Convert some more examples.

b7d720e3 · Guillaume Melquiond · 1b197bd7 · b7d720e3 · b7d720e3 · b7d720e3
Commit b7d720e3 authored Jun 14, 2018 by Guillaume Melquiond
9 changed files
--- a/examples/mergesort_list.mlw
+++ b/examples/mergesort_list.mlw
@@ -79,8 +79,8 @@ end
 (** Mergesort.

    This implementation splits the input list in two according to even- and
-    odd-order elements (see function [split] below). Thus it is not stable.
-    For a stable implementation, see below module [OCamlMergesort]. *)
+    odd-order elements (see function `split` below). Thus it is not stable.
+    For a stable implementation, see below module `OCamlMergesort`. *)

 module Mergesort

@@ -124,8 +124,8 @@ end

    - all functions are tail recursive. To avoid the extra cost of
      List.rev, sort is duplicated in two versions that respectively
-      sort in order and in reverse order ([sort] and [sort_rev]) and
-      merge is duplicated as well ([rev_merge] and [rev_merge_rev]).
+      sort in order and in reverse order (`sort` and `sort_rev`) and
+      merge is duplicated as well (`rev_merge` and `rev_merge_rev`).

    Note: this is a stable sort, but stability is not proved here.
 *)
@@ -214,8 +214,8 @@ module OCamlMergesort
      | Nil -> absurd
    end

-  (** [sort n l] sorts [prefix n l]
-      and [rev_sort n l]  sorts [prefix n l] in reverse order. *)
+  (** `sort n l` sorts `prefix n l`
+      and `rev_sort n l`  sorts `prefix n l` in reverse order. *)

  use import mach.int.Int


--- a/examples/multiprecision/add.mlw
+++ b/examples/multiprecision/add.mlw
@@ -11,9 +11,9 @@ module Add
  use import types.Types
  use import lemmas.Lemmas

-  (** [add_limb r x y sz] adds to [x] the value of the limb [y],
-      writes the result in [r] and returns the carry. [r] and [x]
-      have size [sz]. This corresponds to the function [mpn_add_1] *)
+  (** `add_limb r x y sz` adds to `x` the value of the limb `y`,
+      writes the result in `r` and returns the carry. `r` and `x`
+      have size `sz`. This corresponds to the function `mpn_add_1` *)
  (* r and x must be separated. This is enforced by Why3 regions in typing *)
  let add_limb (r x:t) (y:limb) (sz:int32) : limb
    requires { valid x sz }
@@ -87,8 +87,8 @@ module Add
    end


-  (** [add_limbs r x y sz] adds [x[0..sz-1]] and [y[0..sz-1]] and writes the result in [r].
-      Returns the carry, either [0] or [1]. Corresponds to the function [mpn_add_n]. *)
+  (** `add_limbs r x y sz` adds `x[0..sz-1]` and `y[0..sz-1]` and writes the result in `r`.
+      Returns the carry, either `0` or `1`. Corresponds to the function `mpn_add_n`. *)

  let add_limbs (r x y:t) (sz:int32) : limb
    requires { valid x sz }
@@ -152,9 +152,9 @@ module Add
    done;
    !c

-  (** [add r x y sx sy] adds [(x, sx)] to [(y,sy)] and writes the
-      result in [(r, sx)].  [sx] must be greater than or equal to
-      [sy]. Returns carry, either 0 or 1. Corresponds to [mpn_add]. *)
+  (** `add r x y sx sy` adds `(x, sx)` to `(y, sy)` and writes the
+      result in `(r, sx)`.  `sx` must be greater than or equal to
+      `sy`. Returns carry, either 0 or 1. Corresponds to `mpn_add`. *)
  let add (r x y:t) (sx sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
@@ -422,9 +422,9 @@ module Add

  use import int.EuclideanDivision

-  (** [incr x y sz] adds to [x] the value of the limb [y] in place.
-      [x] has size [sz]. The addition must not overflow. This corresponds
-      to [mpn_incr] *)
+  (** `incr x y sz` adds to `x` the value of the limb `y` in place.
+      `x` has size `sz`. The addition must not overflow. This corresponds
+      to `mpn_incr` *)
  let incr (x:t) (y:limb) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
@@ -482,9 +482,9 @@ module Add
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i !i) (x.offset + p2i sz)

-  (** [incr_1 x sz] adds 1 to [x] in place.
-      [x] has size [sz]. The addition must not overflow.
-      This corresponds to [mpn_incr] *)
+  (** `incr_1 x sz` adds 1 to `x` in place.
+      `x` has size `sz`. The addition must not overflow.
+      This corresponds to `mpn_incr` *)
  let incr_1 (x:t) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
@@ -545,4 +545,4 @@ module Add
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i !i) (x.offset + p2i sz)

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/compare.mlw
+++ b/examples/multiprecision/compare.mlw
@@ -13,7 +13,8 @@ module Compare
  function compare_int (x y:int) : int =
    if x < y then -1 else if x=y then 0 else 1

-  (** [compare_same_size] compares [x[0..sz-1]] and [y[0..sz-1]] as unsigned integers. It corresponds to [GMPN_CMP]. *)
+  (** `compare_same_size` compares `x[0..sz-1]` and `y[0..sz-1]` as unsigned integers.
+      It corresponds to `GMPN_CMP`. *)
  let compare_same_size (x y:t) (sz:int32) : int32
    requires { valid x sz }
    requires { valid y sz }
@@ -84,4 +85,4 @@ module Compare
   with Return32 r -> r
   end

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/div.mlw
+++ b/examples/multiprecision/div.mlw
@@ -318,9 +318,9 @@ module Div
    assert { !qh * d + !r = ul + radix * uh };
    (!qh,!r)

-(** [divmod_1 q x y sz] divides [(x,sz)] by [y], writes the quotient
-    in [(q, sz)] and returns the remainder. Corresponds to
-    [mpn_divmod_1]. *)
+(** `divmod_1 q x y sz` divides `(x, sz)` by `y`, writes the quotient
+    in `(q, sz)` and returns the remainder. Corresponds to
+    `mpn_divmod_1`. *)
 (* TODO develop further decimal points (qxn) *)
 let divmod_1 (q x:t) (y:limb) (sz:int32) : limb
    requires { valid x sz }
@@ -1241,10 +1241,10 @@ let divmod_1 (q x:t) (y:limb) (sz:int32) : limb
    let u2, b2 = sub_with_borrow u1 z limb_zero in
    (u2, (Limb.(+) b1 b2))

-  (** [submul_limb r x y sz] multiplies [(x, sz)] by [y], substracts the [sz]
-      least significant limbs from [(r, sz)] and writes the result in [(r,sz)].
+  (** `submul_limb r x y sz` multiplies `(x, sz)` by `y`, subtracts the `sz`
+      least significant limbs from `(r, sz)` and writes the result in `(r, sz)`.
      Returns the most significant limb of the product plus the borrow
-      of the substraction. Corresponds to [mpn_submul_1].*)
+      of the subtraction. Corresponds to `mpn_submul_1`.*)
  let submul_limb (r x:t) (y:limb) (sz:int32):limb
    requires { valid x sz }
    requires { valid r sz }
@@ -1363,7 +1363,7 @@ let divmod_1 (q x:t) (y:limb) (sz:int32) : limb
    done;
    !b

-  (* [(x,sz)] is normalized if its most significant bit is set. *)
+  (* `(x, sz)` is normalized if its most significant bit is set. *)
  predicate normalized (x:t) (sz:int32) =
    valid x sz
    /\ (pelts x)[x.offset + sz - 1] >= div radix 2
@@ -3722,9 +3722,9 @@ let divmod_1 (q x:t) (y:limb) (sz:int32) : limb

 (*  val sub_limb_in_place (x:t) (y:limb) (sz:int32) : limb*)

-  (** [div_qr q r x y sx sy] divides [(x,sx)] by [(y,sy)], writes the quotient
-    in [(q, (sx-sy))] and the remainder in [(r, sy)]. Corresponds to
-    [mpn_tdiv_qr]. *)
+  (** `div_qr q r x y sx sy` divides `(x, sx)` by `(y, sy)`, writes the quotient
+    in `(q, (sx-sy))` and the remainder in `(r, sy)`. Corresponds to
+    `mpn_tdiv_qr`. *)
  let div_qr (q r x y nx ny:t) (sx sy:int32) : unit
    requires { 1 <= sy <= sx <= (Int32.max_int32 - 1) }
    requires { valid x sx }

--- a/examples/multiprecision/lemmas.mlw
+++ b/examples/multiprecision/lemmas.mlw
@@ -6,7 +6,7 @@ module Lemmas
  use map.Const
  use import int.Int

-  (** {3 complements to map standard library} *)
+  (** {3 Complements to map standard library} *)

  predicate map_eq_sub_shift (x y:map int 'a) (xi yi sz:int) =
    forall i. 0 <= i < sz -> x[xi+i] = y[yi+i]
@@ -63,8 +63,8 @@ module Lemmas

  (** {3 Integer value of a natural number} *)

-  (** [value_sub x n m] denotes the integer represented by
-     the digits x[n..m-1] with lsb at index n *)
+  (** `value_sub x n m` denotes the integer represented by
+     the digits `x[n..m-1]` with lsb at index n *)
  let rec ghost function value_sub (x:map int limb) (n:int) (m:int) : int
     variant {m - n}
   =
@@ -204,4 +204,4 @@ module Lemmas

  = value_sub_concat (pelts x) x.offset (x.offset + p2i n) (x.offset + p2i m)

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/logical.mlw
+++ b/examples/multiprecision/logical.mlw
@@ -113,9 +113,9 @@ module Logical
           };
    r

-  (** [lshift r x sz cnt] shifts [(x,sz)] [cnt] bits to the left and
-      writes the result in [(r, sz)]. Returns the [cnt] most significant
-      bits of [(x, sz)]. Corresponds to [mpn_lshift]. *)
+  (** `lshift r x sz cnt` shifts `(x, sz)` `cnt` bits to the left and
+      writes the result in `(r, sz)`. Returns the `cnt` most significant
+      bits of `(x, sz)`. Corresponds to `mpn_lshift`. *)
  (*TODO overlapping allowed if r >= x*)
  let lshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
@@ -252,9 +252,9 @@ module Logical
   value_sub_head (pelts r) r.offset (r.offset + p2i sz);
   retval

-  (** [rshift r x sz cnt] shifts [(x,sz)] [cnt] bits to the right and
-      writes the result in [(r, sz)]. Returns the [cnt] least significant
-      bits of [(x, sz)]. Corresponds to [mpn_rshift]. *)
+  (** `rshift r x sz cnt` shifts `(x, sz)` `cnt` bits to the right and
+      writes the result in `(r, sz)`. Returns the `cnt` least significant
+      bits of `(x, sz)`. Corresponds to `mpn_rshift`. *)
  (*TODO overlapping allowed if r <= x*)
  let rshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { valid x sz }
@@ -386,4 +386,4 @@ module Logical
           };
    retval

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/mul.mlw
+++ b/examples/multiprecision/mul.mlw
@@ -14,9 +14,9 @@ module Mul
  use import add.Add


-    (** [mul_limb r x y sz] multiplies [x[0..sz-1]] by the limb [y] and
-    writes the n least significant limbs in [r], and returns the most
-    significant limb. It corresponds to [mpn_mul_1]. *)
+    (** `mul_limb r x y sz` multiplies `x[0..sz-1]` by the limb `y` and
+    writes the n least significant limbs in `r`, and returns the most
+    significant limb. It corresponds to `mpn_mul_1`. *)
  let mul_limb (r x:t) (y:limb) (sz:int32) : limb
    requires { valid x sz }
    requires { valid r sz }
@@ -91,10 +91,10 @@ module Mul
    done;
    !c

-  (** [addmul_limb r x y sz] multiplies [(x, sz)] by [y], adds the [sz]
-      least significant limbs to [(r, sz)] and writes the result in [(r,sz)].
+  (** `addmul_limb r x y sz` multiplies `(x, sz)` by `y`, adds the `sz`
+      least significant limbs to `(r, sz)` and writes the result in `(r, sz)`.
      Returns the most significant limb of the product plus the carry
-      of the addition. Corresponds to [mpn_addmul_1].*)
+      of the addition. Corresponds to `mpn_addmul_1`.*)
  let addmul_limb (r x:t) (y:limb) (sz:int32):limb
    requires { valid x sz }
    requires { valid r sz }
@@ -214,9 +214,9 @@ module Mul
    done;
    !c

-  (** [mul_limbs r x y sz] multiplies [(x, sz)] and [(y, sz)] and
-  writes the result to [(r, 2*sz)]. [r] must not overlap with either
-  [x] or [y]. Corresponds to [mpn_mul_n].  *)
+  (** `mul_limbs r x y sz` multiplies `(x, sz)` and `(y, sz)` and
+  writes the result to `(r, 2*sz)`. `r` must not overlap with either
+  `x` or `y`. Corresponds to `mpn_mul_n`.  *)
  let mul_limbs (r x y:t) (sz:int32) : unit
    requires { sz > 0 }
    requires { valid x sz }
@@ -479,9 +479,9 @@ module Mul
    done;
    !c

-  (** [mul r x y sx sy] multiplies [(x, sx)] and [(y,sy)] and writes
-  the result in [(r, sx+sy)]. [sx] must be greater than or equal to
-  [sy]. Corresponds to [mpn_mul]. *)
+  (** `mul r x y sx sy` multiplies `(x, sx)` and `(y,sy)` and writes
+  the result in `(r, sx+sy)`. `sx` must be greater than or equal to
+  `sy`. Corresponds to `mpn_mul`. *)
  let mul (r x y:t) (sx sy:int32) : unit
    requires { 0 < sy <= sx }
    requires { valid x sx }
@@ -598,4 +598,4 @@ module Mul
      rp.contents <- C.incr !rp one;
    done;

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/sub.mlw
+++ b/examples/multiprecision/sub.mlw
@@ -12,9 +12,9 @@ module Sub
  use import lemmas.Lemmas


-  (** [sub_limb r x y sz] substracts [y] from [(x, sz)] and writes
-      the result to [(r, sz)]. Returns borrow, either 0 or
-      1. Corresponds to [mpn_sub_1]. *)
+  (** `sub_limb r x y sz` subtracts `y` from `(x, sz)` and writes
+      the result to `(r, sz)`. Returns borrow, either 0 or
+      1. Corresponds to `mpn_sub_1`. *)
  let sub_limb (r x:t) (y:limb) (sz:int32) : limb
    requires { valid x sz }
    requires { valid r sz }
@@ -87,9 +87,9 @@ module Sub
    !b
  end

-  (** [sub_limbs r x y sz] substracts [(y, sz)] from [(x, sz)] and
-      writes the result to [(r, sz)]. Returns borrow, either 0 or
-      1. Corresponds to [mpn_sub_n]. *)
+  (** `sub_limbs r x y sz` subtracts `(y, sz)` from `(x, sz)` and
+      writes the result to `(r, sz)`. Returns borrow, either 0 or
+      1. Corresponds to `mpn_sub_n`. *)
  let sub_limbs (r x y:t) (sz:int32) : limb
    requires { valid x sz }
    requires { valid y sz }
@@ -153,9 +153,9 @@ module Sub
      done;
      !b

-  (** [sub r x y sx sy] substracts [(y,sy)] from [(x, sx)] and writes the
-      result in [(r, sx)]. [sx] must be greater than or equal to
-      [sy]. Returns borrow, either 0 or 1. Corresponds to [mpn_sub]. *)
+  (** `sub r x y sx sy` subtracts `(y,sy)` from `(x, sx)` and writes the
+      result in `(r, sx)`. `sx` must be greater than or equal to
+      `sy`. Returns borrow, either 0 or 1. Corresponds to `mpn_sub`. *)
  let sub (r x y:t) (sx sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
@@ -418,9 +418,9 @@ module Sub
      end
    end

-  (** [decr x y sz] subtracts from [x] the value of the limb [y] in place.
-      [x] has size [sz]. The subtraction must not overflow. This corresponds
-      to [mpn_decr] *)
+  (** `decr x y sz` subtracts from `x` the value of the limb `y` in place.
+      `x` has size `sz`. The subtraction must not overflow. This corresponds
+      to `mpn_decr` *)
  let decr (x:t) (y:limb) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
@@ -480,9 +480,9 @@ module Sub
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i !i) (x.offset + p2i sz)

-  (** [incr_1 x sz] subtracts 1 from [x] in place.
-      [x] has size [sz]. The subtraction must not overflow.
-      This corresponds to [mpn_decr] *)
+  (** `incr_1 x sz` subtracts 1 from `x` in place.
+      `x` has size `sz`. The subtraction must not overflow.
+      This corresponds to `mpn_decr` *)
  let decr_1 (x:t) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
@@ -543,4 +543,4 @@ module Sub
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i !i) (x.offset + p2i sz)

-end
\ No newline at end of file
+end
--- a/examples/multiprecision/util.mlw
+++ b/examples/multiprecision/util.mlw
@@ -42,7 +42,7 @@ module Util
      i := Int32.(+) !i one;
    done

-   (* [is_zero] checks if [x[0..sz-1]] is zero. It corresponds to [mpn_zero_p]. *)
+   (* `is_zero` checks if `x[0..sz-1]` is zero. It corresponds to `mpn_zero_p`. *)
   let is_zero (x:t) (sz:int32) : int32
     requires { valid x sz }
     ensures { 0 <= Int32.to_int result <= 1 }
@@ -75,7 +75,7 @@ module Util
     with Return32 r -> r
     end

-  (** [zero r sz] sets [(r,sz)] to zero. Corresponds to [mpn_zero]. *)
+  (** `zero r sz` sets `(r,sz)` to zero. Corresponds to `mpn_zero`. *)
  let zero (r:t) (sz:int32) : unit
    requires { valid r sz }
    ensures { value r sz = 0 }
@@ -95,4 +95,4 @@ module Util
      i := Int32.(+) !i (Int32.of_int 1);
    done

-end
\ No newline at end of file
+end