1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
/**************************************************************************/
/* */
/* The Why platform for program certification */
/* */
/* Copyright (C) 2002-2011 */
/* */
/* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11 */
/* Claude MARCHE, INRIA & Univ. Paris-sud 11 */
/* Yannick MOY, Univ. Paris-sud 11 */
/* Romain BARDOU, Univ. Paris-sud 11 */
/* */
/* Secondary contributors: */
/* */
/* Thierry HUBERT, Univ. Paris-sud 11 (former Caduceus front-end) */
/* Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa) */
/* Ali AYAD, CNRS & CEA Saclay (floating-point support) */
/* Sylvie BOLDO, INRIA (floating-point support) */
/* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) */
/* Mehdi DOGGUY, Univ. Paris-sud 11 (Why GUI) */
/* */
/* This software is free software; you can redistribute it and/or */
/* modify it under the terms of the GNU Lesser General Public */
/* License version 2.1, with the special exception on linking */
/* described in file LICENSE. */
/* */
/* This software is distributed in the hope that it will be useful, */
/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. */
/* */
/**************************************************************************/
//@+ SeparationPolicy = Regions
/*@ axiomatic NumOfPos {
@ logic integer num_of_pos{L}(integer i,integer j,int t[]);
@ axiom num_of_pos_empty{L} :
@ \forall integer i j, int t[];
@ i >= j ==> num_of_pos(i,j,t) == 0;
@ axiom num_of_pos_true_case{L} :
@ \forall integer i j k, int t[];
@ i < j && t[j-1] > 0 ==>
@ num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
@ axiom num_of_pos_false_case{L} :
@ \forall integer i j k, int t[];
@ i < j && ! (t[j-1] > 0) ==>
@ num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
@ }
@*/
/*@ lemma num_of_pos_non_negative{L} :
@ \forall integer i j, int t[]; 0 <= num_of_pos(i,j,t);
@*/
/*@ lemma num_of_pos_additive{L} :
@ \forall integer i j k, int t[]; i <= j <= k ==>
@ num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
@*/
/*@ lemma num_of_pos_increasing{L} :
@ \forall integer i j k, int t[];
@ j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
@*/
/*@ lemma num_of_pos_strictly_increasing{L} :
@ \forall integer i n, int t[];
@ 0 <= i < n && t[i] > 0 ==>
@ num_of_pos(0,i,t) < num_of_pos(0,n,t);
@*/
public class Muller {
/*@ requires t != null;
@*/
public static int[] m(int t[]) {
int count = 0;
/*@ loop_invariant
@ 0 <= i <= t.length &&
@ 0 <= count <= i &&
@ count == num_of_pos(0,i,t) ;
@ loop_variant t.length - i;
@*/
for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
int u[] = new int[count];
count = 0;
/*@ loop_invariant
@ 0 <= i <= t.length &&
@ 0 <= count <= i &&
@ count == num_of_pos(0,i,t);
@ loop_variant t.length - i;
@*/
for (int i=0 ; i < t.length; i++) {
if (t[i] > 0) u[count++] = t[i];
}
return u;
}
}
/*
Local Variables:
compile-command: "make Muller.why3ml"
End:
*/
|
