1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
// 4 errors expected
class Main {
method A() {
var d := new Data;
call d.Init();
share d;
var t0: T := new T; t0.d := d;
share t0 between waitlevel and d
var t1: T := new T; t1.d := d;
share t1 between waitlevel and d
var t0Token: token<T.run>;
fork t0Token := t0.run();
var t1Token: token<T.run>;
fork t1Token := t1.run();
join t0Token; acquire t0; unshare t0;
join t1Token; acquire t1; unshare t1;
acquire d; unshare d;
assert 0 <= d.x && d.x < 100;
}
method B() returns (r: U)
lockchange r;
{
var u := new U;
share u;
var uToken: token<U.run>;
fork uToken := u.run();
acquire u; // a little unusual to acquire after a fork, but allowed
assert waitlevel == u.mu;
var v := new U;
share v; acquire v; // this line has the effect of increasing waitlevel
assert waitlevel == v.mu;
assert waitlevel != u.mu;
assert u << v;
assert u << waitlevel;
join uToken; // material for the smoke check
release u;
r := v;
}
method C()
ensures waitlevel == old(waitlevel);
{
var u := new U;
share u;
acquire u;
release u;
}
method Mx0()
{
}
method Mx1()
lockchange this
{
}
method MxCaller0()
ensures waitlevel == old(waitlevel);
{
}
method MxCaller1()
ensures waitlevel == old(waitlevel);
{
call Mx0();
}
method MxCaller2()
ensures waitlevel == old(waitlevel); // error
{
call Mx1();
} // error: missing lockchange
method D(u: U)
requires u != null && rd(u.mu) && waitlevel << u;
ensures waitlevel == old(waitlevel);
{
acquire u;
release u;
}
}
class Data {
var x: int;
invariant acc(x) && 0 <= x && x < 100;
method Init()
requires acc(x);
ensures acc(x) && x == 0;
{
x := 0;
}
}
class T {
var d: Data;
invariant rd(d) && d != null && rd(d.mu) && rd(this.mu) && this << d;
method run()
requires rd(mu) && waitlevel << this;
ensures rd(mu);
{
acquire this;
acquire d;
d.x := d.x + 1;
if (d.x == 100) { d.x := 0; }
release d;
release this;
}
}
class U {
method run()
requires rd(mu) && waitlevel << this;
ensures rd(mu);
{
}
}
// Tests that use OLD in postcondition of run:
class X {
var k: int
var l: int
method inc()
requires acc(k)
ensures acc(k) && k == old(k) + 1
{
k := k + 1
}
method Client0() returns (y: int)
ensures y == 8
{
var x := new X
x.k := 17 x.l := 10
call x.inc()
assert x.k == 18 && x.l == 10
y := x.k - x.l
}
method run()
requires acc(k) && 0 <= k
ensures acc(k) && k == old(k) + 1
{
k := k + 1
}
method Client1() returns (y: int)
ensures y == 8
{
var x := new X
x.k := 17
x.l := 20
var xToken: token<X.run>;
fork xToken := x.run();
x.l := 10
join xToken
assert x.k == 18 && x.l == 10
y := x.k - x.l
}
method Client2(tk: token<X.run>, x: X) returns (z: int)
requires x!=null && tk!=null && acc(tk.joinable) && tk.joinable && eval(tk.fork x.run(), acc(x.k) && 0<=x.k);
ensures 1 <= z
{
join tk
z := x.k
assert 1<=x.k;
}
}
class ReadSharing {
var x: int
method Consume()
requires rd(x)
{
// skip
}
method Divulge() // bad
requires rd(x)
{
call Consume()
call Consume() // error: cannot share twice (1773)
}
method Communicates() // good
requires rd(x,3)
ensures rd(x,1)
{
call Consume()
call Consume()
}
method Gossips() // bad
requires rd(x,3)
ensures rd(x,1)
{
call Consume()
call Consume()
call Consume()
} // error: does not live up to postcondition (2015)
method Shares() // good
requires rd(x,*)
ensures rd(x,*)
{
call Consume()
call Consume()
call Consume()
}
method TeamPlayer(N: int) // good
requires 0<=N && rd(x,N)
ensures rd(x,0)
{
var n := N
while (0 < n)
invariant 0<=n && rd(x,n)
{
n := n - 1
}
}
method Unselfish(N: int) // good
requires rd(x,*)
ensures rd(x,*)
{
var n := N
if (N == 173) {
call Unselfish(200)
}
while (0 < n)
invariant rd(x,*)
{
call Consume()
n := n - 1
}
}
}
|