Includes modifying the matrix valid predicate to ensure matrices are in the queue when they should be, not in the queue when they shouldn't be, etc. (see GB_object_check.c)

EVA is crashing with an error claiming it doesn't support ACSL logic inductive types. identity_is_zero_bool_valid is the predicate where the logic inductive types apparently show up. Determine if logic inductive types are used (I didn't think they were) and try to get around it, otherwise leave it out. Commented out for now.

EVA and WP cannot discharge proofs with \pow(2,60), but can with 1ULL << 60; representing 2^60 which is the GB_INDEX_MAX.

nzmax may not be the same as nvals in meaning

• GrB_Matrix_new & dependencies
• GrB_Matrix_free & dependencies
• GrB_Matrix_nrows/ncols & dependencies
• GrB_Matrix_clear & dependencies
• GrB_AxB_numeric & dependencies

Using ghost code it should be possible to validate that a matrix has the correct number of zombies.

Quirk of the specification language is that (0..size-1) has to contain spaces around .., ie. (0 .. size-1). Need to make sure annotated code reflects this.

• Need to refactor memory footprint logic functions into separated predicates, because WP doesn't support most heterogeneous pointer casts, Alt-Ergo throws an error when using logic functions which return set<T>, and \separated does not ensure pointers within a set are separated from themselves, but rather it ensures those pointers are separated from pointers in other argument sets to \separated. This will make the logic/annotations significantly longer. [The last reason is the most important, because the others can be resolved through the Value Analysis plug-in]
• Need to take a second look at how I deal with pointers to other GraphBLAS structs within the current GraphBLAS struct
• Some pointers can alias within and between structs, ie. type and function pointers, so make sure this is handled correctly within footprints and when they are used

WP doesn't support assigns clauses well within behaviors, particularly when verifying a call hierarchy. WP doesn't support frees/allocates clauses at all, but may in the future and most likely will not support them well within behaviors as with assigns clauses.

• GrB_Matrix_free and dependencies
• GrB_Matrix_new and dependencies
• GrB_Matrix_nrows and dependencies - no assigns/frees/allocates clauses
• GrB_Matrix_ncols and dependencies - no assigns/frees/allocates clauses
• GB_AxB_numeric dependencies

Use of separation predicates should involve checking for null pointers as EVA's memory model ensures null pointers alias, ie. \separated(null,null) == false.

• Matrix footprint separated predicate
• GrB_Matrix_new and dependencies
• GrB_Matrix_free and dependencies
• GrB_Matrix_nrows/ncols and dependencies
• GB_shallow_cast and dependencies
• GB_Matrix_clear and dependencies
• GB_Work_alloc/free and dependencies
• Other footprint separated predicates

Currently, not verifying anything about global and local thread storage structs during method/function calls.

• verify that the binary operator of a monoid is associative
• verify that the identity element of a monoid is in fact an identity element of the binary operator and monoid domain
• validate any other algebraic properties of a monoid

WP's Typed+cast memory model (Byte not implemented yet) does support heterogeneous casts of polymorphic void ptrs, so long as it is casted to the proper type ptr that it should be.

Ie.

    bool b = (bool)true;
    bool *b_ptr = &b;
    void* f = (void*)b_ptr;
    //@ assert \valid((bool*)f);

Therefore, annotlib.acsl predicates and logic functions must be refactored to ensure sound casting of void ptrs. Otherwise, proofs will be unsound following the Typed+cast memory model.

Annotations for shallow_cast and cast_array written with minimal testing for matrix multiply. WP can parse the annotations fine, but EVA is crashing when being run on shallow_cast + its dependencies. Does not crash on cast_array. Need to fix this.

Something in matrix_valid predicate is crashing it.

Should check that the valid monoid within a semiring is in fact commutative. Monoid validity should check for algebraic properties of monoid structures, such as having an associative binary operator and a proper identity for that operator. Therefore, resolution of this issue depends on resolution of issue 2.

Write predicates to determine the equality of the GraphBLAS structs annotated in annotlib.acsl.

RTE gaurds can't be proven by behaviors - need top level requires clauses to discharge the proofs.

• GrB_Matrix_free and dependencies
• GrB_Matrix_new and dependencies
• GrB_Matrix_nrows and dependencies - no assigns/frees/allocates clauses
• GrB_Matrix_ncols and dependencies - no assigns/frees/allocates clauses
• GB_AxB_numeric and dependencies

GB_Matrix_free should probably ensure that internal graphblas objects are still valid, since they may alias with other objects which have not been freed or may be used in following program statements.

• GrB_Type
• GrB_BinaryOp

Matrix queue pointers will be handled when verifying the Matrix queue.

Write matrix_storage_init predicate that describes the internal storage values after a call to GrB_Matrix_new

Currently, free method annotations do not handle non-valid matrices which is technically incorrect, but done currently for simplicity.