I often use cardinality of sets in others formal specifications and I wondering if it was possible to use it in ACSL with WP frama-c plugin.
For example, it seems clearer to me to write
assumes card({*a, *b, *c}) == 3
rather than
assumes *a != *b && *a != *c && *b != *c
Alright, I found a solution (a slow one I warn you, had to change the timeout from 10 seconds to 30 seconds just for the following example). Also it is broken in Frama-C version Calcium claiming that it can't find the Qed library (the bug appears to be in attempting to call a logic boolean type Frama-C function). It works properly in Frama-C version Chlorine (didn't test other versions).
/* "set" appears to be a reserved word in frama-c */
/*@ predicate full_card{L}(unsigned int* the_set, integer set_size) =
\forall integer a, b; 0 <= a < set_size && 0 <= b < set_size && a != b ==> the_set[a] != the_set[b];
*/
/*@ logic boolean in_set_bool{L}(unsigned int* the_set, integer set_size, unsigned int element) =
set_size == 0 ? \false : element == the_set[0] || in_set_bool(the_set + 1, set_size - 1, element);
*/
/*@ logic integer card{L}(unsigned int* the_set, integer set_size) =
set_size == 0 ? 0 : (
in_set_bool(the_set + 1, set_size - 1, the_set[0])
? card(the_set + 1, set_size - 1)
: card(the_set + 1, set_size - 1) + 1);
*/
int main(int argc, char** argv) {
unsigned int set[] = { 1, 2, 3 };
unsigned int set_size = 3;
/*@ assert full_card(&set[0], set_size); */
/*@ assert card(&set[0], set_size) == 3; */
unsigned int set_two[] = { 3, 2, 1, 3 };
unsigned int set_two_size = 4;
/*@ assert card(&set_two[0], set_two_size) == 3; */
/*@ assert !full_card(&set_two[0], set_two_size); */
}
