Changes between Version 34 and Version 35 of ContractReduction


Ignore:
Timestamp:
12/09/15 11:52:29 (10 years ago)
Author:
zmanchun
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • ContractReduction

    v34 v35  
    33== ACSL function contract grammar with CIVL-C extension (starting with `$`) ==
    44The CIVL-C function contract extends ACSL function contract with the following elements:
    5 * `$guards` clause: specify the guard of a function, i.e., the specified predicate should hold in order to enable the execution of the function body
    6 * `$depends` clause: specify the dependency relation of the function, usually used for partial order reduction (POR) or other analysis
    7 * `$reads` clause: specify memory locations read by the function, the syntax of which is similar to `assigns` clause
     5* `guards` clause: specify the guard of a function, i.e., the specified predicate should hold in order to enable the execution of the function body
     6* `depends` clause: specify the dependency relation of the function, usually used for partial order reduction (POR) or other analysis
     7* `reads` clause: specify memory locations read by the function, the syntax of which is similar to `assigns` clause
    88* additional parameter for `allocates` clause: specify the scope of the heap for allocation; if absent then the root scope `$root` is used
    99
     
    1414terminates-clause ::= terminates pred ;
    1515decreases-clause  ::= decreases term (for id)? ;
    16 guards-clause ::= $guards pred ;
     16guards-clause ::= guards pred ;
    1717simple-clause ::= assigns-clause | ensures-clause
    1818                | allocation-clause | abrupt-clause-fn
     
    2222ensures-clause ::= ensures pred ;
    2323allocation-clause ::= allocates tsets (, scope)? ; | frees tsets ;
    24 reads-clause ::= $reads tsets;
    25 depends-clause := $depends event (, event)*;
     24reads-clause ::= reads tsets;
     25depends-clause := depends event (, event)*;
    2626named-behavior ::= behavior id : behavior-body
    2727behavior-body ::= assumes-clause∗ requires-clause∗ simple-clause∗
     
    2929completeness-clause ::= complete behaviors (id (, id)∗)? ;
    3030                      | disjoint behaviors (id (, id)∗)? ;
    31 term ::= \old ( term ) | \result | \nothing | $everything
     31term ::= \old ( term ) | \result | \nothing | \everything
    3232pred ::= \old ( pred )
    3333}}}
     
    5454* a left-hand-side expression, when used in certain contexts, is automatically converted to `$memory`.  The contexts are: arguments to the built-in functions `$access`, `$read`, and `$write` described below, or occurrence in the list of an `$assigns` clause
    5555* `a[dom]`, where `a` is an expression of array type and `dom` is an expression of `$domain` type.   The dimension of the array must match the dimension of the domain.   This represents all memory units which are the cells in the array indexed by a tuple in `dom`.
    56 * `$region(ptr)`, where `ptr` is an expression with a pointer type.  This represents the set of all memory units reachable from `ptr`, including the memory unit pointed to by `ptr` itself.
     56* `\region(ptr)`, where `ptr` is an expression with a pointer type.  This represents the set of all memory units reachable from `ptr`, including the memory unit pointed to by `ptr` itself.
    5757
    5858[[* `mem1+mem2`, where `mem1` and `mem2` are expressions of type `$memory`.  This is the union of the two sets.]]  Problem this is ambiguous with numeric +, as in x+y.
     
    6868Example:
    6969{{{
    70 assigns x,a[i][j],$region(list->head),b[dom];
    71 }}}
    72 
    73 
    74 == `$depends` clause ==
     70assigns x,a[i][j],\region(list->head),b[dom];
     71}}}
     72
     73
     74== `depends` clause ==
    7575
    7676This contractual clause specifies part of the dependence relation used in POR.
    7777{{{
    78 $depends event (, event)*
     78depends event (, event)*
    7979}}}
    8080where `event` is a memory event represented as a boolean expression.   For each process `p`, the `event ` can be evaluated in the context of `p`.   If `event ` evaluates to `true`, then `p` must be included in an ample set containing a call to this function.
     
    8484{{{
    8585EventSetExpression
    86  ::= $read(MemorySetExpression)
    87  | $write(MemorySetExpression)
    88  | $access(MemorySetExpression)
    89  | $calls(FunctionCallExpression)
     86 ::= \read(MemorySetExpression)
     87 | \write(MemorySetExpression)
     88 | \calls(FunctionCallExpression)
    9089 | \nothing
    91  | $everything
     90 | \everything
    9291 | ‘(’ EventSetExpression ‘)’
    9392 | EventSetExpression + EventSetExpression
     
    102101The following built-in functions may be used as constituents in the boolean expression `e`:
    103102
    104 * `_Bool $access(<memory-list>)`
    105  * holds if any memory unit in the list may be read or modified by `p` at some point now or in the future.
    106 * `_Bool $write(<memory-list>)`
     103* `_Bool \write(<memory-list>)`
    107104 * holds if any memory unit in the list may be modified by `p` at some point now or in the future.
    108 * `_Bool $read(<memory-list>)`
     105* `_Bool \read(<memory-list>)`
    109106 * holds if any memory unit in the list may be read by `p` at some point now or in the future.
    110107
    111 Default: if there is no `$depends` clause present, the dependency information will be obtained from Java code in the library enabler.  If the library enabler does not specify anything for this function, the default rules will be used, which are sound:
     108Default: if there is no `depends` clause present, the dependency information will be obtained from Java code in the library enabler.  If the library enabler does not specify anything for this function, the default rules will be used, which are sound:
    112109* if the body of the function is not provided, i.e., the function is a system function, the verifier will assume that execution of the function may read and/or modify any memory unit that it can reach, and decide on the partial order reduction appropriately, else
    113110* if the body of the function is present, the statements comprising the body may be analyzed to further restrict the reduction.
     
    176173=== Use of `$depends` ===
    177174
    178 In the case where S is a function call, the `$depends` clause in the function contract specifies the
     175In the case where S is a function call, the `depends` clause in the function contract specifies the
    179176set A(s,S,p) as follows: first the depends clause specifies a predicate d(s,q) where s is a state and
    180177q is a proc.  Then
     
    204201- The following means that any process that can reach the memory unit of `comm` should be in the ample set if the current process (`$self`) is to be chosen in the ample set.
    205202{{{
    206 /*@ $depends $access(*comm); */
     203/*@ depends \access(*comm); */
    207204void comm_dequeue($comm comm, ....);
    208205}}}
     
    216213/*@ requires scope <= $root;
    217214  @ requires size >= 0;
    218   @ $depends \nothing;
    219   @ $guards $true;
     215  @ depends \nothing;
     216  @ guards true;
    220217  @ assigns \nothing;
    221218  @ */
     
    226223/* Destroys the gbarrier */
    227224/*@ requires barrier != \null;
    228   @ $guards $true;
    229   @ $depends \nothing;
     225  @ guards true;
     226  @ depends \nothing;
    230227  @ assigns barrier;//barrier has pointer type, and is converted into $memory type automatically
    231228  @ */