authorChristophe Grenier <[email protected]>2024-01-07 18:05:30 +0100
committerChristophe Grenier <[email protected]>2024-01-07 18:05:30 +0100
commit80f6343da1ea69aab9528b2129c2c337d6dab3a7 (patch)
tree4dce10cd95b1cc6ebd63e6672c3ee145d1f45c01
parentfed0b0c917d2b8e713980e6fdb4fffec0474d5f2 (diff)
src/filegen.[ch], src/photorec.h: improve Frama-C annotations
-rw-r--r--src/filegen.c31
-rw-r--r--src/filegen.h5
-rw-r--r--src/photorec.h21
3 files changed, 49 insertions, 8 deletions
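--- a/src/filegen.c
+++ b/src/filegen.c
@@ -163,6 +163,7 @@ static void file_check_add_tail(file_check_t *file_check_new, file_check_list_t
 unsigned int i;
 const unsigned int tmp=(file_check_new->length==0?0:((const unsigned char *)file_check_new->value)[0]);
 file_check_list_t *newe=(file_check_list_t *)MALLOC(sizeof(*newe));
+ /*@ assert \valid(newe); */
 newe->offset=file_check_new->offset;
 /*@
 @ loop unroll 256;
@@ -233,6 +234,9 @@ static void index_header_check_aux(file_check_t *file_check_new)
 /*@ assert file_check_new->offset < 0x80000000; */
 /*@ assert 0 < file_check_new->length <= 4096; */
 struct td_list_head *tmp;
+ /*@
+ @ loop invariant \valid(tmp);
+ @*/
 td_list_for_each(tmp, &file_check_list.list)
 {
 file_check_list_t *pos=td_list_entry(tmp, file_check_list_t, list);
@@ -264,7 +268,11 @@ static unsigned int index_header_check(void)
 struct td_list_head *tmp;
 struct td_list_head *next;
 unsigned int nbr=0;
- /* Initialize file_check_list from file_check_plist */
+ /* Initialize file_check_list from file_check_plist */
+ /*@
+ @ loop invariant \valid_read(tmp);
+ @ loop invariant \valid_read(next);
+ @*/
 td_list_for_each_prev_safe(tmp, next, &file_check_plist.list)
 {
 file_check_t *current_check;
@@ -513,10 +521,12 @@ file_stat_t * init_file_stats(file_enable_t *files_enable)
 unsigned int enable_count=1; /* Lists are terminated by NULL */
 unsigned int sign_nbr;
 unsigned int i;
- /*@ loop assigns enable_count, file_enable; */
+ /*@
+ @ loop invariant valid_file_enable_node(file_enable);
+ @ loop assigns enable_count, file_enable;
+ @*/
 for(file_enable=files_enable;file_enable->file_hint!=NULL;file_enable++)
 {
- /*@ assert \valid_read(file_enable); */
 if(file_enable->enable>0 && file_enable->file_hint->register_header_check!=NULL)
 {
 enable_count++;
@@ -524,25 +534,34 @@ file_stat_t * init_file_stats(file_enable_t *files_enable)
 }
 /*@ assert enable_count > 0; */
 file_stats=(file_stat_t *)MALLOC(enable_count * sizeof(file_stat_t));
+ /*@ assert \valid(file_stats + (0 .. enable_count-1)); */
 i=0;
 /*@
- @ loop invariant 0 <= i <= enable_count;
+ @ loop invariant \valid(file_stats + (0 .. enable_count-1));
+ @ loop invariant valid_file_enable_node(file_enable);
+ @ loop invariant 1 <= enable_count;
+ @ loop invariant 0 <= i < enable_count;
 @ loop invariant \forall integer j; 0 <= j < i ==> valid_file_stat(&file_stats[j]);
 @*/
 for(file_enable=files_enable;file_enable->file_hint!=NULL;file_enable++)
 {
+ /*@ assert i < enable_count; */
 /*@ assert \valid_read(file_enable); */
+ /*@ assert \valid_read(file_enable->file_hint); */
 if(file_enable->enable>0 && file_enable->file_hint->register_header_check!=NULL)
 {
 file_stats[i].file_hint=file_enable->file_hint;
 file_stats[i].not_recovered=0;
 file_stats[i].recovered=0;
+ /*@ assert \valid_function((file_enable->file_hint)->register_header_check); */
 file_enable->file_hint->register_header_check(&file_stats[i]);
 /*@ assert valid_file_stat(&file_stats[i]); */
 i++;
 }
 }
 sign_nbr=index_header_check();
+ /*@ assert \valid(file_stats + (0 .. enable_count-1)); */
+ /*@ assert 1 <= enable_count; */
 file_stats[enable_count-1].file_hint=NULL;
 #ifndef DISABLED_FOR_FRAMAC
 log_info("%u first-level signatures enabled\n", sign_nbr);
@@ -561,6 +580,7 @@ file_stat_t * init_file_stats(file_enable_t *files_enable)
 @*/
 static int file_rename_aux(file_recovery_t *file_recovery, const char *new_ext)
 {
+ /*@ assert valid_file_recovery(file_recovery); */
 /*@ assert valid_string((char *)&file_recovery->filename); */
 char new_filename[sizeof(file_recovery->filename)];
 char *dst;
@@ -671,6 +691,7 @@ static int _file_rename(char *filename, const void *buffer, const int buffer_siz
 len+=strlen(new_ext)+1;
 #ifndef DISABLED_FOR_FRAMAC
 new_filename=(char*)MALLOC(len);
+ /*@ assert \valid(new_filename); */
 dst=new_filename;
 directory_sep=dst;
 strcpy(dst, src);
@@ -799,6 +820,7 @@ static int _file_rename(char *filename, const void *buffer, const int buffer_siz
 /* The original filename begins at offset in buffer and is null terminated */
 int file_rename(file_recovery_t *file_recovery, const void *buffer, const int buffer_size, const int offset, const char *new_ext, const int append_original_ext)
 {
+ /*@ assert valid_file_recovery(file_recovery); */
 if(file_recovery->filename[0] == 0)
 return 0;
 /*@ assert strlen((char *)&file_recovery->filename) > 0; */
@@ -843,6 +865,7 @@ static int _file_rename_unicode(file_recovery_t *file_recovery, const void *buff
 len+=strlen(new_ext);
 #ifndef DISABLED_FOR_FRAMAC
 new_filename=(char*)MALLOC(len);
+ /*@ assert \valid(new_filename); */
 dst=new_filename;
 dst_dir_sep=dst;
 while(*src!='\0')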
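Review bot: The loop invariant `@ loop invariant valid_file_enable_node(file_enable);` added to both loops of init_file_stats (the counting loop and the filling loop) is not inductive from the function's contract as changed in this commit: the new precondition in src/filegen.h, `@ requires valid_file_enable_node(files_enable);`, only covers the first element, so after `file_enable++` nothing in the annotations establishes that the next node is readable, unless an array-wide assumption exists elsewhere in the file. A predicate quantified over the whole NULL-terminated array, for example `\forall integer k; 0 <= k <= n ==> valid_file_enable_node(files_enable + k)` with an explicit bound `n` on the list length as a second precondition, would let WP discharge both invariants and the later `/*@ assert \valid_read(file_enable->file_hint); */` as well. In the same way, the new `@ loop invariant 0 <= i < enable_count;` and `/*@ assert i < enable_count; */` hold only because the first loop counted the same entries under the same condition, but no invariant relates `i` to the count established by the first loop, so these presumably go through as assumed rather than proved facts. The bodies of init_file_stats and of the other annotated functions begin and end outside the hunks shown here.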
diff --git a/src/filegen.h b/src/filegen.h
index 74320f64..72813e58 100644
--- a/src/filegen.h
+++ b/src/filegen.h
@@ -132,6 +132,9 @@ typedef struct
\valid(node->file_stat) &&
valid_file_stat(node->file_stat)
);
+
+ predicate valid_file_enable_node(file_enable_t *node) = (\valid_read(node) && (node->file_hint == \null || valid_file_hint(node->file_hint)));
+
@*/
typedef struct
@@ -372,7 +375,7 @@ void register_header_check(const unsigned int offset, const void *value, const u
file_stat_t *file_stat);
/*@
- @ requires \valid(files_enable);
+ @ requires valid_file_enable_node(files_enable);
@ ensures valid_file_stat(\result);
@*/
file_stat_t * init_file_stats(file_enable_t *files_enable);
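Review bot: The new `predicate valid_file_enable_node(file_enable_t *node)` is written as a single long line, whereas the predicate that ends just above it lays out one conjunct per line (`\valid(node->file_stat) &&` / `valid_file_stat(node->file_stat)`); splitting the new one the same way, `(\valid_read(node) &&` on one line and `(node->file_hint == \null || valid_file_hint(node->file_hint)));` on the next, keeps the ACSL block consistent and makes future diffs to it readable. A one-line comment above the predicate stating that it describes a single list node, not the whole NULL-terminated array, would also help readers of the `requires` clause on init_file_stats. The enclosing `/*@ ... @*/` annotation block starts before this hunk.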
diff --git a/src/photorec.h b/src/photorec.h
index 517efdbe..59f9dfd8 100644
--- a/src/photorec.h
+++ b/src/photorec.h
@@ -66,7 +66,9 @@ struct ph_param
/*@
predicate valid_ph_param(struct ph_param *p) = (\valid_read(p) &&
- (p->recup_dir == \null || valid_read_string(p->recup_dir))
+ (p->recup_dir == \null || valid_read_string(p->recup_dir)) &&
+ (p->disk == \null || valid_disk(p->disk)) &&
+ (p->cmd_run == \null || valid_read_string(p->cmd_run))
);
@*/
@@ -87,6 +89,7 @@ int get_prev_file_header(const alloc_data_t *list_search_space, alloc_data_t **c
@ requires valid_ph_param(params);
@ requires valid_list_search_space(list_search_space);
@ requires \separated(file_recovery, params, list_search_space);
+ @ requires valid_disk(params->disk);
@*/
int file_finish_bf(file_recovery_t *file_recovery, struct ph_param *params,
alloc_data_t *list_search_space);
@@ -108,6 +111,7 @@ void file_recovery_aborted(file_recovery_t *file_recovery, struct ph_param *para
@ requires valid_ph_param(params);
@ requires valid_list_search_space(list_search_space);
@ requires \separated(file_recovery, params, list_search_space);
+ @ requires valid_disk(params->disk);
@ ensures \result == PFSTATUS_BAD || \result == PFSTATUS_OK || \result == PFSTATUS_OK_TRUNCATED;
@*/
// ensures valid_file_recovery(file_recovery);
@@ -119,6 +123,7 @@ pfstatus_t file_finish2(file_recovery_t *file_recovery, struct ph_param *params,
void write_stats_log(const file_stat_t *file_stats);
/*@
+ @ requires \valid(file_stats);
@ requires valid_list_search_space(list_search_space);
@ requires \separated(file_stats, list_search_space);
@*/
@@ -179,6 +184,12 @@ unsigned int remove_used_space(disk_t *disk_car, const partition_t *partition, a
@*/
void free_list_search_space(alloc_data_t *list_search_space);
+/*@
+ @ requires \valid_read((const file_stat_t *)p1);
+ @ requires \valid_read((const file_stat_t *)p2);
+ @ terminates \true;
+ @ assigns \nothing;
+ @*/
int sorfile_stat_ts(const void *p1, const void *p2);
/*@
@@ -205,6 +216,7 @@ void free_search_space(alloc_data_t *list_search_space);
@ requires \valid(params);
@ requires valid_ph_param(params);
@ requires \separated(file_recovery, params);
+ @ requires valid_disk(params->disk);
@*/
// ensures valid_file_recovery(file_recovery);
void set_filename(file_recovery_t *file_recovery, struct ph_param *params);
@@ -212,11 +224,13 @@ void set_filename(file_recovery_t *file_recovery, struct ph_param *params);
/*@
@ requires \valid(params);
@ requires valid_ph_param(params);
+ @ requires valid_disk(params->disk);
@ requires valid_list_search_space(list_search_space);
@ requires \separated(params, new_current_search_space, list_search_space);
- @ requires new_current_search_space==\null || (\valid(*new_current_search_space) && valid_list_search_space(*new_current_search_space));
+ @ requires \valid(*new_current_search_space);
+ @ requires valid_list_search_space(*new_current_search_space);
@*/
-// ensures new_current_search_space==\null || (\valid(*new_current_search_space) && valid_list_search_space(*new_current_search_space));
+// ensures \valid(*new_current_search_space) && valid_list_search_space(*new_current_search_space);
// ensures valid_list_search_space(list_search_space);
uint64_t set_search_start(struct ph_param *params, alloc_data_t **new_current_search_space, alloc_data_t *list_search_space);
@@ -227,6 +241,7 @@ uint64_t set_search_start(struct ph_param *params, alloc_data_t **new_current_se
@ requires \separated(params, options);
@ requires params->disk->sector_size > 0;
@ requires valid_read_string(params->recup_dir);
+ @ requires valid_file_enable_node(options->list_file_format);
@ ensures valid_ph_param(params);
@ ensures params->file_nbr == 0;
@ ensures params->status == STATUS_FIND_OFFSET;