mccarthy.mlw 2.02 KB
Newer Older
1

2 3
(* McCarthy's ``91'' function. *)

4
module McCarthy91
5

6 7
  use import int.Int

8 9
  function spec (x: int) : int = if x <= 100 then 91 else x-10

10
  (* traditional recursive implementation *)
11

12
  let rec f91 (n:int) : int variant { 101-n }
13
    ensures { result = spec n }
14
  = if n <= 100 then
15 16 17
      f91 (f91 (n + 11))
    else
      n - 10
18

19
  (* non-recursive implementation using a while loop *)
20

21
  use import ref.Ref
22

23
  (* iter k x = f^k(x) *)
24
  clone import int.Iter with type t = int, function f = spec
25

26
  let f91_nonrec (n0: int) ensures { result = spec n0 }
27
  = let e = ref 1 in
28 29
    let n = ref n0 in
    while !e > 0 do
30
      invariant { !e >= 0 /\ iter !e !n = spec n0 }
31
      variant   { 101 - !n + 10 * !e, !e }
32 33 34
      if !n > 100 then begin
        n := !n - 10;
        e := !e - 1
35
      end else begin
36 37
        n := !n + 11;
        e := !e + 1
38 39
      end
    done;
40
    !n
41

42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77
  (* Use a 'morally' irrelevant control flow from a recursive function
     to ease proof (the recursive structure does not contribute to the
     program execution). This is a technique for proving derecursified
     programs. See verifythis_2016_tree_traversal for a more
     complex example. *)

  exception Stop

  let f91_pseudorec (n0:int) : int
    ensures { result = spec n0 }
  = let e = ref 1 in
    let n = ref n0 in
    let bloc () : unit
      requires { !e >= 0 }
      ensures { !(old e) > 0 }
      ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1
        else !n = !(old n) + 11 /\ !e = !(old e) + 1 }
      raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) }
    = if not (!e > 0) then raise Stop;
      if !n > 100 then begin
        n := !n - 10;
        e := !e - 1
      end else begin
        n := !n + 11;
        e := !e + 1
      end
    in
    let rec aux () : unit
      requires { !e > 0 }
      variant { 101 - !n }
      ensures { !e = !(old e) - 1 /\ !n = spec !(old n) }
      raises { Stop -> false }
    = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in
    try aux (); bloc (); absurd
    with Stop -> !n end

78
end