1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
/**************************************************************************/
/* */
/* The Why platform for program certification */
/* Copyright (C) 2002-2008 */
/* Romain BARDOU */
/* Jean-Franois COUCHOT */
/* Mehdi DOGGUY */
/* Jean-Christophe FILLITRE */
/* Thierry HUBERT */
/* Claude MARCH */
/* Yannick MOY */
/* Christine PAULIN */
/* Yann RGIS-GIANAS */
/* Nicolas ROUSSET */
/* Xavier URBAIN */
/* */
/* This software is free software; you can redistribute it and/or */
/* modify it under the terms of the GNU General Public */
/* License version 2, as published by the Free Software Foundation. */
/* */
/* This software is distributed in the hope that it will be useful, */
/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. */
/* */
/* See the GNU General Public License version 2 for more details */
/* (enclosed in the file GPL). */
/* */
/**************************************************************************/
/* complements for non-linear integer arithmetic */
//@ lemma zero_right: \forall integer x; x*0 == 0;
//@ lemma zero_left: \forall integer x; 0*x == 0;
//@ lemma one_right: \forall integer x; x*1 == x;
//@ lemma one_left: \forall integer x; 1*x == x;
//@ lemma two_right: \forall integer x; x*2 == x+x;
//@ lemma two_left: \forall integer x; 2*x == x+x;
/*@ lemma distr_right:
@ \forall integer x y z; x*(y+z) == (x*y)+(x*z);
@*/
/*@ lemma distr_left:
@ \forall integer x y z; (x+y)*z == (x*z)+(y*z);
@*/
/*@ lemma sqr_short_elim:
@ \forall integer x; x*x <= 32760 ==> x <= 180;
@*/
/*@ lemma sqr_short_intro:
@ \forall integer x; 0 <= x && x <= 181 ==> x*x <= 32761;
@*/
/*@ lemma sqr_int_elim:
@ \forall integer x; x*x <= 2147395599 ==> x <= 46339;
@*/
/*@ lemma sqr_int_intro:
@ \forall integer x; 0 <= x && x <= 46340 ==> x*x <= 2147395600;
@*/
public class Lesson1 {
/*@ behavior result_ge_x:
@ ensures \result >= x;
@ behavior result_ge_y:
@ ensures \result >= y;
@ behavior result_is_lub:
@ ensures \forall integer z; z >= x && z >= y ==> z >= \result;
@*/
public static int max(int x, int y) {
if (x>y) return x; else return y;
}
/*@ requires x >= 0 && x <= 32760;
@ ensures \result >= 0 && \result * \result <= x
@ && x < (\result + 1) * (\result + 1);
@*/
public static short short_sqrt(short x) {
short count = 0, sum = 1;
/*@ loop_invariant
@ count >= 0 && x >= count*count &&
@ sum == (count+1)*(count+1) &&
@ count <= 180 && sum <= 32761;
@ decreases x - sum;
@*/
while (sum <= x) {
count++;
//@ assert (count*count)+2*count+1 == (count+1)*(count+1);
sum += 2*count+1;
}
return count;
}
/*@ requires x >= 0 && x <= 2147395599;
@ behavior result_is_sqrt:
@ ensures \result >= 0 && \result * \result <= x
@ && x < (\result + 1) * (\result + 1) ;
@*/
public static int sqrt(int x) {
int count = 0, sum = 1;
/*@ loop_invariant
@ count >= 0 && x >= count*count &&
@ sum == (count+1)*(count+1) &&
@ count <= 46339 && sum <= 2147395600;
@ decreases x - sum;
@*/
while (sum <= x) {
count++;
//@ assert (count*count)+2*count+1 == (count+1)*(count+1);
sum += 2*count+1;
}
return count;
}
}
/*
Local Variables:
compile-command: "make Lesson1"
End:
*/
|
