Commit 588edddb by MARCHE Claude

### example isqrt: additional lemmas and assert to ease the proofs

parent da34dca3
 ... @@ -7,9 +7,14 @@ module Square ... @@ -7,9 +7,14 @@ module Square function sqr (x:int) : int = x * x function sqr (x:int) : int = x * x lemma sqr_non_neg: forall x:int. sqr x >= 0 lemma sqr_increasing: lemma sqr_increasing: forall x y:int. 0 <= x <= y -> sqr x <= sqr y forall x y:int. 0 <= x <= y -> sqr x <= sqr y lemma sqr_sum : forall x y : int. sqr(x+y) = sqr x + 2*x*y + sqr y predicate isqrt_spec (x res:int) = predicate isqrt_spec (x res:int) = res >= 0 /\ sqr res <= x < sqr (res + 1) res >= 0 /\ sqr res <= x < sqr (res + 1) end end ... @@ -56,7 +61,7 @@ module NewtonMethod ... @@ -56,7 +61,7 @@ module NewtonMethod = if x = 0 then 0 else = if x = 0 then 0 else if x <= 3 then 1 else if x <= 3 then 1 else let y = ref x in let y = ref x in let z = ref (div (x+1) 2) in let z = ref (div (1 + x) 2) in while !z < !y do while !z < !y do variant { !y } variant { !y } invariant { !z > 0 } invariant { !z > 0 } ... @@ -79,6 +84,7 @@ module NewtonMethod ... @@ -79,6 +84,7 @@ module NewtonMethod = sqr (a + 1 - !y) = sqr (a + 1 - !y) >= 0 } >= 0 } done; done; assert { !y * !y <= div x !y * !y by !y <= div x !y }; !y !y end end
This diff is collapsed.
No preview for this file type
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!