<VCC Notes > Assumption

Next is the second type of comment statement, Assumption. Syntax _ (assume E), this expression is to let VCC in the next amount of reasoning, ignoring the expression E, directly recognize the expression E.

Cases:

int x, y;

_ (assume X! = 0)

y = 100/x;

Before the assumption, VCC will definitely not pass validation, because x may be 0. However, after adding assumption, VCC chose to abandon the treatment and add x!=0 to its own database. But it doesn't do you any good to fool vcc with assumption, because when the code is actually running, no one will take care of that heap of annotations, and when x happens to be 0, the program will be crash. So in general, if you want your verification to be reliable, assumption can only be a temporary product in the verification process, and eventually it will be eliminated as much as possible.

Sounds assumption is not a good thing, in fact, he also has a lot of effect.

1. When your code is complex, VCC is difficult to verify, you can use assumption first skip, assumption is also a mark, and then to verify him.

2. When you debug those comments, you can use assumption to narrow down the error range and help locate the error.

3. For complex programs, VCC verification takes a long time, and using assumption allows VCC to discard the treatment and quickly pass that code to improve the efficiency of writing debug annotations.

4. You can use the assumption simulator to run the environment.

Even when VCC itself validates the program, it is secretly using assumption.

int x;

_ (Assert x = = 1)

_ (Assert x > 0)

In the example above, the first assertion will be an error, but the second will not. Since VCC gave the first assertion an error, he wrote a _ (assume x==1) in order to continue to find more errors.

Cases:

int x, y;

_ (Assert x > 5)

_ (Assert x > 3)

_ (Assert x < 2)

_ (Assert y < 3)

Results

_ (Assert x > 5)//Fails

_ (Assert x > 3)//succeeds

_ (Assert x < 2)//Fails

_ (Assert y < 3)//Fails

<VCC Notes > Assumption