(**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (* this is a prelude for Alt-Ergo integer arithmetic *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory int_Int_ must be appended to this file*) logic abs_int : int -> int axiom abs_def : (forall x:int. ((0 <= x) -> (abs_int(x) = x))) axiom abs_def1 : (forall x:int. ((not (0 <= x)) -> (abs_int(x) = (-x)))) axiom Abs_le : (forall x:int. forall y:int. ((abs_int(x) <= y) -> ((-y) <= x))) axiom Abs_le1 : (forall x:int. forall y:int. ((abs_int(x) <= y) -> (x <= y))) axiom Abs_le2 : (forall x:int. forall y:int. ((((-y) <= x) and (x <= y)) -> (abs_int(x) <= y))) axiom Abs_pos : (forall x:int. (0 <= abs_int(x))) (**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) logic safe_comp_div: int, int -> int axiom safe_comp_div_def: forall x, y:int. x >= 0 and y > 0 -> safe_comp_div(x,y) = x / y logic safe_comp_mod: int, int -> int axiom safe_comp_mod_def: forall x, y:int. x >= 0 and y > 0 -> safe_comp_mod(x,y) = x % y (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory int_Int_ must be appended to this file*) (** The theory int_Abs_ must be appended to this file*) axiom Div_bound : (forall x:int. forall y:int. (((0 <= x) and (0 < y)) -> (0 <= safe_comp_div(x,y)))) axiom Div_bound1 : (forall x:int. forall y:int. (((0 <= x) and (0 < y)) -> (safe_comp_div(x,y) <= x))) axiom Div_1 : (forall x:int. (safe_comp_div(x,1) = x)) axiom Mod_1 : (forall x:int. (safe_comp_mod(x,1) = 0)) axiom Div_inf : (forall x:int. forall y:int. (((0 <= x) and (x < y)) -> (safe_comp_div(x,y) = 0))) axiom Mod_inf : (forall x:int. forall y:int. (((0 <= x) and (x < y)) -> (safe_comp_mod(x,y) = x))) axiom Div_mult : (forall x:int. forall y:int. forall z:int [safe_comp_div(((x * y) + z),x)]. (((0 < x) and ((0 <= y) and (0 <= z))) -> (safe_comp_div(((x * y) + z),x) = (y + safe_comp_div(z,x))))) axiom Mod_mult : (forall x:int. forall y:int. forall z:int [safe_comp_mod(((x * y) + z),x)]. (((0 < x) and ((0 <= y) and (0 <= z))) -> (safe_comp_mod(((x * y) + z),x) = safe_comp_mod(z,x)))) (**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (* this is a prelude for Alt-Ergo real arithmetic *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) axiom add_div : (forall x:real. forall y:real. forall z:real. ((not (z = 0.0)) -> (((x + y) / z) = ((x / z) + (y / z))))) axiom sub_div : (forall x:real. forall y:real. forall z:real. ((not (z = 0.0)) -> (((x - y) / z) = ((x / z) - (y / z))))) axiom neg_div : (forall x:real. forall y:real. ((not (y = 0.0)) -> (((-x) / y) = (-(x / y))))) axiom assoc_mul_div : (forall x:real. forall y:real. forall z:real. ((not (z = 0.0)) -> (((x * y) / z) = (x * (y / z))))) axiom assoc_div_mul : (forall x:real. forall y:real. forall z:real. (((not (y = 0.0)) and (not (z = 0.0))) -> (((x / y) / z) = (x / (y * z))))) axiom assoc_div_div : (forall x:real. forall y:real. forall z:real. (((not (y = 0.0)) and (not (z = 0.0))) -> ((x / (y / z)) = ((x * z) / y)))) (**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory real_Real_ must be appended to this file*) (**************************************************************************) (* *) (* The Why3 Verification Platform / The Why3 Development Team *) (* Copyright 2010-2013 -- INRIA - CNRS - Paris-Sud University *) (* *) (* This software is distributed under the terms of the GNU Lesser *) (* General Public License version 2.1, with the special exception *) (* on linking described in file LICENSE. *) (* *) (* File modified by CEA (Commissariat à l'énergie atomique et aux *) (* énergies alternatives). *) (* *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory int_Int_ must be appended to this file*) (** The theory real_Real_ must be appended to this file*) logic from_int : int -> real axiom Zero : (from_int(0) = 0.0) axiom One : (from_int(1) = 1.0) axiom Add : (forall x:int. forall y:int. (from_int((x + y)) = (from_int(x) + from_int(y)))) axiom Sub : (forall x:int. forall y:int. (from_int((x - y)) = (from_int(x) - from_int(y)))) axiom Mul : (forall x:int. forall y:int. (from_int((x * y)) = (from_int(x) * from_int(y)))) axiom Neg : (forall x:int. (from_int((-x)) = (-from_int(x)))) (**************************************************************************) (* *) (* This file is part of WP plug-in of Frama-C. *) (* *) (* Copyright (C) 2007-2016 *) (* CEA (Commissariat a l'energie atomique et aux energies *) (* alternatives) *) (* *) (* All rights reserved. *) (* Contact CEA LIST for licensing. *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory bool_Bool_ must be appended to this file*) (** The theory int_Int_ must be appended to this file*) (** The theory int_Abs_ must be appended to this file*) (** The theory int_ComputerDivision_ must be appended to this file*) (** The theory real_Real_ must be appended to this file*) (** The theory real_RealInfix_ must be appended to this file*) (** The theory real_FromInt_ must be appended to this file*) logic match_bool : bool, 'a, 'a -> 'a axiom match_bool1 : (forall p:bool. forall x:'a. forall y:'a [match_bool(p, x, y)]. (((p = true) and (match_bool(p, x, y) = x)) or ((p = false) and (match_bool(p, x, y) = y)))) logic eqb : 'a, 'a -> bool axiom eqb1 : (forall x:'a. forall y:'a. ((eqb(x, y) = true) -> (x = y))) axiom eqb2 : (forall x:'a. forall y:'a. ((x = y) -> (eqb(x, y) = true))) logic neqb : 'a, 'a -> bool axiom neqb1 : (forall x:'a. forall y:'a. ((neqb(x, y) = true) -> (not (x = y)))) axiom neqb2 : (forall x:'a. forall y:'a. ((not (x = y)) -> (neqb(x, y) = true))) logic zlt : int, int -> bool logic zleq : int, int -> bool axiom zlt1 : (forall x:int. forall y:int. ((zlt(x, y) = true) -> (x < y))) axiom zlt2 : (forall x:int. forall y:int. ((x < y) -> (zlt(x, y) = true))) axiom zleq1 : (forall x:int. forall y:int. ((zleq(x, y) = true) -> (x <= y))) axiom zleq2 : (forall x:int. forall y:int. ((x <= y) -> (zleq(x, y) = true))) logic rlt : real, real -> bool logic rleq : real, real -> bool axiom rlt1 : (forall x:real. forall y:real. ((rlt(x, y) = true) -> (x < y))) axiom rlt2 : (forall x:real. forall y:real. ((x < y) -> (rlt(x, y) = true))) axiom rleq1 : (forall x:real. forall y:real. ((rleq(x, y) = true) -> (x <= y))) axiom rleq2 : (forall x:real. forall y:real. ((x <= y) -> (rleq(x, y) = true))) logic truncate : real -> int function real_of_int(x: int) : real = from_int(x) axiom truncate_of_int : (forall x:int. (truncate(real_of_int(x)) = x)) axiom c_euclidian : (forall n:int. forall d:int [safe_comp_div(n,d), safe_comp_mod(n,d)]. ((not (d = 0)) -> (n = ((safe_comp_div(n,d) * d) + safe_comp_mod(n,d))))) axiom cdiv_cases : (forall n:int. forall d:int [safe_comp_div(n,d)]. ((0 <= n) -> ((0 < d) -> (safe_comp_div(n,d) = (n / d))))) axiom cdiv_cases1 : (forall n:int. forall d:int [safe_comp_div(n,d)]. ((n <= 0) -> ((0 < d) -> (safe_comp_div(n,d) = (-((-n) / d)))))) axiom cdiv_cases2 : (forall n:int. forall d:int [safe_comp_div(n,d)]. ((0 <= n) -> ((d < 0) -> (safe_comp_div(n,d) = (-(n / (-d))))))) axiom cdiv_cases3 : (forall n:int. forall d:int [safe_comp_div(n,d)]. ((n <= 0) -> ((d < 0) -> (safe_comp_div(n,d) = ((-n) / (-d)))))) axiom cmod_cases : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((0 < d) -> (safe_comp_mod(n,d) = (n % d))))) axiom cmod_cases1 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((0 < d) -> (safe_comp_mod(n,d) = (-((-n) % d)))))) axiom cmod_cases2 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((d < 0) -> (safe_comp_mod(n,d) = (n % (-d)))))) axiom cmod_cases3 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((d < 0) -> (safe_comp_mod(n,d) = (-((-n) % (-d))))))) axiom cmod_remainder : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((0 < d) -> (0 <= safe_comp_mod(n,d))))) axiom cmod_remainder1 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((0 < d) -> (safe_comp_mod(n,d) < d)))) axiom cmod_remainder2 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((0 < d) -> ((-d) < safe_comp_mod(n,d))))) axiom cmod_remainder3 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((0 < d) -> (safe_comp_mod(n,d) <= 0)))) axiom cmod_remainder4 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((d < 0) -> (0 <= safe_comp_mod(n,d))))) axiom cmod_remainder5 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((0 <= n) -> ((d < 0) -> (safe_comp_mod(n,d) < (-d))))) axiom cmod_remainder6 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((d < 0) -> (d < safe_comp_mod(n,d))))) axiom cmod_remainder7 : (forall n:int. forall d:int [safe_comp_mod(n,d)]. ((n <= 0) -> ((d < 0) -> (safe_comp_mod(n,d) <= 0)))) axiom cdiv_neutral : (forall a:int [safe_comp_div(a,1)]. (safe_comp_div(a,1) = a)) axiom cdiv_inv : (forall a:int [safe_comp_div(a,a)]. ((not (a = 0)) -> (safe_comp_div(a,a) = 1))) (**************************************************************************) (* *) (* This file is part of WP plug-in of Frama-C. *) (* *) (* Copyright (C) 2007-2016 *) (* CEA (Commissariat a l'energie atomique et aux energies *) (* alternatives) *) (* *) (* All rights reserved. *) (* Contact CEA LIST for licensing. *) (**************************************************************************) (* this is the prelude for Alt-Ergo, any versions *) (** The theory BuiltIn_ must be appended to this file*) (** The theory Bool_ must be appended to this file*) (** The theory bool_Bool_ must be appended to this file*) (** The theory int_Int_ must be appended to this file*) logic is_uint8 : int -> prop axiom is_uint8_def : (forall x:int [is_uint8(x)]. (is_uint8(x) -> (0 <= x))) axiom is_uint8_def1 : (forall x:int [is_uint8(x)]. (is_uint8(x) -> (x < 256))) axiom is_uint8_def2 : (forall x:int [is_uint8(x)]. (((0 <= x) and (x < 256)) -> is_uint8(x))) logic is_sint8 : int -> prop axiom is_sint8_def : (forall x:int [is_sint8(x)]. (is_sint8(x) -> ((-128) <= x))) axiom is_sint8_def1 : (forall x:int [is_sint8(x)]. (is_sint8(x) -> (x < 128))) axiom is_sint8_def2 : (forall x:int [is_sint8(x)]. ((((-128) <= x) and (x < 128)) -> is_sint8(x))) logic is_uint16 : int -> prop axiom is_uint16_def : (forall x:int [is_uint16(x)]. (is_uint16(x) -> (0 <= x))) axiom is_uint16_def1 : (forall x:int [is_uint16(x)]. (is_uint16(x) -> (x < 65536))) axiom is_uint16_def2 : (forall x:int [is_uint16(x)]. (((0 <= x) and (x < 65536)) -> is_uint16(x))) predicate is_sint16(x: int) = (((-32768) <= x) and (x < 32768)) logic is_uint32 : int -> prop axiom is_uint32_def : (forall x:int [is_uint32(x)]. (is_uint32(x) -> (0 <= x))) axiom is_uint32_def1 : (forall x:int [is_uint32(x)]. (is_uint32(x) -> (x < 4294967296))) axiom is_uint32_def2 : (forall x:int [is_uint32(x)]. (((0 <= x) and (x < 4294967296)) -> is_uint32(x))) logic is_sint32 : int -> prop axiom is_sint32_def : (forall x:int [is_sint32(x)]. (is_sint32(x) -> ((-2147483648) <= x))) axiom is_sint32_def1 : (forall x:int [is_sint32(x)]. (is_sint32(x) -> (x < 2147483648))) axiom is_sint32_def2 : (forall x:int [is_sint32(x)]. ((((-2147483648) <= x) and (x < 2147483648)) -> is_sint32(x))) logic is_uint64 : int -> prop axiom is_uint64_def : (forall x:int [is_uint64(x)]. (is_uint64(x) -> (0 <= x))) axiom is_uint64_def1 : (forall x:int [is_uint64(x)]. (is_uint64(x) -> (x < 18446744073709551616))) axiom is_uint64_def2 : (forall x:int [is_uint64(x)]. (((0 <= x) and (x < 18446744073709551616)) -> is_uint64(x))) logic is_sint64 : int -> prop axiom is_sint64_def : (forall x:int [is_sint64(x)]. (is_sint64(x) -> ((-9223372036854775808) <= x))) axiom is_sint64_def1 : (forall x:int [is_sint64(x)]. (is_sint64(x) -> (x < 9223372036854775808))) axiom is_sint64_def2 : (forall x:int [is_sint64(x)]. ((((-9223372036854775808) <= x) and (x < 9223372036854775808)) -> is_sint64(x))) logic to_uint8 : int -> int logic to_sint8 : int -> int logic to_uint16 : int -> int logic to_sint16 : int -> int logic to_uint32 : int -> int logic to_sint32 : int -> int logic to_uint64 : int -> int logic to_sint64 : int -> int logic two_power_abs : int -> int predicate is_uint(n: int, x: int) = ((0 <= x) and (x < two_power_abs(n))) predicate is_sint(n: int, x: int) = (((-two_power_abs(n)) <= x) and (x < two_power_abs(n))) logic to_uint : int, int -> int logic to_sint : int, int -> int axiom is_to_uint8 : (forall x:int [is_uint8(to_uint8(x))]. is_uint8(to_uint8(x))) axiom is_to_sint8 : (forall x:int [is_sint8(to_sint8(x))]. is_sint8(to_sint8(x))) axiom is_to_uint16 : (forall x:int [is_uint16(to_uint16(x))]. is_uint16(to_uint16(x))) axiom is_to_sint16 : (forall x:int [is_sint16(to_sint16(x))]. is_sint16(to_sint16(x))) axiom is_to_uint32 : (forall x:int [is_uint32(to_uint32(x))]. is_uint32(to_uint32(x))) axiom is_to_sint32 : (forall x:int [is_sint32(to_sint32(x))]. is_sint32(to_sint32(x))) axiom is_to_uint64 : (forall x:int [is_uint64(to_uint64(x))]. is_uint64(to_uint64(x))) axiom is_to_sint64 : (forall x:int [is_sint64(to_sint64(x))]. is_sint64(to_sint64(x))) axiom id_uint8 : (forall x:int [to_uint8(x)]. (((0 <= x) and (x < 256)) -> (to_uint8(x) = x))) axiom id_sint8 : (forall x:int [to_sint8(x)]. ((((-128) <= x) and (x < 128)) -> (to_sint8(x) = x))) axiom id_uint16 : (forall x:int [to_uint16(x)]. (((0 <= x) and (x < 65536)) -> (to_uint16(x) = x))) axiom id_sint16 : (forall x:int [to_sint16(x)]. ((((-32768) <= x) and (x < 32768)) -> (to_sint16(x) = x))) axiom id_uint32 : (forall x:int [to_uint32(x)]. (((0 <= x) and (x < 4294967296)) -> (to_uint32(x) = x))) axiom id_sint32 : (forall x:int [to_sint32(x)]. ((((-2147483648) <= x) and (x < 2147483648)) -> (to_sint32(x) = x))) axiom id_uint64 : (forall x:int [to_uint64(x)]. (((0 <= x) and (x < 18446744073709551616)) -> (to_uint64(x) = x))) axiom id_sint64 : (forall x:int [to_sint64(x)]. ((((-9223372036854775808) <= x) and (x < 9223372036854775808)) -> (to_sint64(x) = x))) axiom proj_int8 : (forall x:int [to_sint8(to_uint8(x))]. (to_sint8(to_uint8(x)) = to_sint8(x))) axiom proj_int16 : (forall x:int [to_sint16(to_uint16(x))]. (to_sint16(to_uint16(x)) = to_sint16(x))) axiom proj_int32 : (forall x:int [to_sint32(to_uint32(x))]. (to_sint32(to_uint32(x)) = to_sint32(x))) axiom proj_int64 : (forall x:int [to_sint64(to_uint64(x))]. (to_sint64(to_uint64(x)) = to_sint64(x))) logic lnot : int -> int logic ac land : int, int -> int logic ac lxor : int, int -> int logic ac lor : int, int -> int logic lsl : int, int -> int logic lsr : int, int -> int logic bit_testb : int, int -> bool logic bit_test : int, int -> prop (* ---------------------------------------------------------- *) (* --- Lemma 'Two' --- *) (* ---------------------------------------------------------- *) (* --- Global Definitions --- *) axiom Q_One: forall x : int. is_sint32(x) -> ((0 = x) or (1 = x)) goal lemma_Two: forall i : int. is_sint32(i) -> ((0 = i) or (1 = i))