mirror of
https://github.com/AdaCore/why3.git
synced 2026-02-12 12:34:55 -08:00
36 lines
779 B
Plaintext
36 lines
779 B
Plaintext
|
|
(** {1 A possibly null, yet safe, value}
|
|
|
|
The OCaml driver does optimize this into the identity.
|
|
|
|
To permit the implementation of `eq_null`, `null` is implemented as a
|
|
heap-allocated value in OCaml, e.g., `Obj.magic [|0|]`.
|
|
*)
|
|
|
|
module Null
|
|
|
|
type null = int
|
|
|
|
type t_model 'a = Null null | Value 'a
|
|
|
|
type t 'a = abstract { v: t_model 'a }
|
|
|
|
let ghost predicate is_null (t: t 'a) =
|
|
match t.v with Null _ -> true | Value _ -> false end
|
|
|
|
val create_null () : t 'a
|
|
ensures { is_null result }
|
|
|
|
val eq_null (n x: t 'a) : bool
|
|
requires { is_null n }
|
|
ensures { result <-> x.v = n.v }
|
|
|
|
val create (x: 'a) : t 'a
|
|
ensures { result.v = Value x }
|
|
|
|
val get (t: t 'a) : 'a
|
|
requires { not (is_null t) }
|
|
ensures { t.v = Value result }
|
|
|
|
end
|