Binary search in C annotated in ACSL
This is a C version of Binary Search, annotated in ACSL.
Authors: Claude Marché / Jean-Christophe Filliâtre
Topics: Arithmetic Overflow / Searching Algorithms / Tricky termination
References: The VerifyThis Benchmarks
see also the index (by topic, by tool, by reference, by year)
Here is the annotated source code
/*@ predicate sorted{L}(long *t, integer a, integer b) = @ \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j]; @*/ /*@ requires n >= 0 && \valid_range(t,0,n-1); @ ensures -1 <= \result < n; @ behavior success: @ ensures \result >= 0 ==> t[\result] == v; @ behavior failure: @ assumes sorted(t,0,n-1); @ ensures \result == -1 ==> @ \forall integer k; 0 <= k < n ==> t[k] != v; @*/ int binary_search(long t[], int n, long v) { int l = 0, u = n-1; /*@ loop invariant @ 0 <= l && u <= n-1; @ for failure: @ loop invariant @ \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u; @ loop variant u-l; @*/ while (l <= u ) { int m = (l + u) / 2; //@ assert l <= m <= u; if (t[m] < v) l = m + 1; else if (t[m] > v) u = m - 1; else return m; } return -1; }
The program above is the classical binary search for a given element in an array sorted in increasing order.
This program exposes a long-standing bug, that is the computation of l+u may overflow. When attempting to prove this program with Frama-C/Jessie, the VC corresponding to this overflow cannot be proved.
See also
- http://en.wikipedia.org/wiki/Binary_search_algorithm
- http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html
- Harvey Tuch, Gerwin Klein, and Michael Norrish. 2007. Types, bytes, and separation logic. In Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL ’07). ACM, New York, NY, USA, pages 97–108. http://doi.acm.org/10.1145/1190216.1190234