diff --git a/src/plugins/wp/tests/test_config_qualif b/src/plugins/wp/tests/test_config_qualif
index e92f71e312cedfa7a4d3d316991f7904c32d185d..395f0c6f754e0898ef3c7c570de157da9e5c3b4f 100644
--- a/src/plugins/wp/tests/test_config_qualif
+++ b/src/plugins/wp/tests/test_config_qualif
@@ -1,3 +1,3 @@
PLUGIN: wp
-CMD: @frama-c@ -wp -wp-par 1 -wp-share @PTEST_SHARE_DIR@ -wp-msg-key shell -wp-warn-key pedantic-assigns=inactive -wp-report @PTEST_SUITE_DIR@/../qualif.report -wp-session @PTEST_SUITE_DIR@/oracle@PTEST_CONFIG@/@PTEST_NAME@.@PTEST_NUMBER@.session -wp-cache-env -wp-cache replay @PTEST_FILE@ -wp-coq-timeout 120
+CMD: @frama-c@ -wp -wp-par 1 -wp-share @PTEST_SHARE_DIR@ -wp-msg-key shell -wp-warn-key pedantic-assigns=inactive -wp-report @PTEST_SUITE_DIR@/../qualif.report -wp-session @PTEST_SUITE_DIR@/oracle@PTEST_CONFIG@/@PTEST_NAME@.@PTEST_NUMBER@.session -wp-cache-env -wp-cache replay @PTEST_FILE@
OPT:
diff --git a/src/plugins/wp/tests/wp_acsl/chunk_typing_usable.i b/src/plugins/wp/tests/wp_acsl/chunk_typing_usable.i
index 7f41b168b082e3d19f3540484cd7557b03a9c276..8d1a09b6a1ca58a360ad45f3818594492d796d13 100644
--- a/src/plugins/wp/tests/wp_acsl/chunk_typing_usable.i
+++ b/src/plugins/wp/tests/wp_acsl/chunk_typing_usable.i
@@ -2,7 +2,7 @@
OPT: -wp-gen -wp-rte -wp-prover why3 -wp-msg-key print-generated
*/
/* run.config_qualif
- OPT: -wp-rte -wp-coq-script %{dep:@PTEST_DIR@/chunk_typing_usable.script} -wp-prover alt-ergo,native:coq
+ OPT: -wp-rte -wp-prover alt-ergo,coq
*/
/*@
diff --git a/src/plugins/wp/tests/wp_acsl/classify_float.c b/src/plugins/wp/tests/wp_acsl/classify_float.c
index 9a1e8e74b4239aaf28bc2497cf0659cea9b6027f..f281877af31f474fbf324a3b138fb504d312138b 100644
--- a/src/plugins/wp/tests/wp_acsl/classify_float.c
+++ b/src/plugins/wp/tests/wp_acsl/classify_float.c
@@ -1,6 +1,6 @@
/* run.config_qualif
OPT: -wp-prover alt-ergo
- OPT: -wp-prover native:coq -wp-coq-script %{dep:@PTEST_DIR@/classify_float.script}
+ OPT: -wp-prover coq
OPT: -wp-model real
*/
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.0.session/interactive/lemma_provable_lemma.v b/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.0.session/interactive/lemma_provable_lemma.v
new file mode 100644
index 0000000000000000000000000000000000000000..1b3be3b8b35c241e8e2ef77e3af64c923aa96bb2
--- /dev/null
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.0.session/interactive/lemma_provable_lemma.v
@@ -0,0 +1,622 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Inductive addr :=
+ | addr'mk : Numbers.BinNums.Z -> Numbers.BinNums.Z -> addr.
+Axiom addr_WhyType : WhyType addr.
+Existing Instance addr_WhyType.
+
+(* Why3 assumption *)
+Definition offset (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x1
+ end.
+
+(* Why3 assumption *)
+Definition base (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x
+ end.
+
+Parameter addr_le: addr -> addr -> Prop.
+
+Parameter addr_lt: addr -> addr -> Prop.
+
+Parameter addr_le_bool: addr -> addr -> Init.Datatypes.bool.
+
+Parameter addr_lt_bool: addr -> addr -> Init.Datatypes.bool.
+
+Axiom addr_le_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_le p q <-> ((offset p) <= (offset q))%Z.
+
+Axiom addr_lt_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_lt p q <-> ((offset p) < (offset q))%Z.
+
+Axiom addr_le_bool_def :
+ forall (p:addr) (q:addr),
+ addr_le p q <-> ((addr_le_bool p q) = Init.Datatypes.true).
+
+Axiom addr_lt_bool_def :
+ forall (p:addr) (q:addr),
+ addr_lt p q <-> ((addr_lt_bool p q) = Init.Datatypes.true).
+
+(* Why3 assumption *)
+Definition null : addr := addr'mk 0%Z 0%Z.
+
+(* Why3 assumption *)
+Definition global (b:Numbers.BinNums.Z) : addr := addr'mk b 0%Z.
+
+(* Why3 assumption *)
+Definition shift (p:addr) (k:Numbers.BinNums.Z) : addr :=
+ addr'mk (base p) ((offset p) + k)%Z.
+
+(* Why3 assumption *)
+Definition included (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (0%Z < a)%Z ->
+ (0%Z <= b)%Z /\
+ ((base p) = (base q)) /\
+ ((offset q) <= (offset p))%Z /\
+ (((offset p) + a)%Z <= ((offset q) + b)%Z)%Z.
+
+(* Why3 assumption *)
+Definition separated (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (a <= 0%Z)%Z \/
+ (b <= 0%Z)%Z \/
+ ~ ((base p) = (base q)) \/
+ (((offset q) + b)%Z <= (offset p))%Z \/
+ (((offset p) + a)%Z <= (offset q))%Z.
+
+(* Why3 assumption *)
+Definition eqmem {a:Type} {a_WT:WhyType a} (m1:addr -> a) (m2:addr -> a)
+ (p:addr) (a1:Numbers.BinNums.Z) : Prop :=
+ forall (q:addr), included q 1%Z p a1 -> ((m1 q) = (m2 q)).
+
+Parameter havoc:
+ forall {a:Type} {a_WT:WhyType a}, (addr -> a) -> (addr -> a) -> addr ->
+ Numbers.BinNums.Z -> addr -> a.
+
+(* Why3 assumption *)
+Definition valid_rw (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (0%Z < (base p))%Z /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_rd (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_obj (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (p = null) \/
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (1%Z + (m (base p)))%Z)%Z.
+
+(* Why3 assumption *)
+Definition invalid (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (n <= 0%Z)%Z \/
+ ((base p) = 0%Z) \/
+ ((m (base p)) <= (offset p))%Z \/ (((offset p) + n)%Z <= 0%Z)%Z.
+
+Axiom valid_rw_rd :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ forall (n:Numbers.BinNums.Z), valid_rw m p n -> valid_rd m p n.
+
+Axiom valid_string :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ ((base p) < 0%Z)%Z ->
+ (0%Z <= (offset p))%Z /\ ((offset p) < (m (base p)))%Z ->
+ valid_rd m p 1%Z /\ ~ valid_rw m p 1%Z.
+
+Axiom separated_1 :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
+ (j:Numbers.BinNums.Z),
+ separated p a q b -> ((offset p) <= i)%Z /\ (i < ((offset p) + a)%Z)%Z ->
+ ((offset q) <= j)%Z /\ (j < ((offset q) + b)%Z)%Z ->
+ ~ ((addr'mk (base p) i) = (addr'mk (base q) j)).
+
+Parameter region: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter linked: (Numbers.BinNums.Z -> Numbers.BinNums.Z) -> Prop.
+
+Parameter sconst: (addr -> Numbers.BinNums.Z) -> Prop.
+
+(* Why3 assumption *)
+Definition framed (m:addr -> addr) : Prop :=
+ forall (p:addr), ((region (base p)) <= 0%Z)%Z ->
+ ((region (base (m p))) <= 0%Z)%Z.
+
+Axiom separated_included :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), (0%Z < a)%Z ->
+ (0%Z < b)%Z -> separated p a q b -> ~ included p a q b.
+
+Axiom included_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> included q b r c -> included p a r c.
+
+Axiom separated_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> separated q b r c -> separated p a r c.
+
+Axiom separated_sym :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
+ separated p a q b <-> separated q b p a.
+
+Axiom eqmem_included :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr) (q:addr),
+ forall (a1:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), included p a1 q b ->
+ eqmem m1 m2 q b -> eqmem m1 m2 p a1.
+
+Axiom eqmem_sym :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr),
+ forall (a1:Numbers.BinNums.Z), eqmem m1 m2 p a1 -> eqmem m2 m1 p a1.
+
+Axiom havoc_access :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m0:addr -> a) (m1:addr -> a), forall (q:addr) (p:addr),
+ forall (a1:Numbers.BinNums.Z),
+ (separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m1 q))) /\
+ (~ separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m0 q))).
+
+Parameter cinits: (addr -> Init.Datatypes.bool) -> Prop.
+
+(* Why3 assumption *)
+Definition is_init_range (m:addr -> Init.Datatypes.bool) (p:addr)
+ (l:Numbers.BinNums.Z) : Prop :=
+ forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < l)%Z ->
+ ((m (shift p i)) = Init.Datatypes.true).
+
+Parameter set_init:
+ (addr -> Init.Datatypes.bool) -> addr -> Numbers.BinNums.Z ->
+ addr -> Init.Datatypes.bool.
+
+Axiom set_init_access :
+ forall (m:addr -> Init.Datatypes.bool), forall (q:addr) (p:addr),
+ forall (a:Numbers.BinNums.Z),
+ (separated q 1%Z p a -> ((set_init m p a q) = (m q))) /\
+ (~ separated q 1%Z p a -> ((set_init m p a q) = Init.Datatypes.true)).
+
+(* Why3 assumption *)
+Definition monotonic_init (m1:addr -> Init.Datatypes.bool)
+ (m2:addr -> Init.Datatypes.bool) : Prop :=
+ forall (p:addr), ((m1 p) = Init.Datatypes.true) ->
+ ((m2 p) = Init.Datatypes.true).
+
+Parameter int_of_addr: addr -> Numbers.BinNums.Z.
+
+Parameter addr_of_int: Numbers.BinNums.Z -> addr.
+
+Axiom table : Type.
+Parameter table_WhyType : WhyType table.
+Existing Instance table_WhyType.
+
+Parameter table_of_base: Numbers.BinNums.Z -> table.
+
+Parameter table_to_offset: table -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom table_to_offset_zero :
+ forall (t:table), ((table_to_offset t 0%Z) = 0%Z).
+
+Axiom table_to_offset_monotonic :
+ forall (t:table), forall (o1:Numbers.BinNums.Z) (o2:Numbers.BinNums.Z),
+ (o1 <= o2)%Z <-> ((table_to_offset t o1) <= (table_to_offset t o2))%Z.
+
+Axiom int_of_addr_bijection :
+ forall (a:Numbers.BinNums.Z), ((int_of_addr (addr_of_int a)) = a).
+
+Axiom addr_of_int_bijection :
+ forall (p:addr), ((addr_of_int (int_of_addr p)) = p).
+
+Axiom addr_of_null : ((int_of_addr null) = 0%Z).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+(* Why3 assumption *)
+Definition is_sint32_chunk (m:addr -> Numbers.BinNums.Z) : Prop :=
+ forall (a:addr), is_sint32 (m a).
+
+Parameter L_occ:
+ (addr -> Numbers.BinNums.Z) -> Numbers.BinNums.Z -> addr ->
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom Q_empty :
+ forall (Mint:addr -> Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (p:addr)
+ (f:Numbers.BinNums.Z) (t:Numbers.BinNums.Z),
+ (t <= f)%Z -> is_sint32_chunk Mint -> is_sint32 v ->
+ ((L_occ Mint v p f t) = 0%Z).
+
+Axiom Q_is :
+ forall (Mint:addr -> Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (p:addr)
+ (f:Numbers.BinNums.Z) (t:Numbers.BinNums.Z),
+ let x := ((-1%Z)%Z + t)%Z in
+ let x1 := Mint (shift p x) in
+ (x1 = v) -> (f < t)%Z -> is_sint32_chunk Mint -> is_sint32 v ->
+ is_sint32 x1 -> ((1%Z + (L_occ Mint v p f x))%Z = (L_occ Mint v p f t)).
+
+Axiom Q_isnt :
+ forall (Mint:addr -> Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (p:addr)
+ (f:Numbers.BinNums.Z) (t:Numbers.BinNums.Z),
+ let x := ((-1%Z)%Z + t)%Z in
+ let x1 := Mint (shift p x) in
+ ~ (x1 = v) -> (f < t)%Z -> is_sint32_chunk Mint -> is_sint32 v ->
+ is_sint32 x1 -> ((L_occ Mint v p f x) = (L_occ Mint v p f t)).
+
+Theorem Z_induction(m : Z)(P : Z -> Prop) :
+ (forall n, (n <= m)%Z -> P n ) ->
+ (forall n, (n >= m)%Z -> P n -> P (n+1)%Z) ->
+ (forall n, P n).
+Proof.
+ intros.
+ induction (Z_le_dec n m) ; auto with zarith.
+ apply Z.le_ind with (n := m) ; auto with zarith.
+ unfold Morphisms.Proper.
+ unfold Morphisms.respectful.
+ intros. rewrite H1. intuition.
+ intros. apply H0; auto with zarith.
+Qed.
+
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (t:addr -> Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (a:addr)
+ (i1:Numbers.BinNums.Z) (i2:Numbers.BinNums.Z) (i3:Numbers.BinNums.Z),
+ (i2 <= i3)%Z -> (i1 <= i2)%Z -> is_sint32_chunk t -> is_sint32 i ->
+ (((L_occ t i a i1 i2) + (L_occ t i a i2 i3))%Z = (L_occ t i a i1 i3)).
+Proof.
+ Require Import Psatz.
+ Ltac norm := repeat(match goal with
+ | [ _ : _ |- context [ (-1 + (?i + 1))%Z ]] => replace (-1 + (i + 1))%Z with i by lia
+ | [ _ : _ |- context [ (-(1) + (?i + 1))%Z ]] => replace (-(1) + (i + 1))%Z with i by lia
+ | [ _ : _ |- context [ (0 + ?i)%Z ]] => replace (0 + i)%Z with i by lia
+ | [ _ : _ |- context [ (?i + 0)%Z ]] => replace (i + 0)%Z with i by lia
+ end).
+
+ intros M x p b s e.
+ generalize dependent s.
+ induction e using Z_induction with (m := b) ; intros s Us Ls TM Tx.
+ - repeat (rewrite Q_empty) ; auto ; lia.
+ - assert(EqNeq: { M (shift p e) = x } + { M (shift p e) <> x }) by
+ repeat(decide equality).
+ assert(Split: (s < e + 1 \/ s = e + 1)%Z) by lia.
+ inversion_clear Split as [ Low | Eq ] ; subst.
+ + inversion_clear EqNeq as [ Eq | Neq ] ; subst.
+ * replace (M (shift p e)) with (M (shift p ((-1) + (e + 1))))%Z by (norm ; auto).
+ rewrite <- Q_is with (t := (e + 1)%Z) ; [ rewrite <- Q_is with (t := (e + 1)%Z) | | | | |] ;
+ norm ; try rewrite Eq ; auto ; try lia.
+ assert(Simpl: forall x y z : Z, (x + y = z)%Z -> (x + (1 + y) = 1 + z)%Z) by (intros ; lia).
+ apply Simpl.
+ apply IHe ; auto ; lia.
+ * rewrite <- Q_isnt with (t := (e + 1)%Z) ; [ rewrite <- Q_isnt with (t := (e + 1)%Z) | | | | |] ;
+ norm ; auto ; try lia.
+ apply IHe ; auto ; lia.
+ + rewrite Q_empty with (f := (e+1)%Z) ; auto ; lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.res.oracle
index 2c656c6f82589428c5d92e8c4a8f3218879fc66a..e7f7757e41296b5db9a8f1075c8af95cd6ddde0b 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/chunk_typing_usable.res.oracle
@@ -3,16 +3,14 @@
[wp] Running WP plugin...
[rte:annot] annotating function usable_axiom
[rte:annot] annotating function usable_lemma
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 3 goals scheduled
-[wp] [Coq] Goal typed_lemma_provable_lemma : Saved script
-[wp] [Coq (native)] Goal typed_lemma_provable_lemma : Valid
+[wp] [Coq] Goal typed_lemma_provable_lemma : Valid
[wp] [Alt-Ergo] Goal typed_usable_axiom_ensures : Valid
[wp] [Alt-Ergo] Goal typed_usable_lemma_ensures : Valid
[wp] Proved goals: 3 / 3
Qed: 0
- Coq (native): 1
Alt-Ergo: 2 (unsuccess: 1)
+ Coq: 1
------------------------------------------------------------
Axiomatics WP Alt-Ergo Total Success
Lemma - - 1 100%
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.res.oracle
index 8d89bf6103e89d700c551ea565d3cd4a814e3d35..c2926ee4347068dc2e99f9c518571b7f1044d456 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.res.oracle
@@ -1,17 +1,13 @@
# frama-c -wp [...]
[kernel] Parsing classify_float.c (with preprocessing)
[wp] Running WP plugin...
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 3 goals scheduled
-[wp] [Coq] Goal typed_lemma_InfN_not_finite : Saved script
-[wp] [Coq (native)] Goal typed_lemma_InfN_not_finite : Valid
-[wp] [Coq] Goal typed_lemma_InfP_not_finite : Saved script
-[wp] [Coq (native)] Goal typed_lemma_InfP_not_finite : Valid
-[wp] [Coq] Goal typed_lemma_NaN_not_finite : Saved script
-[wp] [Coq (native)] Goal typed_lemma_NaN_not_finite : Valid
+[wp] [Coq] Goal typed_lemma_InfN_not_finite : Valid
+[wp] [Coq] Goal typed_lemma_InfP_not_finite : Valid
+[wp] [Coq] Goal typed_lemma_NaN_not_finite : Valid
[wp] Proved goals: 3 / 3
Qed: 0
- Coq (native): 3
+ Coq: 3
------------------------------------------------------------
Axiomatics WP Alt-Ergo Total Success
Lemma - - 3 100%
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfN_not_finite.v b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfN_not_finite.v
new file mode 100644
index 0000000000000000000000000000000000000000..9742dfb3d3c6aa053e0fe2d70b2e1b0238dac89a
--- /dev/null
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfN_not_finite.v
@@ -0,0 +1,1768 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require Reals.Rbasic_fun.
+Require Reals.R_sqrt.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.Abs.
+Require real.FromInt.
+Require real.Square.
+Require map.Map.
+Require bv.Pow2int.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+Axiom abs_def :
+ forall (x:Numbers.BinNums.Z),
+ ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
+ (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
+
+Axiom sqrt_lin1 :
+ forall (x:Reals.Rdefinitions.R), (1%R < x)%R ->
+ ((Reals.R_sqrt.sqrt x) < x)%R.
+
+Axiom sqrt_lin0 :
+ forall (x:Reals.Rdefinitions.R), (0%R < x)%R /\ (x < 1%R)%R ->
+ (x < (Reals.R_sqrt.sqrt x))%R.
+
+Axiom sqrt_0 : ((Reals.R_sqrt.sqrt 0%R) = 0%R).
+
+Axiom sqrt_1 : ((Reals.R_sqrt.sqrt 1%R) = 1%R).
+
+(* Why3 assumption *)
+Inductive mode :=
+ | RNE : mode
+ | RNA : mode
+ | RTP : mode
+ | RTN : mode
+ | RTZ : mode.
+Axiom mode_WhyType : WhyType mode.
+Existing Instance mode_WhyType.
+
+(* Why3 assumption *)
+Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).
+
+Axiom t : Type.
+Parameter t_WhyType : WhyType t.
+Existing Instance t_WhyType.
+
+Parameter t'real: t -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite: t -> Prop.
+
+Axiom t'axiom :
+ forall (x:t), t'isFinite x ->
+ ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
+ ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
+
+Parameter truncate: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Truncate_int :
+ forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
+
+Axiom Truncate_down_pos :
+ forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
+ ((BuiltIn.IZR (truncate x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
+
+Axiom Truncate_up_neg :
+ forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
+ ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
+ (x <= (BuiltIn.IZR (truncate x)))%R.
+
+Axiom Real_of_truncate :
+ forall (x:Reals.Rdefinitions.R),
+ ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
+ ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
+
+Axiom Truncate_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((truncate x) <= (truncate y))%Z.
+
+Axiom Truncate_monotonic_int1 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
+
+Axiom Truncate_monotonic_int2 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
+
+Parameter floor: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Parameter ceil: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Floor_int :
+ forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
+
+Axiom Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
+
+Axiom Floor_down :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR (floor x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
+
+Axiom Ceil_up :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
+
+Axiom Floor_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((floor x) <= (floor y))%Z.
+
+Axiom Ceil_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((ceil x) <= (ceil y))%Z.
+
+Parameter zeroF: t.
+
+Parameter add: mode -> t -> t -> t.
+
+Parameter sub: mode -> t -> t -> t.
+
+Parameter mul: mode -> t -> t -> t.
+
+Parameter div: mode -> t -> t -> t.
+
+Parameter abs: t -> t.
+
+Parameter neg: t -> t.
+
+Parameter fma: mode -> t -> t -> t -> t.
+
+Parameter sqrt: mode -> t -> t.
+
+Parameter roundToIntegral: mode -> t -> t.
+
+Parameter min: t -> t -> t.
+
+Parameter max: t -> t -> t.
+
+Parameter le: t -> t -> Prop.
+
+Parameter lt: t -> t -> Prop.
+
+Parameter eq: t -> t -> Prop.
+
+Parameter is_normal: t -> Prop.
+
+Parameter is_subnormal: t -> Prop.
+
+Parameter is_zero: t -> Prop.
+
+Parameter is_infinite: t -> Prop.
+
+Parameter is_nan: t -> Prop.
+
+Parameter is_positive: t -> Prop.
+
+Parameter is_negative: t -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.
+
+Axiom is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
+
+Axiom is_not_finite :
+ forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
+
+Axiom zeroF_is_positive : is_positive zeroF.
+
+Axiom zeroF_is_zero : is_zero zeroF.
+
+Axiom zero_to_real :
+ forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
+
+Parameter of_int: mode -> Numbers.BinNums.Z -> t.
+
+Parameter to_int: mode -> t -> Numbers.BinNums.Z.
+
+Axiom zero_of_int : forall (m:mode), (zeroF = (of_int m 0%Z)).
+
+Parameter round: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int: Numbers.BinNums.Z.
+
+Axiom max_real_int :
+ ((33554430 * 10141204801825835211973625643008)%R = (BuiltIn.IZR max_int)).
+
+(* Why3 assumption *)
+Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(33554430 * 10141204801825835211973625643008)%R)%R <= x)%R /\
+ (x <= (33554430 * 10141204801825835211973625643008)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.
+
+Axiom is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
+
+(* Why3 assumption *)
+Definition no_overflow (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range (round m x).
+
+Axiom Bounded_real_no_overflow :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range x -> no_overflow m x.
+
+Axiom Round_monotonic :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round m x) <= (round m y))%R.
+
+Axiom Round_idempotent :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round m1 (round m2 x)) = (round m2 x)).
+
+Axiom Round_to_real :
+ forall (m:mode) (x:t), t'isFinite x -> ((round m (t'real x)) = (t'real x)).
+
+Axiom Round_down_le :
+ forall (x:Reals.Rdefinitions.R), ((round RTN x) <= x)%R.
+
+Axiom Round_up_ge : forall (x:Reals.Rdefinitions.R), (x <= (round RTP x))%R.
+
+Axiom Round_down_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTN (-x)%R) = (-(round RTP x))%R).
+
+Axiom Round_up_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTP (-x)%R) = (-(round RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.
+
+Axiom Exact_rounding_for_integers :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.
+
+(* Why3 assumption *)
+Definition diff_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.
+
+Axiom feq_eq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
+ eq x y -> (x = y).
+
+Axiom eq_feq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
+
+Axiom eq_refl : forall (x:t), t'isFinite x -> eq x x.
+
+Axiom eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
+
+Axiom eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
+
+Axiom eq_zero : eq zeroF (neg zeroF).
+
+Axiom eq_to_real_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ eq x y <-> ((t'real x) = (t'real y)).
+
+Axiom eq_special :
+ forall (x:t) (y:t), eq x y ->
+ is_not_nan x /\
+ is_not_nan y /\
+ (t'isFinite x /\ t'isFinite y \/
+ is_infinite x /\ is_infinite y /\ same_sign x y).
+
+Axiom lt_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ lt x y <-> ((t'real x) < (t'real y))%R.
+
+Axiom le_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ le x y <-> ((t'real x) <= (t'real y))%R.
+
+Axiom le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
+
+Axiom lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
+
+Axiom le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
+
+Axiom not_lt_ge :
+ forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
+
+Axiom not_gt_le :
+ forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
+
+Axiom le_special :
+ forall (x:t) (y:t), le x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
+
+Axiom lt_special :
+ forall (x:t) (y:t), lt x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
+ is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
+
+Axiom lt_lt_finite :
+ forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
+
+Axiom positive_to_real :
+ forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
+
+Axiom to_real_positive :
+ forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
+
+Axiom negative_to_real :
+ forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
+
+Axiom to_real_negative :
+ forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
+
+Axiom negative_xor_positive :
+ forall (x:t), ~ (is_positive x /\ is_negative x).
+
+Axiom negative_or_positive :
+ forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
+
+Axiom diff_sign_trans :
+ forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
+
+Axiom diff_sign_product :
+ forall (x:t) (y:t),
+ t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
+ diff_sign x y.
+
+Axiom same_sign_product :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
+ (0%R <= ((t'real x) * (t'real y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign (z:t) (x:t) (y:t) : Prop :=
+ (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).
+
+(* Why3 assumption *)
+Definition overflow_value (m:mode) (x:t) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x -> is_infinite x)
+ | RTP =>
+ (is_positive x -> is_infinite x) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RTZ =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RNA|RNE => is_infinite x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result (m:mode) (x:t) : Prop :=
+ is_zero x -> match m with
+ | RTN => is_negative x
+ | _ => is_positive x
+ end.
+
+Axiom add_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) + (t'real y))%R ->
+ t'isFinite (add m x y) /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom add_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (add m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom add_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (add m x y) ->
+ no_overflow m ((t'real x) + (t'real y))%R /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom sub_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) - (t'real y))%R ->
+ t'isFinite (sub m x y) /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom sub_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (sub m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom sub_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (sub m x y) ->
+ no_overflow m ((t'real x) - (t'real y))%R /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom mul_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) * (t'real y))%R ->
+ t'isFinite (mul m x y) /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom mul_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (mul m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom mul_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (mul m x y) ->
+ no_overflow m ((t'real x) * (t'real y))%R /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom div_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero y ->
+ no_overflow m ((t'real x) / (t'real y))%R ->
+ t'isFinite (div m x y) /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom div_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (div m x y) ->
+ t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
+ t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
+
+Axiom div_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (div m x y) ->
+ t'isFinite y ->
+ no_overflow m ((t'real x) / (t'real y))%R /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom neg_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom neg_finite_rev :
+ forall (x:t), t'isFinite (neg x) ->
+ t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom abs_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (abs x) /\
+ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
+ is_positive (abs x).
+
+Axiom abs_finite_rev :
+ forall (x:t), t'isFinite (abs x) ->
+ t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
+
+Axiom abs_universal : forall (x:t), ~ is_negative (abs x).
+
+Axiom fma_finite :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite x -> t'isFinite y ->
+ t'isFinite z ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ t'isFinite (fma m x y z) /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom fma_finite_rev :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite (fma m x y z) ->
+ t'isFinite x /\ t'isFinite y /\ t'isFinite z.
+
+Axiom fma_finite_rev_n :
+ forall (m:mode) (x:t) (y:t) (z:t), to_nearest m ->
+ t'isFinite (fma m x y z) ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom sqrt_finite :
+ forall (m:mode) (x:t), t'isFinite x -> (0%R <= (t'real x))%R ->
+ t'isFinite (sqrt m x) /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+Axiom sqrt_finite_rev :
+ forall (m:mode) (x:t), t'isFinite (sqrt m x) ->
+ t'isFinite x /\
+ (0%R <= (t'real x))%R /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.
+
+Axiom add_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := add m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
+ same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (same_sign x y -> same_sign r x) /\
+ (~ same_sign x y -> sign_zero_result m r)).
+
+Axiom sub_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := sub m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
+ same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (diff_sign x y -> same_sign r x) /\
+ (~ diff_sign x y -> sign_zero_result m r)).
+
+Axiom mul_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := mul m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_infinite r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
+ overflow_value m r) /\
+ (~ is_nan r -> product_sign r x y).
+
+Axiom div_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := div m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_zero r) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
+ overflow_value m r) /\
+ (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
+ (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
+
+Axiom neg_special :
+ forall (x:t),
+ (is_nan x -> is_nan (neg x)) /\
+ (is_infinite x -> is_infinite (neg x)) /\
+ (~ is_nan x -> diff_sign x (neg x)).
+
+Axiom abs_special :
+ forall (x:t),
+ (is_nan x -> is_nan (abs x)) /\
+ (is_infinite x -> is_infinite (abs x)) /\
+ (~ is_nan x -> is_positive (abs x)).
+
+Axiom fma_special :
+ forall (m:mode) (x:t) (y:t) (z:t),
+ let r := fma m x y z in
+ (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
+ is_infinite r /\ same_sign r z) /\
+ (is_infinite x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (t'isFinite x /\
+ t'isFinite y /\
+ t'isFinite z /\
+ ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
+ (product_sign z x y -> same_sign r z) /\
+ (~ product_sign z x y ->
+ ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
+ ((m = RTN) -> is_negative r) /\ (~ (m = RTN) -> is_positive r))).
+
+Axiom sqrt_special :
+ forall (m:mode) (x:t),
+ let r := sqrt m x in
+ (is_nan x -> is_nan r) /\
+ (is_plus_infinity x -> is_plus_infinity r) /\
+ (is_minus_infinity x -> is_nan r) /\
+ (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
+ (is_zero x -> same_sign r x) /\
+ (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
+
+Axiom of_int_add_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i + j)%Z ->
+ eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
+
+Axiom of_int_sub_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i - j)%Z ->
+ eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
+
+Axiom of_int_mul_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i * j)%Z ->
+ eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
+
+Axiom Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
+
+Axiom Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
+
+Axiom Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
+
+Axiom Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
+
+Parameter is_int: t -> Prop.
+
+Axiom zeroF_is_int : is_int zeroF.
+
+Axiom of_int_is_int :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range x ->
+ is_int (of_int m x).
+
+Axiom big_float_is_int :
+ forall (m:mode) (i:t), t'isFinite i ->
+ le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
+
+Axiom roundToIntegral_is_int :
+ forall (m:mode) (x:t), t'isFinite x -> is_int (roundToIntegral m x).
+
+Axiom eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
+
+Axiom add_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (add m x y) -> is_int (add m x y).
+
+Axiom sub_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (sub m x y) -> is_int (sub m x y).
+
+Axiom mul_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (mul m x y) -> is_int (mul m x y).
+
+Axiom fma_int :
+ forall (x:t) (y:t) (z:t) (m:mode), is_int x -> is_int y -> is_int z ->
+ t'isFinite (fma m x y z) -> is_int (fma m x y z).
+
+Axiom neg_int : forall (x:t), is_int x -> is_int (neg x).
+
+Axiom abs_int : forall (x:t), is_int x -> is_int (abs x).
+
+Axiom is_int_of_int :
+ forall (x:t) (m:mode) (m':mode), is_int x -> eq x (of_int m' (to_int m x)).
+
+Axiom is_int_to_int :
+ forall (m:mode) (x:t), is_int x -> in_int_range (to_int m x).
+
+Axiom is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
+
+Axiom int_to_real :
+ forall (m:mode) (x:t), is_int x ->
+ ((t'real x) = (BuiltIn.IZR (to_int m x))).
+
+Axiom truncate_int :
+ forall (m:mode) (i:t), is_int i -> eq (roundToIntegral m i) i.
+
+Axiom truncate_neg :
+ forall (x:t), t'isFinite x -> is_negative x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTP x)).
+
+Axiom truncate_pos :
+ forall (x:t), t'isFinite x -> is_positive x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTN x)).
+
+Axiom ceil_le : forall (x:t), t'isFinite x -> le x (roundToIntegral RTP x).
+
+Axiom ceil_lest :
+ forall (x:t) (y:t), le x y /\ is_int y -> le (roundToIntegral RTP x) y.
+
+Axiom ceil_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTP x)) = (BuiltIn.IZR (ceil (t'real x)))).
+
+Axiom ceil_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTP x)) = (ceil (t'real x))).
+
+Axiom floor_le : forall (x:t), t'isFinite x -> le (roundToIntegral RTN x) x.
+
+Axiom floor_lest :
+ forall (x:t) (y:t), le y x /\ is_int y -> le y (roundToIntegral RTN x).
+
+Axiom floor_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTN x)) = (BuiltIn.IZR (floor (t'real x)))).
+
+Axiom floor_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTN x)) = (floor (t'real x))).
+
+Axiom RNA_down :
+ forall (x:t),
+ lt (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up :
+ forall (x:t),
+ lt (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom RNA_down_tie :
+ forall (x:t),
+ eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ is_negative x -> ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up_tie :
+ forall (x:t),
+ eq (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ is_positive x -> ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom to_int_roundToIntegral :
+ forall (m:mode) (x:t), ((to_int m x) = (to_int m (roundToIntegral m x))).
+
+Axiom to_int_monotonic :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> le x y ->
+ ((to_int m x) <= (to_int m y))%Z.
+
+Axiom to_int_of_int :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((to_int m (of_int m i)) = i).
+
+Axiom eq_to_int :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> eq x y ->
+ ((to_int m x) = (to_int m y)).
+
+Axiom neg_to_int :
+ forall (m:mode) (x:t), is_int x -> ((to_int m (neg x)) = (-(to_int m x))%Z).
+
+Axiom roundToIntegral_is_finite :
+ forall (m:mode) (x:t), t'isFinite x -> t'isFinite (roundToIntegral m x).
+
+Axiom round_bound_ne :
+ forall (x:Reals.Rdefinitions.R), no_overflow RNE x ->
+ (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R
+ <= (round RNE x))%R /\
+ ((round RNE x) <=
+ ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
+
+Axiom round_bound :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow m x ->
+ (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 713623846352979940529142984724747568191373312)%R)%R
+ <= (round m x))%R /\
+ ((round m x) <=
+ ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
+
+Axiom t1 : Type.
+Parameter t1_WhyType : WhyType t1.
+Existing Instance t1_WhyType.
+
+Parameter t'real1: t1 -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite1: t1 -> Prop.
+
+Axiom t'axiom1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
+ <= (t'real1 x))%R /\
+ ((t'real1 x) <=
+ 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
+
+Parameter zeroF1: t1.
+
+Parameter add1: mode -> t1 -> t1 -> t1.
+
+Parameter sub1: mode -> t1 -> t1 -> t1.
+
+Parameter mul1: mode -> t1 -> t1 -> t1.
+
+Parameter div1: mode -> t1 -> t1 -> t1.
+
+Parameter abs1: t1 -> t1.
+
+Parameter neg1: t1 -> t1.
+
+Parameter fma1: mode -> t1 -> t1 -> t1 -> t1.
+
+Parameter sqrt1: mode -> t1 -> t1.
+
+Parameter roundToIntegral1: mode -> t1 -> t1.
+
+Parameter min1: t1 -> t1 -> t1.
+
+Parameter max1: t1 -> t1 -> t1.
+
+Parameter le1: t1 -> t1 -> Prop.
+
+Parameter lt1: t1 -> t1 -> Prop.
+
+Parameter eq1: t1 -> t1 -> Prop.
+
+Parameter is_normal1: t1 -> Prop.
+
+Parameter is_subnormal1: t1 -> Prop.
+
+Parameter is_zero1: t1 -> Prop.
+
+Parameter is_infinite1: t1 -> Prop.
+
+Parameter is_nan1: t1 -> Prop.
+
+Parameter is_positive1: t1 -> Prop.
+
+Parameter is_negative1: t1 -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_plus_zero1 (x:t1) : Prop := is_zero1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_zero1 (x:t1) : Prop := is_zero1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_not_nan2 (x:t1) : Prop := t'isFinite1 x \/ is_infinite1 x.
+
+Axiom is_not_nan3 : forall (x:t1), is_not_nan2 x <-> ~ is_nan1 x.
+
+Axiom is_not_finite1 :
+ forall (x:t1), ~ t'isFinite1 x <-> is_infinite1 x \/ is_nan1 x.
+
+Axiom zeroF_is_positive1 : is_positive1 zeroF1.
+
+Axiom zeroF_is_zero1 : is_zero1 zeroF1.
+
+Axiom zero_to_real1 :
+ forall (x:t1), is_zero1 x <-> t'isFinite1 x /\ ((t'real1 x) = 0%R).
+
+Parameter of_int1: mode -> Numbers.BinNums.Z -> t1.
+
+Parameter to_int1: mode -> t1 -> Numbers.BinNums.Z.
+
+Axiom zero_of_int1 : forall (m:mode), (zeroF1 = (of_int1 m 0%Z)).
+
+Parameter round1: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int1: Numbers.BinNums.Z.
+
+Axiom max_real_int1 :
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ = (BuiltIn.IZR max_int1)).
+
+(* Why3 assumption *)
+Definition in_range1 (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R
+ <= x)%R /\
+ (x <=
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int1)%Z <= i)%Z /\ (i <= max_int1)%Z.
+
+Axiom is_finite1 : forall (x:t1), t'isFinite1 x -> in_range1 (t'real1 x).
+
+(* Why3 assumption *)
+Definition no_overflow1 (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range1 (round1 m x).
+
+Axiom Bounded_real_no_overflow1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range1 x -> no_overflow1 m x.
+
+Axiom Round_monotonic1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round1 m x) <= (round1 m y))%R.
+
+Axiom Round_idempotent1 :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round1 m2 x)) = (round1 m2 x)).
+
+Axiom Round_to_real1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((round1 m (t'real1 x)) = (t'real1 x)).
+
+Axiom Round_down_le1 :
+ forall (x:Reals.Rdefinitions.R), ((round1 RTN x) <= x)%R.
+
+Axiom Round_up_ge1 :
+ forall (x:Reals.Rdefinitions.R), (x <= (round1 RTP x))%R.
+
+Axiom Round_down_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTN (-x)%R) = (-(round1 RTP x))%R).
+
+Axiom Round_up_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTP (-x)%R) = (-(round1 RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.
+
+Axiom Exact_rounding_for_integers1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((round1 m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_positive1 y \/ is_negative1 x /\ is_negative1 y.
+
+(* Why3 assumption *)
+Definition diff_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_negative1 y \/ is_negative1 x /\ is_positive1 y.
+
+Axiom feq_eq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> ~ is_zero1 x ->
+ eq1 x y -> (x = y).
+
+Axiom eq_feq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> (x = y) -> eq1 x y.
+
+Axiom eq_refl1 : forall (x:t1), t'isFinite1 x -> eq1 x x.
+
+Axiom eq_sym1 : forall (x:t1) (y:t1), eq1 x y -> eq1 y x.
+
+Axiom eq_trans1 : forall (x:t1) (y:t1) (z:t1), eq1 x y -> eq1 y z -> eq1 x z.
+
+Axiom eq_zero1 : eq1 zeroF1 (neg1 zeroF1).
+
+Axiom eq_to_real_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ eq1 x y <-> ((t'real1 x) = (t'real1 y)).
+
+Axiom eq_special1 :
+ forall (x:t1) (y:t1), eq1 x y ->
+ is_not_nan2 x /\
+ is_not_nan2 y /\
+ (t'isFinite1 x /\ t'isFinite1 y \/
+ is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y).
+
+Axiom lt_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ lt1 x y <-> ((t'real1 x) < (t'real1 y))%R.
+
+Axiom le_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ le1 x y <-> ((t'real1 x) <= (t'real1 y))%R.
+
+Axiom le_lt_trans1 :
+ forall (x:t1) (y:t1) (z:t1), le1 x y /\ lt1 y z -> lt1 x z.
+
+Axiom lt_le_trans1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y /\ le1 y z -> lt1 x z.
+
+Axiom le_ge_asym1 : forall (x:t1) (y:t1), le1 x y /\ le1 y x -> eq1 x y.
+
+Axiom not_lt_ge1 :
+ forall (x:t1) (y:t1), ~ lt1 x y /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 y x.
+
+Axiom not_gt_le1 :
+ forall (x:t1) (y:t1), ~ lt1 y x /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 x y.
+
+Axiom le_special1 :
+ forall (x:t1) (y:t1), le1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y \/
+ is_not_nan2 x /\ is_plus_infinity1 y.
+
+Axiom lt_special1 :
+ forall (x:t1) (y:t1), lt1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y /\ ~ is_minus_infinity1 y \/
+ is_not_nan2 x /\ ~ is_plus_infinity1 x /\ is_plus_infinity1 y.
+
+Axiom lt_lt_finite1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y -> lt1 y z -> t'isFinite1 y.
+
+Axiom positive_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x -> (0%R <= (t'real1 x))%R.
+
+Axiom to_real_positive1 :
+ forall (x:t1), t'isFinite1 x -> (0%R < (t'real1 x))%R -> is_positive1 x.
+
+Axiom negative_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x -> ((t'real1 x) <= 0%R)%R.
+
+Axiom to_real_negative1 :
+ forall (x:t1), t'isFinite1 x -> ((t'real1 x) < 0%R)%R -> is_negative1 x.
+
+Axiom negative_xor_positive1 :
+ forall (x:t1), ~ (is_positive1 x /\ is_negative1 x).
+
+Axiom negative_or_positive1 :
+ forall (x:t1), is_not_nan2 x -> is_positive1 x \/ is_negative1 x.
+
+Axiom diff_sign_trans1 :
+ forall (x:t1) (y:t1) (z:t1), diff_sign1 x y /\ diff_sign1 y z ->
+ same_sign1 x z.
+
+Axiom diff_sign_product1 :
+ forall (x:t1) (y:t1),
+ t'isFinite1 x /\ t'isFinite1 y /\ (((t'real1 x) * (t'real1 y))%R < 0%R)%R ->
+ diff_sign1 x y.
+
+Axiom same_sign_product1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y /\ same_sign1 x y ->
+ (0%R <= ((t'real1 x) * (t'real1 y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign1 (z:t1) (x:t1) (y:t1) : Prop :=
+ (same_sign1 x y -> is_positive1 z) /\ (diff_sign1 x y -> is_negative1 z).
+
+(* Why3 assumption *)
+Definition overflow_value1 (m:mode) (x:t1) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x -> is_infinite1 x)
+ | RTP =>
+ (is_positive1 x -> is_infinite1 x) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RTZ =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RNA|RNE => is_infinite1 x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result1 (m:mode) (x:t1) : Prop :=
+ is_zero1 x -> match m with
+ | RTN => is_negative1 x
+ | _ => is_positive1 x
+ end.
+
+Axiom add_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ t'isFinite1 (add1 m x y) /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom add_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (add1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom add_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (add1 m x y) ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom sub_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ t'isFinite1 (sub1 m x y) /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom sub_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (sub1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom sub_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (sub1 m x y) ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom mul_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ t'isFinite1 (mul1 m x y) /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom mul_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (mul1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom mul_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (mul1 m x y) ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom div_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ ~ is_zero1 y -> no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ t'isFinite1 (div1 m x y) /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom div_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (div1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y \/
+ t'isFinite1 x /\ is_infinite1 y /\ ((t'real1 (div1 m x y)) = 0%R).
+
+Axiom div_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (div1 m x y) ->
+ t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) / (t'real1 y))%R /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom neg_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (neg1 x) /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom neg_finite_rev1 :
+ forall (x:t1), t'isFinite1 (neg1 x) ->
+ t'isFinite1 x /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom abs_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (abs1 x) /\
+ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))) /\
+ is_positive1 (abs1 x).
+
+Axiom abs_finite_rev1 :
+ forall (x:t1), t'isFinite1 (abs1 x) ->
+ t'isFinite1 x /\ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))).
+
+Axiom abs_universal1 : forall (x:t1), ~ is_negative1 (abs1 x).
+
+Axiom fma_finite1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 x -> t'isFinite1 y ->
+ t'isFinite1 z ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ t'isFinite1 (fma1 m x y z) /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom fma_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 (fma1 m x y z) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z.
+
+Axiom fma_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), to_nearest m ->
+ t'isFinite1 (fma1 m x y z) ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom sqrt_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> (0%R <= (t'real1 x))%R ->
+ t'isFinite1 (sqrt1 m x) /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+Axiom sqrt_finite_rev1 :
+ forall (m:mode) (x:t1), t'isFinite1 (sqrt1 m x) ->
+ t'isFinite1 x /\
+ (0%R <= (t'real1 x))%R /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real1 (x:t1) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive1 x /\ (0%R < r)%R \/ is_negative1 x /\ (r < 0%R)%R.
+
+Axiom add_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := add1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ same_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) + (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (same_sign1 x y -> same_sign1 r x) /\
+ (~ same_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom sub_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := sub1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ diff_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) - (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (diff_sign1 x y -> same_sign1 r x) /\
+ (~ diff_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom mul_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := mul1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_infinite1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom div_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := div1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_zero1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ ~ is_zero1 y /\ ~ no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ is_zero1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_zero1 x /\ is_zero1 y -> is_nan1 r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom neg_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (neg1 x)) /\
+ (is_infinite1 x -> is_infinite1 (neg1 x)) /\
+ (~ is_nan1 x -> diff_sign1 x (neg1 x)).
+
+Axiom abs_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (abs1 x)) /\
+ (is_infinite1 x -> is_infinite1 (abs1 x)) /\
+ (~ is_nan1 x -> is_positive1 (abs1 x)).
+
+Axiom fma_special1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1),
+ let r := fma1 m x y z in
+ (is_nan1 x \/ is_nan1 y \/ is_nan1 z -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ is_infinite1 z ->
+ is_infinite1 r /\ same_sign1 r z) /\
+ (is_infinite1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ t'isFinite1 z /\
+ ~ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ same_sign_real1 r (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z ->
+ (product_sign1 z x y -> same_sign1 r z) /\
+ (~ product_sign1 z x y ->
+ ((((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R = 0%R) ->
+ ((m = RTN) -> is_negative1 r) /\ (~ (m = RTN) -> is_positive1 r))).
+
+Axiom sqrt_special1 :
+ forall (m:mode) (x:t1),
+ let r := sqrt1 m x in
+ (is_nan1 x -> is_nan1 r) /\
+ (is_plus_infinity1 x -> is_plus_infinity1 r) /\
+ (is_minus_infinity1 x -> is_nan1 r) /\
+ (t'isFinite1 x /\ ((t'real1 x) < 0%R)%R -> is_nan1 r) /\
+ (is_zero1 x -> same_sign1 r x) /\
+ (t'isFinite1 x /\ (0%R < (t'real1 x))%R -> is_positive1 r).
+
+Axiom of_int_add_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i + j)%Z ->
+ eq1 (of_int1 m (i + j)%Z) (add1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_sub_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i - j)%Z ->
+ eq1 (of_int1 m (i - j)%Z) (sub1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_mul_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i * j)%Z ->
+ eq1 (of_int1 m (i * j)%Z) (mul1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom Min_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (min1 x y) y.
+
+Axiom Min_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (min1 x y) x.
+
+Axiom Max_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (max1 x y) x.
+
+Axiom Max_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (max1 x y) y.
+
+Parameter is_int1: t1 -> Prop.
+
+Axiom zeroF_is_int1 : is_int1 zeroF1.
+
+Axiom of_int_is_int1 :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range1 x ->
+ is_int1 (of_int1 m x).
+
+Axiom big_float_is_int1 :
+ forall (m:mode) (i:t1), t'isFinite1 i ->
+ le1 i (neg1 (of_int1 m 9007199254740992%Z)) \/
+ le1 (of_int1 m 9007199254740992%Z) i -> is_int1 i.
+
+Axiom roundToIntegral_is_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> is_int1 (roundToIntegral1 m x).
+
+Axiom eq_is_int1 : forall (x:t1) (y:t1), eq1 x y -> is_int1 x -> is_int1 y.
+
+Axiom add_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (add1 m x y) -> is_int1 (add1 m x y).
+
+Axiom sub_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (sub1 m x y) -> is_int1 (sub1 m x y).
+
+Axiom mul_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (mul1 m x y) -> is_int1 (mul1 m x y).
+
+Axiom fma_int1 :
+ forall (x:t1) (y:t1) (z:t1) (m:mode), is_int1 x -> is_int1 y ->
+ is_int1 z -> t'isFinite1 (fma1 m x y z) -> is_int1 (fma1 m x y z).
+
+Axiom neg_int1 : forall (x:t1), is_int1 x -> is_int1 (neg1 x).
+
+Axiom abs_int1 : forall (x:t1), is_int1 x -> is_int1 (abs1 x).
+
+Axiom is_int_of_int1 :
+ forall (x:t1) (m:mode) (m':mode), is_int1 x ->
+ eq1 x (of_int1 m' (to_int1 m x)).
+
+Axiom is_int_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x -> in_int_range1 (to_int1 m x).
+
+Axiom is_int_is_finite1 : forall (x:t1), is_int1 x -> t'isFinite1 x.
+
+Axiom int_to_real1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((t'real1 x) = (BuiltIn.IZR (to_int1 m x))).
+
+Axiom truncate_int1 :
+ forall (m:mode) (i:t1), is_int1 i -> eq1 (roundToIntegral1 m i) i.
+
+Axiom truncate_neg1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTP x)).
+
+Axiom truncate_pos1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTN x)).
+
+Axiom ceil_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 x (roundToIntegral1 RTP x).
+
+Axiom ceil_lest1 :
+ forall (x:t1) (y:t1), le1 x y /\ is_int1 y ->
+ le1 (roundToIntegral1 RTP x) y.
+
+Axiom ceil_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTP x)) = (BuiltIn.IZR (ceil (t'real1 x)))).
+
+Axiom ceil_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTP x)) = (ceil (t'real1 x))).
+
+Axiom floor_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 (roundToIntegral1 RTN x) x.
+
+Axiom floor_lest1 :
+ forall (x:t1) (y:t1), le1 y x /\ is_int1 y ->
+ le1 y (roundToIntegral1 RTN x).
+
+Axiom floor_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTN x)) = (BuiltIn.IZR (floor (t'real1 x)))).
+
+Axiom floor_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTN x)) = (floor (t'real1 x))).
+
+Axiom RNA_down1 :
+ forall (x:t1),
+ lt1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up1 :
+ forall (x:t1),
+ lt1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom RNA_down_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) -> is_negative1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) -> is_positive1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom to_int_roundToIntegral1 :
+ forall (m:mode) (x:t1),
+ ((to_int1 m x) = (to_int1 m (roundToIntegral1 m x))).
+
+Axiom to_int_monotonic1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> le1 x y ->
+ ((to_int1 m x) <= (to_int1 m y))%Z.
+
+Axiom to_int_of_int1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((to_int1 m (of_int1 m i)) = i).
+
+Axiom eq_to_int1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> eq1 x y ->
+ ((to_int1 m x) = (to_int1 m y)).
+
+Axiom neg_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((to_int1 m (neg1 x)) = (-(to_int1 m x))%Z).
+
+Axiom roundToIntegral_is_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> t'isFinite1 (roundToIntegral1 m x).
+
+Axiom round_bound_ne1 :
+ forall (x:Reals.Rdefinitions.R), no_overflow1 RNE x ->
+ (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
+ <= (round1 RNE x))%R /\
+ ((round1 RNE x) <=
+ ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
+
+Axiom round_bound1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow1 m x ->
+ (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
+ <= (round1 m x))%R /\
+ ((round1 m x) <=
+ ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
+
+Parameter to_float64: mode -> t -> t1.
+
+Parameter to_float32: mode -> t1 -> t.
+
+Axiom round_double_single :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round m2 x)) = (round m2 x)).
+
+Axiom to_float64_exact :
+ forall (m:mode) (x:t), t'isFinite x ->
+ t'isFinite1 (to_float64 m x) /\ ((t'real1 (to_float64 m x)) = (t'real x)).
+
+Axiom to_float32_conv :
+ forall (m:mode) (x:t1), t'isFinite1 x -> no_overflow m (t'real1 x) ->
+ t'isFinite (to_float32 m x) /\
+ ((t'real (to_float32 m x)) = (round m (t'real1 x))).
+
+(* Why3 assumption *)
+Definition f32 := t.
+
+(* Why3 assumption *)
+Definition f64 := t1.
+
+Parameter to_f32: Reals.Rdefinitions.R -> t.
+
+Parameter to_f64: Reals.Rdefinitions.R -> t1.
+
+Axiom to_float_is_finite_32 :
+ forall (f:t), t'isFinite f -> eq (to_f32 (t'real f)) f.
+
+Axiom to_f32_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range x ->
+ ((t'real (to_f32 x)) = (round RNE x)).
+
+Axiom to_f32_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range x -> t'isFinite (to_f32 x).
+
+Axiom to_f32_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x < (-(33554430 * 10141204801825835211973625643008)%R)%R)%R ->
+ is_minus_infinity (to_f32 x).
+
+Axiom to_f32_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((33554430 * 10141204801825835211973625643008)%R < x)%R ->
+ is_plus_infinity (to_f32 x).
+
+Axiom to_float_is_finite_64 :
+ forall (f:t1), t'isFinite1 f -> eq1 (to_f64 (t'real1 f)) f.
+
+Axiom to_f64_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range1 x ->
+ ((t'real1 (to_f64 x)) = (round1 RNE x)).
+
+Axiom to_f64_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range1 x -> t'isFinite1 (to_f64 x).
+
+Axiom to_f64_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x <
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R)%R ->
+ is_minus_infinity1 (to_f64 x).
+
+Axiom to_f64_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ < x)%R ->
+ is_plus_infinity1 (to_f64 x).
+
+(* Why3 assumption *)
+Definition round_float (m:mode) (r:Reals.Rdefinitions.R) : t :=
+ to_f32 (round m r).
+
+(* Why3 assumption *)
+Definition round_double (m:mode) (r:Reals.Rdefinitions.R) : t1 :=
+ to_f64 (round1 m r).
+
+Axiom is_zero_to_f32_zero : is_zero (to_f32 0%R).
+
+Axiom is_zero_to_f64_zero : is_zero1 (to_f64 0%R).
+
+Axiom real_0_is_zero_f32 : forall (f:t), (0%R = (t'real f)) -> is_zero f.
+
+Axiom real_0_is_zero_f64 : forall (f:t1), (0%R = (t'real1 f)) -> is_zero1 f.
+
+Axiom f32_to_f64 : forall (f:t), ((to_f64 (t'real f)) = (to_float64 RNE f)).
+
+Axiom f64_to_f32 :
+ forall (f:t1), ((to_f32 (t'real1 f)) = (to_float32 RNE f)).
+
+(* Why3 assumption *)
+Definition finite (x:Reals.Rdefinitions.R) : Prop :=
+ t'isFinite (to_f32 x) /\ t'isFinite1 (to_f64 x).
+
+Parameter eq_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom eq_f32b'def :
+ forall (x:t) (y:t),
+ (eq x y -> ((eq_f32b x y) = Init.Datatypes.true)) /\
+ (~ eq x y -> ((eq_f32b x y) = Init.Datatypes.false)).
+
+Parameter eq_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom eq_f64b'def :
+ forall (x:t1) (y:t1),
+ (eq1 x y -> ((eq_f64b x y) = Init.Datatypes.true)) /\
+ (~ eq1 x y -> ((eq_f64b x y) = Init.Datatypes.false)).
+
+(* Why3 assumption *)
+Definition ne_f32 (x:t) (y:t) : Prop := ~ eq x y.
+
+(* Why3 assumption *)
+Definition ne_f64 (x:t1) (y:t1) : Prop := ~ eq1 x y.
+
+Parameter ne_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom ne_f32b'def :
+ forall (x:t) (y:t),
+ (ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.true)) /\
+ (~ ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.false)).
+
+Parameter ne_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom ne_f64b'def :
+ forall (x:t1) (y:t1),
+ (ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.true)) /\
+ (~ ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.false)).
+
+Parameter le_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom le_f32b'def :
+ forall (x:t) (y:t),
+ (le x y -> ((le_f32b x y) = Init.Datatypes.true)) /\
+ (~ le x y -> ((le_f32b x y) = Init.Datatypes.false)).
+
+Parameter le_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom le_f64b'def :
+ forall (x:t1) (y:t1),
+ (le1 x y -> ((le_f64b x y) = Init.Datatypes.true)) /\
+ (~ le1 x y -> ((le_f64b x y) = Init.Datatypes.false)).
+
+Parameter lt_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom lt_f32b'def :
+ forall (x:t) (y:t),
+ (lt x y -> ((lt_f32b x y) = Init.Datatypes.true)) /\
+ (~ lt x y -> ((lt_f32b x y) = Init.Datatypes.false)).
+
+Parameter lt_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom lt_f64b'def :
+ forall (x:t1) (y:t1),
+ (lt1 x y -> ((lt_f64b x y) = Init.Datatypes.true)) /\
+ (~ lt1 x y -> ((lt_f64b x y) = Init.Datatypes.false)).
+
+Parameter model_f32: t -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f32 (f:t) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real f) - (model_f32 f))%R.
+
+(* Why3 assumption *)
+Definition error_f32 (f:t) : Reals.Rdefinitions.R :=
+ ((delta_f32 f) / (Reals.Rbasic_fun.Rabs (model_f32 f)))%R.
+
+Parameter model_f64: t1 -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f64 (f:t1) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real1 f) - (model_f64 f))%R.
+
+(* Why3 assumption *)
+Definition error_f64 (f:t1) : Reals.Rdefinitions.R :=
+ ((delta_f64 f) / (Reals.Rbasic_fun.Rabs (model_f64 f)))%R.
+
+Axiom Q_InfP_not_finite :
+ forall (x:t1), ~ t'isFinite1 x \/ ~ is_plus_infinity1 x.
+
+Axiom Q_NaN_not_finite : forall (x:t1), ~ t'isFinite1 x \/ ~ is_nan1 x.
+
+(* Why3 goal *)
+Theorem wp_goal : forall (f:t1), ~ t'isFinite1 f \/ ~ is_minus_infinity1 f.
+Proof.
+ admit.
+Admitted.
+
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfP_not_finite.v b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfP_not_finite.v
new file mode 100644
index 0000000000000000000000000000000000000000..e544d62b139f1aa7e83b17bb15e1c8babbef5568
--- /dev/null
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_InfP_not_finite.v
@@ -0,0 +1,1765 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require Reals.Rbasic_fun.
+Require Reals.R_sqrt.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.Abs.
+Require real.FromInt.
+Require real.Square.
+Require map.Map.
+Require bv.Pow2int.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+Axiom abs_def :
+ forall (x:Numbers.BinNums.Z),
+ ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
+ (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
+
+Axiom sqrt_lin1 :
+ forall (x:Reals.Rdefinitions.R), (1%R < x)%R ->
+ ((Reals.R_sqrt.sqrt x) < x)%R.
+
+Axiom sqrt_lin0 :
+ forall (x:Reals.Rdefinitions.R), (0%R < x)%R /\ (x < 1%R)%R ->
+ (x < (Reals.R_sqrt.sqrt x))%R.
+
+Axiom sqrt_0 : ((Reals.R_sqrt.sqrt 0%R) = 0%R).
+
+Axiom sqrt_1 : ((Reals.R_sqrt.sqrt 1%R) = 1%R).
+
+(* Why3 assumption *)
+Inductive mode :=
+ | RNE : mode
+ | RNA : mode
+ | RTP : mode
+ | RTN : mode
+ | RTZ : mode.
+Axiom mode_WhyType : WhyType mode.
+Existing Instance mode_WhyType.
+
+(* Why3 assumption *)
+Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).
+
+Axiom t : Type.
+Parameter t_WhyType : WhyType t.
+Existing Instance t_WhyType.
+
+Parameter t'real: t -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite: t -> Prop.
+
+Axiom t'axiom :
+ forall (x:t), t'isFinite x ->
+ ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
+ ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
+
+Parameter truncate: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Truncate_int :
+ forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
+
+Axiom Truncate_down_pos :
+ forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
+ ((BuiltIn.IZR (truncate x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
+
+Axiom Truncate_up_neg :
+ forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
+ ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
+ (x <= (BuiltIn.IZR (truncate x)))%R.
+
+Axiom Real_of_truncate :
+ forall (x:Reals.Rdefinitions.R),
+ ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
+ ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
+
+Axiom Truncate_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((truncate x) <= (truncate y))%Z.
+
+Axiom Truncate_monotonic_int1 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
+
+Axiom Truncate_monotonic_int2 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
+
+Parameter floor: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Parameter ceil: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Floor_int :
+ forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
+
+Axiom Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
+
+Axiom Floor_down :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR (floor x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
+
+Axiom Ceil_up :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
+
+Axiom Floor_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((floor x) <= (floor y))%Z.
+
+Axiom Ceil_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((ceil x) <= (ceil y))%Z.
+
+Parameter zeroF: t.
+
+Parameter add: mode -> t -> t -> t.
+
+Parameter sub: mode -> t -> t -> t.
+
+Parameter mul: mode -> t -> t -> t.
+
+Parameter div: mode -> t -> t -> t.
+
+Parameter abs: t -> t.
+
+Parameter neg: t -> t.
+
+Parameter fma: mode -> t -> t -> t -> t.
+
+Parameter sqrt: mode -> t -> t.
+
+Parameter roundToIntegral: mode -> t -> t.
+
+Parameter min: t -> t -> t.
+
+Parameter max: t -> t -> t.
+
+Parameter le: t -> t -> Prop.
+
+Parameter lt: t -> t -> Prop.
+
+Parameter eq: t -> t -> Prop.
+
+Parameter is_normal: t -> Prop.
+
+Parameter is_subnormal: t -> Prop.
+
+Parameter is_zero: t -> Prop.
+
+Parameter is_infinite: t -> Prop.
+
+Parameter is_nan: t -> Prop.
+
+Parameter is_positive: t -> Prop.
+
+Parameter is_negative: t -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.
+
+Axiom is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
+
+Axiom is_not_finite :
+ forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
+
+Axiom zeroF_is_positive : is_positive zeroF.
+
+Axiom zeroF_is_zero : is_zero zeroF.
+
+Axiom zero_to_real :
+ forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
+
+Parameter of_int: mode -> Numbers.BinNums.Z -> t.
+
+Parameter to_int: mode -> t -> Numbers.BinNums.Z.
+
+Axiom zero_of_int : forall (m:mode), (zeroF = (of_int m 0%Z)).
+
+Parameter round: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int: Numbers.BinNums.Z.
+
+Axiom max_real_int :
+ ((33554430 * 10141204801825835211973625643008)%R = (BuiltIn.IZR max_int)).
+
+(* Why3 assumption *)
+Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(33554430 * 10141204801825835211973625643008)%R)%R <= x)%R /\
+ (x <= (33554430 * 10141204801825835211973625643008)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.
+
+Axiom is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
+
+(* Why3 assumption *)
+Definition no_overflow (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range (round m x).
+
+Axiom Bounded_real_no_overflow :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range x -> no_overflow m x.
+
+Axiom Round_monotonic :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round m x) <= (round m y))%R.
+
+Axiom Round_idempotent :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round m1 (round m2 x)) = (round m2 x)).
+
+Axiom Round_to_real :
+ forall (m:mode) (x:t), t'isFinite x -> ((round m (t'real x)) = (t'real x)).
+
+Axiom Round_down_le :
+ forall (x:Reals.Rdefinitions.R), ((round RTN x) <= x)%R.
+
+Axiom Round_up_ge : forall (x:Reals.Rdefinitions.R), (x <= (round RTP x))%R.
+
+Axiom Round_down_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTN (-x)%R) = (-(round RTP x))%R).
+
+Axiom Round_up_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTP (-x)%R) = (-(round RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.
+
+Axiom Exact_rounding_for_integers :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.
+
+(* Why3 assumption *)
+Definition diff_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.
+
+Axiom feq_eq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
+ eq x y -> (x = y).
+
+Axiom eq_feq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
+
+Axiom eq_refl : forall (x:t), t'isFinite x -> eq x x.
+
+Axiom eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
+
+Axiom eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
+
+Axiom eq_zero : eq zeroF (neg zeroF).
+
+Axiom eq_to_real_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ eq x y <-> ((t'real x) = (t'real y)).
+
+Axiom eq_special :
+ forall (x:t) (y:t), eq x y ->
+ is_not_nan x /\
+ is_not_nan y /\
+ (t'isFinite x /\ t'isFinite y \/
+ is_infinite x /\ is_infinite y /\ same_sign x y).
+
+Axiom lt_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ lt x y <-> ((t'real x) < (t'real y))%R.
+
+Axiom le_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ le x y <-> ((t'real x) <= (t'real y))%R.
+
+Axiom le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
+
+Axiom lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
+
+Axiom le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
+
+Axiom not_lt_ge :
+ forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
+
+Axiom not_gt_le :
+ forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
+
+Axiom le_special :
+ forall (x:t) (y:t), le x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
+
+Axiom lt_special :
+ forall (x:t) (y:t), lt x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
+ is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
+
+Axiom lt_lt_finite :
+ forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
+
+Axiom positive_to_real :
+ forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
+
+Axiom to_real_positive :
+ forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
+
+Axiom negative_to_real :
+ forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
+
+Axiom to_real_negative :
+ forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
+
+Axiom negative_xor_positive :
+ forall (x:t), ~ (is_positive x /\ is_negative x).
+
+Axiom negative_or_positive :
+ forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
+
+Axiom diff_sign_trans :
+ forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
+
+Axiom diff_sign_product :
+ forall (x:t) (y:t),
+ t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
+ diff_sign x y.
+
+Axiom same_sign_product :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
+ (0%R <= ((t'real x) * (t'real y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign (z:t) (x:t) (y:t) : Prop :=
+ (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).
+
+(* Why3 assumption *)
+Definition overflow_value (m:mode) (x:t) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x -> is_infinite x)
+ | RTP =>
+ (is_positive x -> is_infinite x) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RTZ =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RNA|RNE => is_infinite x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result (m:mode) (x:t) : Prop :=
+ is_zero x -> match m with
+ | RTN => is_negative x
+ | _ => is_positive x
+ end.
+
+Axiom add_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) + (t'real y))%R ->
+ t'isFinite (add m x y) /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom add_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (add m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom add_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (add m x y) ->
+ no_overflow m ((t'real x) + (t'real y))%R /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom sub_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) - (t'real y))%R ->
+ t'isFinite (sub m x y) /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom sub_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (sub m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom sub_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (sub m x y) ->
+ no_overflow m ((t'real x) - (t'real y))%R /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom mul_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) * (t'real y))%R ->
+ t'isFinite (mul m x y) /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom mul_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (mul m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom mul_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (mul m x y) ->
+ no_overflow m ((t'real x) * (t'real y))%R /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom div_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero y ->
+ no_overflow m ((t'real x) / (t'real y))%R ->
+ t'isFinite (div m x y) /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom div_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (div m x y) ->
+ t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
+ t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
+
+Axiom div_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (div m x y) ->
+ t'isFinite y ->
+ no_overflow m ((t'real x) / (t'real y))%R /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom neg_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom neg_finite_rev :
+ forall (x:t), t'isFinite (neg x) ->
+ t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom abs_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (abs x) /\
+ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
+ is_positive (abs x).
+
+Axiom abs_finite_rev :
+ forall (x:t), t'isFinite (abs x) ->
+ t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
+
+Axiom abs_universal : forall (x:t), ~ is_negative (abs x).
+
+Axiom fma_finite :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite x -> t'isFinite y ->
+ t'isFinite z ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ t'isFinite (fma m x y z) /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom fma_finite_rev :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite (fma m x y z) ->
+ t'isFinite x /\ t'isFinite y /\ t'isFinite z.
+
+Axiom fma_finite_rev_n :
+ forall (m:mode) (x:t) (y:t) (z:t), to_nearest m ->
+ t'isFinite (fma m x y z) ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom sqrt_finite :
+ forall (m:mode) (x:t), t'isFinite x -> (0%R <= (t'real x))%R ->
+ t'isFinite (sqrt m x) /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+Axiom sqrt_finite_rev :
+ forall (m:mode) (x:t), t'isFinite (sqrt m x) ->
+ t'isFinite x /\
+ (0%R <= (t'real x))%R /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.
+
+Axiom add_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := add m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
+ same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (same_sign x y -> same_sign r x) /\
+ (~ same_sign x y -> sign_zero_result m r)).
+
+Axiom sub_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := sub m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
+ same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (diff_sign x y -> same_sign r x) /\
+ (~ diff_sign x y -> sign_zero_result m r)).
+
+Axiom mul_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := mul m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_infinite r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
+ overflow_value m r) /\
+ (~ is_nan r -> product_sign r x y).
+
+Axiom div_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := div m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_zero r) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
+ overflow_value m r) /\
+ (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
+ (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
+
+Axiom neg_special :
+ forall (x:t),
+ (is_nan x -> is_nan (neg x)) /\
+ (is_infinite x -> is_infinite (neg x)) /\
+ (~ is_nan x -> diff_sign x (neg x)).
+
+Axiom abs_special :
+ forall (x:t),
+ (is_nan x -> is_nan (abs x)) /\
+ (is_infinite x -> is_infinite (abs x)) /\
+ (~ is_nan x -> is_positive (abs x)).
+
+Axiom fma_special :
+ forall (m:mode) (x:t) (y:t) (z:t),
+ let r := fma m x y z in
+ (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
+ is_infinite r /\ same_sign r z) /\
+ (is_infinite x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (t'isFinite x /\
+ t'isFinite y /\
+ t'isFinite z /\
+ ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
+ (product_sign z x y -> same_sign r z) /\
+ (~ product_sign z x y ->
+ ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
+ ((m = RTN) -> is_negative r) /\ (~ (m = RTN) -> is_positive r))).
+
+Axiom sqrt_special :
+ forall (m:mode) (x:t),
+ let r := sqrt m x in
+ (is_nan x -> is_nan r) /\
+ (is_plus_infinity x -> is_plus_infinity r) /\
+ (is_minus_infinity x -> is_nan r) /\
+ (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
+ (is_zero x -> same_sign r x) /\
+ (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
+
+Axiom of_int_add_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i + j)%Z ->
+ eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
+
+Axiom of_int_sub_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i - j)%Z ->
+ eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
+
+Axiom of_int_mul_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i * j)%Z ->
+ eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
+
+Axiom Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
+
+Axiom Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
+
+Axiom Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
+
+Axiom Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
+
+Parameter is_int: t -> Prop.
+
+Axiom zeroF_is_int : is_int zeroF.
+
+Axiom of_int_is_int :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range x ->
+ is_int (of_int m x).
+
+Axiom big_float_is_int :
+ forall (m:mode) (i:t), t'isFinite i ->
+ le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
+
+Axiom roundToIntegral_is_int :
+ forall (m:mode) (x:t), t'isFinite x -> is_int (roundToIntegral m x).
+
+Axiom eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
+
+Axiom add_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (add m x y) -> is_int (add m x y).
+
+Axiom sub_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (sub m x y) -> is_int (sub m x y).
+
+Axiom mul_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (mul m x y) -> is_int (mul m x y).
+
+Axiom fma_int :
+ forall (x:t) (y:t) (z:t) (m:mode), is_int x -> is_int y -> is_int z ->
+ t'isFinite (fma m x y z) -> is_int (fma m x y z).
+
+Axiom neg_int : forall (x:t), is_int x -> is_int (neg x).
+
+Axiom abs_int : forall (x:t), is_int x -> is_int (abs x).
+
+Axiom is_int_of_int :
+ forall (x:t) (m:mode) (m':mode), is_int x -> eq x (of_int m' (to_int m x)).
+
+Axiom is_int_to_int :
+ forall (m:mode) (x:t), is_int x -> in_int_range (to_int m x).
+
+Axiom is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
+
+Axiom int_to_real :
+ forall (m:mode) (x:t), is_int x ->
+ ((t'real x) = (BuiltIn.IZR (to_int m x))).
+
+Axiom truncate_int :
+ forall (m:mode) (i:t), is_int i -> eq (roundToIntegral m i) i.
+
+Axiom truncate_neg :
+ forall (x:t), t'isFinite x -> is_negative x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTP x)).
+
+Axiom truncate_pos :
+ forall (x:t), t'isFinite x -> is_positive x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTN x)).
+
+Axiom ceil_le : forall (x:t), t'isFinite x -> le x (roundToIntegral RTP x).
+
+Axiom ceil_lest :
+ forall (x:t) (y:t), le x y /\ is_int y -> le (roundToIntegral RTP x) y.
+
+Axiom ceil_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTP x)) = (BuiltIn.IZR (ceil (t'real x)))).
+
+Axiom ceil_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTP x)) = (ceil (t'real x))).
+
+Axiom floor_le : forall (x:t), t'isFinite x -> le (roundToIntegral RTN x) x.
+
+Axiom floor_lest :
+ forall (x:t) (y:t), le y x /\ is_int y -> le y (roundToIntegral RTN x).
+
+Axiom floor_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTN x)) = (BuiltIn.IZR (floor (t'real x)))).
+
+Axiom floor_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTN x)) = (floor (t'real x))).
+
+Axiom RNA_down :
+ forall (x:t),
+ lt (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up :
+ forall (x:t),
+ lt (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom RNA_down_tie :
+ forall (x:t),
+ eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ is_negative x -> ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up_tie :
+ forall (x:t),
+ eq (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ is_positive x -> ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom to_int_roundToIntegral :
+ forall (m:mode) (x:t), ((to_int m x) = (to_int m (roundToIntegral m x))).
+
+Axiom to_int_monotonic :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> le x y ->
+ ((to_int m x) <= (to_int m y))%Z.
+
+Axiom to_int_of_int :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((to_int m (of_int m i)) = i).
+
+Axiom eq_to_int :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> eq x y ->
+ ((to_int m x) = (to_int m y)).
+
+Axiom neg_to_int :
+ forall (m:mode) (x:t), is_int x -> ((to_int m (neg x)) = (-(to_int m x))%Z).
+
+Axiom roundToIntegral_is_finite :
+ forall (m:mode) (x:t), t'isFinite x -> t'isFinite (roundToIntegral m x).
+
+Axiom round_bound_ne :
+ forall (x:Reals.Rdefinitions.R), no_overflow RNE x ->
+ (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R
+ <= (round RNE x))%R /\
+ ((round RNE x) <=
+ ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
+
+Axiom round_bound :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow m x ->
+ (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 713623846352979940529142984724747568191373312)%R)%R
+ <= (round m x))%R /\
+ ((round m x) <=
+ ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
+
+Axiom t1 : Type.
+Parameter t1_WhyType : WhyType t1.
+Existing Instance t1_WhyType.
+
+Parameter t'real1: t1 -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite1: t1 -> Prop.
+
+Axiom t'axiom1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
+ <= (t'real1 x))%R /\
+ ((t'real1 x) <=
+ 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
+
+Parameter zeroF1: t1.
+
+Parameter add1: mode -> t1 -> t1 -> t1.
+
+Parameter sub1: mode -> t1 -> t1 -> t1.
+
+Parameter mul1: mode -> t1 -> t1 -> t1.
+
+Parameter div1: mode -> t1 -> t1 -> t1.
+
+Parameter abs1: t1 -> t1.
+
+Parameter neg1: t1 -> t1.
+
+Parameter fma1: mode -> t1 -> t1 -> t1 -> t1.
+
+Parameter sqrt1: mode -> t1 -> t1.
+
+Parameter roundToIntegral1: mode -> t1 -> t1.
+
+Parameter min1: t1 -> t1 -> t1.
+
+Parameter max1: t1 -> t1 -> t1.
+
+Parameter le1: t1 -> t1 -> Prop.
+
+Parameter lt1: t1 -> t1 -> Prop.
+
+Parameter eq1: t1 -> t1 -> Prop.
+
+Parameter is_normal1: t1 -> Prop.
+
+Parameter is_subnormal1: t1 -> Prop.
+
+Parameter is_zero1: t1 -> Prop.
+
+Parameter is_infinite1: t1 -> Prop.
+
+Parameter is_nan1: t1 -> Prop.
+
+Parameter is_positive1: t1 -> Prop.
+
+Parameter is_negative1: t1 -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_plus_zero1 (x:t1) : Prop := is_zero1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_zero1 (x:t1) : Prop := is_zero1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_not_nan2 (x:t1) : Prop := t'isFinite1 x \/ is_infinite1 x.
+
+Axiom is_not_nan3 : forall (x:t1), is_not_nan2 x <-> ~ is_nan1 x.
+
+Axiom is_not_finite1 :
+ forall (x:t1), ~ t'isFinite1 x <-> is_infinite1 x \/ is_nan1 x.
+
+Axiom zeroF_is_positive1 : is_positive1 zeroF1.
+
+Axiom zeroF_is_zero1 : is_zero1 zeroF1.
+
+Axiom zero_to_real1 :
+ forall (x:t1), is_zero1 x <-> t'isFinite1 x /\ ((t'real1 x) = 0%R).
+
+Parameter of_int1: mode -> Numbers.BinNums.Z -> t1.
+
+Parameter to_int1: mode -> t1 -> Numbers.BinNums.Z.
+
+Axiom zero_of_int1 : forall (m:mode), (zeroF1 = (of_int1 m 0%Z)).
+
+Parameter round1: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int1: Numbers.BinNums.Z.
+
+Axiom max_real_int1 :
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ = (BuiltIn.IZR max_int1)).
+
+(* Why3 assumption *)
+Definition in_range1 (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R
+ <= x)%R /\
+ (x <=
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int1)%Z <= i)%Z /\ (i <= max_int1)%Z.
+
+Axiom is_finite1 : forall (x:t1), t'isFinite1 x -> in_range1 (t'real1 x).
+
+(* Why3 assumption *)
+Definition no_overflow1 (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range1 (round1 m x).
+
+Axiom Bounded_real_no_overflow1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range1 x -> no_overflow1 m x.
+
+Axiom Round_monotonic1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round1 m x) <= (round1 m y))%R.
+
+Axiom Round_idempotent1 :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round1 m2 x)) = (round1 m2 x)).
+
+Axiom Round_to_real1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((round1 m (t'real1 x)) = (t'real1 x)).
+
+Axiom Round_down_le1 :
+ forall (x:Reals.Rdefinitions.R), ((round1 RTN x) <= x)%R.
+
+Axiom Round_up_ge1 :
+ forall (x:Reals.Rdefinitions.R), (x <= (round1 RTP x))%R.
+
+Axiom Round_down_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTN (-x)%R) = (-(round1 RTP x))%R).
+
+Axiom Round_up_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTP (-x)%R) = (-(round1 RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.
+
+Axiom Exact_rounding_for_integers1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((round1 m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_positive1 y \/ is_negative1 x /\ is_negative1 y.
+
+(* Why3 assumption *)
+Definition diff_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_negative1 y \/ is_negative1 x /\ is_positive1 y.
+
+Axiom feq_eq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> ~ is_zero1 x ->
+ eq1 x y -> (x = y).
+
+Axiom eq_feq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> (x = y) -> eq1 x y.
+
+Axiom eq_refl1 : forall (x:t1), t'isFinite1 x -> eq1 x x.
+
+Axiom eq_sym1 : forall (x:t1) (y:t1), eq1 x y -> eq1 y x.
+
+Axiom eq_trans1 : forall (x:t1) (y:t1) (z:t1), eq1 x y -> eq1 y z -> eq1 x z.
+
+Axiom eq_zero1 : eq1 zeroF1 (neg1 zeroF1).
+
+Axiom eq_to_real_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ eq1 x y <-> ((t'real1 x) = (t'real1 y)).
+
+Axiom eq_special1 :
+ forall (x:t1) (y:t1), eq1 x y ->
+ is_not_nan2 x /\
+ is_not_nan2 y /\
+ (t'isFinite1 x /\ t'isFinite1 y \/
+ is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y).
+
+Axiom lt_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ lt1 x y <-> ((t'real1 x) < (t'real1 y))%R.
+
+Axiom le_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ le1 x y <-> ((t'real1 x) <= (t'real1 y))%R.
+
+Axiom le_lt_trans1 :
+ forall (x:t1) (y:t1) (z:t1), le1 x y /\ lt1 y z -> lt1 x z.
+
+Axiom lt_le_trans1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y /\ le1 y z -> lt1 x z.
+
+Axiom le_ge_asym1 : forall (x:t1) (y:t1), le1 x y /\ le1 y x -> eq1 x y.
+
+Axiom not_lt_ge1 :
+ forall (x:t1) (y:t1), ~ lt1 x y /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 y x.
+
+Axiom not_gt_le1 :
+ forall (x:t1) (y:t1), ~ lt1 y x /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 x y.
+
+Axiom le_special1 :
+ forall (x:t1) (y:t1), le1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y \/
+ is_not_nan2 x /\ is_plus_infinity1 y.
+
+Axiom lt_special1 :
+ forall (x:t1) (y:t1), lt1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y /\ ~ is_minus_infinity1 y \/
+ is_not_nan2 x /\ ~ is_plus_infinity1 x /\ is_plus_infinity1 y.
+
+Axiom lt_lt_finite1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y -> lt1 y z -> t'isFinite1 y.
+
+Axiom positive_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x -> (0%R <= (t'real1 x))%R.
+
+Axiom to_real_positive1 :
+ forall (x:t1), t'isFinite1 x -> (0%R < (t'real1 x))%R -> is_positive1 x.
+
+Axiom negative_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x -> ((t'real1 x) <= 0%R)%R.
+
+Axiom to_real_negative1 :
+ forall (x:t1), t'isFinite1 x -> ((t'real1 x) < 0%R)%R -> is_negative1 x.
+
+Axiom negative_xor_positive1 :
+ forall (x:t1), ~ (is_positive1 x /\ is_negative1 x).
+
+Axiom negative_or_positive1 :
+ forall (x:t1), is_not_nan2 x -> is_positive1 x \/ is_negative1 x.
+
+Axiom diff_sign_trans1 :
+ forall (x:t1) (y:t1) (z:t1), diff_sign1 x y /\ diff_sign1 y z ->
+ same_sign1 x z.
+
+Axiom diff_sign_product1 :
+ forall (x:t1) (y:t1),
+ t'isFinite1 x /\ t'isFinite1 y /\ (((t'real1 x) * (t'real1 y))%R < 0%R)%R ->
+ diff_sign1 x y.
+
+Axiom same_sign_product1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y /\ same_sign1 x y ->
+ (0%R <= ((t'real1 x) * (t'real1 y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign1 (z:t1) (x:t1) (y:t1) : Prop :=
+ (same_sign1 x y -> is_positive1 z) /\ (diff_sign1 x y -> is_negative1 z).
+
+(* Why3 assumption *)
+Definition overflow_value1 (m:mode) (x:t1) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x -> is_infinite1 x)
+ | RTP =>
+ (is_positive1 x -> is_infinite1 x) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RTZ =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RNA|RNE => is_infinite1 x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result1 (m:mode) (x:t1) : Prop :=
+ is_zero1 x -> match m with
+ | RTN => is_negative1 x
+ | _ => is_positive1 x
+ end.
+
+Axiom add_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ t'isFinite1 (add1 m x y) /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom add_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (add1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom add_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (add1 m x y) ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom sub_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ t'isFinite1 (sub1 m x y) /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom sub_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (sub1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom sub_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (sub1 m x y) ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom mul_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ t'isFinite1 (mul1 m x y) /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom mul_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (mul1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom mul_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (mul1 m x y) ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom div_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ ~ is_zero1 y -> no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ t'isFinite1 (div1 m x y) /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom div_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (div1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y \/
+ t'isFinite1 x /\ is_infinite1 y /\ ((t'real1 (div1 m x y)) = 0%R).
+
+Axiom div_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (div1 m x y) ->
+ t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) / (t'real1 y))%R /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom neg_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (neg1 x) /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom neg_finite_rev1 :
+ forall (x:t1), t'isFinite1 (neg1 x) ->
+ t'isFinite1 x /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom abs_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (abs1 x) /\
+ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))) /\
+ is_positive1 (abs1 x).
+
+Axiom abs_finite_rev1 :
+ forall (x:t1), t'isFinite1 (abs1 x) ->
+ t'isFinite1 x /\ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))).
+
+Axiom abs_universal1 : forall (x:t1), ~ is_negative1 (abs1 x).
+
+Axiom fma_finite1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 x -> t'isFinite1 y ->
+ t'isFinite1 z ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ t'isFinite1 (fma1 m x y z) /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom fma_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 (fma1 m x y z) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z.
+
+Axiom fma_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), to_nearest m ->
+ t'isFinite1 (fma1 m x y z) ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom sqrt_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> (0%R <= (t'real1 x))%R ->
+ t'isFinite1 (sqrt1 m x) /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+Axiom sqrt_finite_rev1 :
+ forall (m:mode) (x:t1), t'isFinite1 (sqrt1 m x) ->
+ t'isFinite1 x /\
+ (0%R <= (t'real1 x))%R /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real1 (x:t1) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive1 x /\ (0%R < r)%R \/ is_negative1 x /\ (r < 0%R)%R.
+
+Axiom add_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := add1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ same_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) + (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (same_sign1 x y -> same_sign1 r x) /\
+ (~ same_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom sub_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := sub1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ diff_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) - (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (diff_sign1 x y -> same_sign1 r x) /\
+ (~ diff_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom mul_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := mul1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_infinite1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom div_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := div1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_zero1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ ~ is_zero1 y /\ ~ no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ is_zero1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_zero1 x /\ is_zero1 y -> is_nan1 r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom neg_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (neg1 x)) /\
+ (is_infinite1 x -> is_infinite1 (neg1 x)) /\
+ (~ is_nan1 x -> diff_sign1 x (neg1 x)).
+
+Axiom abs_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (abs1 x)) /\
+ (is_infinite1 x -> is_infinite1 (abs1 x)) /\
+ (~ is_nan1 x -> is_positive1 (abs1 x)).
+
+Axiom fma_special1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1),
+ let r := fma1 m x y z in
+ (is_nan1 x \/ is_nan1 y \/ is_nan1 z -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ is_infinite1 z ->
+ is_infinite1 r /\ same_sign1 r z) /\
+ (is_infinite1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ t'isFinite1 z /\
+ ~ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ same_sign_real1 r (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z ->
+ (product_sign1 z x y -> same_sign1 r z) /\
+ (~ product_sign1 z x y ->
+ ((((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R = 0%R) ->
+ ((m = RTN) -> is_negative1 r) /\ (~ (m = RTN) -> is_positive1 r))).
+
+Axiom sqrt_special1 :
+ forall (m:mode) (x:t1),
+ let r := sqrt1 m x in
+ (is_nan1 x -> is_nan1 r) /\
+ (is_plus_infinity1 x -> is_plus_infinity1 r) /\
+ (is_minus_infinity1 x -> is_nan1 r) /\
+ (t'isFinite1 x /\ ((t'real1 x) < 0%R)%R -> is_nan1 r) /\
+ (is_zero1 x -> same_sign1 r x) /\
+ (t'isFinite1 x /\ (0%R < (t'real1 x))%R -> is_positive1 r).
+
+Axiom of_int_add_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i + j)%Z ->
+ eq1 (of_int1 m (i + j)%Z) (add1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_sub_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i - j)%Z ->
+ eq1 (of_int1 m (i - j)%Z) (sub1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_mul_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i * j)%Z ->
+ eq1 (of_int1 m (i * j)%Z) (mul1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom Min_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (min1 x y) y.
+
+Axiom Min_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (min1 x y) x.
+
+Axiom Max_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (max1 x y) x.
+
+Axiom Max_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (max1 x y) y.
+
+Parameter is_int1: t1 -> Prop.
+
+Axiom zeroF_is_int1 : is_int1 zeroF1.
+
+Axiom of_int_is_int1 :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range1 x ->
+ is_int1 (of_int1 m x).
+
+Axiom big_float_is_int1 :
+ forall (m:mode) (i:t1), t'isFinite1 i ->
+ le1 i (neg1 (of_int1 m 9007199254740992%Z)) \/
+ le1 (of_int1 m 9007199254740992%Z) i -> is_int1 i.
+
+Axiom roundToIntegral_is_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> is_int1 (roundToIntegral1 m x).
+
+Axiom eq_is_int1 : forall (x:t1) (y:t1), eq1 x y -> is_int1 x -> is_int1 y.
+
+Axiom add_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (add1 m x y) -> is_int1 (add1 m x y).
+
+Axiom sub_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (sub1 m x y) -> is_int1 (sub1 m x y).
+
+Axiom mul_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (mul1 m x y) -> is_int1 (mul1 m x y).
+
+Axiom fma_int1 :
+ forall (x:t1) (y:t1) (z:t1) (m:mode), is_int1 x -> is_int1 y ->
+ is_int1 z -> t'isFinite1 (fma1 m x y z) -> is_int1 (fma1 m x y z).
+
+Axiom neg_int1 : forall (x:t1), is_int1 x -> is_int1 (neg1 x).
+
+Axiom abs_int1 : forall (x:t1), is_int1 x -> is_int1 (abs1 x).
+
+Axiom is_int_of_int1 :
+ forall (x:t1) (m:mode) (m':mode), is_int1 x ->
+ eq1 x (of_int1 m' (to_int1 m x)).
+
+Axiom is_int_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x -> in_int_range1 (to_int1 m x).
+
+Axiom is_int_is_finite1 : forall (x:t1), is_int1 x -> t'isFinite1 x.
+
+Axiom int_to_real1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((t'real1 x) = (BuiltIn.IZR (to_int1 m x))).
+
+Axiom truncate_int1 :
+ forall (m:mode) (i:t1), is_int1 i -> eq1 (roundToIntegral1 m i) i.
+
+Axiom truncate_neg1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTP x)).
+
+Axiom truncate_pos1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTN x)).
+
+Axiom ceil_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 x (roundToIntegral1 RTP x).
+
+Axiom ceil_lest1 :
+ forall (x:t1) (y:t1), le1 x y /\ is_int1 y ->
+ le1 (roundToIntegral1 RTP x) y.
+
+Axiom ceil_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTP x)) = (BuiltIn.IZR (ceil (t'real1 x)))).
+
+Axiom ceil_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTP x)) = (ceil (t'real1 x))).
+
+Axiom floor_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 (roundToIntegral1 RTN x) x.
+
+Axiom floor_lest1 :
+ forall (x:t1) (y:t1), le1 y x /\ is_int1 y ->
+ le1 y (roundToIntegral1 RTN x).
+
+Axiom floor_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTN x)) = (BuiltIn.IZR (floor (t'real1 x)))).
+
+Axiom floor_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTN x)) = (floor (t'real1 x))).
+
+Axiom RNA_down1 :
+ forall (x:t1),
+ lt1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up1 :
+ forall (x:t1),
+ lt1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom RNA_down_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) -> is_negative1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) -> is_positive1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom to_int_roundToIntegral1 :
+ forall (m:mode) (x:t1),
+ ((to_int1 m x) = (to_int1 m (roundToIntegral1 m x))).
+
+Axiom to_int_monotonic1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> le1 x y ->
+ ((to_int1 m x) <= (to_int1 m y))%Z.
+
+Axiom to_int_of_int1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((to_int1 m (of_int1 m i)) = i).
+
+Axiom eq_to_int1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> eq1 x y ->
+ ((to_int1 m x) = (to_int1 m y)).
+
+Axiom neg_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((to_int1 m (neg1 x)) = (-(to_int1 m x))%Z).
+
+Axiom roundToIntegral_is_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> t'isFinite1 (roundToIntegral1 m x).
+
+Axiom round_bound_ne1 :
+ forall (x:Reals.Rdefinitions.R), no_overflow1 RNE x ->
+ (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
+ <= (round1 RNE x))%R /\
+ ((round1 RNE x) <=
+ ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
+
+Axiom round_bound1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow1 m x ->
+ (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
+ <= (round1 m x))%R /\
+ ((round1 m x) <=
+ ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
+
+Parameter to_float64: mode -> t -> t1.
+
+Parameter to_float32: mode -> t1 -> t.
+
+Axiom round_double_single :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round m2 x)) = (round m2 x)).
+
+Axiom to_float64_exact :
+ forall (m:mode) (x:t), t'isFinite x ->
+ t'isFinite1 (to_float64 m x) /\ ((t'real1 (to_float64 m x)) = (t'real x)).
+
+Axiom to_float32_conv :
+ forall (m:mode) (x:t1), t'isFinite1 x -> no_overflow m (t'real1 x) ->
+ t'isFinite (to_float32 m x) /\
+ ((t'real (to_float32 m x)) = (round m (t'real1 x))).
+
+(* Why3 assumption *)
+Definition f32 := t.
+
+(* Why3 assumption *)
+Definition f64 := t1.
+
+Parameter to_f32: Reals.Rdefinitions.R -> t.
+
+Parameter to_f64: Reals.Rdefinitions.R -> t1.
+
+Axiom to_float_is_finite_32 :
+ forall (f:t), t'isFinite f -> eq (to_f32 (t'real f)) f.
+
+Axiom to_f32_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range x ->
+ ((t'real (to_f32 x)) = (round RNE x)).
+
+Axiom to_f32_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range x -> t'isFinite (to_f32 x).
+
+Axiom to_f32_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x < (-(33554430 * 10141204801825835211973625643008)%R)%R)%R ->
+ is_minus_infinity (to_f32 x).
+
+Axiom to_f32_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((33554430 * 10141204801825835211973625643008)%R < x)%R ->
+ is_plus_infinity (to_f32 x).
+
+Axiom to_float_is_finite_64 :
+ forall (f:t1), t'isFinite1 f -> eq1 (to_f64 (t'real1 f)) f.
+
+Axiom to_f64_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range1 x ->
+ ((t'real1 (to_f64 x)) = (round1 RNE x)).
+
+Axiom to_f64_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range1 x -> t'isFinite1 (to_f64 x).
+
+Axiom to_f64_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x <
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R)%R ->
+ is_minus_infinity1 (to_f64 x).
+
+Axiom to_f64_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ < x)%R ->
+ is_plus_infinity1 (to_f64 x).
+
+(* Why3 assumption *)
+Definition round_float (m:mode) (r:Reals.Rdefinitions.R) : t :=
+ to_f32 (round m r).
+
+(* Why3 assumption *)
+Definition round_double (m:mode) (r:Reals.Rdefinitions.R) : t1 :=
+ to_f64 (round1 m r).
+
+Axiom is_zero_to_f32_zero : is_zero (to_f32 0%R).
+
+Axiom is_zero_to_f64_zero : is_zero1 (to_f64 0%R).
+
+Axiom real_0_is_zero_f32 : forall (f:t), (0%R = (t'real f)) -> is_zero f.
+
+Axiom real_0_is_zero_f64 : forall (f:t1), (0%R = (t'real1 f)) -> is_zero1 f.
+
+Axiom f32_to_f64 : forall (f:t), ((to_f64 (t'real f)) = (to_float64 RNE f)).
+
+Axiom f64_to_f32 :
+ forall (f:t1), ((to_f32 (t'real1 f)) = (to_float32 RNE f)).
+
+(* Why3 assumption *)
+Definition finite (x:Reals.Rdefinitions.R) : Prop :=
+ t'isFinite (to_f32 x) /\ t'isFinite1 (to_f64 x).
+
+Parameter eq_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom eq_f32b'def :
+ forall (x:t) (y:t),
+ (eq x y -> ((eq_f32b x y) = Init.Datatypes.true)) /\
+ (~ eq x y -> ((eq_f32b x y) = Init.Datatypes.false)).
+
+Parameter eq_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom eq_f64b'def :
+ forall (x:t1) (y:t1),
+ (eq1 x y -> ((eq_f64b x y) = Init.Datatypes.true)) /\
+ (~ eq1 x y -> ((eq_f64b x y) = Init.Datatypes.false)).
+
+(* Why3 assumption *)
+Definition ne_f32 (x:t) (y:t) : Prop := ~ eq x y.
+
+(* Why3 assumption *)
+Definition ne_f64 (x:t1) (y:t1) : Prop := ~ eq1 x y.
+
+Parameter ne_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom ne_f32b'def :
+ forall (x:t) (y:t),
+ (ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.true)) /\
+ (~ ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.false)).
+
+Parameter ne_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom ne_f64b'def :
+ forall (x:t1) (y:t1),
+ (ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.true)) /\
+ (~ ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.false)).
+
+Parameter le_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom le_f32b'def :
+ forall (x:t) (y:t),
+ (le x y -> ((le_f32b x y) = Init.Datatypes.true)) /\
+ (~ le x y -> ((le_f32b x y) = Init.Datatypes.false)).
+
+Parameter le_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom le_f64b'def :
+ forall (x:t1) (y:t1),
+ (le1 x y -> ((le_f64b x y) = Init.Datatypes.true)) /\
+ (~ le1 x y -> ((le_f64b x y) = Init.Datatypes.false)).
+
+Parameter lt_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom lt_f32b'def :
+ forall (x:t) (y:t),
+ (lt x y -> ((lt_f32b x y) = Init.Datatypes.true)) /\
+ (~ lt x y -> ((lt_f32b x y) = Init.Datatypes.false)).
+
+Parameter lt_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom lt_f64b'def :
+ forall (x:t1) (y:t1),
+ (lt1 x y -> ((lt_f64b x y) = Init.Datatypes.true)) /\
+ (~ lt1 x y -> ((lt_f64b x y) = Init.Datatypes.false)).
+
+Parameter model_f32: t -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f32 (f:t) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real f) - (model_f32 f))%R.
+
+(* Why3 assumption *)
+Definition error_f32 (f:t) : Reals.Rdefinitions.R :=
+ ((delta_f32 f) / (Reals.Rbasic_fun.Rabs (model_f32 f)))%R.
+
+Parameter model_f64: t1 -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f64 (f:t1) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real1 f) - (model_f64 f))%R.
+
+(* Why3 assumption *)
+Definition error_f64 (f:t1) : Reals.Rdefinitions.R :=
+ ((delta_f64 f) / (Reals.Rbasic_fun.Rabs (model_f64 f)))%R.
+
+Axiom Q_NaN_not_finite : forall (x:t1), ~ t'isFinite1 x \/ ~ is_nan1 x.
+
+(* Why3 goal *)
+Theorem wp_goal : forall (f:t1), ~ t'isFinite1 f \/ ~ is_plus_infinity1 f.
+Proof.
+ admit.
+Admitted.
+
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_NaN_not_finite.v b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_NaN_not_finite.v
new file mode 100644
index 0000000000000000000000000000000000000000..a86828893bd332312c7da8814d7a4d82552eae36
--- /dev/null
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/classify_float.1.session/interactive/lemma_NaN_not_finite.v
@@ -0,0 +1,1763 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require Reals.Rbasic_fun.
+Require Reals.R_sqrt.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.Abs.
+Require real.FromInt.
+Require real.Square.
+Require map.Map.
+Require bv.Pow2int.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+Axiom abs_def :
+ forall (x:Numbers.BinNums.Z),
+ ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
+ (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
+
+Axiom sqrt_lin1 :
+ forall (x:Reals.Rdefinitions.R), (1%R < x)%R ->
+ ((Reals.R_sqrt.sqrt x) < x)%R.
+
+Axiom sqrt_lin0 :
+ forall (x:Reals.Rdefinitions.R), (0%R < x)%R /\ (x < 1%R)%R ->
+ (x < (Reals.R_sqrt.sqrt x))%R.
+
+Axiom sqrt_0 : ((Reals.R_sqrt.sqrt 0%R) = 0%R).
+
+Axiom sqrt_1 : ((Reals.R_sqrt.sqrt 1%R) = 1%R).
+
+(* Why3 assumption *)
+Inductive mode :=
+ | RNE : mode
+ | RNA : mode
+ | RTP : mode
+ | RTN : mode
+ | RTZ : mode.
+Axiom mode_WhyType : WhyType mode.
+Existing Instance mode_WhyType.
+
+(* Why3 assumption *)
+Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).
+
+Axiom t : Type.
+Parameter t_WhyType : WhyType t.
+Existing Instance t_WhyType.
+
+Parameter t'real: t -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite: t -> Prop.
+
+Axiom t'axiom :
+ forall (x:t), t'isFinite x ->
+ ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
+ ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
+
+Parameter truncate: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Truncate_int :
+ forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
+
+Axiom Truncate_down_pos :
+ forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
+ ((BuiltIn.IZR (truncate x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
+
+Axiom Truncate_up_neg :
+ forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
+ ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
+ (x <= (BuiltIn.IZR (truncate x)))%R.
+
+Axiom Real_of_truncate :
+ forall (x:Reals.Rdefinitions.R),
+ ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
+ ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
+
+Axiom Truncate_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((truncate x) <= (truncate y))%Z.
+
+Axiom Truncate_monotonic_int1 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
+
+Axiom Truncate_monotonic_int2 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
+
+Parameter floor: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Parameter ceil: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Floor_int :
+ forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
+
+Axiom Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
+
+Axiom Floor_down :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR (floor x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
+
+Axiom Ceil_up :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
+
+Axiom Floor_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((floor x) <= (floor y))%Z.
+
+Axiom Ceil_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((ceil x) <= (ceil y))%Z.
+
+Parameter zeroF: t.
+
+Parameter add: mode -> t -> t -> t.
+
+Parameter sub: mode -> t -> t -> t.
+
+Parameter mul: mode -> t -> t -> t.
+
+Parameter div: mode -> t -> t -> t.
+
+Parameter abs: t -> t.
+
+Parameter neg: t -> t.
+
+Parameter fma: mode -> t -> t -> t -> t.
+
+Parameter sqrt: mode -> t -> t.
+
+Parameter roundToIntegral: mode -> t -> t.
+
+Parameter min: t -> t -> t.
+
+Parameter max: t -> t -> t.
+
+Parameter le: t -> t -> Prop.
+
+Parameter lt: t -> t -> Prop.
+
+Parameter eq: t -> t -> Prop.
+
+Parameter is_normal: t -> Prop.
+
+Parameter is_subnormal: t -> Prop.
+
+Parameter is_zero: t -> Prop.
+
+Parameter is_infinite: t -> Prop.
+
+Parameter is_nan: t -> Prop.
+
+Parameter is_positive: t -> Prop.
+
+Parameter is_negative: t -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.
+
+Axiom is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
+
+Axiom is_not_finite :
+ forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
+
+Axiom zeroF_is_positive : is_positive zeroF.
+
+Axiom zeroF_is_zero : is_zero zeroF.
+
+Axiom zero_to_real :
+ forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
+
+Parameter of_int: mode -> Numbers.BinNums.Z -> t.
+
+Parameter to_int: mode -> t -> Numbers.BinNums.Z.
+
+Axiom zero_of_int : forall (m:mode), (zeroF = (of_int m 0%Z)).
+
+Parameter round: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int: Numbers.BinNums.Z.
+
+Axiom max_real_int :
+ ((33554430 * 10141204801825835211973625643008)%R = (BuiltIn.IZR max_int)).
+
+(* Why3 assumption *)
+Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(33554430 * 10141204801825835211973625643008)%R)%R <= x)%R /\
+ (x <= (33554430 * 10141204801825835211973625643008)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.
+
+Axiom is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
+
+(* Why3 assumption *)
+Definition no_overflow (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range (round m x).
+
+Axiom Bounded_real_no_overflow :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range x -> no_overflow m x.
+
+Axiom Round_monotonic :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round m x) <= (round m y))%R.
+
+Axiom Round_idempotent :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round m1 (round m2 x)) = (round m2 x)).
+
+Axiom Round_to_real :
+ forall (m:mode) (x:t), t'isFinite x -> ((round m (t'real x)) = (t'real x)).
+
+Axiom Round_down_le :
+ forall (x:Reals.Rdefinitions.R), ((round RTN x) <= x)%R.
+
+Axiom Round_up_ge : forall (x:Reals.Rdefinitions.R), (x <= (round RTP x))%R.
+
+Axiom Round_down_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTN (-x)%R) = (-(round RTP x))%R).
+
+Axiom Round_up_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTP (-x)%R) = (-(round RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.
+
+Axiom Exact_rounding_for_integers :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.
+
+(* Why3 assumption *)
+Definition diff_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.
+
+Axiom feq_eq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
+ eq x y -> (x = y).
+
+Axiom eq_feq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
+
+Axiom eq_refl : forall (x:t), t'isFinite x -> eq x x.
+
+Axiom eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
+
+Axiom eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
+
+Axiom eq_zero : eq zeroF (neg zeroF).
+
+Axiom eq_to_real_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ eq x y <-> ((t'real x) = (t'real y)).
+
+Axiom eq_special :
+ forall (x:t) (y:t), eq x y ->
+ is_not_nan x /\
+ is_not_nan y /\
+ (t'isFinite x /\ t'isFinite y \/
+ is_infinite x /\ is_infinite y /\ same_sign x y).
+
+Axiom lt_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ lt x y <-> ((t'real x) < (t'real y))%R.
+
+Axiom le_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ le x y <-> ((t'real x) <= (t'real y))%R.
+
+Axiom le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
+
+Axiom lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
+
+Axiom le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
+
+Axiom not_lt_ge :
+ forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
+
+Axiom not_gt_le :
+ forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
+
+Axiom le_special :
+ forall (x:t) (y:t), le x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
+
+Axiom lt_special :
+ forall (x:t) (y:t), lt x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
+ is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
+
+Axiom lt_lt_finite :
+ forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
+
+Axiom positive_to_real :
+ forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
+
+Axiom to_real_positive :
+ forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
+
+Axiom negative_to_real :
+ forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
+
+Axiom to_real_negative :
+ forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
+
+Axiom negative_xor_positive :
+ forall (x:t), ~ (is_positive x /\ is_negative x).
+
+Axiom negative_or_positive :
+ forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
+
+Axiom diff_sign_trans :
+ forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
+
+Axiom diff_sign_product :
+ forall (x:t) (y:t),
+ t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
+ diff_sign x y.
+
+Axiom same_sign_product :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
+ (0%R <= ((t'real x) * (t'real y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign (z:t) (x:t) (y:t) : Prop :=
+ (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).
+
+(* Why3 assumption *)
+Definition overflow_value (m:mode) (x:t) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x -> is_infinite x)
+ | RTP =>
+ (is_positive x -> is_infinite x) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RTZ =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RNA|RNE => is_infinite x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result (m:mode) (x:t) : Prop :=
+ is_zero x -> match m with
+ | RTN => is_negative x
+ | _ => is_positive x
+ end.
+
+Axiom add_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) + (t'real y))%R ->
+ t'isFinite (add m x y) /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom add_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (add m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom add_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (add m x y) ->
+ no_overflow m ((t'real x) + (t'real y))%R /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom sub_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) - (t'real y))%R ->
+ t'isFinite (sub m x y) /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom sub_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (sub m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom sub_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (sub m x y) ->
+ no_overflow m ((t'real x) - (t'real y))%R /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom mul_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) * (t'real y))%R ->
+ t'isFinite (mul m x y) /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom mul_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (mul m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom mul_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (mul m x y) ->
+ no_overflow m ((t'real x) * (t'real y))%R /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom div_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero y ->
+ no_overflow m ((t'real x) / (t'real y))%R ->
+ t'isFinite (div m x y) /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom div_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (div m x y) ->
+ t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
+ t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
+
+Axiom div_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (div m x y) ->
+ t'isFinite y ->
+ no_overflow m ((t'real x) / (t'real y))%R /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom neg_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom neg_finite_rev :
+ forall (x:t), t'isFinite (neg x) ->
+ t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom abs_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (abs x) /\
+ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
+ is_positive (abs x).
+
+Axiom abs_finite_rev :
+ forall (x:t), t'isFinite (abs x) ->
+ t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
+
+Axiom abs_universal : forall (x:t), ~ is_negative (abs x).
+
+Axiom fma_finite :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite x -> t'isFinite y ->
+ t'isFinite z ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ t'isFinite (fma m x y z) /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom fma_finite_rev :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite (fma m x y z) ->
+ t'isFinite x /\ t'isFinite y /\ t'isFinite z.
+
+Axiom fma_finite_rev_n :
+ forall (m:mode) (x:t) (y:t) (z:t), to_nearest m ->
+ t'isFinite (fma m x y z) ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom sqrt_finite :
+ forall (m:mode) (x:t), t'isFinite x -> (0%R <= (t'real x))%R ->
+ t'isFinite (sqrt m x) /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+Axiom sqrt_finite_rev :
+ forall (m:mode) (x:t), t'isFinite (sqrt m x) ->
+ t'isFinite x /\
+ (0%R <= (t'real x))%R /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.
+
+Axiom add_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := add m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
+ same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (same_sign x y -> same_sign r x) /\
+ (~ same_sign x y -> sign_zero_result m r)).
+
+Axiom sub_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := sub m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
+ same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (diff_sign x y -> same_sign r x) /\
+ (~ diff_sign x y -> sign_zero_result m r)).
+
+Axiom mul_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := mul m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_infinite r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
+ overflow_value m r) /\
+ (~ is_nan r -> product_sign r x y).
+
+Axiom div_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := div m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_zero r) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
+ overflow_value m r) /\
+ (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
+ (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
+
+Axiom neg_special :
+ forall (x:t),
+ (is_nan x -> is_nan (neg x)) /\
+ (is_infinite x -> is_infinite (neg x)) /\
+ (~ is_nan x -> diff_sign x (neg x)).
+
+Axiom abs_special :
+ forall (x:t),
+ (is_nan x -> is_nan (abs x)) /\
+ (is_infinite x -> is_infinite (abs x)) /\
+ (~ is_nan x -> is_positive (abs x)).
+
+Axiom fma_special :
+ forall (m:mode) (x:t) (y:t) (z:t),
+ let r := fma m x y z in
+ (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
+ is_infinite r /\ same_sign r z) /\
+ (is_infinite x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (t'isFinite x /\
+ t'isFinite y /\
+ t'isFinite z /\
+ ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
+ (product_sign z x y -> same_sign r z) /\
+ (~ product_sign z x y ->
+ ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
+ ((m = RTN) -> is_negative r) /\ (~ (m = RTN) -> is_positive r))).
+
+Axiom sqrt_special :
+ forall (m:mode) (x:t),
+ let r := sqrt m x in
+ (is_nan x -> is_nan r) /\
+ (is_plus_infinity x -> is_plus_infinity r) /\
+ (is_minus_infinity x -> is_nan r) /\
+ (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
+ (is_zero x -> same_sign r x) /\
+ (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
+
+Axiom of_int_add_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i + j)%Z ->
+ eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
+
+Axiom of_int_sub_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i - j)%Z ->
+ eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
+
+Axiom of_int_mul_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i * j)%Z ->
+ eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
+
+Axiom Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
+
+Axiom Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
+
+Axiom Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
+
+Axiom Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
+
+Parameter is_int: t -> Prop.
+
+Axiom zeroF_is_int : is_int zeroF.
+
+Axiom of_int_is_int :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range x ->
+ is_int (of_int m x).
+
+Axiom big_float_is_int :
+ forall (m:mode) (i:t), t'isFinite i ->
+ le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
+
+Axiom roundToIntegral_is_int :
+ forall (m:mode) (x:t), t'isFinite x -> is_int (roundToIntegral m x).
+
+Axiom eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
+
+Axiom add_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (add m x y) -> is_int (add m x y).
+
+Axiom sub_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (sub m x y) -> is_int (sub m x y).
+
+Axiom mul_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (mul m x y) -> is_int (mul m x y).
+
+Axiom fma_int :
+ forall (x:t) (y:t) (z:t) (m:mode), is_int x -> is_int y -> is_int z ->
+ t'isFinite (fma m x y z) -> is_int (fma m x y z).
+
+Axiom neg_int : forall (x:t), is_int x -> is_int (neg x).
+
+Axiom abs_int : forall (x:t), is_int x -> is_int (abs x).
+
+Axiom is_int_of_int :
+ forall (x:t) (m:mode) (m':mode), is_int x -> eq x (of_int m' (to_int m x)).
+
+Axiom is_int_to_int :
+ forall (m:mode) (x:t), is_int x -> in_int_range (to_int m x).
+
+Axiom is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
+
+Axiom int_to_real :
+ forall (m:mode) (x:t), is_int x ->
+ ((t'real x) = (BuiltIn.IZR (to_int m x))).
+
+Axiom truncate_int :
+ forall (m:mode) (i:t), is_int i -> eq (roundToIntegral m i) i.
+
+Axiom truncate_neg :
+ forall (x:t), t'isFinite x -> is_negative x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTP x)).
+
+Axiom truncate_pos :
+ forall (x:t), t'isFinite x -> is_positive x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTN x)).
+
+Axiom ceil_le : forall (x:t), t'isFinite x -> le x (roundToIntegral RTP x).
+
+Axiom ceil_lest :
+ forall (x:t) (y:t), le x y /\ is_int y -> le (roundToIntegral RTP x) y.
+
+Axiom ceil_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTP x)) = (BuiltIn.IZR (ceil (t'real x)))).
+
+Axiom ceil_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTP x)) = (ceil (t'real x))).
+
+Axiom floor_le : forall (x:t), t'isFinite x -> le (roundToIntegral RTN x) x.
+
+Axiom floor_lest :
+ forall (x:t) (y:t), le y x /\ is_int y -> le y (roundToIntegral RTN x).
+
+Axiom floor_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTN x)) = (BuiltIn.IZR (floor (t'real x)))).
+
+Axiom floor_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTN x)) = (floor (t'real x))).
+
+Axiom RNA_down :
+ forall (x:t),
+ lt (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up :
+ forall (x:t),
+ lt (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom RNA_down_tie :
+ forall (x:t),
+ eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ is_negative x -> ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up_tie :
+ forall (x:t),
+ eq (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ is_positive x -> ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom to_int_roundToIntegral :
+ forall (m:mode) (x:t), ((to_int m x) = (to_int m (roundToIntegral m x))).
+
+Axiom to_int_monotonic :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> le x y ->
+ ((to_int m x) <= (to_int m y))%Z.
+
+Axiom to_int_of_int :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((to_int m (of_int m i)) = i).
+
+Axiom eq_to_int :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> eq x y ->
+ ((to_int m x) = (to_int m y)).
+
+Axiom neg_to_int :
+ forall (m:mode) (x:t), is_int x -> ((to_int m (neg x)) = (-(to_int m x))%Z).
+
+Axiom roundToIntegral_is_finite :
+ forall (m:mode) (x:t), t'isFinite x -> t'isFinite (roundToIntegral m x).
+
+Axiom round_bound_ne :
+ forall (x:Reals.Rdefinitions.R), no_overflow RNE x ->
+ (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R
+ <= (round RNE x))%R /\
+ ((round RNE x) <=
+ ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
+
+Axiom round_bound :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow m x ->
+ (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 713623846352979940529142984724747568191373312)%R)%R
+ <= (round m x))%R /\
+ ((round m x) <=
+ ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
+
+Axiom t1 : Type.
+Parameter t1_WhyType : WhyType t1.
+Existing Instance t1_WhyType.
+
+Parameter t'real1: t1 -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite1: t1 -> Prop.
+
+Axiom t'axiom1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
+ <= (t'real1 x))%R /\
+ ((t'real1 x) <=
+ 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
+
+Parameter zeroF1: t1.
+
+Parameter add1: mode -> t1 -> t1 -> t1.
+
+Parameter sub1: mode -> t1 -> t1 -> t1.
+
+Parameter mul1: mode -> t1 -> t1 -> t1.
+
+Parameter div1: mode -> t1 -> t1 -> t1.
+
+Parameter abs1: t1 -> t1.
+
+Parameter neg1: t1 -> t1.
+
+Parameter fma1: mode -> t1 -> t1 -> t1 -> t1.
+
+Parameter sqrt1: mode -> t1 -> t1.
+
+Parameter roundToIntegral1: mode -> t1 -> t1.
+
+Parameter min1: t1 -> t1 -> t1.
+
+Parameter max1: t1 -> t1 -> t1.
+
+Parameter le1: t1 -> t1 -> Prop.
+
+Parameter lt1: t1 -> t1 -> Prop.
+
+Parameter eq1: t1 -> t1 -> Prop.
+
+Parameter is_normal1: t1 -> Prop.
+
+Parameter is_subnormal1: t1 -> Prop.
+
+Parameter is_zero1: t1 -> Prop.
+
+Parameter is_infinite1: t1 -> Prop.
+
+Parameter is_nan1: t1 -> Prop.
+
+Parameter is_positive1: t1 -> Prop.
+
+Parameter is_negative1: t1 -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_plus_zero1 (x:t1) : Prop := is_zero1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_zero1 (x:t1) : Prop := is_zero1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_not_nan2 (x:t1) : Prop := t'isFinite1 x \/ is_infinite1 x.
+
+Axiom is_not_nan3 : forall (x:t1), is_not_nan2 x <-> ~ is_nan1 x.
+
+Axiom is_not_finite1 :
+ forall (x:t1), ~ t'isFinite1 x <-> is_infinite1 x \/ is_nan1 x.
+
+Axiom zeroF_is_positive1 : is_positive1 zeroF1.
+
+Axiom zeroF_is_zero1 : is_zero1 zeroF1.
+
+Axiom zero_to_real1 :
+ forall (x:t1), is_zero1 x <-> t'isFinite1 x /\ ((t'real1 x) = 0%R).
+
+Parameter of_int1: mode -> Numbers.BinNums.Z -> t1.
+
+Parameter to_int1: mode -> t1 -> Numbers.BinNums.Z.
+
+Axiom zero_of_int1 : forall (m:mode), (zeroF1 = (of_int1 m 0%Z)).
+
+Parameter round1: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int1: Numbers.BinNums.Z.
+
+Axiom max_real_int1 :
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ = (BuiltIn.IZR max_int1)).
+
+(* Why3 assumption *)
+Definition in_range1 (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R
+ <= x)%R /\
+ (x <=
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int1)%Z <= i)%Z /\ (i <= max_int1)%Z.
+
+Axiom is_finite1 : forall (x:t1), t'isFinite1 x -> in_range1 (t'real1 x).
+
+(* Why3 assumption *)
+Definition no_overflow1 (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range1 (round1 m x).
+
+Axiom Bounded_real_no_overflow1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range1 x -> no_overflow1 m x.
+
+Axiom Round_monotonic1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round1 m x) <= (round1 m y))%R.
+
+Axiom Round_idempotent1 :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round1 m2 x)) = (round1 m2 x)).
+
+Axiom Round_to_real1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((round1 m (t'real1 x)) = (t'real1 x)).
+
+Axiom Round_down_le1 :
+ forall (x:Reals.Rdefinitions.R), ((round1 RTN x) <= x)%R.
+
+Axiom Round_up_ge1 :
+ forall (x:Reals.Rdefinitions.R), (x <= (round1 RTP x))%R.
+
+Axiom Round_down_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTN (-x)%R) = (-(round1 RTP x))%R).
+
+Axiom Round_up_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTP (-x)%R) = (-(round1 RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.
+
+Axiom Exact_rounding_for_integers1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((round1 m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_positive1 y \/ is_negative1 x /\ is_negative1 y.
+
+(* Why3 assumption *)
+Definition diff_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_negative1 y \/ is_negative1 x /\ is_positive1 y.
+
+Axiom feq_eq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> ~ is_zero1 x ->
+ eq1 x y -> (x = y).
+
+Axiom eq_feq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> (x = y) -> eq1 x y.
+
+Axiom eq_refl1 : forall (x:t1), t'isFinite1 x -> eq1 x x.
+
+Axiom eq_sym1 : forall (x:t1) (y:t1), eq1 x y -> eq1 y x.
+
+Axiom eq_trans1 : forall (x:t1) (y:t1) (z:t1), eq1 x y -> eq1 y z -> eq1 x z.
+
+Axiom eq_zero1 : eq1 zeroF1 (neg1 zeroF1).
+
+Axiom eq_to_real_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ eq1 x y <-> ((t'real1 x) = (t'real1 y)).
+
+Axiom eq_special1 :
+ forall (x:t1) (y:t1), eq1 x y ->
+ is_not_nan2 x /\
+ is_not_nan2 y /\
+ (t'isFinite1 x /\ t'isFinite1 y \/
+ is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y).
+
+Axiom lt_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ lt1 x y <-> ((t'real1 x) < (t'real1 y))%R.
+
+Axiom le_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ le1 x y <-> ((t'real1 x) <= (t'real1 y))%R.
+
+Axiom le_lt_trans1 :
+ forall (x:t1) (y:t1) (z:t1), le1 x y /\ lt1 y z -> lt1 x z.
+
+Axiom lt_le_trans1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y /\ le1 y z -> lt1 x z.
+
+Axiom le_ge_asym1 : forall (x:t1) (y:t1), le1 x y /\ le1 y x -> eq1 x y.
+
+Axiom not_lt_ge1 :
+ forall (x:t1) (y:t1), ~ lt1 x y /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 y x.
+
+Axiom not_gt_le1 :
+ forall (x:t1) (y:t1), ~ lt1 y x /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 x y.
+
+Axiom le_special1 :
+ forall (x:t1) (y:t1), le1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y \/
+ is_not_nan2 x /\ is_plus_infinity1 y.
+
+Axiom lt_special1 :
+ forall (x:t1) (y:t1), lt1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y /\ ~ is_minus_infinity1 y \/
+ is_not_nan2 x /\ ~ is_plus_infinity1 x /\ is_plus_infinity1 y.
+
+Axiom lt_lt_finite1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y -> lt1 y z -> t'isFinite1 y.
+
+Axiom positive_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x -> (0%R <= (t'real1 x))%R.
+
+Axiom to_real_positive1 :
+ forall (x:t1), t'isFinite1 x -> (0%R < (t'real1 x))%R -> is_positive1 x.
+
+Axiom negative_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x -> ((t'real1 x) <= 0%R)%R.
+
+Axiom to_real_negative1 :
+ forall (x:t1), t'isFinite1 x -> ((t'real1 x) < 0%R)%R -> is_negative1 x.
+
+Axiom negative_xor_positive1 :
+ forall (x:t1), ~ (is_positive1 x /\ is_negative1 x).
+
+Axiom negative_or_positive1 :
+ forall (x:t1), is_not_nan2 x -> is_positive1 x \/ is_negative1 x.
+
+Axiom diff_sign_trans1 :
+ forall (x:t1) (y:t1) (z:t1), diff_sign1 x y /\ diff_sign1 y z ->
+ same_sign1 x z.
+
+Axiom diff_sign_product1 :
+ forall (x:t1) (y:t1),
+ t'isFinite1 x /\ t'isFinite1 y /\ (((t'real1 x) * (t'real1 y))%R < 0%R)%R ->
+ diff_sign1 x y.
+
+Axiom same_sign_product1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y /\ same_sign1 x y ->
+ (0%R <= ((t'real1 x) * (t'real1 y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign1 (z:t1) (x:t1) (y:t1) : Prop :=
+ (same_sign1 x y -> is_positive1 z) /\ (diff_sign1 x y -> is_negative1 z).
+
+(* Why3 assumption *)
+Definition overflow_value1 (m:mode) (x:t1) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x -> is_infinite1 x)
+ | RTP =>
+ (is_positive1 x -> is_infinite1 x) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RTZ =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RNA|RNE => is_infinite1 x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result1 (m:mode) (x:t1) : Prop :=
+ is_zero1 x -> match m with
+ | RTN => is_negative1 x
+ | _ => is_positive1 x
+ end.
+
+Axiom add_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ t'isFinite1 (add1 m x y) /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom add_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (add1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom add_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (add1 m x y) ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom sub_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ t'isFinite1 (sub1 m x y) /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom sub_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (sub1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom sub_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (sub1 m x y) ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom mul_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ t'isFinite1 (mul1 m x y) /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom mul_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (mul1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom mul_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (mul1 m x y) ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom div_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ ~ is_zero1 y -> no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ t'isFinite1 (div1 m x y) /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom div_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (div1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y \/
+ t'isFinite1 x /\ is_infinite1 y /\ ((t'real1 (div1 m x y)) = 0%R).
+
+Axiom div_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (div1 m x y) ->
+ t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) / (t'real1 y))%R /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom neg_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (neg1 x) /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom neg_finite_rev1 :
+ forall (x:t1), t'isFinite1 (neg1 x) ->
+ t'isFinite1 x /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom abs_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (abs1 x) /\
+ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))) /\
+ is_positive1 (abs1 x).
+
+Axiom abs_finite_rev1 :
+ forall (x:t1), t'isFinite1 (abs1 x) ->
+ t'isFinite1 x /\ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))).
+
+Axiom abs_universal1 : forall (x:t1), ~ is_negative1 (abs1 x).
+
+Axiom fma_finite1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 x -> t'isFinite1 y ->
+ t'isFinite1 z ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ t'isFinite1 (fma1 m x y z) /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom fma_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 (fma1 m x y z) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z.
+
+Axiom fma_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), to_nearest m ->
+ t'isFinite1 (fma1 m x y z) ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom sqrt_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> (0%R <= (t'real1 x))%R ->
+ t'isFinite1 (sqrt1 m x) /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+Axiom sqrt_finite_rev1 :
+ forall (m:mode) (x:t1), t'isFinite1 (sqrt1 m x) ->
+ t'isFinite1 x /\
+ (0%R <= (t'real1 x))%R /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real1 (x:t1) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive1 x /\ (0%R < r)%R \/ is_negative1 x /\ (r < 0%R)%R.
+
+Axiom add_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := add1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ same_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) + (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (same_sign1 x y -> same_sign1 r x) /\
+ (~ same_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom sub_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := sub1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ diff_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) - (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (diff_sign1 x y -> same_sign1 r x) /\
+ (~ diff_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom mul_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := mul1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_infinite1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom div_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := div1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_zero1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ ~ is_zero1 y /\ ~ no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ is_zero1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_zero1 x /\ is_zero1 y -> is_nan1 r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom neg_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (neg1 x)) /\
+ (is_infinite1 x -> is_infinite1 (neg1 x)) /\
+ (~ is_nan1 x -> diff_sign1 x (neg1 x)).
+
+Axiom abs_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (abs1 x)) /\
+ (is_infinite1 x -> is_infinite1 (abs1 x)) /\
+ (~ is_nan1 x -> is_positive1 (abs1 x)).
+
+Axiom fma_special1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1),
+ let r := fma1 m x y z in
+ (is_nan1 x \/ is_nan1 y \/ is_nan1 z -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ is_infinite1 z ->
+ is_infinite1 r /\ same_sign1 r z) /\
+ (is_infinite1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ t'isFinite1 z /\
+ ~ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ same_sign_real1 r (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z ->
+ (product_sign1 z x y -> same_sign1 r z) /\
+ (~ product_sign1 z x y ->
+ ((((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R = 0%R) ->
+ ((m = RTN) -> is_negative1 r) /\ (~ (m = RTN) -> is_positive1 r))).
+
+Axiom sqrt_special1 :
+ forall (m:mode) (x:t1),
+ let r := sqrt1 m x in
+ (is_nan1 x -> is_nan1 r) /\
+ (is_plus_infinity1 x -> is_plus_infinity1 r) /\
+ (is_minus_infinity1 x -> is_nan1 r) /\
+ (t'isFinite1 x /\ ((t'real1 x) < 0%R)%R -> is_nan1 r) /\
+ (is_zero1 x -> same_sign1 r x) /\
+ (t'isFinite1 x /\ (0%R < (t'real1 x))%R -> is_positive1 r).
+
+Axiom of_int_add_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i + j)%Z ->
+ eq1 (of_int1 m (i + j)%Z) (add1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_sub_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i - j)%Z ->
+ eq1 (of_int1 m (i - j)%Z) (sub1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_mul_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i * j)%Z ->
+ eq1 (of_int1 m (i * j)%Z) (mul1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom Min_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (min1 x y) y.
+
+Axiom Min_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (min1 x y) x.
+
+Axiom Max_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (max1 x y) x.
+
+Axiom Max_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (max1 x y) y.
+
+Parameter is_int1: t1 -> Prop.
+
+Axiom zeroF_is_int1 : is_int1 zeroF1.
+
+Axiom of_int_is_int1 :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range1 x ->
+ is_int1 (of_int1 m x).
+
+Axiom big_float_is_int1 :
+ forall (m:mode) (i:t1), t'isFinite1 i ->
+ le1 i (neg1 (of_int1 m 9007199254740992%Z)) \/
+ le1 (of_int1 m 9007199254740992%Z) i -> is_int1 i.
+
+Axiom roundToIntegral_is_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> is_int1 (roundToIntegral1 m x).
+
+Axiom eq_is_int1 : forall (x:t1) (y:t1), eq1 x y -> is_int1 x -> is_int1 y.
+
+Axiom add_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (add1 m x y) -> is_int1 (add1 m x y).
+
+Axiom sub_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (sub1 m x y) -> is_int1 (sub1 m x y).
+
+Axiom mul_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (mul1 m x y) -> is_int1 (mul1 m x y).
+
+Axiom fma_int1 :
+ forall (x:t1) (y:t1) (z:t1) (m:mode), is_int1 x -> is_int1 y ->
+ is_int1 z -> t'isFinite1 (fma1 m x y z) -> is_int1 (fma1 m x y z).
+
+Axiom neg_int1 : forall (x:t1), is_int1 x -> is_int1 (neg1 x).
+
+Axiom abs_int1 : forall (x:t1), is_int1 x -> is_int1 (abs1 x).
+
+Axiom is_int_of_int1 :
+ forall (x:t1) (m:mode) (m':mode), is_int1 x ->
+ eq1 x (of_int1 m' (to_int1 m x)).
+
+Axiom is_int_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x -> in_int_range1 (to_int1 m x).
+
+Axiom is_int_is_finite1 : forall (x:t1), is_int1 x -> t'isFinite1 x.
+
+Axiom int_to_real1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((t'real1 x) = (BuiltIn.IZR (to_int1 m x))).
+
+Axiom truncate_int1 :
+ forall (m:mode) (i:t1), is_int1 i -> eq1 (roundToIntegral1 m i) i.
+
+Axiom truncate_neg1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTP x)).
+
+Axiom truncate_pos1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTN x)).
+
+Axiom ceil_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 x (roundToIntegral1 RTP x).
+
+Axiom ceil_lest1 :
+ forall (x:t1) (y:t1), le1 x y /\ is_int1 y ->
+ le1 (roundToIntegral1 RTP x) y.
+
+Axiom ceil_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTP x)) = (BuiltIn.IZR (ceil (t'real1 x)))).
+
+Axiom ceil_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTP x)) = (ceil (t'real1 x))).
+
+Axiom floor_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 (roundToIntegral1 RTN x) x.
+
+Axiom floor_lest1 :
+ forall (x:t1) (y:t1), le1 y x /\ is_int1 y ->
+ le1 y (roundToIntegral1 RTN x).
+
+Axiom floor_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTN x)) = (BuiltIn.IZR (floor (t'real1 x)))).
+
+Axiom floor_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTN x)) = (floor (t'real1 x))).
+
+Axiom RNA_down1 :
+ forall (x:t1),
+ lt1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up1 :
+ forall (x:t1),
+ lt1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom RNA_down_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) -> is_negative1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) -> is_positive1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom to_int_roundToIntegral1 :
+ forall (m:mode) (x:t1),
+ ((to_int1 m x) = (to_int1 m (roundToIntegral1 m x))).
+
+Axiom to_int_monotonic1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> le1 x y ->
+ ((to_int1 m x) <= (to_int1 m y))%Z.
+
+Axiom to_int_of_int1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((to_int1 m (of_int1 m i)) = i).
+
+Axiom eq_to_int1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> eq1 x y ->
+ ((to_int1 m x) = (to_int1 m y)).
+
+Axiom neg_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((to_int1 m (neg1 x)) = (-(to_int1 m x))%Z).
+
+Axiom roundToIntegral_is_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> t'isFinite1 (roundToIntegral1 m x).
+
+Axiom round_bound_ne1 :
+ forall (x:Reals.Rdefinitions.R), no_overflow1 RNE x ->
+ (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
+ <= (round1 RNE x))%R /\
+ ((round1 RNE x) <=
+ ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
+
+Axiom round_bound1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow1 m x ->
+ (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
+ <= (round1 m x))%R /\
+ ((round1 m x) <=
+ ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
+
+Parameter to_float64: mode -> t -> t1.
+
+Parameter to_float32: mode -> t1 -> t.
+
+Axiom round_double_single :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round m2 x)) = (round m2 x)).
+
+Axiom to_float64_exact :
+ forall (m:mode) (x:t), t'isFinite x ->
+ t'isFinite1 (to_float64 m x) /\ ((t'real1 (to_float64 m x)) = (t'real x)).
+
+Axiom to_float32_conv :
+ forall (m:mode) (x:t1), t'isFinite1 x -> no_overflow m (t'real1 x) ->
+ t'isFinite (to_float32 m x) /\
+ ((t'real (to_float32 m x)) = (round m (t'real1 x))).
+
+(* Why3 assumption *)
+Definition f32 := t.
+
+(* Why3 assumption *)
+Definition f64 := t1.
+
+Parameter to_f32: Reals.Rdefinitions.R -> t.
+
+Parameter to_f64: Reals.Rdefinitions.R -> t1.
+
+Axiom to_float_is_finite_32 :
+ forall (f:t), t'isFinite f -> eq (to_f32 (t'real f)) f.
+
+Axiom to_f32_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range x ->
+ ((t'real (to_f32 x)) = (round RNE x)).
+
+Axiom to_f32_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range x -> t'isFinite (to_f32 x).
+
+Axiom to_f32_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x < (-(33554430 * 10141204801825835211973625643008)%R)%R)%R ->
+ is_minus_infinity (to_f32 x).
+
+Axiom to_f32_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((33554430 * 10141204801825835211973625643008)%R < x)%R ->
+ is_plus_infinity (to_f32 x).
+
+Axiom to_float_is_finite_64 :
+ forall (f:t1), t'isFinite1 f -> eq1 (to_f64 (t'real1 f)) f.
+
+Axiom to_f64_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range1 x ->
+ ((t'real1 (to_f64 x)) = (round1 RNE x)).
+
+Axiom to_f64_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range1 x -> t'isFinite1 (to_f64 x).
+
+Axiom to_f64_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x <
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R)%R ->
+ is_minus_infinity1 (to_f64 x).
+
+Axiom to_f64_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ < x)%R ->
+ is_plus_infinity1 (to_f64 x).
+
+(* Why3 assumption *)
+Definition round_float (m:mode) (r:Reals.Rdefinitions.R) : t :=
+ to_f32 (round m r).
+
+(* Why3 assumption *)
+Definition round_double (m:mode) (r:Reals.Rdefinitions.R) : t1 :=
+ to_f64 (round1 m r).
+
+Axiom is_zero_to_f32_zero : is_zero (to_f32 0%R).
+
+Axiom is_zero_to_f64_zero : is_zero1 (to_f64 0%R).
+
+Axiom real_0_is_zero_f32 : forall (f:t), (0%R = (t'real f)) -> is_zero f.
+
+Axiom real_0_is_zero_f64 : forall (f:t1), (0%R = (t'real1 f)) -> is_zero1 f.
+
+Axiom f32_to_f64 : forall (f:t), ((to_f64 (t'real f)) = (to_float64 RNE f)).
+
+Axiom f64_to_f32 :
+ forall (f:t1), ((to_f32 (t'real1 f)) = (to_float32 RNE f)).
+
+(* Why3 assumption *)
+Definition finite (x:Reals.Rdefinitions.R) : Prop :=
+ t'isFinite (to_f32 x) /\ t'isFinite1 (to_f64 x).
+
+Parameter eq_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom eq_f32b'def :
+ forall (x:t) (y:t),
+ (eq x y -> ((eq_f32b x y) = Init.Datatypes.true)) /\
+ (~ eq x y -> ((eq_f32b x y) = Init.Datatypes.false)).
+
+Parameter eq_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom eq_f64b'def :
+ forall (x:t1) (y:t1),
+ (eq1 x y -> ((eq_f64b x y) = Init.Datatypes.true)) /\
+ (~ eq1 x y -> ((eq_f64b x y) = Init.Datatypes.false)).
+
+(* Why3 assumption *)
+Definition ne_f32 (x:t) (y:t) : Prop := ~ eq x y.
+
+(* Why3 assumption *)
+Definition ne_f64 (x:t1) (y:t1) : Prop := ~ eq1 x y.
+
+Parameter ne_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom ne_f32b'def :
+ forall (x:t) (y:t),
+ (ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.true)) /\
+ (~ ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.false)).
+
+Parameter ne_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom ne_f64b'def :
+ forall (x:t1) (y:t1),
+ (ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.true)) /\
+ (~ ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.false)).
+
+Parameter le_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom le_f32b'def :
+ forall (x:t) (y:t),
+ (le x y -> ((le_f32b x y) = Init.Datatypes.true)) /\
+ (~ le x y -> ((le_f32b x y) = Init.Datatypes.false)).
+
+Parameter le_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom le_f64b'def :
+ forall (x:t1) (y:t1),
+ (le1 x y -> ((le_f64b x y) = Init.Datatypes.true)) /\
+ (~ le1 x y -> ((le_f64b x y) = Init.Datatypes.false)).
+
+Parameter lt_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom lt_f32b'def :
+ forall (x:t) (y:t),
+ (lt x y -> ((lt_f32b x y) = Init.Datatypes.true)) /\
+ (~ lt x y -> ((lt_f32b x y) = Init.Datatypes.false)).
+
+Parameter lt_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom lt_f64b'def :
+ forall (x:t1) (y:t1),
+ (lt1 x y -> ((lt_f64b x y) = Init.Datatypes.true)) /\
+ (~ lt1 x y -> ((lt_f64b x y) = Init.Datatypes.false)).
+
+Parameter model_f32: t -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f32 (f:t) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real f) - (model_f32 f))%R.
+
+(* Why3 assumption *)
+Definition error_f32 (f:t) : Reals.Rdefinitions.R :=
+ ((delta_f32 f) / (Reals.Rbasic_fun.Rabs (model_f32 f)))%R.
+
+Parameter model_f64: t1 -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f64 (f:t1) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real1 f) - (model_f64 f))%R.
+
+(* Why3 assumption *)
+Definition error_f64 (f:t1) : Reals.Rdefinitions.R :=
+ ((delta_f64 f) / (Reals.Rbasic_fun.Rabs (model_f64 f)))%R.
+
+(* Why3 goal *)
+Theorem wp_goal : forall (f:t1), ~ t'isFinite1 f \/ ~ is_nan1 f.
+Proof.
+ admit.
+Admitted.
+
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/tset.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle_qualif/tset.res.oracle
index 678ead75a09a52d12646a33a60c522dc7c4244ba..09696132705eae973a73ded6c9ea2d4e14da184d 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle_qualif/tset.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/tset.res.oracle
@@ -1,7 +1,6 @@
# frama-c -wp [...]
[kernel] Parsing tset.i (no preprocessing)
[wp] Running WP plugin...
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 4 goals scheduled
[wp] [Qed] Goal typed_lemma_UNION_DESCR : Valid
[wp] [Alt-Ergo] Goal typed_lemma_UNION_EQ : Valid
diff --git a/src/plugins/wp/tests/wp_acsl/tset.i b/src/plugins/wp/tests/wp_acsl/tset.i
index 1f7b11df21bbacb99fcbf4de995db036cac04e8d..0f955192f57d0c52ae914f739ad62070abf049fd 100644
--- a/src/plugins/wp/tests/wp_acsl/tset.i
+++ b/src/plugins/wp/tests/wp_acsl/tset.i
@@ -1,11 +1,11 @@
/* run.config_qualif
- OPT: -wp -wp-prover alt-ergo,native:coq -wp-coq-script %{dep:@PTEST_DIR@/tset.s}
+ OPT: -wp -wp-prover alt-ergo,coq
*/
/*@
lemma UNION_EQ:
- \forall integer x,y ;
+ \forall integer x,y ;
(\union(0,x) == \union(0,y)) <==> (x==y) ;
lemma UNION_LIFT:
diff --git a/src/plugins/wp/tests/wp_bts/bts_1174.i b/src/plugins/wp/tests/wp_bts/bts_1174.i
index ce50d9189258794e8e0292d0262e3e922e763a83..244cce0d7ad738f2232736b9deeaaf492e0c83ca 100644
--- a/src/plugins/wp/tests/wp_bts/bts_1174.i
+++ b/src/plugins/wp/tests/wp_bts/bts_1174.i
@@ -1,5 +1,5 @@
/* run.config_qualif
- OPT: -wp -wp-prover native:coq -wp-coq-script %{dep:@PTEST_DIR@/bts_1174.s} -wp-model +real
+ OPT: -wp -wp-prover coq -wp-model +real
*/
/*@ requires -10. <= x && x <= 10.; */
diff --git a/src/plugins/wp/tests/wp_bts/bts_2471.i b/src/plugins/wp/tests/wp_bts/bts_2471.i
index a25c144dafc34fea9b4067ea4e9e953d1ff1505e..5a4e280a22389387dc6650724ac5e079a110930d 100644
--- a/src/plugins/wp/tests/wp_bts/bts_2471.i
+++ b/src/plugins/wp/tests/wp_bts/bts_2471.i
@@ -4,7 +4,7 @@
/* run.config_qualif
OPT: -wp-timeout 1
- OPT: -wp-prover native:coq
+ OPT: -wp-prover coq
*/
/*@ axiomatic maps {
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_qed_ok.v b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_qed_ok.v
new file mode 100644
index 0000000000000000000000000000000000000000..1719a11c0bd459923bf8c6e49accdd5e546bfe5f
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_qed_ok.v
@@ -0,0 +1,326 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (i:Numbers.BinNums.Z) (r:Reals.Rdefinitions.R), ~ (i = 0%Z) ->
+ (r <= 10%R)%R -> ((-10%R)%R <= r)%R -> (0%R <= r)%R -> is_sint32 i ->
+ (0%R <= (2%R * r)%R)%R.
+Proof.
+ intros.
+ Require Import Fourier.
+ fourier.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v
new file mode 100644
index 0000000000000000000000000000000000000000..5b6c4be6ab5fb2f3e2580d9c03a5f35d1cb93401
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v
@@ -0,0 +1,1996 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require Reals.Rbasic_fun.
+Require Reals.R_sqrt.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.Abs.
+Require real.FromInt.
+Require real.Square.
+Require map.Map.
+Require bv.Pow2int.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+Axiom abs_def :
+ forall (x:Numbers.BinNums.Z),
+ ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
+ (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
+
+Axiom sqrt_lin1 :
+ forall (x:Reals.Rdefinitions.R), (1%R < x)%R ->
+ ((Reals.R_sqrt.sqrt x) < x)%R.
+
+Axiom sqrt_lin0 :
+ forall (x:Reals.Rdefinitions.R), (0%R < x)%R /\ (x < 1%R)%R ->
+ (x < (Reals.R_sqrt.sqrt x))%R.
+
+Axiom sqrt_0 : ((Reals.R_sqrt.sqrt 0%R) = 0%R).
+
+Axiom sqrt_1 : ((Reals.R_sqrt.sqrt 1%R) = 1%R).
+
+(* Why3 assumption *)
+Inductive mode :=
+ | RNE : mode
+ | RNA : mode
+ | RTP : mode
+ | RTN : mode
+ | RTZ : mode.
+Axiom mode_WhyType : WhyType mode.
+Existing Instance mode_WhyType.
+
+(* Why3 assumption *)
+Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).
+
+Axiom t : Type.
+Parameter t_WhyType : WhyType t.
+Existing Instance t_WhyType.
+
+Parameter t'real: t -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite: t -> Prop.
+
+Axiom t'axiom :
+ forall (x:t), t'isFinite x ->
+ ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
+ ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
+
+Parameter truncate: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Truncate_int :
+ forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
+
+Axiom Truncate_down_pos :
+ forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
+ ((BuiltIn.IZR (truncate x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
+
+Axiom Truncate_up_neg :
+ forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
+ ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
+ (x <= (BuiltIn.IZR (truncate x)))%R.
+
+Axiom Real_of_truncate :
+ forall (x:Reals.Rdefinitions.R),
+ ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
+ ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
+
+Axiom Truncate_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((truncate x) <= (truncate y))%Z.
+
+Axiom Truncate_monotonic_int1 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
+
+Axiom Truncate_monotonic_int2 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
+
+Parameter floor: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Parameter ceil: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Floor_int :
+ forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
+
+Axiom Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
+
+Axiom Floor_down :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR (floor x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
+
+Axiom Ceil_up :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
+
+Axiom Floor_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((floor x) <= (floor y))%Z.
+
+Axiom Ceil_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((ceil x) <= (ceil y))%Z.
+
+Parameter zeroF: t.
+
+Parameter add: mode -> t -> t -> t.
+
+Parameter sub: mode -> t -> t -> t.
+
+Parameter mul: mode -> t -> t -> t.
+
+Parameter div: mode -> t -> t -> t.
+
+Parameter abs: t -> t.
+
+Parameter neg: t -> t.
+
+Parameter fma: mode -> t -> t -> t -> t.
+
+Parameter sqrt: mode -> t -> t.
+
+Parameter roundToIntegral: mode -> t -> t.
+
+Parameter min: t -> t -> t.
+
+Parameter max: t -> t -> t.
+
+Parameter le: t -> t -> Prop.
+
+Parameter lt: t -> t -> Prop.
+
+Parameter eq: t -> t -> Prop.
+
+Parameter is_normal: t -> Prop.
+
+Parameter is_subnormal: t -> Prop.
+
+Parameter is_zero: t -> Prop.
+
+Parameter is_infinite: t -> Prop.
+
+Parameter is_nan: t -> Prop.
+
+Parameter is_positive: t -> Prop.
+
+Parameter is_negative: t -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.
+
+Axiom is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
+
+Axiom is_not_finite :
+ forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
+
+Axiom zeroF_is_positive : is_positive zeroF.
+
+Axiom zeroF_is_zero : is_zero zeroF.
+
+Axiom zero_to_real :
+ forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
+
+Parameter of_int: mode -> Numbers.BinNums.Z -> t.
+
+Parameter to_int: mode -> t -> Numbers.BinNums.Z.
+
+Axiom zero_of_int : forall (m:mode), (zeroF = (of_int m 0%Z)).
+
+Parameter round: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int: Numbers.BinNums.Z.
+
+Axiom max_real_int :
+ ((33554430 * 10141204801825835211973625643008)%R = (BuiltIn.IZR max_int)).
+
+(* Why3 assumption *)
+Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(33554430 * 10141204801825835211973625643008)%R)%R <= x)%R /\
+ (x <= (33554430 * 10141204801825835211973625643008)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.
+
+Axiom is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
+
+(* Why3 assumption *)
+Definition no_overflow (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range (round m x).
+
+Axiom Bounded_real_no_overflow :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range x -> no_overflow m x.
+
+Axiom Round_monotonic :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round m x) <= (round m y))%R.
+
+Axiom Round_idempotent :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round m1 (round m2 x)) = (round m2 x)).
+
+Axiom Round_to_real :
+ forall (m:mode) (x:t), t'isFinite x -> ((round m (t'real x)) = (t'real x)).
+
+Axiom Round_down_le :
+ forall (x:Reals.Rdefinitions.R), ((round RTN x) <= x)%R.
+
+Axiom Round_up_ge : forall (x:Reals.Rdefinitions.R), (x <= (round RTP x))%R.
+
+Axiom Round_down_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTN (-x)%R) = (-(round RTP x))%R).
+
+Axiom Round_up_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTP (-x)%R) = (-(round RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.
+
+Axiom Exact_rounding_for_integers :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.
+
+(* Why3 assumption *)
+Definition diff_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.
+
+Axiom feq_eq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
+ eq x y -> (x = y).
+
+Axiom eq_feq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
+
+Axiom eq_refl : forall (x:t), t'isFinite x -> eq x x.
+
+Axiom eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
+
+Axiom eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
+
+Axiom eq_zero : eq zeroF (neg zeroF).
+
+Axiom eq_to_real_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ eq x y <-> ((t'real x) = (t'real y)).
+
+Axiom eq_special :
+ forall (x:t) (y:t), eq x y ->
+ is_not_nan x /\
+ is_not_nan y /\
+ (t'isFinite x /\ t'isFinite y \/
+ is_infinite x /\ is_infinite y /\ same_sign x y).
+
+Axiom lt_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ lt x y <-> ((t'real x) < (t'real y))%R.
+
+Axiom le_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ le x y <-> ((t'real x) <= (t'real y))%R.
+
+Axiom le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
+
+Axiom lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
+
+Axiom le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
+
+Axiom not_lt_ge :
+ forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
+
+Axiom not_gt_le :
+ forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
+
+Axiom le_special :
+ forall (x:t) (y:t), le x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
+
+Axiom lt_special :
+ forall (x:t) (y:t), lt x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
+ is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
+
+Axiom lt_lt_finite :
+ forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
+
+Axiom positive_to_real :
+ forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
+
+Axiom to_real_positive :
+ forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
+
+Axiom negative_to_real :
+ forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
+
+Axiom to_real_negative :
+ forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
+
+Axiom negative_xor_positive :
+ forall (x:t), ~ (is_positive x /\ is_negative x).
+
+Axiom negative_or_positive :
+ forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
+
+Axiom diff_sign_trans :
+ forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
+
+Axiom diff_sign_product :
+ forall (x:t) (y:t),
+ t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
+ diff_sign x y.
+
+Axiom same_sign_product :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
+ (0%R <= ((t'real x) * (t'real y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign (z:t) (x:t) (y:t) : Prop :=
+ (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).
+
+(* Why3 assumption *)
+Definition overflow_value (m:mode) (x:t) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x -> is_infinite x)
+ | RTP =>
+ (is_positive x -> is_infinite x) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RTZ =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RNA|RNE => is_infinite x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result (m:mode) (x:t) : Prop :=
+ is_zero x -> match m with
+ | RTN => is_negative x
+ | _ => is_positive x
+ end.
+
+Axiom add_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) + (t'real y))%R ->
+ t'isFinite (add m x y) /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom add_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (add m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom add_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (add m x y) ->
+ no_overflow m ((t'real x) + (t'real y))%R /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom sub_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) - (t'real y))%R ->
+ t'isFinite (sub m x y) /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom sub_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (sub m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom sub_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (sub m x y) ->
+ no_overflow m ((t'real x) - (t'real y))%R /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom mul_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) * (t'real y))%R ->
+ t'isFinite (mul m x y) /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom mul_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (mul m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom mul_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (mul m x y) ->
+ no_overflow m ((t'real x) * (t'real y))%R /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom div_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero y ->
+ no_overflow m ((t'real x) / (t'real y))%R ->
+ t'isFinite (div m x y) /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom div_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (div m x y) ->
+ t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
+ t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
+
+Axiom div_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (div m x y) ->
+ t'isFinite y ->
+ no_overflow m ((t'real x) / (t'real y))%R /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom neg_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom neg_finite_rev :
+ forall (x:t), t'isFinite (neg x) ->
+ t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom abs_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (abs x) /\
+ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
+ is_positive (abs x).
+
+Axiom abs_finite_rev :
+ forall (x:t), t'isFinite (abs x) ->
+ t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
+
+Axiom abs_universal : forall (x:t), ~ is_negative (abs x).
+
+Axiom fma_finite :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite x -> t'isFinite y ->
+ t'isFinite z ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ t'isFinite (fma m x y z) /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom fma_finite_rev :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite (fma m x y z) ->
+ t'isFinite x /\ t'isFinite y /\ t'isFinite z.
+
+Axiom fma_finite_rev_n :
+ forall (m:mode) (x:t) (y:t) (z:t), to_nearest m ->
+ t'isFinite (fma m x y z) ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom sqrt_finite :
+ forall (m:mode) (x:t), t'isFinite x -> (0%R <= (t'real x))%R ->
+ t'isFinite (sqrt m x) /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+Axiom sqrt_finite_rev :
+ forall (m:mode) (x:t), t'isFinite (sqrt m x) ->
+ t'isFinite x /\
+ (0%R <= (t'real x))%R /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.
+
+Axiom add_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := add m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
+ same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (same_sign x y -> same_sign r x) /\
+ (~ same_sign x y -> sign_zero_result m r)).
+
+Axiom sub_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := sub m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
+ same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (diff_sign x y -> same_sign r x) /\
+ (~ diff_sign x y -> sign_zero_result m r)).
+
+Axiom mul_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := mul m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_infinite r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
+ overflow_value m r) /\
+ (~ is_nan r -> product_sign r x y).
+
+Axiom div_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := div m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_zero r) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
+ overflow_value m r) /\
+ (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
+ (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
+
+Axiom neg_special :
+ forall (x:t),
+ (is_nan x -> is_nan (neg x)) /\
+ (is_infinite x -> is_infinite (neg x)) /\
+ (~ is_nan x -> diff_sign x (neg x)).
+
+Axiom abs_special :
+ forall (x:t),
+ (is_nan x -> is_nan (abs x)) /\
+ (is_infinite x -> is_infinite (abs x)) /\
+ (~ is_nan x -> is_positive (abs x)).
+
+Axiom fma_special :
+ forall (m:mode) (x:t) (y:t) (z:t),
+ let r := fma m x y z in
+ (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
+ is_infinite r /\ same_sign r z) /\
+ (is_infinite x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (t'isFinite x /\
+ t'isFinite y /\
+ t'isFinite z /\
+ ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
+ (product_sign z x y -> same_sign r z) /\
+ (~ product_sign z x y ->
+ ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
+ ((m = RTN) -> is_negative r) /\ (~ (m = RTN) -> is_positive r))).
+
+Axiom sqrt_special :
+ forall (m:mode) (x:t),
+ let r := sqrt m x in
+ (is_nan x -> is_nan r) /\
+ (is_plus_infinity x -> is_plus_infinity r) /\
+ (is_minus_infinity x -> is_nan r) /\
+ (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
+ (is_zero x -> same_sign r x) /\
+ (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
+
+Axiom of_int_add_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i + j)%Z ->
+ eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
+
+Axiom of_int_sub_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i - j)%Z ->
+ eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
+
+Axiom of_int_mul_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i * j)%Z ->
+ eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
+
+Axiom Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
+
+Axiom Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
+
+Axiom Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
+
+Axiom Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
+
+Parameter is_int: t -> Prop.
+
+Axiom zeroF_is_int : is_int zeroF.
+
+Axiom of_int_is_int :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range x ->
+ is_int (of_int m x).
+
+Axiom big_float_is_int :
+ forall (m:mode) (i:t), t'isFinite i ->
+ le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
+
+Axiom roundToIntegral_is_int :
+ forall (m:mode) (x:t), t'isFinite x -> is_int (roundToIntegral m x).
+
+Axiom eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
+
+Axiom add_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (add m x y) -> is_int (add m x y).
+
+Axiom sub_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (sub m x y) -> is_int (sub m x y).
+
+Axiom mul_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (mul m x y) -> is_int (mul m x y).
+
+Axiom fma_int :
+ forall (x:t) (y:t) (z:t) (m:mode), is_int x -> is_int y -> is_int z ->
+ t'isFinite (fma m x y z) -> is_int (fma m x y z).
+
+Axiom neg_int : forall (x:t), is_int x -> is_int (neg x).
+
+Axiom abs_int : forall (x:t), is_int x -> is_int (abs x).
+
+Axiom is_int_of_int :
+ forall (x:t) (m:mode) (m':mode), is_int x -> eq x (of_int m' (to_int m x)).
+
+Axiom is_int_to_int :
+ forall (m:mode) (x:t), is_int x -> in_int_range (to_int m x).
+
+Axiom is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
+
+Axiom int_to_real :
+ forall (m:mode) (x:t), is_int x ->
+ ((t'real x) = (BuiltIn.IZR (to_int m x))).
+
+Axiom truncate_int :
+ forall (m:mode) (i:t), is_int i -> eq (roundToIntegral m i) i.
+
+Axiom truncate_neg :
+ forall (x:t), t'isFinite x -> is_negative x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTP x)).
+
+Axiom truncate_pos :
+ forall (x:t), t'isFinite x -> is_positive x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTN x)).
+
+Axiom ceil_le : forall (x:t), t'isFinite x -> le x (roundToIntegral RTP x).
+
+Axiom ceil_lest :
+ forall (x:t) (y:t), le x y /\ is_int y -> le (roundToIntegral RTP x) y.
+
+Axiom ceil_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTP x)) = (BuiltIn.IZR (ceil (t'real x)))).
+
+Axiom ceil_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTP x)) = (ceil (t'real x))).
+
+Axiom floor_le : forall (x:t), t'isFinite x -> le (roundToIntegral RTN x) x.
+
+Axiom floor_lest :
+ forall (x:t) (y:t), le y x /\ is_int y -> le y (roundToIntegral RTN x).
+
+Axiom floor_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTN x)) = (BuiltIn.IZR (floor (t'real x)))).
+
+Axiom floor_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTN x)) = (floor (t'real x))).
+
+Axiom RNA_down :
+ forall (x:t),
+ lt (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up :
+ forall (x:t),
+ lt (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom RNA_down_tie :
+ forall (x:t),
+ eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ is_negative x -> ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up_tie :
+ forall (x:t),
+ eq (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ is_positive x -> ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom to_int_roundToIntegral :
+ forall (m:mode) (x:t), ((to_int m x) = (to_int m (roundToIntegral m x))).
+
+Axiom to_int_monotonic :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> le x y ->
+ ((to_int m x) <= (to_int m y))%Z.
+
+Axiom to_int_of_int :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((to_int m (of_int m i)) = i).
+
+Axiom eq_to_int :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> eq x y ->
+ ((to_int m x) = (to_int m y)).
+
+Axiom neg_to_int :
+ forall (m:mode) (x:t), is_int x -> ((to_int m (neg x)) = (-(to_int m x))%Z).
+
+Axiom roundToIntegral_is_finite :
+ forall (m:mode) (x:t), t'isFinite x -> t'isFinite (roundToIntegral m x).
+
+Axiom round_bound_ne :
+ forall (x:Reals.Rdefinitions.R), no_overflow RNE x ->
+ (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R
+ <= (round RNE x))%R /\
+ ((round RNE x) <=
+ ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
+
+Axiom round_bound :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow m x ->
+ (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 713623846352979940529142984724747568191373312)%R)%R
+ <= (round m x))%R /\
+ ((round m x) <=
+ ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
+
+Axiom t1 : Type.
+Parameter t1_WhyType : WhyType t1.
+Existing Instance t1_WhyType.
+
+Parameter t'real1: t1 -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite1: t1 -> Prop.
+
+Axiom t'axiom1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
+ <= (t'real1 x))%R /\
+ ((t'real1 x) <=
+ 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
+
+Parameter zeroF1: t1.
+
+Parameter add1: mode -> t1 -> t1 -> t1.
+
+Parameter sub1: mode -> t1 -> t1 -> t1.
+
+Parameter mul1: mode -> t1 -> t1 -> t1.
+
+Parameter div1: mode -> t1 -> t1 -> t1.
+
+Parameter abs1: t1 -> t1.
+
+Parameter neg1: t1 -> t1.
+
+Parameter fma1: mode -> t1 -> t1 -> t1 -> t1.
+
+Parameter sqrt1: mode -> t1 -> t1.
+
+Parameter roundToIntegral1: mode -> t1 -> t1.
+
+Parameter min1: t1 -> t1 -> t1.
+
+Parameter max1: t1 -> t1 -> t1.
+
+Parameter le1: t1 -> t1 -> Prop.
+
+Parameter lt1: t1 -> t1 -> Prop.
+
+Parameter eq1: t1 -> t1 -> Prop.
+
+Parameter is_normal1: t1 -> Prop.
+
+Parameter is_subnormal1: t1 -> Prop.
+
+Parameter is_zero1: t1 -> Prop.
+
+Parameter is_infinite1: t1 -> Prop.
+
+Parameter is_nan1: t1 -> Prop.
+
+Parameter is_positive1: t1 -> Prop.
+
+Parameter is_negative1: t1 -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_plus_zero1 (x:t1) : Prop := is_zero1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_zero1 (x:t1) : Prop := is_zero1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_not_nan2 (x:t1) : Prop := t'isFinite1 x \/ is_infinite1 x.
+
+Axiom is_not_nan3 : forall (x:t1), is_not_nan2 x <-> ~ is_nan1 x.
+
+Axiom is_not_finite1 :
+ forall (x:t1), ~ t'isFinite1 x <-> is_infinite1 x \/ is_nan1 x.
+
+Axiom zeroF_is_positive1 : is_positive1 zeroF1.
+
+Axiom zeroF_is_zero1 : is_zero1 zeroF1.
+
+Axiom zero_to_real1 :
+ forall (x:t1), is_zero1 x <-> t'isFinite1 x /\ ((t'real1 x) = 0%R).
+
+Parameter of_int1: mode -> Numbers.BinNums.Z -> t1.
+
+Parameter to_int1: mode -> t1 -> Numbers.BinNums.Z.
+
+Axiom zero_of_int1 : forall (m:mode), (zeroF1 = (of_int1 m 0%Z)).
+
+Parameter round1: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int1: Numbers.BinNums.Z.
+
+Axiom max_real_int1 :
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ = (BuiltIn.IZR max_int1)).
+
+(* Why3 assumption *)
+Definition in_range1 (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R
+ <= x)%R /\
+ (x <=
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int1)%Z <= i)%Z /\ (i <= max_int1)%Z.
+
+Axiom is_finite1 : forall (x:t1), t'isFinite1 x -> in_range1 (t'real1 x).
+
+(* Why3 assumption *)
+Definition no_overflow1 (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range1 (round1 m x).
+
+Axiom Bounded_real_no_overflow1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range1 x -> no_overflow1 m x.
+
+Axiom Round_monotonic1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round1 m x) <= (round1 m y))%R.
+
+Axiom Round_idempotent1 :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round1 m2 x)) = (round1 m2 x)).
+
+Axiom Round_to_real1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((round1 m (t'real1 x)) = (t'real1 x)).
+
+Axiom Round_down_le1 :
+ forall (x:Reals.Rdefinitions.R), ((round1 RTN x) <= x)%R.
+
+Axiom Round_up_ge1 :
+ forall (x:Reals.Rdefinitions.R), (x <= (round1 RTP x))%R.
+
+Axiom Round_down_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTN (-x)%R) = (-(round1 RTP x))%R).
+
+Axiom Round_up_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTP (-x)%R) = (-(round1 RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.
+
+Axiom Exact_rounding_for_integers1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((round1 m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_positive1 y \/ is_negative1 x /\ is_negative1 y.
+
+(* Why3 assumption *)
+Definition diff_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_negative1 y \/ is_negative1 x /\ is_positive1 y.
+
+Axiom feq_eq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> ~ is_zero1 x ->
+ eq1 x y -> (x = y).
+
+Axiom eq_feq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> (x = y) -> eq1 x y.
+
+Axiom eq_refl1 : forall (x:t1), t'isFinite1 x -> eq1 x x.
+
+Axiom eq_sym1 : forall (x:t1) (y:t1), eq1 x y -> eq1 y x.
+
+Axiom eq_trans1 : forall (x:t1) (y:t1) (z:t1), eq1 x y -> eq1 y z -> eq1 x z.
+
+Axiom eq_zero1 : eq1 zeroF1 (neg1 zeroF1).
+
+Axiom eq_to_real_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ eq1 x y <-> ((t'real1 x) = (t'real1 y)).
+
+Axiom eq_special1 :
+ forall (x:t1) (y:t1), eq1 x y ->
+ is_not_nan2 x /\
+ is_not_nan2 y /\
+ (t'isFinite1 x /\ t'isFinite1 y \/
+ is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y).
+
+Axiom lt_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ lt1 x y <-> ((t'real1 x) < (t'real1 y))%R.
+
+Axiom le_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ le1 x y <-> ((t'real1 x) <= (t'real1 y))%R.
+
+Axiom le_lt_trans1 :
+ forall (x:t1) (y:t1) (z:t1), le1 x y /\ lt1 y z -> lt1 x z.
+
+Axiom lt_le_trans1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y /\ le1 y z -> lt1 x z.
+
+Axiom le_ge_asym1 : forall (x:t1) (y:t1), le1 x y /\ le1 y x -> eq1 x y.
+
+Axiom not_lt_ge1 :
+ forall (x:t1) (y:t1), ~ lt1 x y /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 y x.
+
+Axiom not_gt_le1 :
+ forall (x:t1) (y:t1), ~ lt1 y x /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 x y.
+
+Axiom le_special1 :
+ forall (x:t1) (y:t1), le1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y \/
+ is_not_nan2 x /\ is_plus_infinity1 y.
+
+Axiom lt_special1 :
+ forall (x:t1) (y:t1), lt1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y /\ ~ is_minus_infinity1 y \/
+ is_not_nan2 x /\ ~ is_plus_infinity1 x /\ is_plus_infinity1 y.
+
+Axiom lt_lt_finite1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y -> lt1 y z -> t'isFinite1 y.
+
+Axiom positive_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x -> (0%R <= (t'real1 x))%R.
+
+Axiom to_real_positive1 :
+ forall (x:t1), t'isFinite1 x -> (0%R < (t'real1 x))%R -> is_positive1 x.
+
+Axiom negative_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x -> ((t'real1 x) <= 0%R)%R.
+
+Axiom to_real_negative1 :
+ forall (x:t1), t'isFinite1 x -> ((t'real1 x) < 0%R)%R -> is_negative1 x.
+
+Axiom negative_xor_positive1 :
+ forall (x:t1), ~ (is_positive1 x /\ is_negative1 x).
+
+Axiom negative_or_positive1 :
+ forall (x:t1), is_not_nan2 x -> is_positive1 x \/ is_negative1 x.
+
+Axiom diff_sign_trans1 :
+ forall (x:t1) (y:t1) (z:t1), diff_sign1 x y /\ diff_sign1 y z ->
+ same_sign1 x z.
+
+Axiom diff_sign_product1 :
+ forall (x:t1) (y:t1),
+ t'isFinite1 x /\ t'isFinite1 y /\ (((t'real1 x) * (t'real1 y))%R < 0%R)%R ->
+ diff_sign1 x y.
+
+Axiom same_sign_product1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y /\ same_sign1 x y ->
+ (0%R <= ((t'real1 x) * (t'real1 y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign1 (z:t1) (x:t1) (y:t1) : Prop :=
+ (same_sign1 x y -> is_positive1 z) /\ (diff_sign1 x y -> is_negative1 z).
+
+(* Why3 assumption *)
+Definition overflow_value1 (m:mode) (x:t1) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x -> is_infinite1 x)
+ | RTP =>
+ (is_positive1 x -> is_infinite1 x) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RTZ =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RNA|RNE => is_infinite1 x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result1 (m:mode) (x:t1) : Prop :=
+ is_zero1 x -> match m with
+ | RTN => is_negative1 x
+ | _ => is_positive1 x
+ end.
+
+Axiom add_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ t'isFinite1 (add1 m x y) /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom add_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (add1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom add_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (add1 m x y) ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom sub_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ t'isFinite1 (sub1 m x y) /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom sub_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (sub1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom sub_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (sub1 m x y) ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom mul_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ t'isFinite1 (mul1 m x y) /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom mul_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (mul1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom mul_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (mul1 m x y) ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom div_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ ~ is_zero1 y -> no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ t'isFinite1 (div1 m x y) /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom div_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (div1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y \/
+ t'isFinite1 x /\ is_infinite1 y /\ ((t'real1 (div1 m x y)) = 0%R).
+
+Axiom div_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (div1 m x y) ->
+ t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) / (t'real1 y))%R /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom neg_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (neg1 x) /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom neg_finite_rev1 :
+ forall (x:t1), t'isFinite1 (neg1 x) ->
+ t'isFinite1 x /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom abs_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (abs1 x) /\
+ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))) /\
+ is_positive1 (abs1 x).
+
+Axiom abs_finite_rev1 :
+ forall (x:t1), t'isFinite1 (abs1 x) ->
+ t'isFinite1 x /\ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))).
+
+Axiom abs_universal1 : forall (x:t1), ~ is_negative1 (abs1 x).
+
+Axiom fma_finite1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 x -> t'isFinite1 y ->
+ t'isFinite1 z ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ t'isFinite1 (fma1 m x y z) /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom fma_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 (fma1 m x y z) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z.
+
+Axiom fma_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), to_nearest m ->
+ t'isFinite1 (fma1 m x y z) ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom sqrt_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> (0%R <= (t'real1 x))%R ->
+ t'isFinite1 (sqrt1 m x) /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+Axiom sqrt_finite_rev1 :
+ forall (m:mode) (x:t1), t'isFinite1 (sqrt1 m x) ->
+ t'isFinite1 x /\
+ (0%R <= (t'real1 x))%R /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real1 (x:t1) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive1 x /\ (0%R < r)%R \/ is_negative1 x /\ (r < 0%R)%R.
+
+Axiom add_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := add1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ same_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) + (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (same_sign1 x y -> same_sign1 r x) /\
+ (~ same_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom sub_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := sub1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ diff_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) - (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (diff_sign1 x y -> same_sign1 r x) /\
+ (~ diff_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom mul_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := mul1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_infinite1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom div_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := div1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_zero1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ ~ is_zero1 y /\ ~ no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ is_zero1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_zero1 x /\ is_zero1 y -> is_nan1 r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom neg_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (neg1 x)) /\
+ (is_infinite1 x -> is_infinite1 (neg1 x)) /\
+ (~ is_nan1 x -> diff_sign1 x (neg1 x)).
+
+Axiom abs_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (abs1 x)) /\
+ (is_infinite1 x -> is_infinite1 (abs1 x)) /\
+ (~ is_nan1 x -> is_positive1 (abs1 x)).
+
+Axiom fma_special1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1),
+ let r := fma1 m x y z in
+ (is_nan1 x \/ is_nan1 y \/ is_nan1 z -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ is_infinite1 z ->
+ is_infinite1 r /\ same_sign1 r z) /\
+ (is_infinite1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ t'isFinite1 z /\
+ ~ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ same_sign_real1 r (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z ->
+ (product_sign1 z x y -> same_sign1 r z) /\
+ (~ product_sign1 z x y ->
+ ((((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R = 0%R) ->
+ ((m = RTN) -> is_negative1 r) /\ (~ (m = RTN) -> is_positive1 r))).
+
+Axiom sqrt_special1 :
+ forall (m:mode) (x:t1),
+ let r := sqrt1 m x in
+ (is_nan1 x -> is_nan1 r) /\
+ (is_plus_infinity1 x -> is_plus_infinity1 r) /\
+ (is_minus_infinity1 x -> is_nan1 r) /\
+ (t'isFinite1 x /\ ((t'real1 x) < 0%R)%R -> is_nan1 r) /\
+ (is_zero1 x -> same_sign1 r x) /\
+ (t'isFinite1 x /\ (0%R < (t'real1 x))%R -> is_positive1 r).
+
+Axiom of_int_add_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i + j)%Z ->
+ eq1 (of_int1 m (i + j)%Z) (add1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_sub_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i - j)%Z ->
+ eq1 (of_int1 m (i - j)%Z) (sub1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_mul_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i * j)%Z ->
+ eq1 (of_int1 m (i * j)%Z) (mul1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom Min_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (min1 x y) y.
+
+Axiom Min_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (min1 x y) x.
+
+Axiom Max_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (max1 x y) x.
+
+Axiom Max_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (max1 x y) y.
+
+Parameter is_int1: t1 -> Prop.
+
+Axiom zeroF_is_int1 : is_int1 zeroF1.
+
+Axiom of_int_is_int1 :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range1 x ->
+ is_int1 (of_int1 m x).
+
+Axiom big_float_is_int1 :
+ forall (m:mode) (i:t1), t'isFinite1 i ->
+ le1 i (neg1 (of_int1 m 9007199254740992%Z)) \/
+ le1 (of_int1 m 9007199254740992%Z) i -> is_int1 i.
+
+Axiom roundToIntegral_is_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> is_int1 (roundToIntegral1 m x).
+
+Axiom eq_is_int1 : forall (x:t1) (y:t1), eq1 x y -> is_int1 x -> is_int1 y.
+
+Axiom add_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (add1 m x y) -> is_int1 (add1 m x y).
+
+Axiom sub_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (sub1 m x y) -> is_int1 (sub1 m x y).
+
+Axiom mul_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (mul1 m x y) -> is_int1 (mul1 m x y).
+
+Axiom fma_int1 :
+ forall (x:t1) (y:t1) (z:t1) (m:mode), is_int1 x -> is_int1 y ->
+ is_int1 z -> t'isFinite1 (fma1 m x y z) -> is_int1 (fma1 m x y z).
+
+Axiom neg_int1 : forall (x:t1), is_int1 x -> is_int1 (neg1 x).
+
+Axiom abs_int1 : forall (x:t1), is_int1 x -> is_int1 (abs1 x).
+
+Axiom is_int_of_int1 :
+ forall (x:t1) (m:mode) (m':mode), is_int1 x ->
+ eq1 x (of_int1 m' (to_int1 m x)).
+
+Axiom is_int_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x -> in_int_range1 (to_int1 m x).
+
+Axiom is_int_is_finite1 : forall (x:t1), is_int1 x -> t'isFinite1 x.
+
+Axiom int_to_real1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((t'real1 x) = (BuiltIn.IZR (to_int1 m x))).
+
+Axiom truncate_int1 :
+ forall (m:mode) (i:t1), is_int1 i -> eq1 (roundToIntegral1 m i) i.
+
+Axiom truncate_neg1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTP x)).
+
+Axiom truncate_pos1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTN x)).
+
+Axiom ceil_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 x (roundToIntegral1 RTP x).
+
+Axiom ceil_lest1 :
+ forall (x:t1) (y:t1), le1 x y /\ is_int1 y ->
+ le1 (roundToIntegral1 RTP x) y.
+
+Axiom ceil_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTP x)) = (BuiltIn.IZR (ceil (t'real1 x)))).
+
+Axiom ceil_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTP x)) = (ceil (t'real1 x))).
+
+Axiom floor_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 (roundToIntegral1 RTN x) x.
+
+Axiom floor_lest1 :
+ forall (x:t1) (y:t1), le1 y x /\ is_int1 y ->
+ le1 y (roundToIntegral1 RTN x).
+
+Axiom floor_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTN x)) = (BuiltIn.IZR (floor (t'real1 x)))).
+
+Axiom floor_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTN x)) = (floor (t'real1 x))).
+
+Axiom RNA_down1 :
+ forall (x:t1),
+ lt1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up1 :
+ forall (x:t1),
+ lt1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom RNA_down_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) -> is_negative1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) -> is_positive1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom to_int_roundToIntegral1 :
+ forall (m:mode) (x:t1),
+ ((to_int1 m x) = (to_int1 m (roundToIntegral1 m x))).
+
+Axiom to_int_monotonic1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> le1 x y ->
+ ((to_int1 m x) <= (to_int1 m y))%Z.
+
+Axiom to_int_of_int1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((to_int1 m (of_int1 m i)) = i).
+
+Axiom eq_to_int1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> eq1 x y ->
+ ((to_int1 m x) = (to_int1 m y)).
+
+Axiom neg_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((to_int1 m (neg1 x)) = (-(to_int1 m x))%Z).
+
+Axiom roundToIntegral_is_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> t'isFinite1 (roundToIntegral1 m x).
+
+Axiom round_bound_ne1 :
+ forall (x:Reals.Rdefinitions.R), no_overflow1 RNE x ->
+ (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
+ <= (round1 RNE x))%R /\
+ ((round1 RNE x) <=
+ ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
+
+Axiom round_bound1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow1 m x ->
+ (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
+ <= (round1 m x))%R /\
+ ((round1 m x) <=
+ ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
+
+Parameter to_float64: mode -> t -> t1.
+
+Parameter to_float32: mode -> t1 -> t.
+
+Axiom round_double_single :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round m2 x)) = (round m2 x)).
+
+Axiom to_float64_exact :
+ forall (m:mode) (x:t), t'isFinite x ->
+ t'isFinite1 (to_float64 m x) /\ ((t'real1 (to_float64 m x)) = (t'real x)).
+
+Axiom to_float32_conv :
+ forall (m:mode) (x:t1), t'isFinite1 x -> no_overflow m (t'real1 x) ->
+ t'isFinite (to_float32 m x) /\
+ ((t'real (to_float32 m x)) = (round m (t'real1 x))).
+
+(* Why3 assumption *)
+Definition f32 := t.
+
+(* Why3 assumption *)
+Definition f64 := t1.
+
+Parameter to_f32: Reals.Rdefinitions.R -> t.
+
+Parameter to_f64: Reals.Rdefinitions.R -> t1.
+
+Axiom to_float_is_finite_32 :
+ forall (f:t), t'isFinite f -> eq (to_f32 (t'real f)) f.
+
+Axiom to_f32_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range x ->
+ ((t'real (to_f32 x)) = (round RNE x)).
+
+Axiom to_f32_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range x -> t'isFinite (to_f32 x).
+
+Axiom to_f32_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x < (-(33554430 * 10141204801825835211973625643008)%R)%R)%R ->
+ is_minus_infinity (to_f32 x).
+
+Axiom to_f32_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((33554430 * 10141204801825835211973625643008)%R < x)%R ->
+ is_plus_infinity (to_f32 x).
+
+Axiom to_float_is_finite_64 :
+ forall (f:t1), t'isFinite1 f -> eq1 (to_f64 (t'real1 f)) f.
+
+Axiom to_f64_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range1 x ->
+ ((t'real1 (to_f64 x)) = (round1 RNE x)).
+
+Axiom to_f64_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range1 x -> t'isFinite1 (to_f64 x).
+
+Axiom to_f64_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x <
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R)%R ->
+ is_minus_infinity1 (to_f64 x).
+
+Axiom to_f64_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ < x)%R ->
+ is_plus_infinity1 (to_f64 x).
+
+(* Why3 assumption *)
+Definition round_float (m:mode) (r:Reals.Rdefinitions.R) : t :=
+ to_f32 (round m r).
+
+(* Why3 assumption *)
+Definition round_double (m:mode) (r:Reals.Rdefinitions.R) : t1 :=
+ to_f64 (round1 m r).
+
+Axiom is_zero_to_f32_zero : is_zero (to_f32 0%R).
+
+Axiom is_zero_to_f64_zero : is_zero1 (to_f64 0%R).
+
+Axiom real_0_is_zero_f32 : forall (f:t), (0%R = (t'real f)) -> is_zero f.
+
+Axiom real_0_is_zero_f64 : forall (f:t1), (0%R = (t'real1 f)) -> is_zero1 f.
+
+Axiom f32_to_f64 : forall (f:t), ((to_f64 (t'real f)) = (to_float64 RNE f)).
+
+Axiom f64_to_f32 :
+ forall (f:t1), ((to_f32 (t'real1 f)) = (to_float32 RNE f)).
+
+(* Why3 assumption *)
+Definition finite (x:Reals.Rdefinitions.R) : Prop :=
+ t'isFinite (to_f32 x) /\ t'isFinite1 (to_f64 x).
+
+Parameter eq_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom eq_f32b'def :
+ forall (x:t) (y:t),
+ (eq x y -> ((eq_f32b x y) = Init.Datatypes.true)) /\
+ (~ eq x y -> ((eq_f32b x y) = Init.Datatypes.false)).
+
+Parameter eq_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom eq_f64b'def :
+ forall (x:t1) (y:t1),
+ (eq1 x y -> ((eq_f64b x y) = Init.Datatypes.true)) /\
+ (~ eq1 x y -> ((eq_f64b x y) = Init.Datatypes.false)).
+
+(* Why3 assumption *)
+Definition ne_f32 (x:t) (y:t) : Prop := ~ eq x y.
+
+(* Why3 assumption *)
+Definition ne_f64 (x:t1) (y:t1) : Prop := ~ eq1 x y.
+
+Parameter ne_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom ne_f32b'def :
+ forall (x:t) (y:t),
+ (ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.true)) /\
+ (~ ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.false)).
+
+Parameter ne_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom ne_f64b'def :
+ forall (x:t1) (y:t1),
+ (ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.true)) /\
+ (~ ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.false)).
+
+Parameter le_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom le_f32b'def :
+ forall (x:t) (y:t),
+ (le x y -> ((le_f32b x y) = Init.Datatypes.true)) /\
+ (~ le x y -> ((le_f32b x y) = Init.Datatypes.false)).
+
+Parameter le_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom le_f64b'def :
+ forall (x:t1) (y:t1),
+ (le1 x y -> ((le_f64b x y) = Init.Datatypes.true)) /\
+ (~ le1 x y -> ((le_f64b x y) = Init.Datatypes.false)).
+
+Parameter lt_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom lt_f32b'def :
+ forall (x:t) (y:t),
+ (lt x y -> ((lt_f32b x y) = Init.Datatypes.true)) /\
+ (~ lt x y -> ((lt_f32b x y) = Init.Datatypes.false)).
+
+Parameter lt_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom lt_f64b'def :
+ forall (x:t1) (y:t1),
+ (lt1 x y -> ((lt_f64b x y) = Init.Datatypes.true)) /\
+ (~ lt1 x y -> ((lt_f64b x y) = Init.Datatypes.false)).
+
+Parameter model_f32: t -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f32 (f:t) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real f) - (model_f32 f))%R.
+
+(* Why3 assumption *)
+Definition error_f32 (f:t) : Reals.Rdefinitions.R :=
+ ((delta_f32 f) / (Reals.Rbasic_fun.Rabs (model_f32 f)))%R.
+
+Parameter model_f64: t1 -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f64 (f:t1) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real1 f) - (model_f64 f))%R.
+
+(* Why3 assumption *)
+Definition error_f64 (f:t1) : Reals.Rdefinitions.R :=
+ ((delta_f64 f) / (Reals.Rbasic_fun.Rabs (model_f64 f)))%R.
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+Parameter fliteral: t1.
+
+Axiom fliteral_axiom :
+ t'isFinite1 fliteral /\ ((t'real1 fliteral) = (1 * 2)%R).
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (i:Numbers.BinNums.Z) (f:t1),
+ let r := t'real1 f in
+ ~ (i = 0%Z) -> (r <= 10%R)%R -> ((-10%R)%R <= r)%R -> is_sint32 i ->
+ t'isFinite1 (mul1 RNE f fliteral).
+(* Why3 intros i f r h1 h2 h3 h4. *)
+Proof.
+intros i f r h1 h2 h3 h4.
+
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v.save b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v.save
new file mode 100644
index 0000000000000000000000000000000000000000..49de7a734f986fa183b54c89b6c446aabb7986c6
--- /dev/null
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.0.session/interactive/job_assert_rte_is_nan_or_infinite.v.save
@@ -0,0 +1,1995 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require Reals.Rbasic_fun.
+Require Reals.R_sqrt.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.Abs.
+Require real.FromInt.
+Require real.Square.
+Require map.Map.
+Require bv.Pow2int.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+Axiom abs_def :
+ forall (x:Numbers.BinNums.Z),
+ ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
+ (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
+
+Axiom sqrt_lin1 :
+ forall (x:Reals.Rdefinitions.R), (1%R < x)%R ->
+ ((Reals.R_sqrt.sqrt x) < x)%R.
+
+Axiom sqrt_lin0 :
+ forall (x:Reals.Rdefinitions.R), (0%R < x)%R /\ (x < 1%R)%R ->
+ (x < (Reals.R_sqrt.sqrt x))%R.
+
+Axiom sqrt_0 : ((Reals.R_sqrt.sqrt 0%R) = 0%R).
+
+Axiom sqrt_1 : ((Reals.R_sqrt.sqrt 1%R) = 1%R).
+
+(* Why3 assumption *)
+Inductive mode :=
+ | RNE : mode
+ | RNA : mode
+ | RTP : mode
+ | RTN : mode
+ | RTZ : mode.
+Axiom mode_WhyType : WhyType mode.
+Existing Instance mode_WhyType.
+
+(* Why3 assumption *)
+Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).
+
+Axiom t : Type.
+Parameter t_WhyType : WhyType t.
+Existing Instance t_WhyType.
+
+Parameter t'real: t -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite: t -> Prop.
+
+Axiom t'axiom :
+ forall (x:t), t'isFinite x ->
+ ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
+ ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
+
+Parameter truncate: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Truncate_int :
+ forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
+
+Axiom Truncate_down_pos :
+ forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
+ ((BuiltIn.IZR (truncate x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
+
+Axiom Truncate_up_neg :
+ forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
+ ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
+ (x <= (BuiltIn.IZR (truncate x)))%R.
+
+Axiom Real_of_truncate :
+ forall (x:Reals.Rdefinitions.R),
+ ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
+ ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
+
+Axiom Truncate_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((truncate x) <= (truncate y))%Z.
+
+Axiom Truncate_monotonic_int1 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
+
+Axiom Truncate_monotonic_int2 :
+ forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
+ ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
+
+Parameter floor: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Parameter ceil: Reals.Rdefinitions.R -> Numbers.BinNums.Z.
+
+Axiom Floor_int :
+ forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
+
+Axiom Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
+
+Axiom Floor_down :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR (floor x)) <= x)%R /\
+ (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
+
+Axiom Ceil_up :
+ forall (x:Reals.Rdefinitions.R),
+ ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
+
+Axiom Floor_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((floor x) <= (floor y))%Z.
+
+Axiom Ceil_monotonic :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
+ ((ceil x) <= (ceil y))%Z.
+
+Parameter zeroF: t.
+
+Parameter add: mode -> t -> t -> t.
+
+Parameter sub: mode -> t -> t -> t.
+
+Parameter mul: mode -> t -> t -> t.
+
+Parameter div: mode -> t -> t -> t.
+
+Parameter abs: t -> t.
+
+Parameter neg: t -> t.
+
+Parameter fma: mode -> t -> t -> t -> t.
+
+Parameter sqrt: mode -> t -> t.
+
+Parameter roundToIntegral: mode -> t -> t.
+
+Parameter min: t -> t -> t.
+
+Parameter max: t -> t -> t.
+
+Parameter le: t -> t -> Prop.
+
+Parameter lt: t -> t -> Prop.
+
+Parameter eq: t -> t -> Prop.
+
+Parameter is_normal: t -> Prop.
+
+Parameter is_subnormal: t -> Prop.
+
+Parameter is_zero: t -> Prop.
+
+Parameter is_infinite: t -> Prop.
+
+Parameter is_nan: t -> Prop.
+
+Parameter is_positive: t -> Prop.
+
+Parameter is_negative: t -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.
+
+(* Why3 assumption *)
+Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.
+
+(* Why3 assumption *)
+Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.
+
+Axiom is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
+
+Axiom is_not_finite :
+ forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
+
+Axiom zeroF_is_positive : is_positive zeroF.
+
+Axiom zeroF_is_zero : is_zero zeroF.
+
+Axiom zero_to_real :
+ forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
+
+Parameter of_int: mode -> Numbers.BinNums.Z -> t.
+
+Parameter to_int: mode -> t -> Numbers.BinNums.Z.
+
+Axiom zero_of_int : forall (m:mode), (zeroF = (of_int m 0%Z)).
+
+Parameter round: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int: Numbers.BinNums.Z.
+
+Axiom max_real_int :
+ ((33554430 * 10141204801825835211973625643008)%R = (BuiltIn.IZR max_int)).
+
+(* Why3 assumption *)
+Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(33554430 * 10141204801825835211973625643008)%R)%R <= x)%R /\
+ (x <= (33554430 * 10141204801825835211973625643008)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.
+
+Axiom is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
+
+(* Why3 assumption *)
+Definition no_overflow (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range (round m x).
+
+Axiom Bounded_real_no_overflow :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range x -> no_overflow m x.
+
+Axiom Round_monotonic :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round m x) <= (round m y))%R.
+
+Axiom Round_idempotent :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round m1 (round m2 x)) = (round m2 x)).
+
+Axiom Round_to_real :
+ forall (m:mode) (x:t), t'isFinite x -> ((round m (t'real x)) = (t'real x)).
+
+Axiom Round_down_le :
+ forall (x:Reals.Rdefinitions.R), ((round RTN x) <= x)%R.
+
+Axiom Round_up_ge : forall (x:Reals.Rdefinitions.R), (x <= (round RTP x))%R.
+
+Axiom Round_down_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTN (-x)%R) = (-(round RTP x))%R).
+
+Axiom Round_up_neg :
+ forall (x:Reals.Rdefinitions.R), ((round RTP (-x)%R) = (-(round RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
+ ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.
+
+Axiom Exact_rounding_for_integers :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.
+
+(* Why3 assumption *)
+Definition diff_sign (x:t) (y:t) : Prop :=
+ is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.
+
+Axiom feq_eq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
+ eq x y -> (x = y).
+
+Axiom eq_feq :
+ forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
+
+Axiom eq_refl : forall (x:t), t'isFinite x -> eq x x.
+
+Axiom eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
+
+Axiom eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
+
+Axiom eq_zero : eq zeroF (neg zeroF).
+
+Axiom eq_to_real_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ eq x y <-> ((t'real x) = (t'real y)).
+
+Axiom eq_special :
+ forall (x:t) (y:t), eq x y ->
+ is_not_nan x /\
+ is_not_nan y /\
+ (t'isFinite x /\ t'isFinite y \/
+ is_infinite x /\ is_infinite y /\ same_sign x y).
+
+Axiom lt_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ lt x y <-> ((t'real x) < (t'real y))%R.
+
+Axiom le_finite :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
+ le x y <-> ((t'real x) <= (t'real y))%R.
+
+Axiom le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
+
+Axiom lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
+
+Axiom le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
+
+Axiom not_lt_ge :
+ forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
+
+Axiom not_gt_le :
+ forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
+
+Axiom le_special :
+ forall (x:t) (y:t), le x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
+
+Axiom lt_special :
+ forall (x:t) (y:t), lt x y ->
+ t'isFinite x /\ t'isFinite y \/
+ is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
+ is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
+
+Axiom lt_lt_finite :
+ forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
+
+Axiom positive_to_real :
+ forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
+
+Axiom to_real_positive :
+ forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
+
+Axiom negative_to_real :
+ forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
+
+Axiom to_real_negative :
+ forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
+
+Axiom negative_xor_positive :
+ forall (x:t), ~ (is_positive x /\ is_negative x).
+
+Axiom negative_or_positive :
+ forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
+
+Axiom diff_sign_trans :
+ forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
+
+Axiom diff_sign_product :
+ forall (x:t) (y:t),
+ t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
+ diff_sign x y.
+
+Axiom same_sign_product :
+ forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
+ (0%R <= ((t'real x) * (t'real y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign (z:t) (x:t) (y:t) : Prop :=
+ (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).
+
+(* Why3 assumption *)
+Definition overflow_value (m:mode) (x:t) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x -> is_infinite x)
+ | RTP =>
+ (is_positive x -> is_infinite x) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RTZ =>
+ (is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (33554430 * 10141204801825835211973625643008)%R)) /\
+ (~ is_positive x ->
+ t'isFinite x /\
+ ((t'real x) = (-(33554430 * 10141204801825835211973625643008)%R)%R))
+ | RNA|RNE => is_infinite x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result (m:mode) (x:t) : Prop :=
+ is_zero x -> match m with
+ | RTN => is_negative x
+ | _ => is_positive x
+ end.
+
+Axiom add_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) + (t'real y))%R ->
+ t'isFinite (add m x y) /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom add_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (add m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom add_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (add m x y) ->
+ no_overflow m ((t'real x) + (t'real y))%R /\
+ ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
+
+Axiom sub_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) - (t'real y))%R ->
+ t'isFinite (sub m x y) /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom sub_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (sub m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom sub_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (sub m x y) ->
+ no_overflow m ((t'real x) - (t'real y))%R /\
+ ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
+
+Axiom mul_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y ->
+ no_overflow m ((t'real x) * (t'real y))%R ->
+ t'isFinite (mul m x y) /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom mul_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (mul m x y) ->
+ t'isFinite x /\ t'isFinite y.
+
+Axiom mul_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (mul m x y) ->
+ no_overflow m ((t'real x) * (t'real y))%R /\
+ ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
+
+Axiom div_finite :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero y ->
+ no_overflow m ((t'real x) / (t'real y))%R ->
+ t'isFinite (div m x y) /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom div_finite_rev :
+ forall (m:mode) (x:t) (y:t), t'isFinite (div m x y) ->
+ t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
+ t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
+
+Axiom div_finite_rev_n :
+ forall (m:mode) (x:t) (y:t), to_nearest m -> t'isFinite (div m x y) ->
+ t'isFinite y ->
+ no_overflow m ((t'real x) / (t'real y))%R /\
+ ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
+
+Axiom neg_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom neg_finite_rev :
+ forall (x:t), t'isFinite (neg x) ->
+ t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
+
+Axiom abs_finite :
+ forall (x:t), t'isFinite x ->
+ t'isFinite (abs x) /\
+ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
+ is_positive (abs x).
+
+Axiom abs_finite_rev :
+ forall (x:t), t'isFinite (abs x) ->
+ t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
+
+Axiom abs_universal : forall (x:t), ~ is_negative (abs x).
+
+Axiom fma_finite :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite x -> t'isFinite y ->
+ t'isFinite z ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ t'isFinite (fma m x y z) /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom fma_finite_rev :
+ forall (m:mode) (x:t) (y:t) (z:t), t'isFinite (fma m x y z) ->
+ t'isFinite x /\ t'isFinite y /\ t'isFinite z.
+
+Axiom fma_finite_rev_n :
+ forall (m:mode) (x:t) (y:t) (z:t), to_nearest m ->
+ t'isFinite (fma m x y z) ->
+ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ ((t'real (fma m x y z)) =
+ (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
+
+Axiom sqrt_finite :
+ forall (m:mode) (x:t), t'isFinite x -> (0%R <= (t'real x))%R ->
+ t'isFinite (sqrt m x) /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+Axiom sqrt_finite_rev :
+ forall (m:mode) (x:t), t'isFinite (sqrt m x) ->
+ t'isFinite x /\
+ (0%R <= (t'real x))%R /\
+ ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.
+
+Axiom add_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := add m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
+ same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (same_sign x y -> same_sign r x) /\
+ (~ same_sign x y -> sign_zero_result m r)).
+
+Axiom sub_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := sub m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
+ (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
+ (is_infinite x /\ is_infinite y /\ diff_sign x y ->
+ is_infinite r /\ same_sign r x) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
+ same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y ->
+ (diff_sign x y -> same_sign r x) /\
+ (~ diff_sign x y -> sign_zero_result m r)).
+
+Axiom mul_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := mul m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_infinite r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
+ overflow_value m r) /\
+ (~ is_nan r -> product_sign r x y).
+
+Axiom div_special :
+ forall (m:mode) (x:t) (y:t),
+ let r := div m x y in
+ (is_nan x \/ is_nan y -> is_nan r) /\
+ (t'isFinite x /\ is_infinite y -> is_zero r) /\
+ (is_infinite x /\ t'isFinite y -> is_infinite r) /\
+ (is_infinite x /\ is_infinite y -> is_nan r) /\
+ (t'isFinite x /\
+ t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
+ overflow_value m r) /\
+ (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
+ (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
+
+Axiom neg_special :
+ forall (x:t),
+ (is_nan x -> is_nan (neg x)) /\
+ (is_infinite x -> is_infinite (neg x)) /\
+ (~ is_nan x -> diff_sign x (neg x)).
+
+Axiom abs_special :
+ forall (x:t),
+ (is_nan x -> is_nan (abs x)) /\
+ (is_infinite x -> is_infinite (abs x)) /\
+ (~ is_nan x -> is_positive (abs x)).
+
+Axiom fma_special :
+ forall (m:mode) (x:t) (y:t) (z:t),
+ let r := fma m x y z in
+ (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
+ (is_zero x /\ is_infinite y -> is_nan r) /\
+ (is_infinite x /\ is_zero y -> is_nan r) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (is_infinite x /\ is_infinite y /\ t'isFinite z ->
+ is_infinite r /\ product_sign r x y) /\
+ (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
+ is_infinite r /\ same_sign r z) /\
+ (is_infinite x /\ is_infinite y /\ is_infinite z ->
+ (product_sign z x y -> is_infinite r /\ same_sign r z) /\
+ (~ product_sign z x y -> is_nan r)) /\
+ (t'isFinite x /\
+ t'isFinite y /\
+ t'isFinite z /\
+ ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
+ same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
+ overflow_value m r) /\
+ (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
+ (product_sign z x y -> same_sign r z) /\
+ (~ product_sign z x y ->
+ ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
+ ((m = RTN) -> is_negative r) /\ (~ (m = RTN) -> is_positive r))).
+
+Axiom sqrt_special :
+ forall (m:mode) (x:t),
+ let r := sqrt m x in
+ (is_nan x -> is_nan r) /\
+ (is_plus_infinity x -> is_plus_infinity r) /\
+ (is_minus_infinity x -> is_nan r) /\
+ (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
+ (is_zero x -> same_sign r x) /\
+ (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
+
+Axiom of_int_add_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i + j)%Z ->
+ eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
+
+Axiom of_int_sub_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i - j)%Z ->
+ eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
+
+Axiom of_int_mul_exact :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range i -> in_safe_int_range j ->
+ in_safe_int_range (i * j)%Z ->
+ eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
+
+Axiom Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
+
+Axiom Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
+
+Axiom Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
+
+Axiom Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
+
+Parameter is_int: t -> Prop.
+
+Axiom zeroF_is_int : is_int zeroF.
+
+Axiom of_int_is_int :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range x ->
+ is_int (of_int m x).
+
+Axiom big_float_is_int :
+ forall (m:mode) (i:t), t'isFinite i ->
+ le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
+
+Axiom roundToIntegral_is_int :
+ forall (m:mode) (x:t), t'isFinite x -> is_int (roundToIntegral m x).
+
+Axiom eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
+
+Axiom add_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (add m x y) -> is_int (add m x y).
+
+Axiom sub_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (sub m x y) -> is_int (sub m x y).
+
+Axiom mul_int :
+ forall (x:t) (y:t) (m:mode), is_int x -> is_int y ->
+ t'isFinite (mul m x y) -> is_int (mul m x y).
+
+Axiom fma_int :
+ forall (x:t) (y:t) (z:t) (m:mode), is_int x -> is_int y -> is_int z ->
+ t'isFinite (fma m x y z) -> is_int (fma m x y z).
+
+Axiom neg_int : forall (x:t), is_int x -> is_int (neg x).
+
+Axiom abs_int : forall (x:t), is_int x -> is_int (abs x).
+
+Axiom is_int_of_int :
+ forall (x:t) (m:mode) (m':mode), is_int x -> eq x (of_int m' (to_int m x)).
+
+Axiom is_int_to_int :
+ forall (m:mode) (x:t), is_int x -> in_int_range (to_int m x).
+
+Axiom is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
+
+Axiom int_to_real :
+ forall (m:mode) (x:t), is_int x ->
+ ((t'real x) = (BuiltIn.IZR (to_int m x))).
+
+Axiom truncate_int :
+ forall (m:mode) (i:t), is_int i -> eq (roundToIntegral m i) i.
+
+Axiom truncate_neg :
+ forall (x:t), t'isFinite x -> is_negative x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTP x)).
+
+Axiom truncate_pos :
+ forall (x:t), t'isFinite x -> is_positive x ->
+ ((roundToIntegral RTZ x) = (roundToIntegral RTN x)).
+
+Axiom ceil_le : forall (x:t), t'isFinite x -> le x (roundToIntegral RTP x).
+
+Axiom ceil_lest :
+ forall (x:t) (y:t), le x y /\ is_int y -> le (roundToIntegral RTP x) y.
+
+Axiom ceil_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTP x)) = (BuiltIn.IZR (ceil (t'real x)))).
+
+Axiom ceil_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTP x)) = (ceil (t'real x))).
+
+Axiom floor_le : forall (x:t), t'isFinite x -> le (roundToIntegral RTN x) x.
+
+Axiom floor_lest :
+ forall (x:t) (y:t), le y x /\ is_int y -> le y (roundToIntegral RTN x).
+
+Axiom floor_to_real :
+ forall (x:t), t'isFinite x ->
+ ((t'real (roundToIntegral RTN x)) = (BuiltIn.IZR (floor (t'real x)))).
+
+Axiom floor_to_int :
+ forall (m:mode) (x:t), t'isFinite x ->
+ ((to_int m (roundToIntegral RTN x)) = (floor (t'real x))).
+
+Axiom RNA_down :
+ forall (x:t),
+ lt (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up :
+ forall (x:t),
+ lt (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom RNA_down_tie :
+ forall (x:t),
+ eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) ->
+ is_negative x -> ((roundToIntegral RNA x) = (roundToIntegral RTN x)).
+
+Axiom RNA_up_tie :
+ forall (x:t),
+ eq (sub RNE (roundToIntegral RTP x) x) (sub RNE x (roundToIntegral RTN x)) ->
+ is_positive x -> ((roundToIntegral RNA x) = (roundToIntegral RTP x)).
+
+Axiom to_int_roundToIntegral :
+ forall (m:mode) (x:t), ((to_int m x) = (to_int m (roundToIntegral m x))).
+
+Axiom to_int_monotonic :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> t'isFinite y -> le x y ->
+ ((to_int m x) <= (to_int m y))%Z.
+
+Axiom to_int_of_int :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range i ->
+ ((to_int m (of_int m i)) = i).
+
+Axiom eq_to_int :
+ forall (m:mode) (x:t) (y:t), t'isFinite x -> eq x y ->
+ ((to_int m x) = (to_int m y)).
+
+Axiom neg_to_int :
+ forall (m:mode) (x:t), is_int x -> ((to_int m (neg x)) = (-(to_int m x))%Z).
+
+Axiom roundToIntegral_is_finite :
+ forall (m:mode) (x:t), t'isFinite x -> t'isFinite (roundToIntegral m x).
+
+Axiom round_bound_ne :
+ forall (x:Reals.Rdefinitions.R), no_overflow RNE x ->
+ (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R
+ <= (round RNE x))%R /\
+ ((round RNE x) <=
+ ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
+
+Axiom round_bound :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow m x ->
+ (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 713623846352979940529142984724747568191373312)%R)%R
+ <= (round m x))%R /\
+ ((round m x) <=
+ ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
+
+Axiom t1 : Type.
+Parameter t1_WhyType : WhyType t1.
+Existing Instance t1_WhyType.
+
+Parameter t'real1: t1 -> Reals.Rdefinitions.R.
+
+Parameter t'isFinite1: t1 -> Prop.
+
+Axiom t'axiom1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
+ <= (t'real1 x))%R /\
+ ((t'real1 x) <=
+ 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
+
+Parameter zeroF1: t1.
+
+Parameter add1: mode -> t1 -> t1 -> t1.
+
+Parameter sub1: mode -> t1 -> t1 -> t1.
+
+Parameter mul1: mode -> t1 -> t1 -> t1.
+
+Parameter div1: mode -> t1 -> t1 -> t1.
+
+Parameter abs1: t1 -> t1.
+
+Parameter neg1: t1 -> t1.
+
+Parameter fma1: mode -> t1 -> t1 -> t1 -> t1.
+
+Parameter sqrt1: mode -> t1 -> t1.
+
+Parameter roundToIntegral1: mode -> t1 -> t1.
+
+Parameter min1: t1 -> t1 -> t1.
+
+Parameter max1: t1 -> t1 -> t1.
+
+Parameter le1: t1 -> t1 -> Prop.
+
+Parameter lt1: t1 -> t1 -> Prop.
+
+Parameter eq1: t1 -> t1 -> Prop.
+
+Parameter is_normal1: t1 -> Prop.
+
+Parameter is_subnormal1: t1 -> Prop.
+
+Parameter is_zero1: t1 -> Prop.
+
+Parameter is_infinite1: t1 -> Prop.
+
+Parameter is_nan1: t1 -> Prop.
+
+Parameter is_positive1: t1 -> Prop.
+
+Parameter is_negative1: t1 -> Prop.
+
+(* Why3 assumption *)
+Definition is_plus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_infinity1 (x:t1) : Prop :=
+ is_infinite1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_plus_zero1 (x:t1) : Prop := is_zero1 x /\ is_positive1 x.
+
+(* Why3 assumption *)
+Definition is_minus_zero1 (x:t1) : Prop := is_zero1 x /\ is_negative1 x.
+
+(* Why3 assumption *)
+Definition is_not_nan2 (x:t1) : Prop := t'isFinite1 x \/ is_infinite1 x.
+
+Axiom is_not_nan3 : forall (x:t1), is_not_nan2 x <-> ~ is_nan1 x.
+
+Axiom is_not_finite1 :
+ forall (x:t1), ~ t'isFinite1 x <-> is_infinite1 x \/ is_nan1 x.
+
+Axiom zeroF_is_positive1 : is_positive1 zeroF1.
+
+Axiom zeroF_is_zero1 : is_zero1 zeroF1.
+
+Axiom zero_to_real1 :
+ forall (x:t1), is_zero1 x <-> t'isFinite1 x /\ ((t'real1 x) = 0%R).
+
+Parameter of_int1: mode -> Numbers.BinNums.Z -> t1.
+
+Parameter to_int1: mode -> t1 -> Numbers.BinNums.Z.
+
+Axiom zero_of_int1 : forall (m:mode), (zeroF1 = (of_int1 m 0%Z)).
+
+Parameter round1: mode -> Reals.Rdefinitions.R -> Reals.Rdefinitions.R.
+
+Parameter max_int1: Numbers.BinNums.Z.
+
+Axiom max_real_int1 :
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ = (BuiltIn.IZR max_int1)).
+
+(* Why3 assumption *)
+Definition in_range1 (x:Reals.Rdefinitions.R) : Prop :=
+ ((-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R
+ <= x)%R /\
+ (x <=
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R.
+
+(* Why3 assumption *)
+Definition in_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-max_int1)%Z <= i)%Z /\ (i <= max_int1)%Z.
+
+Axiom is_finite1 : forall (x:t1), t'isFinite1 x -> in_range1 (t'real1 x).
+
+(* Why3 assumption *)
+Definition no_overflow1 (m:mode) (x:Reals.Rdefinitions.R) : Prop :=
+ in_range1 (round1 m x).
+
+Axiom Bounded_real_no_overflow1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), in_range1 x -> no_overflow1 m x.
+
+Axiom Round_monotonic1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ (x <= y)%R -> ((round1 m x) <= (round1 m y))%R.
+
+Axiom Round_idempotent1 :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round1 m2 x)) = (round1 m2 x)).
+
+Axiom Round_to_real1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((round1 m (t'real1 x)) = (t'real1 x)).
+
+Axiom Round_down_le1 :
+ forall (x:Reals.Rdefinitions.R), ((round1 RTN x) <= x)%R.
+
+Axiom Round_up_ge1 :
+ forall (x:Reals.Rdefinitions.R), (x <= (round1 RTP x))%R.
+
+Axiom Round_down_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTN (-x)%R) = (-(round1 RTP x))%R).
+
+Axiom Round_up_neg1 :
+ forall (x:Reals.Rdefinitions.R),
+ ((round1 RTP (-x)%R) = (-(round1 RTN x))%R).
+
+(* Why3 assumption *)
+Definition in_safe_int_range1 (i:Numbers.BinNums.Z) : Prop :=
+ ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.
+
+Axiom Exact_rounding_for_integers1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((round1 m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
+
+(* Why3 assumption *)
+Definition same_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_positive1 y \/ is_negative1 x /\ is_negative1 y.
+
+(* Why3 assumption *)
+Definition diff_sign1 (x:t1) (y:t1) : Prop :=
+ is_positive1 x /\ is_negative1 y \/ is_negative1 x /\ is_positive1 y.
+
+Axiom feq_eq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> ~ is_zero1 x ->
+ eq1 x y -> (x = y).
+
+Axiom eq_feq1 :
+ forall (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> (x = y) -> eq1 x y.
+
+Axiom eq_refl1 : forall (x:t1), t'isFinite1 x -> eq1 x x.
+
+Axiom eq_sym1 : forall (x:t1) (y:t1), eq1 x y -> eq1 y x.
+
+Axiom eq_trans1 : forall (x:t1) (y:t1) (z:t1), eq1 x y -> eq1 y z -> eq1 x z.
+
+Axiom eq_zero1 : eq1 zeroF1 (neg1 zeroF1).
+
+Axiom eq_to_real_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ eq1 x y <-> ((t'real1 x) = (t'real1 y)).
+
+Axiom eq_special1 :
+ forall (x:t1) (y:t1), eq1 x y ->
+ is_not_nan2 x /\
+ is_not_nan2 y /\
+ (t'isFinite1 x /\ t'isFinite1 y \/
+ is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y).
+
+Axiom lt_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ lt1 x y <-> ((t'real1 x) < (t'real1 y))%R.
+
+Axiom le_finite1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y ->
+ le1 x y <-> ((t'real1 x) <= (t'real1 y))%R.
+
+Axiom le_lt_trans1 :
+ forall (x:t1) (y:t1) (z:t1), le1 x y /\ lt1 y z -> lt1 x z.
+
+Axiom lt_le_trans1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y /\ le1 y z -> lt1 x z.
+
+Axiom le_ge_asym1 : forall (x:t1) (y:t1), le1 x y /\ le1 y x -> eq1 x y.
+
+Axiom not_lt_ge1 :
+ forall (x:t1) (y:t1), ~ lt1 x y /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 y x.
+
+Axiom not_gt_le1 :
+ forall (x:t1) (y:t1), ~ lt1 y x /\ is_not_nan2 x /\ is_not_nan2 y ->
+ le1 x y.
+
+Axiom le_special1 :
+ forall (x:t1) (y:t1), le1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y \/
+ is_not_nan2 x /\ is_plus_infinity1 y.
+
+Axiom lt_special1 :
+ forall (x:t1) (y:t1), lt1 x y ->
+ t'isFinite1 x /\ t'isFinite1 y \/
+ is_minus_infinity1 x /\ is_not_nan2 y /\ ~ is_minus_infinity1 y \/
+ is_not_nan2 x /\ ~ is_plus_infinity1 x /\ is_plus_infinity1 y.
+
+Axiom lt_lt_finite1 :
+ forall (x:t1) (y:t1) (z:t1), lt1 x y -> lt1 y z -> t'isFinite1 y.
+
+Axiom positive_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x -> (0%R <= (t'real1 x))%R.
+
+Axiom to_real_positive1 :
+ forall (x:t1), t'isFinite1 x -> (0%R < (t'real1 x))%R -> is_positive1 x.
+
+Axiom negative_to_real1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x -> ((t'real1 x) <= 0%R)%R.
+
+Axiom to_real_negative1 :
+ forall (x:t1), t'isFinite1 x -> ((t'real1 x) < 0%R)%R -> is_negative1 x.
+
+Axiom negative_xor_positive1 :
+ forall (x:t1), ~ (is_positive1 x /\ is_negative1 x).
+
+Axiom negative_or_positive1 :
+ forall (x:t1), is_not_nan2 x -> is_positive1 x \/ is_negative1 x.
+
+Axiom diff_sign_trans1 :
+ forall (x:t1) (y:t1) (z:t1), diff_sign1 x y /\ diff_sign1 y z ->
+ same_sign1 x z.
+
+Axiom diff_sign_product1 :
+ forall (x:t1) (y:t1),
+ t'isFinite1 x /\ t'isFinite1 y /\ (((t'real1 x) * (t'real1 y))%R < 0%R)%R ->
+ diff_sign1 x y.
+
+Axiom same_sign_product1 :
+ forall (x:t1) (y:t1), t'isFinite1 x /\ t'isFinite1 y /\ same_sign1 x y ->
+ (0%R <= ((t'real1 x) * (t'real1 y))%R)%R.
+
+(* Why3 assumption *)
+Definition product_sign1 (z:t1) (x:t1) (y:t1) : Prop :=
+ (same_sign1 x y -> is_positive1 z) /\ (diff_sign1 x y -> is_negative1 z).
+
+(* Why3 assumption *)
+Definition overflow_value1 (m:mode) (x:t1) : Prop :=
+ match m with
+ | RTN =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x -> is_infinite1 x)
+ | RTP =>
+ (is_positive1 x -> is_infinite1 x) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RTZ =>
+ (is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)) /\
+ (~ is_positive1 x ->
+ t'isFinite1 x /\
+ ((t'real1 x) =
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R))
+ | RNA|RNE => is_infinite1 x
+ end.
+
+(* Why3 assumption *)
+Definition sign_zero_result1 (m:mode) (x:t1) : Prop :=
+ is_zero1 x -> match m with
+ | RTN => is_negative1 x
+ | _ => is_positive1 x
+ end.
+
+Axiom add_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ t'isFinite1 (add1 m x y) /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom add_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (add1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom add_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (add1 m x y) ->
+ no_overflow1 m ((t'real1 x) + (t'real1 y))%R /\
+ ((t'real1 (add1 m x y)) = (round1 m ((t'real1 x) + (t'real1 y))%R)).
+
+Axiom sub_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ t'isFinite1 (sub1 m x y) /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom sub_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (sub1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom sub_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (sub1 m x y) ->
+ no_overflow1 m ((t'real1 x) - (t'real1 y))%R /\
+ ((t'real1 (sub1 m x y)) = (round1 m ((t'real1 x) - (t'real1 y))%R)).
+
+Axiom mul_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ t'isFinite1 (mul1 m x y) /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom mul_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (mul1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y.
+
+Axiom mul_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (mul1 m x y) ->
+ no_overflow1 m ((t'real1 x) * (t'real1 y))%R /\
+ ((t'real1 (mul1 m x y)) = (round1 m ((t'real1 x) * (t'real1 y))%R)).
+
+Axiom div_finite1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y ->
+ ~ is_zero1 y -> no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ t'isFinite1 (div1 m x y) /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom div_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 (div1 m x y) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y \/
+ t'isFinite1 x /\ is_infinite1 y /\ ((t'real1 (div1 m x y)) = 0%R).
+
+Axiom div_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1), to_nearest m -> t'isFinite1 (div1 m x y) ->
+ t'isFinite1 y ->
+ no_overflow1 m ((t'real1 x) / (t'real1 y))%R /\
+ ((t'real1 (div1 m x y)) = (round1 m ((t'real1 x) / (t'real1 y))%R)).
+
+Axiom neg_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (neg1 x) /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom neg_finite_rev1 :
+ forall (x:t1), t'isFinite1 (neg1 x) ->
+ t'isFinite1 x /\ ((t'real1 (neg1 x)) = (-(t'real1 x))%R).
+
+Axiom abs_finite1 :
+ forall (x:t1), t'isFinite1 x ->
+ t'isFinite1 (abs1 x) /\
+ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))) /\
+ is_positive1 (abs1 x).
+
+Axiom abs_finite_rev1 :
+ forall (x:t1), t'isFinite1 (abs1 x) ->
+ t'isFinite1 x /\ ((t'real1 (abs1 x)) = (Reals.Rbasic_fun.Rabs (t'real1 x))).
+
+Axiom abs_universal1 : forall (x:t1), ~ is_negative1 (abs1 x).
+
+Axiom fma_finite1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 x -> t'isFinite1 y ->
+ t'isFinite1 z ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ t'isFinite1 (fma1 m x y z) /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom fma_finite_rev1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), t'isFinite1 (fma1 m x y z) ->
+ t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z.
+
+Axiom fma_finite_rev_n1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1), to_nearest m ->
+ t'isFinite1 (fma1 m x y z) ->
+ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ ((t'real1 (fma1 m x y z)) =
+ (round1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R)).
+
+Axiom sqrt_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> (0%R <= (t'real1 x))%R ->
+ t'isFinite1 (sqrt1 m x) /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+Axiom sqrt_finite_rev1 :
+ forall (m:mode) (x:t1), t'isFinite1 (sqrt1 m x) ->
+ t'isFinite1 x /\
+ (0%R <= (t'real1 x))%R /\
+ ((t'real1 (sqrt1 m x)) = (round1 m (Reals.R_sqrt.sqrt (t'real1 x)))).
+
+(* Why3 assumption *)
+Definition same_sign_real1 (x:t1) (r:Reals.Rdefinitions.R) : Prop :=
+ is_positive1 x /\ (0%R < r)%R \/ is_negative1 x /\ (r < 0%R)%R.
+
+Axiom add_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := add1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ same_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) + (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) + (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (same_sign1 x y -> same_sign1 r x) /\
+ (~ same_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom sub_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := sub1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_infinite1 r /\ diff_sign1 r y) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r /\ same_sign1 r x) /\
+ (is_infinite1 x /\ is_infinite1 y /\ same_sign1 x y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_infinite1 y /\ diff_sign1 x y ->
+ is_infinite1 r /\ same_sign1 r x) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) - (t'real1 y))%R ->
+ same_sign_real1 r ((t'real1 x) - (t'real1 y))%R /\ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y ->
+ (diff_sign1 x y -> same_sign1 r x) /\
+ (~ diff_sign1 x y -> sign_zero_result1 m r)).
+
+Axiom mul_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := mul1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_infinite1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\ ~ no_overflow1 m ((t'real1 x) * (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom div_special1 :
+ forall (m:mode) (x:t1) (y:t1),
+ let r := div1 m x y in
+ (is_nan1 x \/ is_nan1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ is_infinite1 y -> is_zero1 r) /\
+ (is_infinite1 x /\ t'isFinite1 y -> is_infinite1 r) /\
+ (is_infinite1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ ~ is_zero1 y /\ ~ no_overflow1 m ((t'real1 x) / (t'real1 y))%R ->
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ is_zero1 y /\ ~ is_zero1 x -> is_infinite1 r) /\
+ (is_zero1 x /\ is_zero1 y -> is_nan1 r) /\
+ (~ is_nan1 r -> product_sign1 r x y).
+
+Axiom neg_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (neg1 x)) /\
+ (is_infinite1 x -> is_infinite1 (neg1 x)) /\
+ (~ is_nan1 x -> diff_sign1 x (neg1 x)).
+
+Axiom abs_special1 :
+ forall (x:t1),
+ (is_nan1 x -> is_nan1 (abs1 x)) /\
+ (is_infinite1 x -> is_infinite1 (abs1 x)) /\
+ (~ is_nan1 x -> is_positive1 (abs1 x)).
+
+Axiom fma_special1 :
+ forall (m:mode) (x:t1) (y:t1) (z:t1),
+ let r := fma1 m x y z in
+ (is_nan1 x \/ is_nan1 y \/ is_nan1 z -> is_nan1 r) /\
+ (is_zero1 x /\ is_infinite1 y -> is_nan1 r) /\
+ (is_infinite1 x /\ is_zero1 y -> is_nan1 r) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ ~ is_zero1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (is_infinite1 x /\ t'isFinite1 y /\ ~ is_zero1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (is_infinite1 x /\ is_infinite1 y /\ t'isFinite1 z ->
+ is_infinite1 r /\ product_sign1 r x y) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ is_infinite1 z ->
+ is_infinite1 r /\ same_sign1 r z) /\
+ (is_infinite1 x /\ is_infinite1 y /\ is_infinite1 z ->
+ (product_sign1 z x y -> is_infinite1 r /\ same_sign1 r z) /\
+ (~ product_sign1 z x y -> is_nan1 r)) /\
+ (t'isFinite1 x /\
+ t'isFinite1 y /\
+ t'isFinite1 z /\
+ ~ no_overflow1 m (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R ->
+ same_sign_real1 r (((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R /\
+ overflow_value1 m r) /\
+ (t'isFinite1 x /\ t'isFinite1 y /\ t'isFinite1 z ->
+ (product_sign1 z x y -> same_sign1 r z) /\
+ (~ product_sign1 z x y ->
+ ((((t'real1 x) * (t'real1 y))%R + (t'real1 z))%R = 0%R) ->
+ ((m = RTN) -> is_negative1 r) /\ (~ (m = RTN) -> is_positive1 r))).
+
+Axiom sqrt_special1 :
+ forall (m:mode) (x:t1),
+ let r := sqrt1 m x in
+ (is_nan1 x -> is_nan1 r) /\
+ (is_plus_infinity1 x -> is_plus_infinity1 r) /\
+ (is_minus_infinity1 x -> is_nan1 r) /\
+ (t'isFinite1 x /\ ((t'real1 x) < 0%R)%R -> is_nan1 r) /\
+ (is_zero1 x -> same_sign1 r x) /\
+ (t'isFinite1 x /\ (0%R < (t'real1 x))%R -> is_positive1 r).
+
+Axiom of_int_add_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i + j)%Z ->
+ eq1 (of_int1 m (i + j)%Z) (add1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_sub_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i - j)%Z ->
+ eq1 (of_int1 m (i - j)%Z) (sub1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom of_int_mul_exact1 :
+ forall (m:mode) (n:mode) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
+ in_safe_int_range1 i -> in_safe_int_range1 j ->
+ in_safe_int_range1 (i * j)%Z ->
+ eq1 (of_int1 m (i * j)%Z) (mul1 n (of_int1 m i) (of_int1 m j)).
+
+Axiom Min_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (min1 x y) y.
+
+Axiom Min_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (min1 x y) x.
+
+Axiom Max_r1 : forall (x:t1) (y:t1), le1 y x -> eq1 (max1 x y) x.
+
+Axiom Max_l1 : forall (x:t1) (y:t1), le1 x y -> eq1 (max1 x y) y.
+
+Parameter is_int1: t1 -> Prop.
+
+Axiom zeroF_is_int1 : is_int1 zeroF1.
+
+Axiom of_int_is_int1 :
+ forall (m:mode) (x:Numbers.BinNums.Z), in_int_range1 x ->
+ is_int1 (of_int1 m x).
+
+Axiom big_float_is_int1 :
+ forall (m:mode) (i:t1), t'isFinite1 i ->
+ le1 i (neg1 (of_int1 m 9007199254740992%Z)) \/
+ le1 (of_int1 m 9007199254740992%Z) i -> is_int1 i.
+
+Axiom roundToIntegral_is_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> is_int1 (roundToIntegral1 m x).
+
+Axiom eq_is_int1 : forall (x:t1) (y:t1), eq1 x y -> is_int1 x -> is_int1 y.
+
+Axiom add_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (add1 m x y) -> is_int1 (add1 m x y).
+
+Axiom sub_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (sub1 m x y) -> is_int1 (sub1 m x y).
+
+Axiom mul_int1 :
+ forall (x:t1) (y:t1) (m:mode), is_int1 x -> is_int1 y ->
+ t'isFinite1 (mul1 m x y) -> is_int1 (mul1 m x y).
+
+Axiom fma_int1 :
+ forall (x:t1) (y:t1) (z:t1) (m:mode), is_int1 x -> is_int1 y ->
+ is_int1 z -> t'isFinite1 (fma1 m x y z) -> is_int1 (fma1 m x y z).
+
+Axiom neg_int1 : forall (x:t1), is_int1 x -> is_int1 (neg1 x).
+
+Axiom abs_int1 : forall (x:t1), is_int1 x -> is_int1 (abs1 x).
+
+Axiom is_int_of_int1 :
+ forall (x:t1) (m:mode) (m':mode), is_int1 x ->
+ eq1 x (of_int1 m' (to_int1 m x)).
+
+Axiom is_int_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x -> in_int_range1 (to_int1 m x).
+
+Axiom is_int_is_finite1 : forall (x:t1), is_int1 x -> t'isFinite1 x.
+
+Axiom int_to_real1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((t'real1 x) = (BuiltIn.IZR (to_int1 m x))).
+
+Axiom truncate_int1 :
+ forall (m:mode) (i:t1), is_int1 i -> eq1 (roundToIntegral1 m i) i.
+
+Axiom truncate_neg1 :
+ forall (x:t1), t'isFinite1 x -> is_negative1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTP x)).
+
+Axiom truncate_pos1 :
+ forall (x:t1), t'isFinite1 x -> is_positive1 x ->
+ ((roundToIntegral1 RTZ x) = (roundToIntegral1 RTN x)).
+
+Axiom ceil_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 x (roundToIntegral1 RTP x).
+
+Axiom ceil_lest1 :
+ forall (x:t1) (y:t1), le1 x y /\ is_int1 y ->
+ le1 (roundToIntegral1 RTP x) y.
+
+Axiom ceil_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTP x)) = (BuiltIn.IZR (ceil (t'real1 x)))).
+
+Axiom ceil_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTP x)) = (ceil (t'real1 x))).
+
+Axiom floor_le1 :
+ forall (x:t1), t'isFinite1 x -> le1 (roundToIntegral1 RTN x) x.
+
+Axiom floor_lest1 :
+ forall (x:t1) (y:t1), le1 y x /\ is_int1 y ->
+ le1 y (roundToIntegral1 RTN x).
+
+Axiom floor_to_real1 :
+ forall (x:t1), t'isFinite1 x ->
+ ((t'real1 (roundToIntegral1 RTN x)) = (BuiltIn.IZR (floor (t'real1 x)))).
+
+Axiom floor_to_int1 :
+ forall (m:mode) (x:t1), t'isFinite1 x ->
+ ((to_int1 m (roundToIntegral1 RTN x)) = (floor (t'real1 x))).
+
+Axiom RNA_down1 :
+ forall (x:t1),
+ lt1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up1 :
+ forall (x:t1),
+ lt1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom RNA_down_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE x (roundToIntegral1 RTN x))
+ (sub1 RNE (roundToIntegral1 RTP x) x) -> is_negative1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTN x)).
+
+Axiom RNA_up_tie1 :
+ forall (x:t1),
+ eq1 (sub1 RNE (roundToIntegral1 RTP x) x)
+ (sub1 RNE x (roundToIntegral1 RTN x)) -> is_positive1 x ->
+ ((roundToIntegral1 RNA x) = (roundToIntegral1 RTP x)).
+
+Axiom to_int_roundToIntegral1 :
+ forall (m:mode) (x:t1),
+ ((to_int1 m x) = (to_int1 m (roundToIntegral1 m x))).
+
+Axiom to_int_monotonic1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> t'isFinite1 y -> le1 x y ->
+ ((to_int1 m x) <= (to_int1 m y))%Z.
+
+Axiom to_int_of_int1 :
+ forall (m:mode) (i:Numbers.BinNums.Z), in_safe_int_range1 i ->
+ ((to_int1 m (of_int1 m i)) = i).
+
+Axiom eq_to_int1 :
+ forall (m:mode) (x:t1) (y:t1), t'isFinite1 x -> eq1 x y ->
+ ((to_int1 m x) = (to_int1 m y)).
+
+Axiom neg_to_int1 :
+ forall (m:mode) (x:t1), is_int1 x ->
+ ((to_int1 m (neg1 x)) = (-(to_int1 m x))%Z).
+
+Axiom roundToIntegral_is_finite1 :
+ forall (m:mode) (x:t1), t'isFinite1 x -> t'isFinite1 (roundToIntegral1 m x).
+
+Axiom round_bound_ne1 :
+ forall (x:Reals.Rdefinitions.R), no_overflow1 RNE x ->
+ (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
+ <= (round1 RNE x))%R /\
+ ((round1 RNE x) <=
+ ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
+
+Axiom round_bound1 :
+ forall (m:mode) (x:Reals.Rdefinitions.R), no_overflow1 m x ->
+ (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
+ <= (round1 m x))%R /\
+ ((round1 m x) <=
+ ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
+ (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
+
+Parameter to_float64: mode -> t -> t1.
+
+Parameter to_float32: mode -> t1 -> t.
+
+Axiom round_double_single :
+ forall (m1:mode) (m2:mode) (x:Reals.Rdefinitions.R),
+ ((round1 m1 (round m2 x)) = (round m2 x)).
+
+Axiom to_float64_exact :
+ forall (m:mode) (x:t), t'isFinite x ->
+ t'isFinite1 (to_float64 m x) /\ ((t'real1 (to_float64 m x)) = (t'real x)).
+
+Axiom to_float32_conv :
+ forall (m:mode) (x:t1), t'isFinite1 x -> no_overflow m (t'real1 x) ->
+ t'isFinite (to_float32 m x) /\
+ ((t'real (to_float32 m x)) = (round m (t'real1 x))).
+
+(* Why3 assumption *)
+Definition f32 := t.
+
+(* Why3 assumption *)
+Definition f64 := t1.
+
+Parameter to_f32: Reals.Rdefinitions.R -> t.
+
+Parameter to_f64: Reals.Rdefinitions.R -> t1.
+
+Axiom to_float_is_finite_32 :
+ forall (f:t), t'isFinite f -> eq (to_f32 (t'real f)) f.
+
+Axiom to_f32_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range x ->
+ ((t'real (to_f32 x)) = (round RNE x)).
+
+Axiom to_f32_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range x -> t'isFinite (to_f32 x).
+
+Axiom to_f32_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x < (-(33554430 * 10141204801825835211973625643008)%R)%R)%R ->
+ is_minus_infinity (to_f32 x).
+
+Axiom to_f32_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((33554430 * 10141204801825835211973625643008)%R < x)%R ->
+ is_plus_infinity (to_f32 x).
+
+Axiom to_float_is_finite_64 :
+ forall (f:t1), t'isFinite1 f -> eq1 (to_f64 (t'real1 f)) f.
+
+Axiom to_f64_range_round :
+ forall (x:Reals.Rdefinitions.R), in_range1 x ->
+ ((t'real1 (to_f64 x)) = (round1 RNE x)).
+
+Axiom to_f64_range_finite :
+ forall (x:Reals.Rdefinitions.R), in_range1 x -> t'isFinite1 (to_f64 x).
+
+Axiom to_f64_minus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ (x <
+ (-(9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R)%R)%R ->
+ is_minus_infinity1 (to_f64 x).
+
+Axiom to_f64_plus_infinity :
+ forall (x:Reals.Rdefinitions.R),
+ ((9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R
+ < x)%R ->
+ is_plus_infinity1 (to_f64 x).
+
+(* Why3 assumption *)
+Definition round_float (m:mode) (r:Reals.Rdefinitions.R) : t :=
+ to_f32 (round m r).
+
+(* Why3 assumption *)
+Definition round_double (m:mode) (r:Reals.Rdefinitions.R) : t1 :=
+ to_f64 (round1 m r).
+
+Axiom is_zero_to_f32_zero : is_zero (to_f32 0%R).
+
+Axiom is_zero_to_f64_zero : is_zero1 (to_f64 0%R).
+
+Axiom real_0_is_zero_f32 : forall (f:t), (0%R = (t'real f)) -> is_zero f.
+
+Axiom real_0_is_zero_f64 : forall (f:t1), (0%R = (t'real1 f)) -> is_zero1 f.
+
+Axiom f32_to_f64 : forall (f:t), ((to_f64 (t'real f)) = (to_float64 RNE f)).
+
+Axiom f64_to_f32 :
+ forall (f:t1), ((to_f32 (t'real1 f)) = (to_float32 RNE f)).
+
+(* Why3 assumption *)
+Definition finite (x:Reals.Rdefinitions.R) : Prop :=
+ t'isFinite (to_f32 x) /\ t'isFinite1 (to_f64 x).
+
+Parameter eq_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom eq_f32b'def :
+ forall (x:t) (y:t),
+ (eq x y -> ((eq_f32b x y) = Init.Datatypes.true)) /\
+ (~ eq x y -> ((eq_f32b x y) = Init.Datatypes.false)).
+
+Parameter eq_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom eq_f64b'def :
+ forall (x:t1) (y:t1),
+ (eq1 x y -> ((eq_f64b x y) = Init.Datatypes.true)) /\
+ (~ eq1 x y -> ((eq_f64b x y) = Init.Datatypes.false)).
+
+(* Why3 assumption *)
+Definition ne_f32 (x:t) (y:t) : Prop := ~ eq x y.
+
+(* Why3 assumption *)
+Definition ne_f64 (x:t1) (y:t1) : Prop := ~ eq1 x y.
+
+Parameter ne_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom ne_f32b'def :
+ forall (x:t) (y:t),
+ (ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.true)) /\
+ (~ ne_f32 x y -> ((ne_f32b x y) = Init.Datatypes.false)).
+
+Parameter ne_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom ne_f64b'def :
+ forall (x:t1) (y:t1),
+ (ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.true)) /\
+ (~ ne_f64 x y -> ((ne_f64b x y) = Init.Datatypes.false)).
+
+Parameter le_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom le_f32b'def :
+ forall (x:t) (y:t),
+ (le x y -> ((le_f32b x y) = Init.Datatypes.true)) /\
+ (~ le x y -> ((le_f32b x y) = Init.Datatypes.false)).
+
+Parameter le_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom le_f64b'def :
+ forall (x:t1) (y:t1),
+ (le1 x y -> ((le_f64b x y) = Init.Datatypes.true)) /\
+ (~ le1 x y -> ((le_f64b x y) = Init.Datatypes.false)).
+
+Parameter lt_f32b: t -> t -> Init.Datatypes.bool.
+
+Axiom lt_f32b'def :
+ forall (x:t) (y:t),
+ (lt x y -> ((lt_f32b x y) = Init.Datatypes.true)) /\
+ (~ lt x y -> ((lt_f32b x y) = Init.Datatypes.false)).
+
+Parameter lt_f64b: t1 -> t1 -> Init.Datatypes.bool.
+
+Axiom lt_f64b'def :
+ forall (x:t1) (y:t1),
+ (lt1 x y -> ((lt_f64b x y) = Init.Datatypes.true)) /\
+ (~ lt1 x y -> ((lt_f64b x y) = Init.Datatypes.false)).
+
+Parameter model_f32: t -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f32 (f:t) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real f) - (model_f32 f))%R.
+
+(* Why3 assumption *)
+Definition error_f32 (f:t) : Reals.Rdefinitions.R :=
+ ((delta_f32 f) / (Reals.Rbasic_fun.Rabs (model_f32 f)))%R.
+
+Parameter model_f64: t1 -> Reals.Rdefinitions.R.
+
+(* Why3 assumption *)
+Definition delta_f64 (f:t1) : Reals.Rdefinitions.R :=
+ Reals.Rbasic_fun.Rabs ((t'real1 f) - (model_f64 f))%R.
+
+(* Why3 assumption *)
+Definition error_f64 (f:t1) : Reals.Rdefinitions.R :=
+ ((delta_f64 f) / (Reals.Rbasic_fun.Rabs (model_f64 f)))%R.
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+Parameter fliteral: t1.
+
+Axiom fliteral_axiom :
+ t'isFinite1 fliteral /\ ((t'real1 fliteral) = (1 * 2)%R).
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (i:Numbers.BinNums.Z) (f:t1),
+ let r := t'real1 f in
+ ~ (i = 0%Z) -> (r <= 10%R)%R -> ((-10%R)%R <= r)%R -> is_sint32 i ->
+ t'isFinite1 (mul1 RNE f fliteral).
+Proof.
+intros i f r h1 h2 h3 h4.
+
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.res.oracle b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.res.oracle
index d9a23912c0146b7c40b02c375c68271fcab0e186..2e980a59b736685ec5792ce128784b7c83477a06 100644
--- a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_1174.res.oracle
@@ -2,13 +2,11 @@
[kernel] Parsing bts_1174.i (no preprocessing)
[wp] Running WP plugin...
[wp] Warning: Missing RTE guards
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 1 goal scheduled
-[wp] [Coq] Goal typed_real_job_assert_qed_ok : Saved script
-[wp] [Coq (native)] Goal typed_real_job_assert_qed_ok : Valid
+[wp] [Coq] Goal typed_real_job_assert_qed_ok : Valid
[wp] Proved goals: 1 / 1
Qed: 0
- Coq (native): 1
+ Coq: 1
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
job - - 1 100%
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_2471.1.res.oracle b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_2471.1.res.oracle
index 8d031ef0aec0346a1b754a010c2e9c610ff308a1..fd77bf32479b1f01fa6c0f47ab4c077ed8ef068b 100644
--- a/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_2471.1.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/bts_2471.1.res.oracle
@@ -2,12 +2,10 @@
[kernel] Parsing bts_2471.i (no preprocessing)
[wp] Running WP plugin...
[wp] Warning: Missing RTE guards
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 1 goal scheduled
-[wp] [Coq] Goal typed_foo_assert_ko : Default tactic
-[wp] [Coq (native)] Goal typed_foo_assert_ko : Unsuccess
+[wp] [Coq] Goal typed_foo_assert_ko : Unsuccess
[wp] Proved goals: 0 / 1
- Coq (native): 0 (unsuccess: 1)
+ Coq: 0 (unsuccess: 1)
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
foo - - 1 0.0%
diff --git a/src/plugins/wp/tests/wp_plugin/abs.i b/src/plugins/wp/tests/wp_plugin/abs.i
index 2992f8953e5d03a9fdfb65808d32cb82476ae185..77a22fdc26958674051945fae5d3f1e69d8947ae 100644
--- a/src/plugins/wp/tests/wp_plugin/abs.i
+++ b/src/plugins/wp/tests/wp_plugin/abs.i
@@ -7,7 +7,7 @@
COMMENT: depends from files mentionned into "abs.driver"
DEPS: abs.why abs.mlw abs.script Abs.v
OPT: -wp -wp-driver %{dep:@PTEST_DIR@/abs.driver} -wp-prover alt-ergo
- OPT: -wp -wp-driver %{dep:@PTEST_DIR@/abs.driver} -wp-prover native:coq -wp-coq-script %{dep:@PTEST_DIR@/abs.script}
+ OPT: -wp -wp-driver %{dep:@PTEST_DIR@/abs.driver} -wp-prover coq
*/
/*@ axiomatic Absolute { logic integer ABS(integer x) ; } */
diff --git a/src/plugins/wp/tests/wp_plugin/float_format.i b/src/plugins/wp/tests/wp_plugin/float_format.i
index 1aedc8151c7a89d30e89588646ac46f5db65d229..32638b743812503f6432a3bf23d80a7921b90aa4 100644
--- a/src/plugins/wp/tests/wp_plugin/float_format.i
+++ b/src/plugins/wp/tests/wp_plugin/float_format.i
@@ -1,5 +1,5 @@
/* run.config_qualif
- OPT: -wp-prover native:coq
+ OPT: -wp-prover coq
OPT: -wp-prover alt-ergo -wp-steps 5 -wp-timeout 100
*/
diff --git a/src/plugins/wp/tests/wp_plugin/inductive.c b/src/plugins/wp/tests/wp_plugin/inductive.c
index fb36d5d70c8dae269c984c1ddc9fc335aa4929c4..27be59683fddb6c4bd533d9ee6954a2209b53253 100644
--- a/src/plugins/wp/tests/wp_plugin/inductive.c
+++ b/src/plugins/wp/tests/wp_plugin/inductive.c
@@ -3,7 +3,7 @@
*/
/* run.config_qualif
- OPT: -wp-prover coq -wp-coq-script %{dep:@PTEST_DIR@/inductive.script} -wp-timeout 240
+ OPT: -wp-prover coq -wp-timeout 240
*/
typedef struct _list { int element; struct _list* next; } list;
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.res.oracle
index 146552b7f55e6cec0927dd4ce0cc23678597b4dc..7ff2eea8aab38a2c694b8a60e8af212c5118ea41 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.res.oracle
@@ -2,13 +2,11 @@
[kernel] Parsing abs.i (no preprocessing)
[wp] Running WP plugin...
[wp] Warning: Missing RTE guards
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 1 goal scheduled
-[wp] [Coq] Goal typed_abs_abs_ensures : Saved script
-[wp] [Coq (native)] Goal typed_abs_abs_ensures : Valid
+[wp] [Coq] Goal typed_abs_abs_ensures : Valid
[wp] Proved goals: 1 / 1
Qed: 0
- Coq (native): 1
+ Coq: 1
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
abs - - 1 100%
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.session/interactive/abs_ensures.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.session/interactive/abs_ensures.v
new file mode 100644
index 0000000000000000000000000000000000000000..565fe5684b5102b52e3da065cf61603a4f0bc54c
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/abs.1.session/interactive/abs_ensures.v
@@ -0,0 +1,341 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+Parameter my_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom abs_pos :
+ forall (x:Numbers.BinNums.Z), (0%Z <= x)%Z -> ((my_abs x) = x).
+
+Axiom abs_neg :
+ forall (x:Numbers.BinNums.Z), (x <= 0%Z)%Z -> ((my_abs x) = (-x)%Z).
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (i:Numbers.BinNums.Z) (i1:Numbers.BinNums.Z), is_sint32 i1 ->
+ is_sint32 i ->
+ (i1 < 0%Z)%Z /\ ((i + i1)%Z = 0%Z) \/ ~ (i1 < 0%Z)%Z /\ (i1 = i) ->
+ ((my_abs i1) = i).
+Proof.
+ Require Import Psatz.
+
+ intros i n Hn Hi H ; intros.
+ inversion_clear H as [ C1 | C2 ].
+ + inversion_clear C1 as [ Nn Hin ].
+ assert (Heq: i = (-n)%Z) by lia.
+ rewrite Heq ; apply abs_neg ; lia.
+ + inversion_clear C2 as [ Pn Hin ] ; subst.
+ apply abs_pos ; lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/float_format.0.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle_qualif/float_format.0.res.oracle
index d27cc13ed05839d0ddf88a3ed38c7c36ef17cf66..c9d94a87a47ff301d7f3b25a1466a322e00f5736 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle_qualif/float_format.0.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/float_format.0.res.oracle
@@ -5,12 +5,10 @@
(warn-once: no further messages from category 'parser:decimal-float' will be emitted)
[wp] Running WP plugin...
[wp] Warning: Missing RTE guards
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 1 goal scheduled
-[wp] [Coq] Goal typed_output_ensures_KO : Default tactic
-[wp] [Coq (native)] Goal typed_output_ensures_KO : Unsuccess
+[wp] [Coq] Goal typed_output_ensures_KO : Unsuccess
[wp] Proved goals: 0 / 1
- Coq (native): 0 (unsuccess: 1)
+ Coq: 0 (unsuccess: 1)
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
output - - 1 0.0%
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_offset.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_offset.v
new file mode 100644
index 0000000000000000000000000000000000000000..2959622c67342a2762399ec0bb12652da71d43e3
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_offset.v
@@ -0,0 +1,428 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Inductive addr :=
+ | addr'mk : Numbers.BinNums.Z -> Numbers.BinNums.Z -> addr.
+Axiom addr_WhyType : WhyType addr.
+Existing Instance addr_WhyType.
+
+(* Why3 assumption *)
+Definition offset (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x1
+ end.
+
+(* Why3 assumption *)
+Definition base (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x
+ end.
+
+Parameter addr_le: addr -> addr -> Prop.
+
+Parameter addr_lt: addr -> addr -> Prop.
+
+Parameter addr_le_bool: addr -> addr -> Init.Datatypes.bool.
+
+Parameter addr_lt_bool: addr -> addr -> Init.Datatypes.bool.
+
+Axiom addr_le_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_le p q <-> ((offset p) <= (offset q))%Z.
+
+Axiom addr_lt_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_lt p q <-> ((offset p) < (offset q))%Z.
+
+Axiom addr_le_bool_def :
+ forall (p:addr) (q:addr),
+ addr_le p q <-> ((addr_le_bool p q) = Init.Datatypes.true).
+
+Axiom addr_lt_bool_def :
+ forall (p:addr) (q:addr),
+ addr_lt p q <-> ((addr_lt_bool p q) = Init.Datatypes.true).
+
+(* Why3 assumption *)
+Definition null : addr := addr'mk 0%Z 0%Z.
+
+(* Why3 assumption *)
+Definition global (b:Numbers.BinNums.Z) : addr := addr'mk b 0%Z.
+
+(* Why3 assumption *)
+Definition shift (p:addr) (k:Numbers.BinNums.Z) : addr :=
+ addr'mk (base p) ((offset p) + k)%Z.
+
+(* Why3 assumption *)
+Definition included (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (0%Z < a)%Z ->
+ (0%Z <= b)%Z /\
+ ((base p) = (base q)) /\
+ ((offset q) <= (offset p))%Z /\
+ (((offset p) + a)%Z <= ((offset q) + b)%Z)%Z.
+
+(* Why3 assumption *)
+Definition separated (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (a <= 0%Z)%Z \/
+ (b <= 0%Z)%Z \/
+ ~ ((base p) = (base q)) \/
+ (((offset q) + b)%Z <= (offset p))%Z \/
+ (((offset p) + a)%Z <= (offset q))%Z.
+
+(* Why3 assumption *)
+Definition eqmem {a:Type} {a_WT:WhyType a} (m1:addr -> a) (m2:addr -> a)
+ (p:addr) (a1:Numbers.BinNums.Z) : Prop :=
+ forall (q:addr), included q 1%Z p a1 -> ((m1 q) = (m2 q)).
+
+Parameter havoc:
+ forall {a:Type} {a_WT:WhyType a}, (addr -> a) -> (addr -> a) -> addr ->
+ Numbers.BinNums.Z -> addr -> a.
+
+(* Why3 assumption *)
+Definition valid_rw (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (0%Z < (base p))%Z /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_rd (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_obj (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (p = null) \/
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (1%Z + (m (base p)))%Z)%Z.
+
+(* Why3 assumption *)
+Definition invalid (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (n <= 0%Z)%Z \/
+ ((base p) = 0%Z) \/
+ ((m (base p)) <= (offset p))%Z \/ (((offset p) + n)%Z <= 0%Z)%Z.
+
+Axiom valid_rw_rd :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ forall (n:Numbers.BinNums.Z), valid_rw m p n -> valid_rd m p n.
+
+Axiom valid_string :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ ((base p) < 0%Z)%Z ->
+ (0%Z <= (offset p))%Z /\ ((offset p) < (m (base p)))%Z ->
+ valid_rd m p 1%Z /\ ~ valid_rw m p 1%Z.
+
+Axiom separated_1 :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
+ (j:Numbers.BinNums.Z),
+ separated p a q b -> ((offset p) <= i)%Z /\ (i < ((offset p) + a)%Z)%Z ->
+ ((offset q) <= j)%Z /\ (j < ((offset q) + b)%Z)%Z ->
+ ~ ((addr'mk (base p) i) = (addr'mk (base q) j)).
+
+Parameter region: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter linked: (Numbers.BinNums.Z -> Numbers.BinNums.Z) -> Prop.
+
+Parameter sconst: (addr -> Numbers.BinNums.Z) -> Prop.
+
+(* Why3 assumption *)
+Definition framed (m:addr -> addr) : Prop :=
+ forall (p:addr), ((region (base p)) <= 0%Z)%Z ->
+ ((region (base (m p))) <= 0%Z)%Z.
+
+Axiom separated_included :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), (0%Z < a)%Z ->
+ (0%Z < b)%Z -> separated p a q b -> ~ included p a q b.
+
+Axiom included_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> included q b r c -> included p a r c.
+
+Axiom separated_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> separated q b r c -> separated p a r c.
+
+Axiom separated_sym :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
+ separated p a q b <-> separated q b p a.
+
+Axiom eqmem_included :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr) (q:addr),
+ forall (a1:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), included p a1 q b ->
+ eqmem m1 m2 q b -> eqmem m1 m2 p a1.
+
+Axiom eqmem_sym :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr),
+ forall (a1:Numbers.BinNums.Z), eqmem m1 m2 p a1 -> eqmem m2 m1 p a1.
+
+Axiom havoc_access :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m0:addr -> a) (m1:addr -> a), forall (q:addr) (p:addr),
+ forall (a1:Numbers.BinNums.Z),
+ (separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m1 q))) /\
+ (~ separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m0 q))).
+
+Parameter cinits: (addr -> Init.Datatypes.bool) -> Prop.
+
+(* Why3 assumption *)
+Definition is_init_range (m:addr -> Init.Datatypes.bool) (p:addr)
+ (l:Numbers.BinNums.Z) : Prop :=
+ forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < l)%Z ->
+ ((m (shift p i)) = Init.Datatypes.true).
+
+Parameter set_init:
+ (addr -> Init.Datatypes.bool) -> addr -> Numbers.BinNums.Z ->
+ addr -> Init.Datatypes.bool.
+
+Axiom set_init_access :
+ forall (m:addr -> Init.Datatypes.bool), forall (q:addr) (p:addr),
+ forall (a:Numbers.BinNums.Z),
+ (separated q 1%Z p a -> ((set_init m p a q) = (m q))) /\
+ (~ separated q 1%Z p a -> ((set_init m p a q) = Init.Datatypes.true)).
+
+(* Why3 assumption *)
+Definition monotonic_init (m1:addr -> Init.Datatypes.bool)
+ (m2:addr -> Init.Datatypes.bool) : Prop :=
+ forall (p:addr), ((m1 p) = Init.Datatypes.true) ->
+ ((m2 p) = Init.Datatypes.true).
+
+Parameter int_of_addr: addr -> Numbers.BinNums.Z.
+
+Parameter addr_of_int: Numbers.BinNums.Z -> addr.
+
+Axiom table : Type.
+Parameter table_WhyType : WhyType table.
+Existing Instance table_WhyType.
+
+Parameter table_of_base: Numbers.BinNums.Z -> table.
+
+Parameter table_to_offset: table -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom table_to_offset_zero :
+ forall (t:table), ((table_to_offset t 0%Z) = 0%Z).
+
+Axiom table_to_offset_monotonic :
+ forall (t:table), forall (o1:Numbers.BinNums.Z) (o2:Numbers.BinNums.Z),
+ (o1 <= o2)%Z <-> ((table_to_offset t o1) <= (table_to_offset t o2))%Z.
+
+Axiom int_of_addr_bijection :
+ forall (a:Numbers.BinNums.Z), ((int_of_addr (addr_of_int a)) = a).
+
+Axiom addr_of_int_bijection :
+ forall (p:addr), ((addr_of_int (int_of_addr p)) = p).
+
+Axiom addr_of_null : ((int_of_addr null) = 0%Z).
+
+(* Why3 assumption *)
+Inductive P_reachable: (Numbers.BinNums.Z -> Numbers.BinNums.Z) ->
+ (addr -> addr) -> addr -> addr -> Prop :=
+ | Q_root_reachable :
+ forall (Malloc:Numbers.BinNums.Z -> Numbers.BinNums.Z)
+ (Mptr:addr -> addr) (root:addr),
+ P_reachable Malloc Mptr root root
+ | Q_next_reachable :
+ forall (Malloc:Numbers.BinNums.Z -> Numbers.BinNums.Z)
+ (Mptr:addr -> addr) (root:addr) (node:addr),
+ valid_rw Malloc root 2%Z ->
+ P_reachable Malloc Mptr (Mptr (shift root 1%Z)) node ->
+ P_reachable Malloc Mptr root node.
+
+Axiom Q_test :
+ forall (Malloc:Numbers.BinNums.Z -> Numbers.BinNums.Z) (Mptr:addr -> addr)
+ (root:addr) (node:addr),
+ P_reachable Malloc Mptr root node ->
+ (root = node) \/
+ valid_rw Malloc root 2%Z /\
+ P_reachable Malloc Mptr (Mptr (shift root 1%Z)) node.
+
+(* Why3 assumption *)
+Definition P_same_array (Mint:addr -> Numbers.BinNums.Z)
+ (Mint1:addr -> Numbers.BinNums.Z) (a:addr) (b:addr)
+ (begin:Numbers.BinNums.Z) (end1:Numbers.BinNums.Z) : Prop :=
+ forall (i:Numbers.BinNums.Z), (begin <= i)%Z -> (i < end1)%Z ->
+ ((Mint1 (shift a i)) = (Mint (shift b i))).
+
+(* Why3 assumption *)
+Definition P_swap (Mint:addr -> Numbers.BinNums.Z)
+ (Mint1:addr -> Numbers.BinNums.Z) (a:addr) (b:addr)
+ (begin:Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z)
+ (end1:Numbers.BinNums.Z) : Prop :=
+ ((((((Mint1 (shift a i)) = (Mint (shift b j))) /\
+ ((Mint1 (shift a j)) = (Mint (shift b i)))) /\
+ (begin <= i)%Z) /\
+ (i < j)%Z) /\
+ (j < end1)%Z) /\
+ (forall (i1:Numbers.BinNums.Z), ~ (i1 = i) -> ~ (j = i1) ->
+ (begin <= i1)%Z -> (i1 < end1)%Z ->
+ ((Mint1 (shift a i1)) = (Mint (shift b i1)))).
+
+(* Why3 assumption *)
+Inductive P_same_elements: (addr -> Numbers.BinNums.Z) ->
+ (addr -> Numbers.BinNums.Z) -> addr -> addr -> Numbers.BinNums.Z ->
+ Numbers.BinNums.Z -> Prop :=
+ | Q_refl :
+ forall (Mint:addr -> Numbers.BinNums.Z)
+ (Mint1:addr -> Numbers.BinNums.Z) (a:addr) (b:addr)
+ (begin:Numbers.BinNums.Z) (end1:Numbers.BinNums.Z),
+ P_same_array Mint Mint1 a b begin end1 ->
+ P_same_elements Mint Mint1 a b begin end1
+ | Q_swap :
+ forall (Mint:addr -> Numbers.BinNums.Z)
+ (Mint1:addr -> Numbers.BinNums.Z) (a:addr) (b:addr)
+ (begin:Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z)
+ (end1:Numbers.BinNums.Z),
+ P_swap Mint Mint1 a b begin i j end1 ->
+ P_same_elements Mint Mint1 a b begin end1
+ | Q_trans :
+ forall (Mint:addr -> Numbers.BinNums.Z)
+ (Mint1:addr -> Numbers.BinNums.Z) (Mint2:addr -> Numbers.BinNums.Z)
+ (a:addr) (b:addr) (c:addr) (begin:Numbers.BinNums.Z)
+ (end1:Numbers.BinNums.Z),
+ P_same_elements Mint Mint1 b c begin end1 ->
+ P_same_elements Mint1 Mint2 a b begin end1 ->
+ P_same_elements Mint Mint2 a c begin end1.
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (t:addr -> Numbers.BinNums.Z) (t1:addr -> Numbers.BinNums.Z)
+ (a:addr) (a1:addr) (i:Numbers.BinNums.Z) (i1:Numbers.BinNums.Z)
+ (i2:Numbers.BinNums.Z),
+ P_same_elements t t1 (shift a i2) (shift a1 i2) i i1 ->
+ P_same_elements t t1 a a1 (i + i2)%Z (i1 + i2)%Z.
+Proof.
+ Require Import Psatz.
+
+ intros M1 M2 p q b e s.
+ remember (shift p s) as ps.
+ remember (shift q s) as qs.
+ intro H.
+ revert dependent p.
+ revert dependent q.
+ induction H ; intros ; subst.
+ - apply Q_refl.
+ unfold P_same_array in * ; unfold shift in * ; intros.
+ destruct p, q ; simpl in * .
+ replace i with (s + (i - s))%Z by lia.
+ rewrite 2!Z.add_assoc.
+ apply H ; lia.
+ - apply Q_swap with (i := (s + i)%Z) (j := (s + j)%Z).
+ unfold P_swap in * ; unfold shift in * ; destruct p, q ; simpl in * .
+ decompose [and] H ; clear H.
+ repeat split ; try lia.
+ * rewrite 2!Z.add_assoc ; auto.
+ * rewrite 2!Z.add_assoc ; auto.
+ * intros.
+ replace i1 with (s + (i1 - s))%Z by lia.
+ rewrite 2!Z.add_assoc ; auto.
+ apply H1 ; lia.
+ - apply Q_trans with (Mint1 := Mint1)(b := shift b (- s)%Z).
+ * apply IHP_same_elements1 ; auto.
+ unfold shift ; destruct b ; simpl ; f_equal ; lia.
+ * apply IHP_same_elements2 ; auto.
+ unfold shift ; destruct b ; simpl ; f_equal ; lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_test.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_test.v
new file mode 100644
index 0000000000000000000000000000000000000000..8741256bcdbbce570c6158e1c8df78a0e784b712
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.0.session/interactive/lemma_test.v
@@ -0,0 +1,346 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Inductive addr :=
+ | addr'mk : Numbers.BinNums.Z -> Numbers.BinNums.Z -> addr.
+Axiom addr_WhyType : WhyType addr.
+Existing Instance addr_WhyType.
+
+(* Why3 assumption *)
+Definition offset (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x1
+ end.
+
+(* Why3 assumption *)
+Definition base (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x
+ end.
+
+Parameter addr_le: addr -> addr -> Prop.
+
+Parameter addr_lt: addr -> addr -> Prop.
+
+Parameter addr_le_bool: addr -> addr -> Init.Datatypes.bool.
+
+Parameter addr_lt_bool: addr -> addr -> Init.Datatypes.bool.
+
+Axiom addr_le_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_le p q <-> ((offset p) <= (offset q))%Z.
+
+Axiom addr_lt_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_lt p q <-> ((offset p) < (offset q))%Z.
+
+Axiom addr_le_bool_def :
+ forall (p:addr) (q:addr),
+ addr_le p q <-> ((addr_le_bool p q) = Init.Datatypes.true).
+
+Axiom addr_lt_bool_def :
+ forall (p:addr) (q:addr),
+ addr_lt p q <-> ((addr_lt_bool p q) = Init.Datatypes.true).
+
+(* Why3 assumption *)
+Definition null : addr := addr'mk 0%Z 0%Z.
+
+(* Why3 assumption *)
+Definition global (b:Numbers.BinNums.Z) : addr := addr'mk b 0%Z.
+
+(* Why3 assumption *)
+Definition shift (p:addr) (k:Numbers.BinNums.Z) : addr :=
+ addr'mk (base p) ((offset p) + k)%Z.
+
+(* Why3 assumption *)
+Definition included (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (0%Z < a)%Z ->
+ (0%Z <= b)%Z /\
+ ((base p) = (base q)) /\
+ ((offset q) <= (offset p))%Z /\
+ (((offset p) + a)%Z <= ((offset q) + b)%Z)%Z.
+
+(* Why3 assumption *)
+Definition separated (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (a <= 0%Z)%Z \/
+ (b <= 0%Z)%Z \/
+ ~ ((base p) = (base q)) \/
+ (((offset q) + b)%Z <= (offset p))%Z \/
+ (((offset p) + a)%Z <= (offset q))%Z.
+
+(* Why3 assumption *)
+Definition eqmem {a:Type} {a_WT:WhyType a} (m1:addr -> a) (m2:addr -> a)
+ (p:addr) (a1:Numbers.BinNums.Z) : Prop :=
+ forall (q:addr), included q 1%Z p a1 -> ((m1 q) = (m2 q)).
+
+Parameter havoc:
+ forall {a:Type} {a_WT:WhyType a}, (addr -> a) -> (addr -> a) -> addr ->
+ Numbers.BinNums.Z -> addr -> a.
+
+(* Why3 assumption *)
+Definition valid_rw (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (0%Z < (base p))%Z /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_rd (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_obj (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (p = null) \/
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (1%Z + (m (base p)))%Z)%Z.
+
+(* Why3 assumption *)
+Definition invalid (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (n <= 0%Z)%Z \/
+ ((base p) = 0%Z) \/
+ ((m (base p)) <= (offset p))%Z \/ (((offset p) + n)%Z <= 0%Z)%Z.
+
+Axiom valid_rw_rd :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ forall (n:Numbers.BinNums.Z), valid_rw m p n -> valid_rd m p n.
+
+Axiom valid_string :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ ((base p) < 0%Z)%Z ->
+ (0%Z <= (offset p))%Z /\ ((offset p) < (m (base p)))%Z ->
+ valid_rd m p 1%Z /\ ~ valid_rw m p 1%Z.
+
+Axiom separated_1 :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
+ (j:Numbers.BinNums.Z),
+ separated p a q b -> ((offset p) <= i)%Z /\ (i < ((offset p) + a)%Z)%Z ->
+ ((offset q) <= j)%Z /\ (j < ((offset q) + b)%Z)%Z ->
+ ~ ((addr'mk (base p) i) = (addr'mk (base q) j)).
+
+Parameter region: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter linked: (Numbers.BinNums.Z -> Numbers.BinNums.Z) -> Prop.
+
+Parameter sconst: (addr -> Numbers.BinNums.Z) -> Prop.
+
+(* Why3 assumption *)
+Definition framed (m:addr -> addr) : Prop :=
+ forall (p:addr), ((region (base p)) <= 0%Z)%Z ->
+ ((region (base (m p))) <= 0%Z)%Z.
+
+Axiom separated_included :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), (0%Z < a)%Z ->
+ (0%Z < b)%Z -> separated p a q b -> ~ included p a q b.
+
+Axiom included_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> included q b r c -> included p a r c.
+
+Axiom separated_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> separated q b r c -> separated p a r c.
+
+Axiom separated_sym :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
+ separated p a q b <-> separated q b p a.
+
+Axiom eqmem_included :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr) (q:addr),
+ forall (a1:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), included p a1 q b ->
+ eqmem m1 m2 q b -> eqmem m1 m2 p a1.
+
+Axiom eqmem_sym :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr),
+ forall (a1:Numbers.BinNums.Z), eqmem m1 m2 p a1 -> eqmem m2 m1 p a1.
+
+Axiom havoc_access :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m0:addr -> a) (m1:addr -> a), forall (q:addr) (p:addr),
+ forall (a1:Numbers.BinNums.Z),
+ (separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m1 q))) /\
+ (~ separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m0 q))).
+
+Parameter cinits: (addr -> Init.Datatypes.bool) -> Prop.
+
+(* Why3 assumption *)
+Definition is_init_range (m:addr -> Init.Datatypes.bool) (p:addr)
+ (l:Numbers.BinNums.Z) : Prop :=
+ forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < l)%Z ->
+ ((m (shift p i)) = Init.Datatypes.true).
+
+Parameter set_init:
+ (addr -> Init.Datatypes.bool) -> addr -> Numbers.BinNums.Z ->
+ addr -> Init.Datatypes.bool.
+
+Axiom set_init_access :
+ forall (m:addr -> Init.Datatypes.bool), forall (q:addr) (p:addr),
+ forall (a:Numbers.BinNums.Z),
+ (separated q 1%Z p a -> ((set_init m p a q) = (m q))) /\
+ (~ separated q 1%Z p a -> ((set_init m p a q) = Init.Datatypes.true)).
+
+(* Why3 assumption *)
+Definition monotonic_init (m1:addr -> Init.Datatypes.bool)
+ (m2:addr -> Init.Datatypes.bool) : Prop :=
+ forall (p:addr), ((m1 p) = Init.Datatypes.true) ->
+ ((m2 p) = Init.Datatypes.true).
+
+Parameter int_of_addr: addr -> Numbers.BinNums.Z.
+
+Parameter addr_of_int: Numbers.BinNums.Z -> addr.
+
+Axiom table : Type.
+Parameter table_WhyType : WhyType table.
+Existing Instance table_WhyType.
+
+Parameter table_of_base: Numbers.BinNums.Z -> table.
+
+Parameter table_to_offset: table -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom table_to_offset_zero :
+ forall (t:table), ((table_to_offset t 0%Z) = 0%Z).
+
+Axiom table_to_offset_monotonic :
+ forall (t:table), forall (o1:Numbers.BinNums.Z) (o2:Numbers.BinNums.Z),
+ (o1 <= o2)%Z <-> ((table_to_offset t o1) <= (table_to_offset t o2))%Z.
+
+Axiom int_of_addr_bijection :
+ forall (a:Numbers.BinNums.Z), ((int_of_addr (addr_of_int a)) = a).
+
+Axiom addr_of_int_bijection :
+ forall (p:addr), ((addr_of_int (int_of_addr p)) = p).
+
+Axiom addr_of_null : ((int_of_addr null) = 0%Z).
+
+(* Why3 assumption *)
+Inductive P_reachable: (Numbers.BinNums.Z -> Numbers.BinNums.Z) ->
+ (addr -> addr) -> addr -> addr -> Prop :=
+ | Q_root_reachable :
+ forall (Malloc:Numbers.BinNums.Z -> Numbers.BinNums.Z)
+ (Mptr:addr -> addr) (root:addr),
+ P_reachable Malloc Mptr root root
+ | Q_next_reachable :
+ forall (Malloc:Numbers.BinNums.Z -> Numbers.BinNums.Z)
+ (Mptr:addr -> addr) (root:addr) (node:addr),
+ valid_rw Malloc root 2%Z ->
+ P_reachable Malloc Mptr (Mptr (shift root 1%Z)) node ->
+ P_reachable Malloc Mptr root node.
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (t:Numbers.BinNums.Z -> Numbers.BinNums.Z) (t1:addr -> addr)
+ (a:addr) (a1:addr),
+ P_reachable t t1 a a1 ->
+ (a1 = a) \/ valid_rw t a 2%Z /\ P_reachable t t1 (t1 (shift a 1%Z)) a1.
+Proof.
+ intros M1 M2 p q H.
+ destruct H.
+ - left ; auto.
+ - right ; split ; assumption.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.res.oracle
index 6ba6b85a7b863238c853add006c0bbf2c5705c78..729cc633cdf7126b1edaa8d8028e4f1636a236f7 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/inductive.res.oracle
@@ -1,15 +1,12 @@
# frama-c -wp -wp-timeout 240 [...]
[kernel] Parsing inductive.c (with preprocessing)
[wp] Running WP plugin...
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 2 goals scheduled
-[wp] [Coq] Goal typed_lemma_offset : Saved script
-[wp] [Coq (native)] Goal typed_lemma_offset : Valid
-[wp] [Coq] Goal typed_lemma_test : Saved script
-[wp] [Coq (native)] Goal typed_lemma_test : Valid
+[wp] [Coq] Goal typed_lemma_offset : Valid
+[wp] [Coq] Goal typed_lemma_test : Valid
[wp] Proved goals: 2 / 2
Qed: 0
- Coq (native): 2
+ Coq: 2
------------------------------------------------------------
Axiomatics WP Alt-Ergo Total Success
Lemma - - 2 100%
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_assigns_part2.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_assigns_part2.v
new file mode 100644
index 0000000000000000000000000000000000000000..26de73e48cb71891bc87851d3e2f2b02333a3753
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_assigns_part2.v
@@ -0,0 +1,559 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Inductive addr :=
+ | addr'mk : Numbers.BinNums.Z -> Numbers.BinNums.Z -> addr.
+Axiom addr_WhyType : WhyType addr.
+Existing Instance addr_WhyType.
+
+(* Why3 assumption *)
+Definition offset (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x1
+ end.
+
+(* Why3 assumption *)
+Definition base (v:addr) : Numbers.BinNums.Z :=
+ match v with
+ | addr'mk x x1 => x
+ end.
+
+Parameter addr_le: addr -> addr -> Prop.
+
+Parameter addr_lt: addr -> addr -> Prop.
+
+Parameter addr_le_bool: addr -> addr -> Init.Datatypes.bool.
+
+Parameter addr_lt_bool: addr -> addr -> Init.Datatypes.bool.
+
+Axiom addr_le_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_le p q <-> ((offset p) <= (offset q))%Z.
+
+Axiom addr_lt_def :
+ forall (p:addr) (q:addr), ((base p) = (base q)) ->
+ addr_lt p q <-> ((offset p) < (offset q))%Z.
+
+Axiom addr_le_bool_def :
+ forall (p:addr) (q:addr),
+ addr_le p q <-> ((addr_le_bool p q) = Init.Datatypes.true).
+
+Axiom addr_lt_bool_def :
+ forall (p:addr) (q:addr),
+ addr_lt p q <-> ((addr_lt_bool p q) = Init.Datatypes.true).
+
+(* Why3 assumption *)
+Definition null : addr := addr'mk 0%Z 0%Z.
+
+(* Why3 assumption *)
+Definition global (b:Numbers.BinNums.Z) : addr := addr'mk b 0%Z.
+
+(* Why3 assumption *)
+Definition shift (p:addr) (k:Numbers.BinNums.Z) : addr :=
+ addr'mk (base p) ((offset p) + k)%Z.
+
+(* Why3 assumption *)
+Definition included (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (0%Z < a)%Z ->
+ (0%Z <= b)%Z /\
+ ((base p) = (base q)) /\
+ ((offset q) <= (offset p))%Z /\
+ (((offset p) + a)%Z <= ((offset q) + b)%Z)%Z.
+
+(* Why3 assumption *)
+Definition separated (p:addr) (a:Numbers.BinNums.Z) (q:addr)
+ (b:Numbers.BinNums.Z) : Prop :=
+ (a <= 0%Z)%Z \/
+ (b <= 0%Z)%Z \/
+ ~ ((base p) = (base q)) \/
+ (((offset q) + b)%Z <= (offset p))%Z \/
+ (((offset p) + a)%Z <= (offset q))%Z.
+
+(* Why3 assumption *)
+Definition eqmem {a:Type} {a_WT:WhyType a} (m1:addr -> a) (m2:addr -> a)
+ (p:addr) (a1:Numbers.BinNums.Z) : Prop :=
+ forall (q:addr), included q 1%Z p a1 -> ((m1 q) = (m2 q)).
+
+Parameter havoc:
+ forall {a:Type} {a_WT:WhyType a}, (addr -> a) -> (addr -> a) -> addr ->
+ Numbers.BinNums.Z -> addr -> a.
+
+(* Why3 assumption *)
+Definition valid_rw (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (0%Z < (base p))%Z /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_rd (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.
+
+(* Why3 assumption *)
+Definition valid_obj (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (0%Z < n)%Z ->
+ (p = null) \/
+ ~ (0%Z = (base p)) /\
+ (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (1%Z + (m (base p)))%Z)%Z.
+
+(* Why3 assumption *)
+Definition invalid (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
+ (n:Numbers.BinNums.Z) : Prop :=
+ (n <= 0%Z)%Z \/
+ ((base p) = 0%Z) \/
+ ((m (base p)) <= (offset p))%Z \/ (((offset p) + n)%Z <= 0%Z)%Z.
+
+Axiom valid_rw_rd :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ forall (n:Numbers.BinNums.Z), valid_rw m p n -> valid_rd m p n.
+
+Axiom valid_string :
+ forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
+ ((base p) < 0%Z)%Z ->
+ (0%Z <= (offset p))%Z /\ ((offset p) < (m (base p)))%Z ->
+ valid_rd m p 1%Z /\ ~ valid_rw m p 1%Z.
+
+Axiom separated_1 :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
+ (j:Numbers.BinNums.Z),
+ separated p a q b -> ((offset p) <= i)%Z /\ (i < ((offset p) + a)%Z)%Z ->
+ ((offset q) <= j)%Z /\ (j < ((offset q) + b)%Z)%Z ->
+ ~ ((addr'mk (base p) i) = (addr'mk (base q) j)).
+
+Parameter region: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter linked: (Numbers.BinNums.Z -> Numbers.BinNums.Z) -> Prop.
+
+Parameter sconst: (addr -> Numbers.BinNums.Z) -> Prop.
+
+(* Why3 assumption *)
+Definition framed (m:addr -> addr) : Prop :=
+ forall (p:addr), ((region (base p)) <= 0%Z)%Z ->
+ ((region (base (m p))) <= 0%Z)%Z.
+
+Axiom separated_included :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), (0%Z < a)%Z ->
+ (0%Z < b)%Z -> separated p a q b -> ~ included p a q b.
+
+Axiom included_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> included q b r c -> included p a r c.
+
+Axiom separated_trans :
+ forall (p:addr) (q:addr) (r:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
+ included p a q b -> separated q b r c -> separated p a r c.
+
+Axiom separated_sym :
+ forall (p:addr) (q:addr),
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
+ separated p a q b <-> separated q b p a.
+
+Axiom eqmem_included :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr) (q:addr),
+ forall (a1:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), included p a1 q b ->
+ eqmem m1 m2 q b -> eqmem m1 m2 p a1.
+
+Axiom eqmem_sym :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m1:addr -> a) (m2:addr -> a), forall (p:addr),
+ forall (a1:Numbers.BinNums.Z), eqmem m1 m2 p a1 -> eqmem m2 m1 p a1.
+
+Axiom havoc_access :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (m0:addr -> a) (m1:addr -> a), forall (q:addr) (p:addr),
+ forall (a1:Numbers.BinNums.Z),
+ (separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m1 q))) /\
+ (~ separated q 1%Z p a1 -> ((havoc m0 m1 p a1 q) = (m0 q))).
+
+Parameter cinits: (addr -> Init.Datatypes.bool) -> Prop.
+
+(* Why3 assumption *)
+Definition is_init_range (m:addr -> Init.Datatypes.bool) (p:addr)
+ (l:Numbers.BinNums.Z) : Prop :=
+ forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < l)%Z ->
+ ((m (shift p i)) = Init.Datatypes.true).
+
+Parameter set_init:
+ (addr -> Init.Datatypes.bool) -> addr -> Numbers.BinNums.Z ->
+ addr -> Init.Datatypes.bool.
+
+Axiom set_init_access :
+ forall (m:addr -> Init.Datatypes.bool), forall (q:addr) (p:addr),
+ forall (a:Numbers.BinNums.Z),
+ (separated q 1%Z p a -> ((set_init m p a q) = (m q))) /\
+ (~ separated q 1%Z p a -> ((set_init m p a q) = Init.Datatypes.true)).
+
+(* Why3 assumption *)
+Definition monotonic_init (m1:addr -> Init.Datatypes.bool)
+ (m2:addr -> Init.Datatypes.bool) : Prop :=
+ forall (p:addr), ((m1 p) = Init.Datatypes.true) ->
+ ((m2 p) = Init.Datatypes.true).
+
+Parameter int_of_addr: addr -> Numbers.BinNums.Z.
+
+Parameter addr_of_int: Numbers.BinNums.Z -> addr.
+
+Axiom table : Type.
+Parameter table_WhyType : WhyType table.
+Existing Instance table_WhyType.
+
+Parameter table_of_base: Numbers.BinNums.Z -> table.
+
+Parameter table_to_offset: table -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom table_to_offset_zero :
+ forall (t:table), ((table_to_offset t 0%Z) = 0%Z).
+
+Axiom table_to_offset_monotonic :
+ forall (t:table), forall (o1:Numbers.BinNums.Z) (o2:Numbers.BinNums.Z),
+ (o1 <= o2)%Z <-> ((table_to_offset t o1) <= (table_to_offset t o2))%Z.
+
+Axiom int_of_addr_bijection :
+ forall (a:Numbers.BinNums.Z), ((int_of_addr (addr_of_int a)) = a).
+
+Axiom addr_of_int_bijection :
+ forall (p:addr), ((addr_of_int (int_of_addr p)) = p).
+
+Axiom addr_of_null : ((int_of_addr null) = 0%Z).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (t:Numbers.BinNums.Z -> Numbers.BinNums.Z) (a:addr)
+ (i:Numbers.BinNums.Z) (i1:Numbers.BinNums.Z),
+ let a1 := shift a i in
+ (0%Z <= i1)%Z -> (i <= i1)%Z -> (0%Z <= i)%Z -> (i < i1)%Z ->
+ ((region (base a)) <= 0%Z)%Z -> ((to_uint32 (1%Z + i)%Z) <= i1)%Z ->
+ linked t -> is_uint32 i1 -> is_uint32 i -> ~ invalid t a1 1%Z ->
+ included a1 1%Z (shift a 0%Z) i1.
+Proof.
+ Require Import Psatz.
+
+ intros.
+ unfold included.
+ unfold base, offset, shift in * ; simpl in *.
+ lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_established.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_established.v
new file mode 100644
index 0000000000000000000000000000000000000000..c4516805f0d993d85149abfe2fccb798174300a4
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_established.v
@@ -0,0 +1,322 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+(* Why3 goal *)
+Theorem wp_goal : forall (i:Numbers.BinNums.Z), is_uint32 i -> (0%Z <= i)%Z.
+Proof.
+ Require Import Psatz.
+ intros ; unfold is_uint32 in * ; lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_preserved.v b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_preserved.v
new file mode 100644
index 0000000000000000000000000000000000000000..de105f5f2d24a160997d9315d2fdf86d8052df7f
--- /dev/null
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.0.session/interactive/copy_loop_invariant_preserved.v
@@ -0,0 +1,329 @@
+(* This file is generated by Why3's Coq driver *)
+(* Beware! Only edit allowed sections below *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require HighOrd.
+Require bool.Bool.
+Require int.Int.
+Require int.Abs.
+Require int.ComputerDivision.
+Require real.Real.
+Require real.RealInfix.
+Require real.FromInt.
+Require map.Map.
+
+Parameter eqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom eqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.true) <-> (x = y).
+
+Axiom eqb_false :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((eqb x y) = Init.Datatypes.false) <-> ~ (x = y).
+
+Parameter neqb:
+ forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.
+
+Axiom neqb1 :
+ forall {a:Type} {a_WT:WhyType a},
+ forall (x:a) (y:a), ((neqb x y) = Init.Datatypes.true) <-> ~ (x = y).
+
+Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Parameter zleq:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.
+
+Axiom zlt1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zlt x y) = Init.Datatypes.true) <-> (x < y)%Z.
+
+Axiom zleq1 :
+ forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
+ ((zleq x y) = Init.Datatypes.true) <-> (x <= y)%Z.
+
+Parameter rlt:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Parameter rleq:
+ Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.
+
+Axiom rlt1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rlt x y) = Init.Datatypes.true) <-> (x < y)%R.
+
+Axiom rleq1 :
+ forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
+ ((rleq x y) = Init.Datatypes.true) <-> (x <= y)%R.
+
+(* Why3 assumption *)
+Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
+ BuiltIn.IZR x.
+
+Axiom c_euclidian :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
+ (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).
+
+Axiom cmod_remainder :
+ forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
+ ((0%Z <= n)%Z -> (0%Z < d)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
+ ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
+ ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
+ ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
+ (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
+ ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
+ ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
+ (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).
+
+Axiom cdiv_neutral :
+ forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).
+
+Axiom cdiv_inv :
+ forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
+ ((ZArith.BinInt.Z.quot a a) = 1%Z).
+
+Axiom cdiv_closed_remainder :
+ forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
+ (0%Z <= a)%Z -> (0%Z <= b)%Z ->
+ (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
+ ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).
+
+(* Why3 assumption *)
+Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).
+
+(* Why3 assumption *)
+Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 256%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
+ ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 65536%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
+ ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
+ ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.
+
+(* Why3 assumption *)
+Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
+ ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.
+
+Axiom is_bool0 : is_bool 0%Z.
+
+Axiom is_bool1 : is_bool 1%Z.
+
+Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom to_bool'def :
+ forall (x:Numbers.BinNums.Z),
+ ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).
+
+Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom two_power_abs_is_positive :
+ forall (n:Numbers.BinNums.Z), (0%Z < (two_power_abs n))%Z.
+
+Axiom two_power_abs_plus_pos :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ (0%Z <= m)%Z ->
+ ((two_power_abs (n + m)%Z) = ((two_power_abs n) * (two_power_abs m))%Z).
+
+Axiom two_power_abs_plus_one :
+ forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
+ ((two_power_abs (n + 1%Z)%Z) = (2%Z * (two_power_abs n))%Z).
+
+(* Why3 assumption *)
+Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+(* Why3 assumption *)
+Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
+ ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.
+
+Parameter to_uint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Parameter to_sint:
+ Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
+
+Axiom is_to_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n (to_uint n x).
+
+Axiom is_to_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_sint n (to_sint n x).
+
+Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).
+
+Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).
+
+Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).
+
+Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).
+
+Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).
+
+Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).
+
+Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).
+
+Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).
+
+Axiom id_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_uint n x <-> ((to_uint n x) = x).
+
+Axiom id_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ is_sint n x <-> ((to_sint n x) = x).
+
+Axiom id_uint8 :
+ forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).
+
+Axiom id_sint8 :
+ forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).
+
+Axiom id_uint16 :
+ forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).
+
+Axiom id_sint16 :
+ forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).
+
+Axiom id_uint32 :
+ forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).
+
+Axiom id_sint32 :
+ forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).
+
+Axiom id_uint64 :
+ forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).
+
+Axiom id_sint64 :
+ forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).
+
+Axiom proj_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_uint n (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_sint n x)) = (to_sint n x)).
+
+Axiom proj_uint8 :
+ forall (x:Numbers.BinNums.Z), ((to_uint8 (to_uint8 x)) = (to_uint8 x)).
+
+Axiom proj_sint8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_sint8 x)) = (to_sint8 x)).
+
+Axiom proj_uint16 :
+ forall (x:Numbers.BinNums.Z), ((to_uint16 (to_uint16 x)) = (to_uint16 x)).
+
+Axiom proj_sint16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_sint16 x)) = (to_sint16 x)).
+
+Axiom proj_uint32 :
+ forall (x:Numbers.BinNums.Z), ((to_uint32 (to_uint32 x)) = (to_uint32 x)).
+
+Axiom proj_sint32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_sint32 x)) = (to_sint32 x)).
+
+Axiom proj_uint64 :
+ forall (x:Numbers.BinNums.Z), ((to_uint64 (to_uint64 x)) = (to_uint64 x)).
+
+Axiom proj_sint64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_sint64 x)) = (to_sint64 x)).
+
+Axiom proj_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ ((to_sint n (to_uint n x)) = (to_uint n x)).
+
+Axiom incl_su :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z), is_uint n x ->
+ is_sint n x.
+
+Axiom proj_su_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint (m + n)%Z (to_uint n x)) = (to_uint n x)).
+
+Axiom proj_su_sint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_sint n (to_uint (m + (n + 1%Z)%Z)%Z x)) = (to_sint n x)).
+
+Axiom proj_int8 :
+ forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).
+
+Axiom proj_int16 :
+ forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).
+
+Axiom proj_int32 :
+ forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).
+
+Axiom proj_int64 :
+ forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).
+
+Axiom proj_us_uint :
+ forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= m)%Z ->
+ ((to_uint (n + 1%Z)%Z (to_sint (m + n)%Z x)) = (to_uint (n + 1%Z)%Z x)).
+
+Axiom incl_uint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_uint (n + i)%Z x.
+
+Axiom incl_sint :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_sint n x -> is_sint (n + i)%Z x.
+
+Axiom incl_int :
+ forall (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
+ (0%Z <= n)%Z -> (0%Z <= i)%Z -> is_uint n x -> is_sint (n + i)%Z x.
+
+(* Why3 goal *)
+Theorem wp_goal :
+ forall (i:Numbers.BinNums.Z) (i1:Numbers.BinNums.Z), (0%Z <= i1)%Z ->
+ (i <= i1)%Z -> (0%Z <= i)%Z -> (i < i1)%Z -> is_uint32 i1 -> is_uint32 i ->
+ ((to_uint32 (1%Z + i)%Z) <= i1)%Z.
+Proof.
+ Require Import Psatz.
+ intros i n Ln Un Li Ui Hi Hn.
+ unfold is_uint32 in * .
+ assert (to_uint32 (1 + i) = 1 + i)%Z.
+ apply id_uint32 ; unfold is_uint32 ; lia.
+ rewrite H ; lia.
+Qed.
+
diff --git a/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.res.oracle
index 724f423702b11d463ff5957c6ae6f936e1558ca3..2a778626650ec1c7914af47affa551156dde65b0 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle_qualif/region_to_coq.res.oracle
@@ -2,18 +2,14 @@
[kernel] Parsing region_to_coq.i (no preprocessing)
[wp] Running WP plugin...
[wp] Warning: Missing RTE guards
-[wp] Warning: native support for coq is deprecated, use tip instead
[wp] 4 goals scheduled
-[wp] [Coq] Goal typed_copy_loop_invariant_preserved : Saved script
-[wp] [Coq (native)] Goal typed_copy_loop_invariant_preserved : Valid
-[wp] [Coq] Goal typed_copy_loop_invariant_established : Saved script
-[wp] [Coq (native)] Goal typed_copy_loop_invariant_established : Valid
+[wp] [Coq] Goal typed_copy_loop_invariant_preserved : Valid
+[wp] [Coq] Goal typed_copy_loop_invariant_established : Valid
[wp] [Qed] Goal typed_copy_loop_assigns_part1 : Valid
-[wp] [Coq] Goal typed_copy_loop_assigns_part2 : Saved script
-[wp] [Coq (native)] Goal typed_copy_loop_assigns_part2 : Valid
+[wp] [Coq] Goal typed_copy_loop_assigns_part2 : Valid
[wp] Proved goals: 4 / 4
Qed: 1
- Coq (native): 3
+ Coq: 3
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
copy 1 - 4 100%
diff --git a/src/plugins/wp/tests/wp_plugin/region_to_coq.i b/src/plugins/wp/tests/wp_plugin/region_to_coq.i
index 24ca4a86019fb5939ae553d2d1b18396e78c6a47..dcf02f6108a07af270315c63f188ad500cffcb28 100644
--- a/src/plugins/wp/tests/wp_plugin/region_to_coq.i
+++ b/src/plugins/wp/tests/wp_plugin/region_to_coq.i
@@ -2,7 +2,7 @@
DONTRUN:
*/
/* run.config_qualif
- OPT: -wp-prover native:coq -wp-coq-script %{dep:@PTEST_DIR@/region_to_coq.script}
+ OPT: -wp-prover coq
*/
void copy(int* a, unsigned int n, int* b)