blob: 740c2308a3fdb6f11134de547675a75f11161a6a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
function Subonacci(n: nat): nat
{
if 2 <= n then
// proving that this case is a nat requires more information,
// which is here supplied by an assume expression
assume Subonacci(n-2) <= Subonacci(n-1);
Subonacci(n-1) - Subonacci(n-2)
else
n
}
function F(n: int): nat
{
Subonacci(assume 0 <= n; n) -
Subonacci(n)
}
function G(n: int, b: bool): nat
{
if b then
Subonacci(assume 0 <= n; n)
else
Subonacci(n) // error: n may not be a nat
}
ghost method M(m: nat, n: int)
{
var k := F(m);
assert k == 0;
k := F(n);
assert k == 0; // this is still known
}
method M0(j: int) returns (n: nat)
{
n := assert 0 <= j; j; // error: j may be negative
}
method M1(j: int) returns (n: nat)
{
n := (assume 0 <= j; j) + (assert 0 <= j; j);
assert n == 2*j;
}
function SpecOnly(): bool { true }
function method FuncMeth(): int {
assert SpecOnly(); // this call is allowed, because the .Guard of a
// PredicateExpr is not included in compilation
15
}
|
