Verification fails if `condition` is not true when the function is called.

Lets the verifier use `condition` to verify subsequent code.

```

int abs(int i)

_(requires i != INT_MIN)

{

return i >= 0 ? i : -i;

}

void foo()

{

abs(-42); // Cool.

abs(-2147483647) // Not cool.

}

```

### `_(ensures condition)`

Postcondition.

Verification fails if `condition` does not hold at the end of the function.

Lets the verifier use `condition` after the function has been called.

```

int positive()

_(ensures \result > 0)

{

return 5;

}

void foo()

{

int i = positive();

_(assert i >= 1)

}

```

### `_(maintains condition)`

Equivalent to `_(requires condition) _(ensures condition)`.

### `\result`

Refers to the return value of a function.

```

_(ensures \result == 42)

```

### `_(returns x)`

Equivalent to `_(ensures \result == x)`.

### `\old(x)`

Refers to the value of `x` when the function was called.

```

void foo(int x)

// [...]

{

x++;

_(assert x == \old(x) + 1)

}

```

### `\same(x)`

Equivalent to `x == \old(x)`.

## Assisting Verification

### `_(ghost statement)`

`statement` is executed by the verifier only, not during runtime of the compiled program.

It is used to calculate "meta"-information for reasoning about the code.

"Real" code can influence ghost code but not vice versa.

```

int i = 21;

_(ghost int I = i)

_(ghost I *= 2)

_(assert I == 42 && i == 21)

```

### `_(unchecked)(expression)`

Ignores arithmetic overflows in `expression`.

Usually, a programs' correctness depends on computer arithmetic behaving exactly like ordinary arithmetic, but in some special cases (e.g. hash computation), overflow is desired.

```

unsigned zero = _(unchecked)(UINT_MAX + 1);

```

## Framing, Type Invariants, Ownership

### `_(writes x)`

States that a function wants to write to the contents of the set of pointers `x`.

Can also be used with multiple arguments: `_(writes x, y, z)`.

```

void set_zero(int *p)

_(writes p)

// [...]

{

*p = 0;

}

```

### `_(pure)`

States that a function does not modify the heap (i.e. does not have side effects, is a pure function).

The result of the function only changes if the inputs or the values the function reads change.

```

_(pure) int max(int a, int b)

{

return a > b ? a : b;

}

```

### `_(reads x)`

States that a _pure_ function wants to read the contents of the pointers x and y (on the heap) and therefore might change its value when the contents of x or y change.

Can also be used with multiple arguments: `_(reads x, y, z)`.

Does not apply to non-pure functions.

```

_(pure) bool value_equal(Foo *a, Foo *b)

_(reads a, b)

// [...]

{

return a->value == b->value;

}

```

### `\array_range(array, length)`

Refers to all the `length` elements of `array` as a set of pointers. Equivalent to `&array[0], &array[1], ..., &array[length - 1]`.

```

void foo(int *arr, unsigned len)

_(writes \array_range(arr, len))

{

// [...]

}

```

### `\disjoint(x, y)`

Holds if `x` and `y` are non-overlapping sets of pointers.

```

\disjoint(\array_range(a, n), \array_range(b, m))

```

### `_(invariant condition)` (Type Invariant)

Verification fails if `condition` does not hold when the struct object is wrapped.

If the struct object is known to be in the wrapped state, its invariants hold.