Timeout while proving the WP using Alt-ergo on Frama C
I was trying to verify the correctness of the below program using Frama-C. I am a new user to Frama-C.
PROBLEM:
Input basic salary of an employee and calculate its Gross salary according to following:
Basic Salary <= 10000 : HRA = 20%, DA = 80%
Basic Salary <= 20000 : HRA = 25%, DA = 90%
Basic Salary > 20000 : HRA = 30%, DA = 95%
#include <limits.h>

/*@ requires sal >= 0 && sal <= INT_MAX/2;
    ensures \result > sal && \result <= INT_MAX;
    behavior sal1:
      assumes sal <= 10000;
      ensures \result == sal+(sal*0.2*0.8);
    behavior sal2:
      assumes sal <= 20000;
      ensures \result == sal+(sal*0.25*0.9);
    behavior sal3:
      assumes sal > 20000;
      ensures \result == sal+(sal*0.3*0.95);
    complete behaviors sal1,sal2,sal3;
 */
double salary(double sal){
    if(sal<=10000){return (sal+(sal*0.2*0.8));}
    else if(sal<=20000){return (sal+(sal*0.25*0.9));}
    else{return (sal+(sal*0.3*0.95));}
}
What mistake am I making here? Should the precondition be more precise?
Console message:
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_ensures : Timeout (Qed:57ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_3 : Timeout (Qed:20ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_6 : Timeout (Qed:2ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_5 : Timeout (Qed:2ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_4 : Timeout (Qed:17ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_7 : Timeout (Qed:15ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_sal1_ensures : Timeout (Qed:33ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_9 : Timeout (Qed:2ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_assert_rte_is_nan_or_infinite_8 : Timeout (Qed:4ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_sal2_ensures : Timeout (Qed:42ms) (10s) (cached)
[wp] [Alt-Ergo 2.3.3] Goal typed_salary_sal3_ensures : Timeout (Qed:35ms) (10s) (cached)
Automated theorem provers behave generally quite poorly when confronted with floating-point computation (see e.g. this report). If you really, really need them, you may want to install Gappa, which is specialized for that, or hope that using CVC4, Z3 and Alt-Ergo (as opposed to just Alt-Ergo) will allow you to have at least one prover able to discharge each proof obligation. But I'd advise to stick to integer arithmetic, e.g. by using cents as unit in order to only manipulate integers when computing percentages (EDIT: since you're multiplying percentages, this would mean working with 1/10000 units, but it still shouldn't be a problem). In fact, if you insist on doubles, the requirement to have values less than INT_MAX does not make much sense.

In the same vein, if you use an integer type, it's probably easier to go for unsigned, which will automatically fulfill the requirement of having a non-negative salary.

Finally, your specification is ambiguous: for any salary less than 10000, you have two distinct formulas to compute the result. The assumes clause of behavior sal2 should probably read: assumes 10000 < sal <= 20000;
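Putting the answer's three suggestions together (integer arithmetic in cents, an unsigned salary type, and non-overlapping assumes clauses), here is an added example contract and implementation; it is not code from the question or the answer. It assumes salaries are expressed in cents, that Frama-C preprocesses annotations (its default), so UINT_MAX is usable in the contract, and it weakens the question's `\result > sal` to `>=` because with truncating integer division the bonus is 0 for amounts below 7 cents.

```c
#include <limits.h>
#include <stdio.h>

/* Salaries are handled in cents (assumption of this example), so the
 * thresholds 10000 and 20000 from the problem become 1000000 and 2000000.
 * The combined rates HRA*DA are 0.2*0.8 = 16%, 0.25*0.9 = 22.5% and
 * 0.3*0.95 = 28.5%, i.e. 160/1000, 225/1000 and 285/1000, so everything
 * stays in unsigned integer arithmetic. Integer division in ACSL truncates
 * exactly like C, so the postconditions describe the code exactly.
 * Note that "\result > sal" would be false for sal < 7 (bonus truncated
 * to 0), hence the weaker "\result >= sal". */

/*@ requires sal <= UINT_MAX / 285;
    ensures  \result >= sal;
    behavior sal1:
      assumes sal <= 1000000;
      ensures \result == sal + sal * 160 / 1000;
    behavior sal2:
      assumes 1000000 < sal <= 2000000;
      ensures \result == sal + sal * 225 / 1000;
    behavior sal3:
      assumes sal > 2000000;
      ensures \result == sal + sal * 285 / 1000;
    complete behaviors;
    disjoint behaviors;
 */
unsigned gross_salary_cents(unsigned sal)
{
    /* sal * 285 <= UINT_MAX by the precondition, so no wraparound occurs */
    if (sal <= 1000000u)
        return sal + sal * 160u / 1000u;
    else if (sal <= 2000000u)
        return sal + sal * 225u / 1000u;
    else
        return sal + sal * 285u / 1000u;
}

int main(void)
{
    /* constructed sample inputs, in cents */
    unsigned samples[] = { 0u, 1000000u, 1000001u, 3000000u };
    for (unsigned i = 0; i < 4; i++)
        printf("basic %u -> gross %u\n", samples[i],
               gross_salary_cents(samples[i]));
    return 0;
}
```

With integer arithmetic there are no `rte_is_nan_or_infinite` obligations left, and the `disjoint behaviors` clause makes WP report the overlap the answer points out instead of silently accepting two formulas for the same input.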