docs: reorder statements page

Author: Philipp15b

website/docs/heyvl/statements.md

@@ -8,14 +8,40 @@ sidebar_position: 2
 Statements in HeyVL are instructions that are interpreted sequentially and that have side-effects.
 They are used inside the body of [procedures](./procs.md).
 
-## Semantics
+We can categorize HeyVL's statements into either *concrete* or *verification* statements.
+We have [concrete statements](#concrete-statements) and [verification statements](#verification-statements).
+Concrete statements include [assignments](#assignments), [Boolean choices](#boolean-choices), and [while loops](#while-loops).
+
+The purpose of *verification statements* is to encode either *proof obligations* and *proof assumptions*.
+For example, [assert and assume statements](#assert-and-assume) are used to do this.
+When you are verifying programs, you ideally do not use these verification statements directly but instead use Caesar's built-in set of [proof rules](../proof-rules/).
+They internally use verification statements, but Caesar's proof rules guarantee correct usage so that the proofs are sound.
+
+Below is an overview of HeyVL's statements with links to the respective documentation sections:
+
+| [Concrete Statements](#concrete-statements) | [Verification Statements](#verification-statements) |
+|-----------------------|-------------------------|
+| [Blocks](#blocks)                | [Assert and Assume](#assert-and-assume)       |
+| [Variable Declarations](#variable-declarations) | [Havoc](#havoc)                   |
+| [Assignments and Procedure Calls](#assignments)           | [Reward](#reward)                  |
+| [Boolean Choices](#boolean-choices)           | [Nondeterministic Choices](#nondeterministic-choices)|
+| [While Loops](#while-loops)                      |          |
+
+There are also some [deprecated verification statements](#deprecated-statements).
+
+
+## Semantics: The Meaning of HeyVL Programs {#semantics}
 
 Since HeyVL is an intermediate verification language, not all statements allow an operational interpretation of their effects.
 All HeyVL statements should be understood through their (quantitative) verification condition semantics.
 These are defined in reverse order, starting from an initial verification condition and proceeding from the last statement backwards to the front.
 We describe the *formal semantics of HeyVL statements* [in our paper on Caesar (cf. Section 3)](https://arxiv.org/pdf/2309.07781.pdf#page=10).
 
-## Blocks
+
+## Concrete Statements
+
+
+### Blocks
 
 A block is a sequence of statements enclosed by curly braces.
 Statements _may_ be separated by semicolons, but those can be omitted.
@@ -30,33 +56,82 @@ x = 1
 y = 1 // y is not declared in this scope
 ```
 
-## Variable Declarations
 
-A variable declaration `var name: Type` creates a new local variable in the current scope.
+### Variable Declarations
+
+A variable declaration creates a new local variable of type `Type` in the current scope:
+```heyvl
+var name: Type
+```
+See the [standard library](../stdlib/) for Caesar's built-in types and [domains](./domains.md) for user-defined types.
+
 A variable declaration can be combined with an assignment to initialize the variable:
 ```heyvl
 var forty_two: UInt = 42
 ```
 
-## Assignments
+If a variable is not initialized, the program will be verified *for all* possible values of that variable.
 
-An assignment `x = 39 + y` evaluates the expression on the right-hand side in the current state and assigns the result to the variable on the left-hand side.
+### Assignments and Procedure Calls {#assignments}
+
+An assignment evaluates the expression on the right-hand side in the current state and assigns the result to the variable on the left-hand side.
+For example:
+```heyvl
+x = 39 + y
+```
+The right-hand side must evaluate to a value of a type that can be matches the type of `x`.
+
+The right-hand side of the assignment can be a procedure call.
+See the [reference on procedure calls](./procs.md#calling-procedures) for more information.[^calls-concrete]
 
 The left-hand side of an assignment may be a list of variables to unpack a tuple.
 For example, imagine a procedure `two_numbers` whose return type is `(x: UInt, y: UInt)`.
 The following statement assigns the result of a call to `two_numbers` to `x` and `y`:
 ```heyvl
 x, y = two_numbers()
 ```
+If the procedure does not have any return values, the call may be written without the equals sign and the left-hand side, i.e. simply:
+```heyvl
+fn(arg1, arg2)
+```
 
-If the right-hand side of the assignment is a (pure) expression, then the verification condition semantics amounts to a substitution of the left-hand side by the right-hand side.
 
-The right-hand side of the assignment can be a procedure call.
-See the [reference on procedure calls](./procs.md#calling-procedures) for more information.
+### Boolean Choices
+
+HeyVL supports a binary choice depending on the value of a Boolean expression:
+```heyvl
+if x + 1 == 2 {
+    ...
+} else {
+    ...
+}
+```
+
+### While Loops
+
+HeyVL supports while loops that run a block of code while a condition evaluates to true.
+```heyvl
+var cont: Bool = true
+@invariant(...)
+while cont {
+    cont = flip(0.5)
+}
+```
+
+For verification, **while loops need to have [proof rule annotations](../proof-rules/)** such as the [`@invariant(...)` annotation](../proof-rules/induction.md) in the example.
+If a while loop does not have a proof rule annotation, Caesar cannot verify the program and will show an error.
+
+The proof rule annotations also implicitly specify whether the loop has least or greatest fixpoint semantics.
+This choice can be made explicit with the [calculus annotations](../proof-rules/calculi.md) on procedures, which we recommend you use.
+
+With the **[model checking translation](../model-checking.md), proof rule annotations are not necessary**.
+It allows usage of a *probabilistic model checker* such as [Storm](https://www.stormchecker.org/) for a subset of HeyVL programs.
+This can be helpful to e.g. get an initial estimation of expected values.
 
-If the procedure does not have any return values, the call may be written without the equals sign and the left-hand side, i.e. simply `fn(arg1, arg2)`.
+## Verification Statements
 
-## Havoc
+
+### Havoc
 
 A `havoc` statement can be used to "forget" previous values of variables in the following code.
 It also comes in a `co` variant.
@@ -67,7 +142,8 @@ cohavoc a, b, c
 
 The verification condition semantics of `havoc` and `cohavoc` create an infimum respectively supremum over the specified variables.
 
-## Assert and Assume
+
+### Assert and Assume
 
 These statements generate binary operators in the verification condition semantics.
 All three statements also come in `co` variants.
@@ -79,7 +155,8 @@ assert 1 + x
 assume 0
 ```
 
-## Reward (formerly Tick)
+
+### Reward
 
 The `reward` statement accepts an expression and adds it to the current verification condition.
 For example,
@@ -90,7 +167,8 @@ has the following semantics: `vc[reward 2 * x](f) = f + (2 * x)`.
 
 `tick` is another name that Caesar accepts for `reward`.
 
-## Nondeterministic Choices
+
+### Nondeterministic Choices
 
 HeyVL supports two kinds of binary nondeterministic choices: The "demonic" one (`if ⊓`) and the "angelic" one (`if ⊔`).
 ```heyvl
@@ -105,30 +183,6 @@ You can also use Latex-style syntax instead of Unicode.
 Caesar supports `\cap` and `\cup` instead of `⊓` and `⊔`, respectively.
 (We're looking for better syntax for these statements. If you have an idea, [please start a discussion](https://github.com/moves-rwth/caesar/discussions).)
 
-## Boolean Choices
-
-HeyVL supports a binary choice depending on the value of a Boolean expression:
-```heyvl
-if x + 1 == 2 {
-    ...
-} else {
-    ...
-}
-```
-
-## While Loops
-
-HeyVL supports while loops that run a block of code while a condition evaluates to true.
-```heyvl
-var cont: Bool = true
-while cont {
-    cont = flip(0.5)
-}
-```
-
-However, for verification while loops need to be annotated with [proof rules](../proof-rules/), otherwise Caesar will show an error.
-These proof rule annotations also implicitly specify whether the loop has least or greatest fixpoint semantics.
-This choice can be made explicit with the [calculus annotations](../proof-rules/calculi.md) on procedures, which we recommend you use.
 
 ## Deprecated Statements
 
@@ -162,3 +216,8 @@ If negations are used in such a way that monotonicity is broken, then (co)proced
 Refer to our [OOPSLA '23 paper](../publications.md#oopsla-23) for details on monotonicity and soundness of (co)procedure calls.
 
 :::
+
+
+[^calls-concrete]: Note that a procedure does not necessarily need to have a body.
+Caesar will verify calls only based on their specification.
+In those cases, a procedure call is thus not concrete.

website/docs/model-checking.md

@@ -254,7 +254,7 @@ In the body, statements:
  * [Sampling from distributions](./stdlib/distributions.md),
  * [If-then-else statements](./heyvl/statements.md#boolean-choices),
  * While loops (with least-fixed point semantics — [see below for semantics details](#loop-semantics)),
- * [`reward` statements](./heyvl/statements.md#reward-formerly-tick),
+ * [`reward` statements](./heyvl/statements.md#reward),
  * In `proc`s:
    * [`assert` statements](./heyvl/statements.md#assert-and-assume),
    * [Binary demonic choices](./heyvl/statements.md#nondeterministic-choices),