Commit e55e1d35 authored by Raphael Rieu-Helft's avatar Raphael Rieu-Helft

Add schoolbook GMP functions to examples and bench

parent bb165cfe
......@@ -269,8 +269,8 @@ goods examples/avl "-L examples/avl"
goods examples/verifythis_2016_matrix_multiplication "-L examples/verifythis_2016_matrix_multiplication"
goods examples/double_wp "-L examples/double_wp"
goods examples/ring_decision "-L examples/ring_decision"
goods examples/multiprecision "-L examples/multiprecision"
goods examples/in_progress
goods examples/in_progress/multiprecision "-L examples/in_progress/multiprecision"
echo ""
echo "=== Checking replay (no prover) ==="
......@@ -290,6 +290,7 @@ replay examples/avl "-L examples/avl --merging-only"
#replay examples/to_port/verifythis_2016_matrix_multiplication "-L examples/to_port/verifythis_2016_matrix_multiplication --merging-only"
replay examples/double_wp "-L examples/double_wp --merging-only"
replay examples/ring_decision "-L examples/ring_decision --merging-only"
replay examples/multiprecision "-L examples/multiprecision --merging-only"
#replay examples/in_progress --merging-only
#replay examples/in_progress/multiprecision "-L examples/in_progress/multiprecision --merging-only"
echo ""
......
This diff is collapsed.
This diff is collapsed.
module Compare
use import int.Int
use import mach.int.Int32
use import mach.int.UInt64GMP as Limb
use import int.Power
use import ref.Ref
use import mach.c.C
use import map.Map
use import types.Types
use import lemmas.Lemmas
function compare_int (x y:int) : int =
if x < y then -1 else if x=y then 0 else 1
(** [compare_same_size] compares [x[0..sz-1]] and [y[0..sz-1]] as unsigned integers. It corresponds to [GMPN_CMP]. *)
let compare_same_size (x y:t) (sz:int32) : int32
requires { valid x sz }
requires { valid y sz }
ensures { result = compare_int (value x sz) (value y sz) }
=
let i = ref sz in
try
while Int32.(>=) !i (Int32.of_int 1) do
variant { p2i !i }
invariant { 0 <= !i <= sz }
invariant { forall j. !i <= j < sz ->
(pelts x)[x.offset+j] = (pelts y)[y.offset+j] }
assert { forall j. 0 <= j < sz - !i ->
let k = !i+j in
!i <= k < sz ->
(pelts x)[x.offset+k] = (pelts y)[y.offset+k] /\
(pelts x)[!i+x.offset+j] = (pelts y)[!i+y.offset+j] };
value_sub_frame_shift (pelts x) (pelts y) (p2i !i+x.offset)
(p2i !i+y.offset) ((p2i sz) - (p2i !i));
let ghost k = p2i !i in
i := Int32.(-) !i (Int32.of_int 1);
assert { 0 <= !i < sz };
let lx = get_ofs x !i in
let ly = get_ofs y !i in
if (not (Limb.(=) lx ly))
then begin
value_sub_concat (pelts x) x.offset (x.offset+k) (x.offset+p2i sz);
value_sub_concat (pelts y) y.offset (y.offset+k) (y.offset+p2i sz);
assert { compare_int (value x sz)
(value y sz)
= compare_int (value x k) (value y k) };
value_sub_tail (pelts x) x.offset (x.offset+k-1);
value_sub_tail (pelts y) y.offset (y.offset+k-1);
if Limb.(>) lx ly
then begin
value_sub_upper_bound (pelts y) y.offset (y.offset+k-1);
value_sub_lower_bound (pelts x) x.offset (x.offset+k-1);
assert { value x k - value y k =
(l2i lx - ly) * (power radix (k-1))
- ((value y (k-1)) - (value x (k-1)))
};
assert { (lx - ly) * (power radix (k-1))
>= power radix (k-1)
> ((value y (k-1)) - (value x (k-1)))
};
raise Return32 (Int32.of_int 1)
end
else begin
assert { ly > lx };
value_sub_upper_bound (pelts x) x.offset (x.offset+k-1);
value_sub_lower_bound (pelts y) y.offset (y.offset+k-1);
assert { value y k - value x k =
(ly - lx) * (power radix (k-1))
- ((value x (k-1)) - (value y (k-1)))
};
assert { (ly - lx) * (power radix (k-1))
>= power radix (k-1)
> ((value x (k-1)) - (value y (k-1)))
};
raise Return32 (Int32.(-_) (Int32.of_int 1))
end
end
else ()
done;
value_sub_frame_shift (pelts x) (pelts y) x.offset y.offset (p2i sz);
Int32.of_int 0
with Return32 r -> r
end
end
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="4">
<prover id="1" name="CVC3" version="2.4.1" timelimit="5" steplimit="0" memlimit="1000"/>
<prover id="3" name="Z3" version="4.5.0" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="4" name="Z3" version="4.4.1" timelimit="5" steplimit="0" memlimit="1000"/>
<prover id="5" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/>
<file name="../compare.mlw" proved="true">
<theory name="Compare" proved="true">
<goal name="VC compare_same_size" expl="VC for compare_same_size" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC compare_same_size.0" expl="loop invariant init" proved="true">
<proof prover="5"><result status="valid" time="0.04" steps="9"/></proof>
</goal>
<goal name="VC compare_same_size.1" expl="loop invariant init" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
<proof prover="5"><result status="valid" time="0.03" steps="10"/></proof>
</goal>
<goal name="VC compare_same_size.2" expl="integer overflow" proved="true">
<proof prover="5"><result status="valid" time="0.09" steps="21"/></proof>
</goal>
<goal name="VC compare_same_size.3" expl="assertion" proved="true">
<proof prover="5"><result status="valid" time="0.05" steps="39"/></proof>
</goal>
<goal name="VC compare_same_size.4" expl="precondition" proved="true">
<proof prover="5"><result status="valid" time="0.04" steps="46"/></proof>
</goal>
<goal name="VC compare_same_size.5" expl="integer overflow" proved="true">
<proof prover="4"><result status="valid" time="0.04"/></proof>
<proof prover="5"><result status="valid" time="0.04" steps="24"/></proof>
</goal>
<goal name="VC compare_same_size.6" expl="integer overflow" proved="true">
<proof prover="5"><result status="valid" time="0.04" steps="26"/></proof>
</goal>
<goal name="VC compare_same_size.7" expl="assertion" proved="true">
<proof prover="5"><result status="valid" time="0.03" steps="16"/></proof>
</goal>
<goal name="VC compare_same_size.8" expl="precondition" proved="true">
<proof prover="5"><result status="valid" time="0.03" steps="28"/></proof>
</goal>
<goal name="VC compare_same_size.9" expl="precondition" proved="true">
<proof prover="4"><result status="valid" time="0.05"/></proof>
<proof prover="5"><result status="valid" time="0.06" steps="28"/></proof>
</goal>
<goal name="VC compare_same_size.10" expl="precondition" proved="true">
<proof prover="4"><result status="valid" time="0.02"/></proof>
<proof prover="5"><result status="valid" time="0.05" steps="20"/></proof>
</goal>
<goal name="VC compare_same_size.11" expl="precondition" proved="true">
<proof prover="5"><result status="valid" time="0.06" steps="21"/></proof>
</goal>
<goal name="VC compare_same_size.12" expl="assertion" proved="true">
<proof prover="5"><result status="valid" time="0.04" steps="51"/></proof>
</goal>
<goal name="VC compare_same_size.13" expl="precondition" proved="true">
<proof prover="4"><result status="valid" time="0.02"/></proof>
<proof prover="5"><result status="valid" time="0.05" steps="23"/></proof>
</goal>
<goal name="VC compare_same_size.14" expl="precondition" proved="true">
<proof prover="4"><result status="valid" time="0.02"/></proof>
<proof prover="5"><result status="valid" time="0.07" steps="24"/></proof>
</goal>
<goal name="VC compare_same_size.15" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.10"/></proof>
</goal>
<goal name="VC compare_same_size.16" expl="assertion" proved="true">
<transf name="inline_all" proved="true" >
<goal name="VC compare_same_size.16.0" expl="assertion" proved="true">
<proof prover="5" timelimit="1"><result status="valid" time="0.04" steps="19"/></proof>
</goal>
</transf>
</goal>
<goal name="VC compare_same_size.17" expl="assertion" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC compare_same_size.17.0" expl="VC for compare_same_size" proved="true">
<proof prover="1" memlimit="2000"><result status="valid" time="0.17"/></proof>
</goal>
<goal name="VC compare_same_size.17.1" expl="VC for compare_same_size" proved="true">
<proof prover="3"><result status="valid" time="0.03"/></proof>
</goal>
</transf>
</goal>
<goal name="VC compare_same_size.18" expl="integer overflow" proved="true">
<proof prover="4"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC compare_same_size.19" expl="postcondition" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC compare_same_size.20" expl="assertion" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
<proof prover="5"><result status="valid" time="0.05" steps="26"/></proof>
</goal>
<goal name="VC compare_same_size.21" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.06"/></proof>
</goal>
<goal name="VC compare_same_size.22" expl="assertion" proved="true">
<transf name="inline_all" proved="true" >
<goal name="VC compare_same_size.22.0" expl="assertion" proved="true">
<proof prover="5" timelimit="1"><result status="valid" time="0.05" steps="20"/></proof>
</goal>
</transf>
</goal>
<goal name="VC compare_same_size.23" expl="assertion" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC compare_same_size.23.0" expl="VC for compare_same_size" proved="true">
<proof prover="1" memlimit="2000"><result status="valid" time="0.27"/></proof>
</goal>
<goal name="VC compare_same_size.23.1" expl="VC for compare_same_size" proved="true">
<proof prover="3"><result status="valid" time="0.02"/></proof>
</goal>
</transf>
</goal>
<goal name="VC compare_same_size.24" expl="integer overflow" proved="true">
<proof prover="4"><result status="valid" time="0.04"/></proof>
<proof prover="5"><result status="valid" time="0.23" steps="43"/></proof>
</goal>
<goal name="VC compare_same_size.25" expl="integer overflow" proved="true">
<proof prover="4"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC compare_same_size.26" expl="postcondition" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC compare_same_size.27" expl="loop variant decrease" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
<proof prover="5"><result status="valid" time="0.03" steps="20"/></proof>
</goal>
<goal name="VC compare_same_size.28" expl="loop invariant preservation" proved="true">
<proof prover="5"><result status="valid" time="0.04" steps="20"/></proof>
</goal>
<goal name="VC compare_same_size.29" expl="loop invariant preservation" proved="true">
<proof prover="5"><result status="valid" time="0.03" steps="44"/></proof>
</goal>
<goal name="VC compare_same_size.30" expl="precondition" proved="true">
<proof prover="5"><result status="valid" time="0.03" steps="43"/></proof>
</goal>
<goal name="VC compare_same_size.31" expl="integer overflow" proved="true">
<proof prover="4"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC compare_same_size.32" expl="postcondition" proved="true">
<proof prover="5"><result status="valid" time="0.10" steps="37"/></proof>
</goal>
</transf>
</goal>
</theory>
</file>
</why3session>
This diff is collapsed.
This diff is collapsed.
module Lemmas
use import array.Array
use import map.Map
use map.MapEq
use map.Const
use import int.Int
(** {3 complements to map standard library} *)
predicate map_eq_sub_shift (x y:map int 'a) (xi yi sz:int) =
forall i. 0 <= i < sz -> x[xi+i] = y[yi+i]
let lemma map_eq_shift (x y:map int 'a) (xi yi sz k:int)
requires { map_eq_sub_shift x y xi yi sz }
requires { 0 <= k < sz }
ensures { x[xi+k] = y[yi+k] }
= ()
let rec lemma map_eq_shift_zero (x y: map int 'a) (n m: int)
requires { map_eq_sub_shift x y n n (m-n) }
variant { m - n }
ensures { MapEq.map_eq_sub x y n m }
=
if n < m then
begin
assert { forall i. 0 <= i < m-n -> x[n+i] = y[n+i] };
assert { forall i. n <= i < m ->
let j = i - n in 0 <= j < m-n ->
x[n+j] = y[n+j] -> x[i] = y[i]};
map_eq_shift_zero x y (n+1) m;
end
else ()
use import mach.int.Int32
use import ref.Ref
use import mach.int.UInt64GMP as Limb
use import int.Int
use import int.Power
use import mach.c.C
use import types.Types
meta compute_max_steps 0x100000
(** {3 Long integers as arrays of libs} *)
lemma limb_max_bound: 1 <= max_uint64
function l2i (x:limb) : int = Limb.to_int x
function p2i (i:int32) : int = int32'int i
let lemma prod_compat_strict_r (a b c:int)
requires { 0 <= a < b }
requires { 0 < c }
ensures { c * a < c * b }
= ()
let lemma prod_compat_r (a b c:int)
requires { 0 <= a <= b }
requires { 0 <= c }
ensures { c * a <= c * b }
= ()
(** {3 Integer value of a natural number} *)
(** [value_sub x n m] denotes the integer represented by
the digits x[n..m-1] with lsb at index n *)
let rec ghost function value_sub (x:map int limb) (n:int) (m:int) : int
variant {m - n}
=
if n < m then
l2i x[n] + radix * value_sub x (n+1) m
else 0
let rec lemma value_sub_frame (x y:map int limb) (n m:int)
requires { MapEq.map_eq_sub x y n m }
variant { m - n }
ensures { value_sub x n m = value_sub y n m }
=
if n < m then value_sub_frame x y (n+1) m else ()
let rec lemma value_sub_frame_shift (x y:map int limb) (xi yi sz:int)
requires { map_eq_sub_shift x y xi yi sz }
variant { sz }
ensures { value_sub x xi (xi+sz) = value_sub y yi (yi+sz) }
=
if sz>0
then begin
map_eq_shift x y xi yi sz 0;
assert { forall i. 0 <= i < sz-1 ->
let j = 1+i in x[xi+j] = y[yi+j] };
value_sub_frame_shift x y (xi+1) (yi+1) (sz-1)
end
else assert { 1+2 = 3 }
let rec lemma value_sub_tail (x:map int limb) (n m:int)
requires { n <= m }
variant { m - n }
ensures {
value_sub x n (m+1) =
value_sub x n m + (Map.get x m) * power radix (m-n) }
= [@vc:sp] if n < m then value_sub_tail x (n+1) m else ()(*assert { 1+2=3 }*)
let rec lemma value_sub_concat (x:map int limb) (n m l:int)
requires { n <= m <= l}
variant { m - n }
ensures {
value_sub x n l =
value_sub x n m + value_sub x m l * power radix (m-n) }
=
if n < m then
begin
assert {n<m};
value_sub_concat x (n+1) m l
end
else ()
let lemma value_sub_head (x:map int limb) (n m:int)
requires { n < m }
ensures { value_sub x n m = x[n] + radix * value_sub x (n+1) m }
= value_sub_concat x n (n+1) m
let lemma value_sub_update (x:map int limb) (i n m:int) (v:limb)
requires { n <= i < m }
ensures {
value_sub (Map.set x i v) n m =
value_sub x n m + power radix (i - n) * (v -(Map.get x i))
}
= assert { MapEq.map_eq_sub x (Map.set x i v) n i };
assert { MapEq.map_eq_sub x (Map.set x i v) (i+1) m };
value_sub_concat x n i m;
value_sub_concat (Map.set x i v) n i m;
value_sub_head x i m;
value_sub_head (Map.set x i v) i m
let rec lemma value_zero (x:map int limb) (n m:int)
requires { MapEq.map_eq_sub x (Const.const Limb.zero_unsigned) n m }
variant { m - n }
ensures { value_sub x n m = 0 }
= if n < m then value_zero x (n+1) m else ()
let lemma value_sub_update_no_change (x: map int limb) (i n m: int) (v:limb)
requires { n <= m }
requires { i < n \/ m <= i }
ensures { value_sub x n m = value_sub (Map.set x i v) n m }
= value_sub_frame x (Map.set x i v) n m
let lemma value_sub_shift_no_change (x:map int limb) (ofs i sz:int) (v:limb)
requires { i < 0 \/ sz <= i }
requires { 0 <= sz }
ensures { value_sub x ofs (ofs + sz) =
value_sub (Map.set x (ofs+i) v) ofs (ofs+sz) }
= value_sub_frame_shift x (Map.set x (ofs+i) v) ofs ofs sz
(** {3 Comparisons} *)
let rec lemma value_sub_lower_bound (x:map int limb) (x1 x2:int)
variant { x2 - x1 }
ensures { 0 <= value_sub x x1 x2 }
= if x2 <= x1 then () else
begin
value_sub_head x x1 x2;
value_sub_lower_bound x (x1+1) x2
end
let rec lemma value_sub_upper_bound (x:map int limb) (x1 x2:int)
requires { x1 <= x2 }
variant { x2 - x1 }
ensures { value_sub x x1 x2 < power radix (x2 - x1) }
= if x1 = x2 then () else
begin
value_sub_tail x x1 (x2-1);
assert { value_sub x x1 x2
<= value_sub x x1 (x2-1) + power radix (x2-x1-1) * (radix - 1) };
value_sub_upper_bound x x1 (x2-1)
end
let lemma value_sub_lower_bound_tight (x:map int limb) (x1 x2:int)
requires { x1 < x2 }
ensures { power radix (x2-x1-1) * l2i (Map.get x (x2-1)) <= value_sub x x1 x2 }
= assert { value_sub x x1 x2 = value_sub x x1 (x2-1)
+ power radix (x2-x1-1) * l2i (Map.get x (x2-1)) }
let lemma value_sub_upper_bound_tight (x:map int limb) (x1 x2:int)
requires { x1 < x2 }
ensures { value_sub x x1 x2 < power radix (x2-x1-1) * (l2i (Map.get x (x2-1)) + 1) }
= value_sub_upper_bound x x1 (x2-1)
function value (x:t) (sz:int) : int =
value_sub (pelts x) x.offset (x.offset + sz)
let lemma value_tail (x:t) (sz:int32)
requires { 0 <= sz }
ensures { value x (sz+1) = value x sz + (pelts x)[x.offset + sz] * power radix sz }
= value_sub_tail (pelts x) x.offset (x.offset + p2i sz)
meta remove_prop axiom value_tail
let lemma value_concat (x:t) (n m:int32)
requires { 0 <= n <= m }
ensures { value x m
= value x n + power radix n
* value_sub (pelts x) (x.offset + n) (x.offset + m) }
= value_sub_concat (pelts x) x.offset (x.offset + p2i n) (x.offset + p2i m)
end
\ No newline at end of file
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
module Types
use import mach.c.C
use import mach.int.Int32
use import mach.int.UInt64GMP as Limb
type limb = uint64
type t = ptr limb
exception Break
exception Return32 int32
exception ReturnLimb limb
end
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="4">
<file name="../types.mlw" proved="true">
</file>
</why3session>
module Util
use import int.Int
use import mach.int.Int32
use import mach.int.UInt64GMP as Limb
use import int.Power
use import ref.Ref
use import mach.c.C
use import map.Map
use import types.Types
use import lemmas.Lemmas
let copy (r x:t) (sz:int32) : unit
requires { valid x sz }
requires { valid r sz }
ensures { map_eq_sub_shift (pelts r) (pelts x) r.offset x.offset sz }
ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
(pelts r)[j] = old (pelts r)[j] }
=
let zero = Int32.of_int 0 in
let one = Int32.of_int 1 in
let i = ref zero in
let xp = ref (C.incr x zero) in
let rp = ref (C.incr r zero) in
while (Int32.(<) !i sz) do
variant { p2i sz - p2i !i }
invariant { 0 <= !i <= sz }
invariant { map_eq_sub_shift (pelts r) (pelts x) r.offset x.offset !i }
invariant { pelts !xp = pelts x }
invariant { pelts !rp = pelts r }
invariant { !xp.min = min x }
invariant { !xp.max = x.max }
invariant { !rp.min = r.min }
invariant { !rp.max = r.max }
invariant { !xp.offset = x.offset + !i }
invariant { !rp.offset = r.offset + !i }
invariant { forall j. (j < offset r \/ offset r + sz <= j) ->
(pelts r)[j] = old (pelts r)[j] }
C.set !rp (C.get !xp);
rp.contents <- C.incr !rp one;
xp.contents <- C.incr !xp one;
i := Int32.(+) !i one;
done
(** [zero r sz] sets [(r,sz)] to zero. Corresponds to [mpn_zero]. *)
let zero (r:t) (sz:int32) : unit
requires { valid r sz }
ensures { value r sz = 0 }
ensures { forall j. (j < offset r \/ offset r + sz <= j)
-> (pelts r)[j] = old (pelts r)[j] }
=
let i = ref (Int32.of_int 0) in
let lzero = Limb.of_int 0 in
while Int32.(<) !i sz do
invariant { 0 <= !i <= sz }
variant { sz - !i }
invariant { value r !i = 0 }
invariant { forall j. (j < offset r \/ offset r + sz <= j)
-> (pelts r)[j] = old (pelts r)[j] }
set_ofs r !i lzero;
value_sub_tail (pelts r) r.offset (r.offset + p2i !i);
i := Int32.(+) !i (Int32.of_int 1);
done
end
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="4">
<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="1" name="Z3" version="4.5.0" timelimit="1" steplimit="0" memlimit="1000"/>
<file name="../util.mlw" proved="true">
<theory name="Util" proved="true">
<goal name="VC copy" expl="VC for copy" proved="true">
<transf name="split_vc" proved="true" >
<goal name="VC copy.0" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.1" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.2" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.3" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.4" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.5" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC copy.6" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.00"/></proof>
</goal>
<goal name="VC copy.7" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.8" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.9" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.10" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.11" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.12" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.13" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.14" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="VC copy.15" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.16" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.17" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC copy.18" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC copy.19" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.20" expl="loop variant decrease" proved="true">
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC copy.21" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="VC copy.22" expl="loop invariant preservation" proved="true">
<proof prover="0"><result status="valid" time="0.06" steps="213"/></proof>
<proof prover="1"><result status="timeout" time="1.00"/></proof>
</goal>
<goal name="VC copy.23" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.24" expl="loop invariant preservation" proved="true">
<proof prover="0"><result status="valid" time="0.05" steps="101"/></proof>
<proof prover="1"><result status="timeout" time="1.00"/></proof>
</goal>
<goal name="VC copy.25" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.26" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.27" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.28" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.29" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC copy.30" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.31" expl="loop invariant preservation" proved="true">
<proof prover="0"><result status="valid" time="0.02" steps="108"/></proof>
<proof prover="1"><result status="timeout" time="1.00"/></proof>
</goal>
<goal name="VC copy.32" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC copy.33" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
</transf>
</goal>
<goal name="VC zero" expl="VC for zero" proved="true">
<transf name="split_vc" proved="true" >
<goal name="VC zero.0" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC zero.1" expl="integer overflow" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="VC zero.2" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="VC zero.3" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.03"/></proof>
</goal>