Skip to content

GitLab

why3
why3
Commit a2fa050c authored by MARCHE Claude's avatar MARCHE Claude
Browse files
Options

completed proof of example flag2

parent 7adfce46
Expand all Hide whitespace changes
Inline Side-by-side
Showing with 1037 additions and 1255 deletions
examples/programs/flag2.mlw
View file @ a2fa050c
......@@ -20,20 +20,48 @@ module Flag
axiom nb_occ_null:
forall a:map int color, i j:int, c:color.
i >= j -> nb_occ a i j c = 0
axiom nb_occ_add:
axiom nb_occ_add_eq:
forall a:map int color, i j:int, c:color.
i < j /\ get a (j-1) = c -> nb_occ a i j c = nb_occ a i (j-1) c + 1
axiom nb_occ_add_neq:
forall a:map int color, i j:int, c:color.
i < j -> nb_occ a i j c = nb_occ a i (j-1) c +
(if get a (j-1) = c then 1 else 0)
i < j /\ get a (j-1) <> c -> nb_occ a i j c = nb_occ a i (j-1) c
lemma nb_occ_split:
forall a:map int color, i j k:int, c:color.
i <= j <= k ->
nb_occ a i k c = nb_occ a i j c + nb_occ a j k c
lemma nb_occ_store_outside_up:
forall a:map int color, i j k:int, c:color.
i <= j <= k -> nb_occ (set a k c) i j c = nb_occ a i j c
lemma nb_occ_store:
lemma nb_occ_store_outside_down:
forall a:map int color, i j k:int, c:color.
k < i <= j -> nb_occ (set a k c) i j c = nb_occ a i j c
lemma nb_occ_store_eq_eq:
forall a:map int color, i j k:int, c:color.
i <= k < j -> get a k = c ->
nb_occ (set a k c) i j c = nb_occ a i j c
lemma nb_occ_store_eq_neq:
forall a:map int color, i j k:int, c:color.
i <= k < j -> get a k <> c ->
nb_occ (set a k c) i j c = nb_occ a i j c + 1
lemma nb_occ_store_neq_eq:
forall a:map int color, i j k:int, c c':color.
i <= k < j ->
nb_occ (set a k c) i j c' =
nb_occ a i j c' + (if c=c' then 1 else 0) - (if get a k = c' then 1 else 0)
i <= k < j -> c <> c' -> get a k = c ->
nb_occ (set a k c') i j c = nb_occ a i j c - 1
lemma nb_occ_store_outside:
lemma nb_occ_store_neq_neq:
forall a:map int color, i j k:int, c c':color.
not (i <= k < j) -> nb_occ (set a k c) i j c' = nb_occ a i j c'
i <= k < j -> c <> c' -> get a k <> c ->
nb_occ (set a k c') i j c = nb_occ a i j c
let swap(a:ref (map int color)) (i:int) (j:int) : unit =
{ }
......@@ -44,7 +72,8 @@ module Flag
{ get !a i = get (old !a) j /\
get !a j = get (old !a) i /\
(forall k:int. k <> i /\ k <> j -> get !a k = get (old !a) k) /\
(forall i j:int, c:color. nb_occ !a i j c = nb_occ (old !a) i j c)
(forall k1 k2:int, c:color. k1 <= i < k2 /\ k1 <= j < k2 ->
nb_occ !a k1 k2 c = nb_occ (old !a) k1 k2 c)
}
......@@ -55,7 +84,7 @@ module Flag
let r = ref n in
'Init:
while !i < !r do
invariant {
invariant {
0 <= !b <= !i <= !r <= n /\
monochrome !a 0 !b Blue /\
monochrome !a !b !i White /\
......
examples/programs/flag2/flag2_WP_Flag_nb_occ_split_1.v 0 → 100644
View file @ a2fa050c
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
(* Why3 assumption *)
Definition implb(x:bool) (y:bool): bool := match (x,
y) with
| (true, false) => false
| (_, _) => true
end.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
(* Why3 assumption *)
Definition contents (a:Type)(v:(ref a)): a :=
match v with
| (mk_ref x) => x
end.
Implicit Arguments contents.
(* Why3 assumption *)
Inductive color :=
| Blue : color
| White : color
| Red : color .
(* Why3 assumption *)
Definition monochrome(a:(map Z color)) (i:Z) (j:Z) (c:color): Prop :=
forall (k:Z), ((i <= k)%Z /\ (k < j)%Z) -> ((get a k) = c).
Parameter nb_occ: (map Z color) -> Z -> Z -> color -> Z.
Axiom nb_occ_null : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
(j <= i)%Z -> ((nb_occ a i j c) = 0%Z).
Axiom nb_occ_add_eq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = ((nb_occ a
i (j - 1%Z)%Z c) + 1%Z)%Z).
Axiom nb_occ_add_neq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ~ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = (nb_occ a
i (j - 1%Z)%Z c)).
Open Scope Z_scope.
Require Import Why3.
Ltac ae := why3 "alt-ergo" timelimit 3.
(* Why3 goal *)
Theorem nb_occ_split : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z) (c:color),
((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ a i k c) = ((nb_occ a i j
c) + (nb_occ a j k c))%Z).
intros a i j k c (h1 & h2).
generalize h2.
pattern k; apply Zlt_lower_bound_ind with (z:=j); auto.
ae.
Qed.
examples/programs/flag2/flag2_WP_Flag_nb_occ_store_eq_neq_1.v 0 → 100644
View file @ a2fa050c
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
(* Why3 assumption *)
Definition implb(x:bool) (y:bool): bool := match (x,
y) with
| (true, false) => false
| (_, _) => true
end.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
(* Why3 assumption *)
Definition contents (a:Type)(v:(ref a)): a :=
match v with
| (mk_ref x) => x
end.
Implicit Arguments contents.
(* Why3 assumption *)
Inductive color :=
| Blue : color
| White : color
| Red : color .
(* Why3 assumption *)
Definition monochrome(a:(map Z color)) (i:Z) (j:Z) (c:color): Prop :=
forall (k:Z), ((i <= k)%Z /\ (k < j)%Z) -> ((get a k) = c).
Parameter nb_occ: (map Z color) -> Z -> Z -> color -> Z.
Axiom nb_occ_null : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
(j <= i)%Z -> ((nb_occ a i j c) = 0%Z).
Axiom nb_occ_add_eq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = ((nb_occ a
i (j - 1%Z)%Z c) + 1%Z)%Z).
Axiom nb_occ_add_neq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ~ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = (nb_occ a
i (j - 1%Z)%Z c)).
Axiom nb_occ_split : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z) (c:color),
((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ a i k c) = ((nb_occ a i j
c) + (nb_occ a j k c))%Z).
Axiom nb_occ_store_outside_up : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
Axiom nb_occ_store_outside_down : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((k < i)%Z /\ (i <= j)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
Axiom nb_occ_store_eq_eq : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= k)%Z /\ (k < j)%Z) -> (((get a k) = c) -> ((nb_occ (set a
k c) i j c) = (nb_occ a i j c))).
Open Scope Z_scope.
Require Import Why3.
Ltac ae := why3 "alt-ergo" timelimit 3.
(* Why3 goal *)
Theorem nb_occ_store_eq_neq : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= k)%Z /\ (k < j)%Z) -> ((~ ((get a k) = c)) ->
((nb_occ (set a k c) i j c) = ((nb_occ a i j c) + 1%Z)%Z)).
intros a i j k c (Hik & Hkj) H.
rewrite nb_occ_split with (j:=k); auto with zarith.
rewrite nb_occ_store_outside_up; auto with zarith.
rewrite nb_occ_split with (i:=k) (j:=k+1); auto with zarith.
rewrite nb_occ_split with (i:=i) (j:=k) (k:=j); auto with zarith.
rewrite nb_occ_split with (i:=k) (j:=k+1) (k:=j); auto with zarith.
rewrite nb_occ_store_outside_down with (i:=k+1); auto with zarith.
ae.
Qed.
examples/programs/flag2/flag2_WP_Flag_nb_occ_store_neq_eq_1.v 0 → 100644
View file @ a2fa050c
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
(* Why3 assumption *)
Definition implb(x:bool) (y:bool): bool := match (x,
y) with
| (true, false) => false
| (_, _) => true
end.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
(* Why3 assumption *)
Definition contents (a:Type)(v:(ref a)): a :=
match v with
| (mk_ref x) => x
end.
Implicit Arguments contents.
(* Why3 assumption *)
Inductive color :=
| Blue : color
| White : color
| Red : color .
(* Why3 assumption *)
Definition monochrome(a:(map Z color)) (i:Z) (j:Z) (c:color): Prop :=
forall (k:Z), ((i <= k)%Z /\ (k < j)%Z) -> ((get a k) = c).
Parameter nb_occ: (map Z color) -> Z -> Z -> color -> Z.
Axiom nb_occ_null : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
(j <= i)%Z -> ((nb_occ a i j c) = 0%Z).
Axiom nb_occ_add_eq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = ((nb_occ a
i (j - 1%Z)%Z c) + 1%Z)%Z).
Axiom nb_occ_add_neq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ~ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = (nb_occ a
i (j - 1%Z)%Z c)).
Axiom nb_occ_split : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z) (c:color),
((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ a i k c) = ((nb_occ a i j
c) + (nb_occ a j k c))%Z).
Axiom nb_occ_store_outside_up : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
Axiom nb_occ_store_outside_down : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((k < i)%Z /\ (i <= j)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
Axiom nb_occ_store_eq_eq : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= k)%Z /\ (k < j)%Z) -> (((get a k) = c) -> ((nb_occ (set a
k c) i j c) = (nb_occ a i j c))).
Axiom nb_occ_store_eq_neq : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= k)%Z /\ (k < j)%Z) -> ((~ ((get a k) = c)) ->
((nb_occ (set a k c) i j c) = ((nb_occ a i j c) + 1%Z)%Z)).
(* Why3 goal *)
Theorem nb_occ_store_neq_eq : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color) (cqt:color), ((i <= k)%Z /\ (k < j)%Z) -> ((~ (c = cqt)) ->
(((get a k) = c) -> ((nb_occ (set a k cqt) i j c) = ((nb_occ a i j
c) - 1%Z)%Z))).
intuition.
Qed.
examples/programs/flag2/flag2_WP_Flag_nb_occ_store_outside_down_1.v 0 → 100644
View file @ a2fa050c
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
(* Why3 assumption *)
Definition implb(x:bool) (y:bool): bool := match (x,
y) with
| (true, false) => false
| (_, _) => true
end.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
(* Why3 assumption *)
Definition contents (a:Type)(v:(ref a)): a :=
match v with
| (mk_ref x) => x
end.
Implicit Arguments contents.
(* Why3 assumption *)
Inductive color :=
| Blue : color
| White : color
| Red : color .
(* Why3 assumption *)
Definition monochrome(a:(map Z color)) (i:Z) (j:Z) (c:color): Prop :=
forall (k:Z), ((i <= k)%Z /\ (k < j)%Z) -> ((get a k) = c).
Parameter nb_occ: (map Z color) -> Z -> Z -> color -> Z.
Axiom nb_occ_null : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
(j <= i)%Z -> ((nb_occ a i j c) = 0%Z).
Axiom nb_occ_add_eq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = ((nb_occ a
i (j - 1%Z)%Z c) + 1%Z)%Z).
Axiom nb_occ_add_neq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ~ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = (nb_occ a
i (j - 1%Z)%Z c)).
Axiom nb_occ_split : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z) (c:color),
((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ a i k c) = ((nb_occ a i j
c) + (nb_occ a j k c))%Z).
Axiom nb_occ_store_outside_up : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z)
(c:color), ((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
Open Scope Z_scope.
Require Import Why3.
Ltac ae := why3 "alt-ergo" timelimit 3.
(* Why3 goal *)
Theorem nb_occ_store_outside_down : forall (a:(map Z color)) (i:Z) (j:Z)
(k:Z) (c:color), ((k < i)%Z /\ (i <= j)%Z) -> ((nb_occ (set a k c) i j
c) = (nb_occ a i j c)).
intros a i j k c (h1 & h2).
generalize h2.
pattern j; apply Zlt_lower_bound_ind with (z:=i); auto.
ae.
Qed.
examples/programs/flag2/flag2_WP_Flag_nb_occ_store_outside_up_1.v 0 → 100644
View file @ a2fa050c
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Definition unit := unit.
Parameter qtmark : Type.
Parameter at1: forall (a:Type), a -> qtmark -> a.
Implicit Arguments at1.
Parameter old: forall (a:Type), a -> a.
Implicit Arguments old.
(* Why3 assumption *)
Definition implb(x:bool) (y:bool): bool := match (x,
y) with
| (true, false) => false
| (_, _) => true
end.
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b.
Implicit Arguments get.
Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b).
Implicit Arguments set.
Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall (b:Type) (a:Type), b -> (map a b).
Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.
Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive ref (a:Type) :=
| mk_ref : a -> ref a.
Implicit Arguments mk_ref.
(* Why3 assumption *)
Definition contents (a:Type)(v:(ref a)): a :=
match v with
| (mk_ref x) => x
end.
Implicit Arguments contents.
(* Why3 assumption *)
Inductive color :=
| Blue : color
| White : color
| Red : color .
(* Why3 assumption *)
Definition monochrome(a:(map Z color)) (i:Z) (j:Z) (c:color): Prop :=
forall (k:Z), ((i <= k)%Z /\ (k < j)%Z) -> ((get a k) = c).
Parameter nb_occ: (map Z color) -> Z -> Z -> color -> Z.
Axiom nb_occ_null : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
(j <= i)%Z -> ((nb_occ a i j c) = 0%Z).
Axiom nb_occ_add_eq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = ((nb_occ a
i (j - 1%Z)%Z c) + 1%Z)%Z).
Axiom nb_occ_add_neq : forall (a:(map Z color)) (i:Z) (j:Z) (c:color),
((i < j)%Z /\ ~ ((get a (j - 1%Z)%Z) = c)) -> ((nb_occ a i j c) = (nb_occ a
i (j - 1%Z)%Z c)).
Axiom nb_occ_split : forall (a:(map Z color)) (i:Z) (j:Z) (k:Z) (c:color),
((i <= j)%Z /\ (j <= k)%Z) -> ((nb_occ a i k c) = ((nb_occ a i j
c) + (nb_occ a j k c))%Z).
Open Scope Z_scope.
Require Import Why3.
Ltac ae := why3 "alt-ergo" timelimit 3.