mirror of
https://github.com/AdaCore/why3.git
synced 2026-02-12 12:34:55 -08:00
709 lines
18 KiB
Plaintext
709 lines
18 KiB
Plaintext
|
|
(** {1 Theory of integers}
|
|
|
|
This file provides the basic theory of integers, and several additional
|
|
theories for classical functions.
|
|
|
|
*)
|
|
|
|
(** {2 Integers and the basic operators} *)
|
|
|
|
module Int
|
|
|
|
constant zero : int = 0
|
|
constant one : int = 1
|
|
|
|
val (=) (x y : int) : bool ensures { result <-> x = y }
|
|
|
|
val function (-_) int : int
|
|
val function (+) int int : int
|
|
val function (*) int int : int
|
|
val predicate (<) int int : bool
|
|
|
|
let function (-) (x y : int) = x + -y
|
|
let predicate (>) (x y : int) = y < x
|
|
let predicate (<=) (x y : int) = x < y || x = y
|
|
let predicate (>=) (x y : int) = y <= x
|
|
|
|
clone export algebra.OrderedUnitaryCommutativeRing with
|
|
type t = int, constant zero = zero, constant one = one,
|
|
function (-_) = (-_), function (+) = (+),
|
|
function (*) = (*), predicate (<=) = (<=)
|
|
|
|
meta "remove_unused:keep" function (+)
|
|
meta "remove_unused:keep" function (-)
|
|
(* do not necessarily keep, to allow for linear arithmetic only
|
|
meta "remove_unused:keep" function (*)
|
|
*)
|
|
meta "remove_unused:keep" function (-_)
|
|
meta "remove_unused:keep" predicate (<)
|
|
meta "remove_unused:keep" predicate (<=)
|
|
meta "remove_unused:keep" predicate (>)
|
|
meta "remove_unused:keep" predicate (>=)
|
|
|
|
let ghost compat_order_mult (x y z:int)
|
|
requires { x <= y }
|
|
requires { 0 <= z }
|
|
ensures { x * z <= y * z }
|
|
= ()
|
|
|
|
end
|
|
|
|
(** {2 Absolute Value} *)
|
|
|
|
module Abs
|
|
|
|
use Int
|
|
|
|
let function abs (x:int) : int = if x >= 0 then x else -x
|
|
|
|
lemma Abs_le: forall x y:int. abs x <= y <-> -y <= x <= y
|
|
meta "remove_unused:dependency" lemma Abs_le, function abs
|
|
|
|
lemma Abs_pos: forall x:int. abs x >= 0
|
|
meta "remove_unused:dependency" lemma Abs_pos, function abs
|
|
|
|
(***
|
|
lemma Abs_zero: forall x:int. abs x = 0 -> x = 0
|
|
*)
|
|
|
|
end
|
|
|
|
(** {2 Minimum and Maximum} *)
|
|
|
|
module MinMax
|
|
|
|
use Int
|
|
|
|
clone export relations.MinMax with type t = int, predicate le = (<=), goal .
|
|
|
|
let min (x y : int) : int
|
|
ensures { result = min x y }
|
|
= if x <= y then x else y
|
|
|
|
let max (x y : int) : int
|
|
ensures { result = max x y }
|
|
= if x <= y then y else x
|
|
|
|
|
|
end
|
|
|
|
(** {2 The Basic Well-Founded Order on Integers} *)
|
|
|
|
module Lex2
|
|
|
|
use Int
|
|
|
|
predicate lt_nat (x y: int) = 0 <= y /\ x < y
|
|
|
|
clone export relations.Lex with type t1 = int, type t2 = int,
|
|
predicate rel1 = lt_nat, predicate rel2 = lt_nat
|
|
|
|
end
|
|
|
|
(** {2 Euclidean Division}
|
|
|
|
Division and modulo operators with the convention
|
|
that modulo is always non-negative.
|
|
|
|
It implies that division rounds down when divisor is positive, and
|
|
rounds up when divisor is negative.
|
|
|
|
*)
|
|
|
|
module EuclideanDivision
|
|
|
|
use Int
|
|
use Abs
|
|
|
|
function div (x y: int) : int
|
|
function mod (x y: int) : int
|
|
|
|
axiom Div_mod:
|
|
forall x y:int. y <> 0 -> x = y * div x y + mod x y
|
|
meta "remove_unused:dependency" axiom Div_mod, function div
|
|
meta "remove_unused:dependency" axiom Div_mod, function mod
|
|
|
|
axiom Mod_bound:
|
|
forall x y:int. y <> 0 -> 0 <= mod x y < abs y
|
|
meta "remove_unused:dependency" axiom Mod_bound, function mod
|
|
|
|
lemma Div_unique:
|
|
forall x y q:int. y > 0 -> q * y <= x < q * y + y -> div x y = q
|
|
meta "remove_unused:dependency" lemma Div_unique, function div
|
|
|
|
lemma Div_bound:
|
|
forall x y:int. x >= 0 /\ y > 0 -> 0 <= div x y <= x
|
|
meta "remove_unused:dependency" lemma Div_bound, function div
|
|
|
|
lemma Mod_1: forall x:int. mod x 1 = 0
|
|
meta "remove_unused:dependency" lemma Mod_1, function mod
|
|
|
|
lemma Div_1: forall x:int. div x 1 = x
|
|
meta "remove_unused:dependency" lemma Div_1, function div
|
|
|
|
lemma Div_inf: forall x y:int. 0 <= x < y -> div x y = 0
|
|
meta "remove_unused:dependency" lemma Div_inf, function div
|
|
|
|
lemma Div_inf_neg: forall x y:int. 0 < x <= y -> div (-x) y = -1
|
|
meta "remove_unused:dependency" lemma Div_inf_neg, function div
|
|
|
|
lemma Mod_0: forall y:int. y <> 0 -> mod 0 y = 0
|
|
meta "remove_unused:dependency" lemma Mod_0, function mod
|
|
|
|
lemma Div_1_left: forall y:int. y > 1 -> div 1 y = 0
|
|
meta "remove_unused:dependency" lemma Div_1_left, function div
|
|
|
|
lemma Div_minus1_left: forall y:int. y > 1 -> div (-1) y = -1
|
|
meta "remove_unused:dependency" lemma Div_minus1_left, function div
|
|
|
|
lemma Mod_1_left: forall y:int. y > 1 -> mod 1 y = 1
|
|
meta "remove_unused:dependency" lemma Mod_1_left, function mod
|
|
|
|
lemma Mod_minus1_left: forall y:int [mod (-1) y]. y > 1 -> mod (-1) y = y - 1
|
|
meta "remove_unused:dependency" lemma Mod_minus1_left, function mod
|
|
|
|
lemma Div_mult: forall x y z:int [div (x * y + z) x].
|
|
x > 0 ->
|
|
div (x * y + z) x = y + div z x
|
|
meta "remove_unused:dependency" lemma Div_mult, function div
|
|
|
|
lemma Mod_mult: forall x y z:int [mod (x * y + z) x].
|
|
x > 0 ->
|
|
mod (x * y + z) x = mod z x
|
|
meta "remove_unused:dependency" lemma Mod_mult, function mod
|
|
|
|
val div (x y:int) : int
|
|
requires { y <> 0 }
|
|
ensures { result = div x y }
|
|
|
|
val mod (x y:int) : int
|
|
requires { y <> 0 }
|
|
ensures { result = mod x y }
|
|
|
|
|
|
end
|
|
|
|
(** {2 Division by 2}
|
|
|
|
The particular case of Euclidean division by 2
|
|
|
|
*)
|
|
|
|
module Div2
|
|
|
|
use Int
|
|
|
|
lemma div2:
|
|
forall x: int. exists y: int. x = 2*y \/ x = 2*y+1
|
|
|
|
end
|
|
|
|
(** {2 Computer Division}
|
|
|
|
Division and modulo operators with the same conventions as mainstream
|
|
programming language such as C, Java, OCaml, that is, division rounds
|
|
towards zero, and thus `mod x y` has the same sign as `x`.
|
|
|
|
*)
|
|
|
|
module ComputerDivision
|
|
|
|
use Int
|
|
use Abs
|
|
|
|
function div (x y: int) : int
|
|
function mod (x y: int) : int
|
|
|
|
axiom Div_mod:
|
|
forall x y:int. y <> 0 -> x = y * div x y + mod x y
|
|
meta "remove_unused:dependency" axiom Div_mod, function div
|
|
meta "remove_unused:dependency" axiom Div_mod, function mod
|
|
|
|
axiom Div_bound:
|
|
forall x y:int. x >= 0 /\ y > 0 -> 0 <= div x y <= x
|
|
meta "remove_unused:dependency" axiom Div_bound, function div
|
|
meta "remove_unused:dependency" axiom Div_bound, function mod
|
|
|
|
axiom Mod_bound:
|
|
forall x y:int. y <> 0 -> - abs y < mod x y < abs y
|
|
meta "remove_unused:dependency" axiom Mod_bound, function div
|
|
meta "remove_unused:dependency" axiom Mod_bound, function mod
|
|
|
|
axiom Div_sign_pos:
|
|
forall x y:int. x >= 0 /\ y > 0 -> div x y >= 0
|
|
meta "remove_unused:dependency" axiom Div_sign_pos, function div
|
|
meta "remove_unused:dependency" axiom Div_sign_pos, function mod
|
|
|
|
axiom Div_sign_neg:
|
|
forall x y:int. x <= 0 /\ y > 0 -> div x y <= 0
|
|
meta "remove_unused:dependency" axiom Div_sign_neg, function div
|
|
meta "remove_unused:dependency" axiom Div_sign_neg, function mod
|
|
|
|
axiom Mod_sign_pos:
|
|
forall x y:int. x >= 0 /\ y <> 0 -> mod x y >= 0
|
|
meta "remove_unused:dependency" axiom Mod_sign_pos, function div
|
|
meta "remove_unused:dependency" axiom Mod_sign_pos, function mod
|
|
|
|
axiom Mod_sign_neg:
|
|
forall x y:int. x <= 0 /\ y <> 0 -> mod x y <= 0
|
|
meta "remove_unused:dependency" axiom Mod_sign_neg, function div
|
|
meta "remove_unused:dependency" axiom Mod_sign_neg, function mod
|
|
|
|
lemma Rounds_toward_zero:
|
|
forall x y:int. y <> 0 -> abs (div x y * y) <= abs x
|
|
meta "remove_unused:dependency" lemma Rounds_toward_zero, function div
|
|
meta "remove_unused:dependency" lemma Rounds_toward_zero, function mod
|
|
|
|
lemma Div_1: forall x:int. div x 1 = x
|
|
meta "remove_unused:dependency" lemma Div_1, function div
|
|
meta "remove_unused:dependency" lemma Div_1, function mod
|
|
|
|
lemma Mod_1: forall x:int. mod x 1 = 0
|
|
meta "remove_unused:dependency" lemma Mod_1, function div
|
|
meta "remove_unused:dependency" lemma Mod_1, function mod
|
|
|
|
lemma Div_inf: forall x y:int. 0 <= x < y -> div x y = 0
|
|
meta "remove_unused:dependency" lemma Div_inf, function div
|
|
meta "remove_unused:dependency" lemma Div_inf, function mod
|
|
|
|
lemma Mod_inf: forall x y:int. 0 <= x < y -> mod x y = x
|
|
meta "remove_unused:dependency" lemma Mod_inf, function div
|
|
meta "remove_unused:dependency" lemma Mod_inf, function mod
|
|
|
|
lemma Div_mult: forall x y z:int [div (x * y + z) x].
|
|
x > 0 /\ y >= 0 /\ z >= 0 ->
|
|
div (x * y + z) x = y + div z x
|
|
meta "remove_unused:dependency" lemma Div_mult, function div
|
|
meta "remove_unused:dependency" lemma Div_mult, function mod
|
|
|
|
lemma Mod_mult: forall x y z:int [mod (x * y + z) x].
|
|
x > 0 /\ y >= 0 /\ z >= 0 ->
|
|
mod (x * y + z) x = mod z x
|
|
meta "remove_unused:dependency" lemma Mod_mult, function div
|
|
meta "remove_unused:dependency" lemma Mod_mult, function mod
|
|
|
|
val div (x y:int) : int
|
|
requires { y <> 0 }
|
|
ensures { result = div x y }
|
|
|
|
val mod (x y:int) : int
|
|
requires { y <> 0 }
|
|
ensures { result = mod x y }
|
|
|
|
end
|
|
|
|
(** {2 Generic Exponentiation of something to an integer exponent} *)
|
|
|
|
module Exponentiation
|
|
|
|
use Int
|
|
|
|
type t
|
|
constant one : t
|
|
function (*) t t : t
|
|
|
|
clone export algebra.Monoid
|
|
with type t = t, constant unit = one, function op = (*), axiom .
|
|
|
|
(* TODO: implement with let rec once let cloning is done *)
|
|
function power t int : t
|
|
|
|
axiom Power_0 : forall x: t. power x 0 = one
|
|
|
|
axiom Power_s : forall x: t, n: int. n >= 0 -> power x (n+1) = x * power x n
|
|
|
|
lemma Power_s_alt: forall x: t, n: int. n > 0 -> power x n = x * power x (n-1)
|
|
|
|
lemma Power_1 : forall x : t. power x 1 = x
|
|
|
|
lemma Power_sum : forall x: t, n m: int. 0 <= n -> 0 <= m ->
|
|
power x (n+m) = power x n * power x m
|
|
|
|
lemma Power_mult : forall x:t, n m : int. 0 <= n -> 0 <= m ->
|
|
power x (Int.(*) n m) = power (power x n) m
|
|
|
|
lemma Power_comm1 : forall x y: t. x * y = y * x ->
|
|
forall n:int. 0 <= n ->
|
|
power x n * y = y * power x n
|
|
|
|
lemma Power_comm2 : forall x y: t. x * y = y * x ->
|
|
forall n:int. 0 <= n ->
|
|
power (x * y) n = power x n * power y n
|
|
|
|
(* TODO
|
|
|
|
use ComputerDivision
|
|
|
|
lemma Power_even : forall x:t, n:int. n >= 0 -> mod n 2 = 0 ->
|
|
power x n = power (x*x) (div n 2)
|
|
|
|
lemma power_odd : forall x:t, n:int. n >= 0 -> mod n 2 <> 0 ->
|
|
power x n = x * power (x*x) (div n 2)
|
|
*)
|
|
|
|
end
|
|
|
|
(** {2 Power of an integer to an integer } *)
|
|
|
|
module Power
|
|
|
|
use Int
|
|
|
|
(* TODO: remove once power is implemented in Exponentiation *)
|
|
val function power int int : int
|
|
|
|
clone export Exponentiation with
|
|
type t = int, constant one = one,
|
|
function (*) = (*), function power = power,
|
|
goal Assoc, goal Unit_def_l, goal Unit_def_r,
|
|
axiom Power_0, axiom Power_s
|
|
|
|
lemma Power_non_neg:
|
|
forall x y. x >= 0 /\ y >= 0 -> power x y >= 0
|
|
|
|
lemma Power_pos:
|
|
forall x y. x > 0 /\ y >= 0 -> power x y > 0
|
|
|
|
lemma Power_monotonic:
|
|
forall x n m:int. 0 < x /\ 0 <= n <= m -> power x n <= power x m
|
|
|
|
end
|
|
|
|
(** {2 Number of integers satisfying a given predicate} *)
|
|
|
|
module NumOf
|
|
|
|
use Int
|
|
|
|
(** number of `n` such that `a <= n < b` and `p n` *)
|
|
let rec function numof (p: int -> bool) (a b: int) : int
|
|
variant { b - a }
|
|
= if b <= a then 0 else
|
|
if p (b - 1) then 1 + numof p a (b - 1)
|
|
else numof p a (b - 1)
|
|
|
|
lemma Numof_bounds :
|
|
forall p : int -> bool, a b : int. a < b -> 0 <= numof p a b <= b - a
|
|
(* direct when a>=b, by induction on b when a <= b *)
|
|
|
|
lemma Numof_append :
|
|
forall p : int -> bool, a b c : int.
|
|
a <= b <= c -> numof p a c = numof p a b + numof p b c
|
|
(* by induction on c *)
|
|
|
|
lemma Numof_left_no_add :
|
|
forall p : int -> bool, a b : int.
|
|
a < b -> not p a -> numof p a b = numof p (a+1) b
|
|
(* by Numof_append *)
|
|
lemma Numof_left_add :
|
|
forall p : int -> bool, a b : int.
|
|
a < b -> p a -> numof p a b = 1 + numof p (a+1) b
|
|
(* by Numof_append *)
|
|
|
|
lemma Empty :
|
|
forall p : int -> bool, a b : int.
|
|
(forall n : int. a <= n < b -> not p n) -> numof p a b = 0
|
|
(* by induction on b *)
|
|
|
|
lemma Full :
|
|
forall p : int -> bool, a b : int. a <= b ->
|
|
(forall n : int. a <= n < b -> p n) -> numof p a b = b - a
|
|
(* by induction on b *)
|
|
|
|
lemma numof_increasing:
|
|
forall p : int -> bool, i j k : int.
|
|
i <= j <= k -> numof p i j <= numof p i k
|
|
(* by Numof_append and Numof_non_negative *)
|
|
|
|
lemma numof_strictly_increasing:
|
|
forall p: int -> bool, i j k l: int.
|
|
i <= j <= k < l -> p k -> numof p i j < numof p i l
|
|
(* by Numof_append and numof_increasing *)
|
|
|
|
lemma numof_change_any:
|
|
forall p1 p2: int -> bool, a b: int.
|
|
(forall j: int. a <= j < b -> p1 j -> p2 j) ->
|
|
numof p2 a b >= numof p1 a b
|
|
|
|
lemma numof_change_some:
|
|
forall p1 p2: int -> bool, a b i: int. a <= i < b ->
|
|
(forall j: int. a <= j < b -> p1 j -> p2 j) ->
|
|
not (p1 i) -> p2 i ->
|
|
numof p2 a b > numof p1 a b
|
|
|
|
lemma numof_change_equiv:
|
|
forall p1 p2: int -> bool, a b: int.
|
|
(forall j: int. a <= j < b -> p1 j <-> p2 j) ->
|
|
numof p2 a b = numof p1 a b
|
|
|
|
end
|
|
|
|
(** {2 Sum} *)
|
|
|
|
module Sum
|
|
|
|
use Int
|
|
|
|
(** sum of `f n` for `a <= n < b` *)
|
|
let rec function sum (f: int -> int) (a b: int) : int
|
|
variant { b - a }
|
|
= if b <= a then 0 else sum f a (b - 1) + f (b - 1)
|
|
|
|
lemma sum_left:
|
|
forall f: int -> int, a b: int.
|
|
a < b -> sum f a b = f a + sum f (a + 1) b
|
|
|
|
lemma sum_ext:
|
|
forall f g: int -> int, a b: int.
|
|
(forall i. a <= i < b -> f i = g i) ->
|
|
sum f a b = sum g a b
|
|
|
|
lemma sum_le:
|
|
forall f g: int -> int, a b: int.
|
|
(forall i. a <= i < b -> f i <= g i) ->
|
|
sum f a b <= sum g a b
|
|
|
|
lemma sum_zero:
|
|
forall f: int -> int, a b: int.
|
|
(forall i. a <= i < b -> f i = 0) ->
|
|
sum f a b = 0
|
|
|
|
lemma sum_nonneg:
|
|
forall f: int -> int, a b: int.
|
|
(forall i. a <= i < b -> 0 <= f i) ->
|
|
0 <= sum f a b
|
|
|
|
lemma sum_decomp:
|
|
forall f: int -> int, a b c: int. a <= b <= c ->
|
|
sum f a c = sum f a b + sum f b c
|
|
|
|
let rec lemma shift_left (f g: int -> int) (a b c d: int)
|
|
requires { b - a = d - c }
|
|
requires { forall i. a <= i < b -> f i = g (c + i - a) }
|
|
variant { b - a }
|
|
ensures { sum f a b = sum g c d }
|
|
= if a < b then shift_left f g (a+1) b (c+1) d
|
|
|
|
end
|
|
|
|
(** A similar theory, but with a polymorphic parameter passed
|
|
to function `f` and to function `sum`. *)
|
|
module SumParam
|
|
|
|
use Int
|
|
|
|
(** sum of `f x n` for `a <= n < b` *)
|
|
let rec function sum (f: 'a -> int -> int) (x: 'a) (a b: int) : int
|
|
variant { b - a }
|
|
= if b <= a then 0 else sum f x a (b - 1) + f x (b - 1)
|
|
|
|
lemma sum_left:
|
|
forall f: 'a -> int -> int, x: 'a, a b: int.
|
|
a < b -> sum f x a b = f x a + sum f x (a + 1) b
|
|
|
|
lemma sum_ext:
|
|
forall f: 'a -> int -> int, x: 'a, g: 'b -> int -> int, y: 'b, a b: int.
|
|
(forall i. a <= i < b -> f x i = g y i) ->
|
|
sum f x a b = sum g y a b
|
|
|
|
lemma sum_le:
|
|
forall f: 'a -> int -> int, x: 'a, g: 'b -> int -> int, y: 'b, a b: int.
|
|
(forall i. a <= i < b -> f x i <= g y i) ->
|
|
sum f x a b <= sum g y a b
|
|
|
|
lemma sum_zero:
|
|
forall f: 'a -> int -> int, x: 'a, a b: int.
|
|
(forall i. a <= i < b -> f x i = 0) ->
|
|
sum f x a b = 0
|
|
|
|
lemma sum_nonneg:
|
|
forall f: 'a -> int -> int, x: 'a, a b: int.
|
|
(forall i. a <= i < b -> 0 <= f x i) ->
|
|
0 <= sum f x a b
|
|
|
|
lemma sum_decomp:
|
|
forall f: 'a -> int -> int, x: 'a, a b c: int. a <= b <= c ->
|
|
sum f x a c = sum f x a b + sum f x b c
|
|
|
|
let rec lemma shift_left
|
|
(f: 'a -> int -> int) (x: 'a)
|
|
(g: 'b -> int -> int) (y: 'b) (a b c d: int)
|
|
requires { b - a = d - c }
|
|
requires { forall i. a <= i < b -> f x i = g y (c + i - a) }
|
|
variant { b - a }
|
|
ensures { sum f x a b = sum g y c d }
|
|
= if a < b then shift_left f x g y (a+1) b (c+1) d
|
|
|
|
let rec lemma sum_middle_change (f:'a -> int -> int) (c1 c2:'a) (i j l: int)
|
|
requires { i <= l < j }
|
|
ensures { (forall k : int. i <= k < j -> k <> l -> f c1 k = f c2 k) ->
|
|
sum f c1 i j - f c1 l = sum f c2 i j - f c2 l }
|
|
variant { j - l }
|
|
= if l = (j-1) then () else sum_middle_change f c1 c2 i (j-1) l
|
|
|
|
end
|
|
|
|
(** {2 Factorial function} *)
|
|
|
|
module Fact
|
|
|
|
use Int
|
|
|
|
let rec function fact (n: int) : int
|
|
requires { n >= 0 }
|
|
variant { n }
|
|
= if n = 0 then 1 else n * fact (n-1)
|
|
|
|
end
|
|
|
|
(** {2 Generic iteration of a function} *)
|
|
|
|
module Iter
|
|
|
|
use Int
|
|
|
|
(** `iter k x` is `f^k(x)` *)
|
|
let rec function iter (f: 'a -> 'a) (k: int) (x: 'a) : 'a
|
|
requires { k >= 0 }
|
|
variant { k }
|
|
= if k = 0 then x else iter f (k - 1) (f x)
|
|
|
|
lemma iter_1: forall f, x: 'a. iter f 1 x = f x
|
|
|
|
lemma iter_s: forall f, k, x: 'a. 0 < k -> iter f k x = f (iter f (k - 1) x)
|
|
|
|
end
|
|
|
|
(** {2 Integers extended with an infinite value} *)
|
|
|
|
module IntInf
|
|
|
|
use Int
|
|
|
|
type t = Finite int | Infinite
|
|
|
|
let function add (x: t) (y: t) : t =
|
|
match x with
|
|
| Infinite -> Infinite
|
|
| Finite x ->
|
|
match y with
|
|
| Infinite -> Infinite
|
|
| Finite y -> Finite (x + y)
|
|
end
|
|
end
|
|
|
|
let predicate eq (x y: t) =
|
|
match x, y with
|
|
| Infinite, Infinite -> true
|
|
| Finite x, Finite y -> x = y
|
|
| _, _ -> false
|
|
end
|
|
|
|
let predicate lt (x y: t) =
|
|
match x with
|
|
| Infinite -> false
|
|
| Finite x ->
|
|
match y with
|
|
| Infinite -> true
|
|
| Finite y -> x < y
|
|
end
|
|
end
|
|
|
|
let predicate le (x y: t) = lt x y || eq x y
|
|
|
|
clone export relations.TotalOrder with type t = t, predicate rel = le,
|
|
lemma Refl, lemma Antisymm, lemma Trans, lemma Total
|
|
|
|
end
|
|
|
|
(** {2 Induction principle on integers}
|
|
|
|
This theory can be cloned with the wanted predicate, to perform an
|
|
induction, either on nonnegative integers, or more generally on
|
|
integers greater or equal a given bound.
|
|
|
|
*)
|
|
|
|
module SimpleInduction
|
|
|
|
use Int
|
|
|
|
predicate p int
|
|
|
|
axiom base: p 0
|
|
|
|
axiom induction_step: forall n:int. 0 <= n -> p n -> p (n+1)
|
|
|
|
lemma SimpleInduction : forall n:int. 0 <= n -> p n
|
|
|
|
end
|
|
|
|
module Induction
|
|
|
|
use Int
|
|
|
|
predicate p int
|
|
|
|
lemma Induction :
|
|
(forall n:int. 0 <= n -> (forall k:int. 0 <= k < n -> p k) -> p n) ->
|
|
forall n:int. 0 <= n -> p n
|
|
|
|
constant bound : int
|
|
|
|
lemma Induction_bound :
|
|
(forall n:int. bound <= n ->
|
|
(forall k:int. bound <= k < n -> p k) -> p n) ->
|
|
forall n:int. bound <= n -> p n
|
|
|
|
end
|
|
|
|
module HOInduction
|
|
|
|
use Int
|
|
|
|
let lemma induction (p: int -> bool)
|
|
requires { p 0 }
|
|
requires { forall n. 0 <= n >= 0 -> p n -> p (n+1) }
|
|
ensures { forall n. 0 <= n -> p n }
|
|
= let rec lemma f (n: int) requires { n >= 0 } ensures { p n } variant {n}
|
|
= if n > 0 then f (n-1) in f 0
|
|
|
|
end
|
|
|
|
(** {2 Fibonacci numbers} *)
|
|
|
|
module Fibonacci
|
|
|
|
use Int
|
|
|
|
let rec function fib (n: int) : int
|
|
requires { n >= 0 }
|
|
variant { n }
|
|
= if n = 0 then 0 else
|
|
if n = 1 then 1 else
|
|
fib (n-1) + fib (n-2)
|
|
|
|
end
|
|
|
|
module WFltof
|
|
use Int
|
|
use relations.WellFounded
|
|
|
|
type t
|
|
function f t : int
|
|
|
|
axiom f_nonneg: forall x. 0 <= f x
|
|
|
|
predicate ltof (x y: t) = f x < f y
|
|
|
|
let rec lemma acc_ltof (n: int)
|
|
requires { 0 <= n }
|
|
ensures { forall x. f x < n -> acc ltof x }
|
|
variant { n }
|
|
= if n > 0 then acc_ltof (n-1)
|
|
|
|
lemma wf_ltof: well_founded ltof
|
|
|
|
end
|