1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
------------------------------------------------------------------------------
-- --
-- GNAT RUN-TIME COMPONENTS --
-- --
-- S Y S T E M . W I D T H _ I --
-- --
-- B o d y --
-- --
-- Copyright (C) 1992-2022, Free Software Foundation, Inc. --
-- --
-- GNAT is free software; you can redistribute it and/or modify it under --
-- terms of the GNU General Public License as published by the Free Soft- --
-- ware Foundation; either version 3, or (at your option) any later ver- --
-- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE. --
-- --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception, --
-- version 3.1, as published by the Free Software Foundation. --
-- --
-- You should have received a copy of the GNU General Public License and --
-- a copy of the GCC Runtime Library Exception along with this program; --
-- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see --
-- <http://www.gnu.org/licenses/>. --
-- --
-- GNAT was originally developed by the GNAT team at New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc. --
-- --
------------------------------------------------------------------------------
with Ada.Numerics.Big_Numbers.Big_Integers_Ghost;
use Ada.Numerics.Big_Numbers.Big_Integers_Ghost;
function System.Width_I (Lo, Hi : Int) return Natural is
-- Ghost code, loop invariants and assertions in this unit are meant for
-- analysis only, not for run-time checking, as it would be too costly
-- otherwise. This is enforced by setting the assertion policy to Ignore.
pragma Assertion_Policy (Ghost => Ignore,
Loop_Invariant => Ignore,
Assert => Ignore);
-----------------------
-- Local Subprograms --
-----------------------
package Signed_Conversion is new Signed_Conversions (Int => Int);
function Big (Arg : Int) return Big_Integer renames
Signed_Conversion.To_Big_Integer;
-- Maximum value of exponent for 10 that fits in Uns'Base
function Max_Log10 return Natural is
(case Int'Base'Size is
when 8 => 2,
when 16 => 4,
when 32 => 9,
when 64 => 19,
when 128 => 38,
when others => raise Program_Error)
with Ghost;
------------------
-- Local Lemmas --
------------------
procedure Lemma_Lower_Mult (A, B, C : Big_Natural)
with
Ghost,
Pre => A <= B,
Post => A * C <= B * C;
procedure Lemma_Div_Commutation (X, Y : Int)
with
Ghost,
Pre => X >= 0 and Y > 0,
Post => Big (X) / Big (Y) = Big (X / Y);
procedure Lemma_Div_Twice (X : Big_Natural; Y, Z : Big_Positive)
with
Ghost,
Post => X / Y / Z = X / (Y * Z);
----------------------
-- Lemma_Lower_Mult --
----------------------
procedure Lemma_Lower_Mult (A, B, C : Big_Natural) is null;
---------------------------
-- Lemma_Div_Commutation --
---------------------------
procedure Lemma_Div_Commutation (X, Y : Int) is null;
---------------------
-- Lemma_Div_Twice --
---------------------
procedure Lemma_Div_Twice (X : Big_Natural; Y, Z : Big_Positive) is
XY : constant Big_Natural := X / Y;
YZ : constant Big_Natural := Y * Z;
XYZ : constant Big_Natural := X / Y / Z;
R : constant Big_Natural := (XY rem Z) * Y + (X rem Y);
begin
pragma Assert (X = XY * Y + (X rem Y));
pragma Assert (XY = XY / Z * Z + (XY rem Z));
pragma Assert (X = XYZ * YZ + R);
pragma Assert ((XY rem Z) * Y <= (Z - 1) * Y);
pragma Assert (R <= YZ - 1);
pragma Assert (X / YZ = (XYZ * YZ + R) / YZ);
pragma Assert (X / YZ = XYZ + R / YZ);
end Lemma_Div_Twice;
-- Local variables
W : Natural;
T : Int;
-- Local ghost variables
Max_W : constant Natural := Max_Log10 with Ghost;
Big_10 : constant Big_Integer := Big (10) with Ghost;
Pow : Big_Integer := 1 with Ghost;
T_Init : constant Int :=
Int'Max (abs (Int'Max (Lo, Int'First + 1)),
abs (Int'Max (Hi, Int'First + 1)))
with Ghost;
-- Start of processing for System.Width_I
begin
if Lo > Hi then
return 0;
else
-- Minimum value is 2, one for sign, one for digit
W := 2;
-- Get max of absolute values, but avoid bomb if we have the maximum
-- negative number (note that First + 1 has same digits as First)
T := Int'Max (
abs (Int'Max (Lo, Int'First + 1)),
abs (Int'Max (Hi, Int'First + 1)));
-- Increase value if more digits required
while T >= 10 loop
Lemma_Div_Commutation (T, 10);
Lemma_Div_Twice (Big (T_Init), Big_10 ** (W - 2), Big_10);
T := T / 10;
W := W + 1;
Pow := Pow * 10;
pragma Loop_Invariant (T >= 0);
pragma Loop_Invariant (W in 3 .. Max_W + 3);
pragma Loop_Invariant (Pow = Big_10 ** (W - 2));
pragma Loop_Invariant (Big (T) = Big (T_Init) / Pow);
pragma Loop_Variant (Decreases => T);
end loop;
declare
F : constant Big_Integer := Big_10 ** (W - 2) with Ghost;
Q : constant Big_Integer := Big (T_Init) / F with Ghost;
R : constant Big_Integer := Big (T_Init) rem F with Ghost;
begin
pragma Assert (Q < Big_10);
pragma Assert (Big (T_Init) = Q * F + R);
Lemma_Lower_Mult (Q, Big (9), F);
pragma Assert (Big (T_Init) <= Big (9) * F + F - 1);
pragma Assert (Big (T_Init) < Big_10 * F);
pragma Assert (Big_10 * F = Big_10 ** (W - 1));
end;
-- This is an expression of the functional postcondition for Width_I,
-- which cannot be expressed readily as a postcondition as this would
-- require making the instantiation Signed_Conversion and function Big
-- available from the spec.
pragma Assert (Big (Int'Max (Lo, Int'First + 1)) < Big_10 ** (W - 1));
pragma Assert (Big (Int'Max (Hi, Int'First + 1)) < Big_10 ** (W - 1));
return W;
end if;
end System.Width_I;
|
