The document describes the implementation and verification of a bubble sort algorithm using the Frama-C software analysis platform. It includes the C code implementation of bubble sort, pre and post conditions specified in contracts, annotations added to the code, and an example run demonstrating that the inner loop maintains the partially sorted property.

1. Correct sorting with Frama-C
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
July 2, 2009
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

2. Algorithm implementation
Implementation
void bubbleSort ( int * vector , int tam ) {
int j , i ;
j = i = 0;
for ( i =0; i < tam ; i ++) {
for ( j =0; j < tam -i -1; j ++) {
if ( vector [ j ] > vector [ j +1]) {
swap (& vector [ j ] ,& vector [ j +1]) ;
}
}
}
}
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

3. Contract
pre-conditions
tam > 0
valid range(vector , 0, tam − 1)
post-conditions
sorted(vector , 0, tam − 1)
∀a : 0 ≤ a < tam : (∃b : 0 ≤ b < tam : old(vector (b)) ≡ vector (a))
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

4. Annotations
requires tam > 0;
requires valid_range ( vector ,0 , tam -1) ;
ensures ( forall integer a ; 0 <= a < tam
== > ( exists integer b ; 0 <= b < tam
== > at ( vector [ b ] , Old ) == at ( vector [ a ] , Here ) ) ) ;
ensures Sorted { Here }( vector , 0 , tam -1) ;
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

5. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

6. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

7. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

8. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

9. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

10. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

11. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

12. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

13. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

14. Inner-loop
Example
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
The j th + 1 element of sequence is greater or equal to the first
j + 1 elements of sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

15. Inner-loop (cont.)
Loop invariants
0 ≤ j < tam − i
0 < j < tam − i ⇒ (∀a : 0 ≤ a ≤ j : vector (a) ≤ vector (j + 1))
Loop variants
tam − i − j − 1
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

16. Inner-loop invariants & variant
loop invariant 0 <= j < tam - i ;
loop invariant 0 < j < tam - i
== > forall int a ; 0 <= a <= j
== > vector [ a ] <= vector [ j +1];
loop variant tam -i -j -1;
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

17. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

18. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

19. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

20. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

21. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

22. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

23. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

24. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

25. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

26. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

27. Outer-loop
Example
antes, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
Last i + 1 elements of sequence are sorted
Last i + 1 are all greater or equal to the other elements of the
sequence.
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

28. Outer-loop (cont.)
Loop invariants
0 ≤ i < tam
sorted(vector , tam − i − 1, tam − 1)
0 < i < tam ⇒
(∀{a,b} : 0 ≤ b ≤ tam − i − 1 ≤ a < tam : vector (a) ≥ vector (b))
Loop variants
tam − i
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

29. Outer-loop invariants & variant
loop invariant 0 <= i < tam ;
loop invariant Sorted { Here }( vector , tam -i -1 , tam -1) ;
loop invariant 0 < i < tam
== > forall int a , b ; 0 <= b <= tam -i -1 <= a < tam
== > vector [ a ] >= vector [ b ];
loop variant tam - i ;
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

30. Conclusions
Fast and powerful
Possible to prove bubble-sort’s correctness with just 16
annotations
Constantly updated
Although extensive, the documentation lacks detail x
Complex programs may require advanced knowledge in Logic x
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

31. Questions
?
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

32. Resources - rest of the code
/* @ predicate Sorted { L }( int a [] , integer l , integer h ) =
@ forall integer i ; l <= i < h
@ == > at ( a [ i ] , L ) <= at ( a [ i +1] , L ) ;
@ */
/* @ requires valid ( i ) && valid ( j ) ;
@ // BUG 0000080: Assertion failed in jc_int erp_misc . ml
@ // assigns *i , * j ;
@ ensures at (* i , Old )
@ == at (* j , Here ) && at (* j , Old )
@ == at (* i , Here ) ;
@ */
void swap ( int *i , int * j ) {
int tmp = * i ;
*i = *j;
* j = tmp ;
}
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

33. Resources - images
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C

34. Resources - images (cont.)
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C