Commit 2839e902 by Guillaume Melquiond

Fix syntax of some examples.

parent d747d923
 ... ... @@ -79,7 +79,7 @@ module Check let is_dyck (w: word) : bool ensures { result <-> dyck w } = try match is_dyck_rec (ref Nil) w with try match is_dyck_rec (ghost ref Nil) w with | Nil -> true | _ -> false end with Failure -> false end ... ...
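Review bot: The new call `is_dyck_rec (ghost ref Nil) w` marks the stack as ghost without saying why, and the match on its result keeps a catch-all `| _ -> false`. A one-line comment at the call site, e.g. `(* the stack only carries proof state; presumably a mismatch is reported through Failure, not through a non-empty result *)`, would explain the ghost annotation — that reading is inferred from the `try ... with Failure -> false` wrapper here, since `is_dyck_rec` itself is outside the hunk. Spelling the second arm as `| Cons _ _ -> false` would also keep the match explicit if the result type is the two-constructor list that `Nil` suggests.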
 ... ... @@ -40,28 +40,28 @@ module FIND let find (a: array int) = requires { length a = _N+1 } ensures { found a /\ permut_all a (old a) } 'Init: let m = ref 1 in let n = ref _N in while !m < !n do invariant { m_invariant !m a /\ n_invariant !n a /\ permut_all a (at a 'Init) /\ 1 <= !m /\ !n <= _N } permut_all a (old a) /\ 1 <= !m /\ !n <= _N } variant { !n - !m } let r = a[f] in let i = ref !m in let j = ref !n in while !i <= !j do invariant { i_invariant !m !n !i r a /\ j_invariant !m !n !j r a /\ m_invariant !m a /\ n_invariant !n a /\ 0 <= !j /\ !i <= _N + 1 /\ termination !i !j !m !n r a /\ permut_all a (at a 'Init) } termination !i !j !m !n r a /\ permut_all a (old a) } variant { _N + 2 + !j - !i } 'L: while a[!i] < r do label L in while a[!i] < r do invariant { i_invariant !m !n !i r a /\ at !i 'L <= !i <= !n /\ termination !i !j !m !n r a } !i at L <= !i <= !n /\ termination !i !j !m !n r a } variant { _N + 1 - !i } i := !i + 1 done; while r < a[!j] do invariant { j_invariant !m !n !j r a /\ !j <= at !j 'L /\ !m <= !j /\ termination !i !j !m !n r a } !j <= !j at L /\ !m <= !j /\ termination !i !j !m !n r a } variant { !j } j := !j - 1 done; ... ... @@ -70,7 +70,7 @@ module FIND if !i <= !j then begin let w = a[!i] in begin a[!i] <- a[!j]; a[!j] <- w end; assert { exchange a (at a 'L) !i !j }; assert { exchange a (a at L) !i !j }; assert { a[!i] <= r }; assert { r <= a[!j] }; i := !i + 1; j := !j - 1 ... ...
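Review bot: The `assert { exchange a (a at L) !i !j }` after the swap depends on `a` being untouched between `label L in` and the swap, which holds only because the two scanning loops in between do nothing but `i := !i + 1` and `j := !j - 1`; that is not obvious from where the label is placed and deserves a comment, e.g. `(* a is unchanged since L: the two scans above only advance i and j *)`. The three-line swap `let w = a[!i] in begin a[!i] <- a[!j]; a[!j] <- w end` could also be a small `swap` helper with `ensures { exchange a (old a) i j }`, which would discharge the assert by contract instead of by unfolding — inferred, as no such helper is visible in the hunk. `find`'s body continues outside the hunk.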
 ... ... @@ -33,13 +33,12 @@ module Flag let b = ref 0 in let i = ref 0 in let r = ref (length a) in 'Init: while !i < !r do invariant { 0 <= !b <= !i <= !r <= length a } invariant { monochrome a 0 !b Blue } invariant { monochrome a !b !i White } invariant { monochrome a !r (length a) Red } invariant { permut_all (at a 'Init) a } invariant { permut_all (old a) a } variant { !r - !i } match a[!i] with | Blue -> ... ...
 ... ... @@ -80,24 +80,23 @@ module Flag a := set !a j ai let dutch_flag (a:ref (map int color)) (n:int) = let dutch_flag (a:ref (map int color)) (n:int) requires { 0 <= n } ensures { (exists b:int. exists r:int. monochrome !a 0 b Blue /\ monochrome !a b r White /\ monochrome !a r n Red) } ensures { forall c:color. nb_occ !a 0 n c = nb_occ (old !a) 0 n c } let b = ref 0 in = let b = ref 0 in let i = ref 0 in let r = ref n in 'Init: while !i < !r do invariant { 0 <= !b <= !i <= !r <= n } invariant { monochrome !a 0 !b Blue } invariant { monochrome !a !b !i White } invariant { monochrome !a !r n Red } invariant { forall c:color. nb_occ !a 0 n c = nb_occ (at !a 'Init) 0 n c } forall c:color. nb_occ !a 0 n c = nb_occ (old !a) 0 n c } variant { !r - !i } match get !a !i with | Blue -> swap a !b !i; b := !b + 1; i := !i + 1 ... ...
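Review bot: The `ensures` of `dutch_flag` in the second hunk states `exists b r. monochrome !a 0 b Blue /\ monochrome !a b r White /\ monochrome !a r n Red` but does not bound the witnesses, although the loop invariant `0 <= !b <= !i <= !r <= n` together with the exit condition `!i >= !r` establishes `0 <= b <= r <= n`; callers therefore get a weaker postcondition than what is actually proved. Adding the bounds is a one-line change: `ensures { exists b r. 0 <= b <= r <= n /\ monochrome !a 0 b Blue /\ monochrome !a b r White /\ monochrome !a r n Red }`. The same remark would apply to the array version in the first hunk if its `ensures`, which is outside the hunk, has the same shape.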
 ... ... @@ -55,7 +55,7 @@ module Utils_Spec lemma countZero: count zeros = zeros lemma numOfZero: NumOf.numof (\i. nth zeros i) 0 32 = 0 lemma numOfZero: NumOf.numof (fun i -> nth zeros i) 0 32 = 0 (** Now, for b a bitvector with n 1-bits, we check that if its first bit is 0 then shifting b by one on the right doesn't ... ... @@ -86,7 +86,7 @@ module Utils_Spec let x = (if nth_bv bv zeros then 1 else 0) in let f = nth bv in let g = nth (lsr_bv bv one) in let h = \i. nth bv (i+1) in let h = fun i -> nth bv (i+1) in (forall i. 0 <= i < 31 -> g i = h i) && NumOf.numof f 0 32 - x = NumOf.numof f (0+1) 32 && NumOf.numof f (0+1) (31+1) = NumOf.numof h 0 31 && ... ... @@ -117,7 +117,7 @@ module Utils_Spec lemma separation: forall a b. hammingD a b = zeros <-> a = b function fun_or (f g : HO.pred 'a) : HO.pred 'a = \x. f x \/ g x function fun_or (f g : 'a -> bool) : 'a -> bool = fun x -> f x \/ g x let rec lemma numof_or (p q : int -> bool) (a b: int) : unit variant {b - a} ... ...
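Review bot: The rewritten lemma `numOfZero` and the proof steps in the second hunk hard-code the bit width as `32`/`31` in several places (`NumOf.numof ... 0 32`, `0 <= i < 31`, `(0+1) (31+1)`, `NumOf.numof h 0 31`) that must all change together if the width ever does. If the bitvector theory in scope exposes its width as a constant (the generic Why3 bitvector modules do, as far as I recall, but that is not visible here), these would read better as `size` and `size - 1`; otherwise a local `constant width : int = 32` with a comment naming it as the bitvector width would do. This is style only; the arithmetic is unchanged. The enclosing `let` of the second hunk starts and ends outside the hunk.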
 ... ... @@ -272,16 +272,16 @@ module N value_sub x.elts 0 (to_int !i) (to_int l) + value_sub y.elts 0 (to_int !i) (to_int h) } variant { to_int l - to_int !i } 'L: label L in let sum = Int31.(+) (Int31.(+) x[!i] y[!i]) !carry in if Int31.(>=) sum base31 then begin arr[!i] <- Int31.(-) sum base31; carry := one end else begin arr[!i] <- sum; carry := zero end; if Int31.ne arr[!i] zero then non_null_idx := !i; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; i := Int31.(+) !i one; done; while Int31.(<) !i h do ... ... @@ -300,24 +300,24 @@ module N value_sub x.elts 0 (to_int l) (to_int l) + value_sub y.elts 0 (to_int !i) (to_int h) } variant { to_int h - to_int !i } 'L: label L in let sum = Int31.(+) y[!i] !carry in if Int31.(>=) sum base31 then begin arr[!i] <- Int31.(-) sum base31; carry := one end else begin arr[!i] <- sum; carry := zero end; if Int31.ne arr[!i] zero then non_null_idx := !i; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; i := Int31.(+) !i one; done; 'L: label L in arr[!i] <- !carry; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; assert { value_array arr = value_array x + value_array y }; abstract ensures { -1 <= to_int !non_null_idx <= to_int !i } ... ... 
@@ -547,7 +547,7 @@ module Z value_sub x.elts 0 (to_int !i) (to_int l) + value_sub y.elts 0 (to_int !i) (to_int h) } variant { to_int l - to_int !i } 'L: label L in let sum = Int31.(+) (Int31.(+) x[!i] y[!i]) !carry in if Int31.(>=) sum max_digit31 then begin arr[!i] <- Int31.(-) sum base31; carry := one end ... ... @@ -556,9 +556,9 @@ module Z then begin arr[!i] <- Int31.(+) sum base31; carry := minusone end else begin arr[!i] <- sum; carry := zero end; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; i := Int31.(+) !i one; done; while Int31.(<) !i h do ... ... @@ -572,7 +572,7 @@ module Z value_sub x.elts 0 (to_int l) (to_int l) + value_sub y.elts 0 (to_int !i) (to_int h) } variant { to_int h - to_int !i } 'L: label L in let sum = Int31.(+) y[!i] !carry in if Int31.(>=) sum max_digit31 then begin arr[!i] <- Int31.(-) sum base31; carry := one end ... ... @@ -581,17 +581,17 @@ module Z then begin arr[!i] <- Int31.(+) sum base31; carry := minusone end else begin arr[!i] <- sum; carry := zero end; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; i := Int31.(+) !i one; done; 'L: label L in arr[!i] <- !carry; assert { MapEq.map_eq_sub arr.elts (at arr 'L).elts 0 (to_int !i) }; MapEq.map_eq_sub arr.elts (arr at L).elts 0 (to_int !i) }; assert { value_sub arr.elts 0 (to_int !i) (to_int h + 1) = value_sub (at arr 'L).elts 0 (to_int !i) (to_int h + 1) }; value_sub (arr at L).elts 0 (to_int !i) (to_int h + 1) }; arr let add (x y:t) : t ... ...
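Review bot: In both `N` and `Z`, the same name `L` is rebound three times per addition routine — at the top of each of the two loop bodies and once more before the final `arr[!i] <- !carry` — so each `arr at L` in the asserts refers to a different program point under one name, and the third `label L in` sits outside any loop while the first two are re-entered per iteration. Since the commit already touches every former `'L:`, this is the moment to name them distinctly, e.g. `label L1 in` / `label L2 in` / `label Carry in` with the matching `arr at L1` etc. in the asserts, so a reader can tell which snapshot each `map_eq_sub` and `value_sub` comparison is against. Scoping presumably makes the reuse legal, so this is readability only. The routines start before the first hunk and end after the last.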
 ... ... @@ -58,20 +58,20 @@ constant p2 : term = (Lambda y (Var y))) (Lambda x (Var x)) predicate ground_rec (t:term) (bound: H.pred identifier) = predicate ground_rec (t:term) (bound: identifier -> bool) = match t with | Var v -> bound v | App t1 t2 -> ground_rec t1 bound /\ ground_rec t2 bound | Lambda x t -> ground_rec t (\v. v=x \/ bound v) end let lemma ground_rec_app (t1 t2 : term) (bound: H.pred identifier) let lemma ground_rec_app (t1 t2 : term) (bound: identifier -> bool) requires { ground_rec (App t1 t2) bound } ensures { ground_rec t1 bound } ensures { ground_rec t2 bound } = () function no_bound : H.pred identifier = (\x. false) function no_bound : identifier -> bool = fun x -> false predicate ground (t:term) = ground_rec t no_bound ... ...
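Review bot: The unchanged arm `| Lambda x t -> ground_rec t (\v. v=x \/ bound v)` still uses the old backslash lambda syntax, while the same hunk converts `no_bound` to `fun x -> false` and changes `bound`'s type to `identifier -> bool`; unless the parser still accepts the backslash form, this arm will not parse after the commit, and it should read `| Lambda x t -> ground_rec t (fun v -> v = x \/ bound v)`. The unused binder in `function no_bound : identifier -> bool = fun x -> false` could also be written `fun _ -> false` to make the intent explicit, if the grammar allows anonymous binders there. A short comment on `ground_rec` stating that `bound` is the set of variables bound by enclosing lambdas would help readers, since the predicate's purpose is only implied by its use in `ground`.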
 ... ... @@ -6,11 +6,11 @@ module String type char constant dummy_char: char type string = { length: int; chars: HO.func int char } type string = { length: int; chars: int -> char } function ([]) (s: string) (i: int) : char = s.chars i constant empty : string = { length = 0; chars = \ i: int. dummy_char } constant empty : string = { length = 0; chars = fun (i: int) -> dummy_char } val get (s: string) (i:int) : char requires { 0 <= i < s.length } ... ... @@ -18,11 +18,11 @@ module String function app (s1 s2: string) : string = { length = s1.length + s2.length; chars = \ i: int. chars = fun i -> if i < s1.length then s1.chars i else s2.chars (i - s1.length) } function sub (s: string) (ofs: int) (len: int) : string = { length = len; chars = \ i: int. s.chars (i - ofs) } { length = len; chars = fun i -> s.chars (i - ofs) } predicate (==) (s1 s2: string) = s1.length = s2.length /\ ... ...
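Review bot: `sub` now builds `chars = fun i -> s.chars (i - ofs)`, so character `i` of the substring is read from position `i - ofs` of `s` — for `ofs > 0` and `i < ofs` that is a negative index, and it is the opposite of the usual substring convention where position `i` of `sub s ofs len` is `s[ofs + i]`; unless this module deliberately uses a shifted-index convention (nothing in the hunk suggests so), the line should read `{ length = len; chars = fun i -> s.chars (ofs + i) }`. Any lemma relating `sub` to `[]` or a caller of `sub` would settle which convention is intended, but they are outside the hunk. The binder in `empty`, `fun (i: int) -> dummy_char`, is unused and could be `fun (_: int) -> dummy_char` if the grammar allows it.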
 ... ... @@ -334,11 +334,10 @@ module M2 ensures { reverse (model (old !next) (old !p)) = model !next !result } = let old_p = !p in let q = ref null in 'Init: while !p <> null do invariant { is_list !next !p /\ is_list !next !q } invariant { sep_list_list !next !p !q } invariant { reverse (model (at !next 'Init) (old_p)) = invariant { reverse (model (old !next) (old_p)) = reverse (model !next !p) ++ model !next !q } variant { model !next !p } let tmp = !next[!p] in ... ...
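Review bot: With `old` now used in the loop invariant (the hunk replaces `at !next 'Init` by `old !next`), the invariant names the entry state two ways — `old !next` and the local `old_p` — while the `ensures` above writes `old !p`. Nothing between the function entry (`=` immediately precedes `let old_p = !p in`) and that binding assigns `p`, so `old_p` equals `old !p`, and the invariant could read `reverse (model (old !next) (old !p)) = reverse (model !next !p) ++ model !next !q` for symmetry with the postcondition; keep `old_p` if it is needed after the loop, which lies outside the hunk. Style only; the proof obligation is the same.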