Commit d856a3fa authored by MARCHE Claude's avatar MARCHE Claude
Browse files

missing Coq script

parent a38e8717
(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below *)
Require Import ZArith.
Require Import Rbase.
Require int.Int.
(* Why3 assumption *)
Inductive list (a:Type) :=
| Nil : list a
| Cons : a -> (list a) -> list a.
Implicit Arguments Nil [[a]].
Implicit Arguments Cons [[a]].
Parameter map : forall (a:Type) (b:Type), Type.
Parameter get: forall {a:Type} {b:Type}, (map a b) -> a -> b.
Parameter set: forall {a:Type} {b:Type}, (map a b) -> a -> b -> (map a b).
Axiom Select_eq : forall {a:Type} {b:Type}, forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
a2) = b1).
Axiom Select_neq : forall {a:Type} {b:Type}, forall (m:(map a b)),
forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
a2) = (get m a2)).
Parameter const: forall {a:Type} {b:Type}, b -> (map a b).
Axiom Const : forall {a:Type} {b:Type}, forall (b1:b) (a1:a),
((get (const b1:(map a b)) a1) = b1).
(* Why3 assumption *)
Inductive datatype :=
| TYunit : datatype
| TYint : datatype
| TYbool : datatype .
(* Why3 assumption *)
Inductive value :=
| Vvoid : value
| Vint : Z -> value
| Vbool : bool -> value .
(* Why3 assumption *)
Inductive operator :=
| Oplus : operator
| Ominus : operator
| Omult : operator
| Ole : operator .
Parameter mident : Type.
Parameter ident : Type.
Parameter result: ident.
(* Why3 assumption *)
Inductive term :=
| Tvalue : value -> term
| Tvar : ident -> term
| Tderef : mident -> term
| Tbin : term -> operator -> term -> term .
(* Why3 assumption *)
Inductive fmla :=
| Fterm : term -> fmla
| Fand : fmla -> fmla -> fmla
| Fnot : fmla -> fmla
| Fimplies : fmla -> fmla -> fmla
| Flet : ident -> term -> fmla -> fmla
| Fforall : ident -> datatype -> fmla -> fmla .
(* Why3 assumption *)
Inductive expr :=
| Evalue : value -> expr
| Ebin : expr -> operator -> expr -> expr
| Evar : ident -> expr
| Ederef : mident -> expr
| Eassign : mident -> expr -> expr
| Eseq : expr -> expr -> expr
| Elet : ident -> expr -> expr -> expr
| Eif : expr -> expr -> expr -> expr
| Eassert : fmla -> expr
| Ewhile : expr -> fmla -> expr -> expr .
(* Why3 assumption *)
Definition type_value(v:value): datatype :=
match v with
| Vvoid => TYunit
| (Vint int1) => TYint
| (Vbool bool1) => TYbool
end.
(* Why3 assumption *)
Inductive type_operator : operator -> datatype -> datatype
-> datatype -> Prop :=
| Type_plus : (type_operator Oplus TYint TYint TYint)
| Type_minus : (type_operator Ominus TYint TYint TYint)
| Type_mult : (type_operator Omult TYint TYint TYint)
| Type_le : (type_operator Ole TYint TYint TYbool).
(* Why3 assumption *)
Definition type_stack := (list (ident* datatype)%type).
Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype.
Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)),
match pi with
| Nil => ((get_vartype i pi) = TYunit)
| (Cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\
((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r)))
end.
(* Why3 assumption *)
Definition type_env := (map mident datatype).
(* Why3 assumption *)
Inductive type_term : (map mident datatype) -> (list (ident* datatype)%type)
-> term -> datatype -> Prop :=
| Type_value : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:value), (type_term sigma pi (Tvalue v)
(type_value v))
| Type_var : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) ->
(type_term sigma pi (Tvar v) ty)
| Type_deref : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:mident) (ty:datatype), ((get sigma v) = ty) ->
(type_term sigma pi (Tderef v) ty)
| Type_bin : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype)
(ty2:datatype) (ty:datatype), (type_term sigma pi t1 ty1) ->
((type_term sigma pi t2 ty2) -> ((type_operator op ty1 ty2 ty) ->
(type_term sigma pi (Tbin t1 op t2) ty))).
(* Why3 assumption *)
Inductive type_fmla : (map mident datatype) -> (list (ident* datatype)%type)
-> fmla -> Prop :=
| Type_term : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (t:term), (type_term sigma pi t TYbool) ->
(type_fmla sigma pi (Fterm t))
| Type_conj : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) ->
((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fand f1 f2)))
| Type_neg : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma
pi (Fnot f))
| Type_implies : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) ->
((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2)))
| Type_let : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype),
(type_term sigma pi t ty) -> ((type_fmla sigma (Cons (x, ty) pi) f) ->
(type_fmla sigma pi (Flet x t f)))
| Type_forall1 : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYint)
pi) f) -> (type_fmla sigma pi (Fforall x TYint f))
| Type_forall2 : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYbool)
pi) f) -> (type_fmla sigma pi (Fforall x TYbool f))
| Type_forall3 : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYunit)
pi) f) -> (type_fmla sigma pi (Fforall x TYunit f)).
(* Why3 assumption *)
Inductive type_expr : (map mident datatype) -> (list (ident* datatype)%type)
-> expr -> datatype -> Prop :=
| Type_evalue : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:value), (type_expr sigma pi (Evalue v)
(type_value v))
| Type_evar : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) ->
(type_expr sigma pi (Evar v) ty)
| Type_ederef : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (v:mident) (ty:datatype), ((get sigma v) = ty) ->
(type_expr sigma pi (Ederef v) ty)
| Type_ebin : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (e1:expr) (e2:expr) (op:operator) (ty1:datatype)
(ty2:datatype) (ty:datatype), (type_expr sigma pi e1 ty1) ->
((type_expr sigma pi e2 ty2) -> ((type_operator op ty1 ty2 ty) ->
(type_expr sigma pi (Ebin e1 op e2) ty)))
| Type_eseq : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (e1:expr) (e2:expr) (ty:datatype), (type_expr sigma pi
e1 TYunit) -> ((type_expr sigma pi e2 ty) -> (type_expr sigma pi
(Eseq e1 e2) ty))
| Type_eassigns : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:mident) (e:expr) (ty:datatype), ((get sigma
x) = ty) -> ((type_expr sigma pi e ty) -> (type_expr sigma pi
(Eassign x e) TYunit))
| Type_elet : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (x:ident) (e1:expr) (e2:expr) (ty1:datatype)
(ty2:datatype), (type_expr sigma pi e1 ty1) -> ((type_expr sigma
(Cons (x, ty2) pi) e2 ty2) -> (type_expr sigma pi (Elet x e1 e2) ty2))
| Type_eif : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (e1:expr) (e2:expr) (e3:expr) (ty:datatype),
(type_expr sigma pi e1 TYbool) -> ((type_expr sigma pi e2 ty) ->
((type_expr sigma pi e3 ty) -> (type_expr sigma pi (Eif e1 e2 e3) ty)))
| Type_eassert : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_expr sigma
pi (Eassert p) TYbool)
| Type_ewhile : forall (sigma:(map mident datatype)) (pi:(list (ident*
datatype)%type)) (guard:expr) (body:expr) (inv:fmla), (type_fmla sigma
pi inv) -> ((type_expr sigma pi guard TYbool) -> ((type_expr sigma pi
body TYunit) -> (type_expr sigma pi (Ewhile guard inv body) TYunit))).
(* Why3 assumption *)
Definition env := (map mident value).
(* Why3 assumption *)
Definition stack := (list (ident* value)%type).
Parameter get_stack: ident -> (list (ident* value)%type) -> value.
Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)),
match pi with
| Nil => ((get_stack i pi) = Vvoid)
| (Cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) ->
((get_stack i pi) = (get_stack i r)))
end.
Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident*
value)%type)), ((get_stack x (Cons (x, v) r)) = v).
Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident*
value)%type)), (~ (x = i)) -> ((get_stack i (Cons (x, v) r)) = (get_stack i
r)).
Parameter eval_bin: value -> operator -> value -> value.
Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x,
y) with
| ((Vint x1), (Vint y1)) =>
match op with
| Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z))
| Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z))
| Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z))
| Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\
((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false)))
end
| (_, _) => ((eval_bin x op y) = Vvoid)
end.
(* Why3 assumption *)
Fixpoint eval_term(sigma:(map mident value)) (pi:(list (ident* value)%type))
(t:term) {struct t}: value :=
match t with
| (Tvalue v) => v
| (Tvar id) => (get_stack id pi)
| (Tderef id) => (get sigma id)
| (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma
pi t2))
end.
(* Why3 assumption *)
Fixpoint eval_fmla(sigma:(map mident value)) (pi:(list (ident* value)%type))
(f:fmla) {struct f}: Prop :=
match f with
| (Fterm t) => ((eval_term sigma pi t) = (Vbool true))
| (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2)
| (Fnot f1) => ~ (eval_fmla sigma pi f1)
| (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2)
| (Flet x t f1) => (eval_fmla sigma (Cons (x, (eval_term sigma pi t)) pi)
f1)
| (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Cons (x,
(Vint n)) pi) f1)
| (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Cons (x,
(Vbool b)) pi) f1)
| (Fforall x TYunit f1) => (eval_fmla sigma (Cons (x, Vvoid) pi) f1)
end.
Parameter msubst_term: term -> mident -> ident -> term.
Axiom msubst_term_def : forall (e:term) (r:mident) (v:ident),
match e with
| ((Tvalue _)|(Tvar _)) => ((msubst_term e r v) = e)
| (Tderef x) => ((r = x) -> ((msubst_term e r v) = (Tvar v))) /\
((~ (r = x)) -> ((msubst_term e r v) = e))
| (Tbin e1 op e2) => ((msubst_term e r v) = (Tbin (msubst_term e1 r v) op
(msubst_term e2 r v)))
end.
Parameter subst_term: term -> ident -> ident -> term.
Axiom subst_term_def : forall (e:term) (r:ident) (v:ident),
match e with
| ((Tvalue _)|(Tderef _)) => ((subst_term e r v) = e)
| (Tvar x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\
((~ (r = x)) -> ((subst_term e r v) = e))
| (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op
(subst_term e2 r v)))
end.
(* Why3 assumption *)
Fixpoint fresh_in_term(id:ident) (t:term) {struct t}: Prop :=
match t with
| (Tvalue _) => True
| (Tvar v) => ~ (id = v)
| (Tderef _) => True
| (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2)
end.
Axiom eval_msubst_term : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e:term) (x:mident) (v:ident), (fresh_in_term v e) ->
((eval_term sigma pi (msubst_term e x v)) = (eval_term (set sigma x
(get_stack v pi)) pi e)).
Axiom eval_subst_term : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e:term) (x:ident) (v:ident), (fresh_in_term v e) ->
((eval_term sigma pi (subst_term e x v)) = (eval_term sigma (Cons (x,
(get_stack v pi)) pi) e)).
Axiom eval_term_change_free : forall (t:term) (sigma:(map mident value))
(pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id
t) -> ((eval_term sigma (Cons (id, v) pi) t) = (eval_term sigma pi t)).
(* Why3 assumption *)
Fixpoint fresh_in_fmla(id:ident) (f:fmla) {struct f}: Prop :=
match f with
| (Fterm e) => (fresh_in_term id e)
| ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\
(fresh_in_fmla id f2)
| (Fnot f1) => (fresh_in_fmla id f1)
| (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\
(fresh_in_fmla id f1))
| (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1)
end.
(* Why3 assumption *)
Fixpoint subst(f:fmla) (x:ident) (v:ident) {struct f}: fmla :=
match f with
| (Fterm e) => (Fterm (subst_term e x v))
| (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v))
| (Fnot f1) => (Fnot (subst f1 x v))
| (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v))
| (Flet y t f1) => (Flet y (subst_term t x v) (subst f1 x v))
| (Fforall y ty f1) => (Fforall y ty (subst f1 x v))
end.
(* Why3 assumption *)
Fixpoint msubst(f:fmla) (x:mident) (v:ident) {struct f}: fmla :=
match f with
| (Fterm e) => (Fterm (msubst_term e x v))
| (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v))
| (Fnot f1) => (Fnot (msubst f1 x v))
| (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v))
| (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v))
| (Fforall y ty f1) => (Fforall y ty (msubst f1 x v))
end.
Axiom subst_fresh : forall (f:fmla) (x:ident) (v:ident), (fresh_in_fmla x
f) -> ((subst f x v) = f).
Axiom let_subst : forall (t:term) (f:fmla) (x:ident) (id':ident) (id:mident),
((msubst (Flet x t f) id id') = (Flet x (msubst_term t id id') (msubst f id
id'))).
Axiom eval_msubst : forall (f:fmla) (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) ->
((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (set sigma x
(get_stack v pi)) pi f)).
Axiom eval_subst : forall (f:fmla) (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (x:ident) (v:ident), (fresh_in_fmla v f) ->
((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla sigma (Cons (x,
(get_stack v pi)) pi) f)).
Axiom eval_swap : forall (f:fmla) (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value),
(~ (id1 = id2)) -> ((eval_fmla sigma (Cons (id1, v1) (Cons (id2, v2) pi))
f) <-> (eval_fmla sigma (Cons (id2, v2) (Cons (id1, v1) pi)) f)).
Axiom eval_same_var : forall (f:fmla) (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (id:ident) (v1:value) (v2:value), (eval_fmla sigma
(Cons (id, v1) (Cons (id, v2) pi)) f) <-> (eval_fmla sigma (Cons (id, v1)
pi) f).
Axiom eval_change_free : forall (f:fmla) (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) ->
((eval_fmla sigma (Cons (id, v) pi) f) <-> (eval_fmla sigma pi f)).
(* Why3 assumption *)
Definition valid_fmla(p:fmla): Prop := forall (sigma:(map mident value))
(pi:(list (ident* value)%type)), (eval_fmla sigma pi p).
Axiom let_equiv : forall (id:ident) (id':ident) (t:term) (f:fmla),
forall (sigma:(map mident value)) (pi:(list (ident* value)%type)),
(fresh_in_fmla id' f) -> ((eval_fmla sigma pi (Flet id' t (subst f id
id'))) -> (eval_fmla sigma pi (Flet id t f))).
Axiom let_equiv2 : forall (id:ident) (id':ident) (t:term) (f:fmla),
forall (sigma:(map mident value)) (pi:(list (ident* value)%type)),
(fresh_in_fmla id' f) -> ((eval_fmla sigma pi (Flet id' t (subst f id
id'))) -> (eval_fmla sigma pi (Flet id t f))).
Axiom let_implies : forall (id:ident) (t:term) (p:fmla) (q:fmla),
(valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (Flet id t p) (Flet id
t q))).
(* Why3 assumption *)
Fixpoint fresh_in_expr(id:ident) (e:expr) {struct e}: Prop :=
match e with
| (Evalue _) => True
| ((Eseq e1 e2)|(Ebin e1 _ e2)) => (fresh_in_expr id e1) /\
(fresh_in_expr id e2)
| (Evar v) => ~ (id = v)
| (Ederef _) => True
| (Eassign _ e1) => (fresh_in_expr id e1)
| (Elet v e1 e2) => (~ (id = v)) /\ ((fresh_in_expr id e1) /\
(fresh_in_expr id e2))
| (Eif e1 e2 e3) => (fresh_in_expr id e1) /\ ((fresh_in_expr id e2) /\
(fresh_in_expr id e3))
| (Eassert f) => (fresh_in_fmla id f)
| (Ewhile cond inv body) => (fresh_in_expr id cond) /\ ((fresh_in_fmla id
inv) /\ (fresh_in_expr id body))
end.
(* Why3 assumption *)
Inductive one_step : (map mident value) -> (list (ident* value)%type) -> expr
-> (map mident value) -> (list (ident* value)%type) -> expr -> Prop :=
| one_step_var : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (v:ident), (one_step sigma pi (Evar v) sigma pi
(Evalue (get_stack v pi)))
| one_step_deref : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (v:mident), (one_step sigma pi (Ederef v) sigma pi
(Evalue (get sigma v)))
| one_step_bin_ctxt1 : forall (sigma:(map mident value)) (sigma':(map
mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (op:operator) (e1:expr) (e1':expr) (e2:expr),
(one_step sigma pi e1 sigma' pi' e1') -> (one_step sigma pi (Ebin e1 op
e2) sigma' pi' (Ebin e1' op e2))
| one_step_bin_ctxt2 : forall (sigma:(map mident value)) (sigma':(map
mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (op:operator) (v1:value) (e2:expr) (e2':expr),
(one_step sigma pi e2 sigma' pi' e2') -> (one_step sigma pi
(Ebin (Evalue v1) op e2) sigma' pi' (Ebin (Evalue v1) op e2'))
| one_step_bin_value : forall (sigma:(map mident value)) (sigma':(map
mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (op:operator) (v1:value) (v2:value), (one_step sigma pi
(Ebin (Evalue v1) op (Evalue v2)) sigma' pi' (Evalue (eval_bin v1 op
v2)))
| one_step_assign_ctxt : forall (sigma:(map mident value)) (sigma':(map
mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (x:mident) (e:expr) (e':expr), (one_step sigma pi e
sigma' pi' e') -> (one_step sigma pi (Eassign x e) sigma' pi'
(Eassign x e'))
| one_step_assign_value : forall (sigma:(map mident value)) (pi:(list
(ident* value)%type)) (x:mident) (v:value), (one_step sigma pi
(Eassign x (Evalue v)) (set sigma x v) pi (Evalue Vvoid))
| one_step_seq_ctxt : forall (sigma:(map mident value)) (sigma':(map mident
value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (e1:expr) (e1':expr) (e2:expr), (one_step sigma pi e1
sigma' pi' e1') -> (one_step sigma pi (Eseq e1 e2) sigma' pi' (Eseq e1'
e2))
| one_step_seq_value : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e:expr), (one_step sigma pi (Eseq (Evalue Vvoid) e)
sigma pi e)
| one_step_let_ctxt : forall (sigma:(map mident value)) (sigma':(map mident
value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (id:ident) (e1:expr) (e1':expr) (e2:expr),
(one_step sigma pi e1 sigma' pi' e1') -> (one_step sigma pi (Elet id e1
e2) sigma' pi' (Elet id e1' e2))
| one_step_let_value : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (id:ident) (v:value) (e:expr), (one_step sigma pi
(Elet id (Evalue v) e) sigma (Cons (id, v) pi) e)
| one_step_if_ctxt : forall (sigma:(map mident value)) (sigma':(map mident
value)) (pi:(list (ident* value)%type)) (pi':(list (ident*
value)%type)) (e1:expr) (e1':expr) (e2:expr) (e3:expr), (one_step sigma
pi e1 sigma' pi' e1') -> (one_step sigma pi (Eif e1 e2 e3) sigma' pi'
(Eif e1' e2 e3))
| one_step_if_true : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e1:expr) (e2:expr), (one_step sigma pi
(Eif (Evalue (Vbool true)) e1 e2) sigma pi e1)
| one_step_if_false : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e1:expr) (e2:expr), (one_step sigma pi
(Eif (Evalue (Vbool false)) e1 e2) sigma pi e2)
| one_step_assert : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi
(Eassert f) sigma pi (Evalue Vvoid))
| one_step_while : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (cond:expr) (inv:fmla) (body:expr), (eval_fmla sigma pi
inv) -> (one_step sigma pi (Ewhile cond inv body) sigma pi (Eif cond
(Eseq body (Ewhile cond inv body)) (Evalue Vvoid))).
(* Why3 assumption *)
Inductive many_steps : (map mident value) -> (list (ident* value)%type)
-> expr -> (map mident value) -> (list (ident* value)%type) -> expr
-> Z -> Prop :=
| many_steps_refl : forall (sigma:(map mident value)) (pi:(list (ident*
value)%type)) (e:expr), (many_steps sigma pi e sigma pi e 0%Z)
| many_steps_trans : forall (sigma1:(map mident value)) (sigma2:(map mident
value)) (sigma3:(map mident value)) (pi1:(list (ident* value)%type))
(pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type))
(e1:expr) (e2:expr) (e3:expr) (n:Z), (one_step sigma1 pi1 e1 sigma2 pi2
e2) -> ((many_steps sigma2 pi2 e2 sigma3 pi3 e3 n) ->
(many_steps sigma1 pi1 e1 sigma3 pi3 e3 (n + 1%Z)%Z)).
Axiom steps_non_neg : forall (sigma1:(map mident value)) (sigma2:(map mident
value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type))
(e1:expr) (e2:expr) (n:Z), (many_steps sigma1 pi1 e1 sigma2 pi2 e2 n) ->
(0%Z <= n)%Z.
Axiom many_steps_seq : forall (sigma1:(map mident value)) (sigma3:(map mident
value)) (pi1:(list (ident* value)%type)) (pi3:(list (ident* value)%type))
(e1:expr) (e2:expr) (n:Z), (many_steps sigma1 pi1 (Eseq e1 e2) sigma3 pi3
(Evalue Vvoid) n) -> exists sigma2:(map mident value), exists