path: root/contrib/correctness/examples
diff options
authorGravatar Stephane Glondu <>2010-07-21 09:46:51 +0200
committerGravatar Stephane Glondu <>2010-07-21 09:46:51 +0200
commit5b7eafd0f00a16d78f99a27f5c7d5a0de77dc7e6 (patch)
tree631ad791a7685edafeb1fb2e8faeedc8379318ae /contrib/correctness/examples
parentda178a880e3ace820b41d38b191d3785b82991f5 (diff)
Imported Upstream snapshot 8.3~beta0+13298
Diffstat (limited to 'contrib/correctness/examples')
6 files changed, 0 insertions, 961 deletions
diff --git a/contrib/correctness/examples/Handbook.v b/contrib/correctness/examples/Handbook.v
deleted file mode 100644
index abb1cc76..00000000
--- a/contrib/correctness/examples/Handbook.v
+++ /dev/null
@@ -1,232 +0,0 @@
-(* v * The Coq Proof Assistant / The Coq Development Team *)
-(* <O___,, * INRIA-Rocquencourt & LRI-CNRS-Orsay *)
-(* \VV/ *************************************************************)
-(* // * This file is distributed under the terms of the *)
-(* * GNU Lesser General Public License Version 2.1 *)
-(* Certification of Imperative Programs / Jean-Christophe Filliātre *)
-(* $Id: Handbook.v 1577 2001-04-11 07:56:19Z filliatr $ *)
-(* This file contains proofs of programs taken from the
- * "Handbook of Theoretical Computer Science", volume B,
- * chapter "Methods and Logics for Proving Programs", by P. Cousot,
- * pp 841--993, Edited by J. van Leeuwen (c) Elsevier Science Publishers B.V.
- * 1990.
- *
- * Programs are refered to by numbers and pages.
- *)
-Require Correctness.
-Require Sumbool.
-Require Omega.
-Require Zcomplements.
-Require Zpower.
-(* program (2) page 853 to compute x^y (annotated version is (25) page 860) *)
-(* en attendant... *)
-Parameter Zdiv2 : Z->Z.
-Parameter Zeven_odd_dec : (x:Z){`x=2*(Zdiv2 x)`}+{`x=2*(Zdiv2 x)+1`}.
-Definition Zodd_dec := [z:Z](sumbool_not ? ? (Zeven_odd_dec z)).
-Definition Zodd_bool := [z:Z](bool_of_sumbool ? ? (Zodd_dec z)).
-Axiom axiom1 : (x,y:Z) `y>0` -> `x*(Zpower x (Zpred y)) = (Zpower x y)`.
-Axiom axiom2 : (x:Z)`x>0` -> `(Zdiv2 x)<x`.
-Axiom axiom3 : (x,y:Z) `y>=0` -> `(Zpower (x*x) (Zdiv2 y)) = (Zpower x y)`.
-Global Variable X : Z ref.
-Global Variable Y : Z ref.
-Global Variable Z_ : Z ref.
-Correctness pgm25
- { `Y >= 0` }
- begin
- Z_ := 1;
- while !Y <> 0 do
- { invariant `Y >= 0` /\ `Z_ * (Zpower X Y) = (Zpower X@0 Y@0)`
- variant Y }
- if (Zodd_bool !Y) then begin
- Y := (Zpred !Y);
- Z_ := (Zmult !Z_ !X)
- end else begin
- Y := (Zdiv2 !Y);
- X := (Zmult !X !X)
- end
- done
- end
- { Z_ = (Zpower X@ Y@) }.
-Unfold Zpred; Unfold Zwf; Omega.
-Unfold Zpred; Omega.
-Decompose [and] Pre2.
-Rewrite <- H0.
-Replace `Z_1*X0*(Zpower X0 (Zpred Y0))` with `Z_1*(X0*(Zpower X0 (Zpred Y0)))`.
-Apply f_equal with f := (Zmult Z_1).
-Apply axiom1.
-Apply Zmult_assoc_r.
-Unfold Zwf.
-Repeat (Apply conj).
-Apply axiom2. Omega.
-Decompose [and] Pre2.
-Rewrite <- H0.
-Apply f_equal with f:=(Zmult Z_1).
-Apply axiom3. Omega.
-Decompose [and] Post6.
-Rewrite <- H2.
-Rewrite H0.
-(* program (178) page 934 to compute the factorial using global variables
- * annotated version is (185) page 939
- *)
-Parameter Zfact : Z -> Z.
-Axiom axiom4 : `(Zfact 0) = 1`.
-Axiom axiom5 : (x:Z) `x>0` -> `(Zfact (x-1))*x=(Zfact x)`.
-Correctness pgm178
-let rec F (u:unit) : unit { variant X } =
- { `X>=0` }
- (if !X = 0 then
- Y := 1
- else begin
- label L;
- X := (Zpred !X);
- (F tt);
- X := (Zs !X);
- Y := (Zmult !Y !X)
- end)
- { `X=X@` /\ `Y=(Zfact X@)` }.
-Rewrite Test1. Rewrite axiom4. Auto.
-Unfold Zwf. Unfold Zpred. Omega.
-Unfold Zpred. Omega.
-Unfold Zs. Unfold Zpred in Post3. Split.
-Decompose [and] Post3.
-Rewrite H.
-Replace `X0+(-1)+1` with X0.
-Rewrite H0.
-Replace `X0+(-1)` with `X0-1`.
-Apply axiom5.
-(* program (186) page 939 "showing the usefulness of auxiliary variables" ! *)
-Global Variable N : Z ref.
-Global Variable S : Z ref.
-Correctness pgm186
-let rec F (u:unit) : unit { variant N } =
- { `N>=0` }
- (if !N > 0 then begin
- label L;
- N := (Zpred !N);
- (F tt);
- S := (Zs !S);
- (F tt);
- N := (Zs !N)
- end)
- { `N=N@` /\ `S=S@+(Zpower 2 N@)-1` }.
-Unfold Zwf. Unfold Zpred. Omega.
-Unfold Zpred. Omega.
-Decompose [and] Post5. Rewrite H. Unfold Zwf. Unfold Zpred. Omega.
-Decompose [and] Post5. Rewrite H. Unfold Zpred. Omega.
-Unfold Zpred in Post5. Omega.
-Decompose [and] Post4. Rewrite H0.
-Decompose [and] Post5. Rewrite H2. Rewrite H1.
-Replace `(Zpower 2 N0)` with `2*(Zpower 2 (Zpred N0))`. Omega.
-Replace `(Zpower 2 N0)` with `(Zpower 2 (1+(Zpred N0)))`.
-Replace `2*(Zpower 2 (Zpred N0))` with `(Zpower 2 1)*(Zpower 2 (Zpred N0))`.
-Apply Zpower_exp.
-Unfold Zpred. Omega.
-Replace `(1+(Zpred N0))` with N0; [ Auto | Unfold Zpred; Omega ].
-Replace N0 with `0`; Simpl; Omega.
-(* program (196) page 944 (recursive factorial procedure with value-result
- * parameters)
- *)
-Correctness pgm196
-let rec F (U:Z) (V:Z ref) : unit { variant U } =
- { `U >= 0` }
- (if U = 0 then
- V := 1
- else begin
- (F (Zpred U) V);
- V := (Zmult !V U)
- end)
- { `V = (Zfact U)` }.
-Symmetry. Rewrite Test1. Apply axiom4.
-Unfold Zwf. Unfold Zpred. Omega.
-Unfold Zpred. Omega.
-Rewrite Post3.
-Unfold Zpred. Replace `U0+(-1)` with `U0-1`. Apply axiom5.
-(* program (197) page 945 (L_4 subset of Pascal) *)
-procedure P(X:Z; procedure Q(Z:Z));
- procedure L(X:Z); begin Q(X-1) end;
- begin if X>0 then P(X-1,L) else Q(X) end;
-procedure M(N:Z);
- procedure R(X:Z); begin writeln(X) (* => RES := !X *) end;
- begin P(N,R) end.
diff --git a/contrib/correctness/examples/exp.v b/contrib/correctness/examples/exp.v
deleted file mode 100644
index 3142e906..00000000
--- a/contrib/correctness/examples/exp.v
+++ /dev/null
@@ -1,204 +0,0 @@
-(* v * The Coq Proof Assistant / The Coq Development Team *)
-(* <O___,, * INRIA-Rocquencourt & LRI-CNRS-Orsay *)
-(* \VV/ *************************************************************)
-(* // * This file is distributed under the terms of the *)
-(* * GNU Lesser General Public License Version 2.1 *)
-(* Certification of Imperative Programs / Jean-Christophe Filliātre *)
-(*i $Id: exp.v 1577 2001-04-11 07:56:19Z filliatr $ i*)
-(* Efficient computation of X^n using
- *
- * X^(2n) = (X^n) ^ 2
- * X^(2n+1) = X . (X^n) ^ 2
- *
- * Proofs of both fonctional and imperative programs.
- *)
-Require Even.
-Require Div2.
-Require Correctness.
-Require ArithRing.
-Require ZArithRing.
-(* The specification uses the traditional definition of X^n *)
-Fixpoint power [x,n:nat] : nat :=
- Cases n of
- O => (S O)
- | (S n') => (mult x (power x n'))
- end.
-Definition square := [n:nat](mult n n).
-(* Three lemmas are necessary to establish the forthcoming proof obligations *)
-(* n = 2*(n/2) => (x^(n/2))^2 = x^n *)
-Lemma exp_div2_0 : (x,n:nat)
- n=(double (div2 n))
- -> (square (power x (div2 n)))=(power x n).
-Unfold square.
-Intros x n. Pattern n. Apply ind_0_1_SS.
-Intro. (Absurd (1)=(double (0)); Auto).
-Intros. Simpl.
-Cut n0=(double (div2 n0)).
-Intro. Rewrite <- (H H1).
-Simpl in H0.
-Unfold double in H0.
-Simpl in H0.
-Rewrite <- (plus_n_Sm (div2 n0) (div2 n0)) in H0.
-(Injection H0; Auto).
-(* n = 2*(n/2)+1 => x*(x^(n/2))^2 = x^n *)
-Lemma exp_div2_1 : (x,n:nat)
- n=(S (double (div2 n)))
- -> (mult x (square (power x (div2 n))))=(power x n).
-Unfold square.
-Intros x n. Pattern n. Apply ind_0_1_SS.
-Intro. (Absurd (0)=(S (double (0))); Auto).
-Intros. Simpl.
-Cut n0=(S (double (div2 n0))).
-Intro. Rewrite <- (H H1).
-Simpl in H0.
-Unfold double in H0.
-Simpl in H0.
-Rewrite <- (plus_n_Sm (div2 n0) (div2 n0)) in H0.
-(Injection H0; Auto).
-(* x^(2*n) = (x^2)^n *)
-Lemma power_2n : (x,n:nat)(power x (double n))=(power (square x) n).
-Unfold double. Unfold square.
-Induction n.
-Rewrite <- H.
-Rewrite <- (plus_n_Sm n0 n0).
-Auto with arith.
-Hints Resolve exp_div2_0 exp_div2_1.
-(* Functional version.
- *
- * Here we give the functional program as an incomplete CIC term,
- * using the tactic Refine.
- *
- * On this example, it really behaves as the tactic Program.
- *)
-Lemma f_exp : (x,n:nat) { y:nat | y=(power x n) }.
-Refine [x:nat]
- (well_founded_induction nat lt lt_wf
- [n:nat]{y:nat | y=(power x n) }
- [n:nat]
- [f:(p:nat)(lt p n)->{y:nat | y=(power x p) }]
- Cases (zerop n) of
- (left _) => (exist ? ? (S O) ?)
- | (right _) =>
- let (y,H) = (f (div2 n) ?) in
- Cases (even_odd_dec n) of
- (left _) => (exist ? ? (mult y y) ?)
- | (right _) => (exist ? ? (mult x (mult y y)) ?)
- end
- end).
-Rewrite a. Auto.
-Exact (lt_div2 n a).
-Change (square y)=(power x n). Rewrite H. Auto with arith.
-Change (mult x (square y))=(power x n). Rewrite H. Auto with arith.
-(* Imperative version. *)
-Definition even_odd_bool := [x:nat](bool_of_sumbool ? ? (even_odd_dec x)).
-Correctness i_exp
- fun (x:nat)(n:nat) ->
- let y = ref (S O) in
- let m = ref x in
- let e = ref n in
- begin
- while (notzerop_bool !e) do
- { invariant (power x n)=(mult y (power m e)) as Inv
- variant e for lt }
- (if not (even_odd_bool !e) then y := (mult !y !m))
- { (power x n) = (mult y (power m (double (div2 e)))) as Q };
- m := (square !m);
- e := (div2 !e)
- done;
- !y
- end
- { result=(power x n) }
-Rewrite (odd_double e0 Test1) in Inv. Rewrite Inv. Simpl. Auto with arith.
-Rewrite (even_double e0 Test1) in Inv. Rewrite Inv. Reflexivity.
-Exact (lt_div2 e0 Test2).
-Rewrite Q. Unfold double. Unfold square.
-Change (mult y1 (power m0 (double (div2 e0))))
- = (mult y1 (power (square m0) (div2 e0))).
-Rewrite (power_2n m0 (div2 e0)). Reflexivity.
-Auto with arith.
-Decompose [and] Inv.
-Rewrite H. Rewrite H0.
-Auto with arith.
-(* Recursive version. *)
-Correctness r_exp
- let rec exp (x:nat) (n:nat) : nat { variant n for lt} =
- (if (zerop_bool n) then
- (S O)
- else
- let y = (exp x (div2 n)) in
- if (even_odd_bool n) then
- (mult y y)
- else
- (mult x (mult y y))
- ) { result=(power x n) }
-Rewrite Test2. Auto.
-Exact (lt_div2 n0 Test2).
-Change (square y)=(power x0 n0). Rewrite Post7. Auto with arith.
-Change (mult x0 (square y))=(power x0 n0). Rewrite Post7. Auto with arith.
diff --git a/contrib/correctness/examples/exp_int.v b/contrib/correctness/examples/exp_int.v
deleted file mode 100644
index 044263ca..00000000
--- a/contrib/correctness/examples/exp_int.v
+++ /dev/null
@@ -1,218 +0,0 @@
-(* v * The Coq Proof Assistant / The Coq Development Team *)
-(* <O___,, * INRIA-Rocquencourt & LRI-CNRS-Orsay *)
-(* \VV/ *************************************************************)
-(* // * This file is distributed under the terms of the *)
-(* * GNU Lesser General Public License Version 2.1 *)
-(* Certification of Imperative Programs / Jean-Christophe Filliātre *)
-(* $Id: exp_int.v 1577 2001-04-11 07:56:19Z filliatr $ *)
-(* Efficient computation of X^n using
- *
- * X^(2n) = (X^n) ^ 2
- * X^(2n+1) = X . (X^n) ^ 2
- *
- * Proofs of both fonctional and imperative programs.
- *)
-Require Zpower.
-Require Zcomplements.
-Require Correctness.
-Require ZArithRing.
-Require Omega.
-Definition Zdouble := [n:Z]`2*n`.
-Definition Zsquare := [n:Z](Zmult n n).
-(* Some auxiliary lemmas about Zdiv2 are necessary *)
-Lemma Zdiv2_ge_0 : (x:Z) `x >= 0` -> `(Zdiv2 x) >= 0`.
-Destruct x; Auto with zarith.
-Destruct p; Auto with zarith.
-Simpl. Omega.
-Intros. (Absurd `(NEG p) >= 0`; Red; Auto with zarith).
-Lemma Zdiv2_lt : (x:Z) `x > 0` -> `(Zdiv2 x) < x`.
-Destruct x.
-Intro. Absurd `0 > 0`; [ Omega | Assumption ].
-Destruct p; Auto with zarith.
-Intro p0.
-Replace (POS (xI p0)) with `2*(POS p0)+1`.
-Simpl. Auto with zarith.
-Intro p0.
-Replace (POS (xO p0)) with `2*(POS p0)`.
-Simpl. Auto with zarith.
-Simpl. Omega.
-Absurd `(NEG p) > 0`; Red; Auto with zarith.
-Elim p; Auto with zarith.
-(* A property of Zpower: x^(2*n) = (x^2)^n *)
-Lemma Zpower_2n :
- (x,n:Z)`n >= 0` -> (Zpower x (Zdouble n))=(Zpower (Zsquare x) n).
-Unfold Zdouble.
-Intros x n Hn.
-Replace `2*n` with `n+n`.
-Rewrite Zpower_exp.
-Pattern n.
-Apply natlike_ind.
-Simpl. Auto with zarith.
-Unfold Zs.
-Rewrite Zpower_exp.
-Rewrite Zpower_exp.
-Replace (Zpower x `1`) with x.
-Replace (Zpower (Zsquare x) `1`) with (Zsquare x).
-Rewrite <- H0.
-Unfold Zsquare.
-Unfold Zpower; Unfold Zpower_pos; Simpl. Omega.
-Unfold Zpower; Unfold Zpower_pos; Simpl. Omega.
-(* The program *)
-Correctness i_exp
- fun (x:Z)(n:Z) ->
- { `n >= 0` }
- (let y = ref 1 in
- let m = ref x in
- let e = ref n in
- begin
- while !e > 0 do
- { invariant (Zpower x n)=(Zmult y (Zpower m e)) /\ `e>=0` as Inv
- variant e }
- (if not (Zeven_odd_bool !e) then y := (Zmult !y !m))
- { (Zpower x n) = (Zmult y (Zpower m (Zdouble (Zdiv2 e)))) as Q };
- m := (Zsquare !m);
- e := (Zdiv2 !e)
- done;
- !y
- end)
- { result=(Zpower x n) }
-(* Zodd *)
-Decompose [and] Inv.
-Rewrite (Zodd_div2 e0 H0 Test1) in H. Rewrite H.
-Rewrite Zpower_exp.
-Unfold Zdouble.
-Replace (Zpower m0 `1`) with m0.
-Unfold Zpower; Unfold Zpower_pos; Simpl; Ring.
-Generalize (Zdiv2_ge_0 e0); Omega.
-(* Zeven *)
-Decompose [and] Inv.
-Rewrite (Zeven_div2 e0 Test1) in H. Rewrite H.
-Auto with zarith.
-(* Zwf *)
-Unfold Zwf.
-Repeat Split.
-Generalize (Zdiv2_ge_0 e0); Omega.
-Exact (Zdiv2_lt e0 Test2).
-(* invariant *)
-Rewrite Q. Unfold Zdouble. Unfold Zsquare.
-Rewrite (Zpower_2n).
-Generalize (Zdiv2_ge_0 e0); Omega.
-Generalize (Zdiv2_ge_0 e0); Omega.
-Split; [ Ring | Assumption ].
-(* exit fo loop *)
-Decompose [and] Inv.
-Cut `e0 = 0`. Intro.
-Rewrite H1. Rewrite H.
-Simpl; Ring.
-(* Recursive version. *)
-Correctness r_exp
- let rec exp (x:Z) (n:Z) : Z { variant n } =
- { `n >= 0` }
- (if n = 0 then
- 1
- else
- let y = (exp x (Zdiv2 n)) in
- (if (Zeven_odd_bool n) then
- (Zmult y y)
- else
- (Zmult x (Zmult y y))) { result=(Zpower x n) as Q }
- )
- { result=(Zpower x n) }
-Rewrite Test2. Auto with zarith.
-(* w.f. *)
-Unfold Zwf.
-Repeat Split.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-Generalize (Zdiv2_lt n0) ; Omega.
-(* rec. call *)
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-(* invariant: case even *)
-Generalize (Zeven_div2 n0 Test1).
-Intro Heq. Rewrite Heq.
-Rewrite Post4.
-Replace `2*(Zdiv2 n0)` with `(Zdiv2 n0)+(Zdiv2 n0)`.
-Rewrite Zpower_exp.
-Auto with zarith.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-(* invariant: cas odd *)
-Generalize (Zodd_div2 n0 Pre1 Test1).
-Intro Heq. Rewrite Heq.
-Rewrite Post4.
-Rewrite Zpower_exp.
-Replace `2*(Zdiv2 n0)` with `(Zdiv2 n0)+(Zdiv2 n0)`.
-Rewrite Zpower_exp.
-Replace `(Zpower x0 1)` with x0.
-Unfold Zpower; Unfold Zpower_pos; Simpl. Omega.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
-Generalize (Zdiv2_ge_0 n0) ; Omega.
diff --git a/contrib/correctness/examples/extract.v b/contrib/correctness/examples/extract.v
deleted file mode 100644
index e225ba18..00000000
--- a/contrib/correctness/examples/extract.v
+++ /dev/null
@@ -1,43 +0,0 @@
-(* Tests d'extraction *)
-Require ProgramsExtraction.
-Save State Ici "test extraction".
-(* exp *)
-Require exp.
-Write Caml File "exp" [ i_exp r_exp ].
-(* exp_int *)
-Restore State Ici.
-Require exp_int.
-Write Caml File "exp_int" [ i_exp r_exp ].
-(* fact *)
-Restore State Ici.
-Require fact.
-Initialize x with (S (S (S O))).
-Initialize y with O.
-Write Caml File "fact" [ factorielle ].
-(* fact_int *)
-Restore State Ici.
-Require fact_int.
-Initialize x with `3`.
-Initialize y with `0`.
-Write Caml File "fact_int" [ factorielle ].
-(* Handbook *)
-Restore State Ici.
-Require Handbook.
-Initialize X with `3`.
-Initialize Y with `3`.
-Initialize Z with `3`.
-Initialize N with `3`.
-Initialize S with `3`.
-Write Caml File "Handbook" [ pgm178 pgm186 pgm196 ].
diff --git a/contrib/correctness/examples/fact.v b/contrib/correctness/examples/fact.v
deleted file mode 100644
index 07e77140..00000000
--- a/contrib/correctness/examples/fact.v
+++ /dev/null
@@ -1,69 +0,0 @@
-(* v * The Coq Proof Assistant / The Coq Development Team *)
-(* <O___,, * INRIA-Rocquencourt & LRI-CNRS-Orsay *)
-(* \VV/ *************************************************************)
-(* // * This file is distributed under the terms of the *)
-(* * GNU Lesser General Public License Version 2.1 *)
-(* Certification of Imperative Programs / Jean-Christophe Filliātre *)
-(* $Id: fact.v 1577 2001-04-11 07:56:19Z filliatr $ *)
-(* Proof of an imperative program computing the factorial (over type nat) *)
-Require Correctness.
-Require Omega.
-Require Arith.
-Fixpoint fact [n:nat] : nat :=
- Cases n of
- O => (S O)
- | (S p) => (mult n (fact p))
- end.
-(* (x * y) * (x-1)! = y * x! *)
-Lemma fact_rec : (x,y:nat)(lt O x) ->
- (mult (mult x y) (fact (pred x))) = (mult y (fact x)).
-Intros x y H.
-Generalize (mult_sym x y). Intro H1. Rewrite H1.
-Generalize (mult_assoc_r y x (fact (pred x))). Intro H2. Rewrite H2.
-Apply (f_equal nat nat [x:nat](mult y x)).
-Generalize H. Elim x; Auto with arith.
-(* we declare two variables x and y *)
-Global Variable x : nat ref.
-Global Variable y : nat ref.
-(* we give the annotated program *)
-Correctness factorielle
- begin
- y := (S O);
- while (notzerop_bool !x) do
- { invariant (mult y (fact x)) = (fact x@0) as I
- variant x for lt }
- y := (mult !x !y);
- x := (pred !x)
- done
- end
- { y = (fact x@0) }.
-(* decreasing of the variant *)
-(* preservation of the invariant *)
-Rewrite <- I. Exact (fact_rec x0 y1 Test1).
-(* entrance of loop *)
-Auto with arith.
-(* exit of loop *)
-Elim I. Intros H1 H2.
-Rewrite H2 in H1.
-Rewrite <- H1.
-Auto with arith.
diff --git a/contrib/correctness/examples/fact_int.v b/contrib/correctness/examples/fact_int.v
deleted file mode 100644
index f463ca80..00000000
--- a/contrib/correctness/examples/fact_int.v
+++ /dev/null
@@ -1,195 +0,0 @@
-(* v * The Coq Proof Assistant / The Coq Development Team *)
-(* <O___,, * INRIA-Rocquencourt & LRI-CNRS-Orsay *)
-(* \VV/ *************************************************************)
-(* // * This file is distributed under the terms of the *)
-(* * GNU Lesser General Public License Version 2.1 *)
-(* Certification of Imperative Programs / Jean-Christophe Filliātre *)
-(* $Id: fact_int.v 1577 2001-04-11 07:56:19Z filliatr $ *)
-(* Proof of an imperative program computing the factorial (over type Z) *)
-Require Correctness.
-Require Omega.
-Require ZArithRing.
-(* We define the factorial as a relation... *)
-Inductive fact : Z -> Z -> Prop :=
- fact_0 : (fact `0` `1`)
- | fact_S : (z,f:Z) (fact z f) -> (fact (Zs z) (Zmult (Zs z) f)).
-(* ...and then we prove that it contains a function *)
-Lemma fact_function : (z:Z) `0 <= z` -> (EX f:Z | (fact z f)).
-Apply natlike_ind with P:=[z:Z](EX f:Z | (fact z f)).
-Split with `1`.
-Exact fact_0.
-Elim H1.
-Split with `(Zs x)*x0`.
-Exact (fact_S x x0 H2).
-(* This lemma should belong to the ZArith library *)
-Lemma Z_mult_1 : (x,y:Z)`x>=1`->`y>=1`->`x*y>=1`.
-Generalize H.
-Apply natlike_ind with P:=[x:Z]`x >= 1`->`x*y >= 1`.
-Elim (Z_le_lt_eq_dec `0` x0 H1).
-Unfold Zs.
-Replace `(x0+1)*y` with `x0*y+y`.
-Generalize H2.
-Generalize `x0*y`.
-Rewrite <- b.
-(* (fact x f) implies x>=0 and f>=1 *)
-Lemma fact_pos : (x,f:Z)(fact x f)-> `x>=0` /\ `f>=1`.
-(Elim H; Auto).
-(Split; Try Omega).
-(Apply Z_mult_1; Try Omega).
-(* (fact 0 x) implies x=1 *)
-Lemma fact_0_1 : (x:Z)(fact `0` x) -> `x=1`.
-Inversion H.
-Elim (fact_pos z f H1).
-(Absurd `z >= 0`; Omega).
-(* We define the loop invariant : y * x! = x0! *)
-Inductive invariant [y,x,x0:Z] : Prop :=
- c_inv : (f,f0:Z)(fact x f)->(fact x0 f0)->(Zmult y f)=f0
- -> (invariant y x x0).
-(* The following lemma is used to prove the preservation of the invariant *)
-Lemma fact_rec : (x0,x,y:Z)`0 < x` ->
- (invariant y x x0)
- -> (invariant `x*y` (Zpred x) x0).
-Intros x0 x y H H0.
-Elim H0.
-Generalize H H0 H3.
-Elim H1.
-Absurd `0 < 0`; Omega.
-Apply c_inv with f:=f1 f0:=f0.
-Cut `z+1+-1 = z`. Intro eq_z. Rewrite <- eq_z in H4.
-Rewrite (Zmult_sym (Zs z) y).
-Rewrite (Zmult_assoc_r y (Zs z) f1).
-(* This one is used to prove the proof obligation at the exit of the loop *)
-Lemma invariant_0 : (x,y:Z)(invariant y `0` x)->(fact x y).
-Elim H.
-Generalize (fact_0_1 f H0).
-Rewrite H3 in H2.
-Simpl in H2.
-Replace y with `y*1`.
-Rewrite H2.
-(* At last we come to the proof itself *************************************)
-(* we declare two variable x and y *)
-Global Variable x : Z ref.
-Global Variable y : Z ref.
-(* and we give the annotated program *)
-Correctness factorielle
- { `0 <= x` }
- begin
- y := 1;
- while !x <> 0 do
- { invariant `0 <= x` /\ (invariant y x x@0) as Inv
- variant x for (Zwf ZERO) }
- y := (Zmult !x !y);
- x := (Zpred !x)
- done
- end
- { (fact x@0 y) }.
-(* decreasing *)
-Unfold Zwf. Unfold Zpred. Omega.
-(* preservation of the invariant *)
- Unfold Zpred; Omega.
- Cut `0 < x0`. Intro Hx0.
- Decompose [and] Inv.
- Exact (fact_rec x x0 y1 Hx0 H0).
- Omega.
-(* entrance of the loop *)
-Split; Auto.
-Elim (fact_function x Pre1). Intros.
-Apply c_inv with f:=x0 f0:=x0; Auto.
-(* exit of the loop *)
-Decompose [and] Inv.
-Rewrite H0 in H2.
-Exact (invariant_0 x y1 H2).