1. 05 Sep, 2011 1 commit
2. 04 Sep, 2011 3 commits
3. 03 Sep, 2011 2 commits
4. 02 Sep, 2011 9 commits
5. 01 Sep, 2011 4 commits
6. 31 Aug, 2011 2 commits
7. 29 Aug, 2011 1 commit
8. 25 Aug, 2011 1 commit
9. 24 Aug, 2011 2 commits
10. 23 Aug, 2011 6 commits
• Add a new transformation that instantiates the axioms marked with the · 4d7dd217
Guillaume Melquiond authored
```meta "instantiate : auto" on as many terms as possible.

The transformation is rather naive, since it doesn't look for term
candidates under quantifiers, if-then-else, let-in, and so on. So it can
only appear late in the transformation pipe.

It is only enabled for Gappa and its target axioms are the ones that state
that any floating-point value is bounded. It was the last transformation
from Why2 still missing in Why3.

Thanks to this transformation, Gappa is now able to prove all the safety
obligations from the following code, including the ones about division and
downcast, which is definitely frightening.

/*@ assigns \nothing;
@ ensures \result == \abs(x);
@*/
extern double fabs(double x);

/*@ requires \valid(AB_Ptr) && \valid(CD_Ptr);
@ assigns *AB_Ptr, *CD_Ptr;
@ ensures \abs(*AB_Ptr) <= 6.111111e-2;
@ ensures \abs(*CD_Ptr) <= 6.111111e-2;
@ */
void limitValue(float *AB_Ptr, float *CD_Ptr)
{
double Fabs_AB, Fabs_CD;
double max;

Fabs_AB = fabs (*AB_Ptr);
Fabs_CD = fabs (*CD_Ptr);

max = Fabs_AB;
if (Fabs_CD > Fabs_AB)  max = Fabs_CD;

if ( max > 6.111111e-2)
{
*AB_Ptr = (float) (((*AB_Ptr) * 6.111111e-2) / max);
*CD_Ptr = (float) (((*CD_Ptr) * 6.111111e-2) / max);
}
}```
• Add new Gappa versions. · 06c33403
Guillaume Melquiond authored
• Add some axioms for floating-point arithmetic. · c587be38
Guillaume Melquiond authored
```In particular, they are now sufficient to prove that the difference of two
nonnegative floating-point numbers do not overflow.```
• Fix detection of Alt-Ergo >= 0.93. · d53499b5
Guillaume Melquiond authored
11. 22 Aug, 2011 9 commits