Open JustusAdam opened 1 year ago
There are two major issues:
Well I think we can apply the same solution we do elsewhere:
void set_0(int * i, int arr[])  /* arrays are declared as arr[], not int[] arr */
__CPROVER_ensures(__CPROVER_forall { int j; *i != j || arr[*i] == 0 })  /* CBMC quantifier syntax uses braces */
{ arr[*i] = 0; }
Let me know if I'm being naïve or wrong here.
Function calls are currently supported in function contracts; however, they are not allowed in quantifiers. This is inconsistent and unintuitive, since the logical restrictions for function calls in contracts apply the same way in quantifiers.
Having the capability to call functions in quantifiers is important for the implementation of model-checking/kani#2546. This is for two reasons:
the std::ops::Eq::eq function, which overloads ==, or std::ops::Ord::cmp, which overloads comparison. As a result these are likely to be used by users of Kani's function contracts.
I would ask that CBMC lift the arbitrary restriction on function calls in quantifiers and enforce side-effect freedom the same way it does in function contracts otherwise.