acsl-annotation-assistant
SKILL.md
ACSL Annotation Assistant
Generate comprehensive ACSL (ANSI/ISO C Specification Language) annotations for C/C++ programs to support formal verification with tools like Frama-C.
Core Capabilities
1. Function Contracts
Add complete function specifications with preconditions and postconditions:
/*@
requires \valid(array + (0..n-1));
requires n > 0;
ensures \result >= 0 && \result < n;
ensures \forall integer i; 0 <= i < n ==> array[\result] >= array[i];
assigns \nothing;
*/
int find_max_index(int *array, int n);
2. Loop Annotations
Generate loop invariants, variants, and assigns clauses:
/*@
loop invariant 0 <= i <= n;
loop invariant \forall integer k; 0 <= k < i ==> sum == \sum(0, k, array);
loop assigns i, sum;
loop variant n - i;
*/
for (i = 0; i < n; i++) {
sum += array[i];
}
3. Memory Safety Specifications
Add pointer validity and separation annotations:
/*@
requires \valid(dest + (0..n-1));
requires \valid_read(src + (0..n-1));
requires \separated(dest + (0..n-1), src + (0..n-1));
ensures \forall integer i; 0 <= i < n ==> dest[i] == \old(src[i]);
assigns dest[0..n-1];
*/
void memcpy_safe(char *dest, const char *src, size_t n);
4. Assertions and Assumptions
Insert runtime and verification assertions:
//@ assert 0 <= index && index < array_length;
//@ assume divisor != 0;
5. Axiomatic Definitions and Predicates
Define reusable logical predicates and axioms:
/*@
predicate sorted{L}(int *a, integer n) =
\forall integer i, j; 0 <= i <= j < n ==> a[i] <= a[j];
*/
/*@
axiomatic Sum {
logic integer sum{L}(int *a, integer low, integer high);
axiom sum_empty{L}:
\forall int *a, integer i; sum(a, i, i) == 0;
axiom sum_next{L}:
\forall int *a, integer low, high;
low < high ==> sum(a, low, high) == sum(a, low, high-1) + a[high-1];
}
*/
Annotation Workflow
Step 1: Analyze the Function
Before annotating:
- Identify inputs, outputs, and side effects
- Determine memory access patterns
- Understand algorithmic properties (sorting, searching, etc.)
- Note any implicit assumptions
Step 2: Add Function Contract
Start with the function-level specification:
- Preconditions (
requires): What must be true when function is called - Postconditions (
ensures): What will be true when function returns - Assigns clause: What memory locations may be modified
- Behavioral specification: Normal and exceptional behaviors if applicable
Step 3: Annotate Loops
For each loop, specify:
- Loop invariant: Properties that hold before and after each iteration
- Loop variant: Decreasing measure proving termination
- Loop assigns: Memory modified within the loop
Step 4: Add Assertions
Insert intermediate assertions to:
- Document algorithmic properties
- Help verification tools
- Clarify complex logic
Step 5: Define Helper Predicates
Create reusable logical definitions for:
- Common patterns (sorted arrays, valid ranges)
- Domain-specific properties
- Complex mathematical relationships
Common ACSL Constructs
Memory Validity
\valid(ptr) // Single valid pointer
\valid(ptr + (low..high)) // Valid range
\valid_read(ptr) // Read-only validity
\separated(ptr1, ptr2) // No aliasing
Quantifiers
\forall type var; condition ==> property
\exists type var; condition && property
Logic Functions
\old(expr) // Value at function entry
\at(expr, Label) // Value at specific point
\result // Function return value
\nothing // Empty set (for assigns)
Integer Ranges
\forall integer i; low <= i < high ==> array[i] >= 0
Behaviors
/*@
behavior valid_input:
assumes n > 0;
requires \valid(array + (0..n-1));
ensures \result >= 0;
behavior invalid_input:
assumes n <= 0;
ensures \result == -1;
complete behaviors;
disjoint behaviors;
*/
Verification Considerations
For Frama-C WP Plugin
When generating annotations for WP verification:
- Use
assignsclauses to specify frame conditions - Prefer
\validover raw pointer checks - Use
\separatedfor pointer disjointness - Add
loop assignsfor all loops - Include
loop variantfor termination proofs
Common Verification Patterns
Array bounds safety:
/*@ requires 0 <= index < length;
requires \valid(array + index);
*/
Null pointer checks:
/*@ requires ptr != \null;
requires \valid(ptr);
*/
Overflow prevention:
/*@ requires INT_MIN <= a + b <= INT_MAX; */
Output Format
Generate annotations in standard ACSL comment syntax:
- Multi-line contracts:
/*@ ... */ - Single-line assertions:
//@ assertion - Place contracts immediately before function declarations
- Place loop annotations immediately before loop headers
- Include explanatory comments when annotations are complex
Best Practices
- Start simple: Begin with basic contracts, then refine
- Be precise: Avoid over-specification or under-specification
- Document assumptions: Make implicit assumptions explicit
- Use predicates: Factor out common patterns
- Test incrementally: Verify annotations with Frama-C as you go
- Include rationale: Add comments explaining non-obvious specifications
Example: Complete Annotated Function
/*@
predicate valid_array(int *a, integer n) =
\valid(a + (0..n-1)) && n > 0;
*/
/*@
requires valid_array(array, n);
ensures \result >= 0 && \result < n;
ensures \forall integer i; 0 <= i < n ==> array[\result] >= array[i];
assigns \nothing;
*/
int find_max_index(int *array, int n) {
int max_idx = 0;
/*@
loop invariant 0 <= i <= n;
loop invariant 0 <= max_idx < n;
loop invariant \forall integer k; 0 <= k < i ==>
array[max_idx] >= array[k];
loop assigns i, max_idx;
loop variant n - i;
*/
for (int i = 1; i < n; i++) {
if (array[i] > array[max_idx]) {
max_idx = i;
}
}
return max_idx;
}
Resources
This skill includes reference materials for ACSL:
references/
acsl_reference.md- Comprehensive ACSL syntax referencecommon_patterns.md- Frequently used annotation patternsframa_c_integration.md- Tips for using with Frama-C
Load these references as needed for detailed syntax information or advanced patterns.
Weekly Installs
1
Repository
arabelatso/skills-4-seGitHub Stars
47
First Seen
12 days ago
Security Audits
Installed on
amp1
cline1
opencode1
cursor1
kimi-cli1
codex1