Expand the documentation of the goto-program instructions.

martin · martin · commit abdfc0067a5c · 2018-05-17T12:50:19.000+01:00
This clarifies a few sources of mistakes and misconceptions as well as
documenting some common practice.
diff --git a/src/goto-programs/goto_program.h b/src/goto-programs/goto_program.h
@@ -106,14 +106,19 @@ class goto_programt
   /// respective fields in this class:
   ///
   /// - GOTO:
-  ///     if `guard` then goto `targets`
+  ///     goto `targets` if and only if `guard` is true
+  ///     If there are multiple targets, pick one non-deterministically.
   /// - RETURN:
   ///     Set the value returned by `code` (which shall be either nil or an
   ///     instance of code_returnt) and then jump to the end of the function.
+  ///     Many analysis tools remove these instructions before they start.
   /// - DECL:
   ///     Introduces a symbol denoted by the field `code` (an instance of
   ///     code_declt), the life-time of which is bounded by a corresponding DEAD
-  ///     instruction.
+  ///     instruction.  Symbols must be DECL'd before they are used.
+  /// - DEAD:
+  ///     Ends the life of the symbol denoted by the field `code`.
+  ///     After a DEAD instruction the symbol must be DECL'd again before use.
   /// - FUNCTION_CALL:
   ///     Invoke the function denoted by field `code` (an instance of
   ///     code_function_callt).
@@ -124,7 +129,8 @@ class goto_programt
   ///     Execute the `code` (an instance of codet of kind ID_fence, ID_printf,
   ///     ID_array_copy, ID_array_set, ID_input, ID_output, ...).
   /// - ASSUME:
-  ///     Wait for `guard` to evaluate to true.
+  ///     This thread of execution waits for `guard` to evaluate to true.
+  ///     Assume does not "retro-actively" affect the thread or any ASSERTs.
   /// - ASSERT:
   ///     Using ASSERT instructions is the one and only way to express
   ///     properties to be verified. Execution paths abort if `guard` evaluates
@@ -134,17 +140,21 @@ class goto_programt
   /// - ATOMIC_BEGIN, ATOMIC_END:
   ///     When a thread executes ATOMIC_BEGIN, no thread other will be able to
   ///     execute any instruction until the same thread executes ATOMIC_END.
+  ///     Concurrency is not support by all analysis tools.
   /// - END_FUNCTION:
-  ///     Can only occur as the last instruction of the list.
+  ///     Must occur as the last instruction of the list and nowhere else.
   /// - START_THREAD:
   ///     Create a new thread and run the code of this function starting from
   ///     targets[0]. Quite often the instruction pointed by targets[0] will be
   ///     just a FUNCTION_CALL, followed by an END_THREAD.
+  ///     Concurrency is not support by all analysis tools.
   /// - END_THREAD:
   ///     Terminate the calling thread.
+  ///     Concurrency is not support by all analysis tools.
   /// - THROW:
   ///     throw `exception1`, ..., `exceptionN`
   ///     where the list of exceptions is extracted from the `code` field
+  ///     Many analysis tools remove these instructions before they start.
   /// - CATCH, when code.find(ID_exception_list) is non-empty:
   ///     Establishes that from here to the next occurrence of CATCH with an
   ///     empty list (see below) if
@@ -156,6 +166,7 @@ class goto_programt
   /// - CATCH, when empty code.find(ID_exception_list) is empty:
   ///     clears all the catch clauses established as per the above in this
   ///     function?
+  ///     Many analysis tools remove these instructions before they start.
   class instructiont final
   {
   public:
