Making your source code compatible with eCv

Overview

You can configure eCv to assume source code is C90, C99, C++ 1998 or C++ 2011. The choice is made in the compiler configuration dialog in the Project Manager, or using the -gl option if you are running eCv from the command line.

The following describes the core C90 language subset supported by eCv, in particular the restrictions placed on C constructs. Where these restrictions have equivalent or related MISRA-C 2004 rules, we quote the rule numbers.

Not all of the restrictions are rigidly enforced; some will give rise to warning (rather than error) messages if they are violated, allowing analysis to continue.

For information on constructs from C99 and C++ that eCv supports when you select on of those languages, see Appendix E.

Keywords

eCv treats some additional words as keywords. These words may not be used as identifiers. Here is a list of them:

Normal keyword Underlying keyword Where used See section

any _ecv_any 'any' expression Collections

array _ecv_array Indicates that a pointer refers to an array array

assert _ecv_assert Assertion statement assert

assume _ecv_assume Assume declaration assume

bool Boolean type Boolean types

decrease _ecv_decrease Declares a loop variant decrease

exists _ecv_exists 'exists' expression Quantified expressions

false
Boolean false value Boolean types

forall _ecv_forall 'forall' expression Quantified expressions

ghost _ecv_ghost Declares that a declaration is for use in specifications only ghost (see also Ghosts)

holds _ecv_holds 'holds' expression Disjoint expressions

idiv _ecv_idiv An integer division operator that always rounds down Binary operators

imod _ecv_imod An integer modulus operator that always yields a non-negative result Binary operators

in _ecv_in Element-in-collecton operator Binary operators

integer _ecv_integer Unbounded integer type ghost

_ecv_interrupt Function specifier to indicate that the function is an interrupt service routine (to be added)

invariant _ecv_invariant Declares a structure invariant invariant

keep _ecv_keep Declares a loop invariant keep

let _ecv_let Names a subexpression so you can refer to it in a larger expression let

maxof _ecv_maxof Yields the maximum value in a type Type operators

minof _ecv_minof Yields the minimum value in a type Type operators

min_sizeof _ecv_minof Yields the minimum value that sizeof could yield for the same type Type operators

not_null _ecv_not_null Cast a nullable pointer to a non-nullable pointer not_null

null _ecv_null Declares that a pointer is nullable Nullable and non-nullable pointers

_ecv_nullptr Null pointer literal Additional eCv++ keywords

old _ecv_old Selects the original value of an expression instead of the final or current value in a postcondition, loop invariant or loop variant old

out _ecv_out Indicates that a pointer parameter is used only to pass a value back to the caller Pointers as function parameters

over _ecv_over 'over' expression Collections

pass _ecv_pass Null statement pass

post _ecv_post Declares a postcondition post

_ecv_pow Exponentiation operator Binary operators

pre _ecv_pre Declares a precondition pre

result _ecv_result Refers to function result in a postcondition post

returns _ecv_returns Declares a function return value returns

some _ecv_some Indicates any object(s) of a specified type

spec _ecv_spec Declares that a function prototype overrides another similar one

that _ecv_that 'that' expression Collections

those _ecv_those 'those' expression Collections

true Boolean true value Boolean types

wchar_t Wide character type below

writes _ecv_writes Declares nonlocal variables that a function writes to writes

value _ecv_value Refers to the value of the structure in a structure invariant, similar to (*this) in C++

yield _ecv_yield 'for..yield' and 'for..those..yield' expressions Collections

zero_init _ecv_zero_init Yields the value of a type obtained by setting all bits to zero Type operators

Notes on keywords

If you must use one of the keywords in the above table as an identifier in your program (perhaps because a third-party library header file uses it) then there is a workaround. Apart from bool, false, true and wchar_t, all the reserved words not beginning with _ecv_ are defined in file ecv.h as macros equivalent to the corresponding _ecv_ versions. After you #include "ecv.h" at the start of your program, you may #undef the keyword. So if you need to use e.g. resultas an identifier, you can #undef result, and then subsequently use _ecv_result instead of result in eCv specifications.

Note: if you use keywords beginning with _ecv_ directly, then this may result in the column numbers in eCv error, warning and informational messages being incorrect (see later in this chapter).

eCv also places a number of identifiers beginning with _ecv_ in the global namespace, therefore you should not use identifiers beginning with _ecv_ in your source code.

Although we have listed wchar_t as a reserved word, if your source code is C90 or C99 (not C++) then you are allowed to use a typedef in a standard header file to define wchar_t with its usual meaning, i.e. the type of a wide character literal.

If you are using any of the keywords {bool, true, false} to define your own Boolean type, you should make your own definitions conditional - see here.

Restrictions

eCv places the following restrictions on using of the C language.

Tokens

eCv treats ":-" as a single token, rather than the two tokens ":" and "-". This means that conditional expressions such as the following, will not be parsed correctly:

c ? e :-f
c ? e :--x

The fix is simple: ensure that there is at least one space between the colon and the minus-sign, as in the following:

c ? e : -f
c ? e : --f

Declarations

In any scope, you may not use the same identifier as more than one of:
- the name of a single variable, function or parameter, and/or the name of one or more struct or union fields
- a struct name
- a union name
- a typedef name
- an enum name
So, at any location in the program, a given identifier that does not immediately follow a period has exactly one meaning. (MISRA 5.6)
You may not declare an identifier in an inner scope so that it hides a declaration of the same identifier in an enclosing scope. This includes parameter names in prototypes [because prototypes may contain specifications that refer to the parameters]. (MISRA 5.2)
Advice: avoid declaring static or extern variables/functions with short names that you may also want to use as parameter names.
eCv currently requires the names of parameters in function prototypes to match exactly with the corresponding parameter names in the function definition. (MISRA 16.4)
Storage-class specifiers must be placed before type qualifiers. For example, you may use extern const ... or static volatile ... , but not const extern ... or volatile static ... .
You may not declare a struct, union or enum within a parameter list.
You may not declare a struct, union or enum within the operand of sizeof.
You may not declare a struct, union or enum within the type-part of a cast expression.
Variables must be explicitly typed (i.e. no default of int). (MISRA 8.2)
eCv currently requires that all types declared are also defined. (MISRA 18.1) So if your source file refers to type struct Foo * then type Foo must be defined somewhere. If necessary, declare a dummy definition, like this:

#ifdef __ECV__ struct Foo { int x; } #endif
This dummy definition includes a member so that eCv cannot infer that all instances of Foo are equal.
When initializing arrays of arrays, arrays of structs, structs containing arrays etc. each part of the initializer list for any array or struct must be enclosed in braces. (MISRA 9.2)
When you declare a variable with static or extern linkage, if the type of the variable does not have a valid default-initialized value, then the declaration must include an initializer. For example, if you declare a static variable with non-nullable pointer type, or with struct type where the struct contains a field with non-nullable pointer type, then you must provide an initializer. Similarly, if you declare a static array whose element type does not have a valid default initial value, then you must provide an initializer for all the elements of the array.

Pointers summary

A pointer variable or parameter may only be given the value 0 if it has been declared nullable. See later section on pointers and arrays.
Pointer variables in static data that are not declared nullable must have initializers.
Pointers to arrays are distinguished from plain pointers (i.e. pointers to single values) by the keyword array after the * in the corresponding declaration. See later section on pointers and arrays.
A plain pointer may not be indexed or have any other operator applied to it other than * or == or != . (MISRA 17.1, 17.3)
A function parameter of pointer type that is used only to pass a value back to the caller should be flagged with the keyword out.

Characters and character types

eCv treats plain char as distinct from both signed char and unsigned char (like C++). eCv does not perform implicit type conversions to or from plain char. (MISRA 6.1, 6.2)
The type of a character literal in eCv is char (as in C++), not int (as in C).
eCv treats wchar_t as a separate type distinct from all other types (like C++). eCv does not perform implicit type conversions to or from wchar_t.
The type of a wide character literal in eCv is wchar_t.

Types and type conversions

eCv does not perform implicit type conversions between integral types and floating-point types. Any such conversion required must be done using an explicit cast. (MISRA 10.1)
eCv generates a warning where there is an implicit type conversion and the destination type cannot contain all the values of the source type. (MISRA 10.1, 10.2) Exception: eCv will not warn if an integer literal having a signed type is implicitly converted to an unsigned type with the same or a larger number of bits, because an integer literal is non-negative, so there is no risk that it will not fit in the type.
Where a string literal is converted implicitly into a pointer to the first character (i.e. whenever it is not used as an array initializer or the operand of sizeof), its type in eCv is const char* array (i.e. const char* as in C++, with the eCv array modifier), not char* as in C. Note the const. This means that you can't modify a string literal (which would in any case amount to "undefined behaviour" in the C standard), or pass a string literal to a function that takes a char* (without the const) parameter.
Enum types are treated as separate types (as in C++), not as a shorthand for integers. Enum types can be converted to integers implicitly. Conversion from integral types to enum types can be done using an explicit cast - there is no implicit conversion. You cannot use the operators ++, -- or the assigning operators +=, -= etc. on enum types (they are normally allowed by the C language standards but not by the C++ standard).
eCv uses a distinct Boolean type called bool, and treats the result of evaluating a relational operator as having type bool. The condition part of a conditional expression or if-statement, and the while-expression in a while, do...while or for loop must have type bool. (MISRA 13.2) If you already define your own Boolean type, see here for how to make eCv understand it.
A cast expression must do one of the following:
- Convert between two integral type, two floating-point type, or one integral type and one floating-point type (note that plain char and wchar_t are not treated by eCv as integral types for the purpose of this rule)
- Convert from char to signed char or unsigned char
- Convert from an integral type to char
- Convert between wchar_t and an integral type
- Convert between an enumeration type and an integral type
- Convert between bool and an integral type
- Convert from [const] [volatile] T1* [array] [null] to [const] [volatile] T2* [array] [null], where T1 and T2 are the same type or one of them is void, and elements shown here in [ ] are optional. There are some further restrictions: you can't cast from a const-pointer to a non-const-pointer, and you can't cast from a plain pointer to an array pointer.
Some cast-expressions other than the above are accepted by eCv but provoke a warning that verification of the program may not be sound.

Functions

Function declarations must adhere to the ANSI format (not the old K&R format) and have explicit return type. (MISRA 8.2)
A function signature of the form T f() is interpreted as having no parameters, rather than unspecified parameters; i.e. it is treated as if it were T f(void).
Variable length argument lists are not supported. (MISRA 16.1)
The body of a function with a non-void return type may not fall through to the end of the function (i.e. it must return a defined value). (MISRA 16.8)
Return statements inside a function with a non-void return type must include a returned value. Return statements inside a function with void return type must not include a returned value. (MISRA 16.8)
A function that writes to non-local variables (other than only to variables directly pointed to by any parameters of non-const pointer types) must declare this in a writes clause. See the section on function contracts for more details.

Arithmetic operations

The unary-minus operator may not be applied to an operand of unsigned type. (MISRA 12.9)
eCv allows you to use mixed signed/unsigned operands in arithmetic operators and comparisons, but it will both issue a warning and generate verification conditions to ensure that the implicit type conversion(s) involved do not lose information. We recommend adding an explicit type conversion, which will suppress the warning. (MISRA 10.1)
You cannot mix integral and floating operands in arithmetic expressions. This is a consequence of the fact that eCv does not provide implicit conversions from integral to floating-point types. If you want to mix integral and floating operands, you will have to cast the operand having integral type to a suitable floating type. (MISRA 10.2)

Bit operations

The underlying type of the operands of binary operators & | ^ << and >> and unary operator ~ must be unsigned. (MISRA 12.7)

Switch statements

In a switch-statement, the end of one case may not fall through to the next case, i.e. it must end in break, return, continue or goto. (MISRA 15.2) However, you can have multiple case labels on a single statement.
The case-labels of a switch statement must be placed on statements directly within the compound statement that forms the switch body. (MISRA 15.1) They may not be placed on nested statements.Example:

switch(i) { case 1: /* ok */ case 2: /* ok */ ... break; { case 3: /* error, case label is inside another statement */ default: /* error, case label is inside another statement */ ... break; } case 4: { /* ok */ ... break; } }
The compound statement that forms the body of a switch statement may not contain declarations unless they are inside a further compound statement. Example:

switch(i) { int temp1; /* error, declarations not allowed here */ case 1: { int temp2; /* ok, declaration is inside a compound statement */ ... } break; default: int temp3; /* error, declarations not allowed here even in C99 or C++ mode */ ... break; }

Other restricted constructs

The operand of sizeof may not be a character literal or enumeration constant. The reason is that C and C++ give different results for this.
You may not use the unary & operator to take the address of a field of a union or any sub-part thereof.
eCv generates a warning if an unsuffixed integer literal is implicitly unsigned. (MISRA 10.6)
In any goto statement, the destination label must be later in the preprocessed source file that the goto keyword, and must be in the same block as the goto keyword or in an enclosing block. So backwards jumps and jumps into blocks are not permitted. When processing C'99 or C++ source, a goto statement may not jump over any declarations that are in the same block as the destination label.

Side effects

The operand of sizeof() may not have side effects. (MISRA 12.3)
Any given variable may be read or written at most once between each pair of consecutive sequence points; except that a variable may be read as part of the calculation of the new value that is to be written to it in an assignment expression. (MISRA 12.2)
At most one volatile variable may be read or written, and only once, between each pair of consecutive sequence points. (MISRA 12.2)
The three operands of a conditional expression may not have side effects.

Unsupported constructs

The offsetof(...) macro is not supported, because it is defined in terms of unsupported type conversions. (MISRA 20.6)
Calls to the setjmp and longjmp functions/macros are not supported. (MISRA 20.7)

Additional restrictions enforced by the verifier

When any of the operators < <= > >= is used with pointer operands, they must be array pointers that point into the same array. (MISRA 17.3)
The value assigned to any entity of an enum type must be not lower than the lowest value declared in the corresponding enum declaration, and not higher than the highest value declared in the enum declaration. One consequence of this is that if you have any static variables of enumeration type, either the enumeration type must have a named member whose value is zero, or the static variable must have an initializer.
A member of a union may not be read unless the last assignment to the union was done via the same member. So unions cannot be used to convert between types or to pack or unpack data structures. Their sole function must be to represent data of different types at different times or in different situations.
All variables must be initialized before use. (MISRA 9.1)
Every array pointer value (including any intermediate values in pointer arithmetic expressions) must address an element that is within the bounds of an array, or be one past the last element of an array, or be null (if it is declared nullable).
Every access to an array element (whether by indexing or by dereferencing) must be within the bounds of the array.
Null pointers may not be dereferenced.
In any type conversion, whether explicit or implicit, the destination type must be able to hold the value being converted without loss of information or a change in the interpretation of the value; except that for conversions from floating-point types to integral types, the foregoing applies only to the integral part after truncation or rounding of the fractional part.
If the left operand of the right-shift operator has a signed type, its value may not be negative.
The result of any integral arithmetic operation or left-shift operation must be representable in the result type without any modulo-N wrap round, even if the operands are unsigned.
When using the integer / and % operators, the second operand must be positive.
The right operand of a shift operator must lie between zero and one less than the number of bits in the promoted operand.

Defining and Using Boolean types

C90 does not provide a Boolean type. C99 provides a boolean type called _Bool, and if you #include "stdbool.h" then it is also called bool and the corresponding literals are called false and true. C++ provides a Boolean type, calling it bool and the corresponding literals false and true.

eCv follows the C++ standard in order to provide stronger typing than C90. Therefore, in order that you can use the Boolean type in your code in a manner that your compiler will accept, you should do one of the following:

(a) Add the following to your standard header:

#if !defined(__ECV__) && !defined(__cplusplus) /* we're neither running under eCv nor compiling as C++, so we need to define the Boolean type */ #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) /* we're compiling as C99 so use the definition in stdbool.h */ #include <stdbool.h> #else /* compiling as an older version of C */ /* define the Boolean type ourselves in a manner compatible with C99 and C++ */ typedef enum { false = 0, true = 1 } bool; #endif #endif

and then use the names bool, false and true in your code.

(b) If you are already using some names other than {bool, false, true} to denote Boolean types and values, then do something like the following (this example assumes that you are using BOOL_T, FALSE and TRUE):

#if defined(__ECV__) typedef bool BOOL_T; #define FALSE (false) #define TRUE (true) #else /* insert your own code here, e.g. the following */ /* typedef enum { FALSE = 0, TRUE = 1 } BOOL_T; */ #endif

Pointers

Pointers in C and C++ can be troublesome in several ways:

Zero (i.e. NULL) is an allowed value of every pointer type in C and in C++. In critical systems, while we may occasionally want to allow null pointers, for example in the link field of the last element of a linked list, more usually we want to disallow null pointers. Verification requires that anywhere we use the * or [ ] operator on a pointer, we can be sure that it is not null.
C and C++ do not distinguish between pointers to single variables and pointers to arrays. So, where we have a parameter or variable of type T*, we can’t tell whether it is supposed to point to a variable or an array. If it points to a single variable, then we mustn’t do pointer arithmetic or indexing on it. The verifier must be able to check this.
Array parameters in C/C++ are passed as pointers. Aside from the problem that we can’t distinguish array pointers from pointers to single variables, we also have the problem that there is no size information contained in an array pointer.
Anywhere we use pointers to mutable data, there is the possibility of aliasing. In other words, there may be more than one pointer to the same data. The verifier needs to take account of the fact that changes to data made through one pointer may affect the values subsequently read through another pointer.

Nullable and non-nullable pointers

By default, eCv assumes when you declare a variable, parameter or function return value as having a pointer type, the value zero (or NULL) is not allowed. If you wish to allow this value, you must say so by using the null qualifier in the declaration. Here's an example:

void foo(int * p, int * null q) { ... }
...
int a = 1;
foo(NULL, &a); /* error, parameter p of foo() is not nullable */
foo(&a, NULL); /* ok, parameter q was declared nullable */

Array pointers

eCv requires array pointers to be qualified with the keyword array. Here’s an example:

void copyError(const char * array msg, char * array dst, int dstSize) { ... }

The presence of the array keyword tells eCv that the msg and dst parameters point to arrays rather than single values. If you leave it out, then eCv will not allow you to perform indexing or any other sort of pointer arithmetic on those parameters. When you compile the code, array becomes a macro with an empty expansion, so your standard C or C++ compiler doesn’t notice it.

In this example, we’ve passed the size of the destination buffer in a separate int parameter, so that the code can limit how many characters it writes. However, in writing specifications, we often need to talk about the size of the array that a pointer points to even when we don’t have it available in a separate parameter. eCv treats an array pointer like a struct comprising three values: the pointer itself, the lower bound (i.e. index of the first element), and the limit (i.e. one plus the index of the last element). To refer to the lower bound or limit of dst we use the syntax dst.lwb or dst.lim respectively. We also allow dst.upb (for upper bound), which is defined as (dst.lim – 1). Of course, you cannot refer to these fields in code, but you can use them in specification constructs (such as preconditions, invariants, assertions) as much as you like. We call them ghost fields because they aren’t stored.

For example, let’s specify that when the copyError function is called, it assumes that dst points to an array with at least dstsize elements available. Here’s how we can specify that:

void copyError(const char * array msg, char * array dst, int dstSize) pre(dst.lim >= dstSize) { ... }

An array pointer in C/C++ may only address the first element of an array, or one-past-the-last element, or any element in between. If p addresses the first element of an array of N elements, then p.lwb == 0 and p.lim == N. If it addresses one-past-the-last element, then p.lwb = -N and p.lim = 0. So p has implicit invariant p.lwb <= 0 && p.lim >= 0.

Within the body of copyError, eCv will attempt to prove that all accesses to msg and dst are in bounds. For example, the expression dst[i] has precondition dst.lwb <= i && i < dst.lim. Also, wherever copyError is called, eCv will attempt to prove that the precondition holds. So anywhere that buffer overflow is possible, there will be a corresponding a failed proof. If all the proofs succeed, and provided that no function with a precondition is ever called by external unproven code, we know that buffer overflow will not occur.

As with plain pointers, eCv assumes that array pointers may not take the value zero (i.e. NULL) unless you qualify them with the null keyword. When you qualify a pointer declaration with both array and null, it does not matter which order you place the qualifiers in; however we suggest using array null rather than the other way round.

When declaring a function parameter that accepts an array of elements of some type T, both C and C++ allow the type to be declared as T[ ] as an alternative to T*, with the same meaning. eCv also allows T[ ] as the type of a parameter to be qualified with null; so declaring a parameter with type T[ ] null has the same meaning as declaring it with type T* array null.

The not_null operator

Sometimes you may have an expression that has a nullable pointer type, but you know that its value is not null and you wish to use it in a context that requires a non-nullable pointer. You can do this using the not_null construct.

The expression not_null(pointer-expression) yields the value of pointer-expression (which must have nullable pointer or nullable array pointer type) as a non-nullable pointer or non-nullable array pointer, asserting that it is not null. This is equivalent to a cast from the nullable type to the non-nullable type, but avoids your C compiler or other static checker perhaps issuing a warning about a redundant cast. It also makes it clear that you are just asserting non-nullness, rather than trying to do a more general type conversion. eCv will generate a verification condition that pointer-expression is not null.

If you use an expression whose type is a nullable pointer type in a context where a non-null pointer is required, eCv will assume an implicit not_null(...) operation around the expression, and warn you that it has done so.

Pointers as function parameters

Parameters of pointer type are often used to pass values results between functions and their callers. When you declare a parameter of a non-const pointer type, eCv normally assumes that when you call the function, it both reads and writes the value that is pointed to. Therefore, if you take the address of a variable and then pass that address to a function, you must initialize that variable first. The function is permitted but not obliged to update the variable by writing through the pointer.

You can change this behaviour by flagging a parameter with the keyword out at the start of its declaration. This indicates to eCv that the pointer parameter is used only to pass a value back from the function. When you take the address of a variable and then pass that address as the actual value of an out parameter, you do not need to initialize the variable first. However, a function is obliged to write through all its pointer parameters that have been flagged as out parameters, except when the parameter is a nullable pointer and the actual parameter is null.

Here is an example:

void foo(int *p, out int *q, out int *r) {
p += 1; /* ok */
q += 1; /* error, out-parameter q used before it has been initialized */
return; /* error, function must initialize out-parameter r before returning */
}

...
int a, b, c, d;
foo(&a, &b, &c); /* error, 'a' has not been initialised */
foo(&b, &c, &d); /* ok, 'b' was initialized by the previous call to foo */

Only parameters of non-const pointer type (including pointer types flagged array and/or null) may be flagged out.

Assertions and assert.h

If you use assertions in your program and #include "assert.h" in your source file, we suggest that you make this inclusion conditional like this:

/* #include "ecv.h " somewhere before the following */ #ifndef __ECV__ #undef assert /* remove eCv's definition */ #include "assert.h" #endif

eCv will then treat your assertions as eCv assertion statements (see assert) and try to prove they are true.

If you do not make the inclusion conditional, then the definition of assert in file assert.h may override the definition of assert in file ecv.h. If the DEBUG macro is defined when you run eCv, then your assertions will typically be expanded to code that performs I/O if the assertion fails. eCv will try to verify this code and will report errors if it modifies variables that were not declared in the writes-clause of the current function.

Extensions to the C and C++ languages supported by eCv

eCv supports the following extensions to the C and C++ languages as defined in the ISO standard documents:

Comments beginning with // and ending at end-of-line are permitted even in C90 mode. Comments of this form are part of the C99 and C++ language standards.
Integer literals in binary format beginning with 0b or 0B are supported. The type of a binary integer literal is determined using the same rules as for hexadecimal integer literals. Note that eCv generates a warning if an un-suffixed integer literal is implicitly unsigned.
The address-placement syntax for variables supported by many embedded C compilers are supported.

Many C and C++ compilers support additional extensions. Where these extensions are implemented using additional keywords (possibly followed by a bracketed argument list), it is usually possible to define these keywords as null macros when processing with eCv, so that eCv does not see those extensions and can process the source file. File eCv.h already contains a number of these macro definitions.

Common error messages and what to do about them

Sometimes you may find that your C compiler accepts your source code, but eCv does not. Here are some of the most common eCv error messages that you may see under these conditions, and what they mean.

Error! Incorrect syntax at ... Assuming that a regular C compiler accepts your source code, then this means one of the following:

You have used an eCv reserved word as an identifier. You must either rename the identifier, or rename the keyword. To make this sort of error easier to spot visually, we recommend that you use an editor that supports syntax highlighting, and add all the eCv keywords to its keyword list for C.
You have declared the types of function parameters using the old K&R syntax. Use the ANSI/ISO syntax instead.
(when this error occurs at the keyword case or default) You have written a switch statement that does not conform to the format supported by eCv. Case labels must appear directly in the body of the switch statement, not nested inside further compound statements.
You have included a declaration directly in the body of a switch statement.
You have followed the colon character in a conditional expression directly by a minus-sign. Resolve this by inserting a space character after the colon.
You are using a C99 or C++ construct that is not supported by eCv.

Error! Incorrect syntax at token '_ecv_pre'. This can occur if you have extra brackets around the function declarator, e.g.

int (foo(int arg)) pre arg > 0 { ... }

The fix is either to remove the extra brackets:

int foo(int arg) pre arg > 0 { ... }

or to include the precondition (and any other specifications) inside the brackets:

int (foo(int arg) pre arg > 0 ) { ... }

Error! Cannot find declaration of class 'size_t'. This will occur if your program uses the C sizeof keyword, but you haven't included any standard header file that defines size_t. eCv needs this definition so that it knows exactly what type a sizeof expression yields. The fix is to #include stddef.h (or some other header that correctly defines size_t) in your source file.

Error! Cannot find declaration of class 'ptrdiff_t'. This will occur if your program subtracts one pointer from another, but you haven't included any standard header file that defines ptrdiff_t. eCv needs this definition so that it knows exactly what type a pointer difference expression yields. The fix is to #include stddef.h (or some other header that correctly defines ptrdiff_t) in your source file.

Error! No binary operator '==' defined between types 'T*' and 'int' (for some T, where the integer operand is literal zero, and where == can also be !=). This normally indicates that the variable or parameter of type T* should have been declared nullable, i.e. T* null instead of just T*.

Error! No binary operator '+' defined between types 'double' and 'int' (for '+' or some other arithmetic operator). eCv does not support mixed-mode arithmetic. Cast the integral operand to double or some other suitable floating-point type.

Error! No globals or current class members can match 'result'. This occurs when you use an expression like 0..result in a specification and you are using your compiler's own preprocessor. The reason is that the preprocessor treats 0..result as a single pp-number token, so it doesn't recognise result as a macro to be expanded. To fix this, put a space between 0 and .. or between .. and result, or use (0) instead of 0, or use (result) instead of result.

Line and column coordinates in error and warning messages

If your code uses either an eCv specification macro such as pre or one of your own macros, and eCv detects errors either in the code resulting from the macro expansion or in code that follows the macro and its arguments on the same line, then the line/column coordinates that eCv provides in the error message may to be incorrect. This is because eCv sees the code after macro expansion.

If you put specification macros and their actual parameters all on the same line, and you do not use any other macros on that line, then the line number should be correct. If you are using the eCv preprocessor or your compiler's preprocessor preserves white space, and you use the standard eCv specification macro names, then the column numbers should also be correct.

If you use keywords starting with _ecv_ directly, then the column number of any message that refers to a construct after that keyword but on the same line will be incorrect. This is because when eCv calculates the column number in the original source file, it assumes that any keyword starting with _ecv_ was generated by expanding the corresponding keyword without the _ecv_ prefix.

If you put macro parameters on more than one line, then your preprocessor may expand the macro such that everything is on one line. In that case, any error messages relating to code or specifications in the macro parameters will have a line number that relates to the source line on which the macro name appeared; and the column number may be somewhat higher than the number of columns in that line. For this reason, we suggest that, when declaring specifications, you keep each specification and its arguments on the same line, wherever possible. For example, don't use:

pre(a >= 0; a < 10)

Instead, use either:

pre(a >= 0; a < 10)

or:

pre(a >= 0) pre(a < 10)

Suppressing warning messages

You can suppress a warning message (but not an error message) like this:

#pragma ECV ignore_warning "warning-text"

This will cause a single instance of a warning message that includes the specified text to be ignored. Instead, an information message will be generated that the warning has been ignored. You can list multiple comma-separate warning messages in a single pragma. Here is an example:

void f(int a, unsigned int b) { #pragma ECV ignore_warning "Signed/unsigned mismatch", "Implicit conversion of expression 'a + b'" int c = a + b;

Optionally, you may give an integer line offset before the first message, to specify the number of lines to be skipped before the warning message is expected. Here is another way of expressing the previous example:

#pragma ECV ignore_warning 2 "Signed/unsigned mismatch" #pragma ECV ignore_warning 1 "Implicit conversion of expression 'a + b'" void f(int a, unsigned int b) { int c = a + b;

eCv will warn you if you use the ignore-warning pragma but no matching warning is generated.

TOC

Normal keyword	Underlying keyword	Where used	See section
any	_ecv_any	'any' expression	Collections
array	_ecv_array	Indicates that a pointer refers to an array	array
assert	_ecv_assert	Assertion statement	assert
assume	_ecv_assume	Assume declaration	assume
bool		Boolean type	Boolean types
decrease	_ecv_decrease	Declares a loop variant	decrease
exists	_ecv_exists	'exists' expression	Quantified expressions
false		Boolean false value	Boolean types
forall	_ecv_forall	'forall' expression	Quantified expressions
ghost	_ecv_ghost	Declares that a declaration is for use in specifications only	ghost (see also Ghosts)
holds	_ecv_holds	'holds' expression	Disjoint expressions
idiv	_ecv_idiv	An integer division operator that always rounds down	Binary operators
imod	_ecv_imod	An integer modulus operator that always yields a non-negative result	Binary operators
in	_ecv_in	Element-in-collecton operator	Binary operators
integer	_ecv_integer	Unbounded integer type	ghost
	_ecv_interrupt	Function specifier to indicate that the function is an interrupt service routine	(to be added)
invariant	_ecv_invariant	Declares a structure invariant	invariant
keep	_ecv_keep	Declares a loop invariant	keep
let	_ecv_let	Names a subexpression so you can refer to it in a larger expression	let
maxof	_ecv_maxof	Yields the maximum value in a type	Type operators
minof	_ecv_minof	Yields the minimum value in a type	Type operators
min_sizeof	_ecv_minof	Yields the minimum value that sizeof could yield for the same type	Type operators
not_null	_ecv_not_null	Cast a nullable pointer to a non-nullable pointer	not_null
null	_ecv_null	Declares that a pointer is nullable	Nullable and non-nullable pointers
	_ecv_nullptr	Null pointer literal	Additional eCv++ keywords
old	_ecv_old	Selects the original value of an expression instead of the final or current value in a postcondition, loop invariant or loop variant	old
out	_ecv_out	Indicates that a pointer parameter is used only to pass a value back to the caller	Pointers as function parameters
over	_ecv_over	'over' expression	Collections
pass	_ecv_pass	Null statement	pass
post	_ecv_post	Declares a postcondition	post
	_ecv_pow	Exponentiation operator	Binary operators
pre	_ecv_pre	Declares a precondition	pre
result	_ecv_result	Refers to function result in a postcondition	post
returns	_ecv_returns	Declares a function return value	returns
some	_ecv_some	Indicates any object(s) of a specified type
spec	_ecv_spec	Declares that a function prototype overrides another similar one
that	_ecv_that	'that' expression	Collections
those	_ecv_those	'those' expression	Collections
true		Boolean true value	Boolean types
wchar_t		Wide character type	below
writes	_ecv_writes	Declares nonlocal variables that a function writes to	writes
value	_ecv_value	Refers to the value of the structure in a structure invariant, similar to (*this) in C++
yield	_ecv_yield	'for..yield' and 'for..those..yield' expressions	Collections
zero_init	_ecv_zero_init	Yields the value of a type obtained by setting all bits to zero	Type operators