| 459 | | === `$assume_push` |
| 460 | | |
| 461 | | === `$assume_pop` |
| | 459 | === Temporary assumptions: `$assume_push` and `$assume_pop` |
| | 460 | |
| | 461 | These functions have signatures: |
| | 462 | {{{ |
| | 463 | $system void $assume_push(_Bool pred); |
| | 464 | $system void $assume_pop(); |
| | 465 | }}} |
| | 466 | In the concrete semantics, `$assume_push` has the same semantics as `$assume`, and `$assume_pop` is a no-op. |
| | 467 | |
| | 468 | In the symbolic semantics, they behave as follows: each process maintains a stack of boolean symbolic expressions known as the temporary assumption stack. |
| | 469 | At any state, the ''effective path condition'' is the conjunction of the permanent path condition , and the conjunction, |
| | 470 | over all processes ''p'', of all entries in the temporary assumption stack of ''p''. |
| | 471 | A call to `$assume_push` pushes a new assumption onto the temporary assumption stack of the process making the call. |
| | 472 | A call to `$assume_pop` pops the stack of that process. |
| | 473 | This allows prior assumptions to be removed. |
| | 474 | This mechanism is consistent with the concrete semantics in that it yields an over-approximation of the set of reachable concrete states. |
| | 475 | Specifically, removing a clause from the effective path condition can only increase the set of concrete states represented by a symbolic state. |
| | 476 | This mechanism serves as a "widening operator" (in the sense of abstract interpretation), which enables symbolic execution to converge. |
| | 477 | |
