Things to do in DaveExper:
==========================

** Continue porting examples [ done: Konst, Swap, Fac
                               still want: list examples, invoke examples ]

** Use justified recursive partial correctness rules for Call, Invoke, etc.,
   which allow mutual recursion.     Need to make a design choice between:

       1. use -=m P e Q : harmless meta-quantified formulae in all rules-A
       2. use G -= P e Q -A
       3. use G -= P e Q, deeper embedding of hoare rules-A
          [ adv:    we know proof system exactly and stick to it;
            disadv: may be incomplete ]

   In any of 1-3 we'll need to derive derived rules again.

   Another choice: we may choose to implement VDM versions of these.

** Merge diverging versions:
     -- State with nats: prove VDMCallRecinv
     -- State with ints: prove rec2, proofs2  (use >=0 in validity def?)

** Soundness of partial correctness rules for recursion
    -- still need rules for invoke/invokestatic
    -- unify different strands (based on second op sems/resource params)

** Treat whole programs: if invariants aren't built into basic rules, this
   is more challenging: I think we would need to find an order based on call
   graph to prove triples.  However, a first approximation would still be to
   prove each body correct in a context which assumes the pre-post conditions
   hold everywhere.

** VDM experiment:
        recase Hoare examples.
        rule for method Invoke.
        Consider how to derive specification for recursive cases.
          later on, when rules/method clear: design SimpleVCGVDM
                invariant: proving |= e : ?P, to instantiate P to most precise P
                (start off with VWP; end with use of subset_refl)

** Work on document/informal towards deliverable.
