a better way to provide that the length of string is nonnegative

parent 9de8eea0
......@@ -163,8 +163,6 @@ module BadShiftTable
= assert { (substring text j m)[i + m - j] = c } in
()
lemma length_nonneg: forall s. length s >= 0
let search (bst: bad_shift_table) (text: string) : int63
requires { length bst.pat <= length text }
ensures { -1 <= result <= length text - length bst.pat }
......
......@@ -5,54 +5,54 @@
<prover id="0" name="Z3" version="4.8.4" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="1" name="Z3" version="4.8.6" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="2" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="3" name="CVC4" version="1.7" alternative="strings" timelimit="5" steplimit="0" memlimit="1000"/>
<prover id="4" name="CVC4" version="1.7" timelimit="1" steplimit="0" memlimit="1000"/>
<file format="whyml" proved="true">
<path name=".."/><path name="string_search.mlw"/>
<theory name="Occurs" proved="true">
<goal name="occurs&#39;vc" expl="VC for occurs" proved="true">
<transf name="split_vc" proved="true" >
<goal name="occurs&#39;vc.0" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="96446"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="24"/></proof>
</goal>
<goal name="occurs&#39;vc.1" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.05" steps="93"/></proof>
<proof prover="2"><result status="valid" time="0.03" steps="95"/></proof>
</goal>
<goal name="occurs&#39;vc.2" expl="assertion" proved="true">
<proof prover="0"><result status="valid" time="0.02" steps="30349"/></proof>
<proof prover="1"><result status="valid" time="0.02" steps="25123"/></proof>
</goal>
<goal name="occurs&#39;vc.3" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="32"/></proof>
<proof prover="2"><result status="valid" time="0.03" steps="35"/></proof>
</goal>
<goal name="occurs&#39;vc.4" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.03" steps="183"/></proof>
<proof prover="2"><result status="valid" time="0.05" steps="186"/></proof>
</goal>
<goal name="occurs&#39;vc.5" expl="loop invariant preservation" proved="true">
<transf name="rewrite" proved="true" arg1="&lt;-" arg2="concat_substring">
<goal name="occurs&#39;vc.5.0" expl="loop invariant preservation" proved="true">
<proof prover="2" timelimit="5"><result status="valid" time="2.23" steps="4287"/></proof>
<proof prover="2" timelimit="5"><result status="valid" time="2.08" steps="3506"/></proof>
</goal>
<goal name="occurs&#39;vc.5.1" expl="rewrite premises" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="34"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="37"/></proof>
</goal>
<goal name="occurs&#39;vc.5.2" expl="rewrite premises" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="34"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="37"/></proof>
</goal>
<goal name="occurs&#39;vc.5.3" expl="rewrite premises" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="34"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="37"/></proof>
</goal>
<goal name="occurs&#39;vc.5.4" expl="rewrite premises" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="34"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="37"/></proof>
</goal>
<goal name="occurs&#39;vc.5.5" expl="rewrite premises" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="34"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="37"/></proof>
</goal>
</transf>
</goal>
<goal name="occurs&#39;vc.6" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.03" steps="243"/></proof>
<proof prover="4"><result status="valid" time="0.07" steps="15245"/></proof>
</goal>
<goal name="occurs&#39;vc.7" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="110846"/></proof>
<proof prover="1"><result status="valid" time="0.02" steps="24571"/></proof>
</goal>
</transf>
</goal>
......@@ -61,57 +61,66 @@
<goal name="search1&#39;vc" expl="VC for search1" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search1&#39;vc.0" expl="integer overflow" proved="true">
<proof prover="2" timelimit="5"><result status="valid" time="2.06" steps="1575"/></proof>
<proof prover="0"><result status="valid" time="0.02" steps="17582"/></proof>
</goal>
<goal name="search1&#39;vc.1" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="21"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="24"/></proof>
</goal>
<goal name="search1&#39;vc.2" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="23"/></proof>
<proof prover="1"><result status="valid" time="0.02" steps="25411"/></proof>
</goal>
<goal name="search1&#39;vc.3" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="25"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
</goal>
<goal name="search1&#39;vc.4" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="27"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="30"/></proof>
</goal>
<goal name="search1&#39;vc.5" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="116"/></proof>
</goal>
<goal name="search1&#39;vc.6" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="19"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="22"/></proof>
</goal>
<goal name="search1&#39;vc.7" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="69"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="70"/></proof>
</goal>
<goal name="search1&#39;vc.8" expl="out of loop bounds" proved="true">
<proof prover="0"><result status="valid" time="0.02" steps="28909"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="21"/></proof>
</goal>
</transf>
</goal>
<goal name="search2&#39;vc" expl="VC for search2" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search2&#39;vc.0" expl="integer overflow" proved="true">
<proof prover="2" timelimit="5"><result status="valid" time="2.04" steps="1575"/></proof>
<proof prover="0"><result status="valid" time="0.03" steps="17582"/></proof>
</goal>
<goal name="search2&#39;vc.1" expl="loop invariant init" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search2&#39;vc.1.0" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="21"/></proof>
</goal>
</transf>
<proof prover="2"><result status="valid" time="0.02" steps="24"/></proof>
</goal>
<goal name="search2&#39;vc.2" expl="precondition" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search2&#39;vc.2.0" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="23"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="26"/></proof>
</goal>
<goal name="search2&#39;vc.2.1" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="26"/></proof>
</goal>
</transf>
</goal>
<goal name="search2&#39;vc.3" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="27309"/></proof>
</goal>
<goal name="search2&#39;vc.4" expl="postcondition" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search2&#39;vc.4.0" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
</goal>
<goal name="search2&#39;vc.4.1" expl="postcondition" proved="true">
<transf name="unfold" proved="true" arg1="matches">
<goal name="search2&#39;vc.2.1.0" expl="precondition" proved="true">
<goal name="search2&#39;vc.4.1.0" expl="postcondition" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search2&#39;vc.2.1.0.0" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="97773"/></proof>
<goal name="search2&#39;vc.4.1.0.0" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="28530"/></proof>
</goal>
</transf>
</goal>
......@@ -119,26 +128,20 @@
</goal>
</transf>
</goal>
<goal name="search2&#39;vc.3" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="109128"/></proof>
</goal>
<goal name="search2&#39;vc.4" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="25"/></proof>
</goal>
<goal name="search2&#39;vc.5" expl="postcondition" proved="true">
<proof prover="3"><result status="valid" time="0.06" steps="8376"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="167"/></proof>
</goal>
<goal name="search2&#39;vc.6" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="31"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="34"/></proof>
</goal>
<goal name="search2&#39;vc.7" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="19"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="22"/></proof>
</goal>
<goal name="search2&#39;vc.8" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="69"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="70"/></proof>
</goal>
<goal name="search2&#39;vc.9" expl="out of loop bounds" proved="true">
<proof prover="0"><result status="valid" time="0.03" steps="28909"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="24749"/></proof>
</goal>
</transf>
</goal>
......@@ -150,40 +153,40 @@
<goal name="make_table&#39;vc" expl="VC for make_table" proved="true">
<transf name="split_vc" proved="true" >
<goal name="make_table&#39;vc.0" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.15" steps="622"/></proof>
<proof prover="2"><result status="valid" time="0.06" steps="18"/></proof>
</goal>
<goal name="make_table&#39;vc.1" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.08" steps="20"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="21"/></proof>
</goal>
<goal name="make_table&#39;vc.2" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="115"/></proof>
<proof prover="2"><result status="valid" time="0.03" steps="116"/></proof>
</goal>
<goal name="make_table&#39;vc.3" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="26"/></proof>
<proof prover="2"><result status="valid" time="0.03" steps="27"/></proof>
</goal>
<goal name="make_table&#39;vc.4" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="24"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="25"/></proof>
</goal>
<goal name="make_table&#39;vc.5" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="142"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="143"/></proof>
</goal>
<goal name="make_table&#39;vc.6" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="375"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="489"/></proof>
</goal>
<goal name="make_table&#39;vc.7" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="321"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="322"/></proof>
</goal>
<goal name="make_table&#39;vc.8" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.03" steps="26"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="27"/></proof>
</goal>
<goal name="make_table&#39;vc.9" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.03" steps="48"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="49"/></proof>
</goal>
<goal name="make_table&#39;vc.10" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.06" steps="82"/></proof>
<proof prover="2"><result status="valid" time="0.08" steps="83"/></proof>
</goal>
<goal name="make_table&#39;vc.11" expl="out of loop bounds" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="232"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="18"/></proof>
</goal>
</transf>
</goal>
......@@ -210,87 +213,87 @@
<goal name="no_shift&#39;vc" expl="VC for no_shift" proved="true">
<proof prover="2"><result status="valid" time="0.44" steps="1056"/></proof>
</goal>
<goal name="length_nonneg" proved="true">
<proof prover="2"><result status="valid" time="0.13" steps="545"/></proof>
</goal>
<goal name="search&#39;vc" expl="VC for search" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search&#39;vc.0" expl="loop invariant init" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="22"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="23"/></proof>
</goal>
<goal name="search&#39;vc.1" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="7238"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="5822"/></proof>
</goal>
<goal name="search&#39;vc.2" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="26"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="90559"/></proof>
</goal>
<goal name="search&#39;vc.3" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="103041"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="31"/></proof>
</goal>
<goal name="search&#39;vc.4" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="30"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="33"/></proof>
</goal>
<goal name="search&#39;vc.5" expl="postcondition" proved="true">
<proof prover="2" timelimit="5"><result status="valid" time="0.01" steps="32"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="35"/></proof>
</goal>
<goal name="search&#39;vc.6" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="126210"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="96355"/></proof>
</goal>
<goal name="search&#39;vc.7" expl="postcondition" proved="true">
<proof prover="2" timelimit="5"><result status="valid" time="0.01" steps="37"/></proof>
</goal>
<goal name="search&#39;vc.8" expl="postcondition" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search&#39;vc.7.0" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="30"/></proof>
<goal name="search&#39;vc.8.0" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="136"/></proof>
</goal>
<goal name="search&#39;vc.7.1" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="30"/></proof>
<goal name="search&#39;vc.8.1" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="35"/></proof>
</goal>
</transf>
</goal>
<goal name="search&#39;vc.8" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="137"/></proof>
</goal>
<goal name="search&#39;vc.9" expl="integer overflow" proved="true">
<transf name="split_vc" proved="true" >
<goal name="search&#39;vc.9.0" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="102"/></proof>
</goal>
</transf>
<proof prover="1"><result status="valid" time="0.03" steps="104687"/></proof>
</goal>
<goal name="search&#39;vc.10" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="111033"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="89786"/></proof>
</goal>
<goal name="search&#39;vc.11" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="41"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="44"/></proof>
</goal>
<goal name="search&#39;vc.12" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="7781"/></proof>
<proof prover="2"><result status="valid" time="0.01" steps="43"/></proof>
</goal>
<goal name="search&#39;vc.13" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="141276"/></proof>
<transf name="split_vc" proved="true" >
<goal name="search&#39;vc.13.0" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.01" steps="39"/></proof>
</goal>
<goal name="search&#39;vc.13.1" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="39"/></proof>
</goal>
</transf>
</goal>
<goal name="search&#39;vc.14" expl="precondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="41"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="168168"/></proof>
</goal>
<goal name="search&#39;vc.15" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="140063"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="137826"/></proof>
</goal>
<goal name="search&#39;vc.16" expl="integer overflow" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="206"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="198"/></proof>
</goal>
<goal name="search&#39;vc.17" expl="loop variant decrease" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="117"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="116"/></proof>
</goal>
<goal name="search&#39;vc.18" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
<proof prover="2"><result status="valid" time="0.03" steps="151"/></proof>
</goal>
<goal name="search&#39;vc.19" expl="loop invariant preservation" proved="true">
<proof prover="2"><result status="valid" time="0.38" steps="984"/></proof>
<proof prover="2"><result status="valid" time="0.37" steps="884"/></proof>
</goal>
<goal name="search&#39;vc.20" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="28"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="31"/></proof>
</goal>
<goal name="search&#39;vc.21" expl="postcondition" proved="true">
<proof prover="2"><result status="valid" time="0.02" steps="110"/></proof>
<proof prover="2"><result status="valid" time="0.02" steps="109"/></proof>
</goal>
</transf>
</goal>
......
......@@ -485,7 +485,7 @@ module OCaml
ensures { result <-> x = y }
val partial length (s: string) : int63
ensures { result = length s }
ensures { result = length s >= 0 }
val sub (s: string) (start: int63) (len: int63) : string
requires { 0 <= start <= length s }
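Review bot: The new postcondition `ensures { result = length s >= 0 }` on `length` relies on WhyML comparison chaining and is easy to misread as `result = (length s >= 0)`; splitting it into `ensures { result = length s }` and `ensures { result >= 0 }` states the same contract unambiguously. Note also that a `val` contract is assumed rather than proved, and it only enters the proof context at program-level call sites of `length`, whereas the lemma removed in the first hunk (`lemma length_nonneg: forall s. length s >= 0`) was available for every logical `length s` term; any goal that used that lemma on a string never passed to this `length` will need the fact from the string theory instead, which is worth confirming. The assumption itself looks sound for a binding to OCaml's `String.length`. The enclosing module OCaml starts outside the hunk.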
......