | b = (int*) malloc(sizeof(*b)); 38 | result1 = (int*) malloc(sizeof(*result1)); 39 | c = result1; 40 | result2 = (int*) malloc(sizeof(*result2)); 41 | *a = a_init; 42 | *b = b_init; 43 | 44 | addNumbers(a, b, result1); 45 | multiplyNumbers(a, b, result2); 46 | addNumbers(b, c, c); 47 | 48 | assert((*result1 == ((a_init + b_init) + b_init))); 49 | assert((*result2 == (a_init * b_init))); 50 | assert((*c == *result1)); 51 | } 52 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/truck-2.c: -------------------------------------------------------------------------------- 1 | 2 | int driver1_distance; 3 | int driver2_distance; 4 | int r_cab_position; 5 | 6 | typedef struct Human { 7 | int distance_driven; 8 | } *HumanPtr; 9 | 10 | typedef struct Truck { 11 | int x; 12 | struct Human* driver; 13 | } *TruckPtr; 14 | 15 | //No inferred contract found for tick 16 | void tick(TruckPtr t) { 17 | t->x++; 18 | t->driver->distance_driven++; 19 | } 20 | 21 | /*@ 22 | requires \true; 23 | ensures driver1_distance == 2 && driver2_distance == 3; 24 | ensures r_cab_position == driver1_distance + driver2_distance; 25 | assigns driver1_distance, driver2_distance, r_cab_position; 26 | */ 27 | int main(void) { 28 | TruckPtr r_cab = malloc(sizeof(*r_cab)); 29 | HumanPtr driver1 = malloc(sizeof(*driver1)); 30 | HumanPtr driver2 = malloc(sizeof(*driver2)); 31 | r_cab->x = 0; 32 | driver1->distance_driven = 0; 33 | driver2->distance_driven = 0; 34 | 35 | r_cab->driver = driver1; 36 | tick(r_cab); 37 | tick(r_cab); 38 | 39 | r_cab->driver = driver2; 40 | tick(r_cab); 41 | tick(r_cab); 42 | tick(r_cab); 43 | 44 | driver1_distance = driver1->distance_driven; 45 | driver2_distance = driver2->distance_driven; 46 | r_cab_position = r_cab->x; 47 | } 48 | -------------------------------------------------------------------------------- /regression-tests/toh-contract-translation/multadd-2.c: -------------------------------------------------------------------------------- 1 | 2 | /*@contract@*/ 3 | void addNumbers(int* x, int* y, int* result) { 4 | *result = *x + *y; 5 | } 6 | 7 | /*@contract@*/ 8 | void multiplyNumbers(int* x, int* y, int* result) { 9 | *result = *x * *y; 10 | } 11 | 12 | int* a; 13 | int* b; 14 | int* c; 15 | int* result1; 16 | int* result2; 17 | int a_init; 18 | int b_init; 19 | int c_init; 20 | 21 | extern int non_det_int(); 22 | extern int* non_det_int_ptr(); 23 | 24 | void main() 25 | { 26 | //Non-det assignment of global variables 27 | a = non_det_int_ptr(); 28 | b = non_det_int_ptr(); 29 | c = non_det_int_ptr(); 30 | result1 = non_det_int_ptr(); 31 | result2 = non_det_int_ptr(); 32 | a_init = non_det_int(); 33 | b_init = non_det_int(); 34 | c_init = non_det_int(); 35 | 36 | a = (int*) malloc(sizeof(*a)); 37 | b = (int*) malloc(sizeof(*b)); 38 | c = (int*) malloc(sizeof(*c)); 39 | result1 = (int*) malloc(sizeof(*result1)); 40 | result2 = (int*) malloc(sizeof(*result2)); 41 | *a = a_init; 42 | *b = b_init; 43 | *c = c_init; 44 | 45 | addNumbers(a, b, result1); 46 | multiplyNumbers(a, b, result2); 47 | addNumbers(b, c, c); 48 | 49 | assert((*result1 == (a_init + b_init))); 50 | assert((*result2 == (a_init * b_init))); 51 | assert((*c == (b_init + c_init))); 52 | } 53 | -------------------------------------------------------------------------------- /regression-tests/quantifiers/Answers: -------------------------------------------------------------------------------- 1 | 2 | ext-univ-1-safe.hcc 3 | SAFE 4 | 5 | ext-univ-2-safe.hcc 6 | SAFE 7 | 8 | ext-univ-3-nonzero-lo-safe.hcc 9 | SAFE 10 | 11 | ext-univ-4-empty-safe.hcc 12 | SAFE 13 | 14 | ext-univ-5-cmpN-safe.hcc 15 | SAFE 16 | 17 | ext-univ-1-unsafe.hcc 18 | 19 | -------------------------------------- 20 | Init: 21 | main2_3 22 | -------------------------------------- 23 | | 24 | | 25 | V 26 | main6_7(1, const(1), 0) 27 | -------------------------------------- 28 | | 29 | | 30 | V 31 | main6_7(1, store(const(1), 0, 0), 1) 32 | -------------------------------------- 33 | | 34 | | 35 | V 36 | main_2(1, store(const(1), 0, 0), 1) 37 | -------------------------------------- 38 | Final: 39 | main_2(1, store(const(1), 0, 0), 1) 40 | -------------------------------------- 41 | Failed assertion: 42 | false :- main_2(n:2, a:4, i:5), \exists int v0; (v0 >= 0 & n:2 - v0 >= 1 & select(a:4, v0) != v0 - 1). (line:11 col:3) (property: unreach-call) 43 | 44 | UNSAFE 45 | --------------------------------------------------------------------------------