unchecked_assert
Constrain variable ranges for static analysis with Polyspace products
Syntax
unchecked_assert(condition);
Description
unchecked_assert( is a function-like C/C++ macro that imposes a constraint on variable ranges for Polyspace® analysis of the subsequent code. For instance, in the following example, when analyzing the condition);return statement, Polyspace assumes that arg does not contain the value 0:
double reciprocal (int arg) {
unchecked_assert(arg != 0);
return 1.0/arg;
}Since the macro is not part of the C/C++ language standard, to avoid compilation errors, enclose the macro in a preprocessor directive like this:
#ifdef POLYSPACE unchecked_assert(arg != 0); #endif
POLYSPACE as a defined preprocessor directive. For instance, at the command line, append the analysis option -D POLYSPACE. See Preprocessor definitions (-D). Enclosing the unchecked_assert macro in an preprocessor directive like this makes the macro visible to a Polyspace analysis but not during regular compilation.A constraint specified through an unchecked_assert macro becomes part of the analysis assumptions. The analysis assumes the constraint and does not actually check if the constraint is true. If you want the constraint to be checked, instead of unchecked_assert, use the standard C debug macro assert.
Usage
Use the unchecked_assert macro to impose external constraints not directly supported through Polyspace analysis options such as Constraint setup (-data-range-specifications). When specifying external constraints, note the following:
Use
unchecked_assertto specify preconditions on variables at the program boundary, in particular:Inputs to uncalled functions (when there is no
main)Return values and modifiable parameters of undefined (stubbed) functions.
If you want to insert constraints in the middle of a program flow, use the standard C debug macro
assertinstead ofunchecked_assert. Code Prover uses theUser assertioncheck to determine if your constraints actually hold (in addition to imposing the constraint for the subsequent analysis).Use
unchecked_assertto specify only constraints that follow from actual external considerations. For instance, you can impose constraints to eliminate unphysical values of a physical quantity, such as temperature or efficiency ratio.
Examples
Impose Relations Between Inputs to Uncalled Functions
Consider the following example:
double getCoefficient(int item, int match)
{
double coefficient = match/(match-item);
return coefficient;
}The function getCoefficient() has two apparently unrelated inputs: item and match. When analyzing the function in the absence of a callee, Code Prover analysis considers the possibility that:
The two variables might have the same value. As a result, the analysis shows a possible division by zero on the
/operation.The variables
itemandmatchmight have opposite signs and arbitrarily large values allowed by their data types. As a result, the analysis shows a possible overflow on the-operation.
Suppose that you know from external requirements that:
The first parameter of
getCoefficient()is positive.The second parameter of
getCoefficient()is greater than the first parameter.
You can enter unchecked_assert statements at the beginning of getCoefficient() to impose the external requirements.
double getCoeff(int item, int match)
{
#ifdef POLYSPACE
unchecked_assert(item > 0 && match > item);
#endif
double coefficient = match/(match-item);
return coefficient;
}POLYSPACE and effectively activates the constraint, the analysis no longer shows the two possible errors. For more information on the option, see Preprocessor definitions (-D).Impose Relations Between Parameters of Undefined Functions
Consider the following example:
int getAnItem();
void lookup(int item, int *match);
int main(char argc, char* argv[])
{
int item = getAnItem(), match;
lookup(item, &match);
double coefficient = match/(match-item);
return 0;
}Both variables item and match are initialized with undefined functions, getAnItem() and lookup(). Since undefined functions are stubbed, a Code Prover analysis considers the possibility that:
The two variables might have the same value. As a result, the analysis shows a possible division by zero on the
/operation.The variables
matchanditemmight have opposite signs and arbitrarily large values allowed by their data types. As a result, the analysis shows a possible overflow on the-operation.
Suppose that you know from external requirements that:
The function
getAnItem()returns a positive value.The function
lookup()writes a positive value to the second argument passed by pointer. The value written is greater than the value of the first argument.
You can enter dummy definitions of the getAnItem() and lookup() functions. Within the dummy definitions, you can use unchecked_assert statements to impose the external
requirements.
int getAnItem();
void lookup(int item, int *match);
#ifdef POLYSPACE
// Function to initialize a variable with a random value
int getRandomValue();
// Dummy definition of getAnItem()
// Function returns a positive value
int getAnItem()
{
int ret = getRandomValue();
unchecked_assert(ret > 0);
return ret;
}
// Dummy definition of lookup()
// Function writes its second argument
// With a positive value greater than first argument
void lookup(int item, int *match)
{
*match = getRandomValue();
unchecked_assert(*match > 0 && *match > item);
}
#endif
int main(char argc, char* argv[])
{
int item = getAnItem(), match;
lookup(item, &match);
double coefficient = match/(match-item);
return 0;
}POLYSPACE and effectively activates the dummy function definitions, the analysis no longer shows the two possible errors. For more information on the option, see Preprocessor definitions (-D).Version History
Introduced in R2013b
