Changes between Version 43 and Version 44 of Language


Ignore:
Timestamp:
05/22/23 09:23:42 (3 years ago)
Author:
siegel
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • Language

    v43 v44  
    804804There are clauses for preconditions, postconditions, and other concepts.
    805805These are used in various experimental extensions of CIVL.
    806 Here me describe the two clauses which are fully supported and in effect by the CIVL model checker.
    807 
    808 === Specifying a guard: `enabled_when`
     806Here we describe only the clauses which are fully supported and used by the core CIVL model checker.
     807
     808=== Specifying a guard: `executes_when`
    809809
    810810This clause has syntax
    811   `enabled_when` ''expr'' `;`
     811  `executes_when` ''expr'' `;`
    812812It may be used with an [#atomic_f atomic] or [#system system] function.
    813813This clause specifies a guard that applies whenever the function is called.
    814 The ''expr'' may use the formal parameters of the functions as well as any other variables that are in scope.
     814The ''expr'' may use the formal parameters of the function as well as any other variables that are in scope.
    815815Whenever control in a process is at a call to the function, the call will be enabled only if the guard evaluates to ''true''.
    816 The actual arguments used in the call are substituted for the formal parameters in the guard expression.
    817 
    818 Note: if the actual arguments have side-effects, they are automatically refactored so that the side-effects occur once, before the call.
     816To evaluate the guard, the actual arguments used in the call are substituted for the formal parameters in the guard expression.
     817
     818Note: if the actual arguments have side-effects, the code is automatically refactored so that the side-effects occur once, before the call.
    819819I.e., the call
    820820  ''f''`(`''expr,,1,,''`,` ''expr,,2,,''`,` ...`)`
     
    833833=== The `depends_on` clause #depends_on
    834834
    835 `\nothing`
    836 
    837 === The `executes_when` clause #executes_when
     835A depends_on clause has the form
     836  `depends_on` ( `\nothing` | ''access-list'' ) `;`
     837where ''access-list'' has the form
     838  `\access` `(` ''expr'' ( `,` ''expr'' )* `)`
     839Each expression in the access list should have a pointer type.
     840
     841The clause specifies the dependency relation for the system or atomic function.
     842This dependency information is used by the model checker's partial order reduction algorithm to restrict the interleavings explored.
     843
     844The precise semantics: for a process that is at a state from which a call to the function is enabled:
     845any transition from another process that does not access any object pointed to by an expression in the access list
     846will be independent of the function call.
     847
     848(Two transitions are independent if, from any state in which both are enabled, neither can disable the other, and the two transitions commute,
     849i.e., executing the fist and then the second results in the same state as executing the second and then the first.)
     850
     851This clause should be used with care: it is possible to specify a depends-on clause which is not sound, i.e.,
     852the clause may declare that two transitions are independent when they are not.
     853In this case, the model checker may skip some interleaving on which a violation occurs, and report that a program is correct when it is not.
     854This mechanism is intended for use by expert library developers.
     855
     856