Context Navigation

Changes between Version 1 and Version 2 of Language

Timestamp:: 05/16/23 23:06:18 (3 years ago)
Author:: siegel
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Language

-              v1
+              v2
 = CIVL-C Language Manual
-== Qualifiers
-=== The `$input` and  `$output` type qualifiers
-The declaration of a variable in the root scope may include the type qualifier `$input`, e.g.,
-{{{
-$input int N;
-}}}
-This declares the variable to be an input variable, i.e., one which is considered to be an input to the program.
-Such a variable is initialized with an arbitrary (unconstrained) value of its type.
-When using symbolic execution to verify a program, such a variable will be assigned a unique symbolic constant of its type.
-In contrast, variables in the root scope which are not input variables will instead be initialized with the “undefined” value.
-Reading an undefined value is erroneous. [Note: the model checker attempts to catch such errors but currently
-does not do so for arrays, which are always initialized with unconstrained values.]
-In addition, input variables may only be read, never written to; an attempt to write to an input variable is also flagged as an error.
-Alternatively, it is possible to specify a particular concrete value for an input variable, either on the command line, e.g.,
-{{{
-civl verify -inputN=8 ...
-}}}
-or by including an initializer in the declaration, e.g.
-{{{
-$input int N=8;
-}}}
-The protocol for initializing an input variable is the following: if a command line value is specified, it is used.
-Otherwise, if an initializer is present, it is used.   Otherwise, the variable is assigned an arbitrary value of its type.
-A variable in the root scope may be declared with `$output` to declare it to be an output variable.
-Output variables may only be written to, never read.
-They are used primarily in functional equivalence checking.
-Input and output variables play a key role when determining whether two programs are functionally equivalent.
-Two programs are considered functionally equivalent if, whenever they are given the same inputs (i.e., corresponding $input
-variables are initialized with the same values) they will produce the same outputs (i.e., corresponding $output variables will
-end up with the same values at termination).
-=== `$abstract`
-An abstract function declares a function without a body.  An abstract function is declared using a standard function prototype with the function qualifier `$abstract`, e.g.,
-{{{
-  $abstract int f(int x);
-}}}
-An abstract function must have a non-void return type and take at least one parameter.   An invocation of an abstract function is an expression and can be used anywhere an expression is allowed.  The interpretation is an "uninterpreted function".    A unique symbolic constant of function type will be created, corresponding to the abstract function, and invocations are represented as applications of the uninterpreted function to the arguments.
-=== `$atomic_f`
-A function is declared atomic using the function qualifier `$atomic_f`, e.g.,
-{{{
-$atomic_f int f(int x) {
-  ...
+}
-}}}
-A call to such a function executes as a single atomic step, i.e., without interleaving from other processes.   Hence, this is only relevant for concurrent programs.  Declaring a function to be atomic is almost equivalent to placing `$atomic{ ... }` around the function body.   The difference is that in the latter case, the call to the function and the execution of the body are executed in two atomic steps, i.e., after activation frame is pushed onto the call stack, another process could execute before the first process obtains the atomic lock and executes its body.   For an atomic function, the entire sequence of events happens in one atomic step.
-An atomic function must have a definition; in particular, neither a system function nor an abstract function may be declared using `$atomic_f`.
-=== `$system`
-A system function is one in which the definition of the function is not provided in CIVL-C code, but is implemented instead in a certain Java class.  A system function is declared by adding the function qualifier `$system` to a function prototype.  Invocation of a system function always takes place in a single atomic step.
-A system function may have a guard, which is specified in the function contract using a `$executes_when` clause.  Unless constrained by its contract or other qualifiers, a system function may modify the stay in an arbitrary way.
-=== `$pure`
-A system or atomic function may be declared to be `$pure`, e.g.,
-{{{
-$pure $system double sin(double x);
-$pure $atomic_f double mysin(double x) {
-  return  x - x*x*x/6.;
+}
-}}}
-This means that the function is a mathematical function of its arguments only.    I.e., an invocation of the function has no side-effects and the return value depends on the arguments only (if called twice with the same arguments, it will return the same value, regardless of any differences in the state).   The user is responsible for ensuring that a function declared pure actually is pure.    If this is not the case, the model checker may produce incorrect results.
 == Types
 …
 The boolean type is denoted `_Bool`, as in C. Its values are 0 and 1, which are also denoted by `$false` and `$true`, respectively.
+One may also include the standard C header `stdbool.h`, which defines `false` and `true` (also as 0 and 1), and defines the type
+`bool` to be an alias for `_Bool`.
 === The integer type
 …
 Ranges are typically used as a step in constructing domains.
 They can also be used in quantified expressions to specify the domain of a bound variable (see `$forall` and `$exists`).
+== Type qualifiers
+=== The `$input` and  `$output` type qualifiers
+The declaration of a variable in the root scope may include the type qualifier `$input`, e.g.,
+{{{
+$input int N;
+}}}
+This declares the variable to be an input variable, i.e., one which is considered to be an input to the program.
+Such a variable is initialized with an arbitrary (unconstrained) value of its type.
+When using symbolic execution to verify a program, such a variable will be assigned a unique symbolic constant of its type.
+In contrast, variables in the root scope which are not input variables will instead be initialized with the “undefined” value.
+Reading an undefined value is erroneous. [Note: the model checker attempts to catch such errors but currently
+does not do so for arrays, which are always initialized with unconstrained values.]
+In addition, input variables may only be read, never written to; an attempt to write to an input variable is also flagged as an error.
+Alternatively, it is possible to specify a particular concrete value for an input variable, either on the command line, e.g.,
+{{{
+civl verify -inputN=8 ...
+}}}
+or by including an initializer in the declaration, e.g.
+{{{
+$input int N=8;
+}}}
+The protocol for initializing an input variable is the following: if a command line value is specified, it is used.
+Otherwise, if an initializer is present, it is used.   Otherwise, the variable is assigned an arbitrary value of its type.
+A variable in the root scope may be declared with `$output` to declare it to be an output variable.
+Output variables may only be written to, never read.
+They are used primarily in functional equivalence checking.
+Input and output variables play a key role when determining whether two programs are functionally equivalent.
+Two programs are considered functionally equivalent if, whenever they are given the same inputs (i.e., corresponding $input
+variables are initialized with the same values) they will produce the same outputs (i.e., corresponding $output variables will
+end up with the same values at termination).
+===  Abstract (uninterpreted) functions
+An abstract function declares a function without a body.  An abstract function is declared using a standard function prototype with the function qualifier `$abstract`, e.g.,
+{{{
+  $abstract int f(int x);
+}}}
+An abstract function must have a non-void return type and take at least one parameter.   An invocation of an abstract function is an expression and can be used anywhere an expression is allowed.  The interpretation is an "uninterpreted function".    A unique symbolic constant of function type will be created, corresponding to the abstract function, and invocations are represented as applications of the uninterpreted function to the arguments.
+=== Atomic functions
+A function is declared atomic using the function qualifier `$atomic_f`, e.g.,
+{{{
+$atomic_f int f(int x) {
+  ...
+}
+}}}
+A call to such a function executes as a single atomic step, i.e., without interleaving from other processes.   Hence, this is only relevant for concurrent programs.  Declaring a function to be atomic is almost equivalent to placing `$atomic{ ... }` around the function body.   The difference is that in the latter case, the call to the function and the execution of the body are executed in two atomic steps, i.e., after activation frame is pushed onto the call stack, another process could execute before the first process obtains the atomic lock and executes its body.   For an atomic function, the entire sequence of events happens in one atomic step.
+An atomic function must have a definition; in particular, neither a system function nor an abstract function may be declared using `$atomic_f`.
+=== System functions
+A system function is one in which the definition of the function is not provided in CIVL-C code, but is implemented instead in a certain Java class.  A system function is declared by adding the function qualifier `$system` to a function prototype.  Invocation of a system function always takes place in a single atomic step.
+A system function may have a guard, which is specified in the function contract using a `$executes_when` clause.  Unless constrained by its contract or other qualifiers, a system function may modify the stay in an arbitrary way.
+=== Pure functions
+A system or atomic function may be declared to be `$pure`, e.g.,
+{{{
+$pure $system double sin(double x);
+$pure $atomic_f double mysin(double x) {
+  return  x - x*x*x/6.;
+}
+}}}
+This means that the function is a mathematical function of its arguments only.    I.e., an invocation of the function has no side-effects and the return value depends on the arguments only (if called twice with the same arguments, it will return the same value, regardless of any differences in the state).   The user is responsible for ensuring that a function declared pure actually is pure.    If this is not the case, the model checker may produce incorrect results.
 == Expressions
 …
 === `$here`
+=== The `$here` scope expression
 Expression of type `$scope`, evaluating to the dynamic scope in which the evaluation takes place.
 === `$proc_null`
+=== The null process reference
 The null process constant.  Similar to the NULL pointer, this gives an object of `$proc` type a defined value, and can be used in `==` and `!=` expressions.  It cannot be used as the argument to `$wait` or `$waitall`.
 === `$root`
+=== The root scope constant
 Constant of type `$scope`, the root dynamic scope.
 …
 Precisely, the infinite sequence is intersected with the set of integers greater than or equal to `lo`.
 === `$scopeof`
+=== The scope of an expression
 Given any left-hand-side expression ''expr'', the expression `$scopeof(`''expr''`)` evaluates to the dynamic scope containing the object specified by ''expr''.
 …
 Each of these expressions is erroneous if `s1` or `s2` is undefined.  This error is reported by the model checker.
 === `$self`
+=== This process: `$self`
 This expression of `$proc` type returns a reference to the process which is evaluating this expression.  It provides a way for code to obtain the identity of the process executing the code.