| 61 | | * `$input` |
| 62 | | * `$output` |
| 63 | | * `$abstract` |
| 64 | | * `$atomic_f` |
| 65 | | * `$system` |
| 66 | | * `$pure` |
| | 61 | === The `$input` and `$output` type qualifiers |
| | 62 | |
| | 63 | The declaration of a variable in the root scope may include the type qualifier `$input`, e.g., |
| | 64 | {{{ |
| | 65 | $input int N; |
| | 66 | }}} |
| | 67 | This declares the variable to be an input variable, i.e., one which is considered to be an input to the program. |
| | 68 | Such a variable is initialized with an arbitrary (unconstrained) value of its type. |
| | 69 | When using symbolic execution to verify a program, such a variable will be assigned a unique symbolic constant of its type. |
| | 70 | In contrast, variables in the root scope which are not input variables will instead be initialized with the “undefined” value. |
| | 71 | Reading an undefined value is erroneous. [Note: the model checker attempts to catch such errors but currently |
| | 72 | does not do so for arrays, which are always initialized with unconstrained values.] |
| | 73 | In addition, input variables may only be read, never written to; an attempt to write to an input variable is also flagged as an error. |
| | 74 | |
| | 75 | Alternatively, it is possible to specify a particular concrete value for an input variable, either on the command line, e.g., |
| | 76 | {{{ |
| | 77 | civl verify -inputN=8 ... |
| | 78 | }}} |
| | 79 | or by including an initializer in the declaration, e.g. |
| | 80 | {{{ |
| | 81 | $input int N=8; |
| | 82 | }}} |
| | 83 | The protocol for initializing an input variable is the following: if a command line value is specified, it is used. |
| | 84 | Otherwise, if an initializer is present, it is used. Otherwise, the variable is assigned an arbitrary value of its type. |
| | 85 | |
| | 86 | A variable in the root scope may be declared with `$output` to declare it to be an output variable. |
| | 87 | Output variables may only be written to, never read. |
| | 88 | They are used primarily in functional equivalence checking. |
| | 89 | |
| | 90 | Input and output variables play a key role when determining whether two programs are functionally equivalent. |
| | 91 | Two programs are considered functionally equivalent if, whenever they are given the same inputs (i.e., corresponding $input |
| | 92 | variables are initialized with the same values) they will produce the same outputs (i.e., corresponding $output variables will |
| | 93 | end up with the same values at termination). |
| | 94 | |
| | 95 | === `$abstract` |
| | 96 | |
| | 97 | === `$atomic_f` |
| | 98 | |
| | 99 | === `$system` |
| | 100 | |
| | 101 | === `$pure` |
