Closed
Description
Hello Alt-ergo team,
We believe we have found an unsoundness on this small file:
logic div : int, int -> int
logic bit_index : int
predicate in_range(x: int) = (((- 2147483648) <= x) and (x <= 2147483647))
predicate in_range2(x: int) = ((1 <= x) and (x <= 17179869183))
axiom cdiv_cases :
(forall n:int. forall d:int [div(n, d)].
(((0 <= n) -> ((0 < d) -> (div(n, d) = (n / d))))
and (((n < 0) -> ((0 < d) -> (div(n, d) = (-((-n) / d))))))))
axiom Div_1 : (forall x:int. (div(x, 1) = x))
goal VC_1 : (in_range2 (bit_index) ->
(in_range ((div((bit_index - 1), 8) + 1))))
(*goal VC_2 : (not
(in_range ((div((17179869183 - 1), 8) + 1))))*)
Our comments:
VC_1proves with option-max-split 5, without it alt-ergo suffers from an internal crash- when we comment
VC_1and uncommentVC_2, it proves too, which is bad sinceVC_2is(not VC_1)whenbit_indexis17179869183 cdiv_casescannot be unsound since it gives a value to an otherwise undefined symbolDiv_1can be proved fromcdiv_casesif we commentVC1andVC2and change the axiom to be a goal, so it cannot introduce an unsoundness either.- We have a slightly modified version of alt-ergo, can you tell us if you can reproduce the unsoundness on the regular 2.3 version?
Metadata
Metadata
Assignees
Labels
No labels