Differences
This shows you the differences between two versions of the page.
sav07_lecture_3_skeleton [2007/03/20 14:27] vkuncak
sav07_lecture_3_skeleton [2007/03/20 14:28] vkuncak
Line 16: | Line 16: | ||
* efficient | * efficient | ||
* create formulas that we can prove later | * create formulas that we can prove later | ||
+ | |||
==== Formulas for basic statements ==== | ==== Formulas for basic statements ==== | ||
Line 23: | Line 24: | ||
R(x=t) = (x=t & y=y_0 & error=error_0) | R(x=t) = (x=t & y=y_0 & error=error_0) | ||
- | <b>Note</b>: all our statements will have the property that if error_0 = true, then error=true. That is, you can never recover from an error state. This is convenient: if we prove no errors at the end, then there were never errors in between. | + | **Note**: all our statements will have the property that if error_0 = true, then error=true. That is, you can never recover from an error state. This is convenient: if we prove no errors at the end, then there were never errors in between. |
- | <b>Note</b>: the condition y=y_0 & error=error_0 is called <b>frame condition</b>. There are as many conjuncts as there are components of the state. This can be annoying to write, so let us use shorthand frame(x) for it. The shorthand frame(x) denotes a conjunction of v=v_0 for all v that are distinct from x (in this case y and error). We can have zero or more variables as arguments of frame, so frame() means that nothing changes. | + | **Note**: the condition y=y_0 & error=error_0 is called <b>frame condition</b>. There are as many conjuncts as there are components of the state. This can be annoying to write, so let us use shorthand frame(x) for it. The shorthand frame(x) denotes a conjunction of v=v_0 for all v that are distinct from x (in this case y and error). We can have zero or more variables as arguments of frame, so frame() means that nothing changes. |
R(havoc x) = frame(x) | R(havoc x) = frame(x) | ||
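Review bot: the markup conversion in this hunk is incomplete: the second note changes `<b>Note</b>` to `**Note**` but leaves `<b>frame condition</b>` as raw HTML on the new side; for consistency with the rest of the change it should read `**frame condition**`.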
Line 31: | Line 32: | ||
R(assert F) = (F -> frame) | R(assert F) = (F -> frame) | ||
- | Note: | + | **Note**: |
x=t is same as havoc(x);assume(x=t) | x=t is same as havoc(x);assume(x=t) |
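Review bot: two notational inconsistencies in the unchanged context of this hunk are worth fixing in the same pass: `R(assert F) = (F -> frame)` writes `frame` without the parentheses used by the shorthand `frame()` defined in the note above, and the last line writes `havoc(x)` while the definition line reads `R(havoc x)`. Pick one form for each so the shorthand reads as the same symbol throughout.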